{
	"id": "e5528bd0-4b5b-4f22-b368-7b4118c595d0",
	"created_at": "2026-04-06T00:09:56.228166Z",
	"updated_at": "2026-04-10T03:37:50.319487Z",
	"deleted_at": null,
	"sha1_hash": "b3a28d7ddf53103e9ccad2c8ccf4ed3d2840d288",
	"title": "Wrapping Up a Year of Infamous Bazar Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1942102,
	"plain_text": "Wrapping Up a Year of Infamous Bazar Campaigns\r\nBy Avigayil Mechtinger\r\nPublished: 2021-05-27 · Archived: 2026-04-05 13:55:50 UTC\r\nBazar is the latest tool developed by the TrickBot gang\r\nCommon malware used for cybercrime such as Agent Tesla, Dridex and Formbook has been around for at least five years and is still distributed and active. About one year ago, a new malware named Bazar breathed some fresh air into this landscape. Since its first campaign, Bazar has been extremely active and has taken part in large-scale breaches including the nationwide Ryuk ransomware attack on UHS hospitals.\r\nThe name ‘Bazar’ was given to the malware because of its use of EmerDNS (.bazar) domains for command-and-control networking. On top of serving as a backdoor, Bazar is designed to gain a foothold on the victim’s machine to deliver an additional payload as the next phase of the attack. The time between Bazar installation and payload delivery can vary from a few hours to days.\r\nIn this post we will profile Bazar and highlight four prominent campaigns delivering this year-old malware.\r\nKey Profiling\r\nhttps://www.intezer.com/blog/malware-analysis/wrapping-up-a-year-of-infamous-bazar-campaigns/\r\nPage 1 of 8\n\nAttribution\r\nBased on code similarities, delivery, infrastructure and operation methods, researchers believe that Bazar was developed by the TrickBot gang (aka Team9).\r\nTargets\r\nThe operators behind the malware are mainly financially motivated, meaning they target organizations with high capital.\r\nDelivery Method\r\nThe malware delivery method is purely based on social engineering initiated with a phishing email. The email will usually contain a link to a website hosting a malicious Microsoft Office document, which delivers Bazar when the document is opened on a victim’s machine, or the website will host the malware itself masqueraded as a document.\r\nStealth\r\nBazar implements the following evasion techniques to bypass detection:\r\nSigning malware with certificates: Antiviruses tend to rely on code signing certificates to increase the credibility of a file. Therefore, signed files are less likely to be detected as malicious by Antivirus vendors.\r\nSigned Bazar files were fully undetected in VirusTotal\r\nFileless payload: Bazar uses a lightweight loader to inject its fileless payload into memory. Fileless malware challenges traditional Antivirus solutions as it resides only in memory and leaves no footprint on disk. The following is the genetic analysis of a Bazar sample (3578e96b72cba790179d546f11e045ca) injecting fileless code into memory.\r\nBazar sample (3578e96b72cba790179d546f11e045ca) injects fileless code\r\nUse of decentralized C2: For its C2 communication, Bazar uses EmerDNS, which is a decentralized domain name system based on Emercoin blockchain technology. EmerDNS domains cannot be altered, revoked, or suspended, which allows Bazar’s operations to be nearly immune from a takedown attempt by law enforcement.\r\nTimeline and Milestone Campaigns\r\nAs Bazar evolves and takes part in different phishing campaigns, we are highlighting the top four milestones of this threat so far.\r\nApr 2020 – Bazar Exposed to the Masses\r\nWith the outburst of COVID-19, many threat actors leveraged the pandemic for phishing campaigns. This theme was used as part of the first documented campaign delivering Bazar.\r\nSimilar to other campaigns using Bazar, this one began with a phishing email containing a link to a page hosted on Google Docs. On this page, the victim was lured to click on a link preview to a doc report. By clicking on the link, the victim would download the Bazar malware executable masqueraded as a document. Because Windows does not present a file’s extension by default, threat actors are able to trick victims by masquerading an executable as a non-executable file type, so that the file has a Word document icon but is in fact an executable.\r\nThe next image shows a Google Docs page hosting the malware executable.\r\nCOVID-19 themed phishing campaign (source: BleepingComputer)\r\nInterestingly, one of these phishing emails was sent to a BleepingComputer domain.\r\nBazar targeting BleepingComputer domain\r\nSep 2020 – Healthcare, Ransomware and Bazar in Between\r\nUHS hospitals were hit by a Ryuk ransomware attack in September 2020. This attack was part of a greater trend targeting hospitals and other healthcare-related organizations in the United States.\r\nThese ransomware attacks were initiated with phishing emails sent to employees delivering Bazar but also BuerLoader or TrickBot. After an employee was lured to install Bazar, a Cobalt Strike Beacon was delivered to the victim’s machine for lateral movement and persistence. Together with Cobalt Strike, other penetration testing tools were installed and run on the victim’s machine for reconnaissance and privilege escalation purposes. Ryuk ransomware was delivered as the final step of the attack to run widely on the organization’s assets.\r\nCISA alert on the ransomware campaign\r\nThis attack chain not only targeted the healthcare sector but also went after different organizations inside France after it became public that Sopra Steria, a French consulting organization, was hit by Ryuk.\r\nJan 2021 – Hello, Who is This?\r\nThe BazarCall campaign may be the most interesting social engineering method used for delivering Bazar thus far.\r\nAs the first step, a personalized phishing email is sent claiming that a free trial for a [fake] product is about to expire, and the addressee will be charged via a “pre provided payment method.” The email also states that if the addressee wishes to drop the subscription, they can make a call to the “customer service center.” Once a victim calls the customer service center number, the “service provider” lures the user to browse a phishing website, insert a code, and click on “unsubscribe.” By clicking unsubscribe, a malicious Microsoft Office document is downloaded, delivering Bazar.\r\nExample of a BazarCall phishing email (source: Sophos)\r\nThe email has no indication of maliciousness as it does not contain any links or attachments, but it is purely an attempt to exploit the innocence of the victims who are lured to make the phone call.\r\nThis YouTube video documents a phone call between a researcher posing as a victim and the “service provider.”\r\nThe campaign, which started by delivering BazarLoader, continues to deliver other loaders such as IceID.\r\nFeb 2021 – Nim What?\r\nIn the beginning of February, a new and unusual version of Bazar was detected: an implementation of the backdoor written in Nim, which is a statically-typed self-contained programming language.\r\nBecause Nim is not a common choice for malware development, it is believed that the use of this programming language is an attempt to bypass detection. This attempt can be considered successful as this version, also known as ‘BazarNimrod’ and ‘NimzaLoader,’ had low detection rates in VirusTotal.\r\nBazar written in Nim with low detection rate in VirusTotal\r\nBazar is not the first malware written in Nim. Sofacy (Russian APT) developed a downloader in Nim for their Zebrocy tool.\r\nFinal Words\r\nThreat actors are highly motivated and must keep reinventing themselves to stay effective. They put in the time and money to bypass Antivirus detection on the way to successful compromises. We assess that cybercriminals will continue to step up their game with social engineering creativity and different malware implementations.\r\nHow to Protect Your Organization\r\nBazar and similar threats use social engineering as an entry point and keep a low profile once inside. Keep in mind that it takes only one employee to take down an entire organization.\r\nTake the following steps to keep your organization clean from these types of attacks:\r\nEnhance social engineering awareness inside your organization.\r\nPerform proactive hunting on all endpoints inside your organization to make sure that no traces of malicious code or malware exist. Intezer’s live Endpoint Scanner collects all binaries running in memory, including fileless, and classifies them using genetic code analysis technology.\r\nEndpoint scan on an infected machine\r\nReferences\r\nhttps://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/\r\nhttps://www.bleepingcomputer.com/news/security/bazarcall-malware-uses-malicious-call-centers-to-infect-victims/\r\nhttps://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon\r\nhttps://threatpost.com/bazarloader-malware-slack-basecamp/165455/\r\nhttps://news.sophos.com/en-us/2021/04/15/bazarloader/\r\nhttps://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles#trickbot-connection\r\nSource: https://www.intezer.com/blog/malware-analysis/wrapping-up-a-year-of-infamous-bazar-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.intezer.com/blog/malware-analysis/wrapping-up-a-year-of-infamous-bazar-campaigns/"
	],
	"report_names": [
		"wrapping-up-a-year-of-infamous-bazar-campaigns"
	],
	"threat_actors": [
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434196,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3a28d7ddf53103e9ccad2c8ccf4ed3d2840d288.pdf",
		"text": "https://archive.orkl.eu/b3a28d7ddf53103e9ccad2c8ccf4ed3d2840d288.txt",
		"img": "https://archive.orkl.eu/b3a28d7ddf53103e9ccad2c8ccf4ed3d2840d288.jpg"
	}
}