Malvertising campaign leads to info stealers hosted on GitHub
Essential information
- Published
- 06/03/2025 23:02
- Modified
- 07/03/2025 10:41
- Tags
- 2025-03-06 doenerium github information stealer living-off-the-land lumma lumma stealer malvertising multi-stage attack netsupport rat
- Related entities
- 3 observables, 1 intrusion sets (apt), 19 techniques (mitre), 3 malware
Description
A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms. The multi-stage attack chain involved deploying information stealers like Lumma and Doenerium, as well as remote access tools. The threat actors used living-off-the-land techniques and various scripts to collect system information, exfiltrate data, and establish persistence. The campaign affected both consumer and enterprise devices across multiple industries, highlighting its indiscriminate nature.