A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms. The multi-stage attack chain involved deploying information stealers like Lumma and Doenerium, as well as remote access tools. The threat actors used living-off-the-land techniques and various scripts to collect system information, exfiltrate data, and establish persistence. The campaign affected both consumer and enterprise devices across multiple industries, highlighting its indiscriminate nature.
Author: AlienVault
Related Tags:
Doenerium
multi-stage attack
T1218.005
T1059.005
T1059.007
T1003.001
T1053.005
information stealer
T1204.001
Associated Indicators: