{
	"id": "fabe1e21-df35-46b8-a097-bfbab2b14d66",
	"created_at": "2026-04-06T01:31:38.412387Z",
	"updated_at": "2026-04-10T03:21:16.91324Z",
	"deleted_at": null,
	"sha1_hash": "2121990f4bc4d4b872ddfdd3d19f526687da6a62",
	"title": "Group Behind TrickBot Spreads Fileless BazarBackdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 146578,
	"plain_text": "Group Behind TrickBot Spreads Fileless BazarBackdoor\r\nArchived: 2026-04-06 00:48:53 UTC\r\nA new campaign is propagating a new malware named “BazarBackdoor,” a fileless backdoor reportedly created by the same threat actors behind TrickBot, as reported by a BleepingComputer news article. The conclusion is drawn from similarities in code, crypters, and infrastructure between the two malware variants.\r\nThe social engineering attacks used to spread the backdoor leverage topics such as customer complaints, Covid-19-themed payroll reports, and employee termination lists for the emails they send out.\r\nThe messages have links to Google Docs files. Once users click the links, they are redirected to a landing page. The pages state that the Word document, Excel spreadsheet, or PDF cannot be properly viewed, and instruct the user to click on a link to open the file.\r\nClicking on the link downloads an executable that masquerades through icons and names associated with the mentioned file types. For instance, the supposed customer complaint document is downloaded as Preview.PDF.exe, which uses the PDF icon. Since the file extension is hidden by default, the file convincingly appears to be a PDF file.\r\nThe disguised executable serves as the loader for the backdoor. After the file is launched, the loader sleeps for some time, then connects to command and control (C\u0026C) servers to check in and download the payload. The payload is then injected filelessly into C:\\Windows\\system32\\svchost.exe through process hollowing and process doppelgänging techniques, and the backdoor is installed on the computer.\r\nThe backdoor sets a scheduled task that launches the loader every time the user logs into Windows, which allows new versions of the backdoor to be downloaded and injected into svchost.exe.\r\nSecurity researchers Vitali Kremez and James revealed that this malware was most likely created by the threat actors behind the TrickBot trojan, because both malware types use the same crypter and email chain deliverables. Both malware also utilize the Emercoin DNS resolution service for C\u0026C server communication.\r\nDefense against fileless threats\r\nFileless threats are stealthy and difficult to detect because they take advantage of existing applications to infiltrate and attack systems. However, users can still defend against these malware types by adhering to the following best practices:\r\nSecure possible entry points. Malicious sites, spam, and third-party components like browser plug-ins can all be sources of fileless malware. Be cautious when downloading attachments and other files, and never click links from unfamiliar sources.\r\nhttps://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor\r\nPage 1 of 3\r\nReboot device and change passwords. In case of infection, users can stop fileless attacks that do not employ persistence techniques by restarting the device. As an extra precaution, users should also change their passwords.\r\nUtilize behavior monitoring and analysis. These can detect and block malicious behaviors and routines associated with malware, stopping threats before they can reach the system.\r\nTo further secure the system, the following security solutions are recommended:\r\nTrend Micro Apex One™ – Employs behavior analysis to protect systems against malicious scripts, injection, ransomware, and memory and browser attacks related to fileless threats.\r\nTrend Micro Apex One Endpoint Sensor – Through Endpoint Detection and Response (EDR) and X Detection and Response (XDR), monitors events and processes that trigger malicious activity.\r\nTrend Micro Worry-Free Services – Utilizes behavior monitoring to detect script-based, fileless threats, preventing malware from entering the system.\r\nIndicators of Compromise\r\nSHA-256 Detection Name\r\n11b5adaefd04ffdaceb9539f95647b1f51aec2117d71ece061f15a2621f1ece9 Trojan.Win64.TRICKBOT.CFI\r\n1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83 Trojan.Win64.TRICKBOT.CFJ\r\n37d713860d529cbe4eab958419ffd7ebb3dc53bb6909f8bd360adaa84700faf2 Trojan.Win64.TRICKBOT.CFL\r\n4e4f9a467dd041e6a76e2ea5d57b28fe5a3267b251055bf2172d9ce38bea6b1f Trojan.Win64.TRICKBOT.CFK\r\n55d95d9486d77df6ac79bb25eb8b8778940bac27021249f779198e05a2e1edae TrojanSpy.Win64.LOKI.A\r\n5a888d05804d06190f7fc408bede9da0423678c8f6eca37ecce83791de4df83d Trojan.Win64.TRICKBOT.CFL\r\n5dbe967bb62ffd60d5410709cb4e102ce8d72299cea16f9e8f80fcf2a1ff8536 TrojanSpy.Win32.TRICKBOT.THAOFBO\r\n6cbf7795618fb5472c5277000d1c1de92b77724d77873b88af3819e431251f00 Trojan.Win32.TRICKBOT.TIGOCBAINS\r\n835edf1ec33ff1436d354aa52e2e180e3e8f7500e9d261d1ff26aa6daddffc55 TrojanSpy.Win64.LOKI.A\r\n859fa9acf0b8a989a1634a1eee309355438b9f6b6f73b69f12d53ac534618c6a Trojan.Win64.TRICKBOT.CFK\r\na76426e269a2defabcf7aef9486ff521c6110b64952267cfe3b77039d1414a41 Trojan.Win64.TRICKBOT.CFJ\r\nc55f8979995df82555d66f6b197b0fbcb8fe30b431ff9760deae6927a584b9e3 Trojan.Win64.TRICKBOT.CFL\r\nce478fdbd03573076394ac0275f0f7027f44a62a306e378fe52beb0658d0b273 Trojan.Win64.TRICKBOT.CFM\r\ne90ccb9d51a930f69b78aa0d2612c4af2741311088b9eb7731857579feef89c3 Trojan.Win64.TRICKBOT.CFL\r\nSource: https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor"
	],
	"report_names": [
		"group-behind-trickbot-spreads-fileless-bazarbackdoor"
	],
	"threat_actors": [],
	"ts_created_at": 1775439098,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2121990f4bc4d4b872ddfdd3d19f526687da6a62.pdf",
		"text": "https://archive.orkl.eu/2121990f4bc4d4b872ddfdd3d19f526687da6a62.txt",
		"img": "https://archive.orkl.eu/2121990f4bc4d4b872ddfdd3d19f526687da6a62.jpg"
	}
}