"Cybercriminals Exploit Popular Software Searches to Spread FakeBat Malware"

The Mandiant Managed Defense team has discovered an increase in malware infections caused by malvertising campaigns that distribute a loader named "FakeBat," also known as "EugenLoader" and "PaykLoader." The researchers consider these attacks "opportunistic," as they are aimed at users looking to download popular business software. The infection involves a trojanized MSIX installer that runs a PowerShell script to download a secondary payload. FakeBat is linked to the threat actor named "Eugenfest." The malware is being tracked under the name "NUMOZYLOD," and the Malware-as-a-Service (MaaS) operation has been attributed to "UNC4536." Attack chains spreading the malware use drive-by download techniques to steer users searching for popular software toward fake lookalike sites hosting booby-trapped MSI installers. The FakeBat loader has been used to deliver "IcedID," "RedLine Stealer," "Lumma Stealer," and other malware families. This article continues to discuss findings regarding cybercriminals' exploitation of popular software searches to spread FakeBat malware.

THN reports "Cybercriminals Exploit Popular Software Searches to Spread FakeBat Malware"

Submitted by grigby1

Submitted by Gregory Rigby on