Microsoft warns that a threat actor identified as DEV-0569, which is well-known for disseminating various malicious payloads, was recently seen updating its delivery techniques.
To disseminate malware, DEV-0569 has relied on malicious ads (malvertising), blog comments, fake forum pages, and phishing links. Over the past few months, however, Microsoft has observed the threat actor begin using contact forms to distribute phishing links, while hosting fake installers on legitimate-looking software download websites and repositories such as GitHub and OneDrive. The adversary still relies on malvertising to spread malware, and in one campaign even extended that approach by incorporating Google Ads.
According to Microsoft, “These methods allow the group to potentially reach more targets and ultimately achieve their goal of deploying various post-compromise payloads.”