Threat Intelligence Tarot
pentacles · 13
Criminal (TrickBot operators - Russian-speaking)
G0102
risk 4/5
The Side Door
BazaLoader
BazarLoader · Team9 · Gold Ulrick
HealthcareLaw firmsFinancial servicesEnterprise networks globally
Active since ~2020 · Initial access as a service, Ryuk and Conti ransomware delivery, Enterprise network access
It emails a fake subscription renewal notice. You call the number to cancel. A call center employee walks you through downloading a file to 'process the cancellation.' The Side Door is one of the most creative initial access techniques documented - it weaponized customer service and deployed call centers for cybercrime.
Tactics & Techniques
RCN
RDV
INI
EXC
PRS
PRV
EVA
CRD
DSC
LAT
COL
C2
EXF
IMP
T1566.003
Spearphishing via Service
Initial Access
T1204.002
Malicious File
Execution
T1059.003
Windows Command Shell
Execution
T1105
Ingress Tool Transfer
Command and Control
Notable Operations
  • Fake subscription cancellation call-back scam delivering BazaLoader
  • Human-operated call centers for social engineering at scale
  • Ryuk ransomware delivery through BazaLoader access
  • Healthcare sector penetrations during COVID-19 pandemic
Defenses
Reversed: Their Weakness
BazaLoader's call-center social engineering model created unusual evidence trails - phone records, voice recordings, and payment processing for the call centers helped law enforcement identify operators in ways purely technical operations do not generate.

Share this adversary profile

Compare →

swipe to browse

← PreviousThe Frozen AccountNext →The False Tax
Related Adversaries
The Broker
TA505
3 shared TTPs
The Lotus Watcher
APT32
3 shared TTPs
The Frozen Account
IcedID / Bokbot
2 shared TTPs
Data sourced from MITRE ATT&CK. For educational purposes.