Microsoft has revealed a sprawling malvertising campaign that infected nearly one million devices worldwide by exploiting ads on two pirated video streaming websites. In a report released last Thursday, the tech giant’s security team detailed how the attack, which began in early December 2024, used deceptive advertisements to distribute malware, compromising both consumer and enterprise devices in an opportunistic bid to steal sensitive information.
The company traced the origins of the infections to two illegal streaming domains that hosted pirated video content. According to Microsoft, these sites embedded malvertising redirectors within their video streams, a tactic designed to generate pay-per-view or pay-per-click revenue for the attackers. Unsuspecting users who visited these sites were redirected through a series of intermediary websites, including tech support scam pages, before being funneled to malicious repositories on legitimate platforms like GitHub, Discord, and Dropbox. These repositories housed the malware that initiated the infection chain.
While Microsoft did not provide specific details about the appearance of the scam sites, it suggested that they likely lured users into downloading programs under false pretenses—such as fake tech support tools—that were actually malware. Once installed, this malware was capable of looting system information, remotely controlling the infected device, and even spying on users’ browsing activities across popular browsers like Firefox, Chrome, and Edge. The attack’s ability to interact with active browser instances raised particular concern, as it allowed hackers to monitor and manipulate user behavior in real time.
The campaign’s sophistication was evident in its use of code-signing certificates to mask its malicious intent. Microsoft reported that as of mid-January 2025, the first-stage payloads were digitally signed with newly created certificates, a tactic meant to make the malware appear legitimate. A total of twelve such certificates were identified, all of which have since been revoked. These initial payloads also bundled legitimate files to further evade detection, then delivered a second-stage payload that collected device information and sent it back to the hackers’ servers. This second stage also enabled the installation of additional malware, amplifying the attack’s reach and impact.
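A signature that validates is not the same as a signature you should trust: the first-stage payloads described above carried valid signatures from certificates issued only weeks earlier. The following PowerShell script is an added triage example, not code from Microsoft’s report; it lists recently written executables whose signer certificate was issued shortly before the file appeared, so an analyst can review them. The paths, file types and day thresholds are assumptions to adjust for your environment.

```powershell
# Added example (not from Microsoft's report): flag recently downloaded binaries whose
# Authenticode signer certificate was issued only days before the file was written,
# the pattern the article describes for the campaign's first-stage payloads.
# Assumes Windows PowerShell 5.1 or later; paths and thresholds below are placeholders.
param(
    [string[]]$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP"),
    [int]$MaxCertAgeDays = 30,   # signer cert younger than this at signing time is suspicious
    [int]$LookbackDays   = 14    # only inspect files written within this window
)

$since = (Get-Date).AddDays(-$LookbackDays)

$candidates = Get-ChildItem -Path $Paths -Recurse -File `
    -Include *.exe, *.dll, *.msi, *.scr -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since }

$findings = foreach ($file in $candidates) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate
    if (-not $cert) { continue }   # unsigned files are covered by other controls

    # Age of the certificate when the file was written. A negative value means the
    # file timestamp predates the certificate, which is also worth a look.
    $certAgeAtWrite = ($file.LastWriteTime - $cert.NotBefore).TotalDays

    if ($certAgeAtWrite -lt $MaxCertAgeDays) {
        [pscustomobject]@{
            File       = $file.FullName
            SigStatus  = $sig.Status          # Valid alone does not make a file safe
            Signer     = $cert.Subject
            Thumbprint = $cert.Thumbprint     # compare against vendor-published revocations
            CertIssued = $cert.NotBefore
            AgeDays    = [math]::Round($certAgeAtWrite, 1)
        }
    }
}

# Youngest certificates first; an empty table means nothing matched the heuristic.
$findings | Sort-Object AgeDays | Format-Table -AutoSize
```

Treat a hit as a lead for review rather than a verdict: legitimate vendors also rotate certificates, so confirm the signer, the download source and the file’s behaviour before acting.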
Microsoft’s security team described the campaign as indiscriminate, affecting a wide range of organizations and industries. The malware’s ability to target both consumer and enterprise devices underscored the growing risks associated with illegal streaming sites, which often serve as breeding grounds for cybercrime.
In response, Microsoft took swift action to mitigate the threat. GitHub, which is owned by Microsoft, along with Discord and Dropbox, removed the pages hosting the malware. Additionally, Microsoft confirmed that its built-in Windows Defender software can detect and flag the malware used in the attack, offering a layer of protection for users. The company also advised users to strengthen their cybersecurity practices, such as enabling multifactor authentication and using browsers with robust security features like Microsoft Edge, which supports Microsoft Defender SmartScreen to block malicious sites.
This incident serves as a stark reminder of the dangers lurking on pirated streaming platforms. As illegal streaming continues to attract users seeking free content, cybercriminals are increasingly exploiting these sites to distribute malware on a massive scale. For now, Microsoft’s intervention has disrupted this particular campaign, but the broader challenge of securing the digital landscape remains a pressing concern.