Note that the researchers found that online forms may imply malware Bazar Loader

Although phishing emails are still the traditional attack vector, attackers have not given up looking for new attack methods. Recently, researchers discovered that BazarLoader launched attacks through online forms.

BazarLoader is credited with being extremely closely associated with the cybercrime organization Wizard Spider, which is widely known for developing the Trickbot Bank Trojan and the Conti Ransomware.

In 2021, BazarLoader was spreading under the guise of pirated content. Attackers threatened legal action against persistent copyright infringements, and the malware was described as evidence of misconduct.

Online forms

Between December 2021 and January 2022, the researchers found that the attackers did not send phishing emails directly to launch the attack, but through an online form.

The attackers masquerade as employees of a Canadian luxury construction company seeking a quote for the product. Attackers choose this method for two purposes:

Disguise traffic as legitimate traffic

Sent by legitimate senders, malicious message detection was evaded

The attacker only needs to wait for the victim of the target company to take the initiative to deliver it.

Send malicious samples

After confirming the identity via email, the attacker will lure the victim into downloading the malicious file in the name of project negotiations.


Attackers typically use the file-sharing services TransferNow and WeTransfer for sample delivery.

Link to TransferNow to download malware.

BazarLoader malware

The attackers shared .iso files that contained two files disguised as different file types. It appears that one of them is a shortcut to the folder you are in, and the other is a .log file with a legitimate Windows file name. In fact, one is an LNK file for Windows and the other is a DumpStack .log file.

Malware sent through TransferNow

Shortcuts allow the creator to specify command-line arguments to perform actions on the victim’s device, and attackers often exploit this type of file for attacks.

ISO file

LNK files use regsvr-32.exe open terminals to run DumStack .log, which is a DLL file of BazarLoader.

LNK file

The DLL evades detection by process injecting svchost .exe and uses port 443 to communicate with the C&C server


Establish a connection

Establish a connection

Some of the C&C servers were down at the time of the investigation and could not download subsequent payloads. Depending on the data association, relevant malware links can be discovered.

Correlation diagram

Malware associated with IP addresses is as follows:

Malicious samples


Attackers impersonate well-known businesses to create similar domain names to gain the victim’s trust, such as changing the .com top-level domain to .us.

BazarLoader is often part of a multi-stage malware that can be followed by the deployment of Conti Ransomware or a Cobalt Strike malicious sample.