{
	"id": "053c6a9d-1752-4ed8-9a62-a7eccdd4ab4d",
	"created_at": "2026-04-06T00:15:34.958867Z",
	"updated_at": "2026-04-10T03:23:52.232033Z",
	"deleted_at": null,
	"sha1_hash": "40138e48a38dbc9265d1e3c9ccb16aba051cde97",
	"title": "Phishing campaign threatens job security, drops Bazar and Buer Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1242447,
	"plain_text": "Phishing campaign threatens job security, drops Bazar and Buer Malware\r\nBy Elaine Dzuba\r\nPublished: 2020-11-09 · Archived: 2026-04-05 18:52:45 UTC\r\n7 min read\r\nThis blog originally appeared in November 2020 on the Area 1 Security website, and was issued in advance of\r\nCloudflare's acquisition of Area 1 Security on April 1, 2022. Learn more.\r\n“You’re fired……NOT!” An ongoing and rapidly evolving spear phishing campaign, hitting companies across\r\nindustry verticals, is threatening targets with false claims of employment termination due to economic impacts\r\nfrom the global pandemic, among numerous other coercive tactics. The goal of the attacker is to intimidate\r\nemployees into clicking on a link that will ultimately lead to Bazar or Buer malware infections by way of\r\nTrickbot.\r\nResearchers at Zscaler ThreatLabZ noted this is the first time they have seen the two malware strains together.\r\nAdditionally, they have associated this attack with the Trickbot gang, known to use a combination of different\r\nmalware groups and bots to conduct attacks.\r\nWhile Trickbot started out as a banking trojan, known for hijacking victims’ browser sessions once logged into\r\ntheir banking website, it has since been repeatedly repurposed for other objectives, including the ability to spread\r\nransomware. This particularly maniacal and disruptive aspect of Trickbot functionality makes it a top contender\r\nfor possible threats to the upcoming 2020 presidential election.\r\nhttps://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/\r\nPage 1 of 10\n\nWith ransomware as an option, Trickbot poses a significant threat to U.S. election infrastructure. The malware’s\r\noperators have the ability to compromise a massive number of voting machines during critical times in vote\r\ncounting, undermining trust in the result.\r\n
That, or they may even be able to disrupt the voting process altogether\r\nby affecting entire voting locations, preventing large portions of the voter population from casting their ballots.\r\nThis could explain the recent wave of Trickbot takedown efforts. A report from KrebsOnSecurity provided details\r\nof an operation that likely began on September 22nd and is conjectured to be a government counterstrike against\r\nthe actors behind Trickbot. This activity, first identified by Intel471 and possibly conducted by the U.S. Cyber\r\nCommand, attempted to disrupt Trickbot infrastructure by forcing the botnet’s controllers to issue bogus\r\nconfigurations.\r\nThese configurations swapped real controller IP addresses for the localhost address (127.0.0.1), preventing bots\r\nfrom calling home to receive commands. Not long after the phony configurations were sent, all known controllers\r\nappeared to have stopped properly responding to bot requests, suggesting the overall activity was a concerted,\r\nintentional effort to disrupt this pervasive botnet’s operations.\r\nAnother attempt was made on October 1st, presumably by U.S. Cyber Command, that similarly altered the\r\ncontroller IP addresses needed to receive commands. Compounding the effects of this effort, Microsoft also\r\nattempted disruptions of Trickbot infrastructure by obtaining a court order to disable the botnet’s IP addresses,\r\namong other actions. Most recently, Microsoft issued an update that they successfully took down 62 of the 69\r\nTrickbot servers around the world, with the remaining being unorthodox IoT devices.\r\nHowever, these attempts reportedly would only have a short-term effect on Trickbot controllers since its operators\r\nuse decentralized infrastructure that communicates over Tor, with blockchain-based EmerDNS as a fallback that is\r\nresistant to takedowns.\r\n
Additionally, Ars Technica reports that Trickbot controllers are beginning to host their\r\nmalware on other e-criminals’ servers.\r\nUnsurprisingly, not long after the various Trickbot takedown operations occurred, Area 1 Security identified a\r\nprolific phishing campaign that intended to spread Bazar and Buer payloads via Trickbot. Worse yet, this newer\r\nstealthy malware in the Trickbot gang’s arsenal of tools can be used to deploy additional malware, including\r\nransomware.\r\nArea 1 Security researchers found evidence that the Bazar loader dropped in this campaign will not continue with\r\nthe infection if the locale of the victim’s device is in Russia, a common tactic seen with Trickbot. In fact,\r\ncybersecurity researchers believe Trickbot is the handiwork of cybercriminals operating out of Russia. Since at least\r\n2019, this group has been responsible for a surge in ransomware attacks targeting school systems, local\r\ngovernments and even law enforcement agencies in the United States.\r\nWhile these e-criminal groups have always been operating at some level in recent years, their activity has surged\r\nin the lead-up to the 2020 Presidential election. This suggests that entities involved in the U.S. election are prime\r\ntargets for foreign adversaries, both nation-state and cybercriminal groups alike.\r\nLining up with the recent FBI/DNI press conference, Russian and Iranian state-sponsored groups are confirmed to\r\nhave exfiltrated voter registration information. Additionally, these nations are behind separate email spoofing\r\ncampaigns designed to undermine faith in the U.S. election.\r\nAt the moment, it is unclear if the phishing campaign that Area 1 Security identified is being carried out by any of\r\nthese groups or if it is purposefully targeting election administrators.\r\n
Regardless, state and local election\r\nadministrators should be extra vigilant as they tend to be highly vulnerable to phishing attacks, as highlighted in a\r\nrecent Area 1 Security phishing report.\r\nThreatening Lures\r\nThis campaign employs a number of lures that threaten job security in order to intimidate targets into clicking on\r\nthe provided URL. The phishing messages are very simple in their demand and appear to originate from persons\r\nof authority within the targeted company, as seen in Figure 1.\r\nFigure 1. Phishing Messages That Threaten Job Security\r\nThe messages identified in this campaign are based on eliciting fear from the target audience, focusing on either\r\nemployment termination or customer complaints. The current work-from-home operating model, and the resultant\r\ndecrease in face-to-face contact, gives attackers the advantage by making email delivery of these types of\r\n“employment notifications” all the more believable.\r\nTargets of this campaign could potentially believe that the post-COVID shake-up in their organizations is the\r\nreason they’re being let go. With many businesses closing down unusable office space, combined with an\r\neconomic recession, there is enough plausibility for this wide-ranging attack to fool employees into believing that\r\ntheir position may be part of the now all-too-common budget cuts.\r\nIt's possible this Bazar and Buer campaign is part of the Trickbot operations that Microsoft and other partners are\r\ntrying to defeat. If so, the activity Area 1 Security observed only further proves just how difficult it can be to\r\ncounteract these complex operations. A litany of unique and ever-changing email accounts and IP addresses is at\r\nthe threat actor's disposal.\r\n
Despite the previously mentioned efforts to neutralize Trickbot controllers, the\r\ninfrastructure used to support this particular campaign (if associated in any way) was hardly affected, and the\r\nattacker seems to have promptly resumed operations.\r\nWhile disruption operations may have worked a decade ago, the Trickbot gang and other groups that rely on their\r\nMalware-as-a-Service (MaaS) offering are equipped with the necessary skills to continue their attacks without a\r\nhitch. Current botnets have all the professionalism of any IT company. They’re able to manage disruptions and\r\nbring back services with continuity planning, backups, automated deployment, and a dedicated workforce.\r\nThe campaign noted above centered on termination-related documents available at a provided URL. When\r\nclicked, the link directs the victim’s browser to either Google Docs or Constant Contact. By not attaching the\r\nmalware as a file to the email, the attacker is able to bypass file scanning detections. Moreover, the use of\r\ncommon cloud-based hosting services allows the attacker to circumvent URL scanning techniques, and also\r\nenables them to easily create new malicious links in the event that their URLs are identified as phishing pages.\r\nThe Google Docs or Constant Contact link in the email leads to a decoy preview page, as shown in Figure 2, that\r\nprompts the victim to open a list of terminated employees. The decoy also cleverly displays the often seen “If\r\ndownload does not start, click here”. This link is where the malware is actually being hosted.\r\nFigure 2. Google Doc Decoy Preview Page with Redirect Link\r\nAnalysis of Malware\r\nAs seen in the figure below, after clicking on the link found in the online document, the victim is presented with a\r\ndialog box to run the file.\r\n
The file is actually a malicious PE32+ executable that is designed to run on all Windows\r\nsystems.\r\nFigure 3. Gaining Run Permission\r\nAfter clicking “Run”, a series of events will take place on the victim’s device that will ultimately lead to\r\ninstallation of the Bazar backdoor or Buer loader.\r\nFirst, the PE32+ executable noted above will decrypt the payload using an RC4 cipher, a portion of which is\r\nprovided in Figure 4 below. The payload happens to be none other than Trickbot, and a different RC4 key is used\r\nfor each iteration of the malware.\r\nFigure 4. RC4 decryption of Trickbot Payload\r\nAs detailed in Figure 5, Area 1 Security researchers identified the string “dave” at the end of the Trickbot payload\r\nin memory, which is consistent with prior reporting on techniques employed by Emotet and Trickbot malware\r\ndevelopers. This string reveals the attacker’s use of a custom packer to compress and encrypt the file, making it\r\ndifficult for malware analysts to reverse engineer the payload.\r\nFigure 5. “Dave” signature\r\nDespite this anti-reversing technique, Area 1 Security discovered the Trickbot payload attempts to further infect\r\nthe victim device by decrypting and running the BazarLoader. Loaders are an essential component that allows\r\nattackers to gain a foothold in a network and enable subsequent, more persistent infection via their command and\r\ncontrol servers. This tactic opts for stealth by initially loading as little functionality as necessary.\r\nIn this case, the BazarLoader in turn attempts to download the Bazar backdoor via a blockchain DNS lookup table.\r\nThis is a great tactic for attackers as it circumvents the need for traditional ISPs. Similar to Bitcoin, top-level\r\ndomains (TLDs) like .bit, .bazar, and .coin are not owned by a single authority but instead shared over peer-to-peer networks.\r\n
This offers users the ability to bypass censorship and other government restrictions, but also\r\nprovides a platform for attackers to conduct illicit activities that are safe from countermeasures.\r\nAs shown in Figure 6, to download the backdoor, the loader loops through eight unique IP addresses and five\r\ndomains under the EmerDNS .bazar TLD.\r\nFigure 6. Outbound Connections to Download the Bazar Backdoor\r\nThe second-level domains consist of 12 alphabetical characters that are generated using a specific domain\r\ngeneration algorithm. The malware runs through the list of generated .bazar domains to find one that is still\r\nactively hosting the backdoor.\r\nOnce the backdoor is downloaded and successfully run, the attacker can carry out any number of devious acts,\r\nincluding remotely executing commands, exfiltrating sensitive data, and deploying other payloads. These\r\nadditional payloads range anywhere from post-exploitation frameworks like CobaltStrike to ransomware like\r\nRyuk.\r\nIn fact, Trickbot is known to deliver Ryuk ransomware to devices via BazarLoader. In one instance, after the\r\ninitial Bazar infection, attackers exploited a recently disclosed vulnerability to escalate privileges and gain\r\ndomain-wide ransomware infection just 5 hours after sending their phishing message. This is unfortunately just\r\none of many possible outcomes that can result from successful infection via the phishing campaign Area 1\r\nSecurity has observed.\r\nRecommendations\r\nBy leveraging a number of stealthy techniques, the threat actors behind this campaign have been able to easily\r\nevade legacy vendors and cloud email providers.\r\n
Linking to legitimate, cloud-based sites within the phishing\r\nmessages, combined with the use of takedown- and sinkhole-resistant EmerDNS TLDs, makes this a particularly\r\ndifficult campaign to detect.\r\nArea 1 Security's advanced Machine Learning and Artificial Intelligence technology allows our algorithms to\r\nuncover the clever tactics seen in this campaign, enabling us to block the messages in real time versus waiting\r\ndays or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop\r\nphishing attempts at delivery time. This means malware like Trickbot, the Bazar backdoor, and follow-on\r\ninfection with ransomware, never have the opportunity to make their way onto our customers’ devices. Our\r\nsolution has many advantages over post-delivery retraction in that the user is never exposed to the attack.\r\nIndicators of Compromise\r\nPhishing Email Subject Lines:\r\nRe: Termination List\r\nRE: termination,\r\nRe: my visit and call\r\nRe: meeting of\r\nRE: office\r\nRE: office,\r\nMalicious PE32+ Executable Linked to in Decoy Document:\r\nSHA1: 895d84fc6015a9ad8d1507a99fb44350fb462c79\r\nSHA256: a3b2528b5e31ab1b82e68247a90ddce9a1237b2994ec739beb096f71d58e3d5b\r\nMD5: dbdb5ddd07075b5b607460ea441cea19\r\nSites Hosting Malicious PE32+ Executable:\r\nhxxps://tees321[.]com/Document3-90[.]exe\r\nhxxps://centraldispatchinc[.]com/Report10-13[.]exe\r\nhxxps://www[.]4rentorlando[.]com/Text_Report[.]exe\r\nMalicious Links in Phishing Messages:\r\nhxxps://files[.]constantcontact[.]com/0d2efd83801/50f95d03-8af1-4396-ac84-d6a7f1212026[.]pdf\r\nhxxps://docs[.]google[.]com/document/d/e/2PACX-1vQzFpGbLRNSIpbklM51_9P78DJbhxmMLeMzQUJxX9roupKMn3xYX1ZBEjP2Jo5_CHbzoqIdVnwPeazU/pub\r\nhxxps://docs[.]google[.]com/document/d/e/2PACX-1vRhLU8Ar86crHTwsP7rSyStmTABnsPtQ4q3Mic9UIZN-hz06cO8fuzsiiEus9seLQHDU4T51YGcejNU/pub\r\nhxxps://docs[.]google[.]com/document/d/e/2PACX-1vTVCHKzmdSD2wX03GTnyBToo4xvldfGqtFWZiz5bT5cTRozW4Xk5H6GER0GmscSPqnpyFtokphDl-_U/pub\r\nhxxps://files[.]constantcontact[.]com/5e536f60101/8c5d270a-897a-4ac8-845a-86c920bf229c[.]pdf\r\nhxxps://files[.]constantcontact[.]com/defde16c001/0aa90d3a-932f-4343-8661-22e4f6488705[.]pdf\r\nhxxps://docs[.]google[.]com/document/d/e/2PACX-1vSlUktRROV3hU60c_n8LWFpOQBdyJj-N10g4tn14hBfmdaiRGKL9rc4vnTRYdLErwU0AHt7WwbzwU9q/pub\r\nhxxps://docs[.]google[.]com/document/d/e/2PACX-1vRFLfuWRihaQHjGEPs8-Dm7Y3VxEFRpiUJuJmD9Vm6y3xVSSG9Vc3XxRnbyHQzIoWQ_5REbdDbkOq0s/pub\r\nOutbound BazarLoader DNS Requests (Port 53):\r\n95[.]174[.]65[.]241:53\r\n195[.]16[.]195[.]195:53\r\n192[.]71[.]245[.]208:53\r\n176[.]126[.]70[.]119:53\r\n151[.]80[.]222[.]79:53\r\n94[.]16[.]114[.]254:53\r\n193[.]183[.]98[.]66:53\r\n51[.]254[.]25[.]115:53\r\nBlockchain Domains:\r\nbdfgimbfhgio[.]bazar\r\ndcehjldeghjn[.]bazar\r\nbdfgjlbfhgjn[.]bazar\r\nadehklafghkn[.]bazar\r\nceggilcgigin[.]bazar\r\nSource: https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/"
	],
	"report_names": [
		"trickbot-spear-phishing-drops-bazar-buer-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434534,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40138e48a38dbc9265d1e3c9ccb16aba051cde97.pdf",
		"text": "https://archive.orkl.eu/40138e48a38dbc9265d1e3c9ccb16aba051cde97.txt",
		"img": "https://archive.orkl.eu/40138e48a38dbc9265d1e3c9ccb16aba051cde97.jpg"
	}
}