{
	"id": "9fca5aea-e545-4d54-a44f-3ae981c64d6b",
	"created_at": "2026-04-06T00:07:15.597689Z",
	"updated_at": "2026-04-10T13:13:07.218568Z",
	"deleted_at": null,
	"sha1_hash": "4e469c5bff9404de9c94a6fab5d18af670f958ef",
	"title": "BazarLoader Actors Initiate Contact via Contact Forms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1267038,
	"plain_text": "BazarLoader Actors Initiate Contact via Contact Forms\r\nPublished: 2022-03-09 · Archived: 2026-04-05 21:46:24 UTC\r\nWhile most cyberattacks are launched via email, attackers are always looking for new ways to make contact with potential victims. Recently, the threat intelligence team at Abnormal Security observed attacks targeting our customers that started through an online contact form.\r\nBased on our analysis, we determined that these attacks were attempting to deploy BazarLoader malware. BazarLoader is most closely associated with the cybercrime group known as Wizard Spider, credited with developing the Trickbot banking trojan and Conti ransomware.\r\nPrevious BazarLoader campaigns using customer inquiry forms were first identified in 2021, but those attempts used attention-grabbing themes to create artificial urgency. In many cases, the attackers threatened legal action for ongoing copyright violations, with the malware disguised as evidence of the misconduct. In these recent campaigns, the actors chose a much lower-key theme, pretending to be a potential customer in the ordinary course of business.\r\nAttackers Use Online Contact Form to Initiate Communication\r\nBetween December 2021 and January 2022, we identified a series of phishing campaigns targeting several of our customers. At first glance, the overall volume of messages seemed low; however, as we continued researching these attacks, it became clear that the volume was artificially deflated because email was not the initial communication method used.\r\nRather than directly sending a phishing email, the attacker in these cases initiated a conversation through an organization’s website contact form. 
In these initial contact form submissions, the attacker posed as an employee at a Canadian luxury construction company looking for a quote for a product provided by the target.\r\nThere are two primary purposes for choosing this method for initial communication.\r\n1. It disguises the communication as a request that could reasonably be expected to arrive through an online request form.\r\n2. It circumvents potential email defenses: the request reaches the inbox through the organization’s own form pipeline, i.e. from a legitimate sender, and contains nothing malicious for a gateway to flag.\r\nOnce the contact form request has been submitted by the attacker, they simply wait until someone at the target company reaches out to follow up. From the perspective of an email system, the target company is initiating the conversation with the attacker rather than the other way around, so the attacker’s later messages look like replies in a thread the victim opened.\r\nAfter Successful Contact, Attackers Send a Malicious File\r\nhttps://abnormalsecurity.com/blog/bazarloader-contact-form\r\nPage 1 of 7\r\nAfter fully establishing their cover identity via email, the threat actors continued project negotiations in an effort to convince their victim to download a malicious file. Often this involved some level of social engineering to find a download method not blocked by the victim’s security controls, without arousing suspicion.\r\nAttacker establishing their cover identity via email.\r\nWe’ve observed the attacker in these campaigns use two different file sharing services, TransferNow and WeTransfer, to try to deliver the malicious file to victims. 
If delivery fails using one of these methods, the attacker simply tries again using the other.\r\nLink to TransferNow to download the malware.\r\nBazarLoader Malware Analysis\r\nThe file shared by the threat actor is an .iso file (docs_1244.iso in the IOC list) with two components, both masquerading as a different file type. At first glance, the .iso file appears to contain a shortcut to the folder with the project and a .log file bearing the name of a legitimate Windows file as an anti-detection technique. In actuality, the two are a Windows .lnk file (Attachments.lnk) and a file named DumpStack.log that is not the legitimate Windows DumpStack.log. Windows mounts the ISO as a drive letter on double-click, and at the time of this campaign files inside a mounted ISO did not carry the Mark-of-the-Web, so the warnings that normally apply to a file saved from the browser did not apply to its contents.\r\nMalware sent via TransferNow.\r\nBecause shortcut .lnk files allow their creator to specify a target and command-line arguments that run when the shortcut is opened, cybercriminals can use them to execute commands on the victim’s device.\r\nComponents of the ISO file.\r\nIn this case, the .lnk file properties contain a command that opens a command window and invokes regsvr32.exe on the file named DumpStack.log. In reality, it is a BazarLoader Dynamic-link library (DLL): regsvr32.exe loads whatever path it is given as a DLL and calls its DllRegisterServer export regardless of the file extension, so the .log name does not prevent execution.\r\nWith a process injection technique, the DLL injects into svchost.exe to evade detection and establishes a connection with the command and control (C2) server at the IP address 13[.]107[.]21[.]200 using port 443.\r\nsvchost.exe process.\r\nConnection established with C2.\r\nConnection established using port 443.\r\nAt the time of this investigation, some of the C2 IP addresses were down, and the others were not able to download the second stage of the attack. This leaves some level of uncertainty as to the intended second stage malware payload. 
However, the graph below, in which the IP address 13[.]107[.]21[.]200 is shown in red, reveals previous links between that address and malware.\r\nMalware previously related to the IP address 13[.]107[.]21[.]200 has included the following:\r\nBased on this, it’s clear that the threat actors were attempting to execute a multi-stage attack with BazarLoader as a first step.\r\nThe BazarLoader Bottom Line\r\nThe actors in this campaign attempted to improve their credibility by using customer contact forms to establish their identity as a trusted sender. Then, they sent emails from lookalike domains to impersonate a known business. These domains were difficult to detect because they were identical to the legitimate company’s domain apart from the top-level domain, which was changed from .com to .us to trick users.\r\nAfter infecting their victim with the dropper malware BazarLoader, the trail unfortunately goes cold. However, we can make some educated guesses as to what they intended to happen next. BazarLoader is usually the first stage in a more sophisticated, multi-stage malware attack, often used to deploy Conti ransomware or Cobalt Strike, for example.\r\nThese tools, used separately or in conjunction, help threat actors penetrate networks. At that point, the possibilities for chaos are myriad. 
Consequences range from unauthorized payments and fund transfers to total system shutdown and even persistent long-term network intrusion.\r\nIndicators of Compromise (IOCs)\r\nIP addresses:\r\n104[.]215[.]148[.]63\r\n45[.]15[.]131[.]126\r\n148[.]163[.]42[.]203\r\n45[.]41[.]204[.]150\r\n193[.]169[.]86[.]84\r\n76[.]6[.]231[.]20\r\n131[.]253[.]33[.]200\r\n72[.]21[.]91[.]29\r\nFiles (SHA256):\r\ndocs_1244.iso 97806F6DA402F135FA0556ADF5809D6D3BC629E967A0771B9FEB5BA55267D560\r\nDumpStack.log 8395B26BE4A7D57F9B60839257C3E7B9E6756DBBEB818DE6575987D6E041C8FD\r\nAttachments.lnk CE6E63191588E449DE4AB45FF4D32E1BBD1C67681C74C32DE3A4DB63331278CC\r\nSource: https://abnormalsecurity.com/blog/bazarloader-contact-form",
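	"editor_example": "Added example, not code from the Abnormal Security post: a small Python detection pass that turns the defanged IOCs in the report back into matchable values and replays the execution chain the analysis describes (regsvr32.exe handed a .log file, that file loaded as a module from a mounted ISO, svchost.exe connecting to a listed address on port 443) over constructed Sysmon-style events. The pipe-separated event format and the sample events are invented for the demo; the IP addresses, file names and SHA256 hashes are the ones the report publishes.

```python
# Added example (editor's illustration, not code from the Abnormal Security post).
# It turns the report's defanged IOCs into matchable values and runs three
# detections over Sysmon-style events: regsvr32.exe given a non-DLL target,
# a loaded module whose SHA256 is on the list, and an outbound connection
# to a listed IP. The pipe-separated event format and every sample event
# below are constructed for this demo, not real telemetry; the IPs, file
# names and hashes are the ones the report publishes.

BS = chr(92)  # a single backslash, spelled out so the sample text has no escapes

DEFANGED_IPS = [
    '13[.]107[.]21[.]200', '104[.]215[.]148[.]63', '45[.]15[.]131[.]126',
    '148[.]163[.]42[.]203', '45[.]41[.]204[.]150', '193[.]169[.]86[.]84',
    '76[.]6[.]231[.]20', '131[.]253[.]33[.]200', '72[.]21[.]91[.]29',
]
BAD_SHA256 = {
    '97806F6DA402F135FA0556ADF5809D6D3BC629E967A0771B9FEB5BA55267D560': 'docs_1244.iso',
    '8395B26BE4A7D57F9B60839257C3E7B9E6756DBBEB818DE6575987D6E041C8FD': 'DumpStack.log',
    'CE6E63191588E449DE4AB45FF4D32E1BBD1C67681C74C32DE3A4DB63331278CC': 'Attachments.lnk',
}
# regsvr32 normally registers COM servers with these extensions; it will load
# any file it is handed, so a .log target is the thing to alert on.
REGSVR32_NORMAL_EXT = ('.dll', '.ocx', '.ax')


def refang(indicator):
    '''Reverse the usual defanging so the indicator matches raw log values.'''
    return indicator.replace('[.]', '.').replace('hxxp', 'http')


def basename(path):
    '''Last path component, case-folded; accepts both path separators.'''
    return path.replace('/', BS).rsplit(BS, 1)[-1].lower()


def parse_event(line):
    '''Parse one constructed key=value|key=value event line into a dict.'''
    event = {}
    for part in line.split('|'):
        key, _, value = part.partition('=')
        event[key.strip()] = value.strip()
    return event


def sha256_of(hashes_field):
    '''Pull the SHA256 out of a Sysmon Hashes field such as MD5=..,SHA256=..'''
    for item in hashes_field.split(','):
        name, _, value = item.partition('=')
        if name.strip().upper() == 'SHA256':
            return value.strip().upper()
    return ''


def check_event(event, bad_ips):
    '''Return a list of (rule, detail) hits for one parsed event.'''
    hits = []
    event_id = event.get('EventID')
    image = basename(event.get('Image', ''))
    if event_id == '1' and image == 'regsvr32.exe':
        # drop argv[0] and switches such as /s or /i; what remains is the target
        targets = [a for a in event.get('CommandLine', '').split()[1:]
                   if not a.startswith('/')]
        for target in targets:
            if not basename(target).endswith(REGSVR32_NORMAL_EXT):
                hits.append(('regsvr32_non_dll_target', target))
    if event_id == '7':
        digest = sha256_of(event.get('Hashes', ''))
        if digest in BAD_SHA256:
            hits.append(('known_bad_module', BAD_SHA256[digest]))
    if event_id == '3' and event.get('DestinationIp') in bad_ips:
        hits.append(('listed_c2_ip', event['DestinationIp']))
    return hits


def scan(lines):
    '''Run every rule over every line; returns [(line_no, rule, detail), ...].'''
    bad_ips = {refang(ip) for ip in DEFANGED_IPS}
    results = []
    for number, line in enumerate(lines, 1):
        for rule, detail in check_event(parse_event(line), bad_ips):
            results.append((number, rule, detail))
    return results


SYS32 = BS.join(['C:', 'Windows', 'System32'])
SAMPLE_EVENTS = [  # constructed; mirrors the chain described in the report
    'EventID=1|Image=' + SYS32 + BS + 'regsvr32.exe'
    + '|CommandLine=regsvr32.exe /s DumpStack.log',
    'EventID=7|Image=' + SYS32 + BS + 'regsvr32.exe'
    + '|ImageLoaded=E:' + BS + 'DumpStack.log'
    + '|Hashes=SHA256=8395B26BE4A7D57F9B60839257C3E7B9E6756DBBEB818DE6575987D6E041C8FD',
    'EventID=3|Image=' + SYS32 + BS + 'svchost.exe'
    + '|DestinationIp=13.107.21.200|DestinationPort=443',
    'EventID=1|Image=' + SYS32 + BS + 'regsvr32.exe'
    + '|CommandLine=regsvr32.exe /s vendor.dll',  # benign control
    'EventID=3|Image=' + SYS32 + BS + 'svchost.exe'
    + '|DestinationIp=10.0.0.5|DestinationPort=443',  # benign control
]

if __name__ == '__main__':
    for line_no, rule, detail in scan(SAMPLE_EVENTS):
        print(line_no, rule, detail)
```

Treat the IP matches as leads to verify (owner, reverse DNS, traffic volume) rather than block-list entries: some of the listed addresses sit in large cloud provider ranges, and a hash or command-line match is far stronger evidence than a destination IP alone.",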
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://abnormalsecurity.com/blog/bazarloader-contact-form"
	],
	"report_names": [
		"bazarloader-contact-form"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434035,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e469c5bff9404de9c94a6fab5d18af670f958ef.pdf",
		"text": "https://archive.orkl.eu/4e469c5bff9404de9c94a6fab5d18af670f958ef.txt",
		"img": "https://archive.orkl.eu/4e469c5bff9404de9c94a6fab5d18af670f958ef.jpg"
	}
}