Hackers Abusing Google Ads To Deliver Fakebat Malware


Cybersecurity researchers have uncovered a resurgence of the Fakebat malware loader being distributed through malicious Google Ads. After a months-long break, Fakebat has resurfaced, focusing on users who are looking for popular productivity software.

Malwarebytes detected a malicious Google ad impersonating Notion, a widely used productivity application.


The ad appeared at the top of search results and looked completely legitimate, with an official logo and website. However, clicking on it led users through a series of redirects before ultimately delivering the Fakebat malware.

Fake ads

Fakebat, also known as Eugenloader or PaykLoader, is a sophisticated loader-as-a-service (LaaS) malware that has been active since at least December 2022.


It’s designed to download and execute various secondary payloads, including information stealers like IcedID, Lumma, and RedLine.

The malware’s distribution method exploits Google’s ad platform by using tracking templates to bypass detection, according to the Malwarebytes report.

If the user is not an intended target, they are redirected to the legitimate website, making it difficult for Google to identify the malicious activity.

Once installed, Fakebat employs multiple stages of PowerShell scripts to evade detection and sandbox environments. The final payload in this campaign was identified as the LummaC2 Stealer.

This resurgence of Fakebat highlights the persistent threat of malvertising campaigns. Despite a recent decrease in such attacks, cybercriminals can quickly revert to these proven methods.

The incident underscores the ongoing challenge of brand impersonation in Google Ads, where built-in features can be exploited to create convincing fake advertisements.

Cybersecurity experts stress the importance of vigilance when clicking on search engine ads, even for well-known software. Users are advised to verify the authenticity of download sources and maintain up-to-date security software to protect against such threats.

The Fakebat campaign highlights that although malvertising fluctuates, it remains a crucial vector for malware distribution. As threat actors evolve their tactics, users and platforms must remain alert to these sophisticated impersonation techniques.



