{
	"id": "23b4c3ae-9917-4433-839b-4dfbfd3e6f8c",
	"created_at": "2026-04-06T00:15:22.1295Z",
	"updated_at": "2026-04-10T03:21:40.381349Z",
	"deleted_at": null,
	"sha1_hash": "553d4ab822f7980f7cfe7937788f2579e4791830",
	"title": "BazarBackdoor sneaks in through nested RAR and ZIP archives",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3910973,
	"plain_text": "BazarBackdoor sneaks in through nested RAR and ZIP archives\r\nBy Ionut Ilascu\r\nPublished: 2021-07-14 · Archived: 2026-04-05 17:30:44 UTC\r\nSecurity researchers caught a new phishing campaign that tried to deliver the BazarBackdoor malware by using the multi-compression technique and masking the payload as an image file.\r\nThe multi-compression or nested archive method is not new but has recently gained in popularity because it can trick email security gateways into mislabeling malicious attachments as clean.\r\nIt consists of placing an archive within another. Researchers at Cofense say that this method can bypass some secure email gateways (SEGs), which may have a limit on how deep they inspect a compressed file.\r\nhttps://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/\r\nThe new BazarBackdoor campaign was deployed earlier this month and lured enterprise recipients with an “Environmental Day” theme, officially celebrated on June 5.\r\nBoth the nested ZIP and the nested RAR archive in the attachment contained a JavaScript file that ultimately delivered Trickbot’s BazarBackdoor malware, a stealthy backdoor typically used on corporate targets to provide remote access to the threat actor.\r\nCofense analyzed the recent malspam campaign and found that the role of the highly obfuscated JavaScript file was to download a payload with an image extension.\r\nCofense explains that “nesting of various archive types is purposeful by the threat actor as it has the chance of hitting the SEG’s decompression limit or fails because of an unknown archive type.”\r\nObfuscated files can also pose problems to an SEG if there are several layers of encryption for the payload, increasing the chances of the malicious file passing undetected.\r\n“Once executed, the obfuscated JavaScript would download a [BazarBackdoor] payload with a .png extension via an HTTP GET connection,” Cofense says, adding that the payload is an executable with the wrong extension.\r\nOnce deployed on a victim computer, BazarBackdoor may download and execute Cobalt Strike, a legitimate toolkit designed for post-exploitation exercises, to spread laterally in the environment.\r\nAfter gaining access to high-value systems on the network, threat actors can launch ransomware attacks, steal sensitive information, or sell the access to other cybercriminals.\r\nEarlier this year, security researchers discovered a BazarBackdoor variant written in the Nim programming language, showing the effort the Trickbot developers go to in order to keep the malware undetected and relevant to cybercriminal activities.\r\nSource: https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/"
	],
	"report_names": [
		"bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives"
	],
	"threat_actors": [],
	"ts_created_at": 1775434522,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/553d4ab822f7980f7cfe7937788f2579e4791830.pdf",
		"text": "https://archive.orkl.eu/553d4ab822f7980f7cfe7937788f2579e4791830.txt",
		"img": "https://archive.orkl.eu/553d4ab822f7980f7cfe7937788f2579e4791830.jpg"
	}
}