{
	"id": "3012d352-0907-4e20-ad73-7a24b1cfca31",
	"created_at": "2026-04-06T01:30:41.657341Z",
	"updated_at": "2026-04-10T03:24:24.137258Z",
	"deleted_at": null,
	"sha1_hash": "008426595d53b865407bf5556314b78d52d6272e",
	"title": "Fake DMCA and DDoS complaints lead to BazaLoader malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4382068,
	"plain_text": "Fake DMCA and DDoS complaints lead to BazaLoader malware\r\nBy Ionut Ilascu\r\nPublished: 2021-08-27 · Archived: 2026-04-06 00:53:08 UTC\r\nCybercriminals behind the BazaLoader malware came up with a new lure to trick website owners into opening malicious files: fake notifications about the site being engaged in distributed denial-of-service (DDoS) attacks.\r\nThe messages contain a legal threat and a link to a file stored in a Google Drive folder that allegedly provides evidence of the source of the attack.\r\nFake legal threats\r\nThe DDoS theme is a variation of another lure, a Digital Millennium Copyright Act (DMCA) infringement complaint linking to a file that supposedly contains evidence about stealing images.\r\nhttps://www.bleepingcomputer.com/news/security/fake-dmca-and-ddos-complaints-lead-to-bazaloader-malware/\r\nPage 1 of 5\r\nIn submissions seen by BleepingComputer, the threat actor used Firebase URLs to push BazaLoader. The goal is the same though: use contact forms to deliver BazaLoader malware that often drops Cobalt Strike, which can lead to data theft or a ransomware attack.\r\nMicrosoft warned about this delivery method in April, when cybercriminals used it to deliver IcedID malware. The recent campaigns are similar; only the payload and the lure have changed.\r\nWebsite developer and designer Brian Johnson posted last week about two of his clients getting legal notifications about their websites being hacked to run DDoS attacks against a major company (Intuit, Hubspot).\r\nThe sender threatened legal action unless the recipients “immediately clean” their website of the malicious files that helped deploy the DDoS attack.\r\n“I have shared the log file with the recorded evidence that the attack is coming from [example.com] and also detailed guidelines on how to safely deal with, find and clean up all malicious files manually in order to eradicate the threat to our network,” reads the fake notification.\r\nThe malicious sender also included a link to a file hosted in Google Drive claiming to provide evidence of the DDoS attack and its origin.\r\nHello,\r\nThis message was written to you in order to notify, that we are currently experiencing serious network problems and we have detected a DDoS attack on our servers coming from the your website or a website that your company hosts (example.com). As a consequence, we are suffering financial and reputational losses.\r\nWe have strong evidence and belief that your site was hacked and your website files were modified, with the help of which the DDoS attack is currently taking place. It is strictly advised for you as a website proprietor or as a person associated with this website take immediate action to fix this issue.\r\nTo fix this issue, you should immediately clean your website from malicious files that are used to carry out the DDoS attack. I have shared the log file with the recorded evidence that the attack is coming from example.com and also detailed guidelines on how to safely deal with, find and clean up all malicious files manually in order to eradicate the threat to our network.\r\nClick on the link below to download DDos Attack evidence and follow the instructions to fix the issue:\r\nhttps://drive.google.com/uc?export=download\u0026id=removed\r\nPlease be aware that failure to comply with the instructions above or/and if DDoS attacks associated with example.com will not stop within the next 24 hour period upon receipt of this message, we will be entitled to seek legal actions to resolve this issue.\r\nIf you will experience any difficulties trying to solve the issue, please reply immediately with your personal reference case number (included in the log report and instructions mentioned above) and I will do my best to help you resolve this problem asap.\r\nAustin Nguyen\r\nintuit.com IT security team\r\nProofpoint security researcher Matthew Mesa notes in a tweet that these messages are sent through the website’s contact form and deliver the BazaLoader malware hosted on a Google site.\r\nThe researcher also says that the lure is a variation of the copyright infringement theme, also submitted through the website’s contact form.\r\nBleepingComputer has received several of these infringement notifications over the past few months with allegations of using protected images without the owner’s consent.\r\nThe message provides a link to a file that supposedly lists the images used without permission. The data is hosted in Google’s Firebase cloud storage.\r\nTo make the matter seem urgent, the sender also says that the website owner “could possibly be liable for statutory damage as high as $120,000.” It is all a ruse to deliver malware, though.\r\nMy name is Marquel.\r\nYour website or a website that your organization hosts is infringing on a copyright protected images owned by myself.\r\nCheck out this document with the URLs to my images you utilized at www.bleepingcomputer.com and my earlier publication to get the proof of my copyrights.\r\nDownload it right now and check this out for yourself:\r\nhttps://firebasestorage.googleapis.com/v0/b/files-d6e6c.appspot.com/o/download-dlm39vbk30.html?alt=media\u0026token=d0b122e7-49bb-4c04-9b26-d2364ca615f2\u0026ID=381406677867196640\r\nI do think you've deliberately violated my legal rights under 17 USC Sec. 101 et seq. and could possibly be liable for statutory damage as high as $120,000 as set forth in Section 504 (c) (2) of the Digital millennium copyright act (”DMCA”) therein.\r\nThis message is official notice. I demand the removal of the infringing materials mentioned above. Take note as a service provider, the Digital Millennium Copyright Act requires you, to remove and disable access to the infringing materials upon receipt of this particular letter. In case you don't stop the utilization of the previously mentioned copyrighted materials a legal action will likely be commenced against you.\r\nI have a strong belief that utilization of the copyrighted materials mentioned above as allegedly infringing is not permitted by the copyright proprietor, its agent, or the laws.\r\nI swear, under penalty of perjury, that the information in this message is correct and that I am the legal copyright proprietor or am certified to act on behalf of the proprietor of an exclusive right that is allegedly infringed.\r\nBest regards,\r\nMarquel Lowe\r\n08/17/2021\r\nMalware analyst Brad Duncan examined the file and found it was a ZIP archive with JavaScript that fetches the BazaLoader DLL, a backdoor attributed to the TrickBot gang that typically leads to a ransomware infection.\r\nThe malware then reaches out to its command and control (C2) server and gets Cobalt Strike, a penetration-testing tool widely abused by cybercriminals to maintain persistence and deliver other payloads.\r\nAs seen from the samples above, the notifications are quite convincing and take advantage of the legitimacy of the contact-form emails, which are generated by the recipient’s own website and are therefore more likely to receive a \"safe\" mark from email security solutions.\r\nLooking for signs of malicious intent (incomplete contact information, incorrect grammar, suspicious links) is a good way to avoid falling for this social engineering trap.\r\nSource: https://www.bleepingcomputer.com/news/security/fake-dmca-and-ddos-complaints-lead-to-bazaloader-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fake-dmca-and-ddos-complaints-lead-to-bazaloader-malware/"
	],
	"report_names": [
		"fake-dmca-and-ddos-complaints-lead-to-bazaloader-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439041,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/008426595d53b865407bf5556314b78d52d6272e.pdf",
		"text": "https://archive.orkl.eu/008426595d53b865407bf5556314b78d52d6272e.txt",
		"img": "https://archive.orkl.eu/008426595d53b865407bf5556314b78d52d6272e.jpg"
	}
}