Microsoft Uncovers Massive Malvertising Campaign Using GitHub to Distribute Malware


Microsoft Threat Intelligence has uncovered a large-scale malvertising campaign that has affected close to one million devices globally. The campaign, active since at least late 2024, primarily targets users of illegal movie streaming websites: malicious advertisements (malvertisements) embedded in those sites redirect visitors through a chain of intermediary pages to malware payloads.

These payloads, hosted on legitimate platforms such as GitHub, Discord, and Dropbox, deliver multi-stage malware designed to steal sensitive information from victims, including stored browser credentials and system configuration data.

Microsoft has since worked with GitHub to take down the repositories hosting the malicious files, but the campaign illustrates a growing trend of cybercriminals abusing trusted platforms to distribute malware.

How the Attack Works: A Multi-Layered Strategy

This malicious operation relies on multiple redirection layers to evade security detection and maximize infection rates. The process follows these steps:

1. Malvertising on Illegal Streaming Websites

The attack begins when unsuspecting users visit pirated movie or TV show websites whose advertising slots embed malicious redirectors. These redirectors act as intermediaries that funnel users through several further domains before the final payload is reached.

2. Redirecting to Fake Tech Support and Malware Websites

Instead of taking users directly to malware, the first redirect leads to another attacker-controlled website, often disguised as a tech support page or a fake software update page. These sites trick users into downloading files that look harmless (a player update, a codec, a support tool) but carry the first-stage malware.

3. Final Redirect to GitHub for Malware Download

The final redirect leads victims to GitHub repositories where the first-stage malware payload is hosted. Because traffic to GitHub is routine in most environments and the domain enjoys a good reputation, the download is rarely blocked by URL filters, and a payload that has not yet been seen by antivirus vendors passes without a detection.
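The three steps above describe one redirect chain: ad slot to redirector to fake support page to a GitHub-hosted file. One way to hunt for such chains in web proxy logs is to follow each client's sequence of HTTP 3xx responses and flag chains of several hops that terminate on a code-hosting or file-sharing host. The example below is an added illustration, not Microsoft's detection logic; the log format, the domain names and the three-hop threshold are all constructed assumptions for the demonstration.

```python
"""Flag multi-hop redirect chains that end at a code-hosting/file-sharing host.

Added example; not tooling from Microsoft or from the original article.
Log format (constructed, simplified proxy log, one request per line):
    <unix_ts> <client_ip> <method> <host> <path> <status> <Location-or-dash>
"""
from collections import defaultdict
from urllib.parse import urlparse

# Hosts named in the article as payload hosting locations (assumption: which
# CDN hostnames serve the files; adjust to what your proxy actually logs).
PAYLOAD_HOSTS = {
    "github.com",
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
    "cdn.discordapp.com",
    "dl.dropboxusercontent.com",
}

# Constructed sample log: one client walks a four-hop chain from a streaming
# site to a GitHub release asset; another fetches a GitHub page directly; a
# third downloads a release asset through GitHub's normal single redirect.
SAMPLE_LOG = """\
1741000000 10.0.0.5 GET freemovies.example / 200 -
1741000001 10.0.0.5 GET ads.tracker.example /click?id=7 302 https://redir1.example/go
1741000002 10.0.0.5 GET redir1.example /go 302 https://support-alert.example/update
1741000003 10.0.0.5 GET support-alert.example /update 302 https://github.com/someuser/repo/releases/download/v1/update.exe
1741000004 10.0.0.5 GET github.com /someuser/repo/releases/download/v1/update.exe 302 https://objects.githubusercontent.com/github-production-release-asset/abc123
1741000005 10.0.0.5 GET objects.githubusercontent.com /github-production-release-asset/abc123 200 -
1741000010 10.0.0.9 GET github.com /python/cpython 200 -
1741000020 10.0.0.7 GET github.com /someorg/tool/releases/download/v2/tool.zip 302 https://objects.githubusercontent.com/github-production-release-asset/def456
1741000021 10.0.0.7 GET objects.githubusercontent.com /github-production-release-asset/def456 200 -
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, path, status, location = line.split(maxsplit=6)
        events.append({
            "ts": int(ts), "client": client, "host": host, "path": path,
            "status": int(status), "location": None if location == "-" else location,
        })
    return events


def _is_redirect(event):
    return 300 <= event["status"] < 400 and event["location"] is not None


def find_redirect_chains(events, min_hops=3, window=30):
    """Return chains of >= min_hops consecutive redirects, per client, whose
    final request lands on a host in PAYLOAD_HOSTS. Each hop must be a request
    to the host named in the previous response's Location, within `window` s."""
    by_client = defaultdict(list)
    for event in events:
        by_client[event["client"]].append(event)

    chains = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            if not _is_redirect(evs[i]):
                i += 1
                continue
            chain = [evs[i]]
            j = i + 1
            while j < len(evs):
                prev, nxt = chain[-1], evs[j]
                target_host = urlparse(prev["location"]).hostname
                if nxt["ts"] - prev["ts"] > window or nxt["host"] != target_host:
                    break
                chain.append(nxt)
                if not _is_redirect(nxt):
                    break  # chain ended in a real response (e.g. the download)
                j += 1
            hops = sum(1 for e in chain if _is_redirect(e))
            if hops >= min_hops and chain[-1]["host"] in PAYLOAD_HOSTS:
                chains.append({
                    "client": client,
                    "hops": hops,
                    "path": [e["host"] for e in chain],
                    "final": chain[-1]["host"] + chain[-1]["path"],
                })
            i += len(chain)  # chain elements are consecutive starting at i
    return chains


if __name__ == "__main__":
    for hit in find_redirect_chains(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']}: {hit['hops']} hops -> {hit['final']}")
        print("   " + " -> ".join(hit["path"]))
```

The single-redirect download by 10.0.0.7 is not flagged: a GitHub release asset normally redirects once to `objects.githubusercontent.com`, so the hop threshold is what separates routine use from the layered chain the article describes. Tune `min_hops` and `window` to your own proxy's baseline before alerting on it.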

How the Malware Works: A Three-Stage Infection Process

Once the initial payload is downloaded from GitHub, it acts as a dropper that brings in additional malware in three stages:

Stage 1: Dropping Initial Malware

The first-stage payload establishes a foothold on the device and retrieves the next stage. According to the report, it also sets up persistence by modifying system settings and disabling security features so that later stages run unhindered.

Stage 2: Collecting System Information

The second payload is designed to gather system data, including:

  • Operating system details
  • Installed software and user paths
  • Memory size and graphics capabilities
  • Screen resolution and system configuration

Stage 3: Installing Information Stealers and Remote Access Tools

At this point, attackers deploy malware designed to steal sensitive data and establish long-term access to the system. The strains observed include:

  • Lumma Stealer – A widely sold infostealer known for extracting passwords, cookies, and saved credentials from web browsers.
  • Updated Doenerium Stealer – A newer variant of an existing infostealer, used here to exfiltrate system information and enable follow-on attacks.
  • NetSupport RAT – NetSupport Manager is a legitimate remote administration tool; deployed covertly it gives attackers full remote control of the victim's computer, including the ability to install additional malware as needed.

Some variants of the attack also download additional files or run PowerShell, JavaScript, VBScript, and AutoIT scripts, which adds further layers for defenders to unpick during detection and removal.
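Each stage described above is a user-launched file that then hands off to a script interpreter (PowerShell, wscript for JavaScript/VBScript, AutoIt), so the process tree is a reliable place to catch it: a script host whose parent, or grandparent, was executed from a user-writable download or temp folder. The example below is an added illustration of that detection idea, not code from the article or from Microsoft; the process-creation events are constructed, and the folder markers, interpreter list and ancestor depth are assumptions to tune per environment.

```python
"""Flag script interpreters launched beneath an executable that was run from a
user-writable download/temp location (constructed example, not Microsoft's).

Each event is a process-creation record: pid, ppid, image path, command line.
"""
import ntpath

# Interpreters the article names as used by later stages (AutoIt, PowerShell,
# JScript/VBScript via the Windows Script Host) plus mshta, a common sibling.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "autoit3.exe",
}

# Path fragments that mark a user-writable drop location (assumption).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

ENCODED_FLAGS = {"-enc", "-encodedcommand", "-ec"}

# Constructed sample: a browser download spawns PowerShell with an encoded
# command, which drops a second binary in Temp that runs a JavaScript file;
# separately an admin runs PowerShell interactively from Explorer (benign).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\Downloads\Player_Update.exe",
     "cmdline": "Player_Update.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "cmdline": "svc.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\cfg.js"},
    {"pid": 600, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]


def basename(image):
    return ntpath.basename(image).lower()


def is_user_writable(image):
    lowered = image.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def uses_encoded_command(cmdline):
    return any(tok in ENCODED_FLAGS for tok in cmdline.lower().split())


def find_script_hosts_from_drops(events, max_depth=3):
    """For every script-host process, walk up to max_depth ancestors; report a
    hit if any ancestor's image lives in a user-writable drop location."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if basename(event["image"]) not in SCRIPT_HOSTS:
            continue
        chain, current = [event], event
        for _ in range(max_depth):
            parent = by_pid.get(current["ppid"])
            if parent is None:
                break
            chain.append(parent)
            if is_user_writable(parent["image"]):
                hits.append({
                    "pid": event["pid"],
                    "script_host": basename(event["image"]),
                    "dropper": parent["image"],
                    "chain": [basename(p["image"]) for p in reversed(chain)],
                    "encoded": uses_encoded_command(event["cmdline"]),
                    "cmdline": event["cmdline"],
                })
                break
            current = parent
    return hits


if __name__ == "__main__":
    for hit in find_script_hosts_from_drops(SAMPLE_EVENTS):
        flag = " [encoded command]" if hit["encoded"] else ""
        print(f"pid {hit['pid']}: {' -> '.join(hit['chain'])}{flag}")
        print(f"   dropper: {hit['dropper']}")
```

Walking several ancestors matters because the intermediate stage (here `svc.exe` in Temp) is itself the parent of the next interpreter; matching only the immediate parent would miss a stage that inserts an extra binary. The interactive PowerShell under Explorer produces no hit, which is the false-positive class this rule is designed to avoid.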

What Makes This Attack Dangerous?

1. Exploiting Trusted Platforms Like GitHub

By hosting malicious files on GitHub, Discord, and Dropbox, attackers sidestep reputation-based filtering. Many URL filters and network security systems allow these domains outright, so the download blends in with legitimate traffic, and a freshly built payload may not yet have an antivirus signature.

2. Multi-Layered Redirection to Evade Detection

The four to five redirection layers used in this attack mean no single domain in the chain looks overtly malicious, and attackers can swap out any one layer that gets blocked, which makes the threat hard for security software to identify and block.

3. Targeting a High Number of Users

By placing their advertisements on widely visited illegal streaming websites, cybercriminals reach a very large audience, which is how the campaign came to affect almost one million devices worldwide.

Microsoft’s Response and Recommendations

1. Removing Malicious GitHub Repositories

Microsoft has confirmed that the malicious GitHub repositories have been taken down. However, since attackers can cheaply create new repositories under fresh accounts, users and defenders must remain vigilant.

2. Security Best Practices for Users

To protect against such threats, Microsoft and cybersecurity experts recommend the following:

✅ Avoid Illegal Streaming Websites – Many pirate websites are known hotbeds for malware, and visiting them significantly increases the risk of infection.

✅ Do Not Trust Unsolicited Downloads – Never download software updates or files from random pop-ups or redirected pages.

✅ Use Reputable Security Software – Ensure that antivirus and endpoint detection tools are updated and actively scanning for threats, and that their protection features have not been switched off.

✅ Be Cautious of Redirects – If a website unexpectedly bounces you through several other domains, or lands you on a "support" or "update" page you did not ask for, close the tab immediately.

✅ Check URL Sources – Before downloading any file, confirm that the link points to the vendor's official site or project page. A file being hosted on GitHub, Discord, or Dropbox is not by itself evidence that it is safe.

✅ Enable Multi-Factor Authentication (MFA) – To protect sensitive data, enable MFA on all accounts, especially email, banking, and work-related platforms.

Conclusion

This malvertising campaign demonstrates the evolving tactics of cybercriminals who are now using legitimate platforms like GitHub to distribute malware. By leveraging illegal streaming websites as an entry point, attackers have successfully infected nearly one million devices worldwide.

Although Microsoft has taken action to shut down some of the malicious repositories, users must adopt strong cybersecurity habits to avoid falling victim to similar threats in the future. As cybercriminals continue refining their techniques, awareness and proactive security measures remain the best defense against these increasingly sophisticated attacks.
