An ongoing malicious campaign has been discovered employing phony call centers to fool victims into downloading BazaLoader and other ransomware. Such attacks are known as BazaCall. The BazaLoader malware is known for its data exfiltration abilities. 

What's new?

The recent campaign is part of an ongoing attack trend in which BazaLoader operators are once again using fake call centers to add a human element.
  • BazaCall attacks trick users into calling a particular phone number, where an actual human at a fake call center persuades them to download malware.
  • These attacks can quickly move within a network, carry out widespread data exfiltration and credential theft, and disseminate ransomware within 48 hours of an initial breach.

Recent BazarLoader campaigns 

Since April 2020, multiple cybercriminals have used BazarLoader in their campaigns. The malware is often used as a loader for ransomware such as Ryuk or Conti.
  • In July, a movie streaming subscription service (BravoMovies) was spreading malicious Excel spreadsheets that delivered BazaLoader.
  • In June, a BazarLoader campaign used call centers to create some sort of panic by instructing recipients to call a number to cancel their supposed subscription to a service. It was also deploying ransomware.


Recent campaigns highlight the need for cross-domain optics to correlate events for protection against threats such as BazaLoader. The inclusion of the human element, particularly in BazaCall attacks, has made this threat more serious than others.

Cyware Publisher