{
	"id": "94435ee8-9bbe-49ad-8482-4b086a836502",
	"created_at": "2026-04-06T00:19:02.313433Z",
	"updated_at": "2026-04-10T13:12:09.955419Z",
	"deleted_at": null,
	"sha1_hash": "fa6b93ac7acddf95596985a125f93c98b36b79b4",
	"title": "Corporate website contact forms used to spread BazarBackdoor malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3939540,
	"plain_text": "Corporate website contact forms used to spread BazarBackdoor malware\r\nBy Bill Toulas\r\nPublished: 2022-03-10 · Archived: 2026-04-05 17:00:27 UTC\r\nThe stealthy BazarBackdoor malware is now being spread via website contact forms rather than typical phishing emails, in order to evade detection by security software.\r\nBazarBackdoor is a stealthy backdoor created by the TrickBot group and now under development by the Conti ransomware operation. It gives threat actors remote access to an internal device, which can then be used as a launchpad for further lateral movement within the network.\r\nBazarBackdoor is usually spread through phishing emails carrying malicious documents that download and install the malware.\r\nhttps://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/\r\nPage 1 of 5\r\nHowever, as secure email gateways have become better at detecting these malware droppers, distributors are moving to new ways of spreading the malware.\r\nContact forms replacing emails\r\nIn a new report by Abnormal Security, analysts explain that a distribution campaign that started in December 2021 targets corporate victims with BazarBackdoor, with the likely goal of deploying Cobalt Strike or ransomware payloads.\r\nInstead of sending phishing emails to the targets, the threat actors first use the targets' own corporate contact forms to initiate communication. Because the first message is submitted through the company's web form, it reaches an employee as a routine business inquiry rather than as an unsolicited inbound email.\r\nFor example, in one of the cases seen by Abnormal's analysts, the threat actors posed as employees of a Canadian construction company submitting a request for a product supply quote.\r\nOnce the employee responds to the inquiry, the attackers reply by email with a malicious ISO file supposedly relevant to the negotiation.\r\nSince sending these files directly as attachments is not possible or would trigger security alerts, the threat actors instead share them through file-sharing services such as TransferNow and WeTransfer, as shown below.\r\nPhishing message pointing to a malicious file download (Abnormal Security)\r\nIn August 2021, we reported a similar case of contact form abuse, where fake DMCA infringement notices sent via contact forms were installing BazarBackdoor.\r\nIn April 2021, we also reported on a phishing campaign using contact forms to spread the IcedID banking trojan and Cobalt Strike beacons.\r\nHiding BazarLoader\r\nThe ISO archive contains a .lnk file and a .log file. Packing the payloads inside an ISO, which the user must mount or extract by hand after downloading, is meant to evade AV detection.\r\nThe .lnk file carries a command that opens a terminal window using existing Windows binaries and loads the .log file, which is in reality a BazarBackdoor DLL. The .log extension is only a decoy for filters that key on file names; the Windows loader will load a valid DLL under any extension it is given.\r\nBazarLoader executable posing as a .log file (Abnormal Security)\r\nOnce loaded, the backdoor injects itself into the svchost.exe process and contacts the command and control (C2) server to receive commands to execute.\r\nBecause many of the C2 IPs were offline at the time of Abnormal's analysis, the researchers could not retrieve the second-stage payload, so the ultimate goal of this campaign remains unknown.\r\nSource: https://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/"
	],
	"report_names": [
		"corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434742,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa6b93ac7acddf95596985a125f93c98b36b79b4.pdf",
		"text": "https://archive.orkl.eu/fa6b93ac7acddf95596985a125f93c98b36b79b4.txt",
		"img": "https://archive.orkl.eu/fa6b93ac7acddf95596985a125f93c98b36b79b4.jpg"
	}
}
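The "Hiding BazarLoader" section of the archived article describes a shortcut that hands a DLL renamed to .log to a built-in Windows binary. As an added example that is not part of the BleepingComputer article or of Abnormal Security's report, the following Python walks the .lnk (MS-SHLLINK) header and StringData fields and flags that pattern: a built-in loader launched from a shortcut, with a non-executable-looking file on its command line. Both shortcut samples are constructed inline for the demonstration; the file name details.log, the export name StartW and the use of rundll32 are placeholders and assumptions, not indicators from the campaign, since the article names no specific binary or export.

```python
"""Triage Windows .lnk (Shell Link) files for the "loader runs a fake .log" pattern.

Added example: parses the MS-SHLLINK header and StringData section, then flags
shortcuts whose command line hands a data-looking file to a binary that will
load it as a DLL or script. Samples below are constructed, not real artifacts.
"""
import re
import struct

# Fixed Shell Link CLSID {00021401-0000-0000-C000-000000000046} as stored on disk.
SHLLINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1) needed to walk the file.
HAS_LINK_TARGET_IDLIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData blocks appear in this fixed order when their flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Built-in Windows binaries commonly used to run a payload from a shortcut.
LOADER_BINARIES = {"rundll32", "regsvr32", "cmd", "powershell", "mshta", "wscript", "cscript"}
# Extensions that look like data but are being passed to a code loader.
DECOY_EXTENSIONS = r"\.(?:log|txt|dat|jpg|png|pdf|doc|docx)"


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file as a dict."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != SHLLINK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:          # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
        pos += nbytes
    return fields


def triage_lnk(data: bytes):
    """Classify a .lnk as 'suspicious', 'review' or 'benign' with the reasons found."""
    fields = parse_lnk(data)
    target = fields.get("relative_path", "")
    args = fields.get("arguments", "")
    basename = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    binary = re.sub(r"\.exe$", "", basename)
    reasons = []
    if binary not in LOADER_BINARIES:
        return "benign", reasons
    reasons.append(f"shortcut launches built-in loader {binary}")
    decoy = re.search(r"\S+" + DECOY_EXTENSIONS + r"\b", args, re.IGNORECASE)
    if decoy:
        reasons.append(f"loader is handed non-executable-looking file {decoy.group(0)}")
        return "suspicious", reasons
    return "review", reasons


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Emit a minimal spec-shaped .lnk (constructed test input, not a real sample)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, SHLLINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand=1 (SW_SHOWNORMAL)
    out = bytearray(header)
    for s in [relative_path] + ([arguments] if arguments else []):
        out += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return bytes(out)


# Constructed samples: the loader form the article describes, with a made-up .log name
# and placeholder export (assumption, not a campaign indicator), beside a document shortcut.
MALICIOUS_LNK = build_lnk(r"..\..\..\Windows\System32\rundll32.exe", "details.log,StartW")
BENIGN_LNK = build_lnk(r"..\Documents\quote-request.docx")

if __name__ == "__main__":
    for label, sample in (("constructed loader shortcut", MALICIOUS_LNK),
                          ("constructed document shortcut", BENIGN_LNK)):
        verdict, why = triage_lnk(sample)
        print(f"{label}: {verdict} {why}")
```

On a mounted ISO the same check can be run over every *.lnk it contains; a shortcut whose target is a built-in loader and whose arguments name a file that no loader should need is the signal, regardless of what the companion file is called.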