
CTI Roundup: Malvertising, XCSSET Variant, and GitHub Abuse

Malvertising campaign threatens global devices, a new XCSSET variant adds obfuscation and enhanced persistence, and an ongoing campaign uses fake GitHub repositories to spread malware

Emerging Issue

In this week’s roundup, the Tanium CTI team examines a large malvertising campaign impacting global devices. Next, it analyzes a new macOS malware variant called XCSSET. Finally, CTI investigates an ongoing campaign using fake GitHub repositories to distribute malware.

New malvertising campaign infects more than 1 million devices

Microsoft is sounding the alarm about a large malvertising campaign impacting more than one million devices globally.

According to Microsoft, the opportunistic attack originated from illegal streaming sites embedded with malvertising redirectors, which ultimately directed victims to GitHub and other platforms hosting infostealer malware.

What is Storm-0408?

Microsoft is monitoring this activity under Storm-0408. It involves several threat actors linked to remote access or infostealing malware, particularly those that rely on phishing, SEO, and malvertising for distribution.

The threat actors primarily use GitHub to host the payloads, with occasional payloads being hosted on Discord and Dropbox. Microsoft first observed the activity in December 2024.

Understanding the redirection chain

Microsoft noticed several hosts downloading first-stage payloads from malicious GitHub repositories. These users were sent to GitHub through a series of redirections, most likely starting from illegal streaming sites.

Traffic passed through a few intermediate redirectors but ultimately landed on a scam site that redirected victims to GitHub. The campaign deployed several stages of malware.

What does the attack chain look like?

After the victim is redirected to GitHub, where the malware is hosted, the malware establishes the initial foothold on the user’s device. It acts as a dropper for the remaining payloads and stages, which include infostealers, RMM software, and various scripts.

The actor’s activity leads to “a modular and multistage approach to payload delivery, execution and persistence,” which includes four stages summarized below:

  1. Establish a foothold on the host

    In the first stage of the attack, a payload is dropped onto the victim’s device from GitHub, enabling the actor to establish a foothold on it. As of mid-January 2025, these payloads were digitally signed with a new certificate. Twelve certificates were identified, all of which have since been revoked.
  2. System discovery, collection, and exfiltration

    Microsoft observed different second-stage payloads depending on what was used during the first stage. However, the objectives of the second stage remain the same regardless of the first stage: discovery, collection, and exfiltration. The malware gathers information about the device, such as the OS version, running commands, device name, and domain name.
  3. PowerShell and .exe

    Again, the third stage varies depending on what occurred in the second stage, and either one or several executables are dropped. The second-stage payloads run third-stage executables to identify running programs, particularly searching for keywords known to be associated with security software. The executable also produces an AutoIT v3 interpreter file that is renamed to use a .com file extension and then executed.

    In some cases, the second-stage payload drops a PowerShell script. This script can download additional files (such as NetSupport RAT) from the C2, establish persistence for the malware, and exfiltrate information to C2 servers.
  4. PowerShell

    In some cases, the previously renamed AutoIT file drops an additional PowerShell script. This script is obfuscated, and its purpose is to modify Microsoft Defender by adding exclusion paths so that certain folders containing malicious artifacts are not scanned.
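The fourth stage tampers with Defender exclusions, which Windows records as event ID 5007 ("Configuration has changed") in the Microsoft-Windows-Windows Defender/Operational log. The following is an added example, not code from Microsoft's report or from Tanium: it parses constructed 5007 messages (the paths and allowlist are made up), extracts newly added path exclusions, and flags any that are not on an approved list, with user-writable locations called out separately.

```python
import re

# Constructed sample messages in the shape of Defender event ID 5007.
# The registry value text mirrors the real event format; the paths are made up.
SAMPLE_5007_MESSAGES = [
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    "C:\\Users\\Public\\Libraries = 0x0",
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    "C:\\Program Files\\SQL Server = 0x0",
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "\tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    "DisableRealtimeMonitoring = 0x0\n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    "DisableRealtimeMonitoring = 0x1",
]

# Exclusions an organisation has deliberately approved (constructed allowlist, lower-cased).
APPROVED_EXCLUSIONS = {r"c:\program files\sql server"}

# Captures the excluded path when a 5007 message records a new path exclusion.
ADDED_EXCLUSION_RE = re.compile(
    r"New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\(.+?) = 0x",
    re.IGNORECASE,
)

# Locations a standard user can write to; an exclusion there deserves a closer look.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def added_exclusion_path(message):
    """Return the excluded path if the message records a new path exclusion, else None."""
    m = ADDED_EXCLUSION_RE.search(message)
    return m.group(1) if m else None


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def suspicious_exclusions(messages, approved):
    """Return (path, reason) pairs for added exclusions that are not on the approved list."""
    findings = []
    for msg in messages:
        path = added_exclusion_path(msg)
        if path is None or path.lower() in approved:
            continue
        reason = "user-writable location" if is_user_writable(path) else "unapproved exclusion"
        findings.append((path, reason))
    return findings
```

On a live host the messages come from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=5007}`; the parsing is the same.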

Analyst comments from Tanium’s Cyber Threat Intelligence team

The redirection chain in this attack is quite sophisticated, as it starts from a single redirector embedded on a site. The actor also demonstrated advanced capabilities with the multi-stage infection chain and various payloads. That said, the actor also follows the common trend of abusing legitimate services, like GitHub, to further blend in.

Microsoft’s report goes into detail about the varying payloads and stages it’s observed related to this activity. The report also shares some recommended actions, hunting queries, and Defender alerts that may help identify activity associated with this threat.

XCSSET variant uses obfuscation and enhanced persistence

Microsoft recently discovered a new variant of the macOS malware XCSSET, which infects Xcode projects. Xcode is Apple’s development application for building macOS and other Apple apps.

The latest variant demonstrates enhanced obfuscation, improved persistence, and new infection strategies. It is ultimately “characterized by its modular approach and encoded payloads.”

What is XCSSET malware?

XCSSET malware, first identified in 2022, targets Xcode projects during the build process. Compared to its initial appearance, the newly discovered XCSSET variant shows improved error handling and increased reliance on scripting languages, UNIX commands, and legitimate binaries. Notably, it obscures its module names, which complicates analysis.

Microsoft also reports that the new variant employs distinct persistence techniques and that, although some modules seem to be currently in development, the C2 server is active and downloading additional modules.

How does the new XCSSET variant work?

The new variant is a four-stage infection chain in which the last stage runs additional sub-modules:

  1. In the first stage, an Xcode shell payload runs when a victim builds an infected Xcode project. The decoded payload will make a curl request to the C2 server, receiving the second stage payload.
  2. In the second stage, the payload gathers information about the operating system and sends that data to the C2 server before receiving another payload.
  3. In the third stage, a shell script will confirm that the device’s XProtect version is less than 5287, stop referenced running processes, and search for a hidden file in the “.a” home folder. This stage will also delete existing references to “l.app” and create a new one, download an additional script, and create an AppleScript to launch the previously downloaded script. Lastly, the script will enable the “LSUIElement” key to hide the app from the Dock, running the application in the background and removing the created app.
  4. In the fourth stage, the previously created AppleScript app runs and executes commands to extract the OS version, Safari version, user locale, firewall status, SIP status, and CPU information. It will then repeatedly call a function with multiple obfuscated module names.
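Two of the third-stage details above give a defender something concrete to check: the script proceeds only if XProtect is older than version 5287, and it hides its dropped app from the Dock with the LSUIElement key. The following is an added example, not code from Microsoft's report or from Tanium. It assumes the XProtect bundle's Info.plist lives at the path shown and that its CFBundleShortVersionString is an integer; the demo bundles it scans are constructed in a temporary directory.

```python
import os
import plistlib
import tempfile

# Assumed location of the XProtect bundle's Info.plist on current macOS releases.
XPROTECT_INFO_PLIST = "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
# The variant's third stage only proceeds when XProtect is older than this version.
XCSSET_GATE_VERSION = 5287


def version_plist(version):
    """Build a minimal XProtect-style Info.plist (constructed, for demonstration)."""
    return plistlib.dumps({"CFBundleShortVersionString": str(version)})


def xprotect_version(plist_bytes):
    """Parse CFBundleShortVersionString from an XProtect Info.plist."""
    return int(plistlib.loads(plist_bytes)["CFBundleShortVersionString"])


def below_xcsset_gate(plist_bytes):
    """True when XProtect is old enough for the third stage to continue."""
    return xprotect_version(plist_bytes) < XCSSET_GATE_VERSION


def hidden_app_bundles(root):
    """Return .app bundles under root whose Info.plist sets LSUIElement (hidden from the Dock)."""
    hidden = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if not name.endswith(".app"):
                continue
            info_path = os.path.join(dirpath, name, "Contents", "Info.plist")
            try:
                with open(info_path, "rb") as fh:
                    info = plistlib.load(fh)
            except (OSError, plistlib.InvalidFileException):
                continue
            if info.get("LSUIElement") in (True, 1, "1"):
                hidden.append(os.path.join(dirpath, name))
    return hidden


def make_demo_bundle(root, name, ui_element):
    """Write a minimal constructed .app bundle containing only an Info.plist."""
    contents = os.path.join(root, name, "Contents")
    os.makedirs(contents, exist_ok=True)
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleName": name, "LSUIElement": ui_element}, fh)


def demo():
    """Constructed scenario: one visible and one Dock-hidden bundle; returns hidden names."""
    with tempfile.TemporaryDirectory() as root:
        make_demo_bundle(root, "Visible.app", False)
        make_demo_bundle(root, "l.app", True)
        return [os.path.basename(p) for p in hidden_app_bundles(root)]
```

A hidden bundle is not malicious on its own (menu-bar utilities use LSUIElement legitimately); the value is in scanning user-writable locations and reviewing anything unexpected, especially alongside an outdated XProtect.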


The importance of sub-modules in the fourth stage

The fourth stage script can download various sub-modules capable of the following activities:

  • Listing browser extensions
  • Downloading more modules
  • Stealing digital wallet data
  • Establishing persistence in multiple different ways
  • Stealing Notes data
  • Infecting Xcode projects

Microsoft also identified a few modules related to file/data exfiltration that are believed to still be in development.

Analyst comments from Tanium’s Cyber Threat Intelligence team

One of the most important points in Microsoft’s report is that XCSSET’s C2 server is downloading additional modules. So, while this new variant may not be widespread, it has additional modules in development and is currently active. The new developments in this variant also fit the broader trend of recent attacks targeting macOS.

Ongoing campaign uses fake GitHub repositories to spread malware

Trend Micro discovered an ongoing campaign that uses fake GitHub repositories to distribute malware.

The campaign employs AI-generated content to make the fake repositories seem legitimate, with successful attacks enabling threat actors to steal 2FA extensions, login credentials, and more.


How are hackers abusing GitHub?

It’s evident that threat actors continue abusing GitHub to distribute malware. However, the actor doesn’t host malware on GitHub in this campaign. Instead, they use generative AI to create what appear to be legitimate repositories on GitHub.

How does the attack start?

This ongoing campaign begins with fake GitHub repositories generated by AI, crafted to resemble legitimate tools and software. The actor then employs AI to produce README files and documentation, enhancing the illusion of legitimacy to deceive victims into installing the content.


Trend Micro says that the fake repositories stand out right now because the formatting of the README content is “heavily assisted by AI, as exhibited by telltale signs such as excessive emoji usage, unnatural phrasing, a hyperlinked logo, and structured content.”

The repositories aim to trick victims into downloading .zip files that contain a payload for the SmartLoader malware.
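The telltale signs Trend Micro lists can be turned into a rough triage heuristic for repositories under review. The following is an added example, not code from Trend Micro or Tanium: it scores constructed README text on emoji density, a hyperlinked image at the top, emoji-decorated headings, and mention of a .zip download. Both sample READMEs are made up, and the weights are illustrative.

```python
import re

# Constructed README samples: one imitating the style described above, one written plainly.
SUSPICIOUS_README = """# 🚀 UltraOptimizer Pro 🚀
[![logo](https://example.invalid/logo.png)](https://example.invalid)
## ✨ Features ✨
- 🔥 Blazing fast performance
- 🛡️ Secure by design
- 🎯 Easy to use
## 📥 Installation
Download the .zip release and extract it.
## 🤝 Contributing
## 📄 License
"""
PLAIN_README = """# netcfg
Small helper for generating interface configs.
## Usage
Run `netcfg --help` for options.
"""

EMOJI_RE = re.compile("[\U0001F300-\U0001FAFF\u2600-\u27BF\u2B50]")
HEADING_RE = re.compile(r"^#{1,6}\s.*$", re.MULTILINE)
LINKED_IMAGE_RE = re.compile(r"\[!\[[^\]]*\]\([^)]*\)\]\([^)]*\)")  # [![alt](img)](url)
ARCHIVE_RE = re.compile(r"\b(zip|rar|7z)\b", re.IGNORECASE)


def readme_signals(text):
    """Measure each telltale sign separately so an analyst can see what fired."""
    words = max(len(text.split()), 1)
    headings = HEADING_RE.findall(text)
    emoji_headings = sum(1 for h in headings if EMOJI_RE.search(h))
    return {
        "emoji_per_100_words": 100.0 * len(EMOJI_RE.findall(text)) / words,
        "linked_image": bool(LINKED_IMAGE_RE.search(text)),
        "emoji_heading_fraction": emoji_headings / len(headings) if headings else 0.0,
        "mentions_archive": bool(ARCHIVE_RE.search(text)),
    }


def readme_score(text):
    """Weighted triage score in [0, 1]; higher means more of the signs are present."""
    s = readme_signals(text)
    score = 0.4 * min(s["emoji_per_100_words"] / 10.0, 1.0)
    score += 0.2 if s["linked_image"] else 0.0  # badges do this too, so a weak signal
    score += 0.2 * s["emoji_heading_fraction"]
    score += 0.2 if s["mentions_archive"] else 0.0
    return round(score, 2)
```

Treat the score as a prompt for human review rather than a verdict: plenty of legitimate projects use emoji and badge images.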

How does SmartLoader use Lumma Stealer?

The SmartLoader malware delivers the Lumma Stealer and other payloads by downloading a file from GitHub and saving it as “search.exe,” which can then execute Lumma Stealer.

SmartLoader is known to inflate files when loading the payload, increasing the file size to approximately 1GB. The malware will execute additional files, create malicious files in the temp folder, run various security software discovery commands, and conduct browser debugging. Once this process is complete, Lumma Stealer will connect to its C2 to exfiltrate data.
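File inflation of the kind described above leaves a measurable trace: most of the file is low-entropy filler rather than code or data. The following is an added example, not code from Trend Micro or Tanium. It profiles a file chunk by chunk with Shannon entropy and flags large files that are mostly filler; the sample it analyses is a constructed stand-in (pseudo-random bytes followed by zero padding), not a real executable.

```python
import math
import random
from collections import Counter


def shannon_entropy(chunk):
    """Bits of entropy per byte in chunk: 0.0 for a run of one byte value, up to 8.0."""
    counts = Counter(chunk)
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inflation_profile(data, chunk_size=4096, low_entropy=1.0):
    """Split data into chunks and measure how much of the file is low-entropy filler."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    filler = sum(len(c) for c in chunks if shannon_entropy(c) < low_entropy)
    return {
        "size": len(data),
        "filler_bytes": filler,
        "filler_fraction": filler / len(data) if data else 0.0,
        "content_bytes": len(data) - filler,
    }


def looks_inflated(data, min_size=1_000_000, min_filler_fraction=0.9):
    """Flag files that are large mainly because of filler rather than real content."""
    p = inflation_profile(data)
    return p["size"] >= min_size and p["filler_fraction"] >= min_filler_fraction


def constructed_sample(content_len=65536, padding_len=2_000_000):
    """Constructed stand-in for an inflated binary: pseudo-random 'code' then zero padding.
    Seeded so the result is reproducible; it is not a real executable."""
    rng = random.Random(1)
    content = bytes(rng.getrandbits(8) for _ in range(content_len))
    return content + b"\x00" * padding_len
```

Scanning a real 1GB sample this way is slow in pure Python; sampling chunks at fixed offsets gives the same signal far faster.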

Analyst comments from Tanium’s Cyber Threat Intelligence team

This is yet another recent example of threat actors using GitHub as part of their attack, reminding us that an established sense of trust can and will often be abused.

What’s interesting about this attack is the actor’s use of AI-generated content, especially since we haven’t seen many examples of AI being used in attacks. Trend Micro notes that this attack is ongoing and will likely continue to evolve as actors continue to “make use of advanced tools to automate and enhance their attacks.”


Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.

Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
