BazarCall
BazarCall, also written BazaCall, is a phone-based phishing and social-engineering malware delivery campaign that was initially used to install BazarLoader. Researchers observed it being run through live call centers beginning in late January 2021. The campaign targets corporate users with phishing emails that typically claim a free trial or subscription is about to renew and instruct the recipient to call a phone number to cancel. During the call, operators validate the customer ID from the email to confirm they are speaking with an intended victim, then direct the caller to a fake website that delivers a malicious Excel file in .xls or .xlsb format. Victims are walked through opening the file and enabling macros, which executes the malware. In some observed cases, callers were also told to disable antivirus software.
Although initially associated with BazarLoader, BazarCall later distributed other malware, including TrickBot, IcedID, and Gozi ISFB. These infections provide remote access, enable lateral movement and data theft, and support subsequent ransomware deployment. Public reporting notes that BazarLoader and TrickBot have been used to deploy Ryuk and Conti ransomware, while IcedID has been used to deploy Maze and Egregor. Microsoft also described BazarCall as a scam that infects victims by getting them to call a fake call center, and noted that the resulting infections can lead to Anchor malware, which uses DNS tunneling for command-and-control.
Public reporting repeatedly links BazarCall to the callback-phishing and vishing tradecraft later associated with actors in the Conti ecosystem, including UNC2686 and UNC3753 (Luna Moth / Silent Ransom Group). Multiple sources state that these actors previously ran BazarCall-style campaigns and that BazarCall activity was tied to Ryuk and Conti ransomware operations. The campaign is best characterized as an initial-access and malware distribution mechanism that relies on convincing social engineering, fake service brands, rotating phone numbers and hosting infrastructure, and low-volume payload delivery, which often kept antivirus detection rates low.
Groups observed using it
3 distinct threat actors attributed by public researchers.
UNC3753 traces back to the now-defunct Conti ransomware gang, sharing overlaps with UNC2686, which ran BazarCall-style campaigns from 2021.
Researchers initially linked the hackers to BazarCall attacks, which were used by operators of ransomware groups such as Conti and Ryuk.
The new malware was discovered being distributed by call centers in late January and is named BazarCall, or BazaCall, as the threat actors initially used it to install the BazarLoader malware.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (2 techniques)
When the Excel macros are enabled, the BazarCall malware will be downloaded and executed on the victim's computer.
When the user enters their customer ID number, the website will automatically prompt the browser to download an Excel document (xls or xlsb). The call center agent will then help the victim open the file and click the 'Enable Content' button to enable malicious macros.
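The macro chain above ends with Excel launching a downloader, so the highest-value host signal is an Office application spawning a shell or script host, with the opening of a macro-capable file (.xls or .xlsb in this campaign) as supporting context. The following is an added example and not code from the original page or from any vendor cited on it. The event shape is a constructed, Sysmon-like process-creation record, the sample events and command lines are made up for the example, and the process lists are the editor's assumptions rather than values taken from the reporting.

```python
"""Added example, not code from the original page or from any vendor named on it.

Flag process-creation events where a Microsoft Office application spawned a
shell or script host (how a malicious Excel macro typically hands off to a
downloader), and separately note Office opening a macro-capable document.
The event shape is a constructed, Sysmon-like record; sample events are
made up for this example."""
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children a legitimate spreadsheet almost never needs; all are common
# macro hand-off targets. Assumed list, tune for your estate.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Formats that can carry VBA; .xls and .xlsb are the two named in the reporting.
MACRO_CAPABLE = re.compile(r"\.(xlsb|xlsm|xlam|xls|docm|dotm)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_office_child_spawn(ev: ProcEvent) -> bool:
    """High confidence: an Office app directly launched a shell/script host."""
    return (basename(ev.parent_image) in OFFICE_APPS
            and basename(ev.image) in SUSPICIOUS_CHILDREN)


def opened_macro_capable_doc(ev: ProcEvent) -> bool:
    """Low confidence context: an Office app was started on a macro-capable file."""
    return (basename(ev.image) in OFFICE_APPS
            and MACRO_CAPABLE.search(ev.command_line) is not None)


def triage(events):
    """Bucket events by signal strength; correlate buckets on host/user/time."""
    return {
        "child_spawn": [e for e in events if is_office_child_spawn(e)],
        "macro_doc_open": [e for e in events if opened_macro_capable_doc(e)],
    }


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
# Constructed sample events (paths and command lines are hypothetical).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", EXCEL,
              f'"{EXCEL}" "C:\\Users\\jdoe\\Downloads\\invoice_8813.xlsb"'),
    ProcEvent(EXCEL, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c start /min powershell -w hidden -ep bypass -f %TEMP%\\u.ps1"),
    ProcEvent(EXCEL, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -f C:\\Users\\jdoe\\AppData\\Local\\Temp\\u.ps1"),
    ProcEvent(EXCEL, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),  # benign print helper
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\whoami.exe", "whoami"),
]

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_EVENTS).items():
        for ev in hits:
            print(f"[{bucket}] {basename(ev.parent_image)} -> {basename(ev.image)}: {ev.command_line}")
```

On the constructed sample this yields two child-spawn alerts (Excel to cmd.exe and Excel to powershell.exe) and one macro-document-open context event; the splwow64.exe child is deliberately left unflagged because Excel launches it for printing. The parent-image check is the part that matters: many environments already log Office process creation, and the same rule expressed in Sigma keys on ParentImage and Image in exactly this way.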
Command and Control (2 techniques)
In the past several years, we have seen multiple malware samples using DNS tunneling to exfiltrate data... Anchor malware that uses DNS tunneling to communicate with C2 servers... DNS tunneling is an old technique that allows attackers to communicate with C2 servers and exfiltrate data through many firewalls.
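DNS tunneling of the kind the Anchor note above describes leaves a recognizable footprint in resolver logs: many unique, long, high-entropy subdomains under one registered domain. The following is an added example and not code from the original page or from any vendor cited on it; it is a small feature-based detector run over constructed query log lines. The log format, the thresholds, and the c2-tunnel.test domain are assumptions made for the example, and no real Anchor indicators are used.

```python
"""Added example, not code from the original page or from any vendor named on it.

Score each registered domain in a DNS query log on three features that
tunneling tends to trip together (unique subdomain count, mean subdomain
length, character entropy) and flag domains exceeding all three. Log format,
thresholds and sample queries are constructed for this example."""
import math
from collections import defaultdict

# Illustrative thresholds, not published values; tune against your own baseline.
MIN_UNIQUE_SUBDOMAINS = 5
MIN_MEAN_SUBDOMAIN_LEN = 20
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain).

    Naive: treats the last two labels as the registered domain, which is wrong
    for suffixes such as co.uk; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Constructed line format: '<timestamp> <client_ip> <qtype> <qname>'."""
    for line in text.strip().splitlines():
        ts, client, qtype, qname = line.split()
        yield {"ts": ts, "client": client, "qtype": qtype, "qname": qname}


def score_domains(records):
    subs = defaultdict(set)
    for r in records:
        sub, reg = split_qname(r["qname"])
        if sub:
            subs[reg].add(sub)
    scores = {}
    for reg, subset in subs.items():
        blob = "".join(s.replace(".", "") for s in subset)  # all encoded payload chars
        scores[reg] = {
            "unique_subdomains": len(subset),
            "mean_len": sum(len(s) for s in subset) / len(subset),
            "entropy": shannon_entropy(blob),
        }
    return scores


def suspicious_domains(log_text: str):
    """Registered domains whose subdomain traffic looks like an encoded channel."""
    flagged = []
    for reg, f in score_domains(parse_log(log_text)).items():
        if (f["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS
                and f["mean_len"] >= MIN_MEAN_SUBDOMAIN_LEN
                and f["entropy"] >= MIN_ENTROPY_BITS):
            flagged.append(reg)
    return sorted(flagged)


# Constructed sample: benign lookups plus a tunnel under the made-up c2-tunnel.test.
SAMPLE_LOG = """\
2021-03-31T10:00:01Z 10.0.0.5 A www.microsoft.com
2021-03-31T10:00:02Z 10.0.0.5 A login.microsoftonline.com
2021-03-31T10:00:03Z 10.0.0.7 A cdn1.example.com
2021-03-31T10:00:03Z 10.0.0.7 A cdn2.example.com
2021-03-31T10:00:04Z 10.0.0.7 A cdn3.example.com
2021-03-31T10:00:04Z 10.0.0.7 A cdn4.example.com
2021-03-31T10:00:05Z 10.0.0.7 A cdn5.example.com
2021-03-31T10:00:05Z 10.0.0.7 A cdn6.example.com
2021-03-31T10:01:00Z 10.0.0.9 TXT a7x2qm9kz4rt1vbn3pw8ls6dfh0gyjc5.c2-tunnel.test
2021-03-31T10:01:01Z 10.0.0.9 TXT b3k8wq1zx7mt4rvn0pl2ys9dgh6fjc5a.c2-tunnel.test
2021-03-31T10:01:02Z 10.0.0.9 TXT c9n4ht2xr6kz1wqm8vb3pl7sd0gyf5ja.c2-tunnel.test
2021-03-31T10:01:03Z 10.0.0.9 TXT d2p7vk5zm1xq9rw4tn8bl3yc6shg0fja.c2-tunnel.test
2021-03-31T10:01:04Z 10.0.0.9 TXT e5r1zk8qx3mw7vt2np9bl4yd6cgh0fsj.c2-tunnel.test
2021-03-31T10:01:05Z 10.0.0.9 TXT f8t4mq2zx6kw1rv9pn3bl5yc7dhg0sja.c2-tunnel.test
2021-03-31T10:01:06Z 10.0.0.9 TXT a7x2qm9kz4rt1vbn3pw8ls6dfh0gyjc5.c2-tunnel.test
"""

if __name__ == "__main__":
    for reg, f in score_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{reg:24s} uniq={f['unique_subdomains']:3d} "
              f"len={f['mean_len']:5.1f} H={f['entropy']:.2f}")
    print("flagged:", suspicious_domains(SAMPLE_LOG))
```

The example.com rows are there on purpose: six distinct CDN hostnames satisfy the unique-subdomain count alone, so a detector keyed on that feature by itself would page on ordinary content delivery. Requiring length and entropy as well keeps the benign set quiet while the encoded labels under c2-tunnel.test trip all three. In practice you would also weight TXT and NULL query types, count queries per client rather than per domain only, and baseline each feature over a week of your own resolver logs before setting thresholds.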
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A named campaign/toolset associated with voice-phishing style initial access activity, referenced here as used by UNC2686 from 2021.
A callback-phishing/social engineering campaign mechanism used to gain initial access by tricking targets into contacting fake IT/support personnel, historically linked here to ransomware intrusions.
BazarCall is referenced as a named attack framework/campaign used for callback-phishing style initial access and associated with operators of major ransomware groups.
Named malware/social-engineering delivery cluster referenced in the content with alternate spellings.