Exploiting Popular Software Searches to Spread FakeBat Malware

SeniorTechInfo
2 Min Read
Aug 19, 2024
Ravie Lakshmanan

Malvertising / Cybercrime

Cybersecurity researchers have uncovered a surge in malware infections stemming from malvertising campaigns distributing a loader called FakeBat.

“These attacks are opportunistic in nature, targeting users seeking popular business software,” the Mandiant Managed Defense team revealed in a recent technical report. The infections use a trojanized MSIX installer to execute a PowerShell script for downloading a secondary payload.

FakeBat, also known as EugenLoader and PaykLoader, is linked to a threat actor named Eugenfest. Google’s threat intelligence team, tracking the malware as NUMOZYLOD, has attributed the Malware-as-a-Service (MaaS) operation to UNC4536.

These attacks rely on drive-by download techniques: users searching for popular software are redirected to fake sites hosting malicious MSI installers. Malware families delivered via FakeBat include IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (aka ArechClient2), and Carbanak.

“UNC4536’s strategy involves malvertising campaigns to distribute trojanized MSIX installers disguised as popular software like Brave, KeePass, Notion, Steam, and Zoom,” Mandiant explained. “These installers are hosted on websites mimicking legitimate software sites, tricking users into downloading them.”

What makes the technique effective is a feature of the MSIX format itself: a package can declare a configuration called startScript that runs a script before the main application launches, so the trojanized installer executes its PowerShell stage while the bundled, legitimate-looking application starts as expected.
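As an added illustration of the startScript mechanism described above (example triage code written for this page, not Mandiant's tooling or anything from the report): an MSIX package is a ZIP archive, and packages built with Microsoft's Package Support Framework (PSF) carry a config.json whose per-application startScript and endScript entries name a PowerShell script that PsfLauncher runs around the main executable. The script below builds a small sample package in memory and lists those entries so an analyst can see what an installer will run before the application window appears. The PSF field names used here (applications, startScript, endScript, scriptPath, showWindow, waitForScriptToFinish) are taken from the published PSF config.json schema as I recall it and should be treated as an assumption; the sample manifest and script contents are constructed placeholders.

```python
"""Triage helper: list pre-launch scripts declared inside an MSIX package.

An MSIX package is a ZIP archive. Packages built with the Package Support
Framework (PSF) carry a config.json whose per-application "startScript" /
"endScript" entries name a script that PsfLauncher runs before/after the
main executable. Reporting those entries lets an analyst review what an
installer will execute before trusting it.
"""
import hashlib
import io
import json
import zipfile
from typing import Dict, List


def build_sample_msix(with_psf: bool = True) -> bytes:
    """Construct a minimal MSIX-like ZIP in memory (sample data, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Constructed placeholder manifest; a real package has a full AppxManifest.xml.
        z.writestr("AppxManifest.xml", "<Package/>")
        if with_psf:
            # PSF config (assumed schema): the startScript runs before app.exe starts,
            # hidden (showWindow false) and blocking (waitForScriptToFinish true).
            config = {
                "applications": [
                    {
                        "id": "MainApp",
                        "executable": "VFS/ProgramFilesX64/App/app.exe",
                        "startScript": {
                            "scriptPath": "start.ps1",
                            "showWindow": False,
                            "waitForScriptToFinish": True,
                        },
                    }
                ]
            }
            z.writestr("config.json", json.dumps(config))
            # Constructed placeholder script body; real samples carry the downloader stage.
            z.writestr("start.ps1", "# constructed placeholder script\n")
    return buf.getvalue()


def list_launch_scripts(msix_bytes: bytes) -> List[Dict]:
    """Return one finding per startScript/endScript entry found in config.json."""
    findings: List[Dict] = []
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as z:
        names = set(z.namelist())
        if "config.json" not in names:
            return findings  # no PSF config: nothing runs before the main executable
        # utf-8-sig tolerates the BOM that Windows editors often prepend.
        config = json.loads(z.read("config.json").decode("utf-8-sig"))
        for app in config.get("applications", []):
            for phase in ("startScript", "endScript"):
                script = app.get(phase)
                if not script:
                    continue
                path = script.get("scriptPath", "")
                digest = hashlib.sha256(z.read(path)).hexdigest() if path in names else None
                findings.append(
                    {
                        "application": app.get("id"),
                        "executable": app.get("executable"),
                        "phase": phase,
                        "scriptPath": path,
                        # A hidden, blocking pre-launch script is the pattern worth a second look.
                        "hidden": not script.get("showWindow", False),
                        "blocking": bool(script.get("waitForScriptToFinish", False)),
                        "present_in_package": path in names,
                        "sha256": digest,
                    }
                )
    return findings


if __name__ == "__main__":
    for finding in list_launch_scripts(build_sample_msix()):
        print(finding)
```

Point `list_launch_scripts` at the bytes of a downloaded installer to get the same report for a real package; a package with no config.json simply yields no findings, which is the expected result for most legitimately packaged software.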

UNC4536 acts as a malware distributor, using FakeBat to deliver next-stage payloads for their partners, including FIN7.

“NUMOZYLOD collects system information, such as OS details, antivirus products installed, and public IP addresses, and sends this data to its C2 server, creating a shortcut in the StartUp folder for persistence,” Mandiant added.

This revelation follows Mandiant’s detailed report on another malware downloader called EMPTYSPACE, used by UNC4990 for exfiltrating data and cryptojacking activities.
