216.73.217.64

Hello again, FakeBat: popular loader returns after months-long hiatus

· Published 11/11/2024 09:50 · Modified 11/11/2024 09:55

Export JSON

Essential information

Published
11/11/2024 09:50
Modified
11/11/2024 09:55
Tags
2024-11-11 brand impersonation fakebat google ads loader lummac2 malvertising obfuscation powershell stealer
Related entities
19 observables, 1 intrusion sets (apt), 8 techniques (mitre), 2 malware

Description

, a previously known as Eugenloader and PaykLoader, has resurfaced after a three-month absence. The malware was distributed through a malicious Google ad impersonating the productivity application Notion. The attack chain involves a tracking template, cloaking domain, and a decoy site. 's payload is the , which is injected into MSBuild.exe via process hollowing. The uses techniques and the RastaMouse AMSI bypass script. This incident highlights the ongoing threat of and in , demonstrating how threat actors can quickly revert to proven methods of malware distribution.

External references