Microsoft Uncovers Massive Malvertising Campaign Using GitHub to Distribute Malware



Microsoft’s cybersecurity team has uncovered a large-scale malvertising campaign that has compromised close to one million devices globally. The campaign, active since at least late 2024, primarily targets users who visit illegal movie streaming websites, where embedded malicious advertisements (malvertisements) redirect them to dangerous payloads.

These payloads—hosted on legitimate platforms such as GitHub, Discord, and Dropbox—deliver sophisticated malware designed to steal sensitive information from victims, including stored browser credentials and system configuration data.

Microsoft has since taken action to dismantle the GitHub repositories hosting the malicious files, but the campaign highlights a growing trend of cybercriminals exploiting trusted platforms to distribute malware.

How the Attack Works: A Multi-Layered Strategy

This operation relies on multiple redirection layers to evade detection and maximize the number of infections. The process follows these steps:

1. Malvertising on Illegal Streaming Websites

The attack begins when unsuspecting users visit pirated movie or TV show websites that embed malicious redirectors in online advertisements. These redirectors serve as intermediaries that funnel users through multiple malicious pathways before reaching the final payload.

2. Redirecting to Fake Tech Support and Malware Websites

Instead of taking users directly to malware, the first redirect leads to another malicious website—often disguised as a tech support scam or a fake software update page. These sites trick users into downloading files that appear harmless but actually contain malware.

3. Final Redirect to GitHub for Malware Download

The ultimate redirection leads victims to GitHub repositories where the first-stage malware payload is hosted. Because GitHub is a widely trusted platform, many antivirus programs fail to flag these downloads as threats.
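The redirect chain described in the three steps above (streaming site, ad redirector, fake support or update page, trusted hosting platform) can be reconstructed from ordinary proxy logs by following Referer links backwards from each file download. The script below is an added example, not code from the article or from Microsoft: the log format, client addresses, hostnames, watchlist and repository URLs are constructed for illustration, and the platform hostnames are real domains named by the article as payload hosts.

```python
"""Added example: reconstruct per-client redirect chains from proxy logs and
flag chains that start at a streaming site, pass through intermediary hosts
and end in a file download from a trusted hosting platform. The log format,
hostnames and URLs below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
from urllib.parse import urlparse

# Hosting platforms the article names as payload hosts (real hostnames).
TRUSTED_HOSTING = {"github.com", "raw.githubusercontent.com",
                   "cdn.discordapp.com", "www.dropbox.com", "dl.dropboxusercontent.com"}
# Content types that indicate a file download rather than a page view.
DOWNLOAD_TYPES = {"application/octet-stream", "application/zip",
                  "application/x-msdownload", "application/x-dosexec"}
# Constructed watchlist; in practice this would come from a URL-category feed.
STREAMING_WATCHLIST = {"free-movies.example"}
CHAIN_WINDOW = timedelta(minutes=5)   # max gap between two hops of one chain

# Constructed proxy log: time client method url referrer status content-type
SAMPLE_LOG = """\
2025-02-10T12:00:01Z 10.0.0.5 GET https://free-movies.example/watch?id=42 - 200 text/html
2025-02-10T12:00:03Z 10.0.0.5 GET https://ads-redirector.example/click?c=9 https://free-movies.example/watch?id=42 302 -
2025-02-10T12:00:04Z 10.0.0.5 GET https://support-alert.example/update.html https://ads-redirector.example/click?c=9 200 text/html
2025-02-10T12:00:09Z 10.0.0.5 GET https://github.com/example-user/example-repo/releases/download/v1/Setup.exe https://support-alert.example/update.html 200 application/octet-stream
2025-02-10T12:05:00Z 10.0.0.7 GET https://github.com/example-org/tool/releases/download/v2/tool.zip https://docs.example-org.example/ 200 application/zip
2025-02-10T12:06:00Z 10.0.0.8 GET https://free-movies.example/watch?id=7 - 200 text/html
"""

@dataclass
class Event:
    ts: datetime
    client: str
    url: str
    referrer: Optional[str]
    status: int
    ctype: Optional[str]

def parse_line(line: str) -> Event:
    ts, client, _method, url, ref, status, ctype = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url,
                 None if ref == "-" else ref, int(status),
                 None if ctype == "-" else ctype)

def parse_log(text: str) -> List[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def build_chain(events: List[Event], download: Event) -> List[Event]:
    """Walk Referer links backwards from a download for the same client,
    stopping at a missing referrer, a loop, or the edge of the time window."""
    chain, current, seen = [download], download, {download.url}
    while current.referrer and current.referrer not in seen:
        candidates = [e for e in events
                      if e.client == current.client and e.url == current.referrer
                      and e.ts <= current.ts and current.ts - e.ts <= CHAIN_WINDOW]
        if not candidates:
            break
        current = max(candidates, key=lambda e: e.ts)   # most recent matching request
        seen.add(current.url)
        chain.append(current)
    chain.reverse()   # origin first, download last
    return chain

def find_suspicious_chains(events: List[Event], min_hosts: int = 3) -> List[dict]:
    """Flag downloads from trusted hosting whose referrer chain either spans
    min_hosts distinct hosts (origin + intermediary + platform) or starts on
    a watchlisted streaming site."""
    findings = []
    for ev in events:
        if host_of(ev.url) not in TRUSTED_HOSTING or ev.ctype not in DOWNLOAD_TYPES:
            continue
        hosts = list(dict.fromkeys(host_of(e.url) for e in build_chain(events, ev)))
        on_watchlist = hosts[0] in STREAMING_WATCHLIST
        if len(hosts) >= min_hosts or on_watchlist:
            findings.append({"client": ev.client, "download": ev.url,
                             "hosts": hosts, "origin_on_watchlist": on_watchlist})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_chains(parse_log(SAMPLE_LOG)):
        print(f["client"], " -> ".join(f["hosts"]), f["download"])
```

Only the first client is flagged: its download of an executable from GitHub is reached through three earlier hosts, the first of which is on the watchlist. The second client's GitHub download has a referrer with no matching request in the log, so its chain is a single host and is left alone; a real deployment would tune the platform list, download types and window to its own traffic.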

How the Malware Works: A Three-Stage Infection Process

Once the initial payload is downloaded from GitHub, it acts as a dropper to install additional malware in three key stages:

Stage 1: Dropping Initial Malware

The first-stage payload installs code that enables further infections. This malware ensures persistence by modifying system settings and disabling security features.

Stage 2: Collecting System Information

The second payload is designed to gather system data, including:

  • Operating system details
  • Installed software and user paths
  • Memory size and graphics capabilities
  • Screen resolution and system configuration

Stage 3: Installing Information Stealers and Remote Access Tools

At this point, attackers deploy various stealthy malware designed to steal sensitive data and establish long-term access to the system, including:

  • Lumma Stealer – Extracts passwords, cookies, and saved credentials from web browsers.
  • Updated Doenerium Stealer – Exfiltrates system information and enables further attacks.
  • NetSupport RAT – A remote access tool that allows attackers to control the victim’s computer remotely.
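Because each stage leaves a different kind of trace (a persistence or tampering registry write, discovery commands, new executables launched from staging directories), an endpoint detection can tie the three stages together by walking the process tree that descends from a file downloaded from one of the hosting platforms. The following is an added example, not Microsoft's detection logic and not code from the article: the telemetry records, hostnames, paths and the benign control case are constructed, and the indicator lists are deliberately short placeholders that a real deployment would replace with tuned rules.

```python
"""Added example: correlate constructed endpoint telemetry into the
three-stage chain the article describes (dropper from a trusted hosting
platform -> persistence/tampering -> system discovery -> second-stage
binaries). Event schema, paths and values are constructed; this is not
Microsoft's detection logic."""
from collections import defaultdict
from urllib.parse import urlparse

TRUSTED_HOSTING = {"github.com", "raw.githubusercontent.com",
                   "cdn.discordapp.com", "dl.dropboxusercontent.com"}
PERSISTENCE_KEYS = ("\\currentversion\\run",)        # autorun persistence
TAMPER_KEYS = ("\\windows defender\\",)               # security-feature tampering
DISCOVERY_TOKENS = ("systeminfo", "wmic", "dxdiag", "get-ciminstance")
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\")

# Constructed telemetry: one download, the process tree it spawns and its registry writes,
# plus a benign control case on a second host.
TELEMETRY = [
    {"type": "download", "host": "PC1", "path": "C:\\Users\\u\\Downloads\\Setup.exe",
     "source_url": "https://github.com/example-user/example-repo/releases/download/v1/Setup.exe"},
    {"type": "process", "host": "PC1", "pid": 100, "ppid": 50,
     "image": "C:\\Users\\u\\Downloads\\Setup.exe", "cmdline": "Setup.exe"},
    {"type": "registry", "host": "PC1", "pid": 100,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater"},
    {"type": "registry", "host": "PC1", "pid": 100,
     "key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
     "value": "DisableRealtimeMonitoring"},
    {"type": "process", "host": "PC1", "pid": 101, "ppid": 100,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c systeminfo"},
    {"type": "process", "host": "PC1", "pid": 102, "ppid": 101,
     "image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "cmdline": "svc.exe"},
    {"type": "download", "host": "PC2", "path": "C:\\Users\\v\\Downloads\\tool.exe",
     "source_url": "https://github.com/example-org/tool/releases/download/v2/tool.exe"},
    {"type": "process", "host": "PC2", "pid": 200, "ppid": 60,
     "image": "C:\\Users\\v\\Downloads\\tool.exe", "cmdline": "tool.exe --help"},
]

def process_tree(events):
    """Index processes by pid and map each pid to its child pids."""
    procs, children = {}, defaultdict(list)
    for e in events:
        if e["type"] == "process":
            procs[e["pid"]] = e
            children[e["ppid"]].append(e["pid"])
    return procs, children

def descendants(children, root):
    """All pids below root in the tree (depth-first)."""
    out, stack = set(), [root]
    while stack:
        for c in children[stack.pop()]:
            out.add(c)
            stack.append(c)
    return out

def classify_chains(events, min_stages=2):
    """Return one finding per process tree rooted in a file downloaded from a
    trusted hosting platform that shows at least min_stages infection stages."""
    procs, children = process_tree(events)
    downloads = {e["path"].lower(): e["source_url"] for e in events if e["type"] == "download"}
    findings = []
    for pid, p in procs.items():
        src = downloads.get(p["image"].lower())
        if not src or (urlparse(src).hostname or "") not in TRUSTED_HOSTING:
            continue
        tree = {pid} | descendants(children, pid)
        stages = set()
        for e in events:
            if e.get("pid") not in tree:
                continue
            if e["type"] == "registry":
                key = e["key"].lower()
                if any(k in key for k in PERSISTENCE_KEYS + TAMPER_KEYS):
                    stages.add("stage1_persistence_or_tampering")
            elif e["type"] == "process" and e["pid"] != pid:
                if any(t in e["cmdline"].lower() for t in DISCOVERY_TOKENS):
                    stages.add("stage2_discovery")
                if any(d in e["image"].lower() for d in STAGING_DIRS):
                    stages.add("stage3_second_stage_binary")
        if len(stages) >= min_stages:
            findings.append({"host": p["host"], "root_pid": pid,
                             "source_host": urlparse(src).hostname, "stages": sorted(stages)})
    return findings

if __name__ == "__main__":
    for f in classify_chains(TELEMETRY):
        print(f["host"], f["root_pid"], f["source_host"], ", ".join(f["stages"]))
```

The point of requiring at least two stages is that a single download from GitHub, or a single registry write, is ordinary activity; it is the combination of a trusted-platform origin with persistence, discovery and a second binary from a staging directory in one process tree that matches the chain the article describes. The control case on PC2 is also a GitHub download, but its tree shows none of the stages and is not reported.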

What Makes This Attack Dangerous?

  • Exploiting Trusted Platforms Like GitHub: Attackers bypass security filters by hosting malware on trusted platforms.
  • Multi-Layered Redirection: The multiple redirection layers make it hard for security software to detect the threat.
  • Targeting High-Volume Users: Illegal streaming websites have a large audience, ensuring a high infection rate.

Microsoft’s Response and Recommendations

Microsoft has removed the malicious GitHub repositories, but cybercriminals continually create new ones. To stay protected, follow these security best practices:

  • Avoid Illegal Streaming Websites – Many pirate websites are malware hotspots.
  • Do Not Trust Unsolicited Downloads – Never download files from pop-ups or redirected pages.
  • Use Reputable Security Software – Keep antivirus and antimalware tools updated.
  • Be Cautious of Redirects – If a site redirects you multiple times, exit immediately.
  • Check URL Sources – Verify that downloads come from official sources.
  • Enable Multi-Factor Authentication (MFA) – Secure accounts with MFA to protect sensitive data.

Conclusion

This malvertising campaign shows how cybercriminals use trusted platforms like GitHub to distribute malware. By leveraging illegal streaming websites, attackers have infected nearly one million devices worldwide.

While Microsoft has taken action, users must adopt strong cybersecurity habits to avoid falling victim to similar threats. Awareness and proactive security measures remain the best defense against these evolving attacks.
