Fakebat

Malware updated 14 days ago (2024-11-11T15:01:17.342Z)
FakeBat, also known as EugenLoader and PaykLoader, is a malware loader that has been observed in several malvertising campaigns. It is typically used to drop follow-up payloads such as the Lumma stealer. It was previously reported on July 25, 2024, in a malicious ad for Calendly, a popular online scheduling application. After a period of absence, FakeBat re-emerged through a malicious Google ad for the productivity application Notion; in that instance its command-and-control infrastructure was found running at utd-gochisu[.]com.

The threat actors behind FakeBat distribute it through lookalike download sites, including fake Zoom sites such as z00nn.one-platform-to-connect[.]group, info-zoomapp[.]com, zoomnewsonly[.]site, zoonn[.]virtual-meetings[.]cn[.]com, and promoapp-zoom[.]com. These sites serve download URLs such as youstorys[.]com/fonts/Zoom-x64.msix, windows-rars[.]shop/bootstrap/Zoom-x64.msix, and scheta[.]site/apps.store/ZoomInstaller.msix, which look like legitimate Zoom installers but carry the loader. The installers carry unique identifiers that can be used to track the campaign's activity.

On January 8, we identified a malvertising campaign using similar tactics previously seen in FakeBat distributions. In these campaigns, an open directory on the same domain exposes the location of the Windows payload, an MSI installer (FakeBat), and the Mac payload, Atomic Stealer (AMOS). The similarities with earlier FakeBat activity suggest that the same threat actors are involved.
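The lookalike domains and installer URLs listed above lend themselves to a small triage script. The following is an added example, not tooling from this page or from any vendor it cites: it refangs the page's own indicators, flags hosts whose labels contain or closely resemble an impersonated brand while not being the vendor's domain, flags brand-named MSIX/MSI/EXE downloads hosted anywhere else, and checks a blocklist. The brand list, the vendor allowlist (zoom.us, notion.so, calendly.com), the blocklist containing utd-gochisu[.]com and the vendor control URL are all assumptions made for the demonstration.

```python
"""Triage of defanged malvertising indicators (added example, not page tooling).

The indicator list is copied from the description above; the brand list, the
vendor allowlist and the C2 blocklist are assumptions made for this example.
"""
from urllib.parse import urlparse

# Indicators exactly as the page lists them, still defanged with "[.]".
PAGE_IOCS = [
    "utd-gochisu[.]com",
    "z00nn.one-platform-to-connect[.]group",
    "info-zoomapp[.]com",
    "zoomnewsonly[.]site",
    "zoonn[.]virtual-meetings[.]cn[.]com",
    "promoapp-zoom[.]com",
    "youstorys[.]com/fonts/Zoom-x64.msix",
    "windows-rars[.]shop/bootstrap/Zoom-x64.msix",
    "scheta[.]site/apps.store/ZoomInstaller.msix",
]

BRANDS = ("zoom", "notion", "calendly")                    # assumed: brands abused in the campaigns
VENDOR_DOMAINS = {"zoom.us", "notion.so", "calendly.com"}  # assumed: where the real installers live
KNOWN_C2 = {"utd-gochisu.com"}                             # assumed blocklist: the C2 named on the page
INSTALLER_EXT = (".msix", ".msi", ".exe")


def refang(ioc: str) -> str:
    """Undo the defanging used on the page so the string can be parsed."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def split_ioc(ioc: str) -> tuple[str, str]:
    """Return (hostname, path) for a defanged bare domain or URL."""
    s = refang(ioc)
    if "://" not in s:
        s = "http://" + s
    u = urlparse(s)
    return (u.hostname or "").lower(), u.path


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as 'zoonn' for 'zoom'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_vendor_host(host: str) -> bool:
    """True for a vendor's own domain or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def brand_lookalike(host: str):
    """Return the brand a host imitates, or None.

    Digits standing in for letters (z00nn) are normalised first, each label is
    split on '-' so 'promoapp-zoom' is inspected piecewise, and the TLD label is
    skipped so that 'com' is never scored against 'zoom'.
    """
    labels = host.replace("0", "o").split(".")[:-1]
    for label in labels:
        for part in label.split("-"):
            for brand in BRANDS:
                if brand in part:
                    return brand
                d = levenshtein(part, brand)
                if d <= 1 or (d == 2 and len(part) >= 5):
                    return brand
    return None


def assess(ioc: str) -> dict:
    """Classify one indicator; an empty 'reasons' list means nothing was flagged."""
    host, path = split_ioc(ioc)
    reasons = []
    if host in KNOWN_C2:
        reasons.append("known C2 domain")
    if not is_vendor_host(host):
        brand = brand_lookalike(host)
        if brand:
            reasons.append(f"lookalike of '{brand}' outside the vendor domain")
        filename = path.rsplit("/", 1)[-1].lower()
        if filename.endswith(INSTALLER_EXT) and any(b in filename for b in BRANDS):
            reasons.append(f"brand-named installer '{filename}' hosted outside the vendor domain")
    return {"ioc": ioc, "host": host, "path": path, "reasons": reasons}


def scan(iocs) -> list:
    """Return the assessments of every indicator that was flagged."""
    return [r for r in map(assess, iocs) if r["reasons"]]


if __name__ == "__main__":
    for r in scan(PAGE_IOCS):
        print(r["host"], "->", "; ".join(r["reasons"]))
    # Control: a genuine vendor-hosted installer (assumed URL) is not flagged.
    print(assess("download.zoom.us/client/latest/ZoomInstaller.exe")["reasons"])
```

The C2 domain is only caught by the blocklist, which is the point: a generic lookalike heuristic finds the lure infrastructure (lookalike hosts and brand-named installers served elsewhere), while C2 names like utd-gochisu[.]com look like nothing in particular and have to come from threat intelligence feeds. Keep the vendor allowlist tight; the check deliberately treats only the listed domains and their subdomains as legitimate.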
Description last updated: 2024-11-11T14:47:18.793Z
Possible Aliases / Cluster overlaps
Naming conventions differ between vendors, so the following profiles may overlap with this one.
Alias (votes): Description

Atomic Stealer Amos (2): possible alias for FakeBat. Atomic Stealer, or AMOS, is a macOS information stealer first seen in 2023 that was spread to Mac users primarily through malicious advertising and compromised websites. On this page it appears as the Mac payload served from the same open directory as the FakeBat MSI installer, so it is an associated payload rather than another name for FakeBat. The malware was

Atomic Stealer (2): possible alias for FakeBat. Atomic Stealer is an information stealer that targets macOS. It reaches systems through malicious downloads, emails, or websites, often without the user noticing, and once installed it can steal personal information, disrupt operati

Eugenloader (2): possible alias for FakeBat. EugenLoader, also known as FakeBat or PaykLoader, is a malware loader that resurfaced after months of absence. Microsoft detected it in mid-November 2023 being delivered through search advertisements mimicking popular productivity applications such as Zoom and Notion. The malw
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Malvertising
Windows
Payload
Loader
PowerShell
Analyst Notes & Discussion
Source Document References
The information on this page was drawn from the source documents below (display limited to 20 results).

Source - Created
Malwarebytes - 14 days ago
Malwarebytes - 10 months ago
Malwarebytes - 8 months ago
CERT-EU - 8 months ago
CERT-EU - 8 months ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
Malwarebytes - a year ago
Malwarebytes - a year ago
Malwarebytes - a year ago
Malwarebytes - a year ago
CERT-EU - a year ago
CERT-EU - 9 months ago
CERT-EU - 10 months ago
CERT-EU - 10 months ago