The Return of the Bat: FakeBat’s Payk RunPE Arsenal

eSentire’s TRU discovered a FakeBat loader infection delivered via malvertising that used a fake Trello MSIX installer to execute an obfuscated PowerShell stage and selectively retrieve further payloads from Telegra[.]ph. The operation downloads an AMSI bypass, fetches and decrypts GPG/AES-encrypted payloads (including Payk RunPE and possible SectopRAT/ArechClient2), and performs process injection/hollowing into legitimate processes. #FakeBat #PaykRunPE

Keypoints

  • Initial access via malvertising and a fake Trello MSIX installer (Trello-Full-Installer-x64.msix) leading to execution of an obfuscated PowerShell script.
  • The MSIX contained an obfuscated PowerShell stage (Refresh2.ps/Refresh2.ps1) that contacts a C2 using a specific browser User‑Agent string.
  • The second-stage script downloads an AMSI bypass from GitHub, then retrieves .dat/.gpg payload links hosted on a Telegra[.]ph page and uses bundled gpg.exe to decrypt them.
  • Final payloads include Payk RunPE (RunPE process injection) and likely SectopRAT/ArechClient2; one chain injects into MSBuild.exe via an IDAT loader, another uses RunPE to hollow RegAsm.exe.
  • Payk RunPE samples are packed with .NET Reactor, include AntiVM checks to avoid sandbox/VM analysis, and store an AES-encrypted payload in resources with base64-encoded passphrases and resource names.
  • Attackers implement selective delivery from C2 (avoiding researcher IPs) and use specific User‑Agent/network indicators, emphasizing network-based detection opportunities.
  • Researchers found multiple Payk RunPE hashes (20 samples referenced) and specific MD5s for the initial MSIX and PowerShell artifacts.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malvertising and fake installer used to deliver the initial payload (‘FakeBat spreads through a technique known as malvertising, which involves exploiting online advertising platforms, including Google Ads, to spread malware.’)
  • [T1059.001] PowerShell – The MSIX contains and executes an obfuscated PowerShell script as the primary stage (‘The MSIX file contains the obfuscated PowerShell script (Refresh2.ps…)’)
  • [T1027.002] Software Packing – Final payloads are obfuscated/packed (Use of .NET Reactor) to hinder analysis (‘Payk RunPe is obfuscated with .NET Reactor’)
  • [T1071.001] Application Layer Protocol: Web Protocols – The script communicates with C2 over HTTP(S) using a distinctive user-agent string (‘…communicates with the C2 server via a user-agent “Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) …”’)
  • [T1105] Ingress Tool Transfer – Secondary stages and encrypted payloads are retrieved from remote hosting (Telegra[.]ph .dat/.gpg links and bundled gpg.exe) (‘retrieves the webpage and searches for links ending in “.dat” and “.gpg”’)
  • [T1562.001] Disable or Modify Tools: AMSI Bypass – The second-stage script downloads an AMSI bypass from GitHub to evade detection (‘The script downloads the Anti-Malware Scan Interface (AMSI) bypass script from GitHub’)
  • [T1055.012] Process Hollowing – Final payloads are injected into legitimate processes (IDAT loader into MSBuild.exe; RunPE into RegAsm.exe) (‘injected into the MSBuild.exe process via the IDAT loader technique’ and ‘injected via process hollowing … into RegAsm.exe’)
  • [T1497.001] Virtualization/Sandbox Evasion – Payload implements AntiVM checks for common VM processes to terminate execution in monitored environments (‘The payload contains the AntiVM function, that checks for running processes such as: Vmtoolsd, vboxservice, Vmwareuser, Vmwaretrat’)

Indicators of Compromise

  • [File name] initial installer and script – Trello-Full-Installer-x64.msix (fake Trello MSIX installer), Refresh2.ps/Refresh2.ps1 (obfuscated PowerShell)
  • [File hash] MD5 examples – 61714d10ee99d136957e524173000884 (MSIX), 67f4237d0a28cd6e6c5bac4286c92d93 (Refresh2.ps) and 20 Payk RunPE hashes on VirusTotal
  • [Domain/URL] payload hosting and tooling – Telegra[.]ph (page hosting .dat/.gpg payload links), GitHub raw URLs hosting AMSI bypass script
  • [Binary name/path] bundled tooling and target processes – gpg.exe located under VFS\AppData\local in the MSIX, targeted injection into MSBuild.exe and RegAsm.exe

Threat actors delivered FakeBat via malvertising using a counterfeit Trello MSIX installer that unpacked an obfuscated PowerShell stage. The first-stage script (Refresh2.ps/.ps1) used a specific browser user-agent to query a C2 and implemented a selective-delivery check to avoid researcher IPs. When allowed, the second-stage PowerShell downloaded an AMSI bypass from GitHub, fetched encrypted payload links (.dat/.gpg) from a Telegra[.]ph page, and used a bundled gpg.exe to decrypt the retrieved data.
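An MSIX package is a ZIP container, so the bundled gpg.exe under VFS and the PowerShell stage are visible without installing it. The Python triage script below is an added example written for this summary, not eSentire's tooling: it builds a constructed stand-in package that mimics the reported layout (an AppxManifest.xml, a Refresh2.ps1 script and gpg.exe under VFS/AppData/local, plus a PE renamed to .dat to exercise the content check; all byte contents are placeholders) and flags script files, executables staged under VFS, known tooling names, and any entry whose content starts with an MZ header regardless of its extension.

```python
import io
import zipfile
from typing import Dict, List

# Extensions that should not normally be present in a vendor's MSIX.
SCRIPT_EXTS = (".ps1", ".ps", ".bat", ".cmd", ".vbs", ".js")
BINARY_EXTS = (".exe", ".dll")
# Tooling bundled by this campaign (gpg.exe, per the report); extend as needed.
SUSPECT_TOOLS = {"gpg.exe", "gpg2.exe"}


def build_sample_msix() -> bytes:
    """Constructed stand-in for the fake Trello MSIX (assumption: same layout as
    reported). An MSIX is a ZIP container, so a zip with that layout is enough
    to exercise the triage logic. File contents are placeholders, not real artifacts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml", "<Package><Identity Name='Trello'/></Package>")
        z.writestr("Trello/Trello.exe", b"MZ\x90\x00placeholder")
        z.writestr("Refresh2.ps1", "# obfuscated PowerShell stage (placeholder)")
        z.writestr("VFS/AppData/local/gpg.exe", b"MZ\x90\x00placeholder")
        z.writestr("VFS/AppData/local/blob.dat", b"MZ\x90\x00placeholder")  # renamed PE
        z.writestr("Assets/logo.png", b"\x89PNG placeholder")
    return buf.getvalue()


def triage_msix(data: bytes) -> Dict[str, List[str]]:
    """Return the package entries that warrant a closer look, grouped by reason."""
    findings: Dict[str, List[str]] = {
        "scripts": [], "vfs_binaries": [], "suspect_tools": [], "pe_by_magic": []
    }
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            base = lower.rsplit("/", 1)[-1]
            if lower.endswith(SCRIPT_EXTS):
                findings["scripts"].append(name)
            if lower.startswith("vfs/") and lower.endswith(BINARY_EXTS):
                findings["vfs_binaries"].append(name)
            if base in SUSPECT_TOOLS:
                findings["suspect_tools"].append(name)
            # Check content, not extension: a PE renamed to .dat still starts with "MZ".
            with z.open(info) as fh:
                if fh.read(2) == b"MZ":
                    findings["pe_by_magic"].append(name)
    return findings


if __name__ == "__main__":
    for category, entries in triage_msix(build_sample_msix()).items():
        print(f"{category}: {entries}")
```

Point `triage_msix` at the bytes of a real package to use it; entries under VFS that are executables, and anything with an MZ header under an unrelated extension, are the items to pull for further analysis.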

Decrypted payloads included a RunPE-style Payk sample and what appears to be SectopRAT/ArechClient2. The Payk RunPE binaries were packed with .NET Reactor, contained base64-encoded strings for resource names and passphrases, and stored an AES-encrypted payload inside resources; the loader derives an AES key from the embedded passphrase and decrypts the payload before injection. Injection methods observed include an IDAT loader that injects into MSBuild.exe and process-hollowing (RunPE) into RegAsm.exe.

Analysis also found anti-analysis measures: an AntiVM routine that checks for VM/sandbox processes (Vmtoolsd, vboxservice, Vmwareuser, Vmwaretrat) and selective C2 delivery to hinder research. These combined techniques (obfuscated PowerShell, AMSI bypass, remote encrypted payload retrieval, packing, anti-VM checks, and in-memory process injection) make up a multi-stage chain designed to evade detection while executing the final payloads inside legitimate process contexts.
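The user-agent and hosting indicators above map directly onto proxy or EDR network telemetry. The Python detection logic below is an added example for this summary, not eSentire's own detection content. It runs three rules over a few constructed, EDR-enriched proxy log lines (the field layout with process and OS attribution is an assumption about what your logging provides): a Windows endpoint sending the macOS user-agent prefix quoted in the report, PowerShell fetching from the staging services named in the report (telegra.ph, raw.githubusercontent.com), and PowerShell downloading .dat or .gpg files. The example-c2.invalid and files.example.invalid hostnames and the tail of the user-agent string are placeholders.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

# Prefix of the user-agent quoted in the report; the remainder is truncated there.
MAC_UA_PREFIX = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1)"
SCRIPT_PROCS = {"powershell.exe", "pwsh.exe"}
# Staging services named in the report. Both are legitimate, so the rule also
# requires a scripting host as the requesting process to keep noise down.
STAGING_HOSTS = {"telegra.ph", "raw.githubusercontent.com"}
PAYLOAD_EXTS = (".dat", ".gpg")

# Constructed sample telemetry (not real logs). Assumes proxy records enriched
# with the originating process and OS, e.g. from an EDR agent.
SAMPLE_LOG = """\
ts,src_host,src_os,process,dst_host,path,user_agent
2024-03-01T10:00:01Z,WS-042,Windows 10,powershell.exe,example-c2.invalid,/gate,Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) AppleWebKit/605.1.15
2024-03-01T10:00:03Z,WS-042,Windows 10,powershell.exe,raw.githubusercontent.com,/user/repo/main/bypass.ps1,Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) AppleWebKit/605.1.15
2024-03-01T10:00:05Z,WS-042,Windows 10,powershell.exe,telegra.ph,/Update-03-01,Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) AppleWebKit/605.1.15
2024-03-01T10:00:07Z,WS-042,Windows 10,powershell.exe,files.example.invalid,/dl/stage.gpg,Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) AppleWebKit/605.1.15
2024-03-01T10:00:09Z,WS-042,Windows 10,powershell.exe,files.example.invalid,/dl/stage.dat,Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) AppleWebKit/605.1.15
2024-03-01T10:05:00Z,MAC-007,macOS 14.1,Google Chrome,github.com,/org/project,Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) AppleWebKit/605.1.15
2024-03-01T10:06:00Z,WS-017,Windows 11,chrome.exe,trello.com,/b/board,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
"""

Alert = Tuple[str, str, str]  # (timestamp, rule name, detail)


def parse_log(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def detect(rows: List[Dict[str, str]]) -> List[Alert]:
    alerts: List[Alert] = []
    for r in rows:
        proc = r["process"].lower()
        dst = r["dst_host"].lower()
        path = r["path"].lower()
        where = f"{r['src_host']} {proc} -> {dst}{r['path']}"
        # Rule 1: a Windows endpoint presenting a Mac browser user-agent. The
        # stage script hardcodes this UA, so it is not a normal browser choice.
        if r["user_agent"].startswith(MAC_UA_PREFIX) and r["src_os"].lower().startswith("windows"):
            alerts.append((r["ts"], "ua_os_mismatch", where))
        # Rule 2: a scripting host pulling from the services that hosted the
        # AMSI bypass and the payload link page.
        if proc in SCRIPT_PROCS and dst in STAGING_HOSTS:
            alerts.append((r["ts"], "script_fetch_from_staging_host", where))
        # Rule 3: a scripting host downloading the encrypted payload file types.
        if proc in SCRIPT_PROCS and path.endswith(PAYLOAD_EXTS):
            alerts.append((r["ts"], "encrypted_payload_download", where))
    return alerts


def rule_counts(alerts: List[Alert]) -> Dict[str, int]:
    return dict(Counter(rule for _, rule, _ in alerts))


if __name__ == "__main__":
    for ts, rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts} {rule}: {detail}")
```

Rule 1 fires on every request from the Windows host using the hardcoded Mac user-agent, including the initial C2 check-in, while the genuine macOS client using the same browser family is left alone; rules 2 and 3 only fire when the requesting process is a scripting host, which is what separates this chain from ordinary browsing to GitHub or Telegraph.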

Read more: https://www.esentire.com/blog/the-return-of-the-bat-fakebats-payk-runpe-arsenal