Microsoft issues urgent warning about malvertising campaign

Microsoft has uncovered a massive malvertising campaign that has compromised over a million devices globally. The attackers used malicious ads and compromised websites to distribute information-stealing malware, primarily targeting users of illegal streaming sites.

  • Nikita Alexander
  • March 10, 2025
  • 3 minutes

Microsoft Threat Intelligence has discovered a massive malvertising campaign that has impacted nearly a million devices worldwide. The campaign, active since December 2024, targets users visiting illegal streaming websites. It employs a multi-stage attack chain to deliver information-stealing malware.

The attackers cleverly exploit the user’s desire for free streaming content by embedding malicious redirectors within movie frames on these illegal sites. When a user clicks to play a video, they unknowingly trigger a series of redirects, ultimately landing on a malicious payload hosted on various platforms.

While GitHub was initially the primary platform for hosting the malicious files, Microsoft has also observed instances of malware being delivered via Dropbox and Discord. This highlights the attackers’ opportunistic approach and willingness to leverage various platforms to maximize their reach.

Multi-stage attack chain

The malvertising campaign employs a complex, multi-stage attack chain to evade detection and maintain persistence on the victim’s device:

  • First Stage: The initial payload, downloaded from GitHub, Dropbox, or Discord, serves as a dropper. This means it installs additional malicious files and scripts onto the infected device.
  • Second Stage: These new files perform system discovery, collecting sensitive information such as system specifications, browser credentials, and even encrypted data via DPAPI calls. This data is then sent to the attacker’s command-and-control (C2) server.
  • Third Stage: This stage varies depending on the second-stage payload. It can involve PowerShell scripts, AutoIT scripts, and other executables. These tools can establish persistence through registry modifications and startup folder shortcuts, exfiltrate additional data, and even deploy remote access tools (RATs) like NetSupport.
  • Fourth Stage: In some instances, a fourth stage is observed where additional PowerShell scripts disable security measures, download more malware, and establish connections with additional C2 servers.
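The third stage above names two persistence locations that defenders can audit directly: autorun registry keys and Startup folder shortcuts. The following read-only PowerShell script is an added example (not code from the article or from Microsoft's report) that lists both and flags entries launching PowerShell, AutoIt or other script hosts. The pattern list is an illustrative assumption, not an indicator taken from the campaign, and a match is a prompt for investigation rather than proof of compromise.

```powershell
# Added example: audit Run/RunOnce keys and Startup folder shortcuts for entries
# that launch script hosts. Read-only; nothing is modified.

# Assumed pattern for illustration: interpreters and script hosts commonly used
# by droppers. Tune to your environment; legitimate software can match too.
$SuspiciousPattern = 'powershell|pwsh|autoit|\.a3x|wscript|cscript|mshta|-enc'

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$Findings = @()

# 1. Registry autoruns: every value under each key is a command line run at logon.
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Entry in $Props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($Entry.Name -like 'PS*') { continue }
        $Cmd = [string]$Entry.Value
        $Findings += [pscustomobject]@{
            Source     = $Key
            Name       = $Entry.Name
            Command    = $Cmd
            Suspicious = ($Cmd -match $SuspiciousPattern)
        }
    }
}

# 2. Startup folders (per-user and all-users): resolve each .lnk to its target.
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$Shell = New-Object -ComObject WScript.Shell
foreach ($Dir in $StartupDirs) {
    if (-not (Test-Path $Dir)) { continue }
    foreach ($Lnk in Get-ChildItem -Path $Dir -Filter '*.lnk' -File) {
        $Sc  = $Shell.CreateShortcut($Lnk.FullName)
        $Cmd = "$($Sc.TargetPath) $($Sc.Arguments)".Trim()
        $Findings += [pscustomobject]@{
            Source     = $Dir
            Name       = $Lnk.Name
            Command    = $Cmd
            Suspicious = ($Cmd -match $SuspiciousPattern)
        }
    }
}

# Flagged entries first so they are easy to spot in the output.
$Findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it in an elevated session to read the HKLM keys and the all-users Startup folder; without elevation only the per-user locations are fully visible. Scheduled tasks and services are other common autostart locations the article does not mention, and would need separate checks.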

Mitigating the threat

Microsoft has taken swift action to mitigate this threat, working with GitHub to take down the malicious repositories and providing detailed recommendations for users and organizations. Key recommendations include:

  • Strengthening endpoint security: Enabling tamper protection, network protection, and web protection features in Microsoft Defender for Endpoint.
  • Enhancing operating environment security: Implementing multi-factor authentication (MFA), using phishing-resistant authentication methods, and enabling Microsoft Defender SmartScreen for web browsing protection.
  • Restricting potentially harmful tools: Leveraging AppLocker to restrict access to reconnaissance, fingerprinting, and RMM tools.
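A quick way to verify the endpoint-side recommendations on a single Windows machine is to query the Defender cmdlets and the AppLocker effective policy. The script below is an added example (not from the article or from Microsoft) and only reads state. The SmartScreen registry location it checks is the Windows policy value, given here as an assumption; organisations that configure SmartScreen through Intune or browser policy will need to look at those settings instead.

```powershell
# Added example: read-only check of the endpoint settings the recommendations name.
# Requires the Defender PowerShell module shipped with Windows 10/11 and Server.

$Status = Get-MpComputerStatus
$Pref   = Get-MpPreference

# Assumed policy location for Windows SmartScreen (value 1 = enabled by policy).
$SmartScreenPolicy = Get-ItemProperty `
    -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
    -Name 'EnableSmartScreen' -ErrorAction SilentlyContinue

# AppLocker: count rule collections that are actually enforced, not just audited.
$AppLocker = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$EnforcedCollections = @()
if ($AppLocker) {
    $EnforcedCollections = $AppLocker.RuleCollections |
        Where-Object { $_.EnforcementMode -eq 'Enabled' -and $_.Count -gt 0 }
}

$Checks = [ordered]@{
    'Tamper protection'            = [bool]$Status.IsTamperProtected
    'Real-time protection'         = [bool]$Status.RealTimeProtectionEnabled
    # EnableNetworkProtection: 0 = disabled, 1 = block, 2 = audit only
    'Network protection (block)'   = ($Pref.EnableNetworkProtection -eq 1)
    'SmartScreen policy enabled'   = ($SmartScreenPolicy.EnableSmartScreen -eq 1)
    'AppLocker enforcing rules'    = ($EnforcedCollections.Count -gt 0)
}

foreach ($Name in $Checks.Keys) {
    $State = if ($Checks[$Name]) { 'OK  ' } else { 'MISSING' }
    '{0,-8} {1}' -f $State, $Name
}
```

Tamper protection cannot be switched on from this cmdlet set; it is managed through the Windows Security app or Intune, which is why the script only reports it. A `MISSING` line for AppLocker means no enforced rule collection is in effect, so the recommended restrictions on reconnaissance and RMM tools are not yet applied on that host.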

Read the full report from Microsoft Security to learn more about this malvertising campaign’s multi-stage attack chain.

This malvertising campaign serves as a stark reminder of the evolving threat landscape and the importance of proactive security measures. By understanding the attackers’ techniques and implementing the recommended mitigations, users and organizations can better protect themselves from falling victim to such attacks.
