{
	"id": "8a9e5747-4cf7-4d24-9bc8-d023f907c093",
	"created_at": "2026-04-06T00:08:31.729938Z",
	"updated_at": "2026-04-10T03:20:25.871599Z",
	"deleted_at": null,
	"sha1_hash": "565d024ad645f01ccf09ba22d105111b9627afaf",
	"title": "24/7 managed detection, response, and expert cybersecurity services - GoSecure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87707,
	"plain_text": "24/7 managed detection, response, and expert cybersecurity services - GoSecure\r\nArchived: 2026-04-05 16:45:06 UTC\r\nPreface\r\nOur Inbox Detection and Response (IDR) team has observed a new BazarLoader campaign targeting the information technology, aeronautic and financial industries. The IDR team has successfully blocked over 550 thousand BazarLoader malspam emails throughout this campaign alone.\r\nGoSecure researchers received a sample from the IDR team which was suspected of being BazarLoader, named Report Preview15-10.exe, on 2020-10-06. Shortly after, GoSecure researchers received yet another BazarLoader sample on 2020-10-08 named Document2-85.exe, which exhibited similar behavior.\r\nAnalysis\r\nThe initial infection vector, which has been observed by our Inbox Detection and Response (IDR) team, is via malspam containing fake employment termination notices and anonymous surveys. The threat actor(s) primarily use Google Drive and Google Docs to distribute their malicious payloads. The employment termination malspam was observed on October 6, 2020 and the anonymous survey malspam was observed on October 8, 2020. This can be seen in Figure 1 and Figure 2.\r\nFigure 1: BazarLoader Employment Termination Malspam\r\nFigure 2: BazarLoader Fake Anonymous Survey\r\nWe will first analyze the employment termination malspam.\r\nOnce the user clicks the link, they will be redirected to hxxps://docs[.]google[.]com/document/d/e/2PACX-1vR_9tGGWDcS1ZyIuiGpMQg2Sv9nRWempyUKuQ1iyJp_HHt1C87OPirnO7EImnOW6ILbrmHXUpl_OIxQ/pub to download an executable.\r\nThe executable Review_Report15-10.exe (3c27fca6d9cf1379eee93e6fea339e61) will appear as a PDF document to users who do not have file name extensions displayed in Windows, as seen in Figure 3.\r\nFigure 3: Stage 1 PDF Icon Lure\r\nTo help obfuscate its purpose, BazarLoader appears to be bound or obfuscated with legitimate resources from YUVPlayer (a lightweight YUV player which supports various YUV formats). An example of this can be seen in Figure 4.\r\nFigure 4: YUVPlayer Dialog Embedded Resource\r\nOnce executed, the legitimate application or dialogs will not be shown to the user. Instead, it will call advapi32.CryptHashData using the string s_)q03vcOm95^+Rj3dG_Jx@k0GGwYOIddH_14025b520 as the data to create a hash using the PROV_RSA_FULL Windows cryptographic provider. Once the hash is created, it will create a key using advapi32.CryptDeriveKey. It will then obtain a handle to the current process for the purpose of allocating memory with PAGE_EXECUTE_READWRITE permissions. The next function is responsible for copying the shellcode from the .data section to the newly allocated memory location. Once the encrypted shellcode has been copied to executable memory, it will then use advapi32.CryptEncrypt to decrypt the shellcode. Once the shellcode has been successfully decrypted, it will execute the shellcode.\r\nFigure 5: BazarLoader Shellcode Decryption Routine\r\nhttps://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/\r\nPage 1 of 5\r\nFigure 6: Executing Stage 1 Decrypted Shellcode\r\nThe shellcode will obtain handles to kernel32.LoadLibraryA, kernel32.GetProcAddress, kernel32.VirtualAlloc, kernel32.VirtualProtect and ntdll.ZwFlushInstructionCache by enumerating the Process Environment Block (PEB) using the instruction mov rax, qword ptr gs:[60]. This is common with shellcode, as it needs to resolve these APIs dynamically to interact with the Windows operating system.\r\nOnce completed, it will then call kernel32.VirtualAlloc to prepare for injecting a PE executable for the next stage. To build the PE header, it will use the routine shown in Figure 7.\r\nFigure 7: Prepare Stage 2 PE\r\nOnce the PE header has been partially copied (excluding the MZ magic value), it will start to copy the .text section using the routine shown in Figure 8.\r\nFigure 8: Copy .text Section\r\nOnce the .text section is copied, it will start resolving many different Windows APIs using kernel32.GetProcAddress. When the additional APIs have been resolved, it will then make the .text section it copied earlier executable using kernel32.VirtualProtect, as seen in Figure 9.\r\nFigure 9: Make .text Section Executable\r\nNOTE: On different debugging sessions the virtual addressing changed during analysis.\r\nInterestingly, the Portable Executable (PE) BazarLoader is copied into memory (without the MZ header) and will start execution at the end of the .text section using a direct call. This can make unpacking the next stage confusing for reverse engineers, as this is not where code in a PE file is supposed to begin. This code at the end of the .text section is solely responsible for making a call to the real Original Entry Point (OEP) of the PE. It is important to note that this is simply used as shellcode and not as a PE in memory. The other benefit of this technique is that no calls to thread-related APIs are required, making it more challenging for Endpoint Detection and Response (EDR) solutions to detect. This can be seen in Figure 10.\r\nFigure 10: OEP Shellcode/PE Trickery\r\nAfter the previous trickery in the new memory space, it will start creating another PE in memory, but this time the header does start with the MZ magic value. After building the headers, it will copy each PE section one at a time, as seen in Figure 11.\r\nFigure 11: Building .text Section for Stage 2\r\nOnce the PE has been extracted to memory, it will make a direct call instead of using threading APIs (the same trickery as before). This can be seen in Figure 12.\r\nFigure 12: Calling Stage 2 Shellcode\r\nBazarLoader's stage 2 shellcode will make use of encrypted stack strings for many purposes throughout the rest of its code.\r\nBefore it continues with its malicious activity, it will check if the locale is Armenian (0x2b). Interestingly, instead of shutting down gracefully when the Armenian locale is detected, it will execute a jmp instruction to an invalid address, causing an access violation exception. We have previously seen Russian crimeware, such as KPot, checking for the Armenian keyboard layout; we hypothesize this could be similar behavior.\r\nTo avoid running more than one instance of itself, BazarLoader will create a mutex with a hard-coded UUID, then use kernel32.GetLastError to check for the error ERROR_ALREADY_EXISTS. If the mutex already exists, it will exit the process. The call to kernel32.CreateMutexA can be seen in Figure 13.\r\nFigure 13: Mutex Creation\r\nInterestingly, BazarLoader will check for mutexes twice.\r\nOnce completed, it will decrypt its C2 configuration, as seen in Figure 14.\r\nFigure 14: BazarLoader Stage 2 Decrypted Downloader Config\r\nOnce BazarLoader has determined the Armenian language is not being used and another instance of itself is not running, it will make an HTTP HEAD request to hxxps://titlecs[.]com. It will continue to do this until it receives a 200 response from the C2 server. The first request will be sent using wininet.HttpSendRequestA, as seen in Figure 15.\r\nFigure 15: HTTP HEAD Request\r\nIt is important to note that the HTTP header Update is not a standard header and can be considered anomalous.\r\nThis HEAD request can be seen in Figure 16.\r\nFigure 16: BazarLoader C2 Download Domain HEAD Request\r\nThe C2 server will respond with a 200 OK message.\r\nBazarLoader will also check if it is connected to the internet by making a request to microsoft[.]com, as seen in Figure 17.\r\nFigure 17: BazarLoader Internet Connectivity Check\r\nOnce completed, it will make a POST request to the second domain in its configuration, as seen in Figure 18.\r\nFigure 18: BazarLoader C2 Checkin\r\nOnce completed, it will make an HTTP GET request in order to obtain the next stage, as seen in Figure 19.\r\nFigure 19: BazarLoader Downloading Encrypted Payload\r\nDifferences Between Versions\r\nThere are a few notable differences between the first version of BazarLoader sent on 2020-10-06 (Employment Termination Malspam) and the one sent on 2020-10-08 (Survey Malspam). The main differences are that the malware author(s) now include the string Stupid Defender to mock researchers, the shellcode that was stored in the .data section is now stored in the .rsc section, and the functionality to get a pointer to the encrypted shellcode and to decrypt it has been broken out into separate functions. This can be seen in Figures 20 and 21.\r\nFigure 20: Updated Main Shellcode Decryption/Execution Routine\r\nFigure 21: Obtain Encrypted Pointer to Encrypted Shellcode from the Resource Section\r\nFigure 22: Encrypted Shellcode in Resource Section\r\nSummary\r\nBazarLoader is becoming increasingly popular amongst threat actors. We suspect the reason behind the malware developer(s)' success is their use of techniques such as avoiding the use of threading APIs and faking PE injection, when in reality it is simply shellcode injection. These techniques are likely used to confuse Endpoint Detection and Response (EDR) solutions.\r\nIndicators of Compromise\r\n| Indicator | Description |\r\n| --- | --- |\r\n| hxxps://titlecs[.]com/issues/284 | BazarLoader Encrypted Payload URL |\r\n| hxxps://titlecs[.]com/issues/282 | BazarLoader Encrypted Payload URL |\r\n| hxxp://ds46x1[.]com/1/run | BazarLoader Encrypted Payload URL |\r\n| labelcs[.]com | BazarLoader Domain (Employment Termination Malspam) |\r\n| mixcinc[.]com | BazarLoader Domain (Employment Termination Malspam) |\r\n| nicknamec[.]com | BazarLoader Domain (Employment Termination Malspam) |\r\n| 3c27fca6d9cf1379eee93e6fea339e61 | BazarLoader Shellcode Injector (Preview15-10.exe) |\r\n| 3ee60e0efeb5b349a5ba7325ce4a33dc | BazarLoader Shellcode Injector (Document2-85.exe) |\r\n| hxxps://docs[.]google[.]com/document/d/e/2PACX-1vR_9tGGWDcS1ZyIuiGpMQg2Sv9nRWempyUKuQ1iyJp_HHt1C87OPirnO7EImnOW6ILbrmHXUpl_OIxQ/p | Employment Termination Malspam Payload URL |\r\n| hxxps://docs[.]google[.]com/document/d/e/2PACX-1vQ7wK9C0fLCwS3voYLhGz3Gmy6g4UMKe_xZ1ds8xv7LonpviJBXefG9rBZuMPkmtytDYe_5rbDztBnK/pub | Survey Malspam Payload URL |\r\n| ds45x1[.]com | BazarLoader Domain (Survey Malspam) |\r\n| ds46x1[.]com | BazarLoader Domain (Survey Malspam) |\r\n| ds47x1[.]com | BazarLoader Domain (Survey Malspam) |\r\n| marcene[.]jack[at]peytoneley[.]com | BazarLoader Malspam Email |\r\n| shannon[.]ong35[at]myhunter[.]cuny[.]edu | BazarLoader Malspam Email |\r\n| bessie[.]wilson[at]griply[.]com | BazarLoader Malspam Email |\r\n## Researchers\r\nLilly Chalupowski\r\nPaul Neuman\r\nSource: https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/"
	],
	"report_names": [
		"bazarloader-mocks-researchers-in-december-2020-malspam-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434111,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/565d024ad645f01ccf09ba22d105111b9627afaf.pdf",
		"text": "https://archive.orkl.eu/565d024ad645f01ccf09ba22d105111b9627afaf.txt",
		"img": "https://archive.orkl.eu/565d024ad645f01ccf09ba22d105111b9627afaf.jpg"
	}
}