Hosting malware on a reputable developers’ platform possibly lowered the public’s guard and helped to compromise 1m devices within two months
According to an advisory by Microsoft, more than a million devices have been compromised by a malvertising campaign on illegal streaming websites.
The attack uses deceptive ads to lure users into downloading malicious software, specifically info-stealers, hosted on GitHub.
Uncovered in early 2025, the campaign exploits trusted platforms and clever tactics to slip past standard defenses, creating a widespread threat to IT environments.
Modus operandi
The scheme starts with ads on the illicit sites, often posing as ads for legitimate software. Clicking these ads directs users to typo-squatted domains — URLs that mimic real ones, such as “puttyorg.com” instead of “putty.org.” From there, victims are led to GitHub repositories containing malicious MSI installer files. These files, disguised as valid updates, unleash infostealers like Lumma or Rhadamanthys, which snatch sensitive data including passwords and system information.
Capitalizing on the developers’ platform’s reputation, attackers set up repositories with names that echo legitimate software projects, hiding malware in files executed through obfuscated JavaScript or PowerShell scripts. This approach makes it tough to spot, as the platform’s credibility masks the risks perceived by users of the illicit websites.
The stolen data is subsequently traded via Telegram channels, and Microsoft has noted the campaign’s reach — over 1 million devices in two months.
For IT professionals, proactive steps are essential, according to experts:
- Users need training to double-check URLs and download only from official sources, especially when browsing risky sites
- IT teams should use web filters to block typo-squatted domains and watch for unusual PowerShell activity, a frequent malware signpost
- Enhancing endpoint security to catch script-based threats is also vital
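As an added illustration of the web-filter recommendation above (not code from the advisory or from either vendor), the following script scans constructed proxy log lines for the two signals the advisory describes: hosts that imitate a watched brand, such as puttyorg.com standing in for putty.org, and MSI installers served from GitHub. The log format, the watchlist and the crude last-two-labels domain parsing are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed watchlist: brand keyword -> its legitimate registered domains.
# The putty.org / puttyorg.com pair is the one quoted in the advisory.
WATCHLIST = {"putty": {"putty.org"}, "github": {"github.com"}}
LEGIT = set().union(*WATCHLIST.values())

def registered_domain(host):
    # Crude eTLD+1: last two labels (assumes no multi-label public suffixes).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def lookalike_brand(host):
    """Return the brand a host imitates, or None if it is legitimate or unrelated."""
    host = host.lower().rstrip(".")
    if registered_domain(host) in LEGIT:
        return None
    # Brand keyword anywhere left of the TLD ("puttyorg.com", "putty.org.evil.net").
    name = ".".join(host.split(".")[:-1])
    for brand in WATCHLIST:
        if brand in name:
            return brand
    return None

# Assumed proxy log format: <timestamp> <user> <url> <http-status>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def scan_proxy_log(lines):
    """Return (user, host, reason) for requests matching either campaign signal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        user, parts = m.group(2), urlsplit(m.group(3))
        host = (parts.hostname or "").lower()
        brand = lookalike_brand(host)
        if brand:
            hits.append((user, host, "typosquat:" + brand))
        # Second signal from the advisory: MSI installers downloaded from GitHub.
        elif registered_domain(host) == "github.com" and parts.path.lower().endswith(".msi"):
            hits.append((user, host, "msi-from-github"))
    return hits

# Constructed sample log; the GitHub path and user names are invented.
SAMPLE_LOG = """\
2025-02-10T09:12:01Z alice https://docs.github.com/en/actions 200
2025-02-10T09:13:44Z bob https://puttyorg.com/download.html 200
2025-02-10T09:14:02Z bob https://github.com/example-org/putty-update/releases/download/v1/PuTTY-Update.msi 200
2025-02-10T09:15:17Z carol https://www.putty.org/ 200
""".splitlines()
```

Note that the legitimate docs.github.com and www.putty.org requests produce no hit, while the brand-keyword check deliberately ignores the URL path, so an MSI hosted on GitHub is only caught by the second rule.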
The two firms are working to dismantle the malicious repositories, but the campaign’s flexibility suggests it may persist: attackers could pivot to new platforms or tweak their methods. Staying alert and keeping systems secure remain the strongest countermeasures against this growing menace, according to the advisory.