Hello again, FakeBat: popular loader returns after months-long hiatus

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

FakeBat, a loader previously known as Eugenloader and PaykLoader, has resurfaced after a three-month absence. The malware was distributed through a malicious Google ad impersonating the productivity application Notion. The attack chain involves a tracking template, cloaking domain, and a decoy site. FakeBat's payload is the LummaC2 stealer, which is injected into MSBuild.exe via process hollowing. The loader uses obfuscation techniques and the RastaMouse AMSI bypass script. This incident highlights the ongoing threat of malvertising and brand impersonation in Google ads, demonstrating how threat actors can quickly revert to proven methods of malware distribution.

OPENCTI LABELS:

powershell, stealer, fakebat, malvertising, loader, obfuscation, lummac2, google ads, brand impersonation
