
Microsoft has uncovered a large-scale malvertising operation that has affected more than one million devices worldwide. Detected in early December 2024, the campaign is attributed to threat actors known as Storm-0408, who specialize in distributing remote access tools and information-stealing malware.
## Attack Vector and Distribution
The attack chain begins on illegal streaming websites hosting pirated content. These sites embed malvertising redirectors that push victims through a four- to five-layer redirection chain. Users are ultimately led to GitHub repositories hosting the malicious payloads, with some instances also using Discord and Dropbox as hosting platforms.
## Multi-Stage Infection Process
The attack unfolds in four distinct stages:
1. **Initial Access**: Establishing a foothold on target devices
2. **Reconnaissance**: System discovery, information collection, and payload delivery
3. **Execution**: Command execution, evasion techniques, persistence establishment, and command-and-control communications
4. **Data Theft**: PowerShell scripts configure Microsoft Defender exclusions and download data from remote servers
## Malware Arsenal
The attackers deploy various malicious tools including:
– Lumma Stealer and Doenerium for system information collection
– NetSupport RAT for remote access
– PowerShell, JavaScript, VBScript, and AutoIT scripts for execution
– Living-off-the-land binaries like PowerShell.exe, MSBuild.exe, and RegAsm.exe for command and control
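Two of the behaviours described above, the PowerShell stage that adds Microsoft Defender exclusions and the use of MSBuild.exe and RegAsm.exe launched from script hosts, are both visible in process-creation telemetry. The following added example (not code from Microsoft's report) runs simple detection rules over a few constructed process-creation records; the field names and sample command lines are assumptions made for the example.

```python
import re

# Constructed sample process-creation records (not telemetry from the report).
# Fields are a simplified stand-in for Sysmon Event ID 1 / Security 4688 data.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell -ep bypass -c "Add-MpPreference -ExclusionPath C:\\Users\\Public"'},
    {"parent": "wscript.exe",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "cmdline": "MSBuild.exe C:\\Users\\Public\\build.xml"},
    {"parent": "powershell.exe",
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "cmdline": "RegAsm.exe /codebase C:\\Users\\Public\\a.dll"},
    # Benign: Visual Studio building a project is the normal parent of MSBuild.
    {"parent": "devenv.exe",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "cmdline": "MSBuild.exe C:\\src\\app\\app.csproj"},
    # Benign: reading Defender preferences adds no exclusion.
    {"parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell Get-MpPreference"},
]

# Add-MpPreference with any of the exclusion parameters (case-insensitive).
EXCLUSION_RE = re.compile(
    r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
# Script interpreters named in the report's execution stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "autoit3.exe"}
# Living-off-the-land binaries the report names for command and control.
LOLBINS = {"msbuild.exe", "regasm.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names that fire on one process-creation record."""
    findings = []
    if EXCLUSION_RE.search(event["cmdline"]):
        findings.append("defender_exclusion_added")
    if basename(event["image"]) in LOLBINS and basename(event["parent"]) in SCRIPT_HOSTS:
        findings.append("lolbin_from_script_host")
    return findings


def scan(events):
    """Return (event index, rule name) pairs for every finding across the records."""
    return [(i, rule) for i, e in enumerate(events) for rule in classify(e)]
```

The second rule keys on the parent process rather than on MSBuild.exe or RegAsm.exe alone, so a developer build started from Visual Studio stays quiet while the same binary spawned by a script host is surfaced.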
## Cryptocurrency Focus
The malware specifically scans for cryptocurrency wallets, suggesting financial theft as a primary objective.
## Related AI-Themed Attacks
Kaspersky has reported, in the same period, fake websites impersonating the DeepSeek and Grok AI chatbots that distribute a new Python-based information stealer. These deceptive sites are promoted by verified X accounts and execute PowerShell scripts that establish SSH connections for remote access.