A new phishing campaign has been discovered delivering the BazarBackdoor malware. The campaign is using the multi-compression method to hide the malware as an image file. This method can trick Secure Email Gateways (SEGs) into detecting malicious attachments as clean files.

What's new?

According to researchers from Cofense, the multi-compression method can bypass some SEGs as they have limits on thoroughly checking or scanning a compressed file.
  • The new BazarBackdoor campaign has been active since last month and lured several enterprise recipients using an Environmental Day theme, which is celebrated on June 5.
  • The email contains ZIP and RAR archives in the attachment. It comprises a JavaScript file that delivers BazarBackdoor malware to get remote access to the target machines.
  • The highly obfuscated JavaScript file is used to download a malicious payload with an image extension.
  • This practice, as experts say, is a growing trend among hackers as it increases the possibility of malicious files avoiding detection.

The tricky obfuscation

The nesting of multiple archive types is deliberately used by attackers as it has the possibility to exhaust the SEG’s decompression limit or could be failed due to an unknown archive type.
  • Once executed, the obfuscated JavaScript downloads a BazarBackdoor payload with a .png extension using an HTTP GET connection. The payload is a .exe file with the wrong extension.
  • Once being deployed on a victim computer, the malware could download and run the Cobalt Strike, a genuine toolkit created for post-exploitation exercises and spread laterally.


As the year commenced, BazarBackdoor got a makeover. Now, the threat actors behind it are getting more sophisticated and using new ways of disseminating the malware. This makes it a worrisome threat and requires continuous monitoring from security agencies.

Cyware Publisher