{
	"id": "2340595f-6bd9-4a78-b36f-bb59087d0eb9",
	"created_at": "2026-04-06T00:07:31.788044Z",
	"updated_at": "2026-04-10T03:27:55.928743Z",
	"deleted_at": null,
	"sha1_hash": "9833bebaf9b7151df5b54d69c5ba6ded5a8ad97d",
	"title": "BazarCall Method: Call Centers Help Spread BazarLoader Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2808204,
	"plain_text": "BazarCall Method: Call Centers Help Spread BazarLoader\r\nMalware\r\nBy Brad Duncan\r\nPublished: 2021-05-19 · Archived: 2026-04-05 19:40:18 UTC\r\nExecutive Summary\r\nBazarLoader (sometimes referred to as BazaLoader) is malware that provides backdoor access to an infected\r\nWindows host. After a client is infected, criminals use this backdoor access to send follow-up malware, scan the\r\nenvironment and exploit other vulnerable hosts on the network.\r\nThe threat actor behind BazarLoader uses different methods to distribute this malware to potential victims. In\r\nearly February 2021, researchers began reporting a call center-based method of distributing BazarLoader. This\r\nmethod utilizes emails with a trial subscription-based theme that encourages potential victims to call a phone\r\nnumber. A call center operator then answers and directs victims to a website to unsubscribe from the service. Call\r\ncenter operators offer to personally guide victims through a process designed to infect vulnerable computers with\r\nBazarLoader. An example of the process can be found in this YouTube video.\r\nThis call center-based process of infecting computers with BazarLoader has been dubbed the \"BazarCall\" method\r\n(sometimes referred to as \"BazaCall\" method).\r\nPalo Alto Networks Next-Generation Firewall customers are protected from this threat with a Threat Prevention\r\nsecurity subscription.\r\nChain of Events for Infections Using the BazarCall Method\r\nBazarCall infections follow a distinct pattern of activity. See Figure 1 for a flow chart showing the chain of events.\r\nhttps://unit42.paloaltonetworks.com/bazarloader-malware/\r\nPage 1 of 15\n\nFigure 1. 
BazarCall chain of events\r\nChain of Events for an Infection Using the BazarCall Method:\r\nA trial subscription-themed email with a phone number to a call center for assistance.\r\nVictim calls the phone number from the email.\r\nCall center operator guides the victim to a fake company website.\r\nVictim downloads a Microsoft Excel file from the website.\r\nThe call center operator instructs the victim to enable macros on the downloaded Excel file.\r\nThe vulnerable Windows computer is infected with BazarLoader malware.\r\nThe call center operator then tells the victim that the unsubscription is successful.\r\nBazarLoader generates command and control (C2) traffic from the infected Windows host.\r\nBackdoor access through BazarLoader leads to post-infection activities.\r\nThese emails state that the victim’s trial subscription is ending, and the victim’s credit card will be charged. Phone\r\nnumbers in these emails change at least daily, and occasionally we have seen two or more numbers appear during\r\na single day.\r\nPosing as a Victim\r\nA video has been posted on YouTube documenting someone posing as a victim and having a call center operator guide\r\nthem through the fake unsubscription process. We contacted this call center on at least five different occasions,\r\nand the operator was a different person each time. All operators were seemingly non-native English speakers. Two\r\nof the operators were female, and three were male. Each operator followed the same basic script, but there were\r\nvariations.\r\nThe following conversation took place on Wednesday, April 14, 2021, using a phone number from the email shown\r\nbelow in Figure 2.\r\nFigure 2. Email used by the person posing as a victim.\r\nOperator: Customer service. How may I help you?\r\nVictim: Hi. I got an email today from a company called Paradise Books. It says I have a subscription, and my\r\ncredit card will be charged. 
But I've never dealt with Paradise Books. I don't remember doing anything or going to\r\na website for Paradise Books or anything like that.\r\nOperator: Okay, sir. Do you have a subscription number?\r\nVictim: Yes, hold on. It's 040*********. [Note: The last 9 digits of this number are purposely not shown here\r\nbecause this number identifies the recipient's email address.]\r\nOperator: Okay, I can repeat that back to you. It is 040*********.\r\nVictim: Yes.\r\nOperator: Yes sir, just hold on a moment let me check our system.\r\nVictim: Okay.\r\n[hold music]\r\nOperator: Hello?\r\nVictim: Yes.\r\nOperator: Okay. It seems this account was opened by John Edwards, but your email starts with [victim's first\r\nname].\r\nVictim: Yes, I'm [victim's first name]. I don't know any John Edwards.\r\nOperator: Okay, sir. You'll need to cancel the subscription. So what you need to do is go to worldbooks dot US.\r\nOperator: Worldbooks [states each letter phonetically] dot US.\r\nVictim: Hold on a second. Let me get that in my web browser.\r\nOperator: Yes? Can I read it back again?\r\nVictim: No thank you. I have it. [typing sounds]\r\nOperator: Hello?\r\nVictim: Yes, hold on. It looks like it's loading.\r\nOperator: Have you seen the website yet?\r\nVictim: Okay, here we go. It says \"World Books.\" So I've got a web page. I've never seen this site before.\r\nOperator: No problem. We can just cancel the subscription. What you need is your subscriber number that you told\r\nme earlier.\r\nVictim: Okay.\r\nFigure 3. 
BazarCall website from April 14, 2021.\r\nOperator: Can you see the subscribe button?\r\nVictim: Yes.\r\nOperator: When you click on that, you should be able to see unsubscribe.\r\nVictim: Okay, I'm clicking the subscribe button.\r\nOperator: Can you see unsubscribe?\r\nVictim: I see a line that says, \"Do you want to unsubscribe?\"\r\nFigure 4. BazarCall website subscribe page with link to unsubscribe.\r\nOperator: That is where you need to go. Can you click it?\r\nVictim: Okay.\r\nOperator: And then you enter the subscription number.\r\nVictim: Gotcha. [typing sounds]\r\nFigure 5. BazarCall website unsubscribe page.\r\nOperator: Once you do that, you will receive a confirmation document.\r\nVictim: Okay, it's asking me what do I want to do with subscription 16184 something XLSB?\r\nFigure 6. BazarCall website unsubscribe page returns an Excel file.\r\nOperator: That is the confirmation document. That's where you have your confirmation code.\r\nVictim: Should I open it? Should I save it? Or what?\r\nOperator: You can open it, if you need the confirmation. The confirmation code is important. In case anything\r\nhappens, you can call us and give us the confirmation code.\r\nVictim: Okay.\r\nOperator: So we can solve the issue.\r\nVictim: Gotcha. Alright.\r\nOperator: Did you get it?\r\nVictim: Alright. I'm opening it right now. I see Excel Office 365. This document is protected. Previewing is not\r\navailable for protected documents. I have to press enable.\r\nFigure 7. Screenshot of Excel file downloaded from BazarCall website.\r\nOperator: Click editing and enable content.\r\nVictim: Okay. [pauses] Alright. The spreadsheet changed. 
[pauses] It shows a form with a company name, first\r\nname, last name, birthdate, and all that stuff.\r\nFigure 8. Excel file after enabling macros. Note the different filename on the title bar.\r\nOperator: Okay, can you see the code? The code is the important one.\r\nVictim: I don't see a code, no.\r\nOperator: Okay. There are different pages. Can you see the next page?\r\nVictim: Where is this code supposed to be?\r\nOperator: There is a confirmation code in case you don't want to get charged but in case you get charged, that is\r\nwhat you call us with in order to cancel the charge.\r\nVictim: Okay, I still don't know where I'm supposed to find this code.\r\nOperator: Just hold on and let me check with the department of IT.\r\nVictim: Okay.\r\n[hold music for approximately 1 minute]\r\nOperator: Hello sir.\r\nVictim: Yes.\r\nOperator: I've checked with the IT department, and they are saying that the cancellation went through correctly.\r\nWe are just having an issue with our servers, but the cancellation went through successfully.\r\nVictim: Okay.\r\nOperator: So nothing will be charged to your account. And they've given me a code on their end. Can I read it to\r\nyou?\r\nVictim: Yes.\r\nOperator: The code is [spells out seven characters of an alpha-numeric code].\r\nVictim: Okay.\r\nOperator: In case of any problem, you can just call back and give us that code. We will be able to resolve any\r\nissue.\r\nVictim: Okay. Thank you.\r\nOperator: You're welcome sir. 
And if you call back, you can ask for [operator's first name], because we have\r\nmany [garbled].\r\n[Victim repeats operator's first name]\r\nOperator: Yes, that's my name.\r\nVictim: Alright, well thank you.\r\nOperator: Have a good day.\r\nVictim: Goodbye.\r\nOperator: Goodbye sir.\r\nInfection Traffic\r\nAfter macros are enabled on the downloaded Excel file, the BazarLoader DLL is dropped, and it generates a URL\r\ncontaining the string \"campo\". This type of URL is called Campo Loader, which acts as a gateway that redirects\r\ntraffic to malware. Some examples of Campo Loader URLs generated by a BazarLoader DLL are shown below in\r\nTable 1.\r\nDate URL\r\n2021-03-25 hxxp://whynt[.]xyz/campo/w/w\r\n2021-03-29 hxxp://veso2[.]xyz/campo/r/r1\r\n2021-03-31 hxxp://about2[.]xyz/campo/a/a1\r\n2021-04-07 hxxp://basket2[.]xyz/campo/u/u1\r\n2021-04-08 hxxp://dance4[.]xyz/campo/d8/d9\r\n2021-04-14 hxxp://glass3[.]xyz/campo/gl/gl3\r\n2021-04-15 hxxp://idea5[.]xyz/campo/id/id8\r\n2021-04-16 hxxp://keep2[.]xyz/campo/jl/jl7\r\nTable 1. Recent Campo Loader URLs generated by BazarCall spreadsheet macros.\r\nFigure 9 shows a Campo Loader URL from April 14, 2021, redirecting to a URL for BazarLoader.\r\nFigure 9. 
Campo Loader URL successfully redirecting to a URL for BazarLoader.\r\nExamples of recent URLs for BazarLoader EXE files are shown below in Table 2.\r\nDate URL\r\n2021-03-25 hxxp://whynt[.]xyz/uploads/files/dl8x64.exe\r\n2021-03-29 hxxp://admin.yougleeindia[.]in/theme/js/plugins/o1e.exe\r\n2021-03-29 hxxp://admin.yougleeindia[.]in/theme/js/plugins/rt3ret3.exe\r\n2021-03-31 hxxp://about2[.]xyz/uploads/files/ret5er.exe\r\n2021-04-07 hxxp://www.carsidecor[.]com/wp-content/uploads/2021/04/cv76.exe\r\n2021-04-08 hxxp://dance4[.]xyz/uploads/files/10r3.exe\r\n2021-04-14 hxxp://glass3[.]xyz/uploads/files/hah5.exe\r\n2021-04-15 hxxp://idea5[.]xyz/uploads/files/ratan.exe\r\n2021-04-15 hxxp://idea5[.]xyz/uploads/files/rets.exe\r\n2021-04-16 hxxp://keep2[.]xyz/uploads/files/suka.exe\r\nTable 2. Recent URLs for BazarLoader malware.\r\nThe BazarLoader executable generates HTTPS C2 traffic noted below in Figure 10.\r\nFigure 10. Traffic from the BazarLoader infection.\r\nForensics on Infected Windows Host\r\nThis section describes forensics on an infected Windows host from April 14, 2021. The SHA256 hash for the\r\ndownloaded spreadsheet is:\r\ndb53f42e13d2685bd34dbc5c79fad637c9344e72e210ca05504420874e98c2a6\r\nMacros from the downloaded Excel file create artifacts in the Windows computer’s C:\\Users\\Public directory as\r\nshown in Figure 11.\r\nFigure 11. Artifacts were created after enabling macros from the downloaded Excel file on April 14,\r\n2021.\r\nFile information is shown below in Table 3. The first two are text files with the same SHA256 hash. 
The other file\r\nis a BazarLoader DLL.\r\nFile name File type SHA256 hash\r\n130486.xlsb ASCII text 2632c0cc222a6d436b50a418605a7bd4fa8f363ab8d93d10b831cdb28a2ac1bc\r\n130486.dot ASCII text 2632c0cc222a6d436b50a418605a7bd4fa8f363ab8d93d10b831cdb28a2ac1bc\r\n130486.pgj DLL f3b5cf1e40aed4567a8996cf107285907d432b4bc8cc3d0b46aae628813d82d4\r\nTable 3. Artifacts from a BazarCall spreadsheet seen on April 14, 2021.\r\n130486.xlsb and 130486.dot consist of an American Standard Code For Information Interchange (ASCII) string\r\nwith base64 text. This text represents the BazarLoader dynamic link library (DLL) file. Macro code from the\r\ndownloaded Excel file converts the base64 text to a DLL named 130486.pgj and runs this DLL using the\r\nfollowing script commands:\r\ncmd.exe /c certutil -decode %PUBLIC%\\130486.dot %PUBLIC%\\130486.pgj\r\nrundll32 %PUBLIC%\\130486.pgj,DF1\r\nKeep in mind these files are from one specific example. Artifacts generated from other spreadsheets have different\r\nnames and different file extensions. Common characteristics include:\r\nAll three artifacts have the same name, but different file extensions.\r\nTwo of the artifacts are ASCII strings with base64 text.\r\nOne of the artifacts is a DLL for BazarLoader.\r\nOne of the text-based artifacts uses an .xlsb file extension.\r\nThe DLL is designed to retrieve a BazarLoader EXE. In our example from April 14, 2021, the BazarLoader EXE\r\nwas saved to a folder under the C:\\ProgramData directory as shown below in Figure 12.\r\nFigure 12. Windows EXE file for BazarLoader.\r\nFollow-Up Activities\r\nBazarLoader provides backdoor access to an infected Windows host. In some cases, Cobalt Strike is seen as\r\nfollow-up malware, leading to other malware like Anchor. At least two cases have been publicly documented\r\nwhere BazarLoader malware led to Cobalt Strike and then to Anchor malware. 
One case happened in February\r\n2021, and the other case happened in March 2021.\r\nHowever, BazarLoader is not limited to just Cobalt Strike and Anchor as follow-up malware. 2020 saw reports of\r\nBazarLoader leading to ransomware like Ryuk. Backdoor access to an infected Windows host could lead to any\r\nfamily of malware.\r\nConclusion\r\nAs early as February 2021, we have seen several reports of the BazarCall method distributing BazarLoader\r\nmalware using call center personnel. These infections follow noticeable patterns, and they can lead to other\r\nmalware like Cobalt Strike, Anchor and Ryuk ransomware.\r\nOrganizations with decent spam filtering, proper system administration and up-to-date Windows hosts have a\r\nmuch lower risk of infection from BazarLoader malware and its post-infection activity. Palo Alto Networks Next-Generation Firewall customers are further protected from this threat with a Threat Prevention security\r\nsubscription.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise described in this\r\nreport, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly\r\ndeploy protections to their customers and to systematically disrupt malicious cyber actors. 
For more information\r\non the Cyber Threat Alliance, visit www.cyberthreatalliance.org.\r\nIndicators of Compromise\r\nAppendix A\r\nExamples of BazarCall emails (March and April 2021): GitHub repository.\r\nAppendix B\r\nExamples of domains hosting the fake websites used for the BazarCall method (March and April 2021): GitHub\r\nrepository.\r\nAppendix C\r\n96 examples of Excel spreadsheets from unsubscribe pages from fake websites using the BazarCall method\r\n(March and April 2021): GitHub repository.\r\nAppendix D\r\n11 examples of BazarLoader DLL files dropped by Excel spreadsheet macros (March and April 2021): GitHub\r\nrepository.\r\nAppendix E\r\nSHA256 hashes for 24 examples of BazarLoader EXE files retrieved by BazarLoader (March and April 2021):\r\nGitHub repository.\r\nSource: https://unit42.paloaltonetworks.com/bazarloader-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/bazarloader-malware/"
	],
	"report_names": [
		"bazarloader-malware"
	],
	"threat_actors": [
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434051,
	"ts_updated_at": 1775791675,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9833bebaf9b7151df5b54d69c5ba6ded5a8ad97d.pdf",
		"text": "https://archive.orkl.eu/9833bebaf9b7151df5b54d69c5ba6ded5a8ad97d.txt",
		"img": "https://archive.orkl.eu/9833bebaf9b7151df5b54d69c5ba6ded5a8ad97d.jpg"
	}
}