Microsoft Uncovers Massive Malvertising Campaign Targeting Over One Million Devices

Microsoft has revealed details of a large-scale malvertising campaign that has impacted over one million devices worldwide, aiming to steal sensitive information through opportunistic attacks.

Threat Actor & Attack Chain

  • Tracked as: Storm-0408, Microsoft's umbrella name for threat actors that distribute remote access trojans (RATs) and information-stealing malware via phishing, SEO poisoning, and malvertising.
  • Initial Discovery: December 2024
  • Primary Targets: Both consumer and enterprise devices across multiple industries.

Malicious Redirects & Delivery Mechanism

The attack chain starts on illegal streaming websites that carry embedded malvertising redirectors. Victims are bounced through one or more intermediary sites before landing on GitHub, Discord, or Dropbox, where the payloads are hosted; the legitimate hosting services give the downloads a veneer of trust and make simple domain blocklists ineffective.

  • GitHub has been particularly abused to host dropper malware, which then delivers secondary payloads like Lumma Stealer and Doenerium to harvest system data.
  • The malicious GitHub repositories have since been taken down, though Microsoft has not disclosed how many were removed.
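The redirect chain described above leaves a trail in web-proxy logs: a browser that follows four or five redirectors issues one request per hop, and the Location header of each 3xx response names the next. The Python below reconstructs those chains per client and flags the ones that end in a file download from one of the hosting services named in this article. It is an added example, not Microsoft's code or tooling; the log format, the client addresses, the hostnames (`free-streams.example`, `ad-redir1.example`, and so on) and the GitHub account and repository path are constructed for illustration, and the payload-host list and the hop threshold are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines for this example (not real campaign data).
# Format: <time> <client_ip> <method> <url> <status> [location=<redirect target>]
PROXY_LOG = """\
10:00:01 10.0.0.5 GET https://free-streams.example/watch?v=123 302 location=https://ad-redir1.example/go?id=1
10:00:01 10.0.0.5 GET https://ad-redir1.example/go?id=1 302 location=https://ad-redir2.example/c?x=9
10:00:02 10.0.0.5 GET https://ad-redir2.example/c?x=9 302 location=https://landing.example/offer
10:00:02 10.0.0.5 GET https://landing.example/offer 302 location=https://github.com/example-account/example-repo/releases/download/v1/Setup.exe
10:00:03 10.0.0.5 GET https://github.com/example-account/example-repo/releases/download/v1/Setup.exe 200
10:05:00 10.0.0.7 GET https://news.example/article 302 location=https://www.news.example/article
10:05:00 10.0.0.7 GET https://www.news.example/article 200
"""

LINE = re.compile(
    r"^(?P<time>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})"
    r"(?: location=(?P<location>\S+))?$"
)
REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}

# Assumed payload-hosting services, based on the three named in the article.
PAYLOAD_HOSTS = {"github.com", "objects.githubusercontent.com",
                 "cdn.discordapp.com", "dropbox.com", "dl.dropboxusercontent.com"}
PAYLOAD_EXTENSIONS = (".exe", ".msi", ".zip", ".js", ".vbs")


def parse(log):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE.match, log.splitlines()) if m]


def build_chains(records):
    """Group requests per client and follow Location headers to rebuild redirect chains.

    A chain starts at any request that is not itself the target of a redirect
    seen for the same client, and continues while the response is a 3xx whose
    Location the client then requested.
    """
    by_client = {}
    for r in records:
        by_client.setdefault(r["client"], []).append(r)

    chains = []
    for client, recs in by_client.items():
        first_request = {}
        for r in recs:
            first_request.setdefault(r["url"], r)
        redirect_targets = {r["location"] for r in recs if r["location"]}
        for start in recs:
            if start["url"] in redirect_targets:
                continue  # an intermediate hop, not the head of a chain
            chain, cur, seen = [start["url"]], start, {start["url"]}
            while (cur["status"] in REDIRECT_STATUSES and cur["location"]
                   and cur["location"] in first_request and cur["location"] not in seen):
                cur = first_request[cur["location"]]
                chain.append(cur["url"])
                seen.add(cur["url"])  # guard against redirect loops
            chains.append((client, chain))
    return chains


def is_suspicious(chain, min_hops=4):
    """Flag long cross-domain chains that end in a file download from a payload host.

    The article reports four to five redirect layers; min_hops=4 mirrors that and
    can be lowered for broader (noisier) coverage.
    """
    hosts = [urlparse(u).hostname or "" for u in chain]
    final = urlparse(chain[-1])
    hops = len(chain) - 1
    ends_in_payload = (final.hostname in PAYLOAD_HOSTS
                       and final.path.lower().endswith(PAYLOAD_EXTENSIONS))
    return hops >= min_hops and len(set(hosts)) >= 3 and ends_in_payload


def hunt_redirect_chains(log):
    """Return (client, chain) pairs from the log that look like malvertising delivery."""
    return [(client, chain) for client, chain in build_chains(parse(log))
            if is_suspicious(chain)]


if __name__ == "__main__":
    for client, chain in hunt_redirect_chains(PROXY_LOG):
        print(f"{client}: {len(chain) - 1} hops ending at {chain[-1]}")
```

On the constructed log the 10.0.0.5 chain (streaming site, two ad redirectors, a landing page, then a GitHub release download) is flagged, while the ordinary one-hop redirect for 10.0.0.7 is not. Real proxies often log only the request, so the Location value may have to be inferred from the next request's Referer; JavaScript and meta-refresh redirects produce no 3xx at all and need browser telemetry instead.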

Multi-Stage Attack Process

  1. First-Stage: Establish foothold on target devices.
  2. Second-Stage: Conduct system reconnaissance, collect data, and deploy additional payloads.
  3. Third-Stage: Execute commands, evade security defenses, and establish persistence.
  4. Fourth-Stage: Run PowerShell scripts that add Microsoft Defender exclusions for the attacker's working directories, then pull further data from the C2 server and exfiltrate stolen data.

The attack chain also leverages NetSupport RAT and AutoIt scripts, enabling further data theft, including browser credentials and cryptocurrency wallet data.

Tactics & Evasion Techniques

  • The malware employs four to five layers of redirection to disguise its origin.
  • Threat actors rely on living-off-the-land binaries and scripts (LOLBAS) that ship with Windows, such as:
    • PowerShell.exe
    • MSBuild.exe
    • RegAsm.exe
  • These signed system binaries are used for command-and-control (C2) communications and data exfiltration, so the activity blends in with legitimate administrative and developer use and cannot be flagged on process name alone; the parent process and command line are what give it away.
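The host-side behaviours in the Multi-Stage Attack Process and Tactics & Evasion Techniques sections (a Defender exclusion added from PowerShell, MSBuild.exe or RegAsm.exe launched by a dropper sitting in a user-writable directory, hidden PowerShell spawned from the same place) can be hunted in process-creation telemetry. The Python below runs three such rules over constructed events. It is an added example, not Microsoft's detection logic; the events are invented in a Sysmon Event ID 1-like shape, and the paths, parent processes, user name and rule thresholds are assumptions.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1-like shape.
# Paths, users and command lines are invented for this example, not campaign telemetry.
SAMPLE_EVENTS = [
    {   # dropper in Temp launches hidden PowerShell that adds a Defender exclusion
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
        "command_line": r'powershell.exe -nop -w hidden -c "Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp"',
    },
    {   # same dropper abuses MSBuild.exe to run a project file it wrote
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "parent_image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
        "command_line": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.proj",
    },
    {   # loader in AppData\Roaming starts RegAsm.exe with no arguments
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        "parent_image": r"C:\Users\alice\AppData\Roaming\svc\loader.exe",
        "command_line": r"RegAsm.exe",
    },
    {   # benign: Visual Studio building a project
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
        "command_line": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
    },
    {   # benign: interactive PowerShell started from Explorer
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r"powershell.exe Get-Process",
    },
]

# Directories an unprivileged user can write to; a signed system binary whose
# parent lives here is far more suspicious than one started by a signed IDE.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)

# The two LOLBAS execution hosts named in the article (extend as needed).
LOLBAS_EXECUTION_HOSTS = {"msbuild.exe", "regasm.exe"}

DEFENDER_TAMPER = re.compile(
    r"Add-MpPreference\s+-Exclusion|Set-MpPreference\s+-Disable", re.I)
PS_EVASION_FLAGS = re.compile(
    r"(?:^|\s)-(?:nop|noprofile|w\s+hidden|windowstyle\s+hidden|enc|encodedcommand"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b",
    re.I,
)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return (rule, severity) findings for one process-creation event."""
    image = basename(event["image"])
    parent = event["parent_image"]
    cmd = event["command_line"]
    findings = []
    if DEFENDER_TAMPER.search(cmd):
        findings.append(("defender_exclusion_tamper", "high"))
    if image in LOLBAS_EXECUTION_HOSTS and USER_WRITABLE.search(parent):
        findings.append(("lolbas_from_user_writable_parent", "high"))
    if image == "powershell.exe" and PS_EVASION_FLAGS.search(cmd) and USER_WRITABLE.search(parent):
        findings.append(("hidden_powershell_from_user_writable_parent", "medium"))
    return findings


def hunt_process_events(events):
    """Run every rule over every event; returns (event_index, rule, severity) tuples."""
    return [(i, rule, sev) for i, e in enumerate(events) for rule, sev in evaluate(e)]


if __name__ == "__main__":
    for index, rule, severity in hunt_process_events(SAMPLE_EVENTS):
        print(f"event {index}: {rule} [{severity}]")
```

The first three constructed events each trip a rule and the two benign ones do not, which is the point of keying on the parent process rather than the image name: MSBuild.exe under devenv.exe is a build, MSBuild.exe under a file in Temp is a loader. Defender exclusion changes are also recorded independently of process telemetry as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is a useful second source when command lines are not collected.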

Wider Cybersecurity Concerns

Microsoft's disclosure follows reports from Kaspersky, which found that fake DeepSeek and Grok AI chatbot websites are being used to distribute a previously undocumented Python-based information stealer.

  • Attackers leverage verified social media accounts on X (formerly Twitter) to promote these bogus AI tools.
  • Victims are tricked into executing PowerShell scripts that establish remote SSH access for attackers.

Takeaways & Recommendations

With cybercriminals increasingly using malvertising, typosquatting, and ad traffic manipulation, organizations and users should:

  • Avoid downloading software from unverified sources, including files reached through ads on streaming sites, even when the final link points at a well-known service such as GitHub, Discord, or Dropbox.
  • Log and monitor browser redirect chains at the web proxy, and block known malicious ad networks.
  • Keep security tools updated and alert on tampering with them, such as unexpected Microsoft Defender exclusions.

The campaign highlights the growing sophistication of malvertising attacks, emphasizing the critical need for proactive cybersecurity measures.