Pulse: Malvertising campaign leads to info stealers hosted on GitHub
Adversary: Storm-0408 | Author: AlienVault | Created: 2025-03-06 | Modified: 2025-04-05 | TLP: WHITE | 310 IOCs
A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms. The multi-stage attack chain involved deploying information stealers like Lumma and Doenerium, as well as remote access tools. The threat actors used living-off-the-land techniques and various scripts to collect system information, exfiltrate data, and establish persistence. The campaign affected both consumer and enterprise devices across multiple industries, highlighting its indiscriminate nature.
Indicators of Compromise (60 shown of 310 total; the full list is in the pulse)