Embedded frames on pirate streaming sites trigger malvertising attacks hosted online


A large-scale malvertising campaign redirected nearly a million devices to GitHub, and to a lesser extent Discord and Dropbox, where users downloaded malware that in turn dropped additional files and scripts. The attack steals information from a victim's Windows computer, including device, user and browser data.

Microsoft researchers determined that these malvertising redirectors were embedded in the iframes that carry the videos on illegal streaming websites. These are not the I-frames (intra-coded keyframes) of MPEG video, from which the following P- and B-frames are predicted; the iframes used in this campaign are the HTML <iframe> tags that define an in-line frame holding third-party content on a web page, such as a video player.


The full redirect chain is four to five layers deep. Exfiltration of a victim's system data is accomplished by querying the Windows registry for the device's identifying information, Base64-encoding it into a URL and sending it over HTTP to an external IP address.

Code from website of streaming video and iframe showing malvertising redirector URL. Source: Microsoft

Those files collected system information and set up further malware and scripts that exfiltrated documents and data from the compromised host, according to a detailed article published in early March 2025 by Microsoft Security.

Microsoft tracks this campaign under the umbrella designation Storm-0408, a name it uses for a number of threat actors associated with remote access or information-stealing malware who use phishing, search engine optimization (SEO) poisoning or malvertising campaigns to distribute their payloads.

How it works

Since early December 2024, multiple devices have downloaded first-stage payloads from malicious GitHub repositories, arriving at GitHub through a series of redirections. Analysis of the redirect chain determined that the attack most likely originated from illegal streaming websites where users watch pirated videos.

Redirection chain from pirate streaming website to malware files on GitHub. Source: Microsoft

The streaming websites embedded malvertising redirectors within the movie frames (the iframes holding the video player) to generate pay-per-view or pay-per-click revenue from malvertising platforms. These redirectors routed traffic through one or two further malicious redirectors before landing on another site, such as a malware or tech support scam site, which in turn redirected to GitHub.
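The redirect chain above is something a defender can reconstruct from ordinary web-proxy logs. The following is an added example, not Microsoft's tooling or anything from the report: it rebuilds per-client chains by following 3xx responses and flags chains that start on a video page, pass through several redirectors and land on a file host. The log format, every domain (all under the reserved .example TLD) and the repository path are constructed for illustration and are not indicators from the campaign.

```python
"""Rebuild HTTP redirect chains from web-proxy logs and flag the shape described
above: a video page, several redirector hops, and a final landing on a file host
such as GitHub, Discord or Dropbox.

Added example, not Microsoft's tooling. The log format, domains and paths are
constructed for illustration; they are not indicators from the report.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed log lines: <client_ip> <status> <request_url> <Location header or ->
SAMPLE_LOG = """\
10.0.0.5 200 https://free-movies.example/watch/12345 -
10.0.0.5 200 https://free-movies.example/player.html?v=12345 -
10.0.0.5 302 https://ads-redir1.example/click?id=9 https://redir2.example/go
10.0.0.5 302 https://redir2.example/go https://techsupport-scam.example/alert
10.0.0.5 302 https://techsupport-scam.example/alert https://github.com/user/repo/releases/download/v1/Setup.exe
10.0.0.5 302 https://github.com/user/repo/releases/download/v1/Setup.exe https://objects.githubusercontent.com/release-asset/abc
10.0.0.5 200 https://objects.githubusercontent.com/release-asset/abc -
10.0.0.9 302 https://shop.example/old-page https://shop.example/new-page
10.0.0.9 200 https://shop.example/new-page -
"""

# Hosts the report names as payload locations (GitHub primarily, plus Discord and Dropbox).
FILE_HOSTS = {
    "github.com", "raw.githubusercontent.com", "objects.githubusercontent.com",
    "cdn.discordapp.com", "www.dropbox.com", "dl.dropboxusercontent.com",
}
MIN_HOPS = 3   # the report describes four- to five-layer chains; three is already unusual


def parse_log(text):
    """Parse the constructed log format into (client, status, url, location) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ip, status, url, loc = line.split(maxsplit=3)
            events.append((ip, int(status), url, None if loc == "-" else loc))
    return events


def host(url):
    return (urlparse(url).hostname or "").lower()


def build_chains(events):
    """Per client, follow 3xx responses: a chain continues while the next request
    is for the URL the previous Location header pointed at.
    Returns (client, originating_page, [url0, url1, ...]) tuples."""
    per_client = defaultdict(list)
    for ev in events:
        per_client[ev[0]].append(ev)
    chains = []
    for ip, evs in per_client.items():
        last_page = None    # most recent non-redirect page the client loaded
        current = None      # (origin_page, urls) chain being followed
        for _, status, url, loc in evs:
            redirected = 300 <= status < 400 and loc is not None
            if current is not None:
                if redirected and url == current[1][-1]:
                    current[1].append(loc)
                    continue
                chains.append((ip, current[0], current[1]))   # chain ended or was not followed
                current = None
            if redirected:
                current = (last_page, [url, loc])
            else:
                last_page = url
        if current is not None:
            chains.append((ip, current[0], current[1]))
    return chains


def flag_chains(chains):
    """Keep chains with at least MIN_HOPS redirects that land on a file host."""
    hits = []
    for ip, origin, urls in chains:
        hops = len(urls) - 1
        if hops >= MIN_HOPS and host(urls[-1]) in FILE_HOSTS:
            hits.append({
                "client": ip,
                "origin": origin,          # page loaded just before the chain started
                "hops": hops,
                "redirectors": [host(u) for u in urls[:-1]],
                "payload_url": urls[-1],
            })
    return hits


if __name__ == "__main__":
    for hit in flag_chains(build_chains(parse_log(SAMPLE_LOG))):
        print(f"{hit['client']}: {hit['origin']} -> {' -> '.join(hit['redirectors'])} "
              f"-> {hit['payload_url']} ({hit['hops']} hops)")
```

The originating page is recorded because it is the most useful pivot: once one chain is tied to a streaming site, every other client that loaded the same player page can be checked for the same pattern. The ordinary site-migration redirect for client 10.0.0.9 is kept as a chain but never flagged, since it has a single hop and does not end on a file host.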

Attacks in stages

The campaign deployed malware in several stages, listed below; which activities followed on a given host depended on the payload dropped during the second stage.

  • The first-stage payload that was hosted on GitHub served as the dropper for the next stage of payloads.
  • The second-stage files were used to conduct system discovery and to exfiltrate system information that was Base64-encoded into the URL and sent over HTTP to an IP address. The information collected included data on memory size, graphic details, screen resolution, operating system (OS), and user paths.
  • Various third-stage payloads were deployed depending on the second-stage payload. In general, the third-stage payload conducted additional malicious activities such as command and control (C2) to download additional files and to exfiltrate data, as well as defense evasion techniques.

Using the information extracted from the victim device, the attack then delivers one or more executables that carry out the rest of the intrusion. The steps used in the attack differ according to the characteristics of the device being attacked.
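The second-stage behaviour described above, system details Base64-encoded into a URL and sent over HTTP to an IP address, leaves a recognisable trace in proxy logs. The following is an added example, not code from Microsoft or the report: it decodes long Base64-looking query parameters and alerts when the plaintext carries several of the fields the report lists (OS, memory size, graphics details, screen resolution, user paths). The log format, the destination 203.0.113.10 (a documentation address) and the beacon plaintext are constructed here; the beacon line is generated from that plaintext so the example runs offline.

```python
"""Scan web-proxy log lines for the beaconing pattern described above: system
information Base64-encoded into a URL query string and sent over plain HTTP to a
bare IP address.

Added example, not Microsoft's code. The log format, the IP 203.0.113.10 (a
documentation address) and the plaintext beacon are constructed here.
"""
import base64
import binascii
import ipaddress
import re
from urllib.parse import urlparse, parse_qs

# Markers a decoded beacon would contain if it carries the fields the report lists.
SYSINFO_PATTERNS = {
    "os": re.compile(r"\bWindows\b"),
    "memory": re.compile(r"\b\d+\s?[GM]B\b"),
    "gpu": re.compile(r"NVIDIA|GeForce|Radeon|Intel\(R\) (UHD|Iris)"),
    "resolution": re.compile(r"\b\d{3,4}x\d{3,4}\b"),
    "user_path": re.compile(r"[A-Za-z]:\\Users\\"),
}
MIN_CATEGORIES = 2     # one marker alone is too weak to alert on
MIN_PARAM_LEN = 24     # ignore short tokens such as version strings

# Constructed sample: the beacon is generated from plaintext so the example is
# self-contained; the other two lines are benign look-alikes.
SYSINFO = "os=Windows 10 Pro;mem=16 GB;gpu=NVIDIA GeForce RTX 3060;res=1920x1080;path=C:\\Users\\alice"
BEACON = base64.b64encode(SYSINFO.encode()).decode()
SAMPLE_LOG = [
    "10.0.0.5 GET https://www.example.com/login?state=aGVsbG8gd29ybGQsIHRoaXMgaXMgYSBzdGF0ZQ==",
    f"10.0.0.5 GET http://203.0.113.10/collect?d={BEACON}",
    "10.0.0.7 GET https://cdn.example.net/app.js?v=20250306",
]

# A space is allowed because an unencoded '+' in the URL becomes ' ' after parse_qs.
B64_RE = re.compile(r"[A-Za-z0-9+/_ -]+=*")


def decode_b64(value):
    """Decode standard or URL-safe Base64; return text only if it is printable."""
    s = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)          # tolerate stripped padding
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def is_bare_ip(hostname):
    try:
        ipaddress.ip_address(hostname or "")
        return True
    except ValueError:
        return False


def scan(lines):
    """Return one alert per query parameter that decodes to system information."""
    alerts = []
    for line in lines:
        client, _method, url = line.split(maxsplit=2)
        parsed = urlparse(url)
        for values in parse_qs(parsed.query).values():
            for value in values:
                if len(value) < MIN_PARAM_LEN or not B64_RE.fullmatch(value):
                    continue
                text = decode_b64(value)
                if text is None:
                    continue
                hits = sorted(name for name, rx in SYSINFO_PATTERNS.items() if rx.search(text))
                if len(hits) >= MIN_CATEGORIES:
                    alerts.append({
                        "client": client,
                        "dest": parsed.hostname,
                        # the report's pattern: plain HTTP straight to an IP, no hostname
                        "plain_http_to_ip": parsed.scheme == "http" and is_bare_ip(parsed.hostname),
                        "categories": hits,
                        "decoded": text,
                    })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["client"], "->", a["dest"], a["categories"], "| plain HTTP to IP:", a["plain_http_to_ip"])
```

Requiring two or more field categories is what keeps the benign OAuth-style `state` parameter quiet: it decodes to printable text but matches nothing. The `plain_http_to_ip` flag is kept separate from the alert condition so the same logic still fires if a later variant moves the beacon to a hostname or to HTTPS, while the flag preserves the stronger signal when it is present.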

Threat and attack detection

The full article describes the malicious activities and flowcharts the steps of an attack.  It also identifies individual files and scripts used in the attack.

Alerts generated by Microsoft Defender for Endpoint, together with reports from a range of other Microsoft security products, can be used to determine whether an attack has taken place by identifying anomalous tasks, API activity, tampering attempts, keystroke monitoring and other suspicious activity.

The article also describes what the attacks look like in software logs.

Further reading

Malvertising campaign leads to info stealers hosted on GitHub. Microsoft Threat Intelligence and Microsoft Security Experts, Microsoft Security blog, March 6, 2025.

While this particular campaign targets Microsoft Windows, similar malvertising attacks also hit mobile devices and streaming set-top boxes. The Digital Citizens Alliance published two highly informative reports on the subject, in 2021 and 2022; the techniques described in those reports have evolved since then.

Why it matters

To detect and address the malvertising attacks described in this article, Microsoft provided recommendations for mitigating the impact of this threat, detection details, indicators of compromise (IOCs), and hunting guidance to locate related activity. By sharing this research, Microsoft aimed to raise awareness about the tactics, techniques, and procedures (TTPs) used in this widespread activity so organizations can better prepare and implement effective mitigation strategies to protect their systems and data.
