Malvertising Targets 1M Windows PCs via GitHub

Written by Noel Saido

Noel Saido is a pentester by day and a security researcher by night. Passionate about cybersecurity, he enjoys developing offensive tools and sharing his experiences through writing and video content. When not breaking into systems (ethically, of course), he stays active through exercise.

March 12, 2025

Microsoft recently uncovered a sophisticated malvertising scheme that infected nearly 1 million Windows computers with data-stealing malware, including Lumma and other infostealers. The attack, which affected both individual users and businesses across various sectors, relied on a multi-layered approach involving illegal streaming sites and GitHub as key distribution points. Experts warn that this is likely not the final instance of such tactics.

The campaign came to light in December when Microsoft Threat Intelligence (MTI) traced its origins to illegal streaming platforms laced with malicious ads. These ads redirected users through several stages, often four or five layers deep, starting with an iframe on the streaming sites. Victims were funneled to intermediary pages, such as tech-support scams or malware-laden sites, before landing on GitHub-hosted payloads. Additional malware was also found on platforms like Discord and Dropbox.

According to MTI’s findings, shared in a recent blog post, the initial malware retrieved from GitHub acted as a springboard, deploying additional files in a modular, multi-step process. These files gathered system details, such as memory, graphics, and user data, and established persistence on infected devices, paving the way for further data theft.

Among the payloads were the Lumma stealer and an enhanced version of the Doenerium stealer. GitHub, in partnership with Microsoft, swiftly removed the malicious repositories, though experts caution that similar attacks are likely to resurface.

Skilled Cybercriminals Drive the Attack

Microsoft links this campaign to a group it calls Storm-0408, known for leveraging phishing, SEO manipulation, and malvertising to deliver remote access tools and info-stealing malware. Here, the attackers embedded malicious redirectors within movie frames on streaming sites, likely to profit from pay-per-click or pay-per-view ad schemes.

Ensar Seker, chief security officer at SOCRadar, suggests this fits into a larger malware-as-a-service (MaaS) framework, where ready-made malvertising tools distribute threats like ransomware and banking Trojans. While Windows remains the primary target, Seker predicts a rise in cross-platform attacks as macOS and Linux gain traction among professionals.

How the Attack Unfolds

The campaign unfolded in stages, with the GitHub-hosted first-stage payload serving as a dropper. The second stage collected system information, including screen resolution, OS version, and file paths, encoded it in Base64, and sent it over HTTP to a remote IP address. The third stage varied by payload but typically involved connecting to a command-and-control (C2) server, downloading further files, stealing data, and evading detection.
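As an added example, not code from the article or from Microsoft's report, the following Python sketch turns the two observations above into detection logic run over a small constructed proxy log: a redirect chain of four or five hops that ends at a GitHub-hosted binary, and a Base64-encoded system profile posted over HTTP to a bare IP address. The hostnames, paths, IP addresses, log format and marker patterns are all assumptions; the only values taken from the article are the chain depth and the kinds of fields the second stage collected.

```python
import base64
import binascii
import ipaddress
import re
from urllib.parse import urlparse

# Constructed proxy-log records for this example (all hosts, paths and IPs are
# hypothetical): (client, method, url, referer, request_body)
SAMPLE_LOG = [
    ("10.0.0.5", "GET", "https://free-movies.example/watch/123", "", ""),
    ("10.0.0.5", "GET", "https://ad-frame.example/embed?id=9",
     "https://free-movies.example/watch/123", ""),
    ("10.0.0.5", "GET", "https://redir-one.example/go",
     "https://ad-frame.example/embed?id=9", ""),
    ("10.0.0.5", "GET", "https://support-alert.example/scan",
     "https://redir-one.example/go", ""),
    ("10.0.0.5", "GET",
     "https://github.com/exampleuser/examplerepo/releases/download/v1/Setup.exe",
     "https://support-alert.example/scan", ""),
    ("10.0.0.5", "POST", "http://198.51.100.23/", "",
     base64.b64encode(
         b"res=1920x1080;os=Windows 10;path=C:\\Users\\bob\\Downloads\\Setup.exe"
     ).decode()),
    # Benign traffic: a direct GitHub download and a Base64 body to a named host.
    ("10.0.0.7", "GET", "https://github.com/python/cpython/archive/main.zip",
     "https://docs.example/", ""),
    ("10.0.0.7", "POST", "https://api.example.com/upload", "", "SGVsbG8="),
]

MIN_CHAIN_DEPTH = 4   # article: chains were "often four or five layers deep"
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}
PAYLOAD_EXT = (".exe", ".msi", ".zip", ".bat", ".ps1", ".js", ".dll")

# Assumed markers for the fields the second stage sent (resolution, OS, paths).
SYSINFO_MARKERS = [
    re.compile(r"\b\d{3,4}x\d{3,4}\b"),   # screen resolution, e.g. 1920x1080
    re.compile(r"\bWindows\b"),           # OS version string
    re.compile(r"[A-Za-z]:\\"),           # Windows file path
]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def redirect_chain(log, client, url):
    """Walk Referer headers backwards to rebuild the chain that led to `url`."""
    referers = {u: r for c, _, u, r, _ in log if c == client}
    chain, seen = [url], {url}
    while True:
        prev = referers.get(chain[0], "")
        if not prev or prev in seen:      # root reached, or a referer loop
            return chain
        chain.insert(0, prev)
        seen.add(prev)


def find_github_payload_chains(log, min_depth=MIN_CHAIN_DEPTH):
    """GitHub-hosted binaries reached through a long cross-host redirect chain."""
    findings = []
    for client, method, url, _, _ in log:
        if method != "GET" or host_of(url) not in GITHUB_HOSTS:
            continue
        if not urlparse(url).path.lower().endswith(PAYLOAD_EXT):
            continue
        chain = redirect_chain(log, client, url)
        if len({host_of(u) for u in chain}) >= min_depth:
            findings.append({"client": client, "payload": url, "chain": chain})
    return findings


def decode_base64_text(body):
    """Return the decoded text if `body` is valid Base64 holding printable text."""
    try:
        text = base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_base64_beacons(log, min_markers=2):
    """POSTs to a bare IP whose Base64 body decodes to system-profile text."""
    findings = []
    for client, method, url, _, body in log:
        if method != "POST" or not body or not is_ip_literal(host_of(url)):
            continue
        text = decode_base64_text(body)
        if text is None:
            continue
        hits = [m.pattern for m in SYSINFO_MARKERS if m.search(text)]
        if len(hits) >= min_markers:
            findings.append({"client": client, "dest": url,
                             "decoded": text, "markers": hits})
    return findings


if __name__ == "__main__":
    for f in find_github_payload_chains(SAMPLE_LOG):
        print("GitHub payload via redirect chain:", " -> ".join(f["chain"]))
    for f in find_base64_beacons(SAMPLE_LOG):
        print("system-info beacon to", f["dest"], "decoded as:", f["decoded"])
```

Two caveats apply in practice. Chain reconstruction depends on the Referer header surviving each hop, which an iframe or a strict Referrer-Policy can prevent, so partial chains are normal and the depth threshold should be treated as a tuning knob rather than a hard rule. Likewise, a Base64 body posted to a bare IP is noisy on its own; the marker count is what narrows it, and both thresholds would need tuning against the organisation's own traffic baseline.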

Protecting Against Malvertising Threats

Microsoft outlined several defensive steps for enterprise users of Microsoft Defender for Endpoint. Recommendations include enabling tamper protection, turning on network protection and web protection, and running endpoint detection and response (EDR) in block mode, which lets Defender remediate malicious artifacts even on devices where a third-party antivirus is the primary engine. Microsoft Defender XDR users were also advised to enable attack surface reduction rules to counter common attack methods such as the download-and-execute behaviour seen here.

Beyond technical fixes, awareness is key. Roger Grimes, a data-driven defense expert at KnowBe4, emphasizes educating users about the risks of online ads and search results. “Not every ad or link is safe,” he warns. “Users need to know that these can lead to dangerous places.”

This campaign underscores the evolving threat of malvertising and the need for both robust defenses and user vigilance to combat such attacks.
