Cybersecurity experts have identified a significant rise in malware infections, driven by malvertising campaigns that distribute a malicious loader known as FakeBat.
“These attacks are opportunistic, preying on individuals searching for popular business software,” noted the Mandiant Managed Defense team in a technical report. “The infection mechanism involves a trojanized MSIX installer that runs a PowerShell script to fetch a secondary malicious payload.”
FakeBat, also referred to as EugenLoader and PaykLoader, is associated with a threat actor called Eugenfest. The malware is tracked by Google’s threat intelligence team under the name NUMOZYLOD, with the Malware-as-a-Service (MaaS) operation attributed to a group identified as UNC4536.
The attack sequences spreading this malware employ drive-by download techniques, redirecting users searching for legitimate software to deceptive look-alike sites that host compromised MSI installers. Malware families delivered through FakeBat include IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (also known as ArechClient2), and Carbanak—an infamous malware linked to the FIN7 cybercrime group.
“UNC4536’s strategy involves using malvertising to distribute trojanized MSIX installers disguised as well-known software like Brave, KeePass, Notion, Steam, and Zoom,” explained Mandiant. “These altered installers are hosted on websites designed to resemble genuine software hosting sites, tricking users into downloading them.”
The attack’s distinctive feature is its use of MSIX installers camouflaged as popular software: an MSIX package can run a script before the primary application launches, through a configuration setting called startScript.
Essentially, UNC4536 functions as a malware distributor, with FakeBat serving as a conduit for deploying additional malicious payloads for its affiliates, including FIN7.
“NUMOZYLOD collects system details, such as operating system information, domain status, and installed antivirus products,” Mandiant elaborated. “In certain variants, it also gathers the host’s public IPv4 and IPv6 addresses, transmits this data to its command-and-control server, and creates a shortcut (.lnk) in the StartUp folder to maintain persistence.”
This revelation follows just over a month after Mandiant detailed the attack lifecycle of another malware downloader named EMPTYSPACE (also known as BrokerLoader or Vetta Loader), which has been employed by a financially motivated threat group labeled UNC4990 to facilitate data theft and cryptojacking activities targeting organizations in Italy.