Microsoft has revealed details of a large-scale malicious advertising campaign that has affected over one million devices worldwide, as part of an opportunistic attack designed to steal sensitive information.
The tech giant, which detected the activity in early December 2024, is tracking it under the broader umbrella of Storm-0408, a term used to describe a group of threat actors known to distribute remote access or information-stealing malware via phishing, search engine optimization (SEO), or malicious advertising.
“The attack originated from pirated streaming websites that contained malicious advertising redirectors, which led to an intermediary website where the user was then redirected to GitHub and two other platforms,” the Microsoft Threat Intelligence team reported.
The campaign affected a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.
The most notable aspect of the campaign is the use of GitHub as a platform for delivering initial access payloads. In at least two other isolated instances, the payloads were found hosted on Discord and Dropbox. The GitHub repositories have since been taken down, although the company did not disclose how many repositories were removed.
Microsoft’s code hosting service acts as a staging ground for dropper malware responsible for deploying additional programs like Lumma Stealer and Doenerium, which are capable of collecting system information.
The attack employs a complex redirection chain with four to five layers, where the initial redirector is embedded within an iframe element on pirated streaming websites serving copyrighted content.
The overall infection sequence is a multi-stage process that involves system discovery, information gathering, and the use of follow-on payloads such as NetSupport RAT and AutoIT scripts to facilitate further data theft. The remote access trojan also serves as a conduit for stealer malware.
- First stage: Establish a foothold on target devices
- Second stage: System reconnaissance, collection, and exfiltration, and payload delivery
- Third stage: Command execution, payload delivery, defensive evasion, persistence, command-and-control communications, and data exfiltration
- Fourth stage: PowerShell script to configure Microsoft Defender exclusions and run commands to download data from a remote server
Another notable aspect of the attacks involves the use of various PowerShell scripts to download NetSupport RAT, identify installed applications and security software, specifically scanning for the presence of cryptocurrency wallets, indicating potential financial data theft.
“In addition to the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host,” Microsoft stated. “The threat actors utilized living-off-the-land binaries and scripts (LOLBAS) like PowerShell.exe, MSBuild.exe, and RegAsm.exe for command-and-control and data exfiltration of user data and browser credentials.”
This revelation comes as Kaspersky disclosed that fake websites masquerading as the DeepSeek and Grok artificial intelligence (AI) chatbots are being used to trick users into installing a previously undocumented Python information stealer.
Websites impersonating DeepSeek, advertised by verified accounts on X (e.g., @ColeAddisonTech, @gaurdevang2, and @saduq5), have also been used to execute a PowerShell script that uses SSH to grant attackers remote access to the computer.
“Cybercriminals employ various schemes to lure victims to malicious resources,” the Russian cybersecurity company said. “Typically, links to such sites are distributed through messengers and social networks. Attackers may also use typosquatting or purchase ad traffic to malicious sites through numerous affiliate programs.”
