EugenLoader, also known as FakeBat or PaykLoader, is a malicious software program that has resurfaced after months of absence. It was detected by Microsoft in mid-November 2023 being delivered through search advertisements mimicking popular productivity applications such as Zoom and Notion. The malware was found to be distributed by an access broker known as Storm-1113, which specializes in malware distribution through search advertisements. Storm-1113 used bogus MSIX installers masquerading as Zoom to distribute EugenLoader, which acts as a conduit for various types of stealer malware and remote access trojans.
The malware deployment technique has evolved with threat actors using fraudulent Google search ads impersonating Slack to spread either the Atomic Stealer malware or EugenLoader, depending on the operating system. This development was reported by Malwarebytes. Furthermore, the signed MSI installer hosted on rogue websites contains a malicious PowerShell script, a loader known as FakeBat (aka EugenLoader), which serves as a conduit to deploy RedLine Stealer on the compromised host.
Another cybercriminal group, Sangria Tempest (also known as FIN7), used EugenLoader in November 2023 to drop its infamous Carbanak malware framework, which subsequently deployed the Gracewire implant. Since this group offers malware deployment as a service, EugenLoader has been used to deploy a variety of implants including Gozi, RedLine Stealer, IcedID, Smoke Loader, NetSupport Manager (also known as NetSupport RAT), SectopRAT, and Lumma Stealer. These findings highlight an increase in cybercriminals using paid advertisements to lure users to malicious sites and trick them into downloading various types of malware.
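As an added defensive example (not part of the original description), the Python heuristic below runs over constructed process-creation events and flags the delivery chain described above: a PowerShell host launched from an MSIX package (installed under the WindowsApps directory) or an msiexec.exe MSI install, escalated when the package path carries one of the impersonated brand names. The event field names, the sample events and the severity tiers are assumptions, not values from any report.

```python
from typing import Optional

# Brands the description reports being impersonated in the malicious ads/installers.
IMPERSONATED_BRANDS = ("zoom", "notion", "slack")

# MSIX packages are installed under this directory; MSI installs execute via msiexec.exe.
MSIX_ROOT = "c:\\program files\\windowsapps\\"
POWERSHELL_HOSTS = ("powershell.exe", "pwsh.exe")


def installer_spawned_powershell(event: dict) -> bool:
    """True when a PowerShell host is started by an MSIX package or by msiexec.exe."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not image.endswith(POWERSHELL_HOSTS):
        return False
    return parent.startswith(MSIX_ROOT) or parent.endswith("\\msiexec.exe")


def brand_lookalike(event: dict) -> Optional[str]:
    """Return the impersonated brand name present in the parent image path, if any."""
    parent = event.get("ParentImage", "").lower()
    return next((b for b in IMPERSONATED_BRANDS if b in parent), None)


def triage(events) -> list:
    """Per event: 'high' for installer->PowerShell with a brand lookalike,
    'medium' for installer->PowerShell alone (MSI custom actions can be legitimate),
    None otherwise."""
    results = []
    for event in events:
        if not installer_spawned_powershell(event):
            results.append(None)
        elif brand_lookalike(event):
            results.append("high")
        else:
            results.append("medium")
    return results


# Constructed sample events (assumed Sysmon-style field names, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Program Files\\WindowsApps\\Zoom.Setup_1.0.0.0_x64__example\\Zoom.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(verdict, event["ParentImage"])
```

In a SIEM the same logic maps to a parent-image prefix match plus a child-image match; the brand list should be extended with whatever applications the organisation's users actually install from search results.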
Description last updated: 2024-11-11T14:47:17.113Z