Security Articles

Hello again, FakeBat: popular loader returns after months-long hiatus

released on 2024-11-11 @ 09:50:19 AM
FakeBat, a loader previously known as Eugenloader and PaykLoader, has resurfaced after a three-month absence. The malware was distributed through a malicious Google ad impersonating the productivity application Notion. The attack chain involves a tracking template, a cloaking domain, and a decoy site. FakeBat's payload is the LummaC2 stealer, which is injected into MSBuild.exe via process hollowing. The loader uses obfuscation techniques and the RastaMouse AMSI bypass script. This incident highlights the ongoing threat of malvertising and brand impersonation in Google ads, and shows how quickly threat actors can revert to proven methods of malware distribution.