{
	"id": "250acf9d-7622-4776-8ef1-8e19de153353",
	"created_at": "2026-04-06T00:10:43.765261Z",
	"updated_at": "2026-04-10T03:22:05.791124Z",
	"deleted_at": null,
	"sha1_hash": "c23777629eb7f6708162767eaaa3ebe4ac84052b",
	"title": "BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2567624,
	"plain_text": "BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware\r\nBy Lawrence Abrams\r\nPublished: 2020-04-24 · Archived: 2026-04-05 22:23:13 UTC\r\nA new phishing campaign is delivering a new stealthy backdoor from the developers of TrickBot that is used to compromise and gain full access to corporate networks.\r\nIn advanced network attacks such as enterprise-targeting ransomware, corporate espionage, or data exfiltration attacks, quietly gaining access to and control over a corporate network is a mandatory step.\r\nIn new phishing attacks discovered over the past two weeks, a new malware named 'BazarBackdoor', or internally by the malware developers as simply \"backdoor\", is being installed that deploys a network-compromising toolkit for the threat actors.\r\nhttps://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/\r\nPage 1 of 7\r\nThe developers of the infamous TrickBot trojan are believed to be behind this new backdoor due to code similarities, executable crypters, and its infrastructure.\r\nThe attack starts with a phishing email\r\nThe initial attack starts with phishing campaigns that utilize a wide variety of lures such as customer complaints, COVID-19 themed payroll reports, and employee termination lists that contain links to documents hosted on Google Docs.\r\nExample BazarLoader phishing email\r\nWhen sending the phishing emails, the attackers are utilizing the Sendgrid email marketing platform.\r\nSent via Sendgrid\r\nUnlike many phishing attacks, this campaign puts a lot of thought into its creatives by styling its landing pages to correspond to the lures, or themes, of the emails.\r\nFor example, as you can see below, one landing page utilizes a COVID-19 Payroll Report template while another pretends to be a customer complaint from a corporate lawyer.\r\nEach of the landing pages pretends to be a Word document, Excel spreadsheet, or PDF that cannot be properly viewed and prompts the user to click on a link to properly view the document.\r\nWhen the link is clicked, an executable is downloaded instead, using an icon and file name that match the document type shown on the landing page.\r\nFor example, the 'COVID-19 ACH Payroll Report' theme will download PreviewReport.DOC.exe, while the \"Customer Complaint\" theme will download Preview.PDF.exe.\r\nBazarLoader executables\r\nAs Windows does not display file extensions by default, most users will see \"Preview.PDF\" or \"PreviewReport.DOC\" and open them thinking they are legitimate Word and PDF documents.\r\nThis executable is the loader for the backdoor and, according to security researcher James, is being called \"BazaLoader\".\r\nOnce launched, the backdoor will be stealthily installed on the computer.\r\nAttachment stealthily loads fileless backdoor\r\nAfter a victim launches the downloaded file, the loader will sleep for a short period of time and then connect to command and control servers to check in and download the backdoor payload.\r\nTo get the address of the command and control servers, BazarLoader will use the Emercoin decentralized DNS resolution service to resolve various hostnames that use the 'bazar' domain. The 'bazar' domain can only be utilized on Emercoin's DNS servers, and as it is decentralized, it makes it difficult, if not impossible, for law enforcement to seize the hostname.\r\nThe hostnames used for the command and control servers are:\r\nforgame.bazar\r\nbestgame.bazar\r\nthegame.bazar\r\nnewgame.bazar\r\nportgame.bazar\r\nOnce the IP address for the command and control server is resolved, the loader will first connect to one C2 and perform a check-in. In our tests, this request always returned a 404 HTTP error code.\r\nCommand and control server communication\r\nThe second C2 request, though, will download an XOR-encrypted payload, which is the BazarBackdoor backdoor malware.\r\nXOR encrypted payload\r\nAfter the payload is downloaded, it will be filelessly injected into the C:\\Windows\\system32\\svchost.exe process. Security researcher Vitali Kremez, who has published a technical report, told BleepingComputer that this is done using the Process Hollowing and Process Doppelgänging techniques.\r\nInjected backdoor into svchost.exe\r\nAs Windows users have grown numb to svchost.exe processes running in Task Manager, one more svchost process is not likely to arouse suspicion for most users.\r\nA scheduled task will also be configured to launch the loader when a user logs into Windows, which will allow new versions of the backdoor to be routinely downloaded and injected into the svchost.exe process.\r\nScheduled task\r\nBoth Kremez and James have told BleepingComputer that, after a period of time, the backdoor will download and execute the Cobalt Strike penetration testing and post-exploitation toolkit on the victim's machine.\r\nCobalt Strike is a legitimate cybersecurity application that is promoted as an \"adversary simulation platform\" intended to perform network security assessments against a simulated advanced threat actor persisting in a network.\r\nAttackers, though, commonly use cracked versions of Cobalt Strike as part of their toolkit when spreading laterally throughout a network, stealing credentials, and deploying malware.\r\nBy deploying Cobalt Strike, it is clear that this stealthy backdoor is being used to gain footholds in corporate networks so that ransomware can be deployed, data can be stolen, or network access can be sold to other threat actors.\r\nStrong ties to the developers of Trickbot\r\nKremez and James have told BleepingComputer that this malware is enterprise-grade and is likely developed by the same group behind the TrickBot trojan.\r\n\"This is another high-profile project developed by the same core team as TrickBot due to the spam origin, method of operation, and code overlap analysis,\" Kremez told BleepingComputer in conversation.\r\nBoth the BazarBackdoor and Trickbot utilize the same crypter and email chain deliverables as previous TrickBot campaigns.\r\nKremez also told us that the TrickBot Anchor project uses the Emercoin DNS resolution service for command \u0026 control server communication.\r\nTo further tie the two malware together, James told BleepingComputer that the malware's command and control server's TLS communications had been seen using certificates created in the same manner that historic TrickBot certificates have been created.\r\nBased on the volume of phishing emails being sent out using this new loader/backdoor, BazarBackdoor poses a grave threat to corporate networks that could easily be used to deploy ransomware or perform other attacks.\r\nBusinesses should immediately be on the lookout for emails coming from sendgrid.net that contain links that download files, and warn employees about them to prevent infection.\r\nUpdate 4/26/20: Added link to Vitali Kremez's technical report on BazarBackdoor.\r\nSource: https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/"
	],
	"report_names": [
		"bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434243,
	"ts_updated_at": 1775791325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c23777629eb7f6708162767eaaa3ebe4ac84052b.pdf",
		"text": "https://archive.orkl.eu/c23777629eb7f6708162767eaaa3ebe4ac84052b.txt",
		"img": "https://archive.orkl.eu/c23777629eb7f6708162767eaaa3ebe4ac84052b.jpg"
	}
}