Nearly a million Windows computers impacted by a malvertising campaign

📟 News

Date: 10/03/2025

According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive information from infected workstations.

Microsoft Threat Intelligence reports that the campaign was launched in December 2024: unknown attackers started distributing links that loaded ads. Microsoft claims that websites hosting such ads were illegal streaming websites offering pirated videos. The company’s report mentions two streaming website domains: movies7[.]net and 0123movie[.]art.

“The streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue from malvertising platforms,” – Microsoft.

Malvertising redirector URL in the website code
Malvertising redirector URL in the website code

Malicious links contained within an iframe were taking victims through a chain of redirects and a number of intermediate sites (e.g. a scam tech support site) ultimately leading to GitHub repositories containing a variety of malicious files.

Malware was deployed in several stages. At early stages, information on the user’s device was collected, presumably to configure subsequent attack stages. At later stages, malware detectors were disabled, a connection was established with control servers, and the NetSupport remote monitoring and management software was installed.

“Depending on the second-stage payload, either one or multiple executables are dropped onto the compromised device, and sometimes an accompanying encoded PowerShell script. These files initiate a chain of events that conduct command execution, payload delivery, defensive evasion, persistence, C2 communications, and data exfiltration,” – Microsoft.

In addition to GitHub, payloads were also hosted on Discord and Dropbox.

Attack scheme
Attack scheme

Microsoft experts believe that this campaign was opportunistic in nature (i.e. the cybercriminals attacked everyone without distinction and didn’t target specific persons, companies, or industries). As a result, devices belonging to both individuals and various organizations were impacted.

After penetrating into the victim’s system, the malware (mostly the Lumma stealer or an updated version of the Doenerium open-source info stealer) accessed browser data files to steal login cookies, passwords, histories, and other sensitive information:

  • AppDataRoamingMozillaFirefoxProfiles<user profile uid>.default-releasecookies.sqlite;
  • AppDataRoamingMozillaFirefoxProfiles<user profile uid>.default-releaseformhistory.sqlite;
  • AppDataRoamingMozillaFirefoxProfiles<user profile uid>.default-releasekey4.db;
  • AppDataRoamingMozillaFirefoxProfiles<user profile uid>.default-releaselogins.json;
  • AppDataLocalGoogleChromeUser DataDefaultWeb Data;
  • AppDataLocalGoogleChromeUser DataDefaultLogin Data; and 
  • AppDataLocalMicrosoftEdgeUser DataDefaultLogin Data.

The attackers also attempted to access files stored on Microsoft OneDrive and scanned infected systems for cryptocurrency wallets, including Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox.

According to Microsoft, first-stage reports were digitally signed with a newly-created certificate. In total, 12 certificates used in the malvertising campaign were identified and subsequently revoked by the company.

Related posts:
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'

A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…

Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress

According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…

Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer

Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…

Full article →
2025.03.05 — Polish Space Agency disconnects its network due to hacker attack

Last weekend, the Polish Space Agency (POLSA) had to disconnect all of its systems from the Internet to localize an attack targeting its IT infrastructure. After discovering the intrusion,…

Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework

According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…

Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage

According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…

Full article →
2025.04.12 — Hackers compromised a bureau within the U.S. Department of the Treasury and spent months in hacked systems

The Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury, reported a major cybersecurity incident. Unknown attackers had…

Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic

Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…

Full article →
2025.02.03 — PyPI introduces a project archival system to combat malicious updates

The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…

Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters

According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…

Full article →