New ‘BUBBAS GATE’ Malware Advertised on Telegram Boasts SmartScreen and AV/EDR Bypass
A new malware loader dubbed “BUBBAS GATE” has surfaced on underground forums and Telegram channels, drawing attention for its bold claims of advanced evasion capabilities, including bypassing Microsoft’s SmartScreen and modern AV/EDR solutions.
The loader was first advertised on June 22, 2025, with the threat actor touting a suite of features designed to evade detection and maximize persistence on infected systems.
Advanced Evasion Techniques
According to the actor’s promotional posts, BUBBAS GATE leverages a combination of indirect syscalls via a modified VEH (Vectored Exception Handler), avoids using standard Windows APIs, and employs PEB (Process Environment Block) walking along with custom stack logic.
These techniques are designed to circumvent traditional security hooks and detection mechanisms, a trend increasingly observed among sophisticated malware loaders aiming to stay ahead of endpoint protection platforms.
The loader’s claim of SmartScreen bypass is particularly notable. Recent campaigns, such as those distributing DarkGate and Phemedrone Stealer, have exploited SmartScreen vulnerabilities to deliver malware without triggering user warnings.
While BUBBAS GATE’s specific method remains unverified, the actor asserts it can evade SmartScreen and AV/EDR, aligning with a broader surge in black-market demand for such evasion tools.
BUBBAS GATE advertises support for both x64 and x86 architectures, as well as binaries compiled in .NET (2.0–4.0) and Rust, with compatibility for TLS and CRT-supported executables.
Notably, the loader claims to use a proprietary AES-based encryption scheme that does not rely on standard Windows cryptographic libraries such as bcrypt.dll, which removes one of the import-table and API-hooking signals security products commonly look for.
Feature Set and Pricing
The Telegram listing details a robust feature set:
- Persistence: Auto-restarts every minute
- Anti-VM: Detects and evades virtualized analysis environments
- Stealth: Fake error window, self-delete capability, file size padding, version cloning
- Privilege Escalation: Run-as-admin support
- Customization: Custom icon support, IPLogger integration
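Of the stealth claims above, "file size padding" is one a defender can check for directly on a suspect binary: inflating a file with a long run of filler bytes after the last PE section is a cheap way to push it past scanner size limits. The following is an added example, not code from the advertisement or from any BUBBAS GATE sample (the article notes none are public). It parses the PE section table to locate the overlay and flags files whose overlay is dominated by one repeated byte; the thresholds and the minimal constructed PE builder used for testing are assumptions for demonstration.

```python
import struct

def overlay_offset(data: bytes) -> int:
    """Offset where the PE overlay begins: the end of the last section's raw
    data as recorded in the section table. Raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # first 40-byte section header
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def constant_overlay_run(data: bytes) -> int:
    """Length of the trailing run of one repeated byte value in the overlay
    (0 when the file has no overlay). Padding tools typically append a single
    filler byte, so this run is the padding candidate."""
    overlay = data[overlay_offset(data):]
    if not overlay:
        return 0
    return len(overlay) - len(overlay.rstrip(overlay[-1:]))

def looks_padded(data: bytes, min_ratio: float = 0.5, min_bytes: int = 1 << 20) -> bool:
    """Assumed triage thresholds (not from the article): flag when the constant
    run is at least 1 MiB and makes up at least half of the file."""
    run = constant_overlay_run(data)
    return run >= min_bytes and run / len(data) >= min_ratio

def build_sample_pe(padding: bytes) -> bytes:
    """Constructed, non-executable PE-shaped blob for testing: DOS header,
    PE signature, COFF header, zeroed 224-byte optional header, one section
    header, 64 bytes of section data, then the given overlay padding."""
    e_lfanew, opt_size, sect_size = 0x40, 224, 64
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", sect_size, 0x1000,
                                             sect_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + section + b"\xCC" * sect_size + padding
```

A large constant overlay is only an indicator: legitimate installers carry overlays too, so treat a hit as a reason to look closer, not as a verdict.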
The loader is priced at $200 per build and comes with a “15-day Windows Defender warranty,” a marketing tactic increasingly seen among malware sellers to entice buyers with promises of undetected operation.
Despite the ambitious claims, there is currently no independent validation from other threat actors or security researchers.
No leaked samples have been observed in the wild, and the loader’s actual effectiveness remains unproven.
This is not uncommon in the cybercrime ecosystem, where new tools are often hyped before real-world impact is confirmed.
BUBBAS GATE’s emergence underscores the ongoing arms race between malware developers and security vendors, with evasion features and anti-analysis techniques at the forefront.
Organizations should remain vigilant, ensure systems are patched against known SmartScreen and EDR vulnerabilities, and monitor for new loader activity as the tool’s reputation develops.