Microsoft has uncovered a vast malvertising campaign, tracked under the code name Storm-0408, believed to have affected over a million devices worldwide. The attack, detected in early December 2024, targets both consumer and enterprise devices, using illegal streaming sites as launch points for malware distribution via phishing and search engine manipulation. Central to the campaign is the strategic use of platforms like GitHub to host malicious payloads, which has since led to the takedown of several repositories. Microsoft warns of a complex multi-layer redirection process employed by the attackers, indicative of sophisticated tactics aimed at the theft of sensitive information.
The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.
The attack originated from illegal streaming websites embedded with malvertising redirectors, which led to an intermediary website that in turn redirected the user to GitHub and two other platforms.
The most significant aspect of the campaign is the use of GitHub as a platform for delivering initial access payloads.
The overall infection sequence is a multi-stage process that involves system discovery, information gathering, and the use of follow-on payloads such as NetSupport RAT.