#fakebat — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #fakebat, aggregated by home.social.
-
PROSPERO & Proton66: Uncovering the links between bulletproof networks
#SocGholish #FakeBat #Coper #AS198953 #AS200593 -
A week in security (November 4 – November 10) https://www.malwarebytes.com/blog/news/2024/11/a-week-in-security-november-4-november-10-2 #AzireVPN #fakebat #tiktok #News
-
Hello again, FakeBat: popular loader returns after months-long hiatus https://www.malwarebytes.com/blog/cybercrime/2024/11/hello-again-fakebat-popular-loader-returns-after-months-long-hiatus #malvertising #Cybercrime #GoogleAds #fakebat #lummaC2 #malware #lumma
-
NUMOZYLOD Malware Distributed Through Popular Searches https://thecyberexpress.com/numozylod-malware-distributed-popular-searches/ #TheCyberExpressNews #CybersecurityNews #TheCyberExpress #FirewallDaily #malwarefamily #EugenLoader #PaykLoader #NUMOZYLOD #Payloads #FakeBat #malware #UNC4536
-
🔍 The Sekoia TDR team delved into the drive-by download technique used for malware distribution via web browsing.
Our latest report analyses #FakeBat, a widespread loader using this technique.
https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/
-
Malicious Google ad for Todoist -> #Fakebat
todciist[.]com
hxxps[://]ultra-fasteners[.]com/data/Todoist-x86[.]msix
C2: cdn-inform[.]com
-
⚠️ Malicious Google ad for
inkscape leads to #FakeBat➡️ Impostor site: inkckape[.]org
➡️ Payload:
hxxps[://]planbooknfly[.]com/data/Inkscape-x86[.]msix
dc471b087413ea64f7693b27e38ac568dea00ec1c7f699e48a6ef96b9cb4e30e
➡️ C2: utm-adschuk[.]com -
#SocGholish (AKA FakeUpdates) landing page localized in French, Spanish and German.
Payload is #FakeBat.
This campaign is also known as 'doggygangers' based on network traffic.
-
Google ad for VLC media player leads to #malvertising and drops #FakeBat
Fake site: vlc-media-player[.]com
Payload: fabulousfontshop[.]com/vlc-3[.]0[.]20-win64[.]msix
C2: utm_adsname[.]com -
#FakeBat via malicious Google ad for OneNote
Redirect: disenoymas[.]com[.]ar
Decoy site: onenote-download[.]com
Payload URL: church-notes[.]com/Onenote_setup[.]msix
Payload: 6481d5f0af192db843af4aacd46527a24f9c34c49037b3038951fa7fca3c7aa4 -
More #FakeBat #malvertising
aksoaiapk[.]com (cloaking)
trelconf[.]com (decoy)
avr-energie[.]com/Trello-Full-Installer-x64.msix (payload) -
#FakeBat is pretty active right now via #malvertising.
I've posted a bunch of IOCs in this blog: https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-delivered-via-several-active-malvertising-campaigns
-
After dropping #PikaBot for a few days, the threat actor behind one of the #malvertising campaigns switched back to #FakeBat.
The PowerShell script looks different, and there may be some new evasion tricks.
C2: ads-analyze[.]xyz
Sample: https://www.virustotal.com/gui/file/9c57936b065f3eb5a019f39058910ce94ddfff13257acb7bddddea000c305d0f