If you're going to visit a website that hosts pirated video streams, you'd better be prepared to accept the risks. The owners of the 1 million devices affected by malware originating from these sites may not have considered this. Microsoft wrote that its threat analysis team detected a large-scale malicious advertising campaign in December 2024, affecting nearly one million devices worldwide.
The company traced the campaign to two illegal streaming sites, movies7 and 0123movie, which carried embedded malvertising redirectors. The attackers injected ads into videos hosted on these websites. The ads generate pay-per-view or pay-per-click revenue from the malvertising platform and then direct traffic through one or two additional malicious redirectors.
Victims are eventually directed to another website, such as a tech support scam site, and then redirected to GitHub.
The GitHub repository, which housed the malware used to deploy more malicious files and scripts, has now been removed. Once someone downloads the malware, it is used to collect system information and deploy second-stage payloads to steal documents and data.
The third-stage PowerShell script payload then downloads the NetSupport Remote Access Trojan (RAT) from the command-and-control server and establishes persistence in the registry. The RAT can deliver Lumma information-stealing malware or updated versions of the Doenerium information stealer.
The malware also allows attackers to monitor the victim's browsing activities and even interact with active browsers, including Firefox, Chrome, and Edge.
The first-stage payload is digitally signed with a newly created certificate and bundles some legitimate files to disguise its true nature. A total of 12 different certificates were identified, all of which were later revoked.
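Two details in the chain above are things a defender can check for locally: a registry-based autostart entry, and a first-stage binary signed with a certificate that was only just issued (and possibly revoked since). The script below is an added example for illustration and is not code from Microsoft's report. It assumes Windows PowerShell 5.1 or later and walks the standard HKLM/HKCU Run and RunOnce keys (standard autostart locations, not keys named in the article), resolving each command line to its executable and reporting the Authenticode signature status, signer and the certificate's issue date.

```powershell
# Added example (not from the Microsoft report). Lists Run/RunOnce autostart
# entries with the Authenticode status and certificate issue date of each
# referenced executable. Assumes Windows PowerShell 5.1+ on a Windows host.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds itself; these are not registry values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath {
    param([string]$Command)
    # Take the program path from a Run-key command line, handling quoted
    # paths such as "C:\Program Files\tool.exe" /arg as well as bare paths.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Get-AutostartSignatureReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $exe = Get-ExecutablePath -Command ([string]$p.Value)
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $status    = 'FileNotFound'
            $signer    = ''
            $notBefore = $null
            if (Test-Path -LiteralPath $exe) {
                # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
                $sig    = Get-AuthenticodeSignature -FilePath $exe
                $status = $sig.Status
                if ($sig.SignerCertificate) {
                    $signer    = $sig.SignerCertificate.Subject
                    $notBefore = $sig.SignerCertificate.NotBefore
                }
            }
            [PSCustomObject]@{
                Key           = $key
                Name          = $p.Name
                Path          = $exe
                Status        = $status
                Signer        = $signer
                CertIssued    = $notBefore
            }
        }
    }
}

# Print the report; sort so unsigned / invalid entries and recently issued
# certificates surface first for review.
Get-AutostartSignatureReport |
    Sort-Object -Property Status, CertIssued -Descending |
    Format-Table -AutoSize
```

A `Valid` status on its own is not reassuring in this scenario: the certificates in the campaign verified fine until they were revoked, which is why the report also shows the certificate's `NotBefore` date. An autostart entry whose signer certificate was issued only days ago, by an unfamiliar subject, is the pattern described above and is worth a closer look regardless of status. Once revocation has propagated, the same file will typically no longer report `Valid`.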
While GitHub is the primary platform for delivering these payloads, Microsoft also discovered that one payload was hosted on Discord and another on Dropbox. As with GitHub, web pages hosting malware on these platforms have been removed.
Microsoft wrote that the campaign was indiscriminate and affected both consumer and enterprise devices. Microsoft also noted that Microsoft Defender software for Windows is capable of detecting and flagging malware used in attacks.