Red Hot Cyber

BazarLoader: The precursor malware used by RaaS gangs

Redazione RHC : 13 November 2025 14:07

BazarLoader (sometimes referred to as BazaLoader) is a "precursor malware" that provides initial backdoor access to an infected Windows host. Once a client is infected, criminals use this access to deliver additional malware, scan the environment, exploit other vulnerable hosts on the network, and launch the ransomware.

The threat actor behind BazarLoader uses different methods to distribute this malware to potential victims.

In early February 2021, researchers began reporting a call center-based method for distributing BazarLoader. This method uses trial-subscription-themed emails that encourage potential victims to call a specific phone number.

A call center operator answers and directs victims to a website to unsubscribe from the service. Call center operators offer to personally guide victims through a process designed to infect vulnerable computers with BazarLoader.

This call center-based process of infecting computers with BazarLoader has been dubbed the “BazarCall” method (sometimes referred to as the “BazaCall” method).

BazarCall infection chain

BazarCall infections follow a very specific pattern. Figure 1 provides a flowchart that precisely illustrates the chain of events.

The BazarCall flowchart campaign shows victims being guided through steps that infect their system with the BazarLoader malware.
Figure 1. BazarCall event chain (Source Palo Alto UNIT42)

These events can be summarized in these phases:

  • A hypothetical victim receives a themed email with a trial subscription and a telephone number for a call center for assistance;
  • The victim calls the phone number from the email;
  • The call center operator directs the victim to a fake company website;
  • The victim downloads a Microsoft Excel file from the website;
  • The call center operator instructs the victim to enable macros on the downloaded Excel file;
  • Victim’s Windows computer gets infected with BazarLoader malware;
  • The call center operator then informs the victim that the unsubscription was successful;
  • BazarLoader initiates communication with the command and control (C2) server from the infected Windows host;
  • The backdoor implanted via BazarLoader on the infected host is ready for follow-up activity.

Pretending to be a victim

The call center, contacted by Palo Alto Networks (Unit 42), was apparently staffed by native English speakers. Two of the operators were female and three were male. Each operator followed the same basic script, but there were some variations.

The following conversation, reported via a YouTube video below, took place on Wednesday, April 14, 2021, using a phone number from the email shown below in Figure 2.

https://www.youtube.com/watch?v=uAkeXCYcl4Y
Figure 2. Email used by the person posing as the victim. (Source: Palo Alto UNIT42)

An example of a telephone conversation

Operator: Customer Service. How can I help you?

Victim: Hello. Today I received an email from a company called Paradise Books. It says I have a subscription and that it will be charged to my credit card. But I’ve never had any dealings with Paradise Books. I don’t recall doing anything or going to a Paradise Books website or anything like that.

Operator: All right, sir. Do you have a subscription number?

Victim: Yes, wait. 040*********. [Note: The last 9 digits of this number are intentionally hidden because the number identifies the recipient’s email address.]

Operator: Okay, I can repeat that. 040*********.

Victim: Yes.

Operator: Wait a moment, let me check our system.

Victim: All right.

[background music]

Operator: Hello?

Victim: Yes.

Operator: All right. It looks like this account was opened by John Edwards, but your email begins with [victim's name].

Victim: Yes, I'm [victim's name]. I don't know any John Edwards.

Operator: All right, sir. We need to cancel your subscription. So what you need to do is go to worldbooks.us.

Operator: Worldbooks [spells each letter phonetically] dot US.

Victim: Wait a second. Let me get to the website.

Operator: Yes? Can I read it again?

Victim: No thanks. I'm here. [Keyboard typing sounds]

Operator: Hello?

Victim: Yeah, wait. It looks like it's loading.

Operator: Have you already seen the website?

Victim: Okay, I'm here. I've never seen this site before.

Operator: No problem. We can simply cancel your subscription. What we need is your subscriber number that you gave me earlier.

Victim: All right.

Screenshot of the fake website used in the BazarCall method.
Figure 3. BazarCall website, April 14, 2021.

Operator: Can you see the sign up button?

Victim: Yes.

Operator: When you click that, you should be able to see the unsubscribe.

Victim: Ok, I'm clicking the subscribe button.

Operator: Can you see the unsubscribe?

Victim: I see a line that says "Do you want to unsubscribe?"

Screenshot of the sign-up page for the fake BazarCall website.
Figure 4. BazarCall website signup page with unsubscribe link.

Operator: That's where it needs to go. You need to click on it.

Victim: All right.

Operator: And then enter your subscription number.

Victim: Got it. [keyboard typing sounds]

Screenshot of the unsubscribe page for the fake BazarCall website.
Figure 5. BazarCall website unsubscribe page.

Operator: Once done, you will receive a confirmation document.

Victim: Ok, it's asking me what I want to do with subscription 16184. It's telling me to download an XLSB file?

The fake World Books website provides an Excel file for download.
Figure 6. The BazarCall website unsubscribe page returns an Excel file.

Operator: This is the confirmation document. That's where you'll find the confirmation code.

Victim: Should I open it? Should I save it? What should I do?

Operator: You can open it if you need the confirmation code. The confirmation code is important. If there are any problems, you can call us and give us the confirmation code.

Victim: All right.

Operator: So if you want, we can solve the problem.

Victim: Got it. Good.

Operator: Do you understand?

Victim: Okay. I'm opening it right now. I see Excel Office 365. It says this document is protected. Preview isn't available for protected documents. I need to enable it.

Screenshot of the Excel file downloaded from BazarCall.
Figure 7. Screenshot of the Excel file downloaded from the BazarCall website.

Operator: Click edit and enable content.

Victim: All right. All right. The spreadsheet has changed. It now displays a form with the company name, first name, last name, date of birth, and everything else.

Screenshot of the Excel file, which changed its name after enabling macros.
Figure 8. Excel file after enabling macros. Note the different file name in the title bar.

Operator: Okay, can you see the code? The code is the important one.

Victim: I don't see a code, no.

Operator: All right. There are several pages. Can you see the next page?

Victim: Where should this code be?

Operator: There is a confirmation code in case you do not want to be charged, but in case you are charged, this is what you call us with to cancel the charge.

Victim: Ok, I still don't know where I'm supposed to find this code.

Operator: Hold on and let me check with the IT department.

Victim: All right.

[hold music plays for about 1 minute]

Operator: Hello sir.

Victim: Yes.

Operator: I checked with IT, and they say the cancellation was successful. We just have a problem with our servers, but the cancellation was successful.

Victim: All right.

Operator: So nothing will be charged to your account. And they gave me a code. Can I read it?

Victim: Yes.

Operator: The code is [spells out seven characters of an alphanumeric code].

Victim: All right.

Operator: If you have any problems, you can just call back and give us that code. We'll be able to solve any problems.

Victim: All right. Thanks.

Operator: You're welcome, sir. And if you call back, you can ask for [operator's name], because I have a lot of colleagues here.

[The victim repeats the operator's name]

Operator: Yes, that's my name.

Victim: Okay, thanks.

Operator: Good day.

Victim: Goodbye.

Operator: Goodbye, sir.

Infection traffic

After macros are enabled on the downloaded Excel file, the BazarLoader DLL is dropped and generates a URL containing the string campo. This type of URL is called a Campo Loader URL; it acts as a gate that redirects traffic to the BazarLoader malware.

Some examples of URLs generated by a BazarLoader DLL are shown in the next table.

Date URL
2021-03-25 hxxp://whynt[.]xyz/campo/w/w
2021-03-29 hxxp://veso2[.]xyz/campo/r/r1
2021-03-31 hxxp://about2[.]xyz/field/a/a1
2021-04-07 hxxp://basket2[.]xyz/campo/u/u1
2021-04-08 hxxp://dance4[.]xyz/campo/d8/d9
2021-04-14 hxxp://glass3[.]xyz/campo/gl/gl3
2021-04-15 hxxp://idea5[.]xyz/campo/id/id8
2021-04-16 hxxp://keep2[.]xyz/campo/jl/jl7
Table 1. Recent Campo Loader URLs generated by BazarCall spreadsheet macros.

Figure 9 shows a Campo Loader URL redirecting to a URL that serves BazarLoader.

Figure 9. Campo Loader URL successfully redirected to a URL for BazarLoader.

Recent URLs hosting BazarLoader executables are listed in Table 2.

Date URL
2021-03-25 hxxp://whynt[.]xyz/uploads/files/dl8x64.exe
2021-03-29 hxxp://admin.yougleeindia[.]in/theme/js/plugins/o1e.exe
2021-03-29 hxxp://admin.yougleeindia[.]in/theme/js/plugins/rt3ret3.exe
2021-03-31 hxxp://about2[.]xyz/uploads/files/ret5er.exe
2021-04-07 hxxp://www.carsidecor[.]com/wp-content/uploads/2021/04/cv76.exe
2021-04-08 hxxp://dance4[.]xyz/uploads/files/10r3.exe
2021-04-14 hxxp://glass3[.]xyz/uploads/files/hah5.exe
2021-04-15 hxxp://idea5[.]xyz/uploads/files/ratan.exe
2021-04-15 hxxp://idea5[.]xyz/uploads/files/rets.exe
2021-04-16 hxxp://keep2[.]xyz/uploads/files/suka.exe
Table 2. Recent URLs for BazarLoader malware.
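The Campo Loader gate URLs in Table 1 and the payload URLs in Table 2 share a recognizable shape (a /campo/<token>/<token><digit> path, then an .exe fetched from an /uploads/files/ path). The following is an added detection example, not code from the original article or from Unit 42: it classifies URLs by those two shapes and flags a client that hit a gate and then downloaded an executable. The proxy log format and the client IPs are constructed for the example; only the domains and paths are taken from the tables above.

```python
import re

# Constructed proxy log lines ("timestamp client url"), sample data only.
# Domains and paths follow the shapes shown in Tables 1 and 2 of the article.
SAMPLE_PROXY_LOG = """\
2021-04-14T10:02:11 10.0.0.15 http://glass3.xyz/campo/gl/gl3
2021-04-14T10:02:13 10.0.0.15 http://glass3.xyz/uploads/files/hah5.exe
2021-04-14T10:05:40 10.0.0.22 http://intranet.example/campo/reports
2021-04-14T10:07:02 10.0.0.31 http://cdn.example/uploads/files/setup.exe
"""

# Gate URL: /campo/<token>/<same token><optional digits>, as in Table 1
# (e.g. /campo/gl/gl3, /campo/w/w). The backreference enforces the repeat.
CAMPO_GATE = re.compile(
    r"^https?://[^/]+/campo/(?P<tok>[a-z0-9]+)/(?P=tok)\d*$", re.I)
# Payload URL: an .exe served from an /uploads/files/ path, as in Table 2.
PAYLOAD_EXE = re.compile(r"^https?://[^/]+/uploads/files/[^/]+\.exe$", re.I)


def classify_url(url):
    """Return 'campo_gate', 'payload_exe' or None for a single URL."""
    if CAMPO_GATE.match(url):
        return "campo_gate"
    if PAYLOAD_EXE.match(url):
        return "payload_exe"
    return None


def find_bazarcall_chains(log_text):
    """Flag clients that hit a Campo-style gate and later fetched an .exe.

    Lines are 'timestamp client url' and are assumed to be time-ordered.
    Returns a list of (client, gate_url, exe_url) tuples.
    """
    last_gate = {}   # client -> most recent gate URL it requested
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line, skip it
        _, client, url = parts
        kind = classify_url(url)
        if kind == "campo_gate":
            last_gate[client] = url
        elif kind == "payload_exe" and client in last_gate:
            alerts.append((client, last_gate[client], url))
    return alerts
```

An .exe download alone (the 10.0.0.31 line) is not flagged; only the gate-then-payload sequence from one client is.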

The BazarLoader executable generates the HTTPS C2 traffic shown below in Figure 10.

Figure 10. HTTPS C2 traffic from the BazarLoader infection (Source: Palo Alto UNIT42)

Forensic Analysis of an Infected Windows Host

The SHA256 hash for the downloaded Excel spreadsheet is:

db53f42e13d2685bd34dbc5c79fad637c9344e72e210ca05504420874e98c2a6

The macros in the downloaded Excel file create artifacts in the C:\Users\Public directory of the Windows host, as shown in Figure 11.

Screenshot of Windows computer folders after downloading macros.
Figure 11. Artifacts were created after enabling macros from the Excel file downloaded on April 14, 2021

The file information is shown below in Table 3. The first two are text files with the same SHA256 hash. The other file is a BazarLoader DLL.

File name      File type    SHA256 hash
130486.xlsb    ASCII text   2632c0cc222a6d436b50a418605a7bd4fa8f363ab8d93d10b831cdb28a2ac1bc
130486.dot     ASCII text   2632c0cc222a6d436b50a418605a7bd4fa8f363ab8d93d10b831cdb28a2ac1bc
130486.pgj     DLL          f3b5cf1e40aed4567a8996cf107285907d432b4bc8cc3d0b46aae628813d82d4

Table 3. Artifacts from a BazarCall spreadsheet

130486.xlsb and 130486.dot each consist of an ASCII (American Standard Code for Information Interchange) string of base64 text.

This text is the base64 encoding of the BazarLoader dynamic link library (DLL). The macro code in the downloaded Excel file decodes the base64 text into a DLL named 130486.pgj and runs that DLL using the following commands:

  • cmd.exe /c certutil -decode %PUBLIC%\130486.dot %PUBLIC%\130486.pgj
  • rundll32 %PUBLIC%\130486.pgj,DF1

Please note that these files are from one specific example. Artifacts generated by other spreadsheets have different names and extensions. The common features are:

  • All three artifacts share the same base name but have different file extensions;
  • Two of the artifacts are ASCII strings of base64 text;
  • One of the artifacts is the BazarLoader DLL;
  • One of the text-based artifacts uses a .xlsb file extension.
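Both the artifact pattern just listed (same base name, two base64 text files holding the DLL, one decoded DLL) and the two macro commands above are things a responder can check for mechanically. The following triage helper is an added example, not code from the original article or from Unit 42: triage_dir() groups files in a directory by base name and reports a set whose members include a raw PE and base64 text that decodes to the same kind of PE, and is_suspicious_cmdline() matches process command lines of the certutil -decode / rundll32-from-%PUBLIC% shape. build_demo_dir() writes a constructed artifact set (a fake PE consisting of an MZ header plus padding) so the example runs offline; the names 130486.xlsb/.dot/.pgj are taken from Table 3.

```python
import base64
import hashlib
import os
import re
import tempfile


def is_base64_pe(raw):
    """True if raw is base64 text that decodes to a PE image (MZ header)."""
    try:
        decoded = base64.b64decode(raw.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return decoded.startswith(b"MZ")


def triage_dir(directory):
    """Return {stem: {ext: (kind, sha256)}} for stems that combine a raw PE
    with base64 text holding a PE, i.e. the BazarCall artifact pattern."""
    groups = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            data = f.read()
        kind = "pe" if data.startswith(b"MZ") else (
            "base64_pe" if is_base64_pe(data) else "other")
        stem, ext = os.path.splitext(name)
        groups.setdefault(stem, {})[ext] = (kind, hashlib.sha256(data).hexdigest())
    return {s: m for s, m in groups.items()
            if {k for k, _ in m.values()} >= {"pe", "base64_pe"}}


# The two macro commands quoted above: certutil decoding a file under %PUBLIC%,
# and rundll32 loading a file from %PUBLIC% whose extension is not .dll.
CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\s+-decode\s+%PUBLIC%", re.I)
RUNDLL32_ODD_EXT = re.compile(r"\brundll32(?:\.exe)?\s+%PUBLIC%\\\S+\.(?!dll\b)\w+,", re.I)


def is_suspicious_cmdline(cmdline):
    """Flag process command lines matching either stage of the chain."""
    return bool(CERTUTIL_DECODE.search(cmdline) or RUNDLL32_ODD_EXT.search(cmdline))


def build_demo_dir():
    """Write a constructed artifact set to a temp dir (fake PE = MZ + padding)."""
    d = tempfile.mkdtemp()
    fake_pe = b"MZ" + b"\x00" * 62
    for ext in (".xlsb", ".dot"):
        with open(os.path.join(d, "130486" + ext), "wb") as f:
            f.write(base64.b64encode(fake_pe))
    with open(os.path.join(d, "130486.pgj"), "wb") as f:
        f.write(fake_pe)
    return d
```

On a real host the directory to pass is %PUBLIC% (C:\Users\Public), and the rundll32 regex is deliberately narrow: it only fires on a non-.dll extension loaded from that directory.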

The DLL is designed to retrieve a BazarLoader EXE. In the April 14, 2021, example, the BazarLoader EXE was saved to a folder in the C:\ProgramData directory, as shown below in Figure 12.

A Windows screenshot of the program data and properties folders.
Figure 12. Windows EXE file for BazarLoader.

Conclusions

BazarLoader provides backdoor access to an infected Windows host. In some cases, Cobalt Strike is seen as a follow-up malware, leading to other malware such as Anchor. At least two cases have been publicly documented in which the BazarLoader malware distributed Cobalt Strike and then Anchor. One case occurred in February 2021 and the other in March 2021.

However, BazarLoader isn't limited to Cobalt Strike and Anchor as follow-up malware. In 2020, there were reports of BazarLoader leading to the deployment of Ryuk ransomware. Backdoor access to an infected Windows host could lead to any malware family.

Since February 2021, several reports have emerged of the BazarCall method, which uses call center operators to distribute the BazarLoader malware. These infections follow clear patterns and can lead to other malware such as Cobalt Strike, Anchor, and Ryuk ransomware.

Organizations with decent spam filters, proper system administration, and up-to-date Windows hosts are at a much lower risk of being infected by the BazarLoader malware and its post-infection activity.

Redazione RHC
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.