# Executive Summary

BatLoader and FakeBat are two competing, Russian-speaking Malware-as-a-Service (MaaS) crime groups that specialize in infecting corporate employees with malware. These services are known to infect their targets with [every type of malware from the Royal ransomware to the Gozi banking trojan](https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/). [eSentire's security research team, the Threat Response Unit (TRU)](https://www.esentire.com/resources/tru-intelligence-center), has been closely tracking the two MaaS operations. Between September 2022 and November 2023, TRU intercepted and shut down BatLoader and FakeBat attacks launched at 23 of eSentire's customers. These included companies in the manufacturing, software, legal, retail, and healthcare industries.

TRU has discovered the handle of each lead operator. BatLoader's top operator goes by Afron, and FakeBat's main operator goes by Eugenfest. TRU has also tracked the threat actors' online activities, going back to 2017 for Eugenfest and 2020 for Afron.

Although BatLoader and FakeBat are similar in several aspects, they are rivals, each competing to capture more of the MaaS market. Both MaaS operations work closely with their customers to create seamless, end-to-end malware delivery using search advertisements for popular business software, yielding high-value victims for further exploitation. Both operations offer variable payment options for additional services, as well as assistance in running the advertising campaigns if needed. The threat actors behind BatLoader and FakeBat have figured out that if they provide their customers with a reliable malware loader, assist them with parts of the malware operation where needed, and offer the loader and that assistance at an affordable price, they will significantly increase their market share.
Thus, even the lowest-level hacker can get into the cybercrime game.

The BatLoader and FakeBat operations are referenced by the following names: BatLoader a.k.a. AfronLoader and DefeatDefenderLoader, and FakeBat a.k.a. PaykLoader and EugenLoader. Both MaaS offerings were initially advertised on Telegram and on the Russian-speaking underground forums Exploit and XSS, and remain active to this day.

### BatLoader and FakeBat Attack 23 Companies Across the Manufacturing, Software, Legal, Retail, & Healthcare Industries

The BatLoader service was first advertised on the hacker underground in May 2022, while the FakeBat MaaS came on the scene in December 2022. As previously mentioned, TRU detected and shut down BatLoader and FakeBat attacks launched at 23 of eSentire's customers between September 2022 and November 2023. The targets included companies in the manufacturing, software, legal, retail, and healthcare industries.

Threat actors who purchase BatLoader's or FakeBat's services are promised a malware loader capable of evading defenses and reliably infecting victims. The BatLoader operators claim the following success rate for their malware loader: "What is the Payout Percentage, the success rate for every 100 of people that download the BatLoader malware, 50% end up infected with your payload." The BatLoader operators also state that their malware loader will circumvent Google Alerts, SmartScreen, and Windows Defender, and TRU has observed this in practice. Both operations also offer extended services to assist with delivering payloads via search advertisements.

### Show Them the Money

A customer can rent the MaaS from the BatLoader operators or the FakeBat operators for one month for set rental fees. For BatLoader, as of September 2023, customers must transfer USD $3,000 one time through the Guarantor of the forum in which the operators and the customer are doing business.
A Guarantor is a trusted middleman for buying and selling goods and services between users on an underground forum. Guarantors are part of an underground forum's management staff, and they perform escrow services. According to the BatLoader operators, the one-time payment of $3,000 is to demonstrate that the customer is serious about doing business. After the money is deposited, a profit-sharing agreement is negotiated privately between the BatLoader operators and the customer.

To rent the FakeBat MaaS, the operators currently offer either an unsigned MSI loader for USD $2,500 per month or a signed MSIX loader for USD $4,000 per month. If a customer wants additional services, such as payload delivery, these are negotiable for a minimum of USD $3,000 on top of the cost of the loader.

### The MO of BatLoader and FakeBat and the Art of Deception

Once the operators have been paid their rental fees, the process works like this. The operators create and purchase Google ads promoting popular business software, such as Slack, ChatGPT, Adobe, etc. These ads are designed to entice corporate employees to websites that the BatLoader and FakeBat operators design and host. These websites mimic legitimate software hosting sites, so when corporate employees visit them to download the software they want, they get infected with the BatLoader or FakeBat malware loader. Once the loader is on an employee's computer, the customer's preferred payload is downloaded onto the victim's computer, alongside an actual copy of the business software the employee was seeking.

To give the lure another layer of authenticity, the BatLoader operators claim their malware loader is always signed. The FakeBat operators offer their customers either an unsigned MSI loader for USD $2,500 per month or a signed MSIX loader for USD $4,000 per month.
The final payload can be whatever the customer chooses, whether ransomware, banking trojans, password stealers, remote access trojans (RATs), or Remote Monitoring and Management (RMM) tools. In the case of BatLoader, customers can customize their payloads specifically for corporate networks, providing an efficient, flexible means of monetizing the victim machine and environment through information theft, network access, or possibly extortion.

### BatLoader and the Royal Ransomware Connection

[Security researchers have seen BatLoader infections lead to Royal ransomware deployment](https://www.darkreading.com/threat-intelligence/royal-ransomware-expands-target-linux-vmware-esxi-environments). The Royal ransomware gang [is said to be run by top operators formerly with the notorious Conti ransomware gang](https://www.securityweek.com/royal-ransomware-possibly-rebranding-after-targeting-350-organizations-worldwide/). Royal [was behind the May 2023 breach of the city of Dallas](https://www.bleepingcomputer.com/news/security/dallas-says-royal-ransomware-breached-its-network-using-stolen-account/), causing the city government to shut down some of its courts and disrupting portions of its 911 emergency services. According to a [joint FBI and Cybersecurity and Infrastructure Security Agency (CISA) advisory updated in November 2023](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a), the Royal threat actors have targeted numerous critical infrastructure sectors, including manufacturing, Healthcare and Public Health (HPH), education, and communications. Law enforcement estimates that the Royal gang has targeted 350 victims since September 2022 and has demanded more than $275 million from these organizations. According to a [separate May 2023 security report](https://unit42.paloaltonetworks.com/royal-ransomware/), the Royal gang also attacked seven local government entities, including the City of Dallas, and claimed to have compromised 26 manufacturers in 2023 alone. They also hit 14 educational institutions and eight healthcare organizations since coming on the hacker scene in 2022.

The following report details the origins of BatLoader and FakeBat and provides insight into how these malware services have evolved into seamless, turn-key criminal operations requiring few cyber skills of their business partners. Readers also gain a glimpse into the psyche of the lead criminals behind these malware services and how they conduct business on the underground. Lastly, TRU provides a list of security recommendations to help organizations protect themselves from these threats.

# Unraveling the BatLoader and FakeBat Operations

Since January 2022, eSentire's Threat Response Unit (TRU) has tracked two Malware-as-a-Service (MaaS) operations sometimes labeled under a common identifier, BatLoader. This blending is likely due to the similarities between the two operations: both distribute malicious installer files (.msi or .msix) using Google Search advertisements for popular software such as Zoom, ChatGPT and Adobe. These installation packages execute embedded Batch (.bat), PowerShell (.ps1), or Python (.py) scripts to install malware on the victim's machine. There are two similar and competing MaaS operations:

1. **BatLoader a.k.a. AfronLoader, DefeatDefenderLoader**
2. **FakeBat a.k.a. PaykLoader, EugenLoader**

These operations were initially advertised on Telegram and the Exploit/XSS forums and remain active to this day. This report will explore the origins of and differences between these two operations.
### BatLoader Origins and Ties to MalSmoke, Zloader

[The earliest mention of the loader can be traced to a January 2022 blog by Check Point Research](https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/), who backtracked the activity to November 2021. The blog describes an infection scheme whereby MSI (Microsoft Software Installer) files disguised as installers drop the remote monitoring tool Atera Agent, followed by several Batch files (.bat) which add exclusions to Microsoft Defender and install Zloader as the main payload. Based on similarities in TTPs and domain registration data, researchers linked the activity to a campaign dubbed MalSmoke [by Malwarebytes in 2020](https://www.malwarebytes.com/blog/news/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme).

_Figure 1 Comparison of Malwarebytes' (left) and Check Point Research's (right) infection chains._

The Malwarebytes blog described how the MalSmoke operators shifted delivery from the Fallout exploit kit to social engineering via fake Java MSI installer files on adult websites beginning in October 2020. That infection scheme can be seen on the left side of Figure 1.

There are a few other clues that strengthen the MalSmoke/BatLoader connection. First, the threat actor we've linked to BatLoader was active on the Exploit forum in February 2020, promoting a pay-per-install scheme that used the Fallout exploit kit (Figure 2).

_Figure 2 Exploit post promoting Fallout EK installs (translated)._

The threat actor received several replies critiquing the quality of installs delivered by exploit kits, to which they replied, "I can't guarantee that you'll have top companies in your logs. I don't promise that." In a now-deleted advertisement for an early version of BatLoader, they admitted drive-by exploit methods are no longer relevant.
Furthermore, the panel logo (a version of the [Eye of Providence](https://en.wikipedia.org/wiki/Eye_of_Providence)) referenced for moviehunters[.]site in the MalSmoke campaign (Figure 1, left) matches several favicons found in [known BatLoader panels](https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif) at shvarcnegerhistory[.]com/t1s1j1/index/login as well as countingstatistic[.]com/g00m1n/index/login:

_Figure 3 Eye of Providence logo seen in BatLoader panels._

The "BatLoader" or BATLOADER label originates from a [February 2022 report by Mandiant](https://www.mandiant.com/resources/blog/seo-poisoning-batloader-atera). The various reports predating the BatLoader-as-a-service advertisements shown below suggest the threat actor(s) were working privately with other actors before deciding to commoditize their loader. Notably, Zloader (commonly linked to early BatLoader infections) was [disrupted by Microsoft's Digital Crimes Unit in April 2022](https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/). TTPs and infrastructure in an [accompanying Microsoft report](https://www.microsoft.com/en-us/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/) also align with early reported BatLoader activity. Coincidentally, BatLoader was then marketed in its current form on the Exploit[.]in forum a month later. The relationship isn't immediately clear, but it's a realistic possibility that BatLoader's operators decided to open up the loader and find new partners following the Zloader takedown.
Microsoft, who tracks the BatLoader operators as Storm-0569 (formerly DEV-0569), also raised this hypothesis in a [November 2022 blog](https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/), stating: _"DEV-0569 frequently diversifies their payloads and has shifted from delivering ZLoader at the beginning of 2022, possibly in response to [disruption efforts against Zloader in April 2022](https://www.microsoft.com/en-us/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/)."_

### Zloader and BatLoader Infrastructure Overlap

During our research we identified domains tied to Zloader, BatLoader, or both, in public reports and malware repositories. In certain cases, the same contact information was used to register domains tied to Zloader command and control and to BatLoader. For example, seledka[.]prostokvash@rambler.ru registered multiple imposter sites and Zloader domains listed in [Microsoft's legal filing pertaining to their actions against Zloader](https://noticeofpleadings.com/zloader/files/Application%20for%20TRO/TRO%2004%20-%20Coy%20Decl%20ISO%20TRO%20and%20PI%20with%20Exs%201-11%20ISO%20TRO%20and%20PI.pdf). That same email and related contact name were used to register two BatLoader domains. Another example was abdel@info-electronics[.]com, which registered dozens of Zloader domains found in the aforementioned filing as well as datalystoy[.]com and websekir[.]com, both mentioned in early BatLoader reports from [Walmart](https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489) and [Mandiant](https://www.mandiant.com/resources/blog/seo-poisoning-batloader-atera). A sampling of these relationships is visualized in Figure 4.

_Figure 4 Zloader and BatLoader overlap visualized._

### "Afron" and BatLoader-as-a-Service

BatLoader has been advertised on the Exploit forum under the handle "Afron" since at least May 2022. Afron joined Exploit in February 2020, where they immediately began advertising a Pay-Per-Install scheme using the Fallout exploit kit (Figure 2). It's likely that Afron was active on Exploit and other forums under a different alias prior to this.

Unlike EugenLoader/FakeBat's vendor, Afron is seemingly more careful with their operational security, using unique IM accounts and pushing discussions to private messages as often as possible. They are also careful not to access the forums directly from their personal machine, once telling other forum members: _"I access the forum through a separate virtual machine, and it takes 10-15 minutes just to get everything up and running."_

Following the EK operation and prior to marketing BatLoader, Afron's activity on the forum was sparse, again leading us to believe they operate under multiple handles or forums and use the Afron handle primarily for advertising/networking on the Exploit forum. Afron's posts during this time revolved around seeking help from other forum members. In one request, they sought advice on stealing email contacts from infected machines for use in follow-on spam messages. In another, they requested a contact for Gozi malware so they could rent it. Finally, in a revealing post in August 2020, they requested advice for determining whether a "...bot resides on a large network" (i.e. a malware foothold in a corporate vs. home network).
Suggestions from other forum users included querying the ARP table (a technique that would find its way into present-day BatLoader) and using nltest ("you can try in the same powershell nltest /domain_trusts /all_trusts"), among other methods.

In March 2022, Afron attempted to market an early version of BatLoader under the name "DefeatDefenderLoader." The post, titled "[АРЕНДА] Приватный не резидентный лоадер с обходом Windows SmartScreen-а и Windows дефендера" ("[RENTAL] Private non-resident loader with bypass of Windows SmartScreen and Windows Defender"), has since been removed from the forum, but it describes launching an .exe/.dll with admin privileges using MSI installer packages (the full translated text can be found in the Appendix at the end of this report). The post begins with an admission that their prior work with exploit kits wasn't fruitful:

_We've been in this field for over a year. Initially, we worked with bundles, but since that's no longer relevant, we created our own loader._

The post largely mirrors that of the May thread described below but offers a Telegram channel, https://t[.]me/DefeatDefenderLoader, as a point of contact.

### BatLoader-as-a-Service

BatLoader has been advertised on the Exploit forum since May 2022, with continuous updates over time. For clarity, translated excerpts from the post and the subsequent discussion thread on Exploit are provided below. Screenshots of the advertisement follow, and the full translated text can be found in the appendix.

_Figure 5 Part 1 of Afron's BatLoader Rental Post, Captured September 2023. See Appendix for Translated Text._

_Figure 6 Part 2 of Afron's BatLoader Rental Post, Captured September 2023. See Appendix for Translated Text._

The initial offering included the following:

_I'm offering for rent:_
_1. Loader with bypass for Google Alerts/SmartScreen/Windows Defender._
_2. Bot with form grabbing/injection/Hide-VNC/socks/cookies/Stealer modules._
_The rental cost includes everything:_
_* Servers for the admin panel._
_* Proxy server for proxying requests._
_* Backup domains._
_* Crypt._

As of September 2023, the offer includes both a non-persistent and a persistent loader along with the DanaBot banking trojan:

_I offer for rent:_
_1. Non-resident loader for Google/Bing Ads with bypassing Google Alerts/Smart Screen/Windows Defender. (We are the authors)_
_2. Resident loader (referred to as "anchor") for corporate networks (We are the authors)_
_3. DanaBot banking trojan, software author is JimmBee._

Afron claims the loader is always signed and loads specific payloads based on whether the infected machine resides on a corporate network:

- _The loader is always signed with a valid EV certificate (no one else offers this on the forum)._
- _Finally, there is full detection of corporate networks on the loader (the payload is unloaded based on this)._

The code signing certificates are likely acquired from other users/service providers on the forum, such as "arbadakarba2000", whom Afron vouched for at one point in a separate thread.

#### Variable Payloads

The custom load behavior is further explained in the offer:

_Different payloads are delivered depending on the network structure:_
_1. User network:_
- _Loading one or several payloads._
_2. Corporate network:_
- _Loading payloads only if the machine is in a domain._
- _The machine name must not match the Domain parameter._
- _ARP table contains 3+ records (parameter can be adjusted) with addresses of local subnets (192.168., 10., 172.)._
- _The domain must not be equal to WORKGROUP._

[This logic matches our analysis from the fall of 2022](https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader). In that analysis, these checks were used to load variable GPG-encrypted payloads: Ursnif/Vidar, Syncro RMM and Cobalt Strike.
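To make the operator's corporate-network conditions concrete, the following Python is an added example written for this report; it is not BatLoader's code and not an eSentire tool. It reproduces the four advertised checks over constructed inputs: the `arp -a` listings and host/domain values are made up for the example, and the `Domain` parameter and the adjustable ARP threshold are modelled as plain function arguments because the page gives only their semantics, not how the loader names them. The quoted "172." prefix is looser than RFC 1918's 172.16.0.0/12; the code follows the quoted behaviour and notes the difference.

```python
"""Reproduce BatLoader's advertised "corporate network" heuristic.

Added example for this report; not BatLoader's or eSentire's code. The
four conditions come from the Exploit advertisement quoted above; the
ARP threshold is the "parameter can be adjusted" knob from that post.
"""
import re
from dataclasses import dataclass, field

# Prefixes exactly as quoted in the advertisement. Note: "172." is
# broader than the RFC 1918 block 172.16.0.0/12, so a public address
# such as 172.217.x.x would also be counted by the operator's check.
LOCAL_PREFIXES = ("192.168.", "10.", "172.")

# Matches the address column of `arp -a` output on Windows and the
# "(1.2.3.4)" form printed by arp -a on Linux/macOS.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


@dataclass
class HostProfile:
    machine_name: str          # e.g. $env:COMPUTERNAME
    domain: str                # e.g. Win32_ComputerSystem.Domain
    part_of_domain: bool       # Win32_ComputerSystem.PartOfDomain
    arp_output: str            # raw text of `arp -a`
    arp_threshold: int = 3     # "3+ records (parameter can be adjusted)"
    local_arp_entries: list = field(default_factory=list, init=False)


def parse_arp_addresses(arp_output: str) -> list:
    """Extract IPv4 neighbours from arp -a text, skipping the local
    interface line and broadcast/multicast entries that would inflate
    the count."""
    addrs = []
    for line in arp_output.splitlines():
        if line.strip().lower().startswith("interface:"):
            continue  # Windows prints the local NIC here, not a neighbour
        for ip in _IPV4.findall(line):
            first = int(ip.split(".")[0])
            if ip.endswith(".255") or 224 <= first <= 239:
                continue  # broadcast / multicast
            addrs.append(ip)
    return addrs


def is_corporate_network(host: HostProfile) -> bool:
    """Apply the four advertised conditions; all must hold."""
    host.local_arp_entries = [
        ip for ip in parse_arp_addresses(host.arp_output)
        if ip.startswith(LOCAL_PREFIXES)
    ]
    in_domain = host.part_of_domain                                       # 1
    name_differs = host.machine_name.lower() != host.domain.lower()       # 2
    enough_neighbours = len(host.local_arp_entries) >= host.arp_threshold  # 3
    not_workgroup = host.domain.upper() != "WORKGROUP"                    # 4
    return in_domain and name_differs and enough_neighbours and not_workgroup


# --- constructed sample inputs (not captured from a real host) ---
CORP_ARP = """Interface: 10.20.30.41 --- 0xc
  Internet Address      Physical Address      Type
  10.20.30.1            00-11-22-33-44-01     dynamic
  10.20.30.12           00-11-22-33-44-02     dynamic
  10.20.30.57           00-11-22-33-44-03     dynamic
  10.20.30.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
HOME_ARP = """Interface: 192.168.1.7 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

CORP_HOST = HostProfile("WS-0421", "corp.example.local", True, CORP_ARP)
HOME_HOST = HostProfile("DESKTOP-7H3K", "WORKGROUP", False, HOME_ARP)

if __name__ == "__main__":
    for h in (CORP_HOST, HOME_HOST):
        verdict = "corporate" if is_corporate_network(h) else "user"
        print(f"{h.machine_name}: {verdict} ({len(h.local_arp_entries)} local ARP entries)")
```

The practical use is on the defensive side: a detonation sandbox that reports WORKGROUP, has a hostname equal to its domain, or shows fewer than three RFC 1918 ARP neighbours will never be served the corporate payload, so analysis environments meant to observe stage two should satisfy all four conditions.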
In January 2022 (prior to marketing the loader on Exploit), [reported payloads using this scheme were Atera Agent, Gozi or Zloader, and Cobalt Strike](https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489).

_Figure 7 Variable payload logic, from https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader_

#### Price

The price to rent the loader has varied over time. Initially it was rented for around $4,000 per month for just the loader. In July 2022, Afron introduced a $5,000 monthly package consisting of a bot which _"...includes Hidden VNC, support for web injects, a stealer from all popular browsers (Chrome, Firefox, Edge), a form grabber, and an embedded loader"_. Afron claims that customers are _"...making hundreds of thousands of dollars with us"_. As of September 2023, the payment model involves depositing $3,000 as a goodwill gesture, after which a profit-sharing model is negotiated privately.

#### Malvertising Vector

BatLoader is marketed primarily as a loader to be distributed using search advertisements such as Google Ads:

_The surfer searches and finds your advertisement, clicks, lands on the White Page, passes all checks, and your cloaker displays the Black Page on which the surfer downloads the loader._

Afron is clear initially that the onus is on the renter to provide their own landing page and drive traffic to it. They go a step further and ensure the MSI installer matches the ad lure used by the operator:

_The loader is tailored individually for each tenant, meaning I perform a complete installation of donor software. In the end, the surfer receives what they came for, whether it's the Brave browser, Zoom, or some lesser-known PDF Reader._

The overhead caused by payload customization and code signing certificates is one reason why Afron is selective about who gets access to the loader, at one point posting: _"Right now, there's one spot available - all others are in line, with a wait of 1-2 months for their spot"_. Additionally, load throughput is raised and lowered from upwards of 1,000 loads per day to as low as 50.

Due to demand, Afron began offering landing pages in August 2022:

_We have our own landing pages now - already have about 10-15 for all popular software. We'll share them!_

Initially, it's not clear if this is a free add-on. This is later clarified to be a paid option in an update to the post's FAQ section:

_Do you provide Landing Pages?_
- _Yes, this service is paid separately._

#### MSI/MSIX Installer Files

As we've covered in [various blogs on BatLoader](https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif), the primary execution method uses installer files to launch Batch, PowerShell and Python scripts. In July 2023, Afron announced that they would be moving to MSIX, a relatively new installer file type:

_Now we use a sleek installer, MSIX, just like the Microsoft Store._

This follows the jump to MSIX by EugenLoader/FakeBat some months earlier, which we documented in [several blog posts in May and August 2023](https://www.esentire.com/blog/batloader-impersonates-midjourney-chatgpt-in-drive-by-cyberattacks). Interestingly, Afron dropped MSIX in late August 2023 due to lack of success with the format:

_We no longer offer .msix as there won't be any conversion on corporate machines._

#### BatLoader's Panel

BatLoader's panel is relatively straightforward and includes the victim IP, country, operating system, status of the bot, installation status and comments.
_Figure 8 BatLoader Admin Panel, retrieved from Exploit forum._

As a final note, it's apparent that Afron (and possibly others on his team) have access to logs from all tenants. Responding to such an allegation in February 2023, Afron says: _"...this is a rental, not a sale of software to you"_.

### FakeBat/EugenLoader

As stated at the beginning of this report, BatLoader is often mistaken for another MSI loader operation known as "FakeBat" or EugenLoader. FakeBat is marketed using the handle "Eugenfest" on the Exploit hacker forum. The loader was also advertised on the XSS forum under the pseudonym "Payk_34".

#### Eugenfest's Background

Eugenfest's online activity can be traced to Russian-language carding and hacking forums dating back to 2017, under various aliases such as Festik, Payk_34 and M1rages (see appendix for list). The actor previously ran an eBay fraud shop at fest-bay[.]com, which was populated with stolen credentials obtained by brute force attacks against the service. Fest-Bay was promoted on various carding forums and Telegram channels (Figures 9 and 10).

_Figure 9 Eugenfest promoting Fest-Bay eBay shop on Telegram._

_Figure 10 Eugenfest promoting eBay shop on BHF (translated)._

Eugenfest's past projects relied on services from other users/providers. It is highly probable that web development for fest-bay[.]com was outsourced to Shopsn, a service offering ecommerce shop templates and hosting (Figure 11). eBay credentials were likely obtained for this shop using brute force tools sold by other members, such as the JKS tool in Figure 12 (Eugenfest admits to using the brute force tool but prefers an unnamed privately developed tool over it).

_Figure 11 Shopsn, used to create Fest-Bay._

_Figure 12 Cracked version of an eBay account brute force tool shared on Exploit Forum._

Eugenfest has also actively sought video game keys and related items using various pseudonyms on carding and hacking forums (Figure 13), dating back to 2018.
These keys were then sold on sites such as G2A or Kinguin for profit.

_Figure 13 Eugenfest promoting their game key service._

From 2019 onward, Eugenfest's post history on the BHF and Exploit forums indicates a shift towards malware deployment and selling stolen data. In July and August 2022, they can be seen asking for traffic/loading services and seeking to rent the [Matanbuchus loader](https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/) from BelialDemon on the Exploit forum. Notably, Eugenfest had praised Afron's loader (BatLoader) in August 2022, implying they were using it months before launching a similar service:

_What can I say about this tool? It's absolutely amazing, with some mind-blowing software. It performs its function at 999%, bypassing Google Defender, and the callback is incredible._

Coincidentally, during this time, Eugenfest's post history suggests they were actively abusing Google advertisements. In September 2022, they replied to an ad fraud Q&A thread asking for help:

_Hello everyone, does anyone know what's currently happening with Google? All the loopholes have been patched up, and I've tried many different approaches. I'm launching with VNC, and the trust can't go any higher. It keeps giving me a suspended business practice or unpaid. I'm ready to buy information on launching through the forum's guarantor with 3 proofs of successful launches._

The loophole referenced above refers to abusing free ad credits on new accounts, a common scheme used for pushing malicious ads. The timing of Eugenfest's endorsement of BatLoader and comments on Google Ads suggests they were an active BatLoader user prior to marketing a competing service on Exploit.

### FakeBat-as-a-Service

Eugenfest first marketed their loader in December 2022 and currently offers either an unsigned MSI loader for $2,500 per month or a signed MSIX loader for $4,000 per month.

_Figure 14 Eugenfest's post promoting FakeBat loader in December 2022. A full translation of the post can be found in the appendix._

The capabilities and advertised price closely match those of Afron's loader (BatLoader), including working with customers to ensure payloads match malvertising themes. Additional services, including payload delivery, are negotiable for a minimum of $3,000 on top of the cost of the loader. FakeBat provides several points of contact for renting and support:

_Tox ID for Admin: 0BF0BA66030916F61BB7D9E954FB98A8F973DB6531F18EB6CEE006D7E275B906BC58EB71F358_
_Tox ID for Support: 7CB85C41D6E3FC9602FB8D79B955820AC4EEF41F29F2177B9750C129935F216FE0573DA8899F_
_Telegram Admin: hxxps://t[.]me/payk_work_
_Telegram Support: hxxps://t[.]me/spektr234_

_Figure 15 Several Telegram handles linked in Eugenfest's FakeBat post._

On September 6, 2023, a Telegram channel was created to communicate changes to the loader (the channel had 36 members as of September 14, 2023):

_Figure 16 Snapshot of FakeBat Telegram channel._

#### FakeBat's Admin Panel

Like BatLoader's, FakeBat's admin panel contains a basic table with victim information, installation status, installed antivirus and a text box for comments (Figure 17).

_Figure 17 Primary FakeBat admin panel._

It also includes a statistics window for viewing infection rates (Figure 18), changing payload links (Figure 19) and modifying the builds and panel protections (Figure 20).

_Figure 18 FakeBat includes a statistic diagram showing victim percentages._

_Figure 19 Configuration window to update payload links. The blurred column contains the themes used (Zoom, Anydesk etc). This ensures the payload matches the ad theme used._

_Figure 20 Build and panel configuration._

As is the case with BatLoader, it is highly probable that FakeBat's operators have access to data across their customer tenants.

#### FakeBat Infrastructure

FakeBat's imposter pages and panels have historically been registered using Namecheap, NameSilo and r01.ru.
Imposter pages typically contain a lookalike name and the .software gTLD (e.g. any-desk[.]software). FakeBat panels typically contain the strings "ads", "job", "adv" and "panel". Panels are hosted on .site and .ru TLDs (rarely .xyz as well).

The email address johnbolton778@proton[.]me, which we associate with medium confidence with Eugenfest, was used to register the domain ads-check[.]com on November 22, 2022 (see below). A similar name was seen tied to domains in mid to late 2023.

```
Domain name: ads-check[.]com
Registry Domain ID: 2740094228_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-11-22T11:35:18.00Z
Registrar Registration Expiration Date: 2023-11-22T11:35:18.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.9854014545
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID:
Registrant Name: Private Person
Registrant Organization: Ads_CHECKLLC
Registrant Street: th 12
Registrant City: New York
Registrant State/Province: NY
Registrant Postal Code: 30012
Registrant Country: US
Registrant Phone: +1.6823653636
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: johnbolton778@proton[.]me
```

The WHOIS record also ties the domain to the company "Ads_CHECKLLC", which was used to register [at least 34 domains between November 2022 and February 2023](https://www.whoxy.com/company/59143234). These include panels and imposter pages for software impersonated in malvertisements.
- ads-check[.]com
- down[.]software
- awesome-miner[.]software
- winrar[.]software
- qtorrent[.]software
- ccleaner[.]software
- mail-client[.]software
- lightshot[.]software
- top-wallet[.]software
- pdf-tools[.]software
- rufus-download[.]software
- downloaders[.]software
- any-desk[.]software
- down1[.]software
- download1[.]software
- tor-browser[.]software
- vlc-media[.]software
- adscheck[.]net
- rar-lab[.]software
- filezilla[.]space
- torrent-tools[.]software
- notepad-editor[.]software
- aimp[.]software
- kmplayer[.]software
- archiver-7zip[.]software
- awesome-project[.]software
- extremebot[.]software
- trading-terminal[.]software
- heartcores[.]net
- digmefitness[.]net
- psyclelondon[.]net
- terminal-trading[.]software
- id-cpu[.]software
- download-rufus[.]software

#### Code Signing Certificate Acquisition and Collaboration with Other Actors

Like Afron, Eugenfest likely acquires code signing certificates from other vendors on Exploit/XSS. Under the Payk_34 handle they can be seen vouching for a vendor by offering a screenshot of their transaction on the XSS forum's escrow service.

_Figure 21 Eugenfest/Payk_34 vouched for an EV certificate provider on XSS forum. They provided a screenshot from the forum's escrow service as evidence that they had previously purchased a certificate._

Another service provider likely collaborating with Eugenfest is "Balamut Service", who provides code signing certificates and web development, among other services.

_Figure 22 Overview of Balamut Service Offerings._

On the web development front, they provide web pages for phishing, anti-crawler measures and assistance with pushing malicious ads through Google.

_Figure 23 Web Development Description. Translation inserted for clarity._

#### FakeBat November 2023 Update

In November 2023, FakeBat operators posted an update to their Telegram channel (Figure 24).
_Figure 24 November 2023 update in FakeBat Telegram channel._

The message translates to:

_Landing pages can now be proxied and also set up on Cloudflare (Transmitted data does not get corrupted)._
_A new method of file delivery bypassing the browser has been added. When you click the button, the AppInstaller opens immediately, and the MSIX package downloads into it, bypassing the browser._
_This technology has only one downside: some revisions of Windows 10 cannot be installed this way._
_Tests have shown a drop in conversion from 52% to 48%, but again, much depends on the offer._
_Available only to those who purchase for a month._
_Video - https://www.veed.io/view/c80e52dc-7668-4690-86ef-c0f689ca2264_
_Four-stage protection of the files themselves has been added:_
_Landing pages now operate on Cloudflare._
_Malicious code is not stored in the loader file._
_To get the code, there is a check by IP in the database._
_There is a check by User Agent (which is manually specified and embedded in the file, AV can obsess over the link from which the malicious code is taken endlessly, but it will be useless)._
_Launch is possible only with the status "Downloaded."_
_99% of bots are put to rest._
_A New Year's theme has been added._
_All updates to current clients will be rolled out gradually._
_PS Only MSIX is available, we can accept new clients only in about 5-6 days_

Information from the video clip was traced to multiple FakeBat PowerShell scripts uploaded to VirusTotal in November 2023.

_Figure 25 VirusTotal Results_

Examining one of these scripts (mypackage_cloud.ps1, MD5 4bb29818c628e7b2756fbfe83f62ce4e), we see the common FakeBat structure for retrieving encrypted payloads and disabling defenses.

_Figure 26 FakeBat November 2023 PowerShell script._

1. FakeBat has been observed to consistently use the $LoadDomen variable.
2. The check-in URL structure with the C2 remains the same: `$LoadDomen/?status=start&av=$Names&domain=$domain&os=$urlEncodedOsCaption`.
3. New antibot function: if the response from the C2 is “404 HTTP Error”, the script exits. This means the server checks whether the user’s IP and user-agent are recorded in the panel with the status “Downloaded” (the user visited the malicious page and downloaded the MSIX installer). If the user’s IP is not in the panel, the PowerShell script exits.
4. The “putin” password decrypts the GPG-encrypted file. Previously, FakeBat threat actor(s) used “putingod” as the password.

The 3010cars[.]xyz domain closely matches the one provided in the sample video on their Telegram (3010cars[.]site). Both domains were registered by the company “John Bolton”, a pseudonym we’ve linked to FakeBat. We identified approximately 36 domains tied to this pseudonym between September and November 2023. The full list can be found in the appendix.

Further analysis of the November 2023 payload reveals the use of the IDAT loader technique previously observed [by a threat tracked as ClearFake, including use of DLL side-loading, Process Doppelgänging, and Heaven’s Gate techniques](https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/). Examining the contents of mypackage.tar found in Figure 26, we immediately notice an encrypted file with an IDAT header (Figure 27 below).

_Figure 27 Contents of mypackage.tar_

Examining the accompanying Cl.dll file, it iterates over the IDAT headers until the tag is found, then takes the 4 bytes after the tag and XORs them with the data starting at byte 14. After XOR-ing the data, the payload is decompressed to reveal the second stage, a file which includes a configuration and an encrypted final payload written to %TEMP%. The configuration contains the persistence location, the process for the final payload to be injected into, etc.
_Figure 28 Configuration File_

In this case the final payload was SektopRAT, also known as ArechClient2 (MD5: 025677d90ec6b21aa1be9a8f14642b26). In more recent cases, FakeBat was seen dropping both SektopRAT and RisePro stealer. While there appear to be similarities with the IDAT loader used in ClearFake campaigns, we do not attribute them to the same actor. It’s likely that either FakeBat or their customer(s) copied or acquired tooling to create payloads using this loader. We don’t see overlap in distribution (ClearFake uses fake browser updates, FakeBat fake software via ads), infrastructure or payloads between the two campaigns.

### A Brief Comparison Between BatLoader and FakeBat

It is probable that Eugenfest, as an initial customer of Afron’s loader, was heavily inspired by the operation and sought to replicate it. Their past activity suggests they likely outsourced or are working with other actors to develop and maintain the admin panel and loader functionality and, like Afron, maintain access to backend data from their panels. Despite the similarities, there are some differences with respect to code execution, script structure and C2 format, which are summarized below.

**BatLoader**

- C2 format: /index//?servername=msi (e.g. d8uuw6/index/b1/?servername=msi)
- Uses MSI CustomAction to execute PowerShell/Batch/Python scripts
- Host fingerprinting (domain name, computer name, ARP) and custom payload logic during initial launch
- [Uses Pyarmor to obfuscate Python script (since February 2023)](https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif)

**FakeBat**

- C2 format: /?status=[start|install] (e.g. /?status=start)
- Uses MSI CustomAction to execute PowerShell/Batch scripts
- Not observed using Python scripts
- Unsigned MSI files, signed MSIX
- IDAT Loader
- Some payloads encrypted during transit

_Figure 29 Comparison between BatLoader (left) and FakeBat (right) loaders._

### Security Recommendations to Protect Against the BatLoader and FakeBat MaaS

- Organizations need to start including browser-based attacks, including those that use malicious advertisements, in Phishing and Security Awareness Training (PSAT). Browser-based attacks are increasingly leading to hands-on ransomware intrusions and to infostealer infections that enable ransomware intrusions later.
- Make sure you are implementing attack surface reduction rules for script files such as .js and .vbs, but keep in mind that when these attacks arrive in .ISO files, the “Mark of the Web” is lost, so Attack Surface Reduction rules won’t recognize the files as having come from the Internet.
- Employ endpoint monitoring to ensure you can catch malicious execution when social engineering attacks bypass user scrutiny, and make sure that endpoint coverage is fully comprehensive.
- Employ logging to ensure you are capturing telemetry, especially for devices and services that don’t support an endpoint agent, including VPN, device enrollment, and server software for applications that don’t generate endpoint telemetry (such as Citrix, IIS, and cloud services).
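The two C2 check-in URL shapes from the comparison above, turned into detection logic that runs over proxy log lines. This is an added example, not code from the report or from either loader; the log line layout, hostnames and client addresses are constructed, and only the URL shapes (and the report's note that FakeBat's script exits on a 404 from the C2) come from the text.

```python
"""Flag BatLoader and FakeBat C2 check-ins in web proxy logs.

Added example, not code from the eSentire report or from either loader.
The URL shapes are the ones the report compares:
  BatLoader: .../index/<id>/?servername=msi   (e.g. d8uuw6/index/b1/?servername=msi)
  FakeBat:   /?status=start|install&av=<AV>&domain=<domain>&os=<OS caption>
The log line layout, hostnames and client addresses below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

FAKEBAT_STATUSES = {"start", "install"}
FAKEBAT_FINGERPRINT = {"av", "domain", "os"}
BATLOADER_PATH = re.compile(r"/index/[^/]+/$")  # path ends in /index/<id>/

# Constructed layout: timestamp client process method url response_code
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<code>\d{3})$"
)


@dataclass
class Detection:
    family: str
    confidence: str  # "high" or "medium"
    client: str
    url: str
    note: str
    fingerprint: Dict[str, str] = field(default_factory=dict)


def refang(url: str) -> str:
    """Turn defanged indicators such as host[.]tld and hxxp back into parseable URLs."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def classify_url(url: str) -> Optional[Tuple[str, str, str, Dict[str, str]]]:
    """Return (family, confidence, note, fingerprint) for a loader check-in, else None."""
    parts = urlsplit(refang(url))
    qs = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}

    # BatLoader: servername=msi on a path of the form .../index/<id>/
    if qs.get("servername") == "msi" and BATLOADER_PATH.search(parts.path):
        return "BatLoader", "high", "servername=msi under /index/<id>/", {}

    # FakeBat: root path with status=start|install. The av/domain/os host
    # fingerprint raises confidence; a bare status parameter alone is weaker.
    status = qs.get("status")
    if parts.path in ("", "/") and status in FAKEBAT_STATUSES:
        fp = {k: qs[k] for k in FAKEBAT_FINGERPRINT if k in qs}
        confidence = "high" if FAKEBAT_FINGERPRINT.issubset(fp) else "medium"
        return "FakeBat", confidence, f"status={status} check-in", fp
    return None


def scan_log(lines: List[str]) -> List[Detection]:
    """Run classify_url over proxy log lines and collect detections."""
    hits: List[Detection] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        result = classify_url(m["url"])
        if result is None:
            continue
        family, confidence, note, fp = result
        # The report notes the FakeBat script exits when the C2 answers 404 for a host
        # not registered in the panel: a 404 still means the script ran on the client.
        if family == "FakeBat" and m["code"] == "404":
            note += "; C2 answered 404 (panel anti-bot check), script still executed"
        hits.append(Detection(family, confidence, m["client"], m["url"], note, fp))
    return hits


# Constructed sample log: only the two loader URL shapes are taken from the report.
SAMPLE_LOG = [
    "2023-11-20T10:15:02Z 10.0.0.5 powershell.exe GET "
    "http://c2.example[.]test/?status=start&av=Windows%20Defender&domain=CORP"
    "&os=Microsoft%20Windows%2010%20Pro 404",
    "2023-11-20T10:15:09Z 10.0.0.5 powershell.exe GET "
    "http://c2.example[.]test/?status=install 200",
    "2023-11-20T10:16:30Z 10.0.0.7 msiexec.exe GET "
    "http://loader.example[.]test/d8uuw6/index/b1/?servername=msi 200",
    "2023-11-20T10:17:00Z 10.0.0.9 chrome.exe GET "
    "https://www.example[.]test/index.html?status=start 200",
]

if __name__ == "__main__":
    for d in scan_log(SAMPLE_LOG):
        print(f"{d.family:<9} {d.confidence:<6} {d.client:<9} {d.note} {d.fingerprint}")
```

A 404 from the C2 is treated as a hit rather than a miss because, per the report, the server answers 404 to hosts it has not recorded as "Downloaded"; the script still executed on the client, which is the event worth triaging.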
[If you’re not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business.](https://www.esentire.com/what-we-do/esentire-managed-detection-and-response) To learn more, [connect with an eSentire Security Specialist.](https://www.esentire.com/get-started)

For additional information on BatLoader and FakeBat, please see our malware analysis and other reports on both threats:

- [https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader](https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader)
- [https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif](https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif)
- [https://www.esentire.com/blog/fakebat-impersonates-midjourney-chatgpt-in-drive-by-cyberattacks](https://www.esentire.com/blog/fakebat-impersonates-midjourney-chatgpt-in-drive-by-cyberattacks)

## APPENDIX A: Translated Forum Posts for BatLoader and FakeBat

### Afron’s First Exploit Post (translated), Offering Fallout EK Installs

_Installation of your software._
_Good day._
_I offer services for installing your software worldwide (Exception - Russian Federation, Kazakhstan, Belarus, Ukraine)._
_You can find countries like Saint Kitts and Nevis, Liechtenstein, Andorra, and other small countries, principalities, states with me._
_Service Rules:_
_I do not provide refunds. Exception - After the agreed installation start date, 3 days have passed, and there are no statistics of pairs and triples of installations._
_Traffic stop is possible for orders of 1000 installations or more.
Please check the functionality of your FUD (Fully Undetected) file in advance._
_When ordering traffic of 1000 installations or more, 1 traffic stop of up to 6 hours is possible for every 1000 installations. For example, for an order of 3000 installations, 3 traffic stops are possible, each not more than 6 hours, or you can use all 3 stops at once for 18 hours (6 hours * 3 stops = 18 hours)._
_I reserve the right to refuse service to any potential customer without providing reasons._
_By paying for installations, you automatically agree to my rules._
_Frequently Asked Questions:_
_Question: Traffic source?_
_Answer: Exchanges._
_Question: What statistics are installations counted by?_
_Answer: Installations are counted based on the Fallout exploit bundle statistics._
_Question: Minimum order?_
_Answer: 200 installations._
_Question: How quickly will my order be executed?_
_Answer: It depends on your country, discussed in JABBER._
_Question: Why is there no refund, and what if I'm not satisfied with the quality of the loads? You sell loads at a markup!_
_Answer: The traffic goes to a bundle, and the bundle only installs your file. I don't use a loader, so this is a guarantee that I sell installations only to one party. Therefore, there is NO refund!_
_Question: Bro, my file doesn't call home. The bundle fakes the load statistics no worse than Picasso. I just checked the crypt; I have outbound traffic on my wallet. Are you here to work or rip people off?_
_Answer: Your file may not call home because it doesn't have a way out of the low integrity level.
In this case, you need to use a loader to install your software._
_Prices for 1000 installations of your software._
_America:_
_United States of America: $1000_
_Canada: $1000_
_Mexico: $800_
_Europe:_
_United Kingdom: $1000_
_Germany: $800_
_Austria: $800_
_Ireland: $800_
_Netherlands: $700_
_France: $700_
_Italy: $700_
_Spain: $700_
_Poland: $700_
_Oceania:_
_Australia: $1000_
_Asia:_
_Japan: $1000_
_Indonesia: $800_
_Philippines: $800_
_Turkey: $700_
_Israel: $700_
_Contact:_
_000911000@nologs[.]club_
_000911000@xmpp[.]jp_
_000911000@0nl1ne[.]at_
_P.S. I answer questions in Jabber (OTR), the top is only for reviews._
_PP.SS. I'm waiting for the deposit details from support@exploit[.]in in the escrow._

### Exploit Forum Post for DefeatDefenderLoader

Posted: 3/12/2022. Retrieved: 2022.

_We've been in this field for over a year. Initially, we worked with bundles, but since that's no longer relevant, we created our own loader. We've been using it for over a year and decided to bring it to the market._
_Brief description of functionality:_
_Launching exe/dll with administrator or system privileges._
_Full bypass of Windows Defender._
_No alerts from SmartScreen - the loader is trusted._
_Full bypass of Chrome, even if the user has maximum security settings._
_Delivering different payloads if a corporate network is detected on the system._
_The loader is provided in the form of a silent installer in MSI format._
_The loader works on Windows 10-11 systems._
_We are also developing our own bot with hidden functionality and many other features. We can provide a trial and usage details (contact us for more information)._
_The loader is intended for use with landing pages. Sending spam is strictly prohibited. For spam purposes, create a landing page where your people from the spam will visit, and then I will allow it._
_The rental cost is $4500 per month.
I'm willing to accommodate people if you encounter launch problems and need an extension of the rental for free._
_I agree to use an escrow service for the transaction, and the buyer will cover the fees._
_Contact Information:_
_Telegram: https://t[.]me/DefeatDefenderLoader_

### Exploit Forum Post for BatLoader

Posted: 5/13/2022. Retrieved: 2022.

_[RENT] Bank-Bot HVNC/Socks/Stealer/Injection/FormGrabber + Loader with bypass for Google Alerts/SmartScreen/Windows Defender._
_Good day,_
_I'm offering for rent:_
_1. Loader with bypass for Google Alerts/SmartScreen/Windows Defender._
_2. Bot with form grabbing/injection/Hide-VNC/socks/cookies/Stealer modules._
_The rental cost includes everything:_
_* Servers for the admin panel._
_* Proxy server for proxying requests._
_* Backup domains._
_* Crypt._
_Now the loader starts without the UAC prompt. Finally, the loader works with user privileges. We request admin privileges from the user at the very end. The payload will be executed only if the user has admin privileges._
_From user privileges, there will be a callback to the admin panel. If the loader is stuck there, it means there are no admin privileges on the machine._
_We can load the payload on machines without admin privileges as well, but the price will be different._
_- The loader is always signed with a valid EV certificate (no one else offers this on the forum)._
_- Finally, there is full detection of corporate networks on the loader (the payload is unloaded based on this)._
_- Loader conversion rate is up to 80% of those who download it._
_- Guaranteed functionality on Windows 10-11 systems._
_- Full bypass of Windows Defender, SmartScreen, and Chrome._
_- The loader finally works with user privileges without the UAC prompt._
_- The loader can load any payloads, starting from .EXE, .DLL, and ending with Powershell .ps scripts and Python .py scripts._
_- In conjunction with the loader, we provide a Bot (HVNC/Socks/Stealer/Injection/FormGrabber).
The bot's callback from the loader accounts for approximately 50%._
_- We add more than 20 exclusions to Windows Defender._
_The process of converting a surfer into a bot:_
_The surfer searches and finds your advertisement, clicks, lands on the White Page, passes all checks, and your cloaker displays the Black Page on which the surfer downloads the loader._
_The loader is tailored individually for each tenant, meaning I perform a complete installation of donor software. In the end, the surfer receives what they came for, whether it's the Brave browser, Zoom, or some lesser-known PDF Reader._
_Accordingly, along with the necessary software for the surfer, the Bank Bot is installed in their system. There is also the possibility to install the bot in parallel with your additional payload._
_Loader functionality for Google Ads:_
_* The loader works on Windows 10/11._
_* Launching exe/dll/msi with administrator or system privileges._
_* Full bypass of Windows Defender._
_* No alerts from SmartScreen (trusted loader)._
_* Full bypass of Google Chrome, even if the user has maximum security settings._
_* Different payloads are delivered depending on the network structure:_
_1. User network:_
_- Loading one or several payloads._
_2. Corporate network:_
_- Loading payloads only if the machine is in a domain._
_- The machine name must not match the Domain parameter._
_- ARP table contains 3+ records (parameter can be adjusted) with addresses of local subnets (192.168., 10., 172.)._
_- The domain must not be equal to WORKGROUP._
_Bank Bot functionality:_
_* The bot works on Windows 7/8/8.1/10/11._
_* Injection into Edge/FireFox/Chrome (the required injection format is ISFB)._
_* Form Grabber (real-time grabbing of forms from the browser)._
_* Stealer (stealing passwords from Chrome/Edge/Firefox)._
_* HVNC (Hidden VNC.
When you open a browser on the victim's machine, the user won't see anything) (Chrome, Firefox)._
_* Socks (setting up socks on the bot)._
_* Cookie (grabbing cookies from browsers)._
_Frequently Asked Questions:_
_* Is the loader resident?_
_- No. But it is possible to load multiple payloads._
_* Can the loader be rented for spam?_
_- No. The loader won't perform spam._
_* Is daily or weekly rental possible?_
_- No. I won't spend time on testers._
_* Do you provide a landing page?_
_- No. But I can give you some advice in this direction._
_* Is it necessary to encrypt the loader and bank bot?_
_- No. Encryption is included in the rental cost._
_* Do I need to rent a server for the loader/bank bot admin panel?_
_- No. The admin panel of the loader and bank bot is installed on my servers._
_* Do I need to buy domains to set up proxy servers to avoid abuse on the admin panel?_
_- No. I cover all expenses, servers, proxies, domains, and encryption._
_* What is the callback rate?_
_- Typically, it's around 50%. It depends on whether there are third-party AVs on the machine._
_* Is it possible to bypass other AVs?_
_- At the moment, it guarantees bypassing SmartScreen/Windows Defender._
_* What is the bot's lifespan in the system?_
_- Almost forever; the bot is added to the Windows Defender exclusion list. Scanning the system upon the user's request will also yield nothing. The claimed lifespan only applies to Windows Defender._
_* Is it possible to bypass "File is downloaded rarely, it may be malicious" in Google Chrome?_
_- Yes, this alert is bypassed by the loaders._
_Rental terms:_
_1. I accept payment either directly or through an escrow service._
_2. You verify the claimed functionality (48 hours for testing). During testing, loading traffic is PROHIBITED!
If everything claimed is present, you release the funds from the escrow, otherwise, you retrieve the money._
_Rental price:_
_* $4000 per month (4 weeks)._
_Contact:_
_* Send your Jabber or Tox contact in a private message. I do not use other messengers._
_P.S. I only respond to questions in Jabber or Tox._

### Exploit Forum Post for BatLoader, Updated – Retrieved 09/14/2023

_I offer for rent:_
_1. Non-resident loader for Google/Bing Ads with bypassing Google Alerts/Smart Screen/Windows Defender. (We are the authors)_
_2. Resident loader (referred to as "anchor") for corporate networks (We are the authors)_
_3. DanaBot banking trojan, software author is JimmBee._
_I offer work based on a percentage:_
_1. You transfer $3000 one-time (through the guarantee of this forum) to demonstrate the seriousness of your intentions._
_2. You get the opportunity to use everything I offer for rent, including the resident loader for corporate networks._
_3. Launch of the Payload with user/admin privileges._
_4. The terms of work for a percentage and the percentage itself are discussed individually with each interested party._
_The process of converting surfers into bots:_
_The surfer searches on a search engine, sees your advertisement, clicks on it, lands on a White Page, passes all checks. Your cloaker displays a Black Page, on which the surfer downloads the loader._
_The loader is customized individually for each tenant, i.e., I perform a full installation of the donor software. The surfer ultimately gets what they came for, whether it's the Brave browser, Zoom, or some lesser-known PDF Reader._
_After the loader is launched, it starts working with user privileges (only if you work for a percentage), then it requests admin privileges.
It detects the environment in which the loader was launched, whether it's a regular machine or a corporate network, and installs the Payload along with the desired software._
_Depending on the environment in which the loader is launched, it is possible to load completely different Payloads._
_For regular machines, I recommend loading the DanaBot banking trojan, and for corporate networks, my anchor (resident loader)._
_Do you have custom software? No problem, the loader can load it in parallel or only that software. Any whim, but at your expense._
_Functionality of the non-resident loader for Google/Bing Ads:_
_- The loader works on Windows 10/11._
_- Launches exe/dll/ps1/py with admin privileges (launch with user privileges is only possible when working for a percentage)._
_- Completely bypasses Windows Defender._
_- No Smart Screen alerts (the loader is signed with an EV certificate)._
_- Fully bypasses Google Chrome, even if the user has maximum security settings._
_- Provides different Payloads depending on the environment in which the loader is launched:_
_1. Regular machine:_
_- Loads one or more Payloads._
_2.
Corporate network:_
_- Loads Payload only if the machine is in a domain._
_- The machine name must not be equal to the Domain parameter._
_- The ARP table contains 3+ entries (parameter can be changed) with addresses of local subnets (192.168., 10., 172.)._
_- The domain must not be equal to WORKGROUP._
_Functionality of the resident loader for corporate networks:_
_- The loader works on Windows 10/11._
_- Launches exe/dll with user/admin privileges._
_Functionality of the DanaBot banking trojan:_
_- Works on Windows 7/8/8.1/10/11._
_- Injection._
_- Keylogger._
_- Formgrabber CH/ED/IE/FF/OP._
_- Stealer CH/ED/IE/FF/OP._
_- HVNC._
_- Socks._
_- Cookie._
_- And much more, read further in the DanaBot Banking Trojan thread._
_Frequently Asked Questions (loader/anchor):_
_- Is it possible to rent the loader for spamming?_
_- No, the loader won't work for spamming._
_- Is it possible to rent by the day/week?_
_- No, I won't spend time on testers._
_- Do you provide Landing Pages?_
_- Yes, this service is paid separately._
_- Do you need to crypt the loader/anchor?_
_- No, encryption is included in the rental price._
_- Do you need to rent a server for the loader/anchor admin panel?_
_- No, the admin panel for the loader/anchor is installed on my servers._
_- Do you need to buy domains to set up proxy servers to avoid abuse on the admin panel?_
_- No, I cover all expenses, servers, proxies, domains, encryption._
_- What's the payout percentage?_
_- Usually starts from 50%. It depends on whether there are third-party AVs on the machine._
_- Is it possible to bypass Google Chrome's "File is rarely downloaded, it may be malicious" alert?_
_- Yes, this alert is bypassed by the loader._
_Rental terms:_
_1. I accept payment either directly or through the guarantee of this forum (payment for the guarantee's services is at your expense)._
_2.
Payment is accepted only for the loader/anchor; payment for the DanaBot banking trojan is made directly to the author JimmBee, and you will receive the details only through PM._
_3. You verify the claimed functionality (48 hours for verification). During the verification, it is FORBIDDEN to load traffic!_

### Exploit Forum Post for Eugenfest’s FakeBat

Posted: 12/17/2022. Retrieved: 09/14/2023.

_Two versions of the loader are available for rent:_
_MSI:_
_Bypasses Google Alerts (if the domain is trusted)_
_Bypasses Windows Defender_
_Embeds exceptions for your malware in the defender_
_Protection against VirusTotal_
_Completely severs the connections between your malware and the loader; AVs do not detect the connections_
_File size ranges from 2-3 MB and beyond_
_Adapts to official software, meaning the software downloaded by the user, which is then installed on the system_
_Video with an example of operation: Video Link_
_Cons: You need to use an EV certificate to bypass SmartScreen, or you can warm up the file (your choice)_
_Paddings for the build are added_
_Pricing:_
_Monthly: $2500_
_Weekly: $1000_
_MSIX:_
_Bypasses Google Alerts by default_
_Protection against VirusTotal_
_Completely severs the connections between your malware and the loader; AVs do not detect the connections_
_File size ranges from 2-3 MB and beyond_
_Adapts to official software, meaning the software downloaded by the user, which is then installed on the system_
_Bypasses Microsoft SmartScreen by default_
_The file is signed with a valid certificate_
_Video with an example of operation: Video Link_
_Paddings for the build are added_
_Cons:_
_No possibility to embed exceptions for Windows Defender_
_Your malware needs to be better encrypted because the loader does not trigger Defender_
_Pricing:_
_Monthly: $4000_
_Weekly: $1500_
_Injecting admin privileges at startup to add exceptions for Defender (available for $300 as a separate service)_
_Meta stealer shows 85%+ success rate from
loader startup_
_Introduction of the project: checking for all possible alerts, setting up integration with the landing page, monitoring loader files and changing them as alerts appear, issuance on our side_
_Service pricing:_
_Varies depending on the complexity of the project, starting from $3000 and higher without considering the loader_
_Panel features:_
_Convenient web panel_
_Collects various data, including IP, country, OS, browser, landing page, installed antivirus_
_Statuses: Downloaded, Launched, Installed_
_Blacklist by countries_
_Blacklist by devices_
_Subscription time displayed on the main page_
_Easy on-the-fly build change from the admin panel_
_Added protection via API Key; you can turn off the build on the fly_
_API Key for the panel; you can't log in without it_
_Contact Information:_
_Tox ID for Admin:_
_0BF0BA66030916F61BB7D9E954FB98A8F973DB6531F18EB6CEE006D7E275B906BC58EB71F358_
_Tox ID for Support:_
_7CB85C41D6E3FC9602FB8D79B955820AC4EEF41F29F2177B9750C129935F216FE0573DA8899F_
_Telegram Admin: https://t[.]me/payk_work_
_Telegram Support: https://t[.]me/spektr234_
_Please verify the contacts, or it's better to verify through the forum's private messages._
_Disclaimer:_
_This software is provided "as is," without any warranties, express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement of rights. In no event shall the authors or copyright holders be liable for any claims, damages, or other liability, whether in an action of contract, tort, or otherwise, arising from, out of, or in connection with the software or the use or other dealings in the software._
_Users agree to use this software for educational purposes only. Any commercial use, abuse, or illegal use of the software is strictly prohibited.
Users are solely responsible for any consequences resulting from their use of this software._
_Users take full responsibility for using this software, including any negative consequences that may arise from its use._

## APPENDIX B: Handles Linked to Eugenfest

|Handle|Source|
|---|---|
|Payk_34|XSS Forum|
|Eugenfest|Exploit Forums|
|Eugenfest|Nexus.gg|
|Eugenfest|Lzt Market|
|Eugenfest|Carder UK Forums|
|@Eugenfestkey_bot|Telegram|
|@fest_bay_buy_bot|Telegram|
|Eugene Fest|BHF Forums|
|@payk_work|Telegram|
|@lola.cuferz|Vimeo|
|@wabowej290|Vimeo|
|festik|BHF Forums|
|festik|DarkMoney|
|festik|OpenCard|
|festik|BDF Forums|
|festik|Migalki|
|M1rages|WWH Club|
|M1rages|Blackbiz|
|M1rages|Carder PK|
|M1rages|Moon Forum|
|M1rages|Dublikat|
|M1rages|Bbiz|
|M1rages|Miped|
## APPENDIX C: Other Network Indicators

### Domains associated with Ads_CHECKLLC

### Domains associated with seledka[.]prostokvash@rambler[.]ru / Dlaoijs Uoksia

### Domains associated with abdel@info-electronics[.]com
|offer-zoom[.]com|abdel@info-electronics[.]com|14-Sep-21| |kyvxtkuvghffbnkyaoic[.]com|abdel@info-electronics[.]com|14-Sep-21| |clkbevpidcdpwomsusvi[.]com|abdel@info-electronics[.]com|13-Sep-21| |checksoftupdate[.]com|abdel@info-electronics[.]com|12-Sep-21| |egoeedkmacyfovdadiun[.]com|abdel@info-electronics[.]com|12-Sep-21| |qeuptaiipealjuhotxjw[.]com|abdel@info-electronics[.]com|11-Sep-21| |sntpxhoaeujkmavavarm[.]com|abdel@info-electronics[.]com|10-Sep-21| |zoomvideo-offer[.]com|abdel@info-electronics[.]com|9-Sep-21| |teamviewer-offer[.]com|abdel@info-electronics[.]com|9-Sep-21| |oxliukycgapnhwxckbbi[.]com|abdel@info-electronics[.]com|9-Sep-21| |bobskijonofnkhbnoyfr[.]com|abdel@info-electronics[.]com|8-Sep-21| |loiyvxttcdjbfjotkogw[.]com|abdel@info-electronics[.]com|31-Aug-21| |wktmdwltncxmttfxskip[.]com|abdel@info-electronics[.]com|29-Aug-21| |klbaccpoqquilwmyaxcy[.]com|abdel@info-electronics[.]com|25-Aug-21| |srnooqsyspcxjtwjeydg[.]com|abdel@info-electronics[.]com|24-Aug-21| |umyepsquetgehkloltov[.]com|abdel@info-electronics[.]com|23-Aug-21| |jvuhcxipuqbrierereqm[.]com|abdel@info-electronics[.]com|21-Aug-21| |tcfoywhpcoyompmnbpps[.]com|abdel@info-electronics[.]com|20-Aug-21| |pornhubpremiuma[.]com|abdel@info-electronics[.]com|11-Aug-21| |lmlrvvgxbcfxvyplnito[.]com|abdel@info-electronics[.]com|11-Aug-21| |pornostarspremiums[.]com|abdel@info-electronics[.]com|8-Aug-21| |cmhxwbkplijrlvswubai[.]com|abdel@info-electronics[.]com|4-Aug-21| |vauodyrnlktmtlqnjifk[.]com|abdel@info-electronics[.]com|9-Jul-21| vnpoteigytgnnpfcjfdf[.]com abdel@info-electronics[.]com 15-Sep-21 datalystoy[.]com abdel@info-electronics[.]com 14-Sep-21 offer-teamviewer[.]com abdel@info-electronics[.]com 14-Sep-21 offer-zoom[.]com abdel@info-electronics[.]com 14-Sep-21 kyvxtkuvghffbnkyaoic[.]com abdel@info-electronics[.]com 14-Sep-21 clkbevpidcdpwomsusvi[.]com abdel@info-electronics[.]com 13-Sep-21 checksoftupdate[.]com abdel@info-electronics[.]com 12-Sep-21 egoeedkmacyfovdadiun[.]com 
abdel@info-electronics[.]com 12-Sep-21 qeuptaiipealjuhotxjw[.]com abdel@info-electronics[.]com 11-Sep-21 sntpxhoaeujkmavavarm[.]com abdel@info-electronics[.]com 10-Sep-21 zoomvideo-offer[.]com abdel@info-electronics[.]com 9-Sep-21 teamviewer-offer[.]com abdel@info-electronics[.]com 9-Sep-21 oxliukycgapnhwxckbbi[.]com abdel@info-electronics[.]com 9-Sep-21 bobskijonofnkhbnoyfr[.]com abdel@info-electronics[.]com 8-Sep-21 loiyvxttcdjbfjotkogw[.]com abdel@info-electronics[.]com 31-Aug-21 wktmdwltncxmttfxskip[.]com abdel@info-electronics[.]com 29-Aug-21 klbaccpoqquilwmyaxcy[.]com abdel@info-electronics[.]com 25-Aug-21 srnooqsyspcxjtwjeydg[.]com abdel@info-electronics[.]com 24-Aug-21 umyepsquetgehkloltov[.]com abdel@info-electronics[.]com 23-Aug-21 jvuhcxipuqbrierereqm[.]com abdel@info-electronics[.]com 21-Aug-21 tcfoywhpcoyompmnbpps[.]com abdel@info-electronics[.]com 20-Aug-21 pornhubpremiuma[.]com abdel@info-electronics[.]com 11-Aug-21 lmlrvvgxbcfxvyplnito[.]com abdel@info-electronics[.]com 11-Aug-21 pornostarspremiums[.]com abdel@info-electronics[.]com 8-Aug-21 cmhxwbkplijrlvswubai[.]com abdel@info-electronics[.]com 4-Aug-21 vauodyrnlktmtlqnjifk[.]com abdel@info-electronics[.]com 9-Jul-21 ----- |websekir[.]com|abdel@info-electronics[.]com|7-Jul-21| |---|---|---| |ifnprhfyflwgthmewfnm[.]com|abdel@info-electronics[.]com|7-Jul-21| |fqnvtmqsbrrxrltbkpxn[.]com|abdel@info-electronics[.]com|5-Jul-21| |novgubfisdtbtdpdvseg[.]com|abdel@info-electronics[.]com|28-Jun-21| |iicyxgjntvhqqwawfury[.]com|abdel@info-electronics[.]com|27-Jun-21| |jtdxusbkrdkforusyisi[.]com|abdel@info-electronics[.]com|26-Jun-21| |xdnvxapnkomttrggytcb[.]com|abdel@info-electronics[.]com|25-Jun-21| |pornohabspremium[.]com|abdel@info-electronics[.]com|23-Jun-21| |ifbtkwenidpwcpidnuri[.]com|abdel@info-electronics[.]com|23-Jun-21| |hpvyrsupwexkdagpwipb[.]com|abdel@info-electronics[.]com|22-Jun-21| |mjjtncwnvemxhreqxpmq[.]com|abdel@info-electronics[.]com|21-Jun-21| 
|lmpvjicjvvfuyhefeohy[.]com|abdel@info-electronics[.]com|20-Jun-21| |syklkgebottfhusikojb[.]com|abdel@info-electronics[.]com|19-Jun-21| |ykcqxqltrjtnckeovymb[.]com|abdel@info-electronics[.]com|17-Jun-21| |bsaxotnpiaadlgapkmua[.]com|abdel@info-electronics[.]com|16-Jun-21| |ixtjopopsynvxsvbjvtj[.]com|abdel@info-electronics[.]com|14-Jun-21| |gdugytcwkepvykcqxpmu[.]com|abdel@info-electronics[.]com|13-Jun-21| |teejdhytvemagqdfalah[.]com|abdel@info-electronics[.]com|12-Jun-21| |qwernxwrilhvhnaeuikn[.]com|abdel@info-electronics[.]com|11-Jun-21| |tdfkntyofkrhcemrlphx[.]com|abdel@info-electronics[.]com|10-Jun-21| |xlvddtbgobmrrmmlirjl[.]com|abdel@info-electronics[.]com|9-Jun-21| |srwhpvikxwoxfmgotrje[.]com|abdel@info-electronics[.]com|6-Jun-21| |qwqnvhnqevofauhlolmv[.]com|abdel@info-electronics[.]com|5-Jun-21| |jkahgubfctyrtqjfgtto[.]com|abdel@info-electronics[.]com|4-Jun-21| |wmwubjmjjhrtngbtwkhg[.]com|abdel@info-electronics[.]com|3-Jun-21| |usmsmsmsvapiikmcrnup[.]com|abdel@info-electronics[.]com|2-Jun-21| websekir[.]com abdel@info-electronics[.]com 7-Jul-21 ifnprhfyflwgthmewfnm[.]com abdel@info-electronics[.]com 7-Jul-21 fqnvtmqsbrrxrltbkpxn[.]com abdel@info-electronics[.]com 5-Jul-21 novgubfisdtbtdpdvseg[.]com abdel@info-electronics[.]com 28-Jun-21 iicyxgjntvhqqwawfury[.]com abdel@info-electronics[.]com 27-Jun-21 jtdxusbkrdkforusyisi[.]com abdel@info-electronics[.]com 26-Jun-21 xdnvxapnkomttrggytcb[.]com abdel@info-electronics[.]com 25-Jun-21 pornohabspremium[.]com abdel@info-electronics[.]com 23-Jun-21 ifbtkwenidpwcpidnuri[.]com abdel@info-electronics[.]com 23-Jun-21 hpvyrsupwexkdagpwipb[.]com abdel@info-electronics[.]com 22-Jun-21 mjjtncwnvemxhreqxpmq[.]com abdel@info-electronics[.]com 21-Jun-21 lmpvjicjvvfuyhefeohy[.]com abdel@info-electronics[.]com 20-Jun-21 syklkgebottfhusikojb[.]com abdel@info-electronics[.]com 19-Jun-21 ykcqxqltrjtnckeovymb[.]com abdel@info-electronics[.]com 17-Jun-21 bsaxotnpiaadlgapkmua[.]com abdel@info-electronics[.]com 16-Jun-21 
ixtjopopsynvxsvbjvtj[.]com abdel@info-electronics[.]com 14-Jun-21 gdugytcwkepvykcqxpmu[.]com abdel@info-electronics[.]com 13-Jun-21 teejdhytvemagqdfalah[.]com abdel@info-electronics[.]com 12-Jun-21 qwernxwrilhvhnaeuikn[.]com abdel@info-electronics[.]com 11-Jun-21 tdfkntyofkrhcemrlphx[.]com abdel@info-electronics[.]com 10-Jun-21 xlvddtbgobmrrmmlirjl[.]com abdel@info-electronics[.]com 9-Jun-21 srwhpvikxwoxfmgotrje[.]com abdel@info-electronics[.]com 6-Jun-21 qwqnvhnqevofauhlolmv[.]com abdel@info-electronics[.]com 5-Jun-21 jkahgubfctyrtqjfgtto[.]com abdel@info-electronics[.]com 4-Jun-21 wmwubjmjjhrtngbtwkhg[.]com abdel@info-electronics[.]com 3-Jun-21 usmsmsmsvapiikmcrnup[.]com abdel@info-electronics[.]com 2-Jun-21 ----- |jealmlcfbufmqbqrauho[.]com|abdel@info-electronics[.]com|1-Jun-21| |---|---|---| |gjttxcfragwmworlsitr[.]com|abdel@info-electronics[.]com|31-May-21| |jeasbiecuybemhxksjjq[.]com|abdel@info-electronics[.]com|30-May-21| |bmesarsofaqpxnbtyyst[.]com|abdel@info-electronics[.]com|28-May-21| |nbomgpwekyvxtkumyesh[.]com|abdel@info-electronics[.]com|28-May-21| |rcoixeaaquuetirqsmhf[.]com|abdel@info-electronics[.]com|27-May-21| |ubfmagagaxiqdpwldfdv[.]com|abdel@info-electronics[.]com|24-May-21| |ilajsuyhbegomyqxckui[.]com|abdel@info-electronics[.]com|23-May-21| |tqvgouhfyydajdwewxuv[.]com|abdel@info-electronics[.]com|21-May-21| |rvpidccqxpmugpdnrqjf[.]com|abdel@info-electronics[.]com|20-May-21| |mbnyridtpvhnkhkpckhn[.]com|abdel@info-electronics[.]com|17-May-21| |jealmlcfbufmqwqnvymb[.]com|abdel@info-electronics[.]com|16-May-21| |husbbrkpvrqjomuyhdpd[.]com|abdel@info-electronics[.]com|15-May-21| |txjwlgkqcddbdwdfmawj[.]com|abdel@info-electronics[.]com|14-May-21| |qpspsdtevijlyxaaerug[.]com|abdel@info-electronics[.]com|13-May-21| |traffictrackerabj[.]com|abdel@info-electronics[.]com|12-May-21| |xlvddbpswohcbwxcosce[.]com|abdel@info-electronics[.]com|12-May-21| |cvrqiyjfuxfgbcnarxxl[.]com|abdel@info-electronics[.]com|11-May-21| 
|ptncgkjslowionfuavkf[.]com|abdel@info-electronics[.]com|10-May-21| |cbpeajewhmxbyhqxjqcs[.]com|abdel@info-electronics[.]com|9-May-21| |uhlrmxnbascpbupdhypl[.]com|abdel@info-electronics[.]com|7-May-21| |cpidyredfdshhkpymtqq[.]com|abdel@info-electronics[.]com|6-May-21| |wtrajutnmkgoxfdyhqcw[.]com|abdel@info-electronics[.]com|5-May-21| |gjusxadcucubsblcvhhk[.]com|abdel@info-electronics[.]com|3-May-21| |mjjtncwnvemxhreqxpmn[.]com|abdel@info-electronics[.]com|3-May-21| |cpidxonrihdjtwgbshwt[.]com|abdel@info-electronics[.]com|2-May-21| jealmlcfbufmqbqrauho[.]com abdel@info-electronics[.]com 1-Jun-21 gjttxcfragwmworlsitr[.]com abdel@info-electronics[.]com 31-May-21 jeasbiecuybemhxksjjq[.]com abdel@info-electronics[.]com 30-May-21 bmesarsofaqpxnbtyyst[.]com abdel@info-electronics[.]com 28-May-21 nbomgpwekyvxtkumyesh[.]com abdel@info-electronics[.]com 28-May-21 rcoixeaaquuetirqsmhf[.]com abdel@info-electronics[.]com 27-May-21 ubfmagagaxiqdpwldfdv[.]com abdel@info-electronics[.]com 24-May-21 ilajsuyhbegomyqxckui[.]com abdel@info-electronics[.]com 23-May-21 tqvgouhfyydajdwewxuv[.]com abdel@info-electronics[.]com 21-May-21 rvpidccqxpmugpdnrqjf[.]com abdel@info-electronics[.]com 20-May-21 mbnyridtpvhnkhkpckhn[.]com abdel@info-electronics[.]com 17-May-21 jealmlcfbufmqwqnvymb[.]com abdel@info-electronics[.]com 16-May-21 husbbrkpvrqjomuyhdpd[.]com abdel@info-electronics[.]com 15-May-21 txjwlgkqcddbdwdfmawj[.]com abdel@info-electronics[.]com 14-May-21 qpspsdtevijlyxaaerug[.]com abdel@info-electronics[.]com 13-May-21 traffictrackerabj[.]com abdel@info-electronics[.]com 12-May-21 xlvddbpswohcbwxcosce[.]com abdel@info-electronics[.]com 12-May-21 cvrqiyjfuxfgbcnarxxl[.]com abdel@info-electronics[.]com 11-May-21 ptncgkjslowionfuavkf[.]com abdel@info-electronics[.]com 10-May-21 cbpeajewhmxbyhqxjqcs[.]com abdel@info-electronics[.]com 9-May-21 uhlrmxnbascpbupdhypl[.]com abdel@info-electronics[.]com 7-May-21 cpidyredfdshhkpymtqq[.]com abdel@info-electronics[.]com 6-May-21 
wtrajutnmkgoxfdyhqcw[.]com abdel@info-electronics[.]com 5-May-21 gjusxadcucubsblcvhhk[.]com abdel@info-electronics[.]com 3-May-21 mjjtncwnvemxhreqxpmn[.]com abdel@info-electronics[.]com 3-May-21 cpidxonrihdjtwgbshwt[.]com abdel@info-electronics[.]com 2-May-21 ----- |pornohubpromo[.]site|abdel@info-electronics[.]com|27-Apr-21| |---|---|---| |hctvtvhndvfocyposuho[.]com|abdel@info-electronics[.]com|24-Mar-21| |erkjwcpuavgrgcrwsavg[.]com|abdel@info-electronics[.]com|17-Feb-21| |Domain|Registar|Created|Updated|Expiry| |---|---|---|---|---| |2311forget[.]xyz|NICENIC INTERNATIONAL GROUP CO., LIMITED|23-Nov-23|23-Nov-23|23-Nov-24| |2311foreign[.]xyz|NICENIC INTERNATIONAL GROUP CO., LIMITED|23-Nov-23|-|23-Nov-24| |3010cars[.]site|NICENIC INTERNATIONAL GROUP CO., LIMITED|30-Oct-23|4-Nov-23|30-Oct-24| |98762341tdgi[.]xyz|NICENIC INTERNATIONAL GROUP CO., LIMITED|6-Oct-23|11-Oct-23|6-Oct-24| |2311forget[.]site|NICENIC INTERNATIONAL GROUP CO., LIMITED|23-Nov-23|-|23-Nov-24| |2311forget[.]online|NICENIC INTERNATIONAL GROUP CO., LIMITED|23-Nov-23|-|23-Nov-24| |3010cars[.]xyz|NICENIC INTERNATIONAL GROUP CO., LIMITED|30-Oct-23|4-Nov-23|30-Oct-24| |3010offers[.]top|NICENIC INTERNATIONAL GROUP CO., LIMITED|30-Oct-23|30-Oct-23|30-Oct-24| |3010offers[.]xyz|NICENIC INTERNATIONAL GROUP CO., LIMITED|30-Oct-23|30-Oct-23|30-Oct-24| |3010offers[.]site|NICENIC INTERNATIONAL GROUP CO., LIMITED|30-Oct-23|-|30-Oct-24| |3010offers[.]online|NICENIC INTERNATIONAL GROUP CO., LIMITED|30-Oct-23|30-Oct-23|30-Oct-24| |3010cars[.]online|NICENIC INTERNATIONAL GROUP CO., LIMITED|30-Oct-23|-|30-Oct-24| |2610kjhsda[.]xyz|NICENIC INTERNATIONAL GROUP CO., LIMITED|26-Oct-23|26-Oct-23|26-Oct-24| |2610asdkj[.]xyz|NICENIC INTERNATIONAL GROUP CO., LIMITED|26-Oct-23|26-Oct-23|26-Oct-24| |2610kjhsda[.]top|NICENIC INTERNATIONAL GROUP CO., LIMITED|26-Oct-23|26-Oct-23|26-Oct-24| |2610asdkj[.]top|NICENIC INTERNATIONAL GROUP CO., LIMITED|26-Oct-23|26-Oct-23|26-Oct-24| |2610asdkj[.]site|NICENIC INTERNATIONAL GROUP CO., 
LIMITED|26-Oct-23|26-Oct-23|26-Oct-24| |2610kjhsda[.]site|NICENIC INTERNATIONAL GROUP CO., LIMITED|26-Oct-23|26-Oct-23|26-Oct-24| |2610kjhsda[.]online|NICENIC INTERNATIONAL GROUP CO., LIMITED|26-Oct-23|26-Oct-23|26-Oct-24| |2610asdkj[.]online|NICENIC INTERNATIONAL GROUP CO., LIMITED|26-Oct-23|26-Oct-23|26-Oct-24| pornohubpromo[.]site abdel@info-electronics[.]com 27-Apr-21 hctvtvhndvfocyposuho[.]com abdel@info-electronics[.]com 24-Mar-21 erkjwcpuavgrgcrwsavg[.]com abdel@info-electronics[.]com 17-Feb-21 ### Suspected FakeBat Domains Associated with “John Bolton” Pseudonym **Domain** **Registar** **Created** **Updated** **Expiry** 2311forget[.]xyz NICENIC INTERNATIONAL GROUP CO., LIMITED 23-Nov-23 23-Nov-23 23-Nov-24 2311foreign[.]xyz NICENIC INTERNATIONAL GROUP CO., LIMITED 23-Nov-23 - 23-Nov-24 3010cars[.]site NICENIC INTERNATIONAL GROUP CO., LIMITED 30-Oct-23 4-Nov-23 30-Oct-24 98762341tdgi[.]xyz NICENIC INTERNATIONAL GROUP CO., LIMITED 6-Oct-23 11-Oct-23 6-Oct-24 2311forget[.]site NICENIC INTERNATIONAL GROUP CO., LIMITED 23-Nov-23 - 23-Nov-24 2311forget[.]online NICENIC INTERNATIONAL GROUP CO., LIMITED 23-Nov-23 - 23-Nov-24 3010cars[.]xyz NICENIC INTERNATIONAL GROUP CO., LIMITED 30-Oct-23 4-Nov-23 30-Oct-24 3010offers[.]top NICENIC INTERNATIONAL GROUP CO., LIMITED 30-Oct-23 30-Oct-23 30-Oct-24 3010offers[.]xyz NICENIC INTERNATIONAL GROUP CO., LIMITED 30-Oct-23 30-Oct-23 30-Oct-24 3010offers[.]site NICENIC INTERNATIONAL GROUP CO., LIMITED 30-Oct-23 - 30-Oct-24 3010offers[.]online NICENIC INTERNATIONAL GROUP CO., LIMITED 30-Oct-23 30-Oct-23 30-Oct-24 3010cars[.]online NICENIC INTERNATIONAL GROUP CO., LIMITED 30-Oct-23 - 30-Oct-24 2610kjhsda[.]xyz NICENIC INTERNATIONAL GROUP CO., LIMITED 26-Oct-23 26-Oct-23 26-Oct-24 2610asdkj[.]xyz NICENIC INTERNATIONAL GROUP CO., LIMITED 26-Oct-23 26-Oct-23 26-Oct-24 2610kjhsda[.]top NICENIC INTERNATIONAL GROUP CO., LIMITED 26-Oct-23 26-Oct-23 26-Oct-24 2610asdkj[.]top NICENIC INTERNATIONAL GROUP CO., LIMITED 26-Oct-23 26-Oct-23 
26-Oct-24 2610asdkj[.]site NICENIC INTERNATIONAL GROUP CO., LIMITED 26-Oct-23 26-Oct-23 26-Oct-24 2610kjhsda[.]site NICENIC INTERNATIONAL GROUP CO., LIMITED 26-Oct-23 26-Oct-23 26-Oct-24 2610kjhsda[.]online NICENIC INTERNATIONAL GROUP CO., LIMITED 26-Oct-23 26-Oct-23 26-Oct-24 2610asdkj[.]online NICENIC INTERNATIONAL GROUP CO., LIMITED 26-Oct-23 26-Oct-23 26-Oct-24 ----- |11234jkhfkujhs[.]xyz|NICENIC INTERNATIONAL GROUP CO., LIMITED|19-Oct-23|19-Oct-23|19-Oct-24| |---|---|---|---|---| |11234jkhfkujhs[.]top|NICENIC INTERNATIONAL GROUP CO., LIMITED|19-Oct-23|19-Oct-23|19-Oct-24| |11234jkhfkujhs[.]site|NICENIC INTERNATIONAL GROUP CO., LIMITED|19-Oct-23|19-Oct-23|19-Oct-24| |11234jkhfkujhs[.]online|NICENIC INTERNATIONAL GROUP CO., LIMITED|19-Oct-23|19-Oct-23|19-Oct-24| |98762341tdgi[.]site|NICENIC INTERNATIONAL GROUP CO., LIMITED|6-Oct-23|6-Oct-23|6-Oct-24| |98762341tdgi[.]online|NICENIC INTERNATIONAL GROUP CO., LIMITED|6-Oct-23|6-Oct-23|6-Oct-24| |756-ads-info[.]top|NICENIC INTERNATIONAL GROUP CO., LIMITED|28-Sep-23|28-Sep-23|28-Sep-24| |875jhrfks[.]top|NICENIC INTERNATIONAL GROUP CO., LIMITED|25-Sep-23|25-Sep-23|25-Sep-24| |756-ads-info[.]site|NICENIC INTERNATIONAL GROUP CO., LIMITED|28-Sep-23|28-Sep-23|28-Sep-24| |756-ads-info[.]xyz|NICENIC INTERNATIONAL GROUP CO., LIMITED|28-Sep-23|28-Sep-23|28-Sep-24| |999-ads-info[.]top|NICENIC INTERNATIONAL GROUP CO., LIMITED|28-Sep-23|28-Sep-23|28-Sep-24| |343-ads-info[.]top|NICENIC INTERNATIONAL GROUP CO., LIMITED|28-Sep-23|28-Sep-23|28-Sep-24| |clk-brood[.]top|NICENIC INTERNATIONAL GROUP CO., LIMITED|19-Aug-23|20-Sep-23|19-Aug-24| |0909kses[.]top|NICENIC INTERNATIONAL GROUP CO., LIMITED|25-Sep-23|25-Sep-23|25-Sep-24| |dns-inform[.]top|NICENIC INTERNATIONAL GROUP CO., LIMITED|19-Aug-23|7-Sep-23|19-Aug-24| |clk-brood[.]online|NICENIC INTERNATIONAL GROUP CO., LIMITED|19-Aug-23|31-Aug-23|19-Aug-24| 11234jkhfkujhs[.]xyz NICENIC INTERNATIONAL GROUP CO., LIMITED 19-Oct-23 19-Oct-23 19-Oct-24 11234jkhfkujhs[.]top NICENIC 
INTERNATIONAL GROUP CO., LIMITED 19-Oct-23 19-Oct-23 19-Oct-24 11234jkhfkujhs[.]site NICENIC INTERNATIONAL GROUP CO., LIMITED 19-Oct-23 19-Oct-23 19-Oct-24 11234jkhfkujhs[.]online NICENIC INTERNATIONAL GROUP CO., LIMITED 19-Oct-23 19-Oct-23 19-Oct-24 98762341tdgi[.]site NICENIC INTERNATIONAL GROUP CO., LIMITED 6-Oct-23 6-Oct-23 6-Oct-24 98762341tdgi[.]online NICENIC INTERNATIONAL GROUP CO., LIMITED 6-Oct-23 6-Oct-23 6-Oct-24 756-ads-info[.]top NICENIC INTERNATIONAL GROUP CO., LIMITED 28-Sep-23 28-Sep-23 28-Sep-24 875jhrfks[.]top NICENIC INTERNATIONAL GROUP CO., LIMITED 25-Sep-23 25-Sep-23 25-Sep-24 756-ads-info[.]site NICENIC INTERNATIONAL GROUP CO., LIMITED 28-Sep-23 28-Sep-23 28-Sep-24 756-ads-info[.]xyz NICENIC INTERNATIONAL GROUP CO., LIMITED 28-Sep-23 28-Sep-23 28-Sep-24 999-ads-info[.]top NICENIC INTERNATIONAL GROUP CO., LIMITED 28-Sep-23 28-Sep-23 28-Sep-24 343-ads-info[.]top NICENIC INTERNATIONAL GROUP CO., LIMITED 28-Sep-23 28-Sep-23 28-Sep-24 clk-brood[.]top NICENIC INTERNATIONAL GROUP CO., LIMITED 19-Aug-23 20-Sep-23 19-Aug-24 0909kses[.]top NICENIC INTERNATIONAL GROUP CO., LIMITED 25-Sep-23 25-Sep-23 25-Sep-24 dns-inform[.]top NICENIC INTERNATIONAL GROUP CO., LIMITED 19-Aug-23 7-Sep-23 19-Aug-24 clk-brood[.]online NICENIC INTERNATIONAL GROUP CO., LIMITED 19-Aug-23 31-Aug-23 19-Aug-24 ----- -----
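The domains in this appendix are defanged with `[.]`, and many of them (winrar[.]software, any-desk[.]software, teamviewer-offer[.]com) are lookalikes of legitimate software names, so a naive substring search over DNS logs would either miss the `[.]` form or fire on the real vendor domains. The following Python is an added example, not code from the eSentire report: it parses pipe-table rows in the form used above into a set of refanged domains and checks DNS query names against that set, counting a hit only when the query equals an indicator or is a subdomain of one (so `www.winrar.software` matches, while `winrar.com` and `notwinrar.software` do not). The five indicator rows are copied from the tables above; the DNS log lines and their three-column format are constructed for the example and are not from the report.

```python
"""Added example (not part of the eSentire report): build a matcher from the
defanged domain tables in this appendix and run it over DNS query logs.

Assumptions (not from the report): the indicator rows are markdown pipe rows
as printed above, and the DNS log format below is a constructed sample.
"""
import re
from typing import Iterable, List, Optional, Set, Tuple

# Five rows copied from the appendix tables; the full lists above are longer.
# Rows of different widths are mixed on purpose: only the first cell matters.
APPENDIX_ROWS = """
|Domain Name|Created|
|---|---|
|winrar[.]software|24-Nov-22|
|any-desk[.]software|20-Dec-22|
|teamviewer-offer[.]com|abdel@info-electronics[.]com|9-Sep-21|
|updatemsicheck[.]com|seledka[.]prostokvash@rambler[.]ru|Dlaoijs Uoksia|dsoaikjmdn o|16-Sep-21|
|clk-brood[.]top|NICENIC INTERNATIONAL GROUP CO., LIMITED|19-Aug-23|20-Sep-23|19-Aug-24|
"""

# A defanged domain: labels of [a-z0-9-] joined by literal "[.]", at least one
# of them. Rejects headers ("Domain Name"), separators ("---") and e-mail
# addresses (they contain "@"), which also appear in the tables.
DEFANGED_DOMAIN = re.compile(r"^[a-z0-9][a-z0-9-]*(?:\[\.\][a-z0-9-]+)+$", re.I)


def refang(token: str) -> str:
    """Turn 'winrar[.]software' into the resolvable 'winrar.software'."""
    return token.replace("[.]", ".").lower()


def parse_indicator_rows(table_text: str) -> Set[str]:
    """Extract the domain from the first cell of each pipe row."""
    domains: Set[str] = set()
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not cells or not DEFANGED_DOMAIN.match(cells[0]):
            continue
        domains.add(refang(cells[0]))
    return domains


def matches(qname: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Matching is done on whole labels, never on substrings, so a lookalike
    indicator such as winrar.software cannot fire on winrar.com, and a
    query like notwinrar.software does not match either. The loop stops
    before the bare TLD, so 'software' alone is never compared.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


# Constructed DNS log lines (not from the report): timestamp, client, qname.
SAMPLE_DNS_LOG = [
    "2023-10-02T09:14:03Z 10.1.20.17 www.winrar.software",
    "2023-10-02T09:14:09Z 10.1.20.17 www.win-rar.com",
    "2023-10-02T09:15:41Z 10.1.20.44 cdn.clk-brood.top.",
    "2023-10-02T09:16:00Z 10.1.20.44 notwinrar.software",
]


def scan_dns_log(lines: Iterable[str], indicators: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched_indicator) for every hit in the log."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash a batch job
        timestamp, client, qname = parts[0], parts[1], parts[2]
        hit = matches(qname, indicators)
        if hit is not None:
            hits.append((timestamp, client, hit))
    return hits


if __name__ == "__main__":
    indicators = parse_indicator_rows(APPENDIX_ROWS)
    for timestamp, client, hit in scan_dns_log(SAMPLE_DNS_LOG, indicators):
        print(f"{timestamp} {client} queried a name under indicator {hit}")
```

Because the match is per label, the same function works for the registrant-keyed tables (where the e-mail cell also contains `[.]`) without special-casing, and a query with a trailing root dot is normalised before comparison. Feeding it the full tables above is a matter of pasting every row into `APPENDIX_ROWS` or reading them from a file.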