{
	"id": "1e9cd276-fde5-44e7-9c85-c779498b9e40",
	"created_at": "2026-04-06T01:30:40.182501Z",
	"updated_at": "2026-04-10T03:27:55.904317Z",
	"deleted_at": null,
	"sha1_hash": "75d544d4e56924a04a6036f64bc7ac994c67724a",
	"title": "Campo, a New Attack Campaign Targeting Japan - Mal-Eats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1670730,
	"plain_text": "Campo, a New Attack Campaign Targeting Japan - Mal-Eats\r\nBy @mal_eats\r\nPublished: 2021-05-10 · Archived: 2026-04-06 01:14:01 UTC\r\nSince around March 2021, campaigns in Japan using an infrastructure called campo/openfield have been observed. This campaign has the potential to deliver subsequent malware depending on the infected organization, and in some cases overseas it could eventually result in ransomware incidents.\r\nWe keep tracking this attack campaign, which, as far as we are aware, started to be observed at least around October 2020. We anticipate that the attackers will continue to be active in the future, and we are concerned that this could lead to serious impacts, including ransomware encryption in the worst case. Therefore, in order to prepare for such threats, in this blog we share the characteristics of the campaigns targeting Japan and how to check for malware execution traces, based on our research.\r\nTable of contents\r\n1 Update history\r\n2 Observation cases of this campaign in Japan\r\n3 Big picture of attack campaign\r\n4 Features of Emails\r\n5 Features of the linked server\r\n6 Features of document files\r\n7 Features of Campo Loader malware\r\n8 Features of Openfield\r\n9 Features of the DFDownloader malware\r\n10 Consideration of follow-up malwares\r\n11 Relevance to other campaigns\r\n12 How to check for malware execution traces\r\n14 Acknowledgments\r\n16 IoCs (As of May 10)\r\nUpdate history\r\nDate | Details\r\n2021/5/11 | Published this blog\r\nObservation cases of this campaign in Japan\r\nhttps://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/\r\nPage 1 of 27\r\nReports of suspicious emails in Japan have been shared on social networking sites. The reports are shown below in chronological order.\r\n2020/10/14: https://twitter.com/bomccss/status/1316163808319041536\r\n2021/3/10: https://twitter.com/bomccss/status/1369612781209591813\r\n2021/3/24: https://twitter.com/bomccss/status/1374526482890944515\r\n2021/3/31: https://twitter.com/bomccss/status/1377280535710494729\r\n2021/4/6: https://twitter.com/bomccss/status/1379240664362143744\r\n2021/4/7: https://twitter.com/bomccss/status/1379602541495738371\r\n2021/4/8: https://twitter.com/bomccss/status/1379970130642235392\r\n2021/4/9: https://twitter.com/bomccss/status/1380327966765314050\r\n
Big picture of attack campaign\r\nThe big picture of the attack campaign is shown in Figure 1. The attack begins with incoming Japanese emails. The body of the email contains a URL link and a password; when the user accesses the URL link, they can download a password-protected ZIP file. After extracting this ZIP file and opening the document file to enable the content, a downloader called Campo Loader is dropped and executed, and it then starts communication. In addition, it infects the host with DFDownloader as a follow-up malware, which can download and execute additional payloads by communicating with the C2 server.\r\nFigure1. The big picture of the attack campaign\r\nWe believe that the attacker is using an anti-bot service called “BlackTDS” in front of both the host of the URL link and the host that serves Campo Loader. This service redirects connections that it identifies as research activity to unrelated legitimate sites. Details of how this service works are described later.\r\nThe DFDownloader used in this campaign against Japan has the ability to download and execute additional malware, but at this time we have not observed any following payloads yet. DFDownloader has not yet been reported overseas. Hence, the final payload delivered via DFDownloader is not known. On the other hand, similar cases of infection with follow-up malware via Campo Loader have been reported overseas:\r\nTrickbot\r\nUrsnif\r\nBazarLoader -\u003e CobaltStrike, AnchorDNS\r\nPhobosRansom\r\nWe also believe that the attackers in past campaigns attempting to infect Zloader may have been the same attacker group. We will discuss these at the end of this paper.\r\nFeatures of Emails\r\nAn example of the emails is shown in Figure 2. In the attack campaign for Japan, the email is written in Japanese. As for the content of the email, it pretends to be a real company representative and asks the user to download a password-protected ZIP file from a link, in the form of an invoice. The email address is different from the legitimate corporate email address, and the attacker is pretending to be that corporation. We have confirmed that the passwords for the linked files in the emails are all the same, as far as we can currently observe. Furthermore, based on the email headers, we assume that the attacker is using Roundcube Webmail, an open source webmail, to deliver the messages.\r\nFigure2. Email samples in Japanese\r\nFeatures of the linked server\r\nWe have confirmed that all the linked URLs where the password-protected ZIPs are located use https. It also has the following feature: the IP address associated with the domain name is often shared across domains.\r\nAs a result of our investigation, it is possible that this server is using an anti-bot service called “BlackTDS”. This service is described on its official website as “the best solution for cleaning traffic and protecting bots” (Figure 3), but in fact it is reported by Proofpoint to be abused by attackers as drive-by as a service [1].\r\nFigure3. BlackTDS\r\n[1] Drive-by as a service: BlackTDS\r\nhttps://www.proofpoint.com/us/threat-insight/post/drive-service-blacktds\r\nIn this campaign for Japan, the following filtering features of the service may be used.\r\nFiltering by IPs that fully support IPv6\r\nFiltering by ISP\r\nFiltering by referrer\r\nFiltering by hardware ID\r\nFiltering by an anti-bot database with more than 440,000 IP addresses of anti-virus vendors, moderators, search engines, and checker bots\r\nTherefore, BlackTDS makes it difficult for security researchers and sandboxes to retrieve the files. In other words, it increases the difficulty of the investigation.\r\n
Features of document files\r\nIn the case of the campaign for Japan, when the password-protected ZIP file downloaded from the link in the email is extracted and the document file is opened, a template with a Japanese design is displayed, as shown in Figure4.\r\nFigure4. Example of a malicious document file in Japanese\r\nSince the design of the document file may be shared with other malware, it may be difficult to determine from its appearance whether it is related to this attack. It is also possible that the design will change in the future.\r\nThe following sections provide an overview of the behavior and the latest document file behavior at the time of writing (April 2021).\r\nOverview of malicious document behaviour\r\nIf the Office product has default settings, when a user opens the document file and clicks on “Enable Content”, an Excel 4.0 macro (referred to below as “macro”) is executed and a file is dropped from text embedded in the document file.\r\nIn the document files that we have seen in this series of attacks, the sheet where the macro is set is hidden, and the sheet contains the strings to execute the macro (shown in Figure5, Figure6). Also, due to the “Auto_Open” setting of the workbook, the malicious macros are automatically executed when the document file is opened (shown in Figure5, Figure6).\r\nFigure5. Example of macro functions on April 9, 2021\r\nFigure6. Another example of macro functions on April 9, 2021\r\nThe string saved by the SAVE.AS function is decoded using certutil.exe and saved under a different file name (Campo Loader). After that, Campo Loader is executed using rundll32.exe with the CALL function, etc. (Figure7).\r\nFigure7. Example of macro functions on April 9, 2021\r\nThis series of behaviors is implemented by directly calling the functions of standard Windows modules (DLLs) in addition to macros.\r\nDocument files used in the April 9 attack\r\nThe following shows the flow from the most recently observed (April 9) document file to the execution of Campo Loader (Figures 8 and 9).\r\nFigure8. Infection flow when a document file is opened\r\nFigure9. Process tree when a document file is opened\r\nThe flow of operation is as follows.\r\n1. When the document file is opened and the content is enabled, the malicious macro is activated.\r\n2. The string embedded in the sheet of the document file is saved as %PUBLIC%\\14118.doy. *1\r\n3. The string embedded in the sheet of the document file is saved as %PUBLIC%\\14118.xlsb. *2\r\n4. The contents of %PUBLIC%\\14118.doy are Base64 decoded and the result is saved as %PUBLIC%\\14118.biy.\r\n5. A fake input form is displayed (Figure10).\r\n6. rundll32.exe executes Campo Loader (%PUBLIC%\\14118.biy). In this case, DF1 is specified as the argument and the DF1 function is called.\r\n*1 The numbers in the file name are generated randomly from 9999 to 19999 by a function, but in reality the numbers are fixed values, as they were when the attacker saved the file.\r\n*2 This file is just created and is not actually needed for the attack.\r\nFigure10. Fake input form\r\n
Features of Campo Loader malware\r\nCampo Loader (a.k.a. NLoader) is a malware that is executed after being dropped from a document file. This malware is a downloader, and it has the ability to perform HTTP communication to obtain and execute additional payloads. Since it accesses a path containing “/campo/” during communication, Orange Cyberdefense named this malware “Campo Loader” [2], and the name came to be used on social networking sites.\r\nCampo Loader appears to have been updated in early March, and the features of its HTTP communication have changed. This blog explains the latest version.\r\n[2] “In the eye of our CyberSOC: Campo Loader, analysis and detection perspectives”, Orange Cyberdefense, 2021/03/23\r\nhttps://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/\r\nWhen Campo Loader is executed, it first creates a directory. As shown in the figure below, the name of the directory to be created is hard-coded.\r\nFigure11. Function for creating a directory\r\nNext, it sends the string “ping” to the server using the POST method (Figure12). The server communicated with at this stage is called the “Openfield server” in the following.\r\nFigure12. Example of a request generated by Campo Loader.\r\nIn this stage of communication, the Openfield server returns a URL as the response (see below for details). For this reason, Campo Loader checks whether the response starts with “h”, and if it does not, it terminates the process (Figure13).\r\nFigure13. Checking for the character “h”\r\nIf the response starts with an “h”, it sends a second “ping” message to that URL using the POST method. As a result, an additional payload is downloaded and saved as a file. The name of the file to be saved is also hard-coded (Figure14).\r\nFigure14. Example of hardcoded URLs\r\nThen rundll32.exe is used to call a function in the downloaded DLL file. The name of the function to be called is usually the “DF” function *. This call argument is also hard-coded.\r\nCampo Loader is also available as an EXE file that can be downloaded and executed. In past cases in Japan, Campo Loader directly executed malware such as Ursnif and Zloader. However, recent campaigns for Japan have tended to use the DLL version, and have shifted to downloading and executing the DFDownloader described later in this article.\r\n* Note that Campo Loader uses function names such as “DF” and “DF1” as its export functions, but DFDownloader, the malware described later, also uses the same name “DF” as a function name, so be careful not to confuse Campo Loader and DFDownloader in this section.\r\nFeatures of Openfield\r\nThe Openfield server is the server where the payload is hosted for Campo Loader to retrieve. One of its main features is the inclusion of the string “/campo/” in the URL used to get the payload. In this section, we explain the contents of the response and the results of our investigation of this server.\r\nResponse from Openfield Server\r\nBy sending “ping” in the HTTP body with the POST method under the “campo” directory, the next URL to access can be obtained (Figure15 and 16). In past cases, we observed responses that indicated a redirection, but nowadays the response generally includes the URL.\r\nFigure15. Example of the response 1\r\nFigure16. Example of the response 2\r\nThere is a possibility that BlackTDS is used for the Openfield server as well, as in “5. Features of the linked server”. Hence, if the BlackTDS service determines that the connection is coming from cyber security researchers, it redirects the user to a legitimate site such as Yahoo or GNU.\r\nThe URL passed to Campo Loader as the response can be one of the following two cases.\r\n1. A URL that indicates a different directory on the same server (such as under /uploads/files/)\r\n2. A URL of another Openfield server.\r\nIn addition, we have observed cases in past campaigns for Japan and overseas in which the malware was placed on compromised servers.\r\nCharacteristics of IP address and domain name combinations\r\nBoth IP addresses and domain names have been used in URLs in the past, but recently the attackers have tended to use domain names. The domain names are registered with the Namecheap service, and follow the pattern “word + number + xyz domain”. Our research also shows that the range of IP addresses associated with the domain names is 176.111.174.0/24 (shown in Table1).\r\nTable1. Examples of combinations of domain name and resolved IP address used for Openfield\r\nTarget | Domain name | IP address\r\nNot Japan | bfdnews[.]xyz | 176.111.174[.]72\r\nNot Japan | groupeu[.]xyz | 176.111.174[.]72\r\nNot Japan | allcafe[.]xyz | 176.111.174[.]72\r\nNot Japan | gainme[.]xyz | 176.111.174[.]53\r\nJapan | ship4[.]xyz | 176.111.174[.]53\r\nJapan | gopigs[.]xyz | 176.111.174[.]53\r\nNot Japan | beauty1[.]xyz | 176.111.174[.]53\r\nNot Japan | about2[.]xyz | 176.111.174[.]57\r\nJapan | board3[.]xyz | 176.111.174[.]57\r\nJapan | cake3[.]xyz | 176.111.174[.]58\r\nJapan | dance4[.]xyz | 176.111.174[.]61\r\nNot Japan | hall4[.]xyz | 176.111.174[.]62\r\nNot Japan | keep2[.]xyz | 176.111.174[.]62\r\nNot Japan | lie3[.]xyz | 176.111.174[.]59\r\nNot Japan | out2[.]xyz | 176.111.174[.]60\r\nNot Japan | noise1[.]xyz | 176.111.174[.]60\r\nThe origin and function of the Openfield server\r\n“Openfield” is the name given to this server by the Cryptolaemus Team (@Cryptolaemus1), an international security research team, in order to identify it.\r\nThe name comes from the fact that the directory listing feature of the web server had been enabled, so the contents could be viewed (commonly referred to as an “open directory”). In our research, we confirmed that the list of contents on the Openfield server had been viewable. However, this setting has since been changed (shown in Figure17).\r\nFigure17. Directory listing of the Openfield server\r\nThe Openfield server also has a login panel (Figure18). As shown in Figure17 (left), the Openfield server may have functions related to sending mail, since the names “smtp” and “mails” appear in the directory listing.\r\nFigure18. The login panel of the Openfield server\r\n
Features of the DFDownloader malware\r\nDFDownloader is the second-stage malware that is downloaded and executed by Campo Loader. This malware is a downloader and is responsible for downloading and executing the next stage of malware. In addition to downloading and executing, it also has the ability to persist and update itself, making it more feature-rich than Campo Loader. Furthermore, DFDownloader has embedded version information, and since it is frequently upgraded, it is expected to be used continuously in the future. In the following sections, we explain the operation of DFDownloader. As we explain later, we have confirmed that some overseas cases do not use DFDownloader.\r\nAnti-Sandbox Function\r\nDFDownloader has an anti-sandbox feature: DFDownloader first checks the total amount of memory on the system, and if it is less than 4 GiB, it kills its own process. There are also several loops around the sleep function, and these may prevent the process from running properly in a sandboxed environment (Figure19).\r\nFigure19. Memory checking\r\nEncryption\r\nAs shown in Figure20, DFDownloader keeps the strings it uses encrypted with XOR. These strings contain information about the C2 and the functions to be used. The XOR routines for decrypting these strings are also used when decrypting the response from the server.\r\nFigure20. Example of XOR strings\r\nCommunication flow\r\nThe communication flow of DFDownloader is shown in the figure below. There are four types of data formats that DFDownloader uses when it communicates with the C2 server.\r\nFigure 21: Communication flow of DFDownloader\r\n① Communication with the SYS identifier\r\nDFDownloader first sends the information collected from the infected host using the POST method (see the figure below). The information sent at this time is encoded in Base64, and contains the identifier and other information.\r\nFigure22. First communication example (SYS identifier)\r\nThe details of the information sent to the server are shown in the table below. For these requests, the server usually returns a response with the HTTP status code “200 OK”.\r\nTable2. The details of the sent data\r\nValue sample | Description\r\nSYS | Identifier\r\n10 | OS major version\r\n17763 | OS build number\r\nDESKTOP-AABSVH71760622929 | Computer name and volume serial number\r\ntest | Username\r\n64 | OS bitness\r\n1.28r | DFDownloader version number\r\n0 | 0 or 1\r\n7545391 | N/A\r\n② Communication with the BIN identifier\r\nThe second communication uses the BIN identifier (see the figure below).\r\nFigure23. Second traffic example (BIN identifier)\r\nWhen it receives a response from the server, DFDownloader decrypts the response with XOR and checks whether the first bytes start with “MZ” (the magic number of a PE file). If it is a PE file, it saves the received data as a file, and then registers a value in the registry using the path of the created file (as shown below).\r\nFigure 24. Example of registry values\r\nThis registration in the registry causes DFDownloader to run when the user logs on to the terminal, which means persistence of the infection. We have confirmed that this communication causes DFDownloader to be updated. When this happens, it saves new files, rewrites the registry values, and deletes the old files and directories.\r\n③ Communication with the PNG identifier\r\nThe third communication uses the PNG identifier.\r\nFigure25. Third communication example (PNG identifier)\r\nDepending on the value received from the server in this communication, the process branches as shown in the table below. Some parts of the branching process are still under development, and it is expected that additional functions will be added in future versions.\r\nTable 3. Commands\r\nValue | Description\r\n0x31 | Save and execute the file (DLL or EXE) retrieved in the following communication; the function name can be specified in the case of a DLL\r\n0x32 | Save and execute the file (DLL) retrieved in the following communication. In this case, the DFDownloader process exits after execution.\r\n0x33 | unimplemented\r\n0x34 | unimplemented\r\n④ Communication with the BN identifier\r\nFinally, the communication using the BN identifier (see the figure below). In this communication, depending on the result of communication ③, the payload to be executed in each branch is obtained from the server. As mentioned earlier, the payload to be obtained is a DLL file or an EXE file.\r\nFigure 26. Fourth communication example (BN identifier)\r\nThen, a new process is created by the CreateProcessA function; if it is an EXE file, it is executed as is; if it is a DLL file, rundll32.exe is used. Since loop processing is implemented in this malware, even if it could not get the expected response from the server, communications ③ and ④ occur again and again. (The communication interval is not constant.)\r\n
Consideration of follow-up malwares\r\nAt the time of writing (April 2021), we have not been able to confirm any follow-up payloads. However, similar cases have been reported overseas, and we assume that infections by this campaign may spread in Japan like these cases in the future. Also, before the use of Campo Loader and DFDownloader, we saw attack campaigns by the same attacker group, so it is not difficult to guess the attack trend. In this section, we discuss the malware that may be delivered, based on overseas cases and past cases.\r\nThe following figure shows the malware that may be delivered subsequently, based on similar cases so far. There have been cases where Campo Loader delivered the malware shown in the blue box in the figure below, and we think that the infection may progress in the same way from DFDownloader.\r\nFigure27. Consideration of infection steps of follow-up malwares\r\nAs you can see, various types of impact can be expected depending on the type of malware, such as information theft, remote access, and ransomware.\r\nPrevious attacks on Japan using Campo Loader\r\nWe observed cases of Ursnif and Zloader infection [3] before this attack campaign in Japan. In those cases, the Openfield server was used, but not Campo Loader or DFDownloader. It is possible that this attack campaign may also deliver Ursnif and Zloader, as in past cases.\r\n[3] “2020/10/14 (Tue) Investigation of a suspicious email with attachment ‘[Notice of change of payment account]’ (ZLoader)”, bomb_blog, 2020/10/28\r\nhttps://bomccss.hatenablog.jp/entry/2020/10/28/125630\r\nOther cases of Campo Loader use outside Japan\r\nThere are several reported cases of the use of Campo Loader. In these cases, the URL returned as the response to Campo Loader points to malware.\r\nAnother similar case outside Japan is an attack campaign called “BazarCall”. In this campaign, users call a contact listed in an email, which leads them to a link to a document file that leads to infection [4]. This campaign also uses Campo Loader, which is dropped from the document file as in this attack campaign, runs, and accesses the Openfield server to download and execute BazarLoader (Figure 28).\r\nFigure 28. Example of communication to get BazarLoader in the BazarCall campaign.\r\n(Source: https://www.malware-traffic-analysis.net/2021/04/16/index2.html)\r\n[4] BazarCall malware uses malicious call centers to infect victims\r\nhttps://www.bleepingcomputer.com/news/security/bazarcall-malware-uses-malicious-call-centers-to-infect-victims/\r\nIn other cases, there have been reports of Trickbot and Phobos Ransomware infections from the older Campo Loader [5][6]; these cases were reported around September-October 2020, but the malware is still active, so we have to be careful.\r\n[5] “Deep Analysis – The EKING Variant of Phobos Ransomware”, Fortinet, 2020/10/13\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware\r\n[6] “TRICKBOT AND EMOTET DELIVERY THROUGH WORD MACRO”, Morphisec, 2020/9/16\r\nhttps://blog.morphisec.com/trickbot-emotet-delivery-through-word-macro\r\nRelevance to other campaigns\r\nThis section explains the relevance to other campaigns that was discovered during the research process.\r\nRelevance to the BazarCall campaign\r\nAs an example, the fake input form displayed when opening the document file used in the April 9 attack on Japan is almost the same as the fake input form mentioned in the report [7] released by Sophos on April 15 (Figure29 and 30).\r\n[7] “BazarLoader deploys a pair of novel spam vectors”, Sophos, 2021/04/15\r\nhttps://news.sophos.com/en-us/2021/04/15/bazarloader/\r\nFigure29. Fake input form shown in the April 9 attack campaign for Japan.\r\nFigure 30. Fake input form mentioned in the report published by Sophos.\r\n(Source: https://news.sophos.com/en-us/2021/04/15/bazarloader/)\r\nFurthermore, the behavior of the document files used in the series of attacks for Japan is almost the same as well (Figure31 and 32).\r\nFigure 31. Process tree of the document file in the April 9 attack campaign against Japan.\r\nFigure32. Process tree mentioned in the report published by Sophos.\r\n(Source: https://news.sophos.com/en-us/2021/04/15/bazarloader/)\r\nSimilarity of packers\r\nThere are multiple variations of the packer used in Campo Loader and DFDownloader, and some of the packers are similar to those used in Trickbot and BazarLoader.\r\nThe figure below shows part of the code of the packer used in Campo Loader and DFDownloader (1.28r). The packer uses the CryptoAPI to encrypt the malware itself, with the CryptImportKey function importing the RSA2 key and CryptEncrypt processing the data with the RC4 cipher.\r\nFigure 33. Example of Campo Loader’s packer\r\nFigure 34. Example of DFDownloader’s packer.\r\nThis code shows characteristics similar to the packer used by BazarLoader, as described in Cybereason’s blog [8], and the packer used by Trickbot, as described in VIPRE Labs’ blog [9]. These similarities also indicate that Trickbot and BazarLoader might be related to this attack campaign.\r\n[8] A Bazar of Tricks: Following Team9’s Development Cycles\r\nhttps://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles\r\n[9] “Trickbot’s Tricks”, posted by VIPRE Labs\r\nhttps://labs.vipre.com/trickbots-tricks/\r\n
How to check for malware execution traces\r\nThe following describes how to check for malware execution traces.\r\nAutomatic Startup Settings\r\nRegistry\r\nDFDownloader registers a DLL file in the registry for persistence. DFDownloader is executed when the user logs on to the terminal.\r\nTable 4. Registry values\r\nItem | Value\r\nRegistry key | HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nValue | Shell\r\nData type | REG_SZ\r\nData (e.g.) | explorer.exe, regsvr32.exe C:\\ProgramData\\nmvhg\\nmvhg.dll\r\nFigure 35. Example of the registry values\r\nNetwork Traffic and Proxy Logs\r\nCommunication of Campo Loader\r\nThe POST method is used with no User-Agent in the HTTP header.\r\nThe domain name tends to be an xyz domain.\r\nThe URL can be expressed by the regular expression “\\/campo\\/([a-z0-9]{1,2})\\/([a-z0-9]{1,3})”.\r\nFigure 36. Campo Loader communication example\r\nCommunication of DFDownloader\r\nThe POST method is used with no User-Agent in the HTTP header.\r\nThe domain name tends to be an xyz domain.\r\nThe Content-Length of a request is about 40 to 100 bytes.\r\nServer responses are encrypted with XOR, and the XOR key is a different value for each infected host. Example: “DESKTOP-AABSVH71760622929”.\r\nFigure 37. Example of DFDownloader communication 1\r\nFigure 38. Example of DFDownloader communication 2\r\nCreated Files\r\nPlease check whether any of the following files have been created.\r\n* Please note that the name and destination of the file can easily be changed by an attacker.\r\nDocument files\r\nThe folder path used to store the files is consistently “C:\\Users\\Public\\”, and the file name changes depending on the attack campaign.\r\nThe table below shows the files generated by the document files we checked.\r\nTable 5. Examples of files generated by the document file\r\nFile | Description\r\nC:\\Users\\Public\\14118.doy | File dropped by the document file. Used in a campaign for Japan on April 9, 2021.\r\nC:\\Users\\Public\\14118.xlsb | File dropped by the document file. Used in a campaign for Japan on April 9, 2021.\r\nC:\\Users\\Public\\14118.biy | The file generated by Base64 decoding the data in “C:\\Users\\Public\\14118.doy” (Campo Loader). Used in a campaign for Japan on April 9, 2021.\r\nCampo Loader\r\nThe saved file path and file name are hard-coded in the Campo Loader that is dropped from the document file.\r\nThe folder path used to store the files is consistently “C:\\ProgramData\\”.\r\nThe files generated by Campo Loader are shown in the table below.\r\nTable 6. Examples of files generated by Campo Loader\r\nFile | Description\r\nC:\\ProgramData\\jyqwkf\\jyqwkf.dll | DLL file downloaded by Campo Loader. Used in a campaign for Japan on April 9, 2021.\r\nC:\\ProgramData\\yosgu\\yosgu.dll | DLL file downloaded by Campo Loader. Used in a campaign for Japan on April 2 and 8, 2021.\r\nDFDownloader\r\nThe file path and file name saved by DFDownloader are randomly generated.\r\nDepending on the communication result, the folder and file may be deleted.\r\nThe following table shows the files generated by DFDownloader.\r\nTable 7. Examples of files generated by DFDownloader\r\nFile | Description\r\nC:\\ProgramData\\\u003crandom string\u003e\\\u003crandom string\u003e.dll (e.g. C:\\ProgramData\\nmvhg\\nmvhg.dll) | DLL file downloaded by DFDownloader\r\nC:\\ProgramData\\\u003crandom string\u003e\\\u003crandom string\u003e.exe (e.g. C:\\ProgramData\\nmvhg\\nmvhg.exe) | EXE file downloaded by DFDownloader\r\nAcknowledgments\r\nWe would like to thank the following security researchers for sharing their information with us in writing this blog.\r\nCryptolaemus Team (@Cryptolaemus1)\r\nExecuteMalware (@executemalware)\r\nbom (@bomccss)\r\nわが (@waga_tw)\r\nmoto_sato (@58_158_177_102)\r\nMalware Traffic Analysis\r\nhttps://www.malware-traffic-analysis.net/\r\nIoCs (As of May 10)\r\nDocument file\r\n7d1ff39fc6daab153ad6477554415336578256257aa81fd796a48b89c7a8b2e8\r\nCampo Loader\r\nb8212f866c5cdf1a823031e24fe10444aab103d8fb55a25821e1c7c7366e580f\r\nDFDownloader\r\n8589e2d840c3ed5adbdc160724bdb3c2e703adeec1ec1e29983960c9c00c4469\r\nWhere to communicate with Campo Loader\r\nSince Openfield servers are also used by malware other than Campo Loader, the following may include communication destinations used by BazarCall and others. In addition, other Openfield URL information can be found at URLhaus.\r\nWhere to communicate with DFDownloader\r\nSource: https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/"
	],
	"report_names": [
		"campo_new_attack_campaign_targeting_japan"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439040,
	"ts_updated_at": 1775791675,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75d544d4e56924a04a6036f64bc7ac994c67724a.pdf",
		"text": "https://archive.orkl.eu/75d544d4e56924a04a6036f64bc7ac994c67724a.txt",
		"img": "https://archive.orkl.eu/75d544d4e56924a04a6036f64bc7ac994c67724a.jpg"
	}
}