
A week in security (November 11 – November 17)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Malicious QR codes sent in the mail deliver malware

Physical letters that contain a QR code to trick people into downloading malware are being sent through the mail, according to a warning issued by The Swiss National Cyber Security Centre (NCSC).

The letters are sent as if they come from the official Swiss Federal Office of Meteorology and Climatology (MeteoSwiss) and they urge the recipient to install a new “severe weather app.”

This app, however, does not exist, and the letters do not come from MeteoSwiss either.

Scanning the QR code in the malicious letters leads to a banking Trojan known as Coper, also referred to as Octo2. Coper is offered as Malware-as-a-Service: “customers” pay for the use of the malicious software and the underlying infrastructure, and spread it as they see fit. These customers are running campaigns targeting Europe, the US, Canada, the Middle East, Singapore, and Australia.

Coper is a sophisticated banking Trojan that has several advanced features:

  • Device Takeover (DTO) capabilities for remote control
  • Advanced obfuscation techniques to avoid detection
  • Overlay attacks aimed at credential theft

The fake “meteorology app” for this malware campaign is disguised under the name “AlertSwiss” when installed on Android devices, but Coper cybercriminals can customize these names for all other campaigns. That adaptability makes for a more convincing lure depending on which country or region is being targeted. For instance, “AlertSwiss” is a clear attempt to fake the name of an official app from the Federal Office for Civil Protection which is used by federal and cantonal agencies to inform, warn, and alert the population. That real app’s name is “Alertswiss” (note the tiny difference).

Using QR codes in snail mail offers the criminals a few advantages. People may not expect to end up with an infected device through something as non-technical as a physical letter. And QR codes are typically read by mobile devices, which unfortunately are still overlooked when it comes to installing security software.

QR codes are becoming more common, especially after the COVID-19 pandemic which pushed many restaurants into using digital menus instead of physical menus that are shared between customers (in the earliest days of COVID lockdowns, science was still emerging on the risk levels of touching shared objects). Because of so much change in the past few years, seeing a QR code in a letter from an official institution does not trigger any alarm bells anymore.

Many Android users also suffer from a “patch gap,” or are even using Android versions that are no longer supported and so will never receive another security update. One of the main causes of a patch gap is the time it takes for a fix for a known vulnerability to trickle down from the software vendor to the individual device manufacturers, which then need to make it available to their users.

Security advice

  • Keeping your device up to date protects you from known vulnerabilities and helps you to stay safe.

We have found that many users have no idea whether their devices are still receiving updates. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

  • Scan a QR code with the same security mindset as clicking a link

If you scan a QR code, make sure to use an app that shows you the full URL and asks you first before it visits the URL encoded in the QR code. If you do not trust the URL, don’t allow your device to open the link and, if necessary, research to find another, more trustworthy, way to get the information or download you want. Modern Android devices (version 8 and above) have a native QR code scanning capability built into the camera app. Some QR code scanner apps may have a feature that automatically executes actions like opening a website or downloading a file. Disable such features.
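The advice above amounts to "read the URL before the device acts on it." As an added example (not code from the original post or from Malwarebytes), the following Python function takes the text a scanner app has already decoded from a QR code and lists the reasons a user should pause before opening it: plain http, a raw IP address, embedded credentials, a link shortener, a punycode domain, or a link that points straight at an installable file. The shortener list and the sample payloads are constructed; the function never fetches anything.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumptions (added example, not code from the original post): the QR code has
# already been decoded to its text payload by a scanner app, and this function
# only inspects that text. It never opens or fetches the link.

# Constructed list of common link-shortener hosts; extend it for your own use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}
# Extensions that install or run software rather than display a page.
INSTALLER_EXTENSIONS = (".apk", ".exe", ".msi", ".dmg", ".pkg", ".jar")


def inspect_qr_payload(payload: str) -> dict:
    """Describe what a decoded QR payload points at and why it might be risky.

    Returns {"kind": "text"|"action"|"url", "url": ..., "host": ..., "flags": [...]}.
    The flags are plain-language reasons for a user to stop and think before
    letting the device open anything.
    """
    text = payload.strip()
    report = {"kind": "text", "url": None, "host": None, "flags": []}

    if "://" not in text:
        # Not a web link. Payloads such as tel:, sms:, mailto: or WIFI: are
        # acted on by the device itself, so they still deserve a look.
        prefix = text.split(":", 1)[0]
        if ":" in text and prefix.isalpha():
            report["kind"] = "action"
            report["flags"].append(
                f"'{prefix.lower()}:' payload triggers a device action instead of opening a page")
        return report

    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    report.update(kind="url", url=text, host=host)

    if scheme not in ("http", "https"):
        report["flags"].append(f"unusual scheme '{scheme}' may hand the link to another app")
    elif scheme == "http":
        report["flags"].append("unencrypted http link")
    if parts.username or parts.password:
        report["flags"].append("credentials embedded before the host name (a classic disguise)")
    try:
        ipaddress.ip_address(host)
        report["flags"].append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal host name, not an IP literal
    if host.startswith("xn--") or ".xn--" in host:
        report["flags"].append("punycode domain; check for look-alike characters")
    if host in SHORTENERS:
        report["flags"].append("link shortener hides the final destination")
    if parts.path.lower().endswith(INSTALLER_EXTENSIONS):
        report["flags"].append("points directly at an installable file rather than a web page")
    return report


def is_worth_a_second_look(payload: str) -> bool:
    """Convenience wrapper: True when the payload raised at least one flag."""
    return bool(inspect_qr_payload(payload)["flags"])


if __name__ == "__main__":
    # Constructed payloads: a harmless page and a link shaped like the lure described above.
    for sample in ("https://example.org/weather", "http://203.0.113.5/AlertSwiss.apk"):
        print(sample, "->", inspect_qr_payload(sample)["flags"])
```

A scanner that hands the decoded text to a check like this, and only opens the link after the user has seen the report, gives the "ask first" behaviour the advice calls for; the flags are deliberately explanations rather than a single block/allow verdict, because the user is the one deciding.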

  • Use anti-malware protection on your devices

Your mobile devices need protection just as much as your computer does. Malwarebytes offers customers Malwarebytes for Android and Malwarebytes for iOS. Malwarebytes detects Coper as Android/Trojan.Banker.Ink.a.

122 million people’s business contact info leaked by data broker

A data broker has confirmed a business contact information database containing 132.8 million records has been leaked online.

In February 2024, a cybercriminal offered the records for sale on a data breach forum, claiming the information came from pureincubation[.]com.

Post on BreachForums from February
Cybercriminal offering to sell Pure Incubation data

Pure Incubation was founded in 2012, and the company later rebranded to DemandScience. DemandScience describes itself as “a leading global B2B demand generation company accelerating global growth for clients.”

DemandScience says it specializes in lead generation, content marketing, and software development offering data intelligence and marketing solutions for B2B organizations. That’s a mouthful to describe a data broker that specializes in selling aggregated public data that other companies can use in their marketing campaigns.

When contacted by BleepingComputer about the leak, DemandScience responded by email:

“Regarding the matter referenced in your email, we have conducted a thorough internal investigation and conclude that none of our current operational systems were exploited. We also conclude that the leaked data originated from a system that has been decommissioned for approximately two years.”

It might not be a current system, but a third-party count of the data still showed around 122 million unique business email addresses. The data will lose its value over time as people switch jobs. Maybe that’s why the cybercriminals offered to sell it for $6,000.

That the company left a decommissioned system online for a criminal to find and plunder should be grounds for a hefty fine.

Despite DemandScience playing it down, the data is valuable. How else is it making money by gathering it from public records?

What can you do?

Any business that meets the definition of data broker must register with the California Privacy Protection Agency (CPPA) annually. The CPPA defines data brokers as businesses that consumers don’t directly interact with, but that buy and sell information about consumers from and to other businesses.

This is good news, because it offers Californians a sort of opt-out opportunity, by filling out this form: https://demandscience.com/privacy-policy-ccpa/

You can check whether your email address was included in this data breach by using Malwarebytes’ free Digital Footprint scan. Fill in the email address you’re curious about and we’ll give you a free report.

This leak also shows how important it can be to have your data removed from data broker sites like these. To help you, Malwarebytes offers a Personal Data Remover service (US only) that can delete your information from search results, spam lists, people search sites, data brokers, and more.

Advertisers are pushing ad and pop-up blockers using old tricks

Despite the countermeasures some services are taking against well-known ad blockers, lots of people now use one. This is no doubt due to increased privacy concerns around online tracking, along with the growing number of ads per site.

And where there is money to be made, you’ll find social engineering and affiliates.

In a campaign predominantly used on media websites, we found a misleading ad that promised visitors some content they might be interested in.

When we followed the link, we ran into one of the oldest tricks in a malvertiser’s playbook—the website told us we needed something extra in order to be able to view the content.

In the olden days, that something extra used to be video codecs or specific video players, but now we’ll be told we need a browser extension to “continue watching in safe mode.”

You need to install the Adblock Pro - Browser Extension to continue watching in safe mode

Following the prompt to install Adblock Pro we found that the whole trick was set up to promote another blocker called Push Notifications Blocker.

Push Notifications Blocker in the Chrome Web Store

This one is a bit demanding when it comes to the permissions it claims to need. This isn’t always a reason for alarm (we have to ask for certain permissions to enable Malwarebytes Browser Guard effectively, for example), but is something to keep an eye on.

Push Notifications Blocker permissions

The prompt shown below demonstrates what the extension is supposed to do.

Notificatiosn for this site are currently blocked. Do you wnat to allow them? Allow or Keep Blocking?

The extension provides information about the current status of the notifications permission of the website and gives the user control to change it or keep the current setting.

But using this extension soon reveals some side effects. The browser becomes extremely slow, and other users have reported redirects happening at unexpected moments, and search results that looked off because they didn’t come from the intended search engine.

A further investigation convinced us that this extension should be classified as adware. What puzzled us is that the exact same trick on the same domain was used to promote other Chrome extensions that promised to block ads, and those extensions have earned the trust of many users.

To us, this looks like a campaign executed by an affiliate, a company that promotes products or services from another company. If someone buys something through the affiliate’s efforts, the affiliate earns a commission.

Certainly the irony of an ad blocker being promoted in a malvertising campaign was not lost on us.

Malwarebytes detects Push Notifications Blocker as Adware.Redirector.

Malwarebytes Premium Security and Malwarebytes Browser Guard block recommendedchain[.]com.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Scammer robs homebuyers of life savings in $20 million theft spree

A 33-year-old Nigerian man living in the UK and his co-conspirators defrauded over 400 would-be home buyers in the US.

In the initial phase, Babatunde Francis Ayeni and his criminal gang targeted US title companies, real estate agents, and real estate attorneys. Employees of these companies were tricked into clicking malicious attachments and links and filling in their email account login information on fake sites. The entered information went straight to the phishers and allowed the criminals to monitor the emails of those employees.

As soon as the scammers spotted an email in which someone was asked to make a payment as part of a real estate transaction, they would change the wiring instructions so that the victims deposited their payments into bank accounts associated with the criminals instead of those of the legitimate real estate transaction.

Some 400 people fell victim to this sophisticated business email compromise (BEC) scheme. 231 of these victims were unable to reverse the wire transactions in time and lost their entire transaction—often their life savings.

The total losses amount to nearly $20 million. To cover their tracks, the gang would buy Bitcoin with the stolen funds and divide it over three different addresses.

Last year, the FBI warned that BEC focused on the real estate sector was on the rise.

“From calendar years 2020 to 2022, there was a 27% increase in victim reports to the Internet Crime Complaint Center (IC3) of BECs with a real estate nexus. In this same time frame, there was a 72% increase in victim loss of BECs with a real estate nexus.”

Ayeni was sentenced to ten years in federal prison for his role in the massive cyber fraud conspiracy.

During the multi-day sentencing hearing, numerous victims provided victim impact statements about how the crime affected them. They noted that in addition to losing all of the money they saved for the purchase of a new home, they felt significant shame, despair, and depression due to being victimized the way they were.

United States Attorney Sean P. Costello said:

“Cyber-enabled crimes can cause substantial and lasting harm to victims in an instant. Criminals across the world may believe that they are causing no harm to their victims and that they are safe behind their keyboards, but this case proves otherwise. With our law enforcement partners, we will continue to aggressively investigate, pursue, and hold accountable the crooks who perpetrate frauds online, wherever they are.”

Better to double-check

When transferring large sums of money, it’s advisable to double-check whether the account details mentioned in any email correspond with those of the expected receiver of the funds.

  • Use trusted contact information: always verify account details using contact information from a trusted source, and check whether it matches the information provided in the suspicious email or invoice.
  • Call the company directly: Use a known, verified phone number to call the company and confirm any changes to payment instructions or account details.
  • Use secure verification methods: If available, use secure portals or platforms provided by legitimate vendors to verify account information.
  • If possible, confirm that the payment arrived at the legitimate receiver’s end while you still have the option to reverse the transaction.


Temu must respect consumer protection laws, says EU

Temu has been accused of a number of infringements on its platform against European Union (EU) consumer law.

The Consumer Protection Cooperation (CPC) Network of national consumer authorities and the European Commission teamed up for a coordinated, ongoing investigation into Temu and its practices. The investigation covers a range of practices that mislead and “unduly influence” consumers’ purchasing decisions, and looks at the information obligations that an online marketplace needs to meet.

The CPC Network is made up of the national consumer authorities of the 27 EU Member States, Norway, and Iceland.

The problems the investigation found cover almost every aspect of misleading advertising one can think of:

  • Fake discounts. Telling buyers that items are offered with a discount when in reality the price is the same or even higher than before.
  • Pressure selling. Claiming that items are in short supply or need to be purchased before a deadline.
  • Forced gamification. Forcing consumers to play “spin the fortune wheel” before accessing the platform, without making them aware of the conditions attached to claiming and using the rewards from the game.
  • Missing and misleading information. Giving incomplete and even incorrect information about consumers’ legal rights to return goods and receive refunds. Temu also fails to tell customers up front that they need to reach a minimum value before they can complete their purchase.
  • Fake reviews. Hosting suspected unauthentic reviews, and providing inadequate information about how Temu ensures the authenticity of reviews published on its website.
  • Hidden contact details. Deliberately making it hard for customers to contact Temu for questions and complaints.

The CPC Network made objections to the fact that Temu does not provide information on whether the seller is a trader or not, and would also like to ensure that any environmental claims are accurate and substantiated.

Temu has one month to reply with a proposal to address the identified issues. Should the company fail to do so, national authorities can take enforcement measures to ensure compliance. These measures can be fines based on Temu’s annual turnover in the Member States concerned.

Temu responded:

“Although we have gained popularity with many consumers in a relatively short time, we are still a very young platform — less than two years in the EU — and are actively learning and adapting to local requirements.”

This is not the only problem Temu is facing at the moment. In June, we reported that the Chinese online shopping giant is facing a lawsuit filed by the State of Arkansas Attorney General, alleging that the retailer’s mobile app spies on users.

In September, a cybercriminal claimed to be selling a stolen database containing 87 million records of customer information. Temu denied it suffered a data breach, a statement supported by other circumstances, but these claims have a tendency to linger on.

And back in February, the trade association Toy Industries of Europe released a report warning that none of the 19 toys it bought on Temu.com complied with EU legislation. After sending the toys to a laboratory for testing, the organization claimed that many of them posed significant risks for children.



Warning: Online shopping threats to avoid this Black Friday and Cyber Monday 

It’s that time of year again. Thanksgiving will pass just as quickly as it arrived, and the festive season will soon hit full swing as countless people go online for some gift shopping. But where there’s a gift to be bought, there’s also a scammer out to make money.

And make money they do. In the last five years, the Internet Crime Complaint Center (IC3) said it has received 3.79 million complaints for a wide range of internet scams, resulting in $37.4 billion in losses. 

Today, we’re warning of several online threats that could target you over the next few weeks and months: brand impersonation and fakes, credit card skimming, and malvertising. 

1. Brand impersonation scams 

This Black Friday and beyond, you’re likely to see scammers ripping off big name brands. Here are a few fakes you should look out for. 

Temu ads offer discounted PS5s 

Scrolling through Facebook, we were presented with a couple of posts advertising discounted PS5s. 

Ads on Temu showing PS5

“Quit overspending on PS5! This one I got off TEMU is AWESOME and is much cheaper. I’d highly recommend picking this up!” 

Of course, it’s tempting to get a discount on high-value items like a PlayStation 5, but Temu doesn’t actually sell PS5s.

If you click the play button on the “video,” you are instead redirected to a Temu page selling various PlayStation accessories that are not official or in any way approved by Sony.  

Fake Amazon offers you great deals this Black Friday 

Amazon is relatively low cost, it’s convenient, and you can look at someone’s wish list on there. Except in this scam we caught online, the website isn’t really Amazon—check out the URL. 

Screenshot of a fake Amazon site showing goods to buy

Fake online stores like this use Amazon’s branding to sell counterfeit products. Even if you take the risk and buy a knock off product (which we think is a bad idea), you have no guarantee of receiving the merchandise, and definitely no buyer protection. 

Walmart makes it easy for you to buy gift cards 

Nothing says “I saw this and thought of you” like a Walmart gift card on Christmas day. But make sure you are buying from the right website.  

Again, in this example, check out the URL—this website might look like Walmart, but it’s a fake that will happily take your money in exchange for nothing. 

Screenshot of a fake Walmart site advertising gift cards

“USPS” now delivers you fraud 

If you’re taking advantage of Black Friday sales and buying many things at once, it can be tricky to keep track of what you’ve ordered. Even if you do know what’s coming, you often don’t know which package service will deliver it to your door. Scammers take advantage of this and will send fake delivery notice emails that encourage you to click on them. 

With this fake USPS site, you are asked to pay a small fee to have your delivery processed. However, once you hand over your card details the scammers can take whatever amount they like and sell your details to other criminals. 

Screenshot of fake USPS site

These scams are very common. In fact, when we looked, we saw 50 fake USPS sites set up in only a day: 

Diagram showing many fake USPS domains

2. Credit card skimmers 

We’re seeing a lot of online stores hosting credit card skimmers, especially smaller retailers.  

A credit card skimmer is a piece of malware that is injected into a website, often through vulnerabilities in the content management system (CMS) or the plugins that the site owner uses. 

When visiting a site that has a card skimmer on it, you’ll likely have no idea it’s even there. However, a single script injection is enough to steal your credit card data. 

Screenshot of code being inserted into a website

Last year, we saw a large uptick in card skimmers just before the holiday season. One particular campaign that we tracked peaked in April 2023, but then really slowed down during the summer months. Over those months, cybercriminals had infected multiple websites and built custom templates to trick victims into handing over their credit card details. By October, the same campaign had increased to its highest volume yet, and it is highly likely that this year will be the same. 

When looking at compromised websites, it can be hard to tell what—if anything—is wrong. However, if a site looks like it hasn’t been maintained in a while (for example, it displays outdated information, such as ‘Copyright 2022’) you should avoid entering your card details. Most compromises happen because a website’s CMS and its plugins are outdated and vulnerable. 

Our free browser extension Malwarebytes Browser Guard blocks credit card skimmers by default. If you visit a compromised store you’ll be shown a warning like this: 


Access to the store isn’t blocked, we just block the skimmer code so it can’t load. And while you could in theory still shop safely, we’d still advise you to avoid buying anything from there. 
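The skimmer section above makes two points a site owner or analyst can check for mechanically: an injected script usually arrives from a host the store never used before, or as inline code that touches the card fields while talking to an outside host, and a stale copyright year is a cheap tell that nobody is maintaining the site. The following Python is an added example, not Malwarebytes’ or Browser Guard’s code: it inventories every script on a page, compares external sources with an allowlist of the site’s own hosts, applies a simple heuristic to inline scripts, and reads the copyright year. The sample page, the allowlist, and the stand-in "injected" script are constructed; the inline sample only names a card field and an unknown host, which is all the heuristic looks at.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not Malwarebytes' code. The checks are heuristics that point an
# analyst at scripts worth a closer look; they are not a verdict on their own.

PAYMENT_FIELD_RE = re.compile(r"card[_-]?(number|num|no|holder)|cvv|cvc|expir", re.I)
ENCODING_RE = re.compile(r"\b(btoa|atob|fromCharCode|unescape)\b", re.I)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
COPYRIGHT_RE = re.compile(r"copyright\s*(?:©|\(c\))?\s*(\d{4})", re.I)


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external src values and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:          # script bodies arrive here as raw text
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_scripts(html: str, page_host: str, allowed_hosts) -> list:
    """Return findings for scripts that do not fit the site's known-good hosts."""
    collector = ScriptCollector()
    collector.feed(html)
    trusted = {h.lower() for h in allowed_hosts} | {page_host.lower()}
    findings = []
    for src in collector.external:
        # A relative src is served by the site itself, so it counts as first party.
        host = (urlsplit(src).hostname or page_host).lower()
        if host not in trusted:
            findings.append({"type": "external-script", "host": host, "src": src})
    for index, body in enumerate(collector.inline):
        foreign = {h.lower() for h in URL_HOST_RE.findall(body)} - trusted
        touches_payment = bool(PAYMENT_FIELD_RE.search(body))
        encodes = bool(ENCODING_RE.search(body))
        # Checkout code legitimately names card fields; the combination with an
        # outside host or encoding helpers is what stands out.
        if touches_payment and (foreign or encodes):
            reasons = ["references payment form fields"]
            if foreign:
                reasons.append("contacts host(s) outside the allowlist: " + ", ".join(sorted(foreign)))
            if encodes:
                reasons.append("uses encoding helpers typical of obfuscated exfiltration")
            findings.append({"type": "inline-script", "index": index, "reasons": reasons})
    return findings


def copyright_year_stale(html: str, current_year: int) -> bool:
    """True when the page's latest 'Copyright YYYY' is more than a year old."""
    years = [int(y) for y in COPYRIGHT_RE.findall(html)]
    return bool(years) and max(years) < current_year - 1


# Constructed sample checkout page: two legitimate scripts and two "injected" ones.
SAMPLE_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://js.payments.example/v3/"></script>
<script src="https://assets-cdn.invalid/jquery.min.js"></script>
</head><body>
<form><input id="cardnumber"><input id="cvv"></form>
<script>
/* constructed stand-in for an injected script: it only names the card field
   and an unknown host, which is what the heuristic keys on; it does nothing */
var cardnumber = document.getElementById("cardnumber");
var sink = "https://metrics-collector.invalid/";
</script>
<footer>Copyright 2022 Example Store</footer>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML, "shop.example", ["js.payments.example"]):
        print(finding)
    print("stale copyright:", copyright_year_stale(SAMPLE_HTML, 2024))
```

Run periodically against your own checkout pages with the allowlist set to the hosts you actually deploy from, a new external host or a flagged inline script is the change to investigate; a browser-side blocker such as the one described above does the equivalent at page-load time from a list of known skimmer hosts.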

3. Malvertising increases in line with gift shopping 

Malvertising—or malicious advertising—is a favorite of scammers, who use online ads and sponsored search results to deliver malware to their unsuspecting victims.  

Malvertising doesn’t require that criminals know a victim’s email address, login credentials, or personal information to deliver them malware. All the scammers need to do is fool someone into clicking on an ad that looks legitimate.  

Last fall, Malwarebytes tracked a 42% increase month-over-month in malvertising incidents in the US. This year we’re seeing a similar uptick, with a 41% increase from July to September as we head into the holiday shopping season. 

In terms of the actual advertiser accounts that are used in malvertising campaigns, most are based in the US and are set up using a combination of fake identities or hijacked accounts. However, according to our research findings, ads originating in Pakistan and Vietnam account for 90% of the fraud. 

Pie chart showing the countries of origin of attacks

Most (77%) of the accounts are used once only—created quickly and then burned. Once that account is dead, cybercriminals spin up the next one and on it goes.  

No brand is safe from malvertisers. We’ve tracked campaigns that spoof Google, Amazon, eBay, Walmart, Lowe’s—and even Malwarebytes.  

Our advice: It’s not always easy to tell a real ad from a scam, so it’s best to avoid clicking on sponsored ads at all. Use genuine search results or navigate directly to the site yourself. 

How to shop safely this holiday season  

  • Remember: If it’s too good to be true then it probably is. Discounted items are tempting—especially at a time of year when lots of spending takes place—but these offers often amount to nothing. Instead, research the best deal at reputable retailers. 
  • Don’t get rushed into making decisions. Scammers will use a sense of urgency to pressure you into performing quick actions before you can properly think things through. Take your time before doing anything like clicking links or entering card details. 
  • Get an ad and malicious content blocker like Malwarebytes Browser Guard. If you’re blocking ads then you can’t be tricked into clicking on them. Browser Guard (which is free!) also protects against credit card skimming and other online threats. 
  • Keep an eye on your financial statements: An uptick in online shopping deserves an uptick in vigilance with checking online bank accounts, credit card statements, investment portfolios—in fact, any financial account data. Flag anything that seems suspicious with your provider. 
  • Protect your online accounts. Use a different password for every account (a password manager is super helpful in generating and storing all your passwords), and set up multi-factor authentication (MFA) wherever you can.  
  • Protect your devices: Most security products offer some kind of web protection that detects malicious domains and IP addresses, including Malwarebytes Premium which offers web and phishing protection. 
  • Clean up your personal data online: Cybercriminals use publicly available information in their scams, so check what information is available about you online using our free Digital Footprint scan. You can also take the first step in removing your personal information from the network of data brokers online with our Personal Data Remover.

Thanks to Jerome Segura for his research on this piece.

DNA testing company vanishes along with its customers’ genetic data

A DNA testing company that promised clients insights into their genetic disposition has suddenly disappeared. The BBC reports it tried several methods to reach the company but failed in this effort.

The London offices are closed, nobody answers the phone, and clients can no longer access their online records. None of the company’s social media accounts have been updated since 2023 at the latest.

The atlasbiomed.com domain appears to be inactive. Customers could only view their test results online and could not download them, so now they are not only unable to see those results, but also have no idea what has happened to that data.

Although there is no evidence that any of the data has been misused, it is worrying to not know who now has access to the data, especially now that the investigation shows that there might be ties to Russia.

While four out of eight company officers have resigned, two of those that remain are listed at the same address in Moscow. That happens to be the same address as that of a Russian billionaire, who is described as a now resigned director.

DNA testing has become so commonplace that many people have blindly participated without truly understanding the implications. It has always been a problem to figure out who you could trust with your genetic data. For some people it’s their cheapest chance of finding out whether they are affected by some genetic disorder.

Since those early days, we’ve had several warnings about how submitting your genetic data can go sideways.

In 2018, MyHeritage suffered a security incident which exposed the email addresses and hashed passwords of 92 million users.

In 2020, Ancestry was acquired by investment firm Blackstone for $4.7 billion, which raised questions about the potential commercialization of genetic data and its transfer to new owners.

And the ongoing saga of what happened at 23andMe is the clearest example of why people would be hesitant to submit genetic data. In 2023, cybercriminals put up information belonging to as many as seven million 23andMe customers for sale on criminal forums following a credential stuffing attack against the genomics company.

Since then all board members have resigned, except for CEO Anne Wojcicki who has stood by her plans to take the company private, raising again the subject of what happens to customer genetic data when a company is sold.

Data breaches happen to the best companies. So, even if a company has good intentions, there is still a risk of your genetic data being linked to your personally identifiable information (PII). This makes the information a treasure trove for advertisers, insurance companies, and Big Pharma.

All of this makes it very understandable that customers of Atlas Biomed are worried about where their data might end up.

Words of warning

The UK regulator, the Information Commissioner’s Office (ICO) has confirmed it has received a complaint about Atlas Biomed, saying in a statement:

“People have the right to expect that organizations will handle their personal information securely and responsibly.”

Unfortunately, we know that not all organizations will meet that expectation, so there are a few things you should keep in mind.

If you submit genetic material, research the company you want to trust with it thoroughly.

Only share the personal information you absolutely have to provide with the genetic testing company. Lie if you must and create a separate free email account so the information can’t be tied to your main account.

Make sure to familiarize yourself with the company’s privacy policy and opt out of sharing information where possible. Make sure to stay informed about any policy updates or changes from the company.

As a wise lady and one of my former editors once wrote:

“Many a friend and family member have scoffed at my warnings to stay away from consumer DNA testing kits, remarking that they have nothing to hide or that there’s no harm in releasing their DNA into the hands of researchers. I honestly hope they’re right.

I hope they never have to fear having their health insurance ripped away because of pre-existing conditions or an increased risk of developing certain diseases. I hope they aren’t inundated with marketing emails about cancer-preventative nutrition or the best new medicines to prolong the onset of Alzheimer’s. I sincerely hope they’re never targeted by racial-profiling police officers, denied a job by a prejudiced employer or buried in paperwork after having their identity stolen by a hacker. And I fervently hope they’ll never have to hide their genetic profile from a government hell-bent on ridding its country of a certain ethnicity or race.”



A week in security (November 4 – November 10)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!



Hello again, FakeBat: popular loader returns after months-long hiatus

The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While we noted a decrease in loaders distributed via malvertising for the past three months, today’s example is a reminder that threat actors can quickly switch back to tried and tested methods.

After months of absence, FakeBat (AKA Eugenloader, PaykLoader) showed up on our radar again via a malicious Google ad for the productivity application Notion. FakeBat is a unique loader that has been used to drop follow-up payloads such as Lumma stealer.

In this blog post, we detail how criminals are targeting their victims and what final malware payload they are delivering post initial infection. The incident was found and reported to Google on the same day as this publication.

Google Ads distribution

Last time we saw FakeBat was on July 25, 2024, via a malicious ad for Calendly, a popular online scheduling application. In that instance, FakeBat’s command and control infrastructure ran from utd-gochisu[.]com.

Fast forward to November 8, 2024, and we have an ad appearing at the top of a Google search for ‘notion’. That sponsored result looks entirely authentic, with an official logo and website. We already know that criminals are able to impersonate any brand of their liking by simply using a click tracker — or tracking template — in order to bypass detection.


According to Google’s Ads Transparency Center, the Notion ad was shown in the following geographic locations:


Below is the network traffic from the ad URL to the payload. We can see the use of the tracking template (smart.link), followed by a cloaking domain (solomonegbe[.]com), before landing on the decoy site (notion[.]ramchhaya.com):


Why does this work and bypass Google’s checks? Likely because if the user is not an intended victim, the tracking template redirects them to the legitimate notion.so website.

FakeBat drops LummaC2 stealer

After extracting the payload, we recognize the classic first stage FakeBat PowerShell:


Security researcher and long-time FakeBat enthusiast RussianPanda was kind enough to give us a hand by looking at this installer in closer detail.

After some fingerprinting to avoid sandboxes, we get this second stage PowerShell:


Of note, the threat actors are still using the same old RastaMouse AMSI bypass script from April 2024:


The loader is obfuscated with .NET Reactor, where it decrypts the embedded resource with AES and then injects it into MSBuild.exe via process hollowing:


The decrypted payload is LummaC2 Stealer with user ID: 9zXsP2.

Conclusion

While malicious ads delivering malware payloads have been a little more rare for the past several weeks, today’s example shows that threat actors can and will make a comeback whenever the time is right.

Brand impersonation via Google ads remains problematic, as anyone can leverage built-in features to appear legitimate and trick users into downloading malware.

We appreciate and would like to thank RussianPanda for the quick analysis of the payload, as well as security researcher Squiblydoo for reporting the malicious certificate used to sign the installer.



Indicators of Compromise

Malvertising chain

solomonegbe[.]com
notion[.]ramchhaya.com

Malicious Notion installer

34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de

FakeBat C2

ghf-gopp1rip[.]com

1.jar (PaykRunPE)

2de8a18814cd66704edec08ae4b37e466c9986540da94cd61b2ca512d495b91a

LummaC2 (decrypted payload)

de64c6a881be736aeecbf665709baa89e92acf48c34f9071b8a29a5e53802019

JwefqUQWCg (encrypted resource)

6341d1b4858830ad691344a7b88316c49445754a98e7fd4a39a190c590e8a4db

Malicious URLs

furliumalerer[.]site/1.jar
pastebin[.]pl/view/raw/a58044c5

LummaC2 Stealer C2s:

rottieud[.]sbs
relalingj[.]sbs
repostebhu[.]sbs
thinkyyokej[.]sbs
tamedgeesy[.]sbs
explainvees[.]sbs
brownieyuz[.]sbs
slippyhost[.]cfd
ducksringjk[.]sbs
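The indicators above are published defanged ("[.]" for "."), so they cannot be pasted straight into a blocklist or a log search. As an added example that is not Malwarebytes’ tooling, the following Python refangs the list, sorts it into domains, URLs and SHA-256 hashes, and runs the domain set over proxy log lines and a set of observed file hashes. The indicator text is copied from the list above; the proxy log format and the log lines themselves are constructed (they mimic a client following the ad chain described in the post: decoy site, then the 1.jar download).

```python
import re
from urllib.parse import urlsplit

# Added example, not Malwarebytes' tooling. Indicator lines are copied from the
# list above (still defanged with "[.]" as on the page); headings are left out.
IOC_TEXT = """
solomonegbe[.]com
notion[.]ramchhaya.com
34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de
ghf-gopp1rip[.]com
2de8a18814cd66704edec08ae4b37e466c9986540da94cd61b2ca512d495b91a
de64c6a881be736aeecbf665709baa89e92acf48c34f9071b8a29a5e53802019
6341d1b4858830ad691344a7b88316c49445754a98e7fd4a39a190c590e8a4db
furliumalerer[.]site/1.jar
pastebin[.]pl/view/raw/a58044c5
rottieud[.]sbs
relalingj[.]sbs
repostebhu[.]sbs
thinkyyokej[.]sbs
tamedgeesy[.]sbs
explainvees[.]sbs
brownieyuz[.]sbs
slippyhost[.]cfd
ducksringjk[.]sbs
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
# Assumed (constructed) proxy log layout: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def refang(value: str) -> str:
    """Turn the publication-safe spelling back into something matchable."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text: str) -> dict:
    """Sort indicator lines into hashes, URLs and domains.

    The host of a URL indicator is also recorded as a domain, because a block
    on the host catches the same payload served from another path. For a shared
    service such as a paste site, match on the full URL instead to avoid noise.
    """
    iocs = {"domains": set(), "urls": set(), "sha256": set()}
    for raw in text.splitlines():
        line = refang(raw.strip()).lower()
        if not line or " " in line:        # blank line or heading text
            continue
        if SHA256_RE.match(line):
            iocs["sha256"].add(line)
        elif "/" in line:
            iocs["urls"].add(line)
            iocs["domains"].add(line.split("/", 1)[0])
        else:
            iocs["domains"].add(line)
    return iocs


def domain_matches(host: str, domains):
    """Return the indicator covering host (exact or parent domain), else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_proxy_log(lines, iocs: dict) -> list:
    """Return one hit per log line whose destination host is on the indicator list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                       # line does not fit the assumed layout
        host = urlsplit(m.group("url")).hostname or ""
        hit = domain_matches(host, iocs["domains"])
        if hit:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "host": host, "indicator": hit})
    return hits


def match_hashes(observed, iocs: dict) -> list:
    """Return the SHA-256 values from observed that appear in the indicator list."""
    return sorted({h.lower() for h in observed if h.lower() in iocs["sha256"]})


# Constructed proxy log lines: one client follows the ad chain, another is benign.
SAMPLE_LOG = [
    "2024-11-08T14:02:11Z 10.0.0.12 GET https://www.notion.so/ 200",
    "2024-11-08T14:02:13Z 10.0.0.12 GET https://solomonegbe.com/?q=notion 302",
    "2024-11-08T14:02:14Z 10.0.0.12 GET https://notion.ramchhaya.com/download 200",
    "2024-11-08T14:03:40Z 10.0.0.12 GET https://furliumalerer.site/1.jar 200",
    "2024-11-08T14:05:01Z 10.0.0.33 GET https://example.com/ 200",
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in match_proxy_log(SAMPLE_LOG, iocs):
        print(hit)
```

The hits from one client arriving in sequence (cloaking domain, decoy site, payload host) reproduce the chain the post describes, which is the pattern to pivot on in a real investigation; the legitimate notion.so request stays unmatched because only the exact decoy subdomain is on the list.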