Malicious Ads On Illegal Streaming Sites Infected 1 Million PCs, Microsoft Warns

Microsoft has shut down multiple GitHub repositories that were being used in a large-scale malvertising campaign affecting nearly one million devices worldwide.

The company discovered the attack in December 2024, when its threat intelligence team noticed malware being downloaded from GitHub onto users’ devices.

According to a Microsoft analysis, cybercriminals planted malicious ads inside videos on illegal streaming websites. These ads redirected unsuspecting users to GitHub, where malware was secretly downloaded onto their systems.

Once installed, the malware deployed additional harmful programs designed to steal personal information, compromise security, and allow attackers to maintain control over infected devices.

Microsoft’s analysis revealed that the campaign was highly organized, using multiple stages to spread malware. The first step involved luring users to GitHub, Discord, or Dropbox, where the malware was hosted.

Once downloaded, the malware collected data about the infected system, including memory size, operating system details, and user information. The attackers then used this data to deploy even more harmful programs, including information-stealing malware like Lumma Stealer and Doenerium.

In some cases, a remote monitoring tool called NetSupport was also installed, allowing attackers to control infected devices remotely. The campaign, tracked by Microsoft under the name Storm-0408, was designed to be difficult to detect. Attackers used legitimate tools like PowerShell and JavaScript to blend in with normal system operations.

They also implemented persistence techniques, such as modifying registry settings and adding startup shortcuts, to ensure that the malware remained on the infected devices even after a restart.

Microsoft worked with GitHub’s security team to remove the malicious repositories, preventing further infections. However, the company warned that similar attacks could happen in the future. It urged users to be cautious when visiting illegal streaming sites and to keep their software and security protections updated.

The blog post also provided technical details for cybersecurity professionals, including ways to detect signs of infection and prevent similar threats.

Microsoft emphasized the need for organizations to stay vigilant against evolving cyber threats, especially those leveraging trusted platforms like GitHub to spread malware.