Microsoft warns of BazarCall using call centers to spread BazarLoader malware

Cybersecurity researchers at Microsoft warn of BazarCall, a cybercriminal group that is now using call centers as its latest platform to infect devices with BazarLoader malware. Sometimes referred to as BazaLoader, this malware provides backdoor access to an infected Windows system. Once a victim is compromised, cybercriminals use the backdoor access to carry out their attacks, installing additional malware and scanning the network to infect any other vulnerable hosts.

Researchers discovered BazarLoader back in February 2021, as well as their call center-based method of distributing this malware. The method involves using emails with a trial subscription that entices potential victims to make a call to a specific number. The attack generally starts with a phishing email proclaiming that a trial subscription of a popular software has expired and that the victim will be charged to extend the subscription unless they call a number to opt-out of the subscription. Once the call is made, an illegitimate call center operator receives the call. Then they proceed to guide the victim to a legitimate-looking website to unsubscribe from the subscription. The user is then instructed to download an Excel file to cancel the service. The file contains a macro that downloads the payload. The call center offering to personally guide users throughout the process makes the attack method seem more genuine and authentic.


Source: Microsoft Security Intelligence Twitter

How the BazarCall Method works:

The BazarCall method follows the flow path diagram displayed in the image below:

Source: Paloalto Networks Unit 42

  • A phishing email with a trial subscription theme and call center phone number.
  • Victim dials the number.
  • Fraudulent call center operator guides the victim to an authentic-looking website.
  • The victim downloads the Microsoft Excel file.
  • The operator instructs the victim to enable macros on the downloaded Excel file.
  • The Windows PC is infected with Bazaloader malware.
  • The victim is assured that the subscription to the service was canceled.
  • The malware generates command-and-control traffic from the compromised Windows system.
  • BazarLoader malware backdoor access leads to post-attack activities such as data exfiltration, reconnaissance, network exploitation and follow-up malware.

While BazarLoader malware provides backdoor access to a compromised computer, in some cases, Cobalt Strike and Anchor were found providing further incursion into the network. In two discovered cases, BazaLoader led to both Cobalt Strike and Anchor malware being discovered in February and March 2021.

However, the follow-up malware infections are not just limited to Anchor and Cobalt Strike. Some have reported that BazarLoader led to Ryuk ransomware.

So how do you avoid this or similar cyberattacks? Organizations with proper spam filtering, system administration, regularly updated and patched Windows devices are dramatically less prone to infection from the BazarLoader malware. However, having a well-trained staff that can recognize possible phishing attempts would further protect your organization from possible infections or data breaches.

Image sources:

PaloAlto Networks Unit 42:

Microsoft Security Intelligence:

For more news and updates, visit

You can also reach us out on Facebook, & LinkedIn or Contact us

Comments are closed
Our team knows the importance of the work we do for our clients. We know that our efforts have a direct impact on your productivity, profitability and success, so we take our tasks seriously! We look forward to providing your company with strong
ROI and value.