Eugenloader

Malware updated 5 months ago (2024-05-04T18:29:22.214Z)
EugenLoader, also known as FakeBat, is a malware loader that Microsoft first observed in mid-November 2023. It was distributed by an initial access broker tracked as Storm-1113 through search advertisements mimicking the Zoom app: victims who followed the ads received bogus MSIX installers masquerading as Zoom downloads. The same delivery method was also used to deploy other malware families, such as BATLOADER and IcedID, and is part of a broader increase in cybercriminals paying for advertisements to lure users to malicious sites and trick them into downloading harmful software.

In addition to the Zoom impersonation, campaigns delivering Atomic Stealer changed tactics and used Google search ads impersonating Slack to deploy either Atomic Stealer or EugenLoader, depending on the victim's operating system. According to a report by Malwarebytes, the threat actors modified their campaigns to spread either the upgraded Atomic Stealer malware or the EugenLoader loader through these fraudulent Slack ads on Google search.

EugenLoader has been linked to multiple cybercriminal groups and used to deliver a variety of malware implants. In November 2023, the group tracked as Sangria Tempest (also known as FIN7) used it to drop the Carbanak malware framework, which in turn deployed the Gracewire implant. Because Storm-1113 offers malware deployment as a service, EugenLoader has been used to deploy a range of implants, including Gozi, Redline stealer, IcedID, Smoke Loader, NetSupport Manager (also known as NetSupport RAT), Sectop RAT, and Lumma stealer.
Description last updated: 2024-05-04T16:11:55.524Z
Aliases: none currently tracked.