Microsoft has dismantled an undisclosed number of GitHub repositories that were being used in a massive malvertising campaign, which affected nearly one million devices worldwide.
The company’s threat analysts identified these attacks in December 2024 after noticing multiple devices downloading malware from compromised GitHub repositories. The malware was then leveraged to deploy additional malicious payloads on infected systems.
The attackers injected ads into videos on illegal pirated streaming websites, redirecting unsuspecting users to malicious GitHub repositories. According to Microsoft, these websites embedded redirectors within movie frames to generate ad revenue while steering victims toward malware-hosting sites. The redirects passed through multiple layers before ultimately leading to GitHub-hosted malware.
Once users landed on the infected GitHub repositories, their devices were compromised by malware designed to gather system information, including memory size, graphics details, screen resolution, operating system data, and user paths. The malware then exfiltrated this data while deploying additional payloads in subsequent attack stages.
A third-stage PowerShell script downloaded the NetSupport remote access trojan (RAT) from a command-and-control server and established persistence through the registry. Once active, the malware could deploy further threats such as the Lumma information stealer and the open-source Doenerium infostealer, allowing attackers to extract sensitive user data and browser credentials.
In cases where the third-stage payload was an executable, it launched a CMD file that dropped a renamed AutoIt interpreter with a .com extension. This AutoIt component executed a secondary binary, potentially deploying another copy of the AutoIt interpreter with a .scr extension. A JavaScript file was also included to facilitate execution and persistence of these files.
In the final stage of the attack, the AutoIt payloads leveraged RegAsm or PowerShell to open files, enable remote browser debugging, and exfiltrate additional system data. PowerShell was also used in some cases to configure Windows Defender exclusion paths and drop additional NetSupport payloads.
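The behaviours described in the later stages (an interpreter renamed to .com/.scr running from a user directory, PowerShell adding a Defender exclusion path, RegAsm launched by that interpreter, a browser started with remote debugging enabled) are each visible in process-creation telemetry. The following triage script is an added example, not code from the article or from Microsoft; the log layout, field names and sample events are constructed for illustration and do not come from the campaign.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample process-creation events: parent image | image | command line.
# The layout is an assumption for this example, not a real EDR export format.
SAMPLE_EVENTS = [
    r"explorer.exe|C:\Users\alice\Downloads\player.com|player.com /c run",
    r"player.com|C:\Windows\System32\cmd.exe|cmd /c start winupd.scr",
    r"winupd.scr|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell -c Add-MpPreference -ExclusionPath C:\Users\alice\AppData",
    r"winupd.scr|C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|RegAsm.exe",
    r"winupd.scr|C:\Program Files\Google\Chrome\Application\chrome.exe|"
    r"chrome.exe --remote-debugging-port=9222 --headless",
    r"explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe",
]

USER_WRITABLE = re.compile(r"\\(users|temp)\\", re.I)   # path under a user-writable directory
ODD_EXT = re.compile(r"\.(com|scr)$", re.I)              # executable with a .com or .scr suffix

def parse(line: str) -> Dict[str, str]:
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}

RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    # .com/.scr executable running from a user-writable path (renamed interpreter pattern)
    ("renamed_interpreter", lambda e: bool(ODD_EXT.search(e["image"]))
                                       and bool(USER_WRITABLE.search(e["image"]))),
    # PowerShell adding a Windows Defender exclusion path
    ("defender_exclusion", lambda e: "add-mppreference" in e["cmdline"].lower()
                                     and "exclusionpath" in e["cmdline"].lower()),
    # RegAsm.exe spawned by a .com/.scr parent rather than by a build tool
    ("regasm_from_odd_parent", lambda e: e["image"].lower().endswith("regasm.exe")
                                         and bool(ODD_EXT.search(e["parent"]))),
    # browser started with remote debugging enabled
    ("browser_remote_debugging", lambda e: "--remote-debugging-port" in e["cmdline"].lower()),
]

def triage(events: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, image path) for every event that matches a rule."""
    hits = []
    for line in events:
        e = parse(line)
        for name, check in RULES:
            if check(e):
                hits.append((name, e["image"]))
    return hits

if __name__ == "__main__":
    for name, image in triage(SAMPLE_EVENTS):
        print(f"{name}: {image}")
```

Real telemetry would additionally expose the binary's original file name and signer, which is a stronger signal for a renamed interpreter than the extension alone.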
Although GitHub was the primary platform for hosting the initial payloads, Microsoft Threat Intelligence also detected malicious files distributed via Dropbox and Discord. The company has categorized this activity under the umbrella term “Storm-0408,” which tracks various threat actors specializing in remote access and information-stealing malware. These actors commonly rely on phishing, search engine optimization (SEO) poisoning, and malvertising to distribute their payloads.
Bijay Pokharel