Microsoft has disclosed details about a widespread malvertising campaign that has impacted over one million devices worldwide. The attack, orchestrated by Storm-0408, is designed to steal sensitive information and poses a severe cybersecurity threat to users across many industries.
The attack, detected in December 2024, originated from illegal streaming websites loaded with malvertising redirectors. Victims were funneled through multiple intermediary sites, ultimately leading them to malicious repositories on GitHub, Discord, and Dropbox.
These platforms served as distribution hubs for initial access payloads, deploying Lumma Stealer and Doenerium malware—both designed to extract system details, credentials, and financial data. Microsoft confirmed that malicious GitHub repositories used in this attack have been taken down but did not specify how many were removed.
Multi-Stage Infection Chain
The attack employs a complex redirection system with four to five layers of redirects, increasing the difficulty of tracking its origin. The sequence involves:
- Users visit pirated content sites embedded with malicious iframes.
- They are redirected through multiple intermediary domains, evading detection.
- They land on GitHub, Discord, or Dropbox, where malicious payloads are downloaded.
- Malware executes system reconnaissance, data collection, and exfiltration.
- Follow-on payloads, including NetSupport RAT and AutoIT scripts, establish persistence for further exploitation.
To bypass detection, attackers use PowerShell scripts to:
- Disable Microsoft Defender
- Scan for installed security software
- Search for cryptocurrency wallets
Additionally, threat actors rely on living-off-the-land binaries and scripts (LOLBAS), leveraging PowerShell.exe, MSBuild.exe, and RegAsm.exe to execute commands without raising alarms.
Emerging Cyber Threats: AI Chatbots as Attack Vectors
Beyond malvertising, cybercriminals are using fake AI chatbots to spread malware. A recent Kaspersky report uncovered a scheme where fraudulent websites imitated AI tools like DeepSeek and Grok, tricking users into executing malicious PowerShell scripts that granted remote access via SSH.
Attackers promoted these fake AI tools through verified X (Twitter) accounts, further enhancing their credibility.
How to Defend Against These Attacks
1. Strengthen Security Measures
- Enable Microsoft Defender SmartScreen to block malicious sites.
- Use Endpoint Detection and Response (EDR) solutions to monitor unusual behavior.
- Deploy threat intelligence tools to detect abnormal PowerShell activity.
2. Secure Online Behavior
- Avoid visiting illegal streaming websites, as they frequently host malware.
- Verify AI tools before downloading, especially those advertised on social media.
- Check URLs carefully to avoid falling for typosquatting scams.
3. Enforce Strong Authentication Policies
- Implement Multi-Factor Authentication (MFA) to protect against credential theft.
- Regularly audit and update security settings to prevent malware from disabling defenses.
- Restrict PowerShell execution to authorized users only.
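As an added illustration of the "detect abnormal PowerShell activity" advice above, applied to the behaviours this article lists (Defender tampering, security-software enumeration, and MSBuild.exe/RegAsm.exe launched from a script host or a user-writable path), here is a small triage script. It is not Microsoft's or Kaspersky's code; the process-creation events are constructed Sysmon-style samples, and the specific cmdlets and WMI class names the rules match on are assumptions about how such activity commonly appears, not indicators from the article.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -ExecutionPolicy Bypass -Command '
                    '"Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",   # benign build
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell.exe -Command "Get-CimInstance -Namespace root/SecurityCenter2 '
                    '-ClassName AntiVirusProduct"'},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = POWERSHELL | {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LOLBAS = {"msbuild.exe", "regasm.exe"}            # the two binaries named in the article
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)
# Assumed patterns: Defender weakened via Set-/Add-MpPreference, AV enumerated via SecurityCenter2.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w+", re.I)
AV_ENUM = re.compile(r"SecurityCenter2|AntiVirusProduct", re.IGNORECASE)

def basename(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return the names of the rules that fire on one process-creation event."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd, hits = event["CommandLine"], []
    if image in POWERSHELL and DEFENDER_TAMPER.search(cmd):
        hits.append("defender_tamper")
    if image in POWERSHELL and AV_ENUM.search(cmd):
        hits.append("security_software_recon")
    # LOLBAS binary is suspicious when a script host spawns it or it loads from a user-writable path.
    if image in LOLBAS and (parent in SCRIPT_HOSTS or USER_WRITABLE.search(cmd)):
        hits.append("lolbas_from_script_host_or_user_path")
    return hits

def triage(events):
    """Pair each event index with its rule hits, keeping only events that fired something."""
    results = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, hits) for i, hits in results if hits]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, hits)
```

In a real deployment the same rules would run over forwarded Sysmon or EDR process events rather than the embedded samples, and the benign MSBuild build (index 2) shows why the parent-process and path conditions matter.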
The Storm-0408 malvertising campaign is a stark reminder of the evolving nature of cyber threats. As hackers adopt new tactics, organizations must remain proactive by strengthening their cyber defenses and educating users on emerging threats. With malvertising, GitHub exploitation, and AI-powered phishing on the rise, cyber resilience is more critical than ever.