SoylentNews

An Anonymous Coward writes:

https://www.theregister.com/2025/03/10/infosec_in_brief/ [theregister.com]

Infosec in Brief -- Microsoft has spotted a malvertising campaign that downloaded nastyware hosted on GitHub and exposed nearly a million devices to information thieves.

Discovered by Microsoft Threat Intelligence late last year, the campaign saw pirate vid-streaming websites embed malvertising redirectors to generate pay-per-view or pay-per-click revenue from malvertising platforms.

“These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub,” according to Microsoft’s threat research team.

GitHub hosted a first-stage payload that installed code that dropped two other payloads. One gathered system configuration info such as data on memory size, graphics capabilities, screen resolution, the operating system present, and user paths.

Third-stage payloads varied but most “conducted additional malicious activities such as command and control (C2) to download additional files and to exfiltrate data, as well as defense evasion techniques.”

The attackers built four to five redirect layers in the campaign, each of which followed on from the GitHub dropper to install more nastiness that it appears were designed to steal information including stored browser credentials.

Microsoft noted that the malicious repos have since been taken down, and provided plenty of indicators of compromise and other valuable information in its report to aid in hunting down and stopping related campaigns.

Original Submission