{
	"id": "6985164e-947f-4d1c-9268-60ef6a9f5395",
	"created_at": "2026-04-06T00:18:52.630164Z",
	"updated_at": "2026-04-10T03:27:55.927576Z",
	"deleted_at": null,
	"sha1_hash": "50a30d3719804cf32375c7e607fdda2c32b95475",
	"title": "Campo Loader - Simple but effective",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1926158,
	"plain_text": "Campo Loader - Simple but effective\r\nArchived: 2026-04-05 19:47:53 UTC\r\nCampo Loader is a simple but effective malware distribution chain that has been used in tandem with BazarCall to\r\nspread malware such as TrickBot and BazarLoader.\r\nCampo Loader has been a piece of malware I've been following for quite some time. I've seen the malware develop\r\nto the point described within this post. I would like to say thank you to ViriBack \u0026 ExecuteMalware for\r\nassistance in crafting this post and as always a huge thank you to Steved3 for reviewing and editing this post.\r\nOverview\r\nCampo Loader, also known as Redirected, OpenField, and Baza Loader, is a tool used to deliver malware from a\r\nfirst stage payload. This malware has been seen spreading TrickBot, Gozi, and Zloader. Campo Loader appears to\r\nbe a malware distribution as a service operation, targeting specific countries per campaign. Countries that have\r\nbeen targeted include Italy, Japan and the United States. The infection begins with an email spam campaign known\r\nas Bazar Call.\r\nFigure 1: Bazar Call Lure\r\nhttps://fr3d.hk/blog/campo-loader-simple-but-effective\r\nPage 1 of 5\n\nAs shown in Figure 1, the lure refers to an ongoing subscription that is set to be automatically renewed. In\r\norder to cancel, the victim must call a phone number where they will be told to download and open a macro\r\nspreadsheet. A good example of this can be found within this video. When a victim enables the macros within the\r\nspreadsheet, the Campo Loader infection chain starts. Campo Loader uses one of two different chains, depending on\r\nwhether the final payload is an executable or a DLL.\r\nEXE Loader\r\nWhen Campo Loader drops an executable onto the victim it will use an intermediary DLL to download and\r\nexecute a payload provided by the C2. 
When a victim enables the macro content within the spreadsheet the\r\nfollowing macro is run:\r\nFigure 2: Spreadsheet Macros (Executable)\r\nThe spreadsheet drops a PDI file into the public directory. The macro in Figure 2 uses certutil to decode the\r\ndropped file into a DLL. The DLL that is produced from this is an intermediary file used to download\r\nand execute the final payload. Looking at the main code of the dropped DLL, we see the following:\r\nFigure 3: Main of dropped DLL\r\nWithin Figure 3, we can see the DLL first resolving its imports and then creating a directory to drop the final payload into.\r\nAfter the directory has been created, it will proceed to execute a function I have named DownloadAndExecute.\r\nFigure 4: Download and execute function\r\nThe malware uses a simple socket function to create an HTTP POST request to the predefined C2, seen in line\r\nnumber 9. Campo Loader makes a first request to the C2 to check that it is alive. If the loader C2 is alive, then Campo\r\nLoader will make a second request to it, download the provided payload, and drop it to disk. This payload is\r\nthen executed with CreateProcessA within the function I have named CreateProcess (see Figure 4).\r\nDLL Loader\r\nCampo Loader does not use an intermediary DLL when it attempts to download and execute a DLL. The macro\r\ncode within the spreadsheet changes to accommodate a final payload of a DLL.\r\nFigure 5: Spreadsheet macros (DLL)\r\nAs seen in Figure 5, the download and execution of a DLL is much simpler than the executable process.\r\nThe spreadsheet macros begin by creating a directory where the malware will drop the payload. Then they proceed\r\nto use the Windows function URLDownloadToFileA to retrieve the final payload and place it within the previously\r\ncreated directory. 
After the final payload has been retrieved the malware will then execute it with ShellExecuteA.\r\nPanel \u0026 Geofence\r\nWhat makes Campo Loader interesting is the C2 from which the malware retrieves its payload. The malware\r\nalways requests a URL that contains the Spanish word campo, meaning countryside, hence the name Campo\r\nLoader. The C2 is thought to have some kind of geofence that redirects the incoming request to\r\nwebsites such as Yahoo and UPS if the request does not meet certain criteria.\r\nIf a request does meet the criteria, then the C2 will either serve the payload from local storage, or\r\nredirect to a site that has been compromised with a web shell. This web shell is used to upload payloads to the site\r\nso that Campo Loader can then use it as a malware host. This process of redirection is reflected in the name\r\non the C2 panel.\r\nFigure 6: C2 panel login\r\nThe C2 panel has a title of Redirected, which may describe the C2's process of redirecting an incoming\r\nrequest to a separate malware host. The panel also seems to have the capability of email spam and other spreading\r\nmethods, but these have not been observed in use.\r\nThe C2 panels have been moved between different hosting providers; below is a list of the hosts and the dates of each move.\r\n1. (09-09-2020) DigitalOcean\r\n2. (22-12-2020) Hetzner\r\n3. (24-12-2020) Linode\r\n4. (25-02-2021) ITLDC\r\n5. (17-03-2021) Sayda\r\nA history of C2s, IPs and hosts can be found in the following file (link) kindly provided by ViriBack.\r\nEpilogue\r\nCampo Loader is a demonstration of the phrase \"less is more\". The malware uses simplistic methods to effectively\r\ndeliver malware to victims. The combination of the malware being used with call scams will also make the\r\nprocess of detection much easier. 
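The two chains described above give a defender a small set of host and network observables: Excel spawning certutil -decode on a dropped file, an HTTP POST to a URL whose path contains campo, and a decoy redirect to Yahoo or UPS when the geofence rejects the client. The Python below is an added example written for this page, not code from the original post or from the Campo Loader operators; it runs those heuristics over a handful of constructed key=value telemetry records (the record format, the sample lines and the decoy-host list are assumptions made for the example) and returns every hit.

```python
from urllib.parse import urlsplit

# Constructed sample telemetry for this example (not taken from the original post):
# process-creation and proxy records flattened to key=value pairs. Forward slashes
# in the Windows paths are only there to keep the sample readable.
SAMPLE_EVENTS = [
    'type=process parent=EXCEL.EXE image=certutil.exe cmdline=certutil -decode C:/Users/Public/report.pdi C:/Users/Public/report.dll',
    'type=process parent=EXCEL.EXE image=cmd.exe cmdline=cmd /c dir C:/Users/Public',
    'type=http method=POST url=http://ballpro.xyz/campo/check.php status=200 location=',
    'type=http method=POST url=http://example.test/campo/get.php status=302 location=https://www.yahoo.com/',
    'type=http method=GET url=http://example.test/index.html status=200 location=',
]

# Decoy destinations the post says the geofenced C2 redirects unwanted requests to
# (assumed host names for the example).
DECOY_HOSTS = ('yahoo.com', 'ups.com')


def parse_event(line):
    # Split a flattened record back into fields. A token that looks like name=value
    # starts a new field; any other token (e.g. the arguments inside cmdline) is
    # appended to the field currently being read.
    fields = {}
    key = None
    for token in line.split(' '):
        name, sep, value = token.partition('=')
        if sep and name.isidentifier():
            key = name
            fields[key] = value
        elif key is not None:
            fields[key] = fields[key] + ' ' + token
    return fields


def rule_certutil_decode_from_excel(ev):
    # EXE chain: the macro calls certutil to base64-decode the dropped .pdi file into a
    # DLL, so certutil -decode with Excel as the parent is the first host observable.
    if ev.get('type') != 'process':
        return None
    if ev.get('parent', '').lower() != 'excel.exe':
        return None
    cmd = ev.get('cmdline', '').lower()
    if 'certutil' not in cmd or '-decode' not in cmd:
        return None
    return 'certutil -decode spawned by Excel (macro decoding a dropped payload)'


def rule_campo_post(ev):
    # Both chains fetch the payload from a C2 URL whose path contains the word campo.
    # A decoy redirect on such a request suggests the geofence rejected the client.
    if ev.get('type') != 'http' or ev.get('method', '').upper() != 'POST':
        return None
    path = urlsplit(ev.get('url', '')).path.lower()
    if 'campo' not in path:
        return None
    location = ev.get('location', '').lower()
    if any(host in location for host in DECOY_HOSTS):
        return 'POST to campo URL answered with a decoy redirect (geofence likely rejected the request)'
    return 'POST to campo URL (Campo Loader C2 check-in or payload fetch)'


RULES = (rule_certutil_decode_from_excel, rule_campo_post)


def scan(lines):
    # Run every rule over every record; return (record index, rule name, message) hits.
    hits = []
    for index, line in enumerate(lines):
        ev = parse_event(line)
        for rule in RULES:
            message = rule(ev)
            if message:
                hits.append((index, rule.__name__, message))
    return hits


if __name__ == '__main__':
    for index, rule_name, message in scan(SAMPLE_EVENTS):
        print(index, rule_name, message)
```

The rules are deliberately narrow so that they match only what the post describes. In production the certutil rule would key on any Office parent and be paired with a check that the decoded output is subsequently loaded, and a campo POST answered with a decoy redirect is worth recording on its own, since it usually means the requesting network fell outside the campaign's target geography rather than that the infrastructure is dead.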
Thank you for reading.\r\nIOCS:\r\n67f0f93d82bcc598f5ea9186cf76ec54\r\n8a3364bafa63166394862068b05f5469\r\nballpro.xyz\r\nSource: https://fr3d.hk/blog/campo-loader-simple-but-effective",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://fr3d.hk/blog/campo-loader-simple-but-effective"
	],
	"report_names": [
		"campo-loader-simple-but-effective"
	],
	"threat_actors": [
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775791675,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50a30d3719804cf32375c7e607fdda2c32b95475.pdf",
		"text": "https://archive.orkl.eu/50a30d3719804cf32375c7e607fdda2c32b95475.txt",
		"img": "https://archive.orkl.eu/50a30d3719804cf32375c7e607fdda2c32b95475.jpg"
	}
}