In December 2024, Microsoft Threat Intelligence identified a malware campaign stemming from pirate streaming sites. Using iframe malvertising redirector URLs to generate revenue, with redirects up to five layers deep, malware payloads hosted on GitHub, Discord and Dropbox acted as a dropper for additional payloads hosted elsewhere. Microsoft says the goal was to steal information, and it believes almost a million devices were infected.
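Added example, not code from the Microsoft report or from this post: a small Python script that reconstructs per-client redirect chains from constructed proxy-log lines and flags deep 3xx chains that end in a download from the payload-hosting services named above. The log format, the hop threshold and the host list are assumptions a defender would tune to their own environment.

```python
from collections import defaultdict

# Payload-hosting services named in the campaign summary; the exact
# hostnames are an assumption to be tuned per environment.
PAYLOAD_HOSTS = {"github.com", "objects.githubusercontent.com",
                 "cdn.discordapp.com", "dl.dropboxusercontent.com"}
MIN_REDIRECT_HOPS = 3  # assumed threshold; the report describes up to five hops

# Constructed proxy-log sample: time client host path status referer_host
SAMPLE_LOG = """\
10:00:01 10.0.0.5 stream-example.test /watch 200 -
10:00:02 10.0.0.5 ads-redir1.test /go 302 stream-example.test
10:00:02 10.0.0.5 ads-redir2.test /r 302 ads-redir1.test
10:00:03 10.0.0.5 ads-redir3.test /x 302 ads-redir2.test
10:00:03 10.0.0.5 github.com /u/r/releases/download/v1/Setup.exe 200 ads-redir3.test
10:00:10 10.0.0.9 docs.example.test /page 200 -
10:00:11 10.0.0.9 github.com /org/repo 200 docs.example.test
""".splitlines()

def parse_line(line):
    ts, client, host, path, status, referer = line.split()
    return {"ts": ts, "client": client, "host": host, "path": path,
            "status": int(status), "referer": referer}

def build_chains(lines):
    """Per client, link requests into a chain where each hop's referer is the previous host."""
    by_client = defaultdict(list)
    for rec in map(parse_line, lines):
        by_client[rec["client"]].append(rec)
    chains = {}
    for client, recs in by_client.items():
        chain = [recs[0]]
        for rec in recs[1:]:
            if rec["referer"] == chain[-1]["host"]:
                chain.append(rec)
        chains[client] = chain
    return chains

def suspicious_chains(lines):
    """Return (client, hosts) for chains with many 3xx hops ending in a 200 from a payload host."""
    hits = []
    for client, chain in build_chains(lines).items():
        hops = sum(1 for r in chain if 300 <= r["status"] < 400)
        last = chain[-1]
        if hops >= MIN_REDIRECT_HOPS and last["host"] in PAYLOAD_HOSTS and last["status"] == 200:
            hits.append((client, [r["host"] for r in chain]))
    return hits

if __name__ == "__main__":
    for client, hosts in suspicious_chains(SAMPLE_LOG):
        print(client, " -> ".join(hosts))
```

The second client in the sample reaches github.com directly from a documentation page with no redirect hops, so it is not flagged; only the streaming-site chain with three 302 hops is.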

  • Bobby Turkalino (2 upvotes) · 16 hours ago

    Something I’m not understanding is how these payloads even get executed. In “First Stage” in Figure 3, it explains that the user is redirected to a GitHub repo and then the payload is downloaded, but how exactly does it go to the second stage from there? I would assume the user has to be dumb enough to double-click on the payload that got downloaded, but the article makes it sound like this all happens automatically after clicking the initial ad link.