{
	"id": "965921e8-c60e-4699-a021-a43d24dffb0b",
	"created_at": "2026-04-06T00:22:28.059557Z",
	"updated_at": "2026-04-10T03:20:50.249628Z",
	"deleted_at": null,
	"sha1_hash": "6b6e2300035f7ee2cac287cb7a252273afedf8ac",
	"title": "CyberSOC: Campo Loader detection perspectives",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2375472,
	"plain_text": "CyberSOC: Campo Loader detection perspectives\r\nPublished: 2021-03-23 · Archived: 2026-04-05 13:54:49 UTC\r\nIn the eye of our CyberSOC: Campo Loader, analysis and detection perspectives\r\nIn this article\r\nHow to detect and analyze Campo Loader? Answers from our CyberSOC.\r\nCampo Loader, a recent campaign\r\nVector of infection: maldoc\r\nDetection prospects\r\nSystem behaviors\r\nIOCs and MITRE ATT\u0026CK references\r\nCampo Loader, a recent campaign\r\nSince January 2021, our CyberSOC has observed fairly active use of a loader(1). It was quickly named “Campo Loader” on the Internet because of the striking pattern in the URLs seen in its network communications. Notably used to drop Ursnif/Gozi, a banking trojan, as its second stage, these campaigns use several interesting techniques yet remain quite easy to detect with adequate security solutions.\r\nhttps://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/\r\nPage 1 of 10\r\nFigure 1 – Campaign Summary – Source: Orange Cyberdefense\r\nVery similar campaigns have been observed since the summer of 2020 and were documented by Morphisec in September. This loader also appears to still be used to deliver Trickbot; however, our case differs in the format of the maldoc and in the final payload deployed.\r\nVector of infection: maldoc\r\nUnsurprisingly, the initial infection vector is an e-mail carrying an attachment, more precisely an Excel XLSB (Excel Spreadsheet-Binary) document. This file type is common for maldocs because it evades most AV (anti-virus) engines: even several days after being uploaded to VirusTotal (VT), these files are still detected by fewer than 10 of 64 engines.\r\nFigure 2 – VirusTotal Detection Ratio; Source: virustotal.com\r\nWhen opened, the file prompts the user to enable content, leading them to believe that this will decrypt the document and display its contents.\r\nFigure 3 – Preview of the file File_812265.xlsb – Orange Cyberdefense\r\nThe usual tools such as olevba/oledump or XLMMacroDeobfuscator do not give satisfactory results for static analysis, so we adopt another, more manual technique:\r\nFigure 4 – Analysis of the file File_812265.xlsb – Orange Cyberdefense\r\nBy decompressing the file, we identify a sheet in binary format (BIFF12) that looks interesting. Indeed, a first pass with “strings” on this file reveals a routine that looks quite malicious:\r\nFigure 5 – Analysis of the file File_812265.xlsb – Orange Cyberdefense\r\nAt first glance, the certutil.exe binary appears to be used to decode the contents of several files. The strings “Shell32”, “rundll32.exe” and “ShellExecuteA” then indicate that this file is also meant to execute commands, or even a DLL.\r\nWe move on to analyzing the document directly in Excel. It turns out that several sheets are hidden. After unhiding the four hidden sheets, matching them against the strings seen earlier lets us link the sheet4.bin file to one of them. A second sheet is also useful for understanding this file: sheet 2 is responsible for launching the routine via an Auto_Open.\r\nFigure 6 – Analysis of the file File_812265.xlsb – Orange Cyberdefense\r\nHowever, the most interesting part is still missing: the associated sheet is protected. To bypass the protection, simply save the file in another format (e.g., XLSM), which converts the binary parts to XML. Removing the protection is then relatively easy, since a single tag is responsible for this mechanism; once that tag is removed, the sheet protection is no longer effective.\r\nFigure 7 – Protected Spreadsheet File_812265.xlsb – Orange Cyberdefense\r\nWe then identify several cells that likely contain encoded content, which turns out to be a PE (Portable Executable).\r\nFigure 8 – Decoding the content File_812265.xlsb – Orange Cyberdefense\r\nWe now have a good understanding of the actions of this first XLSB file:\r\n- Drop a .txt file containing base64-encoded data\r\n- Decode that file with the certutil.exe binary and drop a new hex-encoded file\r\n- Decode the second file with certutil.exe and drop a PE\r\nWe then validated this static analysis with a dynamic analysis, running the file in the Orange Cyberdefense sandbox:\r\nFigure 9 – Orange Cyberdefense Sandbox Analysis File_812265.xlsb\r\nThree files are indeed dropped:\r\nC:\\Users\\Public\\11250.txt\r\nC:\\Users\\Public\\11250.png2\r\nC:\\Users\\Public\\11250.png\r\nWe indeed end up with a packed PE (UPX was noted in some campaigns). This DLL is then executed via rundll32.exe; it appears to be the Campo loader.\r\nAnalysis of the HTTP/HTTPS requests shows a GET request to this URL:\r\nhxxp[://]172[.]104[.]129[.]156/campo/o/o\r\nIt redirects (307 Temporary Redirect) to:\r\nhxxps[://]ciudadstereo[.]com[.]ec/wp-content/plugins/wp-calculated-fields/templates/01/out[.]dll\r\nThe purpose of this DLL, which we attribute to the Campo loader, is to download and execute a second DLL. Note that several repositories identified in similar campaigns have open directory listings, which make it possible to identify other malicious DLLs and to get an idea of the timeline of the attacks from the Last-Modified field.\r\nFigure 10 – Repo Ursnif – Source: Orange Cyberdefense\r\nAnother important point about the temporary redirect: a single “campo” URL lets the operators distribute many payloads dynamically. Indeed, analyzing the same sample several times yielded different final DLLs.\r\nFigure 11 – HTTP traffic linked to the Campo loader – Source: Orange Cyberdefense\r\nWithout going into too much detail on this last stage, the DLL corresponds to Ursnif/Gozi, a banking trojan. A quick sandbox analysis lets us identify its command-and-control servers and thus feed our intelligence base.\r\nFigure 12 – Ursnif DLL Sandbox Analysis – Source: Orange Cyberdefense\r\nDetection prospects\r\nNetwork communications (Campo Loader)\r\nWhile analyzing many campaigns, we noticed a pattern that recurs often enough in the URL to be used for detection and hunting. Indeed, the URI path matches this regex:\r\n^\\/(?:campo)\\/\\w{1}\\/\\w{1}$\r\nHere are some examples of URLs we have identified:\r\nhxxp://172.104.143[.]130/campo/t/t\r\nhxxp://178.62.19[.]66/campo/v/v\r\nhxxp://pipkaboss[.]xyz/campo/b/b\r\nSome older campaigns also seem to follow this pattern, which is also more flexible:\r\n^\\/(?:campo)\\/[a-zA-Z0-9]{1,2}\\/[a-zA-Z0-9]{1,2}$\r\nExample:\r\nhxxp://androidflash[.]space/campo/DQ/s9\r\nSystem behaviors\r\nThe use of “certutil.exe” to decode the first payload is quite striking and generic enough to be used as a means of detection. This behavior maps to the MITRE ATT\u0026CK matrix under technique “T1140: Deobfuscate/Decode Files or Information”. A Sigma rule is already available on the Sigma project's GitHub. This rule should be triggered by the two commands extracted from our sandbox analysis (below), while being generic enough to cover most LOLBAS/LOLBINS (Living Off The Land Binaries and Scripts) usage of this Microsoft binary.\r\nSeveral approaches can also be taken to the DLL execution via “rundll32.exe”. The first is detecting rundll32.exe loading a DLL that carries a .png extension. This technique is increasingly common and can be covered with the “T1036: Masquerading” and “T1218.011: Signed Binary Proxy Execution: Rundll32” techniques.\r\nThe last detection method relies on the process tree. Replaying the campaign's execution end to end, we note a rather striking process tree starting from EXCEL.EXE:\r\nEXCEL.EXE \u003e rundll32.exe \u003e rundll32.exe\r\nIOCs and MITRE ATT\u0026CK references\r\nSource: Orange Cyberdefense\r\nTo download the IOCs and the MITRE ATT\u0026CK references, click here.\r\n(1) Loader: a loader is a malware program responsible for executing a malicious payload on the target system. This second-stage payload can be remote (fetched from an IP/URL) or embedded directly in the loader. The purpose of a loader is to provide evasion and targeting capabilities (encryption, memory injection, anti-VM, anti-sandbox, geographical analysis, system profiling, etc.).\r\nSource: https://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/"
	],
	"report_names": [
		"in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives"
	],
	"threat_actors": [],
	"ts_created_at": 1775434948,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b6e2300035f7ee2cac287cb7a252273afedf8ac.pdf",
		"text": "https://archive.orkl.eu/6b6e2300035f7ee2cac287cb7a252273afedf8ac.txt",
		"img": "https://archive.orkl.eu/6b6e2300035f7ee2cac287cb7a252273afedf8ac.jpg"
	}
}