Microsoft has attributed the attack to Storm-0409
The campaign, first detected in December 2024, used deceptive online advertisements to redirect unsuspecting users to malicious repositories on GitHub, where they unknowingly downloaded harmful payloads.
According to a recent advisory from Microsoft Threat Intelligence (MTI), the attackers behind the operation used a “modular and multi-stage approach” to payload deployment, ensuring deep penetration and persistence within compromised systems.
Microsoft detailed how the campaign’s payloads were designed to collect system information, exfiltrate documents, and deploy additional malicious scripts.
A three-stage attack
The initial stage of the attack involved injecting malicious ads into videos on illegal streaming platforms. Once clicked, these ads redirected users to GitHub repositories hosting malware-laden files and scripts.
The initial, GitHub-hosted malware acted as a dropper, initiating a series of stages.
The second stage involved system discovery and exfiltration of system information, including memory size, graphic details, operating system (OS), and user paths. This data was Base64-encoded and sent via HTTP to an IP address.
The third stage varied depending on the initial payload, often involving connection to a command-and-control (C2) server for further file downloads, data exfiltration, and defense-evasion techniques.
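As an added example that is not part of Microsoft's advisory or this article, the following Python heuristic illustrates how a defender might hunt for the stage-two beacon described above in HTTP proxy logs: a POST to a bare IP address whose body is Base64 that decodes to system-discovery fields. The log format, field names and sample records are constructed for the example.

```python
import base64
import binascii
import json
import re
from urllib.parse import urlparse

# Fields loosely matching the system-discovery data described in the advisory.
# These key names are an assumption for the example, not values from the campaign.
SYSTEM_INFO_KEYS = ("memory", "gpu", "os", "user_path")
BARE_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def decode_b64_text(blob: str):
    """Return the decoded text if blob is strict Base64 wrapping UTF-8, else None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def is_suspicious_beacon(method: str, url: str, body: str) -> bool:
    """Flag a POST to a bare IPv4 host whose Base64 body carries several system-info fields."""
    if method != "POST":
        return False
    host = urlparse(url).hostname or ""
    if not BARE_IPV4.match(host):
        return False
    text = decode_b64_text(body)
    if text is None:
        return False
    # Substring matching is a coarse heuristic; tune the keys and threshold to your telemetry.
    hits = sum(1 for key in SYSTEM_INFO_KEYS if key in text.lower())
    return hits >= 2


def scan_logs(lines):
    """Parse constructed 'METHOD URL body=...' records and return URLs flagged as beacons."""
    flagged = []
    for line in lines:
        method, url, body_field = line.split(" ", 2)
        body = body_field.partition("=")[2]
        if is_suspicious_beacon(method, url, body):
            flagged.append(url)
    return flagged


# Constructed sample records (not real traffic); the first mimics a stage-two beacon.
FAKE_SYSINFO = json.dumps({"memory": "16 GB", "gpu": "Example GPU",
                           "os": "Windows 11", "user_path": "C:\\Users\\alice"})
SAMPLE_LOGS = [
    "POST http://203.0.113.10/collect body=" + base64.b64encode(FAKE_SYSINFO.encode()).decode(),
    "GET https://www.example.com/ body=",
    "POST https://api.example.com/login body=" + base64.b64encode(b"user=alice").decode(),
    "POST http://203.0.113.10/ping body=not-base64!",
]

if __name__ == "__main__":
    print(scan_logs(SAMPLE_LOGS))  # ['http://203.0.113.10/collect']
```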
Microsoft has attributed the attack to a threat actor group it tracks as Storm-0409, which is known for deploying remote access and infostealer malware through malvertising techniques.
Some of the identified malware strains include Lumma stealer and an updated version of the Doenerium infostealer. Additionally, the attackers used the remote monitoring and management (RMM) tool NetSupport to maintain prolonged access to infected devices.
While GitHub was the primary platform used for hosting the malicious payloads, the advisory noted that attackers also leveraged other cloud-based services, including Discord and Dropbox, in their broader infection campaign.
The repositories facilitating the attack have since been taken down. However, Microsoft warns that this campaign is unlikely to be the last to employ these tactics.
GitHub is a target for threat actors
GitHub, a widely used code hosting service owned by Microsoft, has increasingly become a target for cybercriminals seeking to distribute malware under the guise of legitimate software.
Kevin Kirkwood, CISO at cybersecurity firm Exabeam, outlined broader challenges faced by open-source and cloud-based platforms.
“It’s great news to hear that Microsoft has taken steps to mitigate the problem of a very large set of operations that were occurring in a number of GitHub repositories,” Kirkwood stated.
“The problem is the level playing field that free and open-source software (FOSS) delivery systems offer to both the normal development community and the threat actor community.”
He pointed out that the very openness that makes platforms like GitHub valuable also makes them vulnerable to misuse.
To mitigate the risk of similar attacks, Microsoft recommends enterprise users strengthen their Microsoft Defender for Endpoint configurations.
This includes enabling tamper protection, network protection, and Web protection, as well as running endpoint detection and response (EDR) in block mode.
Microsoft Defender XDR customers are advised to activate specific attack surface reduction rules.