Fakebat Malware Strikes Again: Malicious Google Ad Masquerades as Notion, Deploys Multi-Stage Attack
November 8, 2024
Fakebat, a malware variant previously seen in July 2024, resurfaced on November 8, 2024, through a malicious Google ad disguised as an authentic advertisement for the productivity application Notion.
Web browsers and search engines remain common entry points for malware delivery, with this incident highlighting the ongoing threat posed by Fakebat, also known as Eugenloader or PaykLoader.
This malicious ad redirected users through a tracking template to evade detection, ultimately leading them to a decoy site that closely mimicked Notion.
Following the initial infection, Fakebat deploys the LummaC2 Stealer as a second-stage payload, making this a multi-stage infection rather than a single drop.
Fakebat's obfuscation relies on .NET Reactor and on AES-encrypted resources that are decrypted at runtime and then injected into MSBuild.exe through process hollowing.
The malicious ad was crafted to appear legitimate, featuring the official Notion logo and website, showcasing how easily cybercriminals can impersonate trusted brands using click trackers.
Security researcher RussianPanda analyzed the installer used by Fakebat, revealing that it utilizes fingerprinting techniques to avoid detection by sandbox environments.
Although there has been a recent decline in malvertising incidents, this event serves as a stark reminder that threat actors can quickly revert to established tactics when the opportunity arises.
Indicators of compromise related to this incident include the malicious domains solomonegbe[.]com and notion[.]ramchhaya.com, along with various malicious payload identifiers and command and control servers.
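Two defensive checks that follow from the report, as an added example that is not part of the original article or of Malwarebytes' tooling: matching proxy logs against the two defanged domains above (including their subdomains), and flagging MSBuild.exe launches whose parent is not a known build tool or runs from a user-writable path, which is where a hollowed MSBuild.exe would stand out. The log lines, the installer path and the parent allow-list are constructed assumptions.

```python
import re

# Domains quoted in the report, kept defanged exactly as published.
IOC_DOMAINS_DEFANGED = ["solomonegbe[.]com", "notion[.]ramchhaya.com"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' into 'example.com'."""
    return indicator.replace("[.]", ".").lower()

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

def host_matches_ioc(host: str) -> bool:
    """True if host is an IoC domain or a subdomain of one (no bare substring matches)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

# Constructed proxy log lines: timestamp, client IP, destination host, path.
PROXY_LOG = """\
2024-11-08T14:02:11Z 10.0.0.5 www.notion.so /product
2024-11-08T14:02:19Z 10.0.0.5 notion.ramchhaya.com /download
2024-11-08T14:03:40Z 10.0.0.7 cdn.solomonegbe.com /t/abc123
2024-11-08T14:05:02Z 10.0.0.9 notsolomonegbe.com /index.html
"""

def find_ioc_hits(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, host) for each line whose destination matches an IoC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and host_matches_ioc(parts[2]):
            hits.append((parts[1], parts[2]))
    return hits

# Assumed allow-list of parents that legitimately start MSBuild.exe in this environment.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads)|Temp)\\", re.IGNORECASE)
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

# Constructed process-creation events: (parent_image, child_image).
PROCESS_EVENTS = [
    (r"C:\Program Files\Microsoft Visual Studio\devenv.exe", MSBUILD),
    (r"C:\Users\alice\AppData\Local\Temp\installer.exe", MSBUILD),  # constructed
]

def suspicious_msbuild_launches(events) -> list[str]:
    """Return parent images that started MSBuild.exe from outside the allow-list or a user path."""
    flagged = []
    for parent, child in events:
        if child.lower().rsplit("\\", 1)[-1] != "msbuild.exe":
            continue
        parent_name = parent.lower().rsplit("\\", 1)[-1]
        if parent_name not in EXPECTED_MSBUILD_PARENTS or USER_WRITABLE.search(parent):
            flagged.append(parent)
    return flagged
```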
Summary based on 1 source
Source
Malwarebytes • Nov 8, 2024
Hello again, FakeBat: popular loader returns after months-long hiatus | Malwarebytes