Malvertising Campaign Leads to Info Stealers Hosted on GitHub

In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that affected nearly one million devices worldwide. It originated on illegal streaming websites embedded with malicious advertisements, which sent victims through a chain of redirectors to payloads hosted on GitHub, with Dropbox and Discord also used for hosting. The campaign hit consumer and enterprise devices across many industries indiscriminately, underlining the need for stronger controls on both devices and networks. Affected: consumer devices, enterprise devices, GitHub, Dropbox, Discord

Key points:

  • December 2024: A large-scale malvertising operation detected by Microsoft Threat Intelligence.
  • Approximately one million devices affected globally.
  • The attack primarily originated from illegal streaming websites.
  • Utilized malicious advertisements to redirect users to GitHub and other platforms.
  • GitHub was the primary host for the first-stage payloads, spread across several repositories; Dropbox and Discord were also used for hosting.
  • Multiple stages of malware delivery and execution observed.
  • The campaign targeted both consumer and enterprise devices.
  • Modular, multi-stage design: later stages handled system discovery, persistence, and information exfiltration.
  • Recommendations provided for mitigating risk and enhancing detection capabilities.
  • Close collaboration between Microsoft and GitHub proved critical in taking down malicious repositories.

MITRE ATT&CK Techniques:

  • Initial Access: Drive-by Compromise (T1189) – malicious advertisements on illegal streaming sites redirected users to attacker-controlled pages.
  • Command and Control: Application Layer Protocol (T1071) – payloads staged on GitHub were fetched over HTTPS after a chain of redirections through malicious links.
  • Credential Access: Credentials from Password Stores (T1555) – the delivered information stealers harvested credentials stored on the host.
  • Exfiltration Over C2 Channel (T1041) – collected data was sent out during payload execution and in later stages.
  • Execution: Command and Scripting Interpreter (T1059) – PowerShell, VBScript and AutoIT scripts ran the malware stages.
  • Persistence: Registry Run Keys / Startup Folder (T1547.001) – registry Run keys were modified and shortcuts were dropped in the Startup folder.
  • Discovery: System Information Discovery (T1082) and Query Registry (T1012) – system details were gathered, including through registry queries.

Indicators of Compromise:

  • [Domain] movies7[.]net
  • [Domain] 0123movie[.]art
  • [Domain] fle-rvd0i9o8-moo[.]com
  • [URL] hxxps://github[.]com/down4up/
  • [URL] hxxps://startherehosting[.]net/todaypage/
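As an added example (not code from the original report or from Microsoft), the script below refangs the indicators listed above and sweeps them across web-proxy log lines. Domain indicators match the host and any subdomain of it; the two URL indicators live on otherwise legitimate hosts (GitHub, a hosting provider), so they are matched as URL prefixes rather than by hostname, which is the check a practitioner actually needs for abused-cloud-service IOCs. The log lines are constructed for the example, and the GitHub path beyond `/down4up/` is a placeholder, not a real repository.

```python
from urllib.parse import urlparse

# Indicators as listed in the report, still defanged.
DEFANGED_IOCS = [
    "movies7[.]net",
    "0123movie[.]art",
    "fle-rvd0i9o8-moo[.]com",
    "hxxps://github[.]com/down4up/",
    "hxxps://startherehosting[.]net/todaypage/",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def build_matchers(iocs):
    """Split indicators into host-level domains and URL prefixes."""
    domains, url_prefixes = set(), []
    for ioc in iocs:
        live = refang(ioc)
        if "://" in live:
            url_prefixes.append(live.lower())
        else:
            domains.add(live.lower())
    return domains, url_prefixes


def host_of(value: str) -> str:
    """Hostname of a URL, or the bare host if no scheme is present."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.split("/")[0].split(":")[0].lower()


def match_ioc(value: str, domains, url_prefixes):
    """Return the indicator that a URL/host matches, or None."""
    host = host_of(value)
    # Domain IOCs: exact host or any subdomain (www.movies7.net hits movies7.net).
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    # URL IOCs: prefix match, because the host itself (github.com) is legitimate.
    lowered = value.lower()
    for p in url_prefixes:
        if lowered.startswith(p):
            return p
    return None


# Constructed sample proxy log (not from the report): timestamp, client IP, requested URL.
# The path after /down4up/ is a placeholder, not a real repository.
SAMPLE_LOG = """\
2024-12-03T10:14:02Z 10.1.2.3 https://www.movies7.net/watch/1234
2024-12-03T10:14:05Z 10.1.2.3 https://fle-rvd0i9o8-moo.com/go?x=1
2024-12-03T10:14:09Z 10.1.2.3 https://github.com/down4up/placeholder-repo/raw/main/stage1.bin
2024-12-03T10:15:00Z 10.1.2.4 https://github.com/microsoft/vscode
2024-12-03T10:15:30Z 10.1.2.5 https://example.org/
"""


def scan_log(text: str, iocs=DEFANGED_IOCS):
    """Return (timestamp, client, url, matched_ioc) for every hit in the log."""
    domains, prefixes = build_matchers(iocs)
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash mid-sweep
        ts, client, url = parts[0], parts[1], parts[2]
        hit = match_ioc(url, domains, prefixes)
        if hit:
            hits.append((ts, client, url, hit))
    return hits


if __name__ == "__main__":
    for ts, client, url, ioc in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {ioc}  ({url})")
```

Note that plain host matching would miss the GitHub indicator entirely, since `github.com` is legitimate traffic; it would also produce false positives if you blocked the whole host. Prefix matching on the full URL is what lets you flag `/down4up/` without touching the rest of GitHub, and the same applies to the Dropbox and Discord hosting mentioned above once URL-level indicators are available.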


Full Story: https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/