Malware News: Malvertising campaign leads to info stealers hosted on GitHub

nicolaasjan

Level 5
Thread author
Verified
Well-known
May 29, 2023
222
In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.

GitHub was the primary platform used in the delivery of the initial access payloads and is referenced throughout this blog post; however, Microsoft Threat Intelligence also observed one payload hosted on Discord and another hosted on Dropbox.

The GitHub repositories, which were taken down, stored malware used to deploy additional malicious files and scripts. Once the initial malware from GitHub gained a foothold on the device, the additional files deployed had a modular and multi-stage approach to payload delivery, execution, and persistence. The files were used to collect system information and to set up further malware and scripts to exfiltrate documents and data from the compromised host. This activity is tracked under the umbrella name Storm-0408 that we use to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimization (SEO), or malvertising campaigns to distribute malicious payloads.

In this blog, we provide our analysis of this large-scale malvertising campaign, detailing our findings regarding the redirection chain and various payloads used across the multi-stage attack chain. We further provide recommendations for mitigating the impact of this threat, detection details, indicators of compromise (IOCs), and hunting guidance to locate related activity. By sharing this research, we aim to raise awareness about the tactics, techniques, and procedures (TTPs) used in this widespread activity so organizations can better prepare and implement effective mitigation strategies to protect their systems and data.

We would like to thank the GitHub security team for their prompt response and collaboration in taking down the malicious repositories.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,816

TairikuOkami

Level 38
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,732
It can be so easily blocked at multiple levels, mostly by my beloved DNS

First-stage: DNS blocking malware and TLDs
First-stage: Probably by disabling GPU features
Third-stage: DNS blocking C&C
Third-stage: Firewall blocking TCP Out
Fourth-stage: Disable WSH (VBScript)
Fourth-stage: Restricting PowerShell?
Fourth-stage: DNS blocking again
Fourth-stage: RunAsPPL set to 1
 

Attachments

  • capture_03092025_100401.jpg
  • capture_03092025_100535.jpg
  • capture_03092025_103807.jpg

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,816
It can be so easily blocked at multiple levels, mostly by my beloved DNS

First-stage: DNS blocking malware and TLDs
First-stage: Probably by disabling GPU features
Third-stage: DNS blocking C&C
Third-stage: Firewall blocking TCP Out
Fourth-stage: Disable WSH (VBScript)
Fourth-stage: Restricting PowerShell?
Fourth-stage: DNS blocking again
Fourth-stage: RunAsPPL set to 1

DNS blocking or blocking Ads in the web browser is a good idea, but it will not block many attacks.
I think combining many security layers (including DNS blocking) is welcome. For example, this attack can be blocked in the "Third Stage" by blocking PowerShell and CMD scripts. Enabling good Network Protection can also block/mitigate many such attacks.
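The host-side layers listed in TairikuOkami's post and in the reply above (RunAsPPL, disabling WSH, restricting PowerShell, Network Protection, outbound firewall default) can be audited on a Windows 10/11 machine with the read-only script below. It is an added example, not code from the thread or from Microsoft's post, and it assumes an elevated PowerShell session with the Defender and NetSecurity modules present; it reports but does not change anything.

```powershell
# Added example: read-only audit of the hardening settings discussed in the thread.
# Assumes an elevated PowerShell 5.1+ session on Windows 10/11. Nothing is modified.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

$results = @()

# 1. LSA protection: RunAsPPL = 1 runs lsass as a protected process, so an
#    info stealer running as admin cannot simply read credentials out of it.
$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
$results += [pscustomobject]@{ Check = 'LSA protection (RunAsPPL=1)'; Value = $ppl; Hardened = ($ppl -eq 1) }

# 2. Windows Script Host: Enabled = 0 stops wscript.exe/cscript.exe from running
#    VBScript/JScript droppers such as the fourth-stage scripts described in the post.
$wsh = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
$results += [pscustomobject]@{ Check = 'WSH disabled (HKLM Enabled=0)'; Value = $wsh; Hardened = ($wsh -eq 0) }

# 3. PowerShell restriction: Constrained Language Mode (enforced by WDAC/AppLocker)
#    is what limits a downloaded script; the execution policy is not a security boundary.
$mode = $ExecutionContext.SessionState.LanguageMode
$results += [pscustomobject]@{ Check = 'PowerShell language mode'; Value = $mode; Hardened = ($mode -eq 'ConstrainedLanguage') }

# 4. Defender Network Protection: 1 = block, 2 = audit only, 0 = off.
$np = (Get-MpPreference).EnableNetworkProtection
$results += [pscustomobject]@{ Check = 'Defender Network Protection'; Value = $np; Hardened = ($np -eq 1) }

# 5. Firewall default outbound action per profile: Block means outbound TCP to
#    C2 hosts is dropped unless an allow rule exists for the program.
foreach ($p in Get-NetFirewallProfile) {
    $results += [pscustomobject]@{ Check = "Firewall outbound default ($($p.Name))"; Value = $p.DefaultOutboundAction; Hardened = ($p.DefaultOutboundAction -eq 'Block') }
}

$results | Format-Table -AutoSize
```

Each row shows the current value and whether it matches the hardened setting named in the thread; DNS blocking is not covered because it lives on the resolver, not the host.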