Keypoints
- FakeBat (aka Eugenloader/PaykLoader) reappeared via a malicious Google ad impersonating the Notion site.
- Attackers used tracking templates and cloaking domains to make the ad look legitimate and bypass automated detection.
- The malvertising chain directed victims through solomonegbe[.]com to a decoy domain notion[.]ramchhaya[.]com before delivering the installer.
- Initial stages used obfuscated PowerShell with sandbox fingerprinting and a known RastaMouse AMSI bypass script.
- The loader is protected with .NET Reactor, decrypts an AES-encrypted embedded resource, and injects the payload into MSBuild.exe via process hollowing.
- The final payload is the LummaC2 stealer (user ID: 9zXsP2) with multiple command-and-control domains listed in the report.
MITRE Techniques
- [T1189] Drive-by Compromise / [T1204.002] User Execution: Malicious File – Initial access comes from a malicious sponsored search result that leads the victim to run a fake installer; no exploit is involved. [‘an ad appearing at the top of a Google search for ‘notion’’]
- [T1071] Application Layer Protocol – Multiple C2 domains are used to maintain communication with infected hosts. [‘LummaC2 Stealer C2s: rottieud[.]sbs, relalingj[.]sbs …’]
- [T1059.001] Command and Scripting Interpreter: PowerShell – Obfuscated PowerShell is used for first- and second-stage execution and payload deployment. [‘classic first stage FakeBat PowerShell’]
- [T1055.012] Process Injection: Process Hollowing / [T1027] Obfuscated Files or Information – The .NET Reactor-protected loader decrypts its payload and runs it inside a hollowed, legitimate MSBuild.exe to evade detection. [‘injects it into MSBuild.exe via process hollowing’]
- [T1562.001] Impair Defenses: Disable or Modify Tools / [T1497] Virtualization/Sandbox Evasion – The PowerShell stages fingerprint the sandbox and apply the RastaMouse AMSI bypass before continuing. [‘known RastaMouse AMSI bypass script’]
- [T1555] Credentials from Password Stores – The LummaC2 stealer harvests stored credentials (browser and application) after installation. [‘LummaC2 Stealer’]
Indicators of Compromise
- [Domains] Malvertising chain and decoy sites – solomonegbe[.]com, notion[.]ramchhaya[.]com (used in the redirect/cloaking chain)
- [C2 Domains] LummaC2 command-and-control examples – rottieud[.]sbs, relalingj[.]sbs, and 7 more C2 domains listed in the article
- [File Hashes] Malicious installer and payload hashes – 34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de (Notion installer), de64c6a881be736aeecbf665709baa89e92acf48c34f9071b8a29a5e53802019 (LummaC2 decrypted payload)
- [URLs] Malicious distribution links – furliumalerer[.]site/1.jar, pastebin[.]pl/view/raw/a58044c5
- [Filenames] Dropped/used files – 1.jar (PaykRunPE loader)
The FakeBat loader returned after months of absence by appearing as a sponsored Google result that mimicked Notion. Attackers relied on tracking templates and cloaking domains to present a legitimate-looking ad; only targeted victims were sent the malicious chain while others were redirected to the real notion.so site.
Analysis showed a multi-stage infection: obfuscated PowerShell stagers with sandbox checks, use of the RastaMouse AMSI bypass, and a .NET-based loader that decrypts an AES-encrypted embedded resource and hollows it into MSBuild.exe. The decrypted payload was identified as the LummaC2 stealer (user ID 9zXsP2); the report publishes its C2 domains and the relevant file hashes.
This incident is a reminder that malvertising and brand impersonation remain effective. Defenders should watch sponsored-result redirects for cloaking chains, block the listed domains and hashes, and alert on the host-side signals this chain leaves behind: encoded or obfuscated PowerShell, AMSI-tampering patterns in script-block logs, and MSBuild.exe started by a parent that is not a build tool.
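To make that guidance concrete, the following is an added example (not code from the original report or from the researchers) that refangs the IOCs listed above and runs a small set of host and DNS detections over constructed telemetry records. The record field names, the sample events, the MSBuild parent allow-list and the encoded-command pattern are assumptions made for this example; only the domains and hashes come from the page.

```python
"""Toy triage pass for the FakeBat -> LummaC2 chain described above.

Added example, not from the original report. The event schema
(type/image/parent_image/command_line/sha256/query/text), the sample events
and the allow-list are assumptions; the IOCs are the ones listed on the page.
"""
import re

# IOCs exactly as printed on the page (defanged).
DEFANGED_DOMAINS = [
    "solomonegbe[.]com", "notion[.]ramchhaya[.]com",   # redirect / cloaking chain
    "rottieud[.]sbs", "relalingj[.]sbs",               # LummaC2 C2s
    "furliumalerer[.]site",                            # hosted 1.jar
]
SHA256_IOCS = {
    "34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de": "Notion installer",
    "de64c6a881be736aeecbf665709baa89e92acf48c34f9071b8a29a5e53802019": "LummaC2 decrypted payload",
}

def refang(ioc: str) -> str:
    """Undo the usual defanging so an IOC matches real log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Strings an in-memory AMSI bypass leaves in PowerShell script-block logs
# (Event ID 4104): the RastaMouse technique patches AmsiScanBuffer; the older
# reflection bypass flips amsiInitFailed on AmsiUtils.
AMSI_MARKERS = ("amsiscanbuffer", "amsiinitfailed", "amsiutils")

# Parents from which MSBuild.exe is expected to start (assumed allow-list).
MSBUILD_OK_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_CMD = re.compile(r"(?i)\s-e(c|nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: dict) -> list:
    """Return the detection names that fire for one telemetry record."""
    hits = []
    if ev["type"] == "process_create":
        image, parent = basename(ev["image"]), basename(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "")
        # Hollowed MSBuild: unexpected parent and no project file on the command line.
        if (image == "msbuild.exe" and parent not in MSBUILD_OK_PARENTS
                and not re.search(r"\.(cs|vb|fs)?proj\b|\.sln\b", cmd, re.I)):
            hits.append("msbuild_unexpected_parent:" + parent)
        if image in ("powershell.exe", "pwsh.exe") and ENCODED_CMD.search(cmd):
            hits.append("powershell_encoded_command")
        label = SHA256_IOCS.get(ev.get("sha256", "").lower())
        if label:
            hits.append("hash_ioc:" + label)
    elif ev["type"] == "script_block":
        text = ev["text"].lower()
        hits += ["amsi_bypass_marker:" + m for m in AMSI_MARKERS if m in text]
    elif ev["type"] == "dns_query":
        q = ev["query"].lower().rstrip(".")
        if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
            hits.append("dns_ioc:" + q)
    return hits

def scan(events: list) -> dict:
    """Map event index -> detections, omitting clean events."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

# Constructed sample telemetry (not real logs from the incident).
SAMPLE_EVENTS = [
    {"type": "dns_query", "query": "notion.ramchhaya.com."},
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="},
    {"type": "script_block",
     "text": "$p = [Win32]::GetProcAddress($h, 'AmsiScanBuffer'); [Win32]::VirtualProtect($p, 6, 0x40, [ref]$o)"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\loader.exe",
     "command_line": "MSBuild.exe"},
    {"type": "process_create",   # benign: started by Visual Studio with a project
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "command_line": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'},
    {"type": "process_create", "image": r"C:\Users\user\Downloads\setup.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "setup.exe",
     "sha256": "34C46B358A139F1A472B0120A95B4F21D32BE5C93BC2D1A5608EFB557AA0B9DE"},
    {"type": "dns_query", "query": "www.notion.so"},   # benign: the real site
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The MSBuild rule keys on the combination the report describes (a hollowed, argument-less MSBuild.exe under a non-build parent) rather than on MSBuild alone, which would be noisy on developer machines; the DNS rule also catches subdomains of the listed C2s, since stealer infrastructure commonly rotates hosts under one registered domain.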