A new malware loader called “BUBBAS GATE” is being actively promoted on underground forums and Telegram channels.
The malicious software was first advertised on June 22, 2025, through a post on a well-known cybercrime forum, with threat actors claiming it offers advanced evasion capabilities against modern security solutions.
While the loader’s actual effectiveness remains unverified, its promotional materials suggest sophisticated anti-detection mechanisms that could pose significant challenges to traditional cybersecurity defenses.
The developers behind BUBBAS GATE claim their loader incorporates several sophisticated evasion techniques designed to bypass both Microsoft SmartScreen and enterprise-grade Endpoint Detection and Response (EDR) systems.
According to the promotional materials, the malware avoids calling the documented Windows API and instead issues indirect syscalls, routing each call through the `syscall` instruction inside ntdll so that the return address appears to originate from ntdll rather than from the loader; the sellers say this is driven by a modified Vectored Exception Handler (VEH) arrangement, without explaining how the handler is used.
The loader reportedly resolves module bases and exported functions by walking the Process Environment Block (PEB) loader lists instead of calling GetModuleHandle and GetProcAddress, combined with what the advertisement calls custom stack logic, to stay quiet during execution.
The aim of these methods is to reach system resources without passing through the user-mode hooks and import tables that security products typically monitor.
Avoiding conventional WinAPI usage is a deliberate design choice to defeat behavioural engines that flag suspicious API call patterns; note, however, that it sidesteps only user-mode visibility, since EDR telemetry collected through kernel callbacks and ETW still observes the resulting system calls.
Security experts note that such evasion techniques, while not entirely novel, demonstrate an evolution in malware development toward more sophisticated anti-analysis methods.
The combination of indirect syscalls and custom execution paths suggests the creators possess advanced knowledge of Windows internals and modern security product architectures.
Comprehensive Technical Features
BUBBAS GATE advertises extensive compatibility across multiple file formats and architectures, supporting both x64 and x86 executables, .NET applications spanning versions 2.0 through 4.0, and Rust-compiled binaries.

The loader also claims compatibility with TLS- and C Runtime (CRT)-dependent binaries; in a PE-loader context “TLS” most likely refers to thread-local storage (binaries with TLS callbacks) rather than Transport Layer Security, and either way the claim indicates broad payload flexibility for cybercriminals.
The malware implements its own encryption routine that deliberately avoids the standard cryptographic APIs such as bcrypt.dll, using a custom AES-based implementation instead.
The stated goal is to keep researchers from spotting the encryption through API monitoring; it does not hide the algorithm from static analysis, because any AES implementation carries recognisable constant tables.
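The following is an added example (not code from the article or from the BUBBAS GATE authors) showing why avoiding bcrypt.dll does not conceal AES: the forward S-box, inverse S-box and key-schedule round constants are derived from the AES definition and then located by byte scanning in a constructed sample blob. The blob layout and offsets are assumptions chosen for the demonstration, not observations of any real sample.

```python
"""Added example: find AES by its constant tables instead of by the crypto API it calls.

The tables are computed from the AES definition (GF(2^8) inverse plus affine
transform) rather than typed in, and the scanned "binary" is constructed here.
"""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result


def gf_inverse(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES defines inverse(0) = 0."""
    if a == 0:
        return 0
    result, base, exp = 1, a, 254  # a^254 == a^-1 in a group of order 255
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def aes_sbox() -> bytes:
    """Forward S-box: inverse followed by the affine transform (four rotations XOR 0x63)."""
    table = bytearray(256)
    for x in range(256):
        inv = gf_inverse(x)
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        table[x] = s ^ 0x63
    return bytes(table)


def aes_inv_sbox() -> bytes:
    """Inverse S-box, obtained by inverting the forward table."""
    table = bytearray(256)
    for x, y in enumerate(aes_sbox()):
        table[y] = x
    return bytes(table)


def aes_rcon(rounds: int = 10) -> bytes:
    """Key-schedule round constants 01 02 04 ... 1b 36 (successive doublings in GF(2^8))."""
    out, r = bytearray(), 1
    for _ in range(rounds):
        out.append(r)
        r = gf_mul(r, 2)
    return bytes(out)


AES_CONSTANTS = {
    "aes_sbox": aes_sbox(),
    "aes_inv_sbox": aes_inv_sbox(),
    "aes_rcon": aes_rcon(),
}


def find_aes_constants(blob: bytes, min_prefix: int = 16) -> list:
    """Return sorted (offset, table_name, matched_length) for each AES table in blob.

    A table is reported when at least its first min_prefix bytes appear; the match
    is then extended as far as the blob keeps following the table, so a full table
    and a leading fragment (for example a split or padded table) are both caught.
    """
    hits = []
    for name, table in AES_CONSTANTS.items():
        probe_len = min(min_prefix, len(table))
        probe, start = table[:probe_len], 0
        while (pos := blob.find(probe, start)) != -1:
            length = probe_len
            while (length < len(table) and pos + length < len(blob)
                   and blob[pos + length] == table[length]):
                length += 1
            hits.append((pos, name, length))
            start = pos + 1
    return sorted(hits)


def constructed_sample() -> bytes:
    """Constructed fake binary (assumed layout, not a real file): header filler,
    full forward S-box at 64, round constants at 416, a 32-byte inverse S-box
    fragment at 432, trailing zeros."""
    return (b"MZ" + b"\x00" * 62 + AES_CONSTANTS["aes_sbox"] + b"\xcc" * 96
            + AES_CONSTANTS["aes_rcon"] + b"\x90" * 6
            + AES_CONSTANTS["aes_inv_sbox"][:32] + b"\x00" * 32)


if __name__ == "__main__":
    for offset, name, length in find_aes_constants(constructed_sample()):
        print(f"0x{offset:04x}  {name:<13} {length} bytes")
```

The same idea is what FindCrypt-style plugins and YARA rules implementing crypto-constant detection rely on; a loader that wants to defeat it has to transform or compute its tables at run time, which the advertisement does not claim.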
Additional features promoted through Telegram listings include automatic persistence mechanisms that restart the malware every minute, anti-virtual machine detection capabilities, and the ability to display fake error windows to confuse victims.
The loader also offers administrative privilege escalation, file size padding to avoid detection heuristics, version information cloning to mimic legitimate software, and integrated IP logging functionality for tracking infections.
Market Position and Unverified Claims
According to the report, the threat actors behind BUBBAS GATE have priced their product at $200 per build, placing it in the mid-range category of malware-as-a-service offerings.
Notably, the developers provide what they term a “15-day Windows Defender warranty,” suggesting confidence in their evasion capabilities against Microsoft’s built-in security solution.
However, cybersecurity researchers emphasize that these claims remain entirely unverified. No independent validation has been provided by other threat actors or confirmed buyers within underground forums.
Additionally, security researchers have not yet identified any leaked samples of the malware in the wild, making it impossible to assess the actual effectiveness of the claimed features.
The lack of verification raises questions about whether BUBBAS GATE represents a legitimate new threat or potentially a scam targeting other cybercriminals.