Eugenloader

Malware Profile Updated 3 months ago
EugenLoader, also known as FakeBat, is a malware loader that Microsoft observed in mid-November 2023. It was distributed by an initial access broker tracked as Storm-1113 through search advertisements impersonating the Zoom app, with the loader delivered inside bogus MSIX installers masquerading as Zoom downloads. The same technique was also used to deploy other malware families, such as BATLOADER and IcedID, part of a broader increase in cybercriminals buying paid search advertisements to lure users to malicious sites and trick them into running malicious installers.

Over the same period, the campaigns delivering Atomic Stealer changed as well. According to a report by Malwarebytes, Google search ads impersonating Slack were used to deploy either an upgraded Atomic Stealer (a macOS stealer) or EugenLoader (on Windows), with the payload selected according to the victim's operating system.

EugenLoader has been linked to multiple cybercriminal groups and used to deliver a variety of implants. In November 2023, Sangria Tempest (also known as FIN7) used it to drop the Carbanak malware framework, which in turn deployed the Gracewire implant. Storm-1113 also offers malware deployment as a service to other actors, and EugenLoader has been used to deploy a range of implants including Gozi, RedLine stealer, IcedID, Smoke Loader, NetSupport Manager (also known as NetSupport RAT), Sectop RAT, and Lumma stealer.
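The delivery vehicle described above is an MSIX package that presents itself as Zoom while being signed by someone else. An MSIX file is a ZIP archive whose package identity (Name and Publisher, the latter being the signing certificate's subject) lives in AppxManifest.xml at the archive root, so a quick triage step is to compare what the package calls itself with who actually publishes it. The following is an added example for this page, not code from Microsoft, Malwarebytes or any other vendor; the expected-publisher table and both sample packages are constructed for the example, and the publisher subjects in them are assumptions, not the real vendors' certificate subjects.

```python
"""Triage an MSIX/Appx package by reading its AppxManifest.xml.

Added example, not from the page or any vendor report.  An MSIX package is a
ZIP archive; the package identity (Name, Publisher) is in AppxManifest.xml at
the root.  A lure package can say "Zoom" in DisplayName and Identity Name while
its Identity Publisher is a certificate subject unrelated to the vendor it is
impersonating.  This check surfaces that mismatch.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

APPX_NS = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"

# Constructed allowlist for the example: brand keyword -> substrings expected in
# the Identity Publisher subject.  Populate this from reference packages you
# have verified yourself; the values here are assumptions, not vendor data.
EXPECTED_PUBLISHERS = {
    "zoom": ("Zoom Video Communications",),
    "slack": ("Slack Technologies",),
}


def read_manifest(msix_bytes: bytes) -> dict:
    """Return identity and display fields from the package's AppxManifest.xml."""
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as zf:
        xml = zf.read("AppxManifest.xml")
    root = ET.fromstring(xml)
    ns = {"a": APPX_NS}
    ident = root.find("a:Identity", ns)
    if ident is None:
        raise ValueError("AppxManifest.xml has no <Identity> element")
    props = root.find("a:Properties", ns)

    def prop(tag: str) -> str:
        el = props.find(f"a:{tag}", ns) if props is not None else None
        return (el.text or "").strip() if el is not None else ""

    return {
        "name": ident.get("Name", ""),
        "publisher": ident.get("Publisher", ""),      # certificate subject
        "version": ident.get("Version", ""),
        "display_name": prop("DisplayName"),
        "publisher_display_name": prop("PublisherDisplayName"),
    }


def assess(manifest: dict, expected=EXPECTED_PUBLISHERS) -> list:
    """Flag a package that presents as a known brand but is published by someone else."""
    findings = []
    subject = manifest["publisher"].lower()
    presented = f"{manifest['display_name']} {manifest['name']}".lower()
    for brand, subjects in expected.items():
        if brand in presented and not any(s.lower() in subject for s in subjects):
            findings.append(
                f"IMPERSONATION: presents as '{brand}' but Identity Publisher is "
                f"'{manifest['publisher']}'"
            )
    # Weaker signal: PublisherDisplayName is free text chosen by the packager and
    # normally reflects the certificate subject; a lure tends to put the brand here.
    pdn = manifest["publisher_display_name"]
    if pdn and pdn.lower() not in subject:
        findings.append(
            f"MISMATCH: PublisherDisplayName '{pdn}' does not appear in Identity "
            f"Publisher '{manifest['publisher']}'"
        )
    return findings


def build_sample_package(name: str, display_name: str, publisher: str,
                         publisher_display_name: str) -> bytes:
    """Construct a minimal MSIX-like archive in memory (sample data for the example)."""
    manifest = f"""<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="{APPX_NS}">
  <Identity Name="{name}" Publisher="{publisher}" Version="5.17.0.0" ProcessorArchitecture="x64"/>
  <Properties>
    <DisplayName>{display_name}</DisplayName>
    <PublisherDisplayName>{publisher_display_name}</PublisherDisplayName>
  </Properties>
</Package>
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AppxManifest.xml", manifest)
    return buf.getvalue()


# Constructed samples: a lure that borrows the Zoom name, and a package whose
# publisher subject matches the (assumed) allowlist entry.
LURE = build_sample_package(
    "Zoom.ZoomVideoInstaller", "Zoom",
    "CN=Example Installer Co, O=Example Installer Co, C=US", "Zoom")
CLEAN = build_sample_package(
    "Zoom.Zoom", "Zoom",
    "CN=Zoom Video Communications, Inc., O=Zoom Video Communications, Inc., C=US",
    "Zoom Video Communications, Inc.")

if __name__ == "__main__":
    for label, pkg in (("lure", LURE), ("clean", CLEAN)):
        print(label, assess(read_manifest(pkg)) or ["no findings"])
```

This only reads the manifest. App Installer enforces that the Identity Publisher matches the signing certificate's subject, but only for a package that is actually signed with a chain the host trusts, so pair this with a signature check (for example `Get-AuthenticodeSignature` on the .msix in PowerShell) before trusting the Publisher value, and build the allowlist from packages you have verified rather than from this file.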
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Carbanak (1 vote): Carbanak is a sophisticated type of malware, short for malicious software, that is designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt

Fakebat (1 vote): FakeBat is a notable malware variant that has been increasingly involved in malvertising campaigns since at least November 2022, as per an early 2023 Intel471 report. This malicious software exploits and damages computers or devices by infiltrating systems through suspicious downloads, emails, or we
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft, Malware Loader, RAT, Implant, Loader, Malware
Associated Malware
Atomic Stealer (type unspecified, 1 vote): Atomic Stealer is a malicious software (malware) known for its ability to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. It is designed to steal personal information, disrupt operations, and even hold data hostage for ransom. A new version

Gracewire (type unspecified, 1 vote): Gracewire is a potent malware that has been deployed by threat actors to exploit and damage computer systems. It is typically delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations,

NetSupport RAT (type unspecified, 1 vote): NetSupport RAT is a type of malware that can significantly compromise an organization's digital security. Originally derived from the legitimate NetSupport Manager, a remote technical support tool, this malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to t

Lumma Stealer (type unspecified, 1 vote): Lumma Stealer is a malicious software (malware) that infiltrates systems primarily to steal personal information, disrupt operations, and exploit vulnerabilities. According to the ESET Threat Report H2 2023, Lumma Stealer gained significant traction in the second half of 2023, with its capabilities

Batloader (type unspecified, 1 vote): Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal

IcedID (type unspecified, 1 vote): IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom

RedLine Stealer (type unspecified, 1 vote): RedLine Stealer is a type of malware that has been causing significant disruption in the digital landscape. This malicious software infiltrates computer systems, often without the user's knowledge, via suspicious downloads, emails, or websites, and then proceeds to steal personal information, disrup
Associated Threat Actors
FIN7 (type unspecified, 1 vote): FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security

Sangria Tempest (type unspecified, 1 vote): Sangria Tempest, also known as FIN7, Carbon Spider, and ELBRUS, is a threat actor that has been active since 2014. This Russian advanced persistent threat (APT) group is known for its malicious activities, including spear-phishing campaigns, malware distribution, and theft of payment card data. In m

Carbon Spider (type unspecified, 1 vote): CARBON SPIDER, also known as FIN7 and Sangria Tempest, is a threat actor that has been active in the eCrime space since approximately 2013. This criminally motivated group primarily targets the hospitality and retail sectors with the aim of obtaining payment card data. The group has been linked to s
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Eugenloader malware was read from the documents in the corpus listed below. This display is limited to 20 results.
Source (created): Title

CERT-EU (6 months ago): Updated Atomic Stealer malware emerges
CERT-EU (6 months ago): Cyber Security Week In Review: January 12, 2024
CERT-EU (6 months ago): MSIX App Installer Disabled Amid Microsoft Malware Attacks
CERT-EU (9 months ago): New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers
CERT-EU (a year ago): New Malvertising Campaign Distributing Trojanized IT Tools via Google and Bing Search Ads
CERT-EU (7 months ago): Microsoft disables online Windows App Installer after attackers abuse it | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (7 months ago): Microsoft Disables App Installer After Feature is Abused for Malware
CERT-EU (7 months ago): Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks | #ransomware | #cybercrime | National Cyber Security Consulting