Microsoft Discovers Large-Scale Malvertising Campaign Compromising Windows Systems

CyberSecureFox 🦊

Microsoft’s security researchers have uncovered a sophisticated malvertising campaign that has compromised approximately one million Windows devices worldwide. The attack, which began in December 2024, employs an intricate multi-stage infection chain to steal sensitive information, credentials, and cryptocurrency assets from unsuspecting users.

Sophisticated Attack Vector Through Malicious Advertising

The threat actors seeded their campaign by placing malicious advertisements on illegal streaming sites, notably movies7[.]net and 0123movie[.]art. The ads carried redirector scripts that routed viewers through legitimate ad networks and pay-per-view/pay-per-click schemes, so the operators earned on every impression while steering a subset of visitors toward the malicious payload.

Complex Technical Infrastructure and Deployment Strategy

The campaign relies on malicious iframe elements that kick off a chain of redirects through intermediary sites, including fake technical-support pages, before the final payload is fetched. The payloads were hosted mainly on GitHub, with some served from Discord and Dropbox, a reminder that a download from a trusted platform is not evidence of a trustworthy file.
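The redirect chain described above leaves a trail in ordinary web-proxy logs: each hop carries the previous hop as its referer, and the last hop is a binary pulled from a file host. The following script, an added example that is not part of the original article or of Microsoft's report, reconstructs those chains from a constructed proxy log and flags downloads whose chain started on one of the streaming sites named in the article or crossed several unrelated domains on the way. The log format, the file-host list and the `.example` intermediary domains are assumptions made for illustration.

```python
"""Reconstruct referer chains from proxy logs and flag malvertising-style
downloads.  Added example: log format, domain lists and thresholds are
assumptions for illustration, not from the article or Microsoft's report."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample log: "<unix_ts> <client_ip> <url> <referer or -> <content_type>"
# Client 10.0.0.5 follows the malvertising chain; client 10.0.0.7 is a benign
# GitHub release download reached from a vendor site.  *.example hosts are
# placeholders for the ad network and fake tech-support page.
SAMPLE_LOG = """\
1733990001 10.0.0.5 https://movies7.net/watch/123 - text/html
1733990002 10.0.0.5 https://ads.adnet.example/serve?id=77 https://movies7.net/watch/123 text/html
1733990003 10.0.0.5 https://support-alert.example/alert https://ads.adnet.example/serve?id=77 text/html
1733990004 10.0.0.5 https://github.com/user/repo/releases/download/v1/setup.exe https://support-alert.example/alert application/octet-stream
1733990010 10.0.0.7 https://github.com/python/cpython/releases/download/v3/setup.exe https://python.org application/octet-stream
"""

# Streaming sites are the two named in the article; file hosts are assumed.
STREAMING_SITES = {"movies7.net", "0123movie.art"}
FILE_HOSTS = {
    "github.com", "objects.githubusercontent.com",
    "cdn.discordapp.com", "www.dropbox.com", "dl.dropboxusercontent.com",
}
DOWNLOAD_EXTS = (".exe", ".msi", ".zip", ".js", ".ps1")


@dataclass
class Hit:
    ts: int
    client: str
    url: str
    referer: Optional[str]
    ctype: str


def parse_log(text: str) -> List[Hit]:
    """Parse the space-separated sample format into Hit records."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, ref, ctype = line.split()
        hits.append(Hit(int(ts), client, url, None if ref == "-" else ref, ctype))
    return hits


def host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_payload_download(hit: Hit) -> bool:
    """A binary (by content type or extension) fetched from a file host."""
    path = urlparse(hit.url).path.lower()
    return host(hit.url) in FILE_HOSTS and (
        hit.ctype == "application/octet-stream" or path.endswith(DOWNLOAD_EXTS)
    )


def redirect_chain(hit: Hit, by_url: Dict[str, Hit]) -> List[str]:
    """Walk referers backwards from a download; return URLs oldest first.
    `by_url` maps each URL the same client requested to its Hit so we can
    recover that hop's own referer.  A seen-set guards against referer loops."""
    chain, seen = [hit.url], {hit.url}
    cur = hit.referer
    while cur and cur not in seen:
        chain.append(cur)
        seen.add(cur)
        prev = by_url.get(cur)
        cur = prev.referer if prev else None
    return list(reversed(chain))


def find_malvertising_chains(log_text: str, min_domains: int = 4) -> List[dict]:
    """Flag payload downloads whose chain began on a streaming site or
    crossed at least `min_domains` distinct hosts before the download."""
    hits = parse_log(log_text)
    index: Dict[str, Dict[str, Hit]] = {}
    for h in hits:
        index.setdefault(h.client, {})[h.url] = h
    alerts = []
    for h in hits:
        if not is_payload_download(h):
            continue
        chain = redirect_chain(h, index[h.client])
        hosts = [host(u) for u in chain]
        reasons = []
        if any(x in STREAMING_SITES for x in hosts):
            reasons.append("chain originates on a known illegal streaming site")
        if len(set(hosts)) >= min_domains:
            reasons.append("long cross-domain redirect chain before download")
        if reasons:
            alerts.append({"client": h.client, "chain": chain, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_malvertising_chains(SAMPLE_LOG):
        print(a["client"], " -> ".join(a["chain"]), a["reasons"])
```

Only the 10.0.0.5 chain is reported; the benign release download for 10.0.0.7 has a single-hop referer and no streaming-site origin. In a real deployment the two domain sets would come from threat-intelligence feeds rather than literals, and `min_domains` should be tuned against the organisation's normal ad traffic, which can legitimately bounce through two or three ad-tech hosts.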

Multi-Stage Malware Deployment Process

The infection chain opens with a first-stage dropper that fingerprints the device (operating system, hardware, installed software) so that later stages can be tailored to the victim. Subsequent stages attempt to disable security tooling, open command-and-control channels, and deploy NetSupport RAT, a legitimate remote-administration tool repurposed as a backdoor. Many of the files were digitally signed, which helps them pass casual trust checks; Microsoft identified and revoked 12 certificates that had been used to sign components of the campaign.

Impact Assessment and Data Exfiltration Capabilities

The campaign is indiscriminate, affecting both individual users and organizations. The final payload delivers two information stealers, the commercially sold Lumma stealer and the open-source Doenerium stealer, to harvest sensitive data. Both target browser-stored information, including cookies, saved passwords, and browsing history, and scan for cryptocurrency wallet applications such as Ledger Live, Trezor Suite, and KeepKey.

The incident illustrates how readily criminal operators weaponize legitimate advertising infrastructure and trusted hosting platforms. Recommended defenses include keeping security software current, enforcing strict access controls, and requiring multi-factor authentication for critical services. Defenders should also treat a valid code signature as a weak signal in this case, since the campaign's files were signed with certificates that Microsoft has since revoked, and should watch for binaries fetched from GitHub, Discord, or Dropbox immediately after a chain of redirects. Users should be especially cautious on streaming websites and wary of advertisements and fake support alerts that serve as the entry point for this malware.
