Microsoft Uncovers Massive Malvertising Campaign Infecting Millions


Mar 11, 2025, by Eli Junco

Cybercriminals are constantly refining their methods, and a new malvertising campaign has caught the attention of Microsoft. Detected in early December 2024 and tracked under the moniker Storm-0408, this campaign has infected over one million devices worldwide. By leveraging deceptive ads on illegal streaming websites, threat actors are redirecting users through multiple layers of malicious sites to GitHub—and even Discord and Dropbox—where they host payloads designed to steal sensitive information and deploy additional malware.

What Is Malvertising?

Malvertising, short for malicious advertising, is a cyberattack method where hackers inject harmful code into legitimate online ads. These infected ads are designed to look genuine and are often embedded in high-traffic websites, including those hosting pirated content. Once a user clicks on one of these ads, they are redirected through a complex chain of intermediary sites that ultimately deliver the malware.

How the Campaign Works

In this campaign, the attack begins on illegal streaming websites where malicious ads are embedded within movie frames. These ads contain redirectors that send unsuspecting users to intermediary websites. From there, the user is further redirected to malicious repositories on platforms like GitHub, where dropper malware awaits. Microsoft’s Threat Intelligence team reported that these GitHub repositories were used to stage payloads that initiate a multi-stage infection process:

  • Establishing a Foothold:
    • The initial payload performs system discovery and collects basic information. It also sets the stage for subsequent attacks by dropping scripts that download additional tools.
  • Reconnaissance and Data Collection:
    • Follow-on payloads, including information stealers such as Lumma Stealer and the open-source Doenerium infostealer, are deployed to extract system details, user credentials, and browser data. A PowerShell script may also configure Microsoft Defender exclusions to help the malware evade detection.
  • Command Execution and Data Exfiltration:
    • The malware leverages living-off-the-land binaries (LOLBAS) like PowerShell.exe, MSBuild.exe, and RegAsm.exe to communicate with its command-and-control (C2) server. This stage involves remote access tools, such as NetSupport RAT, and scripts written in JavaScript, VBScript, and AutoIT, all designed to maintain persistence, exfiltrate data, and execute further commands.
  • Evasion Tactics and Response:
    • One of the campaign’s most alarming features is its use of legitimate platforms to hide malicious activity. By embedding its initial access payloads on GitHub—and occasionally on Discord and Dropbox—the campaign benefits from the inherent trust users place in these services. Microsoft has already taken steps to dismantle parts of the operation by taking down several malicious repositories and revoking compromised digital certificates.

How to Protect Your Devices

The indiscriminate nature of this attack underscores the need for robust cybersecurity practices. Here are some key steps to mitigate the risk:

  • Avoid Illegal Streaming Sites:
    • These sites are often hotbeds for malvertising. Stick to reputable sources when accessing online media.
  • Be Wary of Unfamiliar Ads:
    • If an ad seems out of place or too good to be true, don’t click it.
  • Use Reputable Antivirus and Endpoint Protection:
    • Ensure that your security software is up-to-date to detect and block known threats.
  • Monitor Outbound Connections:
    • Unusual network activity can be an early sign of an infection.
  • Enable Multi-Factor Authentication (MFA):
    • MFA adds an extra layer of security to prevent unauthorized access.
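Two of the behaviours described above are easy to turn into concrete detections: the PowerShell step that adds Microsoft Defender exclusions, and LOLBAS binaries such as MSBuild.exe and RegAsm.exe opening outbound connections (the "Monitor Outbound Connections" advice). The script below is an added example written for this article, not code from Microsoft or from the campaign; it runs over a small set of constructed process-creation and network-connection events in a simplified schema, and the hostnames, paths and IP addresses in it are placeholders. `Add-MpPreference` and its `-Exclusion*` parameters are real Defender cmdlet names; everything else (field names, rule names, the allowlist parameter) is an assumption of the example.

```python
"""Detection helpers for two behaviours attributed to the Storm-0408 chain:
PowerShell adding Microsoft Defender exclusions, and living-off-the-land
binaries (PowerShell.exe, MSBuild.exe, RegAsm.exe) opening outbound
connections. Input is a list of simplified, constructed event records
(not real telemetry); the schema is this example's own assumption."""

import re
from dataclasses import dataclass

# LOLBAS binaries named in the article, lower-cased for comparison.
LOLBAS = {"powershell.exe", "msbuild.exe", "regasm.exe"}

# Add-MpPreference with an -ExclusionPath/-ExclusionProcess/-ExclusionExtension
# parameter adds a Defender exclusion; these cmdlet and parameter names are real.
EXCLUSION_RE = re.compile(
    r"add-mppreference\s.*-exclusion(path|process|extension)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def detect_defender_exclusion(event):
    """Flag process-creation events whose command line adds a Defender exclusion."""
    cmd = event.get("command_line", "")
    if event.get("type") == "process_create" and EXCLUSION_RE.search(cmd):
        return Finding("defender-exclusion-added", event["host"], cmd)
    return None


def detect_lolbas_outbound(event, allowlist=()):
    """Flag network-connect events where a LOLBAS binary talks outbound.

    allowlist holds destinations known to be legitimate in your environment
    (for example an internal build server that MSBuild.exe really contacts).
    """
    if event.get("type") != "network_connect":
        return None
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if image in LOLBAS and event.get("dest") not in allowlist:
        return Finding("lolbas-outbound-connection", event["host"],
                       f"{image} -> {event['dest']}:{event.get('dest_port')}")
    return None


def scan(events, allowlist=()):
    """Run both detectors over every event and collect the findings in order."""
    findings = []
    for ev in events:
        for f in (detect_defender_exclusion(ev), detect_lolbas_outbound(ev, allowlist)):
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample events (placeholder hosts, paths and documentation-range IPs).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -NoProfile -Command '
                     '"Add-MpPreference -ExclusionPath C:\\Users\\Public"'},
    {"type": "process_create", "host": "WS-01",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe readme.txt"},
    {"type": "network_connect", "host": "WS-01",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dest": "203.0.113.10", "dest_port": 443},
    {"type": "network_connect", "host": "WS-02",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dest": "198.51.100.7", "dest_port": 8080},
    {"type": "network_connect", "host": "WS-02",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "198.51.100.7", "dest_port": 443},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

On the sample data the script raises three findings (the exclusion added on WS-01, and the MSBuild.exe and RegAsm.exe connections) while ignoring Notepad and the browser. In a real deployment the same two checks map onto Sysmon or EDR process-creation and network-connection telemetry; the allowlist is what keeps the LOLBAS rule from firing on legitimate build or deployment traffic, so it should be populated from observed baselines rather than left empty.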

At TechHorizon Consulting, we understand that the digital landscape is fraught with evolving threats like this malvertising campaign. We have the experience to protect your network by implementing robust security measures, enforcing strong authentication, and continuously monitoring for suspicious activities. If your organization relies on online services, cloud platforms, or remote access solutions, now is the time to act.