Malvertising campaign leads to info stealers hosted on GitHub

March 7, 2025, 10:41 a.m.

Description

A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms. The multi-stage attack chain involved deploying information stealers like Lumma and Doenerium, as well as remote access tools. The threat actors used living-off-the-land techniques and various scripts to collect system information, exfiltrate data, and establish persistence. The campaign affected both consumer and enterprise devices across multiple industries, highlighting its indiscriminate nature.

External References

https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
https://otx.alienvault.com/pulse/67ca2991532d81738cbca1e8
Tags
malvertising
lumma stealer
github
lumma
netsupport rat
information stealer
multi-stage attack
doenerium
2025-03-06
living-off-the-land

Date

  • Created: March 6, 2025, 11:02 p.m.
  • Published: March 6, 2025, 11:02 p.m.
  • Modified: March 7, 2025, 10:41 a.m.

Indicators

  • htps://cdn.discordapp.com/attachments/1316109420995809283/1316112071376769165/NativeApp_G4QLIQRa.exe
  • https://uc8ce1a0cf2efa109cd4540c0c22.dl.dropboxusercontent.com/cd/0/get/CgHUWBzFWtX1ZE6CwwKXVb1EvW4tnDYYhbX8Iqj70VZ5e2uwYlkAq6V-xQcjX0NMjbOJrN3_FjuanOjW66WdjPHNw2ptSNdXZi4Sey6511OjeNGuzMwxtagHQe5qFOFpY2xyt1sWeMfLwwHkvGGFzcKY/file?dl=1
  • http://keikochio.com/incall.php
Download all indicators here!

Attack Patterns

  • Lumma Stealer
  • NetSupport RAT
  • Doenerium
  • Storm-0408