According to cyber researchers, the actors behind this cyberattack are targeting large organizations by sending emails to their employees, with the purpose of the attacks being to get important information related to contracts, customer service, invoices, or payroll.

It seems that the threat actors behind the infamous Trickbot botnet are behind this new attack,  and are firing highly customized phishing emails targeting Slack and BaseCamp users with loader malware, according to Sophos.

Heimdal Official Logo
Your perimeter network is vulnerable to sophisticated attacks.

Heimdal® Threat Prevention - Network

Is the next-generation network protection and response solution that will keep your systems safe.
  • No need to deploy it on your endpoints;
  • Protects any entry point into the organization, including BYODs;
  • Stops even hidden threats using AI and your network traffic log;
  • Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Andrew Brandt explained that the campaign first appeared in January, and got shared through links that were contained in Malicious emails leading to malware payloads hosted on cloud storage services provided by popular collaboration tools such as Slack.

The email also inserts the names of both the recipient and its employer into the message and downloads and executes the Trojan payload temporarily hosted on those legitimate websites. I tried to persuade the recipient.

When they were convinced that the target would open the document associated with the spam email, their computer was immediately infected with BazarLoader, which itself acts primarily as a delivery mechanism for other malware. Focusing on corporate targets, BazarLoader could be used to launch subsequent ransomware attacks.


In addition to this cyberattack a second, more complex campaign from the same actor was discovered, as well. Called BazarCall, the campaign acts through spam messages claiming the recipient’s free trial ended, they provide a number for calling in order to avoid paying for renewals.

In this latter form of attack, only the person who called the phone number was given a URL and was instructed to visit a website where they could unsubscribe from these notifications.

The well-designed and professional-looking websites bury an ‘unsubscribe’ button in a page of frequently asked questions. Clicking that button delivers a malicious Office document (either a Word doc or an Excel spreadsheet) that, when opened, infects the computer with the same BazarLoader malware.


The cyber researchers at Sophos tied the campaigns to Trickbot through the shared command and control infrastructure and also via the similarities observed in the method of injecting malicious payloads into running processes, being similar to Trickbot’s “injectDLL” module.

Bazar Loader Message


Although not as sophisticated as Trickbot, the BazarLoader malware appears to be in development and could be a new way for the gang to target high-value businesses going forward.

Phishing Emails Are Now Spreading Trickbot Malware, FBI and CISA Warn

Security Alert: New Variant of Trickbot Malware Returns, Spoofing the Financial Sector

10 Definitive Answers to the Most Popular Cyber Security Questions

Leave a Reply

Your email address will not be published. Required fields are marked *