According to research from Sekoia, the loader-as-a-service (LaaS) family of loader malware known as FakeBat has grown to be one of the most popular loader malware families disseminated via drive-by download this year.

The business stated in a Tuesday report that “the primary goal of FakeBat is to download and execute the next-stage payload, such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif.”

Drive-by assaults involve tricking users into downloading fake software installers or browser upgrades by means of techniques including malvertising, search engine optimization (SEO) poisoning, and malicious code injections into hacked websites.

Over the past several years, there has been an increasing trend in the usage of malware loaders in tandem with landing pages that pose as genuine installers and impersonate websites for software. This connects to the more general point that one of the primary methods still used by threat actors to get first access is phishing and social engineering.

A Russian-speaking threat actor dubbed Eugenfest (aka Payk 34) has been offering FakeBat, also known as EugenLoader and PaykLoader, to other cybercriminals on underground forums under a LaaS subscription model at least since December 2022.

The loader is intended to get beyond security measures and gives users the ability to trojanize legal software by generating builds using templates. Users can also use an administrative interface to track installs over time.

Previous generations of the virus used an MSI format for its builds; however, starting September 2023, variants have been found that utilize an MSIX format and have included a digital signature with a valid certificate in the installer to circumvent Microsoft SmartScreen security.

For the MSI format, the virus is available for $1,000 per week and $2,500 per month; for the MSIX format, it is accessible for $1,500 per week and $4,000 per month; and for the combined MSI and signature package, it requires $1,800 per week and $5,000 per month.


Sekoia reported that it has identified distinct activity clusters spreading FakeBat through three main channels: social engineering on social media platforms, spoofing well-known software through malicious Google advertisements, and distributing bogus web browser upgrades through hacked websites. This includes initiatives that are probably associated with Nitrogen, BATLOADER, and the FIN7 gang.

“In addition to hosting payloads, FakeBat [command-and-control] servers highly likely filter traffic based on characteristics such as the User-Agent value, the IP address, and the location,” Sekoia stated. “This enables the distribution of the malware to specific targets.”

The revelation coincides with the analysis of a malware campaign by the AhnLab Security Intelligence Center (ASEC) that disseminated DBatLoader, also known as ModiLoader and NatsoLoader, via phishing emails with an invoice theme.

In order to distribute the Lumma information stealer, it also follows the identification of infection chains that spread Hijack Loader (also known as DOILoader and IDAT Loader) through illegal movie download websites.

“This IDATLOADER campaign is using a complex infection chain containing multiple layers of direct code-based obfuscation alongside innovative tricks to further hide the maliciousness of the code,” Dave Truman, a Kroll researcher, stated.

“The infection relied on running malware hidden deep within a specially designed file that was posing as a PGP secret key using Microsoft’s mshta.exe. To prevent the malicious code from being discovered, the campaign used creative modifications of well used strategies in addition to extensive obfuscation.”

Phishing efforts have also been seen to distribute Remcos RAT, while a new threat actor from Eastern Europe known as Unfurling Hemlock uses loaders and emails to drop binary files that function as a “cluster bomb” to disseminate many malware strains simultaneously.

“The malware being distributed using this technique is mostly comprised of stealers, such as RedLine, RisePro, and Mystic Stealer, and loaders such as Amadey and SmokeLoader,” Hector Garcia, a researcher at Outpost24, stated.

“Most of the first stages were detected being sent via email to different companies or being dropped from external sites that were contacted by external loaders.”