Researchers have found that Fakebat malware is again being spread through malicious Google Ads, targeting users searching for popular productivity software. Malwarebytes flagged an ad impersonating the app Notion.
The ad appeared at the top of search results and looked legitimate, showing the official logo and website. But clicking it redirected users through multiple links, eventually downloading the Fakebat malware.
Fakebat Malware
Fakebat, also called Eugenloader or PaykLoader, is an advanced loader-as-a-service (LaaS) malware active since December 2022.
Fakebat is designed to download and run additional malware, including info-stealers like IcedID, Lumma, and RedLine.
According to Malwarebytes, it uses Google Ads with tracking templates to avoid detection. If a user isn’t a target, they are redirected to the real site, which makes detection challenging for Google. Once installed, Fakebat runs multiple PowerShell scripts to evade security checks, ultimately deploying the LummaC2 Stealer as its final payload.
The resurgence of Fakebat underscores the ongoing risk of malvertising. Despite a recent drop in these attacks, cybercriminals can quickly revert to these familiar tactics. This incident highlights how easily Google Ads can be exploited for brand impersonation, creating realistic fake ads.
Cybersecurity experts urge caution when clicking on ads, even for well-known software. Users should verify download sources and keep security software updated to defend against such threats.
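One way to check a download source against the behaviour described above (an ad that shows the official site but redirects through several links to a different host) is to compare the displayed URL with the recorded redirect chain. This is an added example, not code from Malwarebytes or the article; the domains, the allowlist, the installer extension list and the function names are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed placeholder allowlist for the impersonated brand (assumption).
OFFICIAL_HOSTS = {"app.example"}
# Assumed installer extensions worth flagging; adjust to your environment.
INSTALLER_EXTS = (".exe", ".msi", ".msix")


def host_of(url):
    """Lower-cased hostname of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_official(host, official=OFFICIAL_HOSTS):
    """Exact match or true subdomain; 'app.example.evil.test' must not pass."""
    return any(host == o or host.endswith("." + o) for o in official)


def audit_ad_click(display_url, chain, official=OFFICIAL_HOSTS):
    """Return findings for one ad click.

    display_url: URL shown in the ad.
    chain: ordered URLs visited after the click (proxy log or browser
           network trace); the last entry is the landing page.
    """
    if not chain:
        return ["empty redirect chain"]
    findings = []
    shown, landing = host_of(display_url), host_of(chain[-1])
    # The ad claims the brand's site, but the click ends somewhere else.
    if is_official(shown, official) and not is_official(landing, official):
        findings.append(f"brand mismatch: ad shows {shown}, click lands on {landing}")
    # An installer delivered by a host that is not the vendor's.
    path = urlsplit(chain[-1]).path.lower()
    if path.endswith(INSTALLER_EXTS) and not is_official(landing, official):
        findings.append(f"installer served from unofficial host {landing}")
    plain = [u for u in chain if urlsplit(u).scheme.lower() != "https"]
    if plain:
        findings.append(f"{len(plain)} hop(s) not using HTTPS")
    return findings


# Constructed sample traces (not real indicators).
BENIGN = ["https://click.tracker.test/r?id=1", "https://www.app.example/download"]
SUSPICIOUS = ["https://click.tracker.test/r?id=1", "https://hop.redirect.test/go",
              "https://app.example.files.test/dl/setup.msix"]

if __name__ == "__main__":
    for name, chain in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, audit_ad_click("https://www.app.example/", chain))
```

Because non-targeted visitors are sent to the real site, a clean result from one vantage point does not prove an ad is safe; the check is most useful on traces captured from the affected user's own session.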
Fakebat’s reappearance shows that while malvertising fluctuates, it remains a key method for spreading malware. As attackers adapt, both users and platforms need to stay vigilant against these sophisticated impersonation tactics.