Understanding the FakeBat Loader: Distribution Tactics and Cybercriminal Infrastructure

Distribution Tactics

  1. Fake Browser Updates: Attackers inject malicious JavaScript into compromised websites so that visitors see fake browser update notifications. Users who click on these notifications are redirected to malicious pages hosting the FakeBat loader. This method is particularly deceptive because it mimics legitimate browser update prompts.
  2. Malvertising: FakeBat is also distributed through malvertising campaigns. These campaigns use ad URLs that either redirect through compromised legitimate sites or employ URL shorteners to obscure the true destination. The ads often masquerade as legitimate software downloads from well-known brands such as OneNote, Epic Games, and others.

Cybercriminal Infrastructure

  1. Command and Control (C2) Servers: FakeBat uses a network of C2 servers to manage infected systems. These servers are often hosted on domains that appear legitimate in order to avoid detection. Recent campaigns have used Russian-based hosting services and a variety of subdomains to maintain operational resilience.
  2. Payload Delivery: The malware is typically delivered via MSIX installers that are digitally signed so they pass signature-based security checks. These installers contain obfuscated PowerShell scripts that connect to the attackers' servers for further instructions.
  3. Redirection Mechanisms: To evade detection, attackers use conditional redirects keyed on parameters such as time of day or the visitor's user-agent string. This lets them serve the malicious content only to intended victims and avoid scrutiny from security researchers and automated detection systems.
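The delivery chain described above (ad or fake-update page, a redirect hop through a URL shortener, then a signed MSIX download from a look-alike domain) leaves a recognisable trace in web proxy logs. The following is an added detection example, not code from the original post or from any vendor: it parses a small set of constructed proxy log lines, finds MSIX downloads from hosts outside an approved-installer allowlist, and walks the referrer chain backwards to see whether the download was preceded by a shortener or redirect hop or by a third-party script loaded onto the landing page. The log format, the `.test` hostnames, the allowlist, the shortener list and the five-minute window are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Assumed format, one event per line:
# "<ISO timestamp> <client_ip> <method> <url> <status> <content-type> <referrer or ->"
# Client 10.0.0.15 follows the FakeBat-style chain; client 10.0.0.22 is a benign download.
SAMPLE_LOG = """\
2024-06-12T09:14:02 10.0.0.15 GET https://news.example-site.test/article 200 text/html -
2024-06-12T09:14:03 10.0.0.15 GET https://cdn.example-update.test/update.js 200 application/javascript https://news.example-site.test/article
2024-06-12T09:14:05 10.0.0.15 GET https://short.example-shortener.test/a1b2 302 text/html https://news.example-site.test/article
2024-06-12T09:14:06 10.0.0.15 GET https://onenote-download.example-lookalike.test/OneNote_Setup.msix 200 application/msix https://short.example-shortener.test/a1b2
2024-06-12T10:02:11 10.0.0.22 GET https://www.example-vendor.test/products/notes 200 text/html -
2024-06-12T10:02:30 10.0.0.22 GET https://apps.example-vendor.test/Notes.msix 200 application/msix https://www.example-vendor.test/products/notes
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+)$")

# Assumed policy data: hosts from which MSIX installers are expected, and known
# URL-shortener hosts. In production these come from asset inventory / threat intel.
APPROVED_INSTALLER_HOSTS = {"apps.example-vendor.test"}
SHORTENER_HOSTS = {"short.example-shortener.test"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
WINDOW = timedelta(minutes=5)  # how far back to look for the delivery chain


@dataclass
class Event:
    ts: datetime
    client: str
    method: str
    url: str
    status: int
    ctype: str
    referrer: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""


def parse_log(text: str) -> list[Event]:
    """Parse log lines in the assumed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, ctype, ref = m.groups()
        events.append(Event(datetime.fromisoformat(ts), client, method, url, int(status), ctype, ref))
    return events


def is_msix(ev: Event) -> bool:
    """True when the request fetched an MSIX package, by extension or content type."""
    path = urlparse(ev.url).path.lower()
    return path.endswith((".msix", ".msixbundle")) or ev.ctype.startswith("application/msix")


def find_suspicious_msix_downloads(events: list[Event]) -> list[dict]:
    """Flag MSIX downloads from unapproved hosts and enrich them with the preceding chain."""
    by_client: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        by_client[ev.client].append(ev)

    alerts = []
    for client, evs in by_client.items():
        evs = sorted(evs, key=lambda e: e.ts)
        for i, ev in enumerate(evs):
            if not is_msix(ev) or ev.host in APPROVED_INSTALLER_HOSTS:
                continue
            reasons = ["msix_from_unapproved_host"]
            recent = [e for e in evs[:i] if ev.ts - e.ts <= WINDOW]
            by_url = {e.url: e for e in recent}

            # Walk the referrer chain backwards: a shortener or 3xx hop between the
            # landing page and the installer matches the malvertising pattern.
            hop = by_url.get(ev.referrer)
            seen: set[str] = set()
            while hop is not None and hop.url not in seen:
                seen.add(hop.url)
                if hop.host in SHORTENER_HOSTS or hop.status in REDIRECT_STATUSES:
                    reasons.append("redirect_hop:" + hop.host)
                hop = by_url.get(hop.referrer)

            # A script pulled from a host other than the page that loaded it is a weak
            # signal on its own (CDNs do this), but in this context it matches the
            # injected fake-update overlay and is worth surfacing to the analyst.
            for e in recent:
                if e.ctype.startswith("application/javascript") and e.referrer != "-":
                    if urlparse(e.referrer).hostname != e.host:
                        reasons.append("third_party_script:" + e.host)

            alerts.append({"client": client, "url": ev.url, "time": ev.ts.isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_msix_downloads(parse_log(SAMPLE_LOG)):
        print(alert)
```

The allowlist is the important control: an MSIX download by itself is routine, and what distinguishes the FakeBat chain is an installer fetched from a domain the organisation has never approved, reached through a shortener or redirect. The script-loading signal is deliberately kept as an enrichment rather than a trigger, since blocking on it alone would produce noise on ordinary sites.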

Recommendations for Protection

  1. Awareness and Training: Educate users about the risks of fake update notifications and the importance of verifying such prompts, for example by updating only through the browser's own update mechanism.
  2. Ad Blocking: Deploy ad-blocking solutions to reduce exposure to malvertising campaigns.
  3. Security Software: Use endpoint detection and response (EDR) solutions to detect and block the activity associated with FakeBat, such as the PowerShell execution that follows an MSIX install.
