
Microsoft Threat Intelligence reports that the campaign began in early December 2024, when unknown attackers started injecting ads into videos on illegal streaming websites that offer pirated content. The report names two such streaming domains: movies7[.]net and 0123movie[.]art.
“The streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue from malvertising platforms,” – Microsoft.

The iframes embedded in the movie frames pointed to redirector URLs that took victims through a chain of redirects and one or more intermediate sites (for example, a scam tech-support page) before landing on GitHub repositories hosting the malicious files.
The malware was deployed in several stages. The first-stage payload collected information about the user's device, presumably to tailor the subsequent stages. Later stages disabled security tools, established connections to command-and-control (C2) servers, and installed the NetSupport remote monitoring and management software.
“Depending on the second-stage payload, either one or multiple executables are dropped onto the compromised device, and sometimes an accompanying encoded PowerShell script. These files initiate a chain of events that conduct command execution, payload delivery, defensive evasion, persistence, C2 communications, and data exfiltration,” – Microsoft.
Although GitHub was the primary host, some payloads were also hosted on Discord and Dropbox.

Microsoft experts believe that the campaign was opportunistic: the criminals targeted anyone who visited the streaming sites rather than specific persons, companies, or industries. As a result, devices belonging to both individuals and organizations across many sectors were affected.
Once on the victim's system, the malware (mostly the Lumma stealer or an updated version of the open-source Doenerium info stealer) accessed browser data files to steal login cookies, saved passwords, browsing history, and other sensitive information:
- AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\cookies.sqlite;
- AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\formhistory.sqlite;
- AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\key4.db;
- AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\logins.json;
- AppData\Local\Google\Chrome\User Data\Default\Web Data;
- AppData\Local\Google\Chrome\User Data\Default\Login Data; and
- AppData\Local\Microsoft\Edge\User Data\Default\Login Data.
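The file list above is also a ready-made hunting rule: on a healthy workstation, only the owning browser should ever open these stores. The following detector is an added example written for this article, not code from Microsoft's report or from the stealers. It runs over constructed file-access telemetry records (the record format, the sample process names and paths, and the pipe-delimited layout are all assumptions for the demo) and flags any process other than the owning browser that reads one of the targeted files. It also reports processes that sweep several stores at once, the pattern an info stealer leaves behind.

```python
"""Spot non-browser processes reading the credential stores listed above.

Added example, not code from Microsoft's report: a small detector that runs
over constructed file-access telemetry (e.g. EDR file-read events or Windows
object-access auditing) and alerts when a process other than the owning
browser reads one of the targeted Firefox/Chrome/Edge files. The record
format, sample paths and process names are assumptions made for the demo.
"""
import fnmatch

# Targeted stores from the report. The user directory and the Firefox profile id
# are wildcarded; each pattern maps to the only process expected to touch it.
TARGETS = {
    r"*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite": "firefox.exe",
    r"*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\formhistory.sqlite": "firefox.exe",
    r"*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\key4.db": "firefox.exe",
    r"*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\logins.json": "firefox.exe",
    r"*\AppData\Local\Google\Chrome\User Data\Default\Web Data": "chrome.exe",
    r"*\AppData\Local\Google\Chrome\User Data\Default\Login Data": "chrome.exe",
    r"*\AppData\Local\Microsoft\Edge\User Data\Default\Login Data": "msedge.exe",
}

# Constructed telemetry (not real logs): timestamp|image=<process>|path=<file read>.
SAMPLE_LOG = [
    r"2025-03-06T10:12:01Z|image=C:\Program Files\Google\Chrome\Application\chrome.exe|path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2025-03-06T10:15:44Z|image=C:\Users\alice\AppData\Local\Temp\update.exe|path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2025-03-06T10:15:45Z|image=C:\Users\alice\AppData\Local\Temp\update.exe|path=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x7k2q9bz.default-release\logins.json",
    r"2025-03-06T10:16:02Z|image=C:\Program Files\Mozilla Firefox\firefox.exe|path=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x7k2q9bz.default-release\key4.db",
    r"2025-03-06T10:17:30Z|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|path=C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"2025-03-06T10:18:11Z|image=C:\Windows\explorer.exe|path=C:\Users\alice\Documents\notes.txt",
]


def parse_record(line):
    """Split one pipe-delimited record into a dict with ts, image and path."""
    ts, *kv = line.strip().split("|")
    fields = dict(item.split("=", 1) for item in kv)
    fields["ts"] = ts
    return fields


def match_target(path):
    """Return the owning browser executable if path is a targeted store, else None."""
    lowered = path.lower()
    for pattern, owner in TARGETS.items():
        # fnmatchcase avoids platform-specific normalisation of backslashes.
        if fnmatch.fnmatchcase(lowered, pattern.lower()):
            return owner
    return None


def detect(lines):
    """Return (ts, image, path) for every read of a store by a non-owner process."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        owner = match_target(rec.get("path", ""))
        if owner is None:
            continue
        image = rec["image"].rsplit("\\", 1)[-1].lower()
        if image != owner:
            alerts.append((rec["ts"], rec["image"], rec["path"]))
    return alerts


def stores_per_process(lines):
    """Count distinct targeted stores read by each offending process."""
    seen = {}
    for _ts, image, path in detect(lines):
        seen.setdefault(image, set()).add(path.lower())
    return {image: len(paths) for image, paths in seen.items()}


def sweepers(lines, threshold=2):
    """Processes that read at least `threshold` different stores: stealer behaviour."""
    return sorted(img for img, n in stores_per_process(lines).items() if n >= threshold)


if __name__ == "__main__":
    for ts, image, path in detect(SAMPLE_LOG):
        print(f"[ALERT] {ts} {image} read {path}")
    for image in sweepers(SAMPLE_LOG):
        print(f"[SWEEP] {image} touched multiple credential stores")
```

A single non-browser read of `Login Data` is already suspicious, but the cross-browser sweep (`sweepers`) is the higher-confidence signal: backup agents and sync tools rarely touch Chrome, Firefox and Edge stores within the same second. In production, the `image` check should be replaced by a signed-binary or path allow-list rather than a bare executable name, since a stealer can be named `chrome.exe` too.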
The attackers also attempted to access files stored in Microsoft OneDrive and scanned infected systems for cryptocurrency wallet software, including Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox.
According to Microsoft, the first-stage payloads were digitally signed with a newly created certificate. In total, 12 certificates used in the malvertising campaign were identified, and all of them have since been revoked.
