{
	"id": "d20f2596-17b8-4e6b-9186-868e1715d705",
	"created_at": "2026-04-06T00:15:26.785053Z",
	"updated_at": "2026-04-10T03:33:18.788511Z",
	"deleted_at": null,
	"sha1_hash": "968beef4c4f265e4770de347ab4ac18678f8d21d",
	"title": "A Baza Valentine’s Day | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1294717,
	"plain_text": "A Baza Valentine’s Day | Proofpoint US\r\nBy February 11, 2021 Proofpoint Threat Research Team\r\nPublished: 2021-02-11 · Archived: 2026-04-05 14:39:45 UTC\r\nIn 2020, Proofpoint observed an increase in BazaLoader campaign volume peaking in October. During that time, we\r\nobserved specific campaigns correlated to public reports of affiliate campaigns delivering BazaLoader and associated with\r\nRyuk ransomware infections. Notably, in January 2021, Proofpoint researchers observed a few of BazaLoader campaigns\r\nleveraging Valentine's Day themes such as flowers and lingerie. The attack chains required an unusual amount of human\r\ninteraction before a payload was delivered. While we track a fair amount of BazaLoader delivered by TA800 and TA572,\r\nthese campaigns are not associated with either TA800 or TA572 and are likely leveraged by other affiliates. \r\nBazaLoader Origin \r\nBazaLoader is a downloader written in C++ whose primary function is to download and execute additional modules. It was\r\nfirst observed in the wild in April 2020 and since has steadily been adopted by more actors. Proofpoint has observed at least\r\nsix variants of Bazaloader signaling active and continued development. One of the earliest BazaLoader variants Proofpoint\r\nresearchers identified used \".bazar\" top-level domains for command-and-control communication. The \".bazar\" TLDs are\r\nassociated with cryptocurrency DNS named Emercoin using Blockchain services reported in early April 2020. Today, we do\r\nnot see the same association to cryptocurrency infrastructure, but it is relevant to its provenance.  \r\nValentine’s Day  \r\nProofpoint researchers have spotted multiple BazaLoader campaigns in January and February 2021 involving the tactic of\r\nheavily relying on human interaction with different sites, PDF attachments, and email lures. 
There were a range of lure and subject topics, including compact storage devices, office supplies, pharmaceutical supplies, and sports nutrition, but what stood out were campaigns that were timely and relevant to the upcoming Valentine’s Day holiday. The campaigns were spread across a diverse set of companies and sectors.\r\nValentine’s Day, while not abused to the level of other holidays, presents an opportunity for a variety of actors. The FBI Boston field office has posted public warnings of romance scams. While this is not a romance scam, it is an example of social engineering well-timed with the Valentine’s Day holiday.\r\nInfection Chain\r\nFigure 1: Infection Chain\r\nThe infection chain is consistent across the latest campaigns. The websites the user is led to are fake, but the actors took care to give them physical addresses (shown in the images below) that match a near-legitimate location. For example, Ajour Lingerie is not located at 1133 50th St, Brooklyn, NY 11219, but this address is in physical proximity to a legitimate website and physical business called the Lingerie Shop.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day\r\nPage 1 of 13\r\nFigure 2: physical address to digital website\r\nLingerie at Ajour\r\nThis campaign delivered PDF attachments that reference a specific customer order number and the associated purchased items, enticing the recipient to visit the Ajour Lingerie website. If the user visits the website and navigates to the \"Contact Us\" page, they are offered a field in which to enter the order number as the order ID. If the order number is entered, the contact page redirects the user to a landing page that links to an Excel sheet and explains how to open it. The Excel sheet contains macros that, if enabled by the user, download BazaLoader.
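The chain described above ends with a macro-enabled workbook fetching BazaLoader from a payload URL, after which the loader checks in with its C2 over HTTPS; the indicators for both stages are listed in the IOC table at the end of this post. The following Python script is an added example, not code from the original Proofpoint post: it refangs a handful of those published indicators (the table uses hxxp and [.] defanging), indexes them by type, and sweeps log lines for exact URL hits, C2 host hits with a new path, hash hits, and, generalizing the origin note above, any DNS query for the EmerDNS .bazar TLD even when the name itself is unlisted. The key=value log format and the log lines are constructed for the example and assume nothing about any real product.

```python
# Added example (not from the Proofpoint post): refang published BazaLoader
# IOCs and sweep constructed log lines for them.
from urllib.parse import urlsplit

# Six rows copied from the IOC table of this post, defanged exactly as published.
# Columns: indicator | type | description.
IOC_TABLE = '''
hxxps[://]cacla2006[.]org/achlom/hamin[.]php | URL | Excel Payload
447b4c867b7147afe178d73adf8113fc33f6399f03707e4308efa36e0859bf86 | SHA256 | BazaLoader Hash
hxxps://52[.]12[.]160[.]92/exceed/requested7/ppd15 | C2 | BazaLoader C2
hxxps[://]18[.]188[.]232[.]155/leading/crisis26/snow11 | C2 | BazaLoader C2
hxxps[://]acegikbcggin[.]bazar/news/article/12422 | C2 | BazaLoader C2
hxxps[://]horsehospital[.]com/assebles/hamnab[.]php | URL | Excel Payload
'''

# Constructed log lines in a made-up key=value format: <timestamp> <source> k=v ...
SAMPLE_LOGS = [
    '2021-02-08T10:40:51Z proxy src=10.1.4.22 url=https://horsehospital.com/assebles/hamnab.php status=200',
    '2021-02-08T10:41:07Z edr host=WS-0412 proc=excel.exe sha256=447B4C867B7147AFE178D73ADF8113FC33F6399F03707E4308EFA36E0859BF86',
    '2021-02-08T10:41:30Z dns src=10.1.4.22 qname=acegilbcggio.bazar qtype=A',
    '2021-02-08T10:41:44Z proxy src=10.1.4.22 url=https://18.188.232.155/investigate/discharge/partially2 status=200',
    '2021-02-08T10:42:00Z proxy src=10.1.4.23 url=https://www.proofpoint.com/us/blog status=200',
    '2021-02-08T10:42:15Z proxy src=10.1.4.22 url=https://52.12.160.92/exceed/requested7/ppd15 status=200',
]


def refang(ioc):
    '''Undo the defanging used in the published table: hxxp(s), [://] and [.].'''
    out = ioc.strip()
    # 'hxxps' must be handled before 'hxxp' so the scheme is rebuilt correctly.
    for old, new in (('[://]', '://'), ('[.]', '.'), ('hxxps', 'https'), ('hxxp', 'http')):
        out = out.replace(old, new)
    return out


def load_iocs(table):
    '''Parse the pipe-separated table into dicts; URL/C2 rows also get their host.'''
    iocs = []
    for line in table.strip().splitlines():
        value, kind, desc = (f.strip() for f in line.split('|'))
        value = refang(value)
        entry = {'value': value, 'type': kind, 'desc': desc, 'host': None}
        if kind in ('URL', 'C2'):
            entry['host'] = urlsplit(value).hostname
        else:
            entry['value'] = value.lower()  # hashes compare case-insensitively
        iocs.append(entry)
    return iocs


def parse_log(line):
    '''Split one constructed log line into a dict of its fields.'''
    parts = line.split()
    rec = {'ts': parts[0], 'source': parts[1]}
    for kv in parts[2:]:
        key, _, val = kv.partition('=')
        rec[key] = val
    return rec


def sweep(log_lines, iocs):
    '''Return (line_number, reason) for every line that touches an indicator.'''
    hashes = {i['value']: i['desc'] for i in iocs if i['type'] == 'SHA256'}
    urls = {i['value']: i['desc'] for i in iocs if i['type'] in ('URL', 'C2')}
    hosts = {i['host']: i['desc'] for i in iocs if i['host']}
    hits = []
    for n, line in enumerate(log_lines, 1):
        rec = parse_log(line)
        url = rec.get('url')
        if url in urls:
            hits.append((n, 'exact ' + urls[url]))
            continue
        # Fall back to the host: a known C2 IP with a new path, or a DNS name.
        host = urlsplit(url).hostname if url else rec.get('qname')
        if host in hosts:
            hits.append((n, 'host ' + hosts[host]))
        elif host and host.endswith('.bazar'):
            # Early BazaLoader C2 used the EmerDNS .bazar TLD (cf. ET SID 2029973),
            # so any query for it is worth a look even if the name is unlisted.
            hits.append((n, 'EmerDNS .bazar TLD query'))
        sha = rec.get('sha256', '').lower()
        if sha in hashes:
            hits.append((n, 'hash ' + hashes[sha]))
    return hits


def run_sample():
    '''Sweep the constructed logs with the published indicators.'''
    return sweep(SAMPLE_LOGS, load_iocs(IOC_TABLE))


if __name__ == '__main__':
    for n, reason in run_sample():
        print(n, reason)
```

Exact URL matches are reported first and the host check is skipped for them; the host fallback is what catches the second request to 18.188.232.155 with a path that is not in the six-row subset, and the .bazar rule flags the unlisted acegilbcggio.bazar query. Hashes are lower-cased on both sides because EDR products differ in the case they emit.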
\r\nFigure 3: Email Lure\r\nFigure 4: Ajour Lingerie\r\nFigure 5: Landing Page\r\nFigure 6: Enable Content to deliver BazaLoader\r\nFlowers at Rose World\r\nThis campaign is nearly identical, enticing users to check an order number. The campaign delivered PDF attachments with references to purchases at the Rose World website. If the user visits the website, navigates to \"Contact Us\", and enters the order number in the order ID field, the site redirects the user to a landing page. This landing page links to an Excel sheet and explains how to open it. The Excel sheet contains macros that, if enabled, download BazaLoader.\r\nFigure 7: Rose World Customer Order Email\r\nFigure 8: Invoice with website\r\nFigure 9: Rose World contact page and enter your order number\r\nFigure 10: Enable Macros to receive BazaLoader\r\nConclusion\r\nProofpoint researchers have observed steady growth in the number of actors using BazaLoader as a first-stage downloader. In addition to the uptick in BazaLoader distribution, there is active development of BazaLoader, particularly during October 2020. These recent BazaLoader campaigns exemplify affiliate actors leveraging a loader that is increasingly popular and more reliant on human interaction. 
Further, the social engineering relies on the timeliness of the Valentine’s Day holiday and on the intrinsic curiosity of users to see what they may have ordered. From a technical point of view, we have provided a number of IOCs and ET signatures below, as this malware family is used to carry out any number of actor or affiliate intentions, actions, and objectives.\r\nIOCs\r\nIOC  |  IOC Type  |  Description  |  First Observed\r\nhxxps[://]cacla2006[.]org/achlom/hamin[.]php  |  URL  |  Excel Payload  |  January 29, 2021\r\n447b4c867b7147afe178d73adf8113fc33f6399f03707e4308efa36e0859bf86  |  SHA256  |  BazaLoader Hash  |  January 29, 2021\r\nhxxps://52[.]12[.]160[.]92/exceed/requested7/ppd15  |  C\u0026C  |  BazaLoader C\u0026C  |  January 29, 2021\r\nhxxps://34[.]220[.]204[.]73/exceed/requested7/ppd15  |  C\u0026C  |  BazaLoader C\u0026C  |  January 29, 2021\r\nhxxps[://]www[.]cutedigitalphotography[.]com/vitrum/caretas[.]php  |  URL  |  Excel Payload  |  January 29, 2021\r\nb6e5f8a1d01bfa0524707ed914409ccb6d28137f05467b3fccb52af02e510f34  |  SHA256  |  BazaLoader Hash  |  January 29, 2021\r\nhxxps[://]18[.]188[.]232[.]155/leading/crisis26/snow11  |  C\u0026C  |  BazaLoader C\u0026C  |  January 29, 2021\r\nhxxps[://]18[.]188[.]232[.]155/investigate/discharge/partially2  |  C\u0026C  |  BazaLoader C\u0026C  |  January 29, 2021\r\nhxxps[://]homeprojectplanning[.]com/germes/sanertl[.]php  |  URL  |  Excel Payload  |  February 1, 2021\r\nfd142ad1919c5ca254b75745739a72aaec509afdd74715139ecc60266d7fdd3e  |  SHA256  |  BazaLoader Hash  |  February 1, 2021\r\nhxxps[://]52[.]12[.]160[.]92/blog/entry/361446  |  C\u0026C  |  BazaLoader C\u0026C  |  February 1, 2021\r\nhxxps[://]52[.]12[.]160[.]92/goods/itemid/124324  |  C\u0026C  |  BazaLoader C\u0026C  |  February 1, 2021\r\nhxxps[://]54[.]190[.]50[.]234/organization/round_table  |  C\u0026C  |  BazaLoader C\u0026C  |  February 1, 2021\r\nhxxps[://]34[.]220[.]167[.]220/organization/round_table  |  C\u0026C  |  BazaLoader C\u0026C  |  February 1, 2021\r\nhxxps[://]18[.]236[.]86[.]87/organization/round_table  |  C\u0026C  |  BazaLoader C\u0026C  |  February 1, 2021\r\nhxxps[://]34[.]212[.]73[.]169/organization/round_table  |  C\u0026C  |  BazaLoader C\u0026C  |  February 1, 2021\r\nhxxps[://]morrislibraryconsulting[.]com/favicam/gertnm[.]php  |  URL  |  Excel Payload  |  February 8, 2021\r\nb4acd05efadb07351ad853233220bf7f5dd13fbc26fd065d56925c05a42f1927  |  SHA256  |  BazaLoader Hash  |  February 8, 2021\r\nhxxps[://]34[.]210[.]71[.]206/news/article/12422  |  C\u0026C  |  BazaLoader C\u0026C  |  February 8, 2021\r\nhxxps[://]34[.]210[.]71[.]206/artists/id/13131  |  C\u0026C  |  BazaLoader C\u0026C  |  February 8, 2021\r\nhxxps[://]acegikbcggin[.]bazar/news/article/12422  |  C\u0026C  |  BazaLoader C\u0026C  |  February 8, 2021\r\nhxxps[://]acegilbcggio[.]bazar/news/article/12422  |  C\u0026C  |  BazaLoader C\u0026C  |  February 8, 2021\r\nhxxps[://]horsehospital[.]com/assebles/hamnab[.]php  |  URL  |  Excel Payload  |  February 8, 2021\r\nb5d7dc4e53f5242e6354c9e20bba1e49d2b34261f706a8c9c9e1b6b18bff348b  |  SHA256  |  BazaLoader Hash  |  February 8, 2021\r\nhxxps[://]34[.]210[.]71[.]206/home/static  |  C\u0026C  |  BazaLoader C\u0026C  |  February 8, 2021\r\nET Signatures\r\nSID  |  Name\r\n2844993  |  ETPRO TROJAN bazaloader Variant CnC Activity\r\n2844992  |  ETPRO TROJAN bazaloader Variant CnC Activity\r\n2844991  |  ETPRO TROJAN bazaloader Variant CnC Activity\r\n2844795  |  ETPRO TROJAN bazaBackdoor Variant CnC (Checkin)\r\n2844794  |  ETPRO TROJAN Possible bazaloader CnC Activity M3\r\n2844766  |  ETPRO TROJAN Possible bazaloader CnC Activity M2\r\n2844765  |  ETPRO TROJAN Possible bazaloader CnC Activity M1\r\n2844764  |  ETPRO TROJAN SSL/TLS Certificate Observed (bazaloader)\r\n2844763  |  ETPRO TROJAN SSL/TLS Certificate Observed (bazaloader)\r\n2844355  |  ETPRO TROJAN Observed bazaLoader User-Agent\r\n2844246  |  ETPRO TROJAN bazar Backdoor CnC Activity\r\n2843035  |  ETPRO TROJAN bazaBackdoor Variant CnC Activity M3\r\n2843034  |  ETPRO TROJAN bazaBackdoor Variant CnC Activity M2\r\n2843033  |  ETPRO TROJAN bazaLoader Variant CnC Activity M1\r\n2842090  |  ETPRO TROJAN bazaLoader CnC (Download Request)\r\n2842073  |  ETPRO TROJAN bazaBackdoor Variant CnC (Checkin)\r\n2031085  |  ET TROJAN bazaloader Variant Activity\r\n2031084  |  ET TROJAN bazaloader Variant Activity\r\n2030988  |  ET TROJAN Observed Malicious SSL Cert (bazaLoader CnC)\r\n2030820  |  ET TROJAN Observed Malicious SSL Cert (bazar Backdoor)\r\n2030270  |  ET TROJAN Observed Malicious DNS Query (bazarLoader/Team9 Backdoor CnC Domain)\r\n2030269  |  ET TROJAN Observed Malicious DNS Query (bazarLoader/Team9 Backdoor CnC Domain)\r\n2030268  |  ET TROJAN Observed Malicious DNS Query (bazarLoader/Team9 Backdoor CnC Domain)\r\n2030267  |  ET TROJAN Observed Malicious DNS Query (bazarLoader/Team9 Backdoor CnC Domain)\r\n2030045  |  ET TROJAN bazaR CnC Domain in DNS Lookup\r\n2030044  |  ET TROJAN bazaR CnC Domain in DNS Lookup\r\n2030043  |  ET TROJAN bazaR CnC Domain in DNS Lookup\r\n2030042  |  ET TROJAN bazaR CnC Domain in DNS Lookup\r\n2030041  |  ET TROJAN bazaR CnC Domain in DNS Lookup\r\n2029973  |  ET INFO Observed DNS Query for EmerDNS TLD (.bazar)\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day"
	],
	"report_names": [
		"baza-valentines-day"
	],
	"threat_actors": [
		{
			"id": "cf32661e-7543-4b57-8665-7f8101a000e9",
			"created_at": "2023-01-06T13:46:39.322379Z",
			"updated_at": "2026-04-10T02:00:03.287241Z",
			"deleted_at": null,
			"main_name": "TA800",
			"aliases": [],
			"source_name": "MISPGALAXY:TA800",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/968beef4c4f265e4770de347ab4ac18678f8d21d.pdf",
		"text": "https://archive.orkl.eu/968beef4c4f265e4770de347ab4ac18678f8d21d.txt",
		"img": "https://archive.orkl.eu/968beef4c4f265e4770de347ab4ac18678f8d21d.jpg"
	}
}