{
	"id": "86b90b89-9572-43de-aa12-8bfc7f67e135",
	"created_at": "2026-04-06T00:10:05.927513Z",
	"updated_at": "2026-04-10T03:27:55.862018Z",
	"deleted_at": null,
	"sha1_hash": "2420a5ac229323bde7f484a4d9c605c183cc9f8b",
	"title": "BazaFlix: BazaLoader Fakes Movie Streaming Service | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3828920,
	"plain_text": "BazaFlix: BazaLoader Fakes Movie Streaming Service | Proofpoint US\r\nBy May 26, 2021 Selena Larson and Matthew Mesa\r\nPublished: 2021-05-24 · Archived: 2026-04-05 17:21:12 UTC\r\nKey Findings \r\n1. BazaLoader affiliates continue to use elaborate infection chains requiring significant victim interaction to\r\ndistribute BazaLoader malware. \r\n2. Emails directed the victim to call a customer service line which sent them to a website containing malicious\r\ncontent. \r\n3. The threat actor created a robust fake movie streaming service called BravoMovies, complete with fake movie\r\ntitles as a landing page. \r\nOverview\r\nProofpoint researchers identified a BazaLoader campaign requiring significant human interaction to execute and install\r\nthe BazaLoader backdoor. The threat actor leveraged phone-based customer service representatives to direct victims to\r\nunknowingly download and install the malware. This campaign is representative of a broader trend leveraged by the\r\nBazaLoader threat actors using call centers as part of an intricate attack chain.\r\nThe entertainment-themed campaign was first observed in early May 2021 and masqueraded as a streaming\r\nentertainment service, complete with a slick website featuring fake movies. The campaign demonstrates an inversely\r\nproportional relationship between successful infection rates and asking people to complete complicated steps – the more\r\nsteps required by the user, the less likely they are to complete the attack chain. However, despite being counterintuitive,\r\nthe techniques used by the threat actors in this, and similar, campaigns help bypass fully automated threat detection\r\nsystems. 
Additionally, a streaming service cancellation lure preys on a growing trend of users cancelling online entertainment subscriptions following major growth in the industry during 2020.\r\nCampaign Details\r\nBazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot.\r\nInfection Chain\r\nhttps://www.proofpoint.com/us/blog/threat-insight/bazaflix-bazaloader-fakes-movie-streaming-service\r\nPage 1 of 14\r\nIn the recent BazaLoader campaign, messages purport to be from various senders with subjects such as:\r\nYour trial period M0012064753012345 is going to be expired soon. Thankfully you made a decision to stick with us!\r\nDemo stage is expired! Your account #M0272028060812345 will be automatically transferred to premium plan!\r\nFigure 1: Initial BazaLoader email masquerading as an entertainment streaming service\r\nThe emails contain phone numbers and references to the \"BravoMovies\" company. The messages purport to inform the target that their credit card will be charged unless they cancel their subscription to the service. If the user calls the phone number provided in the email, a customer service representative verbally guides the user to the company's alleged website. The website is a convincing representation of a movie and television streaming service. 
The threat actors used fake movie posters obtained from various open-source resources including an advertising agency, the creative social network Behance, and the book “How to Steal a Dog.”\r\nFigure 2: BravoMovies landing page\r\nWhen the user visits the site, navigates to the Frequently Asked Questions section of the website, and follows the directions to unsubscribe via the “Subscribtion” page (sic), they are directed to the download of an Excel sheet.\r\nFigure 3: FAQ page with cancellation instructions\r\nFigure 4: Fake subscription cancellation page\r\nThe Excel sheet contains macros that, if enabled, will download BazaLoader.\r\nFigure 5: Malicious Excel Sheet\r\nAt this time, Proofpoint has not observed the second-stage payload in this campaign.\r\nRelated Campaigns\r\nProofpoint has observed BazaLoader threat actors using phone-based customer service representatives to direct malicious downloads since February 2021. Security researchers have dubbed this method “BazarCall”. Proofpoint has previously observed BazaLoader email threat campaigns requiring significant human interaction in order to execute the malware; the previous campaigns included subscription pharmaceutical services and lingerie and flower orders. Additionally, Proofpoint researchers have observed similar infection chains leading to the distribution of The Trick instead of BazaLoader. By leveraging attack chains that require a lot of human interaction, threat actors can bypass some automated threat detection services that only flag on malicious links or attachments in email. Proofpoint anticipates the threat actors behind BazaLoader and The Trick will continue to use these techniques in future campaigns.\r\nConclusion\r\nUsing entertainment subscription themes may be a timely and effective method for convincing users to engage with the email content and follow-on malicious documents. During the COVID-19 pandemic in 2020, subscriptions to online streaming services skyrocketed, surpassing one billion users globally last year. 
But according to recent 2021 data, consumers are using fewer services while churning through free subscriptions and cancelling when their trials run out. BazaLoader threat actors are taking advantage of this human behavior trend in the identified campaign.\r\nIndicators of Compromise\r\nIOC | Type | Description | First Observed\r\nurbancinema[.]net | Domain | Landing Page | 2021-05-05\r\nbravomovies[.]net | Domain | Landing Page | 2021-05-01\r\nbvcinema[.]net | Domain | Landing Page | 2021-05-06\r\n47.91.77[.]83 | IP | BravoMovies Website Host | 2021-05-05\r\n8.209.65[.]249 | IP | BravoMovies Website Host | 2021-05-01\r\n8.209.92[.]183 | IP | BravoMovies Website Host | 2021-05-04\r\n8.209.75[.]180 | IP | BravoMovies Website Host | 2021-05-04\r\n8.211.4[.]26 | IP | BravoMovies Website Host | 2021-05-06\r\n8.211.6[.]4 | IP | BravoMovies Website Host | 2021-05-06\r\n8.209.67[.]183 | IP | BravoMovies Website Host | 2021-05-10\r\n47.91.74[.]88 | IP | BravoMovies Website Host | 2021-05-15\r\n176.111.174[.]60 | IP | BazaLoader Excel Payload Host | 2021-05-04\r\nhxxps://18.237.242[.]195/g1_262/bt_64_g1_262 | URL | BazaLoader C2 | 2021-05-04\r\nhxxp://noise1[.]xyz/campo/n/o | URL | BazaLoader Excel Payload | 2021-05-04\r\n9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4 | SHA256 | BazaLoader Hash | 2020-04-25\r\nET Signatures:\r\n2033033 - ET TROJAN BazaLoader CnC Activity\r\n2033034 - ET TROJAN Observed Malicious SSL Cert\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/bazaflix-bazaloader-fakes-movie-streaming-service\r\n
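Added example, not from the Proofpoint post: a small Python IOC matcher that refangs the indicators in the table above and scans a proxy log for them. The log format and the sample lines are constructed for the demonstration; only the indicator values and types come from the table. Domain indicators also match subdomains, and the host part of each URL indicator is watched on its own, so a different path on the same C2 host still fires.

```python
import ipaddress
from urllib.parse import urlparse

# Indicators as published in the Proofpoint post, still defanged.
# Only the indicator text and its type are taken from the page.
DEFANGED_IOCS = [
    ('urbancinema[.]net', 'domain'),
    ('bravomovies[.]net', 'domain'),
    ('bvcinema[.]net', 'domain'),
    ('47.91.77[.]83', 'ip'),
    ('8.209.65[.]249', 'ip'),
    ('8.209.92[.]183', 'ip'),
    ('8.209.75[.]180', 'ip'),
    ('8.211.4[.]26', 'ip'),
    ('8.211.6[.]4', 'ip'),
    ('8.209.67[.]183', 'ip'),
    ('47.91.74[.]88', 'ip'),
    ('176.111.174[.]60', 'ip'),
    ('hxxps://18.237.242[.]195/g1_262/bt_64_g1_262', 'url'),
    ('hxxp://noise1[.]xyz/campo/n/o', 'url'),
]


def refang(indicator):
    # Reverse the usual defanging conventions ([.] and hxxp) so the value
    # can be compared with real log data.
    return (indicator.replace('[.]', '.')
                     .replace('hxxps://', 'https://')
                     .replace('hxxp://', 'http://'))


def build_watchlist(defanged=DEFANGED_IOCS):
    # Three lookup sets: hostnames, IP addresses, full URLs. The host of each
    # URL indicator is added to the host or IP set as well.
    domains, ips, urls = set(), set(), set()
    for ioc, kind in defanged:
        value = refang(ioc)
        if kind == 'domain':
            domains.add(value.lower())
        elif kind == 'ip':
            ips.add(str(ipaddress.ip_address(value)))
        elif kind == 'url':
            urls.add(value)
            host = urlparse(value).hostname
            if host is not None:
                try:
                    ips.add(str(ipaddress.ip_address(host)))
                except ValueError:
                    domains.add(host.lower())
    return domains, ips, urls


def host_matches(host, domains, ips):
    # Return the indicator a hostname matches, or None. A domain indicator
    # covers itself and any subdomain (for example www.bravomovies.net).
    if host in ips:
        return host
    for d in domains:
        if host == d or host.endswith('.' + d):
            return d
    return None


def scan_proxy_log(lines, watchlist):
    # Constructed line format: timestamp client method url status.
    # Returns (line_number, indicator) pairs for every hit.
    domains, ips, urls = watchlist
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        url = fields[3]
        if url in urls:
            hits.append((n, url))
            continue
        host = (urlparse(url).hostname or '').lower()
        ind = host_matches(host, domains, ips)
        if ind is not None:
            hits.append((n, ind))
    return hits


# Constructed sample lines for the demonstration; not real telemetry.
SAMPLE_LOG = [
    '2021-05-06T12:01:03Z 10.1.2.3 GET https://www.bravomovies.net/faq 200',
    '2021-05-06T12:01:09Z 10.1.2.3 GET https://www.bravomovies.net/subscribtion 200',
    '2021-05-06T12:02:41Z 10.1.2.3 GET http://noise1.xyz/campo/n/o 200',
    '2021-05-06T12:03:15Z 10.1.2.3 GET https://18.237.242.195/g1_262/bt_64_g1_262 200',
    '2021-05-06T12:03:30Z 10.1.2.3 GET https://www.example.com/ 200',
    '2021-05-06T12:04:02Z 10.1.2.7 POST http://8.209.65.249/upload 200',
]

if __name__ == '__main__':
    for n, ind in scan_proxy_log(SAMPLE_LOG, build_watchlist()):
        print(n, ind)
```

Run as-is it reports five hits out of the six sample lines (the example.com request is the only clean one). The hash indicator is deliberately left out, since file hashes belong in endpoint telemetry rather than a proxy log.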
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/bazaflix-bazaloader-fakes-movie-streaming-service"
	],
	"report_names": [
		"bazaflix-bazaloader-fakes-movie-streaming-service"
	],
	"threat_actors": [
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434205,
	"ts_updated_at": 1775791675,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2420a5ac229323bde7f484a4d9c605c183cc9f8b.pdf",
		"text": "https://archive.orkl.eu/2420a5ac229323bde7f484a4d9c605c183cc9f8b.txt",
		"img": "https://archive.orkl.eu/2420a5ac229323bde7f484a4d9c605c183cc9f8b.jpg"
	}
}