{
	"id": "8908d4e3-86dc-43d7-9044-6bb5ff7a49bb",
	"created_at": "2026-04-06T00:19:50.010819Z",
	"updated_at": "2026-04-10T03:21:51.783352Z",
	"deleted_at": null,
	"sha1_hash": "b4955871b9f5baab2c2d6b2b13a8d75ab2697c8c",
	"title": "New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part II | Fortinet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2593678,
	"plain_text": "New Bazar Trojan Variant is Being Spread in Recent Phishing\r\nCampaign – Part II | Fortinet\r\nBy Xiaopeng Zhang\r\nPublished: 2021-02-12 · Archived: 2026-04-05 15:53:41 UTC\r\nFortiGuard Labs Threat Research Report\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows Users\r\nImpact: Control and collect sensitive information from the victim’s device, as well as delivering other\r\nmalware.\r\nSeverity level: Critical\r\nFortiGuard Labs recently detected a suspicious email through the SPAM monitoring system that was designed to\r\ntrick a victim into opening a web page to download an executable file. Additional research on this executable file\r\nfound that it is a new variant of the Bazar malware.\r\nMy analysis of this variant is being published in two parts. In the first part of the analysis, I explained how the\r\nBazar loader was downloaded onto a victim’s device, how it communicates with its C2 server to obtain a Bazar\r\nfile, and how that file is then injected into a newly-created “cmd.exe” process.\r\nIn this second part, I will focus on the Bazar payload file that runs inside the “cmd.exe” process. You will learn\r\nwhat new anti-analysis techniques this Bazar uses, how it communicates with its C2 server, what sensitive data it\r\nis able to collect from the victim’s device, and how it is able to deliver other malware onto the victim’s system.\r\nMain() function of the Bazar Payload\r\nThis variant of the Bazar payload is a 64-bit executable file written in Microsoft Visual C++ 8.0. It was compiled\r\non Monday, Jan 18, 2021.\r\nIn its Main() function, we can see that it is driven by a “Timer” set by the API SetTimer(); the timer messages are then retrieved by\r\nGetMessageA(). When a condition is matched, the working function is called once. 
The pseudocode of how they\r\nwork together is shown in Figure 1.1, below.\r\nhttps://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II\r\nPage 1 of 16\n\nFigure 1.1. Pseudocode of the Main() function of Bazar\r\nAnti-analysis Techniques\r\nI also observed three primary anti-analysis techniques being used throughout the entire Bazar execution. I will explain\r\nhow each of these works.\r\n1. All key APIs are hidden\r\nBazar hides the key APIs it uses and resolves each one only at the moment it needs to call it. A function that I call get_api() is used\r\nto dynamically obtain an API address from the API name hash and its module index. The API address is returned in the\r\nRAX register when get_api() returns. More than 600 APIs are obtained in this variant by using get_api().\r\nIdentifying these APIs is complicated because the code carries only the name hash, never the API name, so the call target cannot be read directly. This really creates\r\ntrouble for researchers during both dynamic and static analysis.\r\nThe ASM code below shows Bazar retrieving the API “TerminateProcess” with the name hash\r\n0x9E6FA842 and module index 8. As stated earlier, the address is found in RAX when get_api() returns.\r\nxor     ecx, ecx\r\nmov     edx, 1\r\nmov     r8d, 9E6FA842h  ; The hash of API \"TerminateProcess\".\r\nmov     r9d, 8          ; An index of the module that contains \"TerminateProcess\".\r\ncall    get_api\r\nmov     [rsp+698h+var_640], rax   ; “TerminateProcess” is in RAX.\r\n2. ASM Code Obfuscation\r\nIf you are curious about the code structure, the pseudocode (shown in Figure 1.1) looks so strange because Bazar\r\nuses a code obfuscation technique. 
This is another barrier to threat researchers in clearly tracking the code.\r\nHere is an example of how the ASM code is obfuscated.\r\nThe original code is below:\r\nmov     [rsp+40h+var_18], rdx\r\nmov     rbp, [rsp+40h+var_18]\r\ncmp     rbp, 4\r\njae     Label_1\r\nmov     rdx, [rsp+40h+var_18]\r\nmovzx   ebp, [rsp+rdx+40h+var_10]\r\nimul    ebp, -0Bh\r\nmov     ebx, ebp\r\nadd     ebx, 273h\r\n[...]\r\nLabel_1:\r\nlea     rcx, [rsp+40h+arg_40]\r\nlea     rdx, [rsp+40h+var_10]\r\ncall    sub_13F944B2E\r\nAfter obfuscation, it becomes the following, with the original instructions scattered among the inserted ones:\r\nmov     ecx, 370A6DACh\r\nLabel_0:\r\nmov     [rsp+40h+var_18], rdx\r\nmov     rbp, [rsp+40h+var_18]\r\ncmp     rbp, 4\r\nmov     ebp, 0B03F61D0h\r\ncmovb   ebp, ecx\r\njmp     Label_1\r\n[...]\r\nLabel_1:\r\ncmp     ebp, 0F7C9568Bh\r\njg      short Label_2\r\ncmp     ebp, 0B03F61D0h\r\njz      Label_3\r\ncmp     ebp, 0BAE74C5Ch\r\njz      Label_5\r\ncmp     ebp, 0EC1D9526h\r\njnz     short Label_1\r\njmp     Label_4\r\n[...]\r\nLabel_2:\r\ncmp     ebp, 0F7C9568Ch\r\njz      Label_6\r\ncmp     ebp, 2BA792A4h\r\njz      Label_0\r\ncmp     ebp, 370A6DACh\r\njnz     short Label_1\r\nmov     rdx, [rsp+40h+var_18]\r\nmovzx   ebp, [rsp+rdx+40h+var_10]\r\nimul    ebp, -0Bh\r\nmov     ebx, ebp\r\nadd     ebx, 273h\r\n[...]\r\nLabel_3:\r\nmov     ebp, 0EC1D9526h\r\njmp     Label_1\r\n[...]\r\nLabel_4:\r\nlea     rcx, [rsp+40h+arg_40]\r\nlea     rdx, [rsp+40h+var_10]\r\ncall    sub_13F944B2E\r\nAs you can see, the obfuscated ASM code was mixed with huge amounts of 
junk code, and its control flow has become\r\nconsiderably harder to follow. Almost every function in Bazar has had this kind of obfuscation applied.\r\n3. All constant strings are encoded in Bazar\r\nAnother form of obfuscation affects the use of constant strings. Bazar’s constant strings are stored as encrypted\r\ndata throughout the code and decrypted only when needed, as an anti-analysis measure.\r\nFigure 2.1. A constant string “POST” just after decryption\r\nAccording to Figure 2.1, the encrypted data (“3C 37 4B 50 29”) was copied from the stack and decrypted to\r\n“POST” before being used.\r\nCommunicating with the C2 Server\r\nIn its working function, after Bazar does some initial work, such as setting environment variables, creating mutex\r\nobjects, loading APIs and setting global variables, it creates a thread to perform its tasks in the thread function.\r\nThe thread function connects to the C2 server and sends data to it. The C2 server host strings are decrypted\r\nconstant strings. They are \"miraclecarwashanddetall[.]com:443\" and a group of additional hosts:\r\n“caexidom[.]bazar”, “ektywyom[.]bazar”, “emliwyyw[.]bazar”, “uhymeked[.]bazar”, “ibykwyyw[.]bazar”, and\r\n“elicuhem[.]bazar”. Bazar prioritizes connecting to the first C2 server host and attempts the\r\nothers only if the first one does not work.\r\n1. Request\r\nThe traffic between Bazar and its C2 server is encrypted via the SSL protocol. The following image, Figure 3.1, was\r\ntaken when the first request was about to be SSL-encrypted by calling the API EncryptMessage().\r\nFigure 3.1. Bazar encrypts a packet via the SSL protocol\r\nAs you can see, this is a GET request. 
The URL “/cgi-bin/req5” is a decrypted constant string, and the host is the\r\nfirst C2 server I mentioned above. There are also four “Cookies”: “fpzkgo”, “bcfs”, “hky” and “otxe”. Their\r\nnames are random strings, and only the value of “fpzkgo” is valid data. The others are random data.\r\nLet’s take a look at what the value of “fpzkgo” consists of. According to my analysis, it has two parts, the Victim-ID\r\nand a command number. The Victim-ID for my testing device is “a9aadd987308f3a5b28d5a0c552c4324”. That is\r\nan MD5 hash of a string of information obtained from my device, such as the computer name, the volume\r\nnumber of the partition, and Windows installation information.\r\nThe format of the report command is “/{Victim-ID}/{command number}”. The first “GET” packet’s command\r\nnumber is “2”. Therefore, the final command string is “/a9aadd987308f3a5b28d5a0c552c4324/2”.\r\nBazar then encrypts the command string into a 100H buffer with a private key using the\r\nRSA algorithm. Figure 3.2 shows the plaintext data at the top and the ciphertext at the bottom.\r\nFigure 3.2. Using the RSA algorithm to encrypt the Victim-ID and command string\r\nFinally, Bazar base64-encodes the RSA-encrypted data; the result is the value of the “Cookies” item “fpzkgo”, as\r\nshown in Figure 3.1.\r\nAll command packets to the C2 server are enclosed in “Cookies” and are generated with the same steps and algorithm.\r\n2. Response\r\nOnce the C2 server receives and handles the malware’s request or notification, it replies to Bazar. So, in this\r\nsection, we will analyze the response packet. Referring to Figure 3.3, you can see in the memory section that one\r\nresponse packet had just been decrypted from an SSL packet using the API DecryptMessage(). 
\r\nFigure 3.3. Display of the received response packet\r\nThis response packet includes the item “Set-Cookies: jklo=…” in the header, whose value is base64 encoded.\r\nAfter base64 decoding the value, Bazar gets a 100H-byte block of RSA-encrypted data. Using the C2 server’s\r\npublic key, Bazar decrypts this block to recover the command string from the C2 server. Figure 3.4 shows\r\nthe RSA-decrypted command string, “0 302”, uncovered by calling the API BCryptDecrypt().\r\nThe “0” of “0 302” is the command number, and “302” is the command data.\r\nFigure 3.4. A decrypted C2 command string from the “Set-Cookies” item\r\nThis is essentially the packet structure used for all other communication packets between Bazar and the C2\r\nserver. I will talk about more control commands in the next section.\r\nAnalyzing the Command and Control (C2)\r\nBazar is able to control the victim’s device with the commands it receives from the C2 server. In the previous\r\nsection, I identified the C2’s command “0” in the “0 302” string. By going through Bazar’s code, I have been able\r\nto identify that it supports the following C2 command numbers: “0”, “1”, “10”, “11”, “12”, “13”, “14”, “15”,\r\n“16”, “17”, “18” and “100”. 
\r\nIn this section, I explain some of the known commands used in this malware, including what the command packet\r\nconsists of and the purpose of those commands.\r\nWhen Bazar needs to send whatever data the C2 server requests, it sends a “POST” request with the URL “/cgi-bin/req5”, the command number string enclosed in “Cookies”, and the RSA-encrypted data in the “body” of the\r\nrequest.\r\nAs a reminder, the format of the report command is “/{Victim-ID}/{command number}” and the Victim-ID for\r\nmy test device is “a9aadd987308f3a5b28d5a0c552c4324”.\r\nCommand 0:\r\nThe C2 server asks Bazar to send the host string and port it is connecting to and the running time of Bazar on the\r\nvictim’s device. Below is an example of this data:\r\n\"\\r\\nVerBD 205\\r\\nmiraclecarwashanddetall.com:443\\r\\nuptime 232\". Bazar encrypts it using its private key as\r\nthe data in the “body” of the “POST” it sends to the C2 server.\r\n\"/a9aadd987308f3a5b28d5a0c552c4324/4\" is enclosed in “Cookies” to provide the Victim-ID and command\r\nnumber.\r\nCommand 1:\r\nThis command asks Bazar to collect data from the victim’s system, such as OS information, domain, user name, public IP\r\naddress, location and language, all installed software, network information, shared folders, a list of running\r\nprocesses, time zone, CPU information, hard drive capacity, physical memory capacity, and whether Bazar is\r\nrunning in a VM.\r\nIt calls the APIs GetVersionExA() and GetProductInfo() to obtain the Windows version and Service Pack\r\ninformation.\r\nTo obtain the public IP address of the victim’s device, Bazar sends a STUN request (UDP packet) to one of\r\nGoogle’s STUN servers, such as \"stun2.l.google.com\". 
Figure 4.1 is a Wireshark\r\nscreenshot of the STUN packet Bazar sends while handling this command.\r\nFigure 4.1. Obtaining the victim’s public IP address using the Google STUN service.\r\nBazar executes several commands to obtain network-related information and domain trusts from the victim’s\r\ndevice. The commands are \"net view /all\", \"net view /all /domain\", and \"nltest.exe /domain_trusts /all_trusts\".\r\nIt then enumerates the system registry to collect the list of installed software on the victim’s device. Figure 4.2 is a\r\nscreenshot of the system registry showing a partial list of installed software under the sub-key\r\n“HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\”.\r\nFigure 4.2. Software installed on the victim’s device\r\nBazar calls the APIs CreateToolhelp32Snapshot(), Process32First(), Process32Next(), and OpenProcess() to collect\r\ninformation about the running processes on the victim’s system.\r\nBazar also runs WMI queries, such as \"Select * From Win32_Processor\", \"Select * From\r\nWin32_DiskDrive\", and \"Select * From Win32_PhysicalMemory\", to obtain information about the CPU, drive,\r\nand physical memory.\r\nIt obtains the hard disk description from \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum\" in the system\r\nregistry. For my research environment (Oracle VM VirtualBox), it is\r\n“IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5\u002633d1638a\u00260\u00260.0.0”. Bazar then\r\nsearches for the keywords \"VBOX\" and \"VMware\" to determine if it is running in a VM.\r\nWhen this collection is done, it sends all of the gathered information in the “body” of the “POST” request to the\r\nC2 server. The report command string \"/a9aadd987308f3a5b28d5a0c552c4324/3\" is enclosed in “Cookies”. 
The\r\nimage in Figure 4.3 shows the malware as it is about to encrypt the collected data by calling BCryptEncrypt().\r\nFigure 4.3. RSA algorithm used to encrypt the collected sensitive information from the victim’s device.\r\nCommand 10, 11:\r\nThese commands may contain either a link to download other malware or the malware itself. Bazar\r\ninjects this malware into a newly-created process chosen from the following list, whose entries are decrypted constant\r\nstrings.\r\n\"c:\\windows\\system32\\calc.exe\"\r\n\"c:\\windows\\system32\\cmd.exe\"\r\n\"c:\\windows\\system32\\notepad.exe\"\r\n\"c:\\windows\\system32\\svchost.exe\"\r\n\"c:\\windows\\system32\\explorer.exe\"\r\n\"c:\\windows\\syswow64\\calc.exe\"\r\n\"c:\\windows\\syswow64\\explorer.exe\"\r\n\"c:\\windows\\syswow64\\cmd.exe\"\r\n\"c:\\windows\\syswow64\\svchost.exe\"\r\n\"c:\\windows\\syswow64\\notepad.exe\"\r\nIt then gives the C2 server a status update by replying with a message of “file not downloaded”, “loader started”,\r\n“program is running”, or “program start error” in a “POST” request together with a report command string of\r\n“/a9aadd987308f3a5b28d5a0c552c4324/3”.\r\nCommand 12, 13:\r\nThe C2 server replies to Bazar with a script file in the command. Bazar then decrypts the script file and saves it to a\r\nWindows temporary folder. 
Finally, Bazar runs it by calling the API CreateProcessA().\r\nBazar notifies the C2 server of the status of the script by replying with the message “program is running” or, when an error occurs, with an\r\nerror message of “program start error”, “no script”, or “no memory”.\r\nThe message is RSA-encrypted and posted as the “body” data of a “POST” request together with a report\r\ncommand string of “/a9aadd987308f3a5b28d5a0c552c4324/3” enclosed in a “Cookies” value.\r\nCommand 16:\r\nBazar reads a file path from the C2 server’s command and collects the file’s contents. It sends the collected data as\r\nthe “body” of a “POST” request back to the C2 server.\r\nThe report command string is “/a9aadd987308f3a5b28d5a0c552c4324/3”.\r\nCommand 17:\r\nThe C2 server replies with a piece of native code that has been RSA-encrypted in the command. Bazar decrypts\r\nthe native code (ASM code) using the C2 server’s public key and deploys it on a newly-created thread to execute.\r\nTo achieve this, it needs to call some APIs, such as VirtualAlloc(), memcpy(), VirtualProtect(), and\r\nCreateThread(). Figure 4.4 provides a partial view of the relevant ASM code.\r\nFigure 4.4. A code snippet of Bazar handling received native code.\r\nAs with other commands, it also replies with a status to the C2 server in the same way. The messages can be\r\n“program is running” or an error status like “no code”, “no memory”, or “program start error”.\r\nCommand 100:\r\nWhen Bazar receives this command, it terminates itself by calling the API TerminateProcess().\r\nConclusion\r\nThe second part of this analysis is all about the Bazar payload that was downloaded by the Bazar loader. I have\r\nshown the three primary anti-analysis techniques used by this Bazar variant. 
Furthermore, I also showed how\r\nBazar communicates with the C2 server, what control commands Bazar supports, and what malicious actions\r\nBazar is able to perform on a victim’s device with those commands.\r\nAt this moment, this particular Bazar phishing campaign is still active and is frequently being captured by\r\nFortiGuard Labs.\r\nFortinet Protections\r\nFortinet customers are already protected from this Bazar variant with FortiGuard’s Web Filtering and AntiVirus\r\nservices as follows:\r\nThe Bazar loader download URLs are rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nThe downloaded files are detected as \"W64/Bazar.CFI!tr\" and blocked by the FortiGuard AntiVirus service.\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient and FortiEDR. The\r\nFortinet AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with\r\nup-to-date protections are protected.\r\nWe also suggest that readers go through the free NSE training, NSE 1 – Information Security Awareness,\r\nwhich has a module on Internet threats designed to help end users learn how to identify and protect themselves\r\nfrom phishing attacks.\r\nIOCs:\r\nURLs
\r\nSource: https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II"
	],
	"report_names": [
		"new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II"
	],
	"threat_actors": [],
	"ts_created_at": 1775434790,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4955871b9f5baab2c2d6b2b13a8d75ab2697c8c.pdf",
		"text": "https://archive.orkl.eu/b4955871b9f5baab2c2d6b2b13a8d75ab2697c8c.txt",
		"img": "https://archive.orkl.eu/b4955871b9f5baab2c2d6b2b13a8d75ab2697c8c.jpg"
	}
}