
FakeBat (Loader) – Malware

July 12, 2024

FakeBat

Additional names

EugenLoader, Eugenfest, PaykLoader, Festik, Payk_34 and M1rages

Type of Malware

Loader (Dropper)

Date of initial activity

2017

Associated Groups

APOTHECARY SPIDER, Storm-1113

Motivation

Used to deliver other malware

Attack Vectors

FakeBat (EugenLoader) is packaged in Microsoft installers (MSI or MSIX) distributed via social engineering lures. It is most commonly delivered via malicious ads (malvertising) on Google.

Targeted System

Microsoft Windows operating systems

Overview

FakeBat (EugenLoader) is a type of malware loader packaged in Microsoft installers (MSI or MSIX) distributed via social engineering lures. It is most commonly delivered via malicious ads (malvertising) on Google. The often large installers conceal a malicious PowerShell script responsible for communicating with the malicious infrastructure and retrieving a follow-up payload. FakeBat is marketed using the handle “Eugenfest” on the Exploit hacker forum. The loader was also advertised on XSS forums under the pseudonym “Payk_34.” Eugenfest’s online activity can be traced to Russian-language carding and hacking forums dating back to 2017 under various aliases such as Festik, Payk_34, and M1rages (see appendix for list). The actor previously ran an eBay fraud shop at fest-bay[.]com, which was populated with stolen credentials obtained by brute force attacks against the service. Fest-Bay was promoted on various carding forums and Telegram channels.

Targets

Primarily targets Microsoft Windows systems in Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Moldova, and Tajikistan.

How they operate

Distribution (Google ad → phishing site → MSIX → PowerShell)

The infection chain starts with a malicious ad via a Google search for Notion, the popular utility program. The ad uses the real website address for Notion, notion.so, and appears legitimate. Clicking on the ad redirects to a lookalike site hosted at notilion[.]co. When the “Download for Windows” button is clicked, a request is made to download an MSIX file named Notion-x86.msix. This file appears to have a legitimate signature under the name Forth View Designs Ltd. The final step in this delivery chain is the launch of the MSIX installer. Unbeknownst to the victim, a malicious PowerShell script is embedded into this installer and will execute the malicious payload.

Post-infection traffic

The PowerShell script will connect to FakeBat’s command and control server (C2) located at utm-adrooz[.]com. This step in the infection chain determines the subsequent actions, particularly whether the follow-up payload will be served.
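The two defender-side checks that the chain above suggests are (1) inspecting a downloaded MSIX package (a zip archive) for an embedded PowerShell start script before it is allowed to run, and (2) scanning proxy logs for the lookalike download site and the C2 domain named on this page. The script below is an added example written for this profile; it is not code from the page's references or from any vendor. The indicator domains are the two defanged values above; the sample MSIX and log lines are constructed stand-ins, not real artifacts; and the Package Support Framework key names it looks for (`applications`, `startScript`, `scriptPath` in `config.json`) are assumed from that framework's documented layout rather than taken from this page.

```python
import io
import json
import re
import zipfile


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'notilion[.]co' into a matchable host."""
    return ioc.replace("[.]", ".")


# Indicators as given on the page (defanged), refanged for matching.
IOC_DOMAINS = {refang(d) for d in ("notilion[.]co", "utm-adrooz[.]com")}


def inspect_msix(data: bytes) -> dict:
    """MSIX packages are zip archives. Report any PowerShell scripts and any
    PSF start-script hook in config.json, the mechanism an installer needs in
    order to run a script on launch the way the FakeBat chain does."""
    findings = {"manifest_present": False, "ps1_files": [], "psf_start_scripts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower == "appxmanifest.xml":
                findings["manifest_present"] = True
            if lower.endswith(".ps1"):
                findings["ps1_files"].append(name)
            if lower.endswith("config.json"):
                try:
                    cfg = json.loads(z.read(name))
                except ValueError:
                    continue  # not a PSF config; ignore
                # Assumed PSF layout: applications[].startScript.scriptPath
                for app in cfg.get("applications", []):
                    script = (app.get("startScript") or {}).get("scriptPath")
                    if script:
                        findings["psf_start_scripts"].append(script)
    findings["suspicious"] = bool(findings["ps1_files"] or findings["psf_start_scripts"])
    return findings


def build_sample_msix() -> bytes:
    """Constructed stand-in for a lure package: a zip with a manifest, a PSF
    config.json and a PowerShell start script. The script body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", "<Package/>")
        cfg = {"applications": [{"id": "App", "startScript": {"scriptPath": "StartingScript.ps1"}}]}
        z.writestr("config.json", json.dumps(cfg))
        z.writestr("StartingScript.ps1", "# placeholder body (constructed sample)\n")
    return buf.getvalue()


# Expected log shape (constructed): "<timestamp> <client-ip> <METHOD> <host><path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>[^/ ]+)(?P<path>\S*)")


def scan_proxy_log(lines, ioc_domains=IOC_DOMAINS):
    """Return (timestamp, client, host, path) for every request whose host is,
    or is a subdomain of, a known indicator. The legitimate notion.so is not flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = m.group("host").lower()
        if any(host == d or host.endswith("." + d) for d in ioc_domains):
            hits.append((m.group("ts"), m.group("src"), host, m.group("path")))
    return hits


# Constructed proxy log: a legitimate visit, the lookalike download, the C2 beacon.
SAMPLE_LOG = [
    "2024-07-12T10:01:02Z 10.0.0.5 GET notion.so/",
    "2024-07-12T10:01:40Z 10.0.0.5 GET notilion.co/Notion-x86.msix",
    "2024-07-12T10:02:15Z 10.0.0.5 POST utm-adrooz.com/",
]


if __name__ == "__main__":
    print(inspect_msix(build_sample_msix()))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("IOC hit:", hit)
```

The MSIX check is a triage signal, not proof of malice: legitimate packages can ship PSF start scripts, so a hit should route the file to sandboxing and a signer review (the page notes the lure carried a valid-looking signature), rather than block on its own. The log scanner matches subdomains too, which catches hosts like `cdn.utm-adrooz.com` without a second indicator.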
References:
  • FakeBat
  • Unraveling BatLoader and FakeBat
  • Malvertising Surges to Distribute Malware
    © 2025 | CyberMaterial | All rights reserved