FakeBat delivered via several active malvertising campaigns

February was a particularly busy month for search-based malvertising, with the number of incidents we documented almost doubling. We saw similar payloads being dropped, but also a few new ones that were particularly good at evading detection. One malware family we have been tracking on this blog is FakeBat. It is unusual in that the threat actor uses MSI installers packaged with heavily obfuscated PowerShell code. For weeks, the malvertiser helping to distribute this malware was abusing the same URL shortener services, which may have made the attack somewhat predictable. We then saw them experimenting with new redirectors, in particular leveraging legitimate websites to bypass security checks.

Another interesting aspect is the diversity of the latest campaigns. For a while, we saw the same software brands being impersonated over and over again. With this latest wave of FakeBat malvertising, we are seeing many different brands being targeted.

During the past several weeks, FakeBat malvertising campaigns used two kinds of ad URLs. As observed in other malvertising campaigns, they were abusing URL/analytics shorteners, which are ideal for cloaking: that practice lets a threat actor serve either a 'good' or a 'bad' destination URL based on parameters they define themselves. In the most recent malvertising campaigns we see the threat actor abusing legitimate websites that appear to have been compromised. There are currently several campaigns running, including ones impersonating OneNote, Epic Games, Ginger and even the Braavos smart wallet application. A number of those malicious domains can be found on the Russian-based hoster DataLine.

FakeBat continues to be a threat to businesses via malicious ads for popular software downloads. The malware distributors are able to bypass Google's security checks and redirect victims to deceptive websites. It is as important to defend against the supporting infrastructure as against the malware payloads themselves. That is not always easy, since legitimate websites may be used to defeat domain blocklists. As always, blocking ads at the source via system policies such as ThreatDown DNS Filter remains one of the most effective ways to stop malvertising attacks in their tracks.


This Cyber News was published on www.malwarebytes.com. Publication date: Tue, 12 Mar 2024 23:44:28 +0000

