Microsoft: Massive Malvertising Campaign Infects a Million Devices
A sprawling malvertising campaign that targeted people watching pirated videos on illegal streaming sites delivered information-stealing malware to almost a million devices, according to security researchers at Microsoft.
The bad actors targeted both consumer and enterprise devices from a broad array of organizations and industries, which highlighted what the researchers called the “indiscriminate nature of the attack.”
The multi-step campaign eventually took the victims from the illegal streaming sites to malware payloads hosted on GitHub, with one or two stops in between, Microsoft Threat Intelligence wrote in a report. At the starting point, the streaming websites included malvertising redirectors embedded into the movie frames by bad actors to drive pay-per-view or pay-per-click revenue from malvertising platforms.
“These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub,” the researchers wrote, adding that they also found one payload hosted on Discord and another on Dropbox.
The repositories on Microsoft-owned GitHub have since been taken down.
One Redirect After Another
In the chain of redirects, traffic was routed from the streaming sites through one or two other malicious redirectors before landing on another website, such as a malware or tech support scam site. From there, victims were redirected to GitHub, where multiple stages of malware were deployed; the “several different stages of activity that occurred depended on the payload dropped during the second stage.”
The first-stage payload hosted on GitHub was a dropper that established a foothold on the targeted system and led to the next payloads. Those files were used to discover and exfiltrate system information, which was Base64-encoded – converting the binary data to a readable text format – into the URL and sent over HTTP to an IP address. Among the information taken were memory size, graphics details, screen resolution, user paths, and the operating system.
“Various third-stage payloads were deployed depending on the second-stage payload,” the researchers wrote. “In general, the third-stage payload conducted additional malicious activities such as command and control (C2) to download additional files and to exfiltrate data, as well as defense evasion techniques.”
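As an added example (not part of Microsoft's report or this article), the following Python flags proxy-log entries that match the exfiltration pattern described above: a Base64 blob of host details sent over plain HTTP to a bare IP address. The log format, the marker strings and the sample lines are constructed assumptions, not values from the campaign.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit
# Substrings a decoded fingerprint blob is likely to contain (assumed, derived
# from the fields the report lists). Two or more hits are treated as suspicious.
FINGERPRINT_MARKERS = ("memory", "gpu", "resolution", "users\\", "windows")
BARE_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def try_b64(value: str):
    """Decode standard or URL-safe Base64 text; return None if it is not Base64."""
    value = unquote(value)
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", value):
        return None
    padded = value.replace("+", "-").replace("/", "_") + "=" * (-len(value) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def suspicious_exfil(url: str) -> bool:
    """Flag a plain-HTTP request to a literal IP whose query or path carries a
    Base64 blob mentioning at least two host-fingerprint markers."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not BARE_IPV4.fullmatch(parts.hostname or ""):
        return False
    # Split the query by hand: parse_qsl would turn Base64 '+' into spaces.
    values = [kv.partition("=")[2] or kv for kv in parts.query.split("&")]
    for value in values + parts.path.split("/"):
        decoded = try_b64(value)
        if decoded and sum(m in decoded.lower() for m in FINGERPRINT_MARKERS) >= 2:
            return True
    return False

def scan_log(lines):
    """Return the URLs of matching entries from 'timestamp client method url' lines."""
    urls = [f[3] for f in (line.split() for line in lines) if len(f) >= 4]
    return [u for u in urls if suspicious_exfil(u)]

# Constructed sample data: a fingerprint like the one described, a benign HTTPS
# page load, and a benign Base64 version string sent to an IP (no markers).
_FINGERPRINT = b"memory=16GB;gpu=NVIDIA RTX 3060;resolution=1920x1080;os=Windows 10;path=C:\\Users\\alice"
EXFIL_URL = "http://203.0.113.45/c.php?d=" + base64.b64encode(_FINGERPRINT).decode()
SAMPLE_LOG = [
    "2025-03-06T10:00:01Z 10.0.0.8 GET https://www.example.com/index.html",
    "2025-03-06T10:00:07Z 10.0.0.8 GET " + EXFIL_URL,
    "2025-03-06T10:00:09Z 10.0.0.8 GET http://198.51.100.7/update?ver="
    + base64.b64encode(b"2.4.1-stable-build").decode(),
]
```

Running `scan_log(SAMPLE_LOG)` returns only the fingerprint URL; the benign Base64 version string to an IP is not flagged because its decoded text carries none of the markers.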
Infostealers Come First
The malware deployed by the dropper included infostealers that were either Lumma stealer or an updated version of Doenerium. In some instances, a legitimate remote monitoring and management (RMM) solution – NetSupport – also was deployed with the infostealer.
Along with that, the malware also ran PowerShell, JavaScript, VBScript, and AutoIT scripts on the host system. The cybercriminals also used living-off-the-land binaries and scripts already on the systems, including PowerShell.exe, MSBuild.exe, and RegAsm.exe, for C2 and exfiltration of user data and browser credentials.
“Each stage dropped another payload with a different function,” the researchers wrote. “Actions conducted across these stages include system discovery (memory, GPU, OS, signed-in users, and others), opening browser credential files, Data Protection API (DPAPI) crypt data calls, and other functions such as obfuscated script execution and named pipe creations to conduct data exfiltration. Persistence was achieved through modification of the registry run keys and the addition of a shortcut file to the Windows Startup folder.”
Malvertising an Ongoing Threat
The campaign, which Microsoft tracked as Storm-0408, is the latest example of malvertising being used to steal credentials. It comes just more than a month after Malwarebytes in January unveiled a fake ad campaign on Google that aimed to steal account credentials and two-factor authentication codes.
Enzoic, a cybersecurity firm that aims to prevent fraud and account takeover via compromised credentials, wrote in a column last month about early cyberthreat trends in 2025 that malvertising is a continuing problem, particularly now that ads are becoming so integrated into widely used web applications and services.
“As it becomes harder to distinguish what is an ad and what is not, it becomes easier for threat actors to snare unsuspecting visitors, who may have thought they clicked on a legitimate search result,” Enzoic’s threat research team wrote. “Early malvertising often involved tricking users into downloading viruses, trojans, or spyware. These days, we also need to look out for infostealers and fake login page clones.”
Enzoic’s report echoes what other cybersecurity vendors are seeing. Security firm Avast noted in a blog post last year that its researchers saw a surge in malvertising on such platforms as YouTube in early 2024.
“The quality of malicious ads has improved immensely, making it harder for users to distinguish between what’s real or fake,” the company wrote. “Finding a space online that’s not rife with ads seems like an unlikely dream – unless you pay for it. And depending on the platform, you may think that the ads you see are legitimate. However, that may not be the case.”