Microsoft has taken offline an unknown number of GitHub repositories that were used in a large-scale malvertising campaign, affecting nearly one million devices worldwide.
The company’s threat analysts discovered these attacks in early December 2024, BleepingComputer reports, after they observed multiple devices downloading malware from GitHub repositories. Criminals then used this malware to install a series of additional malicious programs on the infected systems.
Injected ads into videos
After analyzing the campaign, researchers found that the attackers injected ads into videos on illegal streaming websites. These ads redirected potential victims to malicious GitHub repositories under the attackers' control.
Microsoft explained that the streaming websites embedded malvertising redirects in the movie footage to generate revenue through pay-per-view or pay-per-click on malvertising platforms. Those redirects sent traffic through one or two additional malvertising redirects, which eventually led to another website, such as a malware or tech support scam site, before finally redirecting to GitHub.
Malvertising videos led to GitHub
The malvertising videos thus directed users to GitHub repositories, where they became infected with malware that collected system information such as memory size, graphics details, screen resolution, operating system and user paths. The malware exfiltrated this data and, in the next stage, installed additional malicious software.
In the third stage of the attack, a PowerShell script downloaded the NetSupport Remote Access Trojan (RAT) from a command-and-control server and embedded it in the registry for persistence. Once active, the RAT could also install the Lumma information stealer and the open-source Doenerium malware to steal user data and browser credentials.
If the third stage was instead an executable file, it created and executed a CMD file and dropped an AutoIt interpreter with a .com extension. This AutoIt component launched the binary and could drop another copy of the interpreter with a .scr extension. A JavaScript file was also deployed to support the execution and persistence of the .scr files.
In the final phase of the attack, the AutoIt components used RegAsm or PowerShell to open files, enable external browser debugging and steal additional information. In some cases, they also used PowerShell to set exclusion paths for Windows Defender or to install additional NetSupport malware.
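The Defender tampering described above leaves a trace in the endpoint's own logs: Windows Defender writes an Operational event 5007 whenever its configuration changes, including new exclusion paths. The following is an added example, not code from the article or from Microsoft's report: a small Python scanner that reads lines in the style of those 5007 events and flags new path, extension and process exclusions as well as real-time protection being switched off. The `<event_id>|<message>` line format, the sample events and the directories in them are constructed for this example; the registry key names are the ones Defender reports in its own event text.

```python
"""Flag Windows Defender configuration changes that weaken coverage.

Added example (not from the original article or Microsoft's report): parses
lines in the style of Defender Operational event 5007 and reports new
exclusions and real-time protection changes, the kind of tampering a
post-infection script performs before dropping further payloads.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical log format used for this example: "<event_id>|<message>", one event per line.
EVENT_RE = re.compile(r"^(?P<id>\d+)\|(?P<msg>.*)$")
# The changed value as it appears in event 5007 text, relative to the Defender hive.
NEW_VALUE_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\(?P<key>.+?)\s*=\s*(?P<val>\S+)",
    re.IGNORECASE,
)
# User-writable locations where an attacker-controlled exclusion is most suspicious.
RISKY_PATH_MARKERS = ("\\users\\public", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

# Constructed sample events; paths and values are made up for this example.
SAMPLE_EVENTS = [
    r"5007|Windows Defender Antivirus Configuration has changed. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Libraries = 0x0",
    r"5007|Windows Defender Antivirus Configuration has changed. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.scr = 0x0",
    r"5007|Windows Defender Antivirus Configuration has changed. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
    r"5007|Windows Defender Antivirus Configuration has changed. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Acme Backup = 0x0",
    r"1116|Windows Defender Antivirus has detected malware or other potentially unwanted software.",
]


@dataclass
class Finding:
    event_id: int
    kind: str      # path_exclusion | extension_exclusion | process_exclusion | realtime_disabled
    detail: str    # the excluded path/extension/process, or the key that was changed
    severity: str  # "high" or "medium"


def classify(key: str, val: str) -> Optional[Tuple[str, str, str]]:
    """Map a changed Defender value to (kind, detail, severity), or None if benign here."""
    k = key.lower()
    if k.startswith("exclusions\\paths\\"):
        path = key[len("Exclusions\\Paths\\"):]
        # An exclusion on a user-writable directory is the classic pre-payload move.
        sev = "high" if any(m in path.lower() for m in RISKY_PATH_MARKERS) else "medium"
        return "path_exclusion", path, sev
    if k.startswith("exclusions\\extensions\\"):
        return "extension_exclusion", key.split("\\")[-1], "high"
    if k.startswith("exclusions\\processes\\"):
        return "process_exclusion", key[len("Exclusions\\Processes\\"):], "high"
    if k == "real-time protection\\disablerealtimemonitoring" and val.lower() in ("0x1", "1"):
        return "realtime_disabled", key, "high"
    return None


def scan(lines) -> List[Finding]:
    """Return one Finding per configuration change that reduces Defender coverage."""
    findings: List[Finding] = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m.group("id") != "5007":
            continue  # only configuration-change events are relevant here
        v = NEW_VALUE_RE.search(m.group("msg"))
        if not v:
            continue
        c = classify(v.group("key"), v.group("val"))
        if c:
            findings.append(Finding(5007, *c))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] event {f.event_id}: {f.kind} -> {f.detail}")
```

In production the lines would come from the Microsoft-Windows-Windows Defender/Operational channel via a log forwarder or SIEM rather than a list; the point of the example is the classification, which treats any new exclusion as worth an alert and raises the severity when the excluded location is one a user (or malware running as that user) can write to.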
Although GitHub was the primary platform for the spread of the first phase of the attack, Microsoft Threat Intelligence also saw malicious files hosted on Dropbox and Discord.
Microsoft stated that this activity is being tracked under the name Storm-0408, an umbrella term used to identify multiple threat actors engaged in spreading remote access or information-stealing malware via phishing, search engine optimization (SEO) or malvertising campaigns.
Wide range of organizations
The campaign affected a wide range of organizations and industries, and both consumer devices and corporate networks, highlighting the random nature of the attack, Microsoft stated.
Microsoft’s report provides additional and more detailed information on the different phases of the attacks and the malware used in this complex malvertising campaign.