Key Points 

  • Three groups are known to have split from Conti and are now using BazarCall tactics to gain access to their victim's network.
  • The attack starts with an email, usually regarding a subscription to a renewed service that victims can only cancel by calling a phone number found in the email.
  • If a victim calls the number, the person they are speaking to will distract the user while another attempts to gain access to the victim's network.

The Conti ransomware group has borne three new phishing organizations terrorizing people with a phishing tactic dubbed BazarCall. Read on if you want to find out who these new organizations are, what the “BazarCall tactic” is, and how they’re gaining access to their victims' network.

Moreover, continue reading for tips on how you can protect yourself from this new wave of phishing scams.

What is the BazarCall Tactic?

The BazarCall tactic is also referred to as “callback phishing,” first seen in 2021 and used by the Ryuk campaign, which is now known as the Conti ransomware group.

The tactic is used in combination with the BazarLoader malware, which provides backdoor access to a compromised Windows-based unit. This call center-based method involved utilizing emails following a theme of trial-based subscriptions. Potential victims receive the email and, seeing a subscription invoice they had not signed up for, as prompted to call the phone number indicated in the spoofed email.

An operator answers the call and directs the victim to a website where they can “unsubscribe.” But in reality, the call center operators are guiding them through an entire process that will infect their computer with BazarLoader.

Now, three more phishing organizations that split from Conti are utilizing this tactic. Look closely at each example below; one of them might be familiar.

Silent Ransomware Group (SRG) / Luna Moth

According to Sygnia, one of the groups that split from Conti is now known as the Silent Ransomware Group (SRG), which is also known as Luna Moth, and formed in April 2022.

Moreover, they targeted about 94 organizations and focused on stealing data and extorting their victims for ransom.

Sample emails used by SRG. Source: AdvIntel

Some of the potential targets of SRG are:

  • NBA teams
  • A multinational weapons manufacturer and aerospace company (data stolen in the breach)
  • A large IT solutions provider
  • A multi-billion dollar technology and software company
  • A large plumbing and HVAC supplier

Quantum and their Jörmungandr Campaign

AdvIntel found that in June 2022, a group dubbed “Quantum,” which also split from Conti, used BazarCall in a campaign they dubbed “Jörmungandr” and carried out this campaign by employing individuals specialized in spamming, OSINT, design, and call center operations.

According to AdvIntel, Quantum was the main Conti subdivision known as Conti Team 2, the same group that breached the Costa Rican government.

A sample of an email used by Quantum. Source: AdvIntel

Several of Quantum’s known targets include:

  • Ginyard International
  • “Azure Dragon” (Azure Storage)
  • Oracle
  • HelloFresh
  • Luchechko Mortgage Team
  • US Equal Opportunity Employment Commission
  • CrowdStrike
  • Gobble

Roy / Zeon Phishing Group

A third group also splintered from Conti (Conti Team 1) and is known as Roy/Zeon and also uses BazarCall tactics and was first seen on June 20, 2022, according to AdvIntel. This group is known to target the most number of organizations to date.

AdvIntel researchers noted that the choice to impersonate the brands listed below came from the assumption that the targeted employees would be more likely to talk to software vendors specific to their activity, which is less known outside the industry.

A sample email used by Roy/Zeon. Source: AdvIntel

Roy/Zeon is known to target the following organizations:

  • Sygnal Partners
  • iWired
  • Applied Automation Tech
  • RMM Central
  • Itarian
  • Auvik
  • RemotePC
  • RentoMojo
  • Parcel International
  • WhatFix
  • EZLynx
  • EATclub Canada
  • Standard Notes

Detecting BazarCall Phishing with SafeGuard Cyber

These callback phishing emails are elaborate enough to escape detection by the human eye. An untrained employee might easily end up falling victim to such a scam, putting your entire company’s IT system in jeopardy.

Of course, properly training your employees on detecting and responding to phishing attacks is a must. Still, with the number of emails that personnel receive (the average person receives 100-120 emails daily, and that excludes spam!), they can’t be expected to check and verify every single email for hints of social engineering and phishing.

Organizations need cybersecurity solutions that utilize machine learning and Natural Language Understanding (NLU) to detect, flag, and respond to threats from these phishing organizations and similar threat actors.

Case in point: This is a sample of one of the emails used in the attack. The SafeGuard Cyber platform detected this email as a social engineering attack.


The SafeGuard Cyber platform can do this through a novel machine learning-based model that detects social engineering attacks, phishing scams, spoofed email workflows, and more through NLU across communication channels.

This detection model identifies potential threats through scanning for and identifying various determinants and critical attributes of content and text that suggest a social engineering attempt has been made.

Talk to our experts here to learn more about the SafeGuard Cyber platform and how you can protect yourself from the BazarCall tactic.

If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.

Explore Security Product