Almost 1 million business and home PCs compromised after users visited illegal streaming sites: Microsoft – Source: www.csoonline.com

The report underlines, for CISOs, the importance of strengthening security awareness training for employees.

Careless online surfing by employees continues to be the bane of CISOs trying to keep malware off their IT networks. The latest example of its consequences comes from Microsoft, which reports that in early December it detected a large-scale data theft campaign that leveraged GitHub, Discord, and Dropbox to distribute malware to nearly 1 million devices.

The likely initial cause: People clicking on malicious ads posted on streaming websites hosting pirated videos.

And while home users might seem the obvious victims, Microsoft reports that the campaign also hit a wide range of organizations and industries, affecting both consumer and enterprise devices.

Experts say the report shows not only that platforms like GitHub, Discord, and Dropbox have to tighten their security, but also that CISOs, as part of security awareness training, have to regularly remind employees of the risks of visiting websites that promise free goodies, both at work and at home.

“Malware spread by malicious advertising, and GitHub being involved, is nothing new,” said Roger Grimes, data-driven defense evangelist for awareness training provider KnowBe4. “Today, it’s almost business as usual. Any cybersecurity training should include education about how internet search engines and advertising can lead you to bad places. People have to know this reality. It has always been this way, but it’s worse than ever.”

He noted that, even when a potential victim is led to a bad site, the user has to take some action, and often ignore multiple security warnings, to run the malware.

“The malware doesn’t just launch onto the person’s device and start doing bad things, unless they are unpatched,” he said. “Usually, the user has to manually and actively allow the malware content to run (versus just displaying a web page). So, users must be made aware that malicious advertising exists, and that if they don’t manually allow the content to run, usually they will be safe from it.”

For CISOs, the report shows how important it is to run an ad blocker as well as other defenses, said Johannes Ullrich, dean of research at the SANS Institute, and it’s not just in case employees ignore company policy to stay away from unapproved websites. “Sadly,” he said in an email, “malicious ads are still showing up on legitimate sites, too.”

Campaigns have multiple stages

In this campaign, the majority of the malware distribution went through GitHub, and Microsoft, which owns GitHub, blunted the campaign by taking down the repositories used to host the payloads. But GitHub is not the only site to be abused in this way; Ullrich said it’s a “difficult” problem for all file-hosting sites.

“The initial payload was a simple ‘dropper’. ‘Droppers’ are very simple software that downloads, decodes, and executes code,” he noted. “They are not inherently malicious and are difficult to identify before they are used for malicious purposes. Maybe we hear more about GitHub compared to other file hosting sites because Microsoft is more proactive and public about shutting these repositories down.”

Security researchers have been reporting on threat actors’ use of GitHub in particular for spreading malware, in part because it’s a location trusted by application developers for grabbing open source code.

In one of the most recent reports, last month Kaspersky said it found a campaign by unknown threat actors who created over 200 GitHub repositories (“repos”) containing fake projects laced with malicious code, posing as Telegram bots, tools for cheating in the game Valorant, Instagram automation utilities, and Bitcoin wallet managers.

That campaign has been going on for at least two years, Kaspersky said.

And just over a year ago, researchers at Apiiro reported finding over 100,000 GitHub code repositories that imitated legitimate ones, either by typo-squatting (giving a repository a name similar to a legitimate one) or by simply cloning an existing repo.

These examples show another element of security awareness training: Making sure developers understand the need to check the legitimacy of a repo before downloading code destined for a corporate application.
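One way a developer, or a CI step, could screen repository references against a vetted list before pulling code. This is an added example, not code from the CSO Online article or from the Apiiro, Kaspersky or Microsoft reports. The allowlist, the look-alike character table and the candidate names are constructed assumptions; exact matches are allowed, near-misses (small edit distance after look-alike normalization) are flagged as suspicious for human review, and anything else is reported as unknown, not as safe.

```python
"""Flag repository references that typosquat a vetted allowlist.

Added example, not part of the article or of the reports it cites.
The allowlist, look-alike table and test names are constructed.
"""
from __future__ import annotations

# Hypothetical allowlist of "owner/repo" names an organization has vetted.
KNOWN_GOOD = {
    "psf/requests",
    "pallets/flask",
    "numpy/numpy",
    "microsoft/typescript",
}

# Character swaps attackers use to build look-alike names (constructed
# subset; extend for your own threat model).
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("-", ""), ("_", "")]


def normalize(name: str) -> str:
    """Lower-case and collapse common look-alike sequences."""
    name = name.lower()
    for bad, good in HOMOGLYPHS:
        name = name.replace(bad, good)
    return name


def levenshtein(a: str, b: str) -> int:
    """Standard dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(repo: str, known_good=KNOWN_GOOD, max_distance: int = 2) -> tuple[str, str | None]:
    """Return ("allowed", repo) for an exact allowlist hit,
    ("suspicious", closest_legit) for a near-miss, ("unknown", None) otherwise.

    A near-miss is a name that, after look-alike normalization, is within
    max_distance edits of a vetted name without being identical to it.
    """
    if repo in known_good:
        return "allowed", repo
    norm = normalize(repo)
    best, best_d = None, max_distance + 1
    for good in known_good:
        d = levenshtein(norm, normalize(good))
        if d < best_d:
            best, best_d = good, d
    if best is not None and best_d <= max_distance:
        return "suspicious", best
    return "unknown", None


if __name__ == "__main__":
    for candidate in ("psf/requests", "psf/requets", "rnicrosoft/typescript",
                      "pa11ets/flask", "somebody/unrelated-tool"):
        verdict, match = classify(candidate)
        print(f"{candidate:28} -> {verdict}" + (f" (looks like {match})" if match else ""))
```

The important design point is the third bucket: a name that is neither vetted nor a near-miss is "unknown", which a pipeline should treat as "not yet reviewed" rather than as clean, otherwise a cloned repo under a completely different name (the second pattern Apiiro describes) slips through.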

The recent Microsoft malvertising report said illegal streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue for the threat actor or actors. But part of the scheme involved victims being redirected several times, ending at malicious GitHub repositories that installed the first-stage payloads.

As of mid-January 2025, the first-stage payloads discovered were digitally signed with a newly created certificate, Microsoft said. A total of twelve different certificates were identified, all of which have been revoked.

Second stage files were then used to discover what was on victim PCs and to exfiltrate system information. The malware may have included Lumma Stealer and Doenerium. Various third-stage payloads were deployed, depending on the second-stage payload, for downloading additional files and stealing data.

Depending on the initial payload, NetSupport, a remote monitoring and management (RMM) program, was also often deployed alongside the infostealer. Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host. The threat actors used living-off-the-land binaries and scripts (LOLBAS) such as PowerShell.exe, MSBuild.exe, and RegAsm.exe to connect to command and control (C2) servers and to exfiltrate user data and browser credentials.
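The chain described in the last three paragraphs, a freshly signed first stage dropped into a user-writable directory and then script hosts and build tools used as loaders that reach out to C2, is what endpoint detection has to catch. The following is an added example, not code from Microsoft's report or from any EDR product, that runs a handful of such rules over constructed process-creation records. The field names imitate Sysmon process-creation (ID 1) and network-connection (ID 3) events; the paths, the IP address, the browser and LOLBAS lists and the 30-day certificate-age threshold are illustrative assumptions.

```python
"""Rule-based triage of process telemetry for the LOLBAS and
fresh-certificate signals discussed above.

Added example, not code from Microsoft's report or from any EDR product.
Field names imitate Sysmon process-creation (ID 1) and network-connection
(ID 3) events; every record, path, IP and threshold below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Binaries the report names as abused, plus the script hosts that run the
# JavaScript/VBScript stages it mentions.
LOLBAS = {"powershell.exe", "msbuild.exe", "regasm.exe", "wscript.exe", "cscript.exe"}
# Build and assembly-registration tools that almost never need outbound sockets.
NO_NETWORK_EXPECTED = {"msbuild.exe", "regasm.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Directories an ordinary user can write to (assumption; tune per estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Assumption: a signing certificate younger than this at execution time is
# unusual for established software and worth a second look.
FRESH_CERT_DAYS = 30


@dataclass
class ProcessEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str
    utc_time: datetime
    signed: bool = False
    cert_not_before: datetime | None = None
    connections: list[tuple[str, int]] = field(default_factory=list)  # (dst ip, dst port)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for set lookups."""
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def evaluate(ev: ProcessEvent) -> list[str]:
    """Return the names of every rule the event triggers; [] means clean."""
    hits: list[str] = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line.lower()
    if img in LOLBAS and parent in BROWSERS:
        hits.append("lolbas_spawned_by_browser")
    if img in LOLBAS and in_user_writable(ev.parent_image):
        hits.append("lolbas_spawned_from_user_writable_path")
    if img in NO_NETWORK_EXPECTED and ev.connections:
        hits.append("build_tool_outbound_connection")
    if img == "powershell.exe" and (" -enc" in cmd or "hidden" in cmd or "bypass" in cmd):
        hits.append("powershell_encoded_or_hidden")
    if ev.signed and ev.cert_not_before is not None and in_user_writable(ev.image):
        if ev.utc_time - ev.cert_not_before < timedelta(days=FRESH_CERT_DAYS):
            hits.append("fresh_certificate_in_user_path")
    return hits


def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map pid -> triggered rules, dropping clean events."""
    result: dict[int, list[str]] = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            result[ev.pid] = hits
    return result


T0 = datetime(2025, 1, 15, 12, 0, 0)  # constructed timestamp

# Constructed telemetry: one benign build, then a three-stage chain shaped
# like the one the article describes.
SAMPLE_EVENTS = [
    # Developer build launched by Visual Studio: a LOLBAS, but nothing else odd.
    ProcessEvent(1, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
                 "MSBuild.exe App.sln", T0),
    # Stage 1: dropper saved by the browser, signed with a 3-day-old certificate.
    ProcessEvent(2, r"C:\Users\alice\Downloads\Player_Update.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "Player_Update.exe", T0, signed=True, cert_not_before=T0 - timedelta(days=3)),
    # Stage 2: the dropper runs hidden, encoded PowerShell.
    ProcessEvent(3, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Users\alice\Downloads\Player_Update.exe",
                 "powershell.exe -w hidden -nop -enc SQBFAFgA", T0 + timedelta(seconds=4)),
    # Stage 3: MSBuild abused as a loader from Temp and talking to C2.
    ProcessEvent(4, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 r"C:\Users\alice\AppData\Local\Temp\x.exe",
                 r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\proj.xml",
                 T0 + timedelta(seconds=9), connections=[("203.0.113.7", 443)]),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(hits)}")
```

Note what the rules do and do not fire on: the Visual Studio build is left alone even though MSBuild.exe is on the LOLBAS list, because the signal is the context (a user-writable parent, an outbound socket, a browser parent), not the binary itself. The first stage is caught only by the certificate-age rule, which is the point of the report's observation about newly created certificates: a valid signature from a days-old certificate on a file in Downloads is a detection opportunity, not a reason to trust the file.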

Microsoft’s defensive recommendations include strengthening endpoint detection, particularly to block malicious artifacts, and requiring the use of multifactor authentication for logins.

Security awareness training is critical

To be effective, any security awareness and training program needs to recognize and be tailored to the way people really work with security in an organization, as part of creating a positive security culture, says the UK’s National Cyber Security Centre (NCSC).

There are free resources to help organizations build a cybersecurity and privacy learning program. For example, the latest guidance from the US National Institute of Standards and Technology (NIST), Building a Cybersecurity and Privacy Learning Program (SP 800-50 Rev. 1), is an 87-page guide that says a plan needs measures of success, such as employees’ ability to recognize and report potential cybersecurity events and changes in employee behavior, as well as feedback throughout the year.

“Cybersecurity and privacy awareness learning activities should be conducted on an ongoing basis throughout the year,” it says in part, “to ensure that employees are aware of their roles within the organization and the appropriate steps they must take to protect information, assets, and individuals’ privacy.”

Examples of awareness activities that are appropriate for all users include:

  • messages on logon screens, organizational screen savers, and email signature blocks;
  • employee newsletters with cybersecurity and privacy articles;
  • posters (physical or digital) with cybersecurity and privacy tips;
  • a Cybersecurity Awareness Month (October) or Data Privacy Awareness Week (January) activity fair;
  • cybersecurity and privacy reminders and tips on employee materials (e.g., pens, notepads, etc.);
  • periodic or as-needed email messages that provide timely tips or are sent in response to a cybersecurity or privacy event or issue.

Original Post url: https://www.csoonline.com/article/3842391/almost-1-million-business-and-home-pcs-compromised-after-users-visited-illegal-streaming-sites-microsoft.html

Category & Tags: GitHub, Malware, Security
