The notorious BazarLoader is active again. Recently, a fake movie streaming service, BravoMovies, was found offering fake movie titles on its landing page. However, it does not offer anything to download besides BazarLoader.

What's the scoop?

Proofpoint researchers identified an ongoing campaign that requires significant human interaction to install the BazarLoader backdoor and eventually deliver other malware.
  • The campaign uses an extensive infection chain, in which BazarLoader affiliates manipulate their victims into jumping through a number of hoops to trigger malware payloads.
  • It begins with an email informing recipients that their credit cards will be charged if they do not cancel their subscription to the service, a subscription that recipients never signed up for.
  • The email lists a customer-care phone number for a call center with people standing by. These people direct the victims who call to a website to cancel the fake movie streaming service.
  • However, the website directs victims who fall for the scheme to download a booby-trapped Excel spreadsheet that uses macros to download BazarLoader.
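
A mail-triage heuristic for the lure described above, as an added example that is not from Proofpoint's report or this article: it flags messages that combine a billing threat, a cancellation prompt and a phone number as the call to action. The keyword lists, the 80-character window and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
# Assumed patterns (not from the report); tune them against your own mail flow.
PLAN = re.compile(r"\b(subscription|trial|membership)\b", re.I)
CHARGE = re.compile(r"\b(charged?|billed|renew\w*)\b", re.I)
CANCEL = re.compile(r"\b(cancel\w*|unsubscribe)\b", re.I)
CALL = re.compile(r"\b(call|dial|phone|contact)\b", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")  # North American format only

def plain_text(msg):  # Subject plus every text/plain part, decoded
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def lure_signals(raw):
    """Return the three traits of the lure described above as booleans."""
    text = plain_text(message_from_string(raw))
    near_call = any(CALL.search(text[max(0, m.start() - 80):m.end() + 80])
                    for m in PHONE.finditer(text))
    return {
        "billing_threat": bool(PLAN.search(text) and CHARGE.search(text)),
        "cancel_prompt": bool(CANCEL.search(text)),
        "phone_call_to_action": near_call,
    }

def is_suspect(raw):
    """Flag for analyst review only when all three traits co-occur."""
    return all(lure_signals(raw).values())

# Constructed samples, not real campaign mail.
LURE = """From: billing@streaming.example
Subject: Your trial ends today

Your free trial has ended and your credit card will be charged 39.99 USD
for a premium subscription. To cancel, call customer care at
+1 (555) 010-0199 within 24 hours.
"""
BENIGN = """From: receipts@shop.example
Subject: Your receipt

Thanks for renewing your membership. You were billed 9.99 USD.
You can cancel any time in account settings.
"""
if __name__ == "__main__":
    print(is_suspect(LURE), is_suspect(BENIGN))
```

The benign receipt shares the billing and cancellation wording, so the phone-number call to action is what separates the two samples.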

Recent BazarLoader incidents

It is not the first time that BazarLoader email threat campaigns have needed a significant amount of human interaction.
  • The threat actors have been using phone-based customer service representatives to direct malicious downloads since February. This type of attack method is now called BazarCall.
  • The first such use of BazarLoader was identified by Proofpoint researchers in February when a pre-Valentine’s Day malware campaign was delivering lures to fake lingerie and flower stores.


Scammers have noted how subscriptions to online streaming services have skyrocketed during the COVID-19 pandemic. Criminal groups, such as those behind BazarLoader, are actively adapting to current global trends and using them as bait to engage with victims. Such threats, therefore, call for close vigilance to minimize any potential security risks.

Cyware Publisher