{
	"id": "c3fa1eec-e703-40c7-bcde-d8f73bb3f4f5",
	"created_at": "2026-04-06T00:13:52.808354Z",
	"updated_at": "2026-04-10T13:11:57.084437Z",
	"deleted_at": null,
	"sha1_hash": "fc0a3c5001b6b23d7368deddb7c90358c1d7b9b0",
	"title": "Malicious CSV text files used to install BazarBackdoor malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4042482,
	"plain_text": "Malicious CSV text files used to install BazarBackdoor malware\r\nBy Lawrence Abrams\r\nPublished: 2022-02-01 · Archived: 2026-04-05 17:44:45 UTC\r\nA new phishing campaign is using specially crafted CSV text files to infect users' devices with the BazarBackdoor malware.\r\nA comma-separated values (CSV) file is a text file containing lines of text with columns of data separated by commas. In many cases, the first line of text is the header, or description, for each column.\r\nFor example, a very basic CSV text file containing the capitals of some US states is illustrated below. Notice how commas separate each column of data (states and capitals).\r\nhttps://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/\r\nPage 1 of 6\r\nState,Capital\r\nAlabama,Montgomery\r\nAlaska,Juneau\r\nArizona,Phoenix\r\nArkansas,Little Rock\r\nCalifornia,Sacramento\r\nColorado,Denver\r\nConnecticut,Hartford\r\nDelaware,Dover\r\nFlorida,Tallahassee\r\nAs you can see above, the file contains nothing but text, but when loaded into Excel, the data is presented with each line on its own row and the data separated by the commas into columns.\r\nExample CSV file loaded in Microsoft Excel\r\nSource: BleepingComputer\r\nUsing CSVs is a popular method to export data from applications that can then be imported into other programs as a data source, whether that be Excel, a database, password managers, or billing software.\r\nSince a CSV is simply text with no executable code, many people consider these types of files harmless and may be more carefree when opening them.\r\nHowever, Microsoft Excel supports a feature called Dynamic Data Exchange (DDE), which can be used to execute commands whose output is inserted into the open spreadsheet, including CSV files.\r\nUnfortunately, threat actors can also abuse this feature to execute commands that download and install malware on unsuspecting victims.\r\nCSV file uses DDE to install BazarBackdoor\r\nA new phishing campaign spotted by security researcher Chris Campbell is installing the BazarLoader/BazarBackdoor trojan through malicious CSV files.\r\nBazarBackdoor is a stealthy backdoor malware created by the TrickBot group to provide threat actors remote access to an internal device that can be used as a springboard for further lateral movement within a network.\r\nThe phishing emails pretend to be \"Payment Remittance Advice\" with links to remote sites that download a CSV file with names similar to 'document-21966.csv.'\r\nBazarBackdoor phishing email\r\nSource: @phage_nz\r\nLike all CSV files, the document-21966.csv file is just a text file, with columns of data separated by commas, as seen below.\r\nThe document-21966.csv file opened in a text editor\r\nSource: BleepingComputer\r\nThe astute reader, though, will notice that one of the data columns contains a strange WMIC call that launches a PowerShell command.\r\nThis =WmiC| command is a DDE function that causes Microsoft Excel, if given permission, to launch WMIC.exe and execute the provided PowerShell command to input data into the open workbook.\r\nIn this particular case, the DDE will use WMIC to create a new PowerShell process that opens a remote URL containing another PowerShell command that is then executed.\r\nThe remote PowerShell script command, shown below, will download a picture.jpg file and save it as C:\\Users\\Public\\87764675478.dll. This DLL program is then executed using the rundll32.exe command.\r\nPowerShell executed to download BazarLoader\r\nSource: BleepingComputer\r\nThe DLL file [Tria.ge sample] will install BazarLoader, ultimately deploying the BazarBackdoor and other payloads on the device.\r\nThankfully, when this CSV file is opened in Excel, the program will spot the DDE call and prompt the user to \"enable automatic update of links,\" which is marked as a security concern.\r\nConfirm whether DDE should be enabled\r\nSource: BleepingComputer\r\nEven if they enable the feature, Excel will show them another prompt confirming if WMIC should be allowed to start to access the remote data.\r\nMicrosoft Excel asking to confirm if WMIC should be executed\r\nSource: BleepingComputer\r\nIf the user confirms both prompts, Microsoft Excel will launch the PowerShell scripts, the DLL will be downloaded and executed, and BazarBackdoor will be installed on the device.\r\nWhile this threat does require users to confirm that the DDE function should be allowed to execute, AdvIntel CEO Vitali Kremez told BleepingComputer that people are falling for the ongoing phishing attack.\r\n\"Based on our visibility into the BazarBackdoor telemetry, we have observed 102 actual non-sandbox corporate and government victims over the past two days from this phishing campaign,\" Kremez explained in an online discussion.\r\nOnce BazarBackdoor is installed, it will allow the threat actors access to the corporate network, which the attackers will use to spread laterally throughout the network.\r\nUltimately, this could lead to further malware infections, the stealing of data, and the deployment of ransomware.\r\nSource: https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/"
	],
	"report_names": [
		"malicious-csv-text-files-used-to-install-bazarbackdoor-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434432,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc0a3c5001b6b23d7368deddb7c90358c1d7b9b0.pdf",
		"text": "https://archive.orkl.eu/fc0a3c5001b6b23d7368deddb7c90358c1d7b9b0.txt",
		"img": "https://archive.orkl.eu/fc0a3c5001b6b23d7368deddb7c90358c1d7b9b0.jpg"
	}
}