Microsoft has dismantled a network of GitHub repositories fueling a widespread malvertising campaign that compromised nearly one million devices globally. The tech giant’s security teams detected the operation in December 2024, tracing infections back to malware-laden ads injected into pirated streaming sites.

Malicious Ads on Pirated Streaming Platforms Led to Infections

Security researchers found that cybercriminals embedded hidden redirections into video frames on illegal streaming platforms. These malicious scripts rerouted unsuspecting viewers through multiple redirectors before ultimately landing them on GitHub repositories hosting malware.

The initial lure was video ads on pirated content websites.
Users clicking or even just viewing these videos were silently redirected.
Traffic passed through multiple layers of malicious redirectors before reaching a GitHub-hosted payload.

Once on the infected repositories, victims unknowingly downloaded malware capable of gathering system details and deploying additional threats.

Multi-Stage Attack: How the Malware Spread

The attack didn’t stop at a single infection. Microsoft’s investigation uncovered a sophisticated, multi-stage process designed to persist within systems and exfiltrate sensitive data.

Stage One: Malicious GitHub repositories delivered the first malware payload, which collected system information such as memory size, screen resolution, OS version, and user paths.
Stage Two: The collected data was transmitted to an external server, while a second set of malicious scripts prepared for deeper infiltration.
Stage Three: A PowerShell script downloaded the NetSupport RAT (remote access trojan), granting attackers persistent control over compromised systems.
Final Stage: The malware deployed additional tools, including Lumma and Doenerium information stealers, to extract browser credentials and other sensitive data.

In some cases, the infection chain varied. If an executable file was used instead of a PowerShell script, it triggered an AutoIt-based execution method. This involved dropping a disguised AutoIt interpreter (.com or .scr file) alongside JavaScript components to gain persistence and execute further commands.

Microsoft’s Response and the Scale of the Attack

Microsoft responded swiftly to take down the malicious GitHub repositories, limiting further infections. However, the company’s security teams found that GitHub was not the only hosting service exploited in the campaign. Attackers also used Dropbox and Discord to distribute payloads, demonstrating how cybercriminals leverage multiple platforms to evade detection.

The campaign’s reach was vast, affecting both individual consumers and enterprise networks across industries. Microsoft tracked the activity under the name Storm-0408, a designation for threat actors specializing in remote access and information-stealing malware.

What’s Next? The Ongoing Battle Against Malvertising

Malvertising remains a major cybersecurity threat, particularly as attackers refine their methods to bypass traditional security defenses. Microsoft’s report sheds light on the growing sophistication of these campaigns, making it clear that:

Ad networks remain a weak point—Malicious actors continue to exploit legitimate advertising platforms to distribute malware.
Cloud services are being weaponized—Platforms like GitHub, Dropbox, and Discord are increasingly used to host malware, requiring stricter content moderation.
Multi-stage attacks are becoming the norm—Simple malware infections are evolving into layered, persistent attacks that are harder to detect and mitigate.

While Microsoft’s intervention has disrupted this particular campaign, the fight against malvertising is far from over. As attackers adapt, cybersecurity teams must stay ahead with proactive threat detection and mitigation strategies.