Campo, a New Attack Campaign Targeting Japan

Since around March 2021, campaigns in Japan using an infrastructure called campo/openfield have been observed. This campaign has the potential to deliver subsequent malware depending on the infected organization, and some cases eventually could result in ransomware incidents overseas.

We keep tracking this attack campaign, and it started to be observed at least around October 2020 as far as we are aware. We anticipate that attackers will continue to be active in the future, and we are concerned that this could lead to serious impacts including ransomware encryption in the worst case. Therefore, in order to prepare for such threats, we will share in this blog the characteristics of campaigns for Japan and how to check for malware execution traces based on our research.


Update history

Date Details
2021/5/11 Published this blog

Observation cases of this campaign in Japan

Reports of suspicious emails in Japan have been shared on social networking sites. 

The reports are shown below in chronological order.









Big picture of attack campaign

The big picture of the attack campaign is as shown in Figure1. The attack begins with incoming Japanese emails. The body of the email contains a URL link and a password, and when the user accesses the URL link, they can download a ZIP file with the password. After extracting this zip file and opening the document file to enable the content, a downloader called Campo Loader is dropped and executed, then starts communication. In addition, it infects DFDownloader as a follow-up malware which can download and execute additional payloads by communicating with the C2 server.

Figure1. The big picture of the attack campaign

We believe that the attacker is using an anti-bot service called “BlackTDS” to communicate with the both host of the URL link and the host of the Campo Loader. This service enables communications for research activities to redirect to unintentionally legitimate sites. Details of how this service works are described later.

The DFDownloader used in this campaign against Japan has the ability to download and execute additional malware, but at this time we have not observed any following payloads yet. The DFDownloader has not yet been reported overseas. Hence, the final payload via DFDownloader is not known.

On the other hand, similar cases of infection with the follow-up malware via Campo Loader have been reported overseas.

  • Trickbot
  • Ursnif
  • BazarLoader -> CobaltStrike, AnchorDNS
  • PhobosRansom

We also believe that the attackers in past campaigns attempting to infect Zloader may have been the same attacker group. We will discuss these at the end of this paper.

Features of Emails

An example of emails is shown in Figure 2. In the attack campaign for Japan, the email is written in Japanese. As for the content of the email, it pretends to be a real company representative and asks the user to download a ZIP file with a password linked to it in the form of an invoice. The email address is different from a legitimate corporate email address, and the attacker is pretending to be a corporation. We have confirmed that the passwords for the linked files in the email are all the same as far as we can currently observe. Furthermore, based on the email headers, we assume that the attacker is using Roundcube Webmail, an open source webmail, to deliver the message.

Figure2. Email samples in Japanese

Features of the linked server

We have confirmed that all the linked URLs where the passworded ZIPs are located have https. It also has the following features. The IP address associated with the domain name is often common.

As a result of our investigation, it is possible that this server is using an anti-bot service called “BlackTDS”. This service is described on the official website as “the best solution for cleaning traffic and protecting bots” (Figure 3), but in fact it is reported by ProofPoint to be abused by attackers as Drive-by as a service [1].

Figure3. BlackTDS

In this campaign for Japan, the following filtering of the service may be used.

  • Filtering by IPs that fully support IPv6
  • Filtering by ISP
  • Filtering by referrer
  • Filtering by hardware ID.
  • Filtering by hardware ID – Filtering by anti-bot database with more than 440,000 IP anti-viruses, moderators, search engines, and checker bots

Therefore, BlackTDS makes it difficult to retrieve files by security researchers and sandboxes. In other words, it increases the difficulty of the investigation.


Features of document files

In the case of the campaign for Japan, when extracting a ZIP file with a password downloaded from a link in an email and opening the document file, a template with a Japanese design is displayed, as shown in Figure4.

Figure4. Example of a malicious document file in Japanese

Since the design of the document file may be common to other malware, it may be difficult to determine whether it is related to this attack by appearance. It is also possible that the design may change in the future.

The following sections provide an overview of the behavior  and the latest document file behavior at the time of writing (April 2021).


Overview of malicious document Behaviour

If the Office product has default settings, when a user opens a document file and clicks on “Enable Content”, an Excel 4.0 macro (referred to as “macro”) is executed and the file is dropped with the text embedded in the document file.

In the document file that we have seen in the series of attacks, the sheet where the macro is set is hidden, and the sheet contains the string to execute the macro. (shown in Figure5, Figure6)

Also, due to the “Auto_Open” setting of the document file book, malicious macros will be automatically executed when the document file is opened.(shown in Figure5, Figure6)

Figure5. Example of macro functions on April 9, 2021
Figure6. Another example of macro functions on April 9, 2021

The string saved by the SAVE.AS function is decoded using certutil.exe and saved under a different file name. (Campo Loader) After that, Campo Loader is executed using rundll32.exe with CALL function etc. (Figure7).

Figure7. Example of macro functions on April 9, 2021

These series of behaviors are implemented by directly calling the functions of the standard Windows modules (DLL) in addition to macros.


Document files used in the April 9

The following shows the flow from the most recent (April 9) document file observed to the execution of Campo Loader (Figures 8 and 9).

Figure8. Infection flow when a document file is opened


Figure9. Process tree when a document file is opened


The flow of operation is as follows. 

  1. When the document file is opened and the content is activated, the malicious macro is activated.
  2. The string embedded in the sheet of the document file will be saved as %PUBLIC%\14118.doy. *1
  3. The string embedded in the sheet of the document file will be saved as %PUBLIC%\14118.xlsb. *2 
  4. The contents of %PUBLIC%\14118.doy will be BASE64 decoded and the result will be saved as %PUBLIC%\14118.biy.
  5. A fake input form will be displayed (Figure10).
  6. rundll32.exe will execute Campo Loader(%PUBLIC%\14118.biy). In this case, DF1 is specified as the argument and the DF1 function is called.
    *1 The numbers in the file name are generated randomly from 9999 to 19999 by a function, but in reality, the numbers are fixed values, as they were when the attacker saved the file.
    *2 This file is just created and is not actually needed for the attack.
Figure10. Fake input form


Features of Campo Loader malware

Campo Loader (a.k.a NLoader) is a malware that is executed after being dropped from a document file. This malware is a downloader, and it has the ability to perform HTTP communication to obtain and execute additional payloads. Since it accesses a path containing “/campo/” during communication, Orange Cyberdefense named this malware “Campo Loader”[2] and came to be used on social networking sites. 

Campo Loader appears to have been updated in early March, and the features of HTTP communication have changed. This blog will explain the latest one.

When the Campo Loader is executed, it first creates a directory. As shown in the figure below, the directory name to be created is hard-coded.

Figure11. Function of creating a directory

Next, send the string “ping” to the server using the POST method (Figure12). The server to be communicated with at this time is called the “Openfield server” in the following.

Figure12. Example of a request generated by Campo Loader.

In this stage of communication, the Openfield server returns a URL as a response (see below for details). For this reason, Campo Loader checks if the response starts with “h”, and if it does not, it terminates the process (Figure13).

Figure13. Checking the character of “h”

If the response starts with an “h”, send a second “ping” message to that URL using the POST method. As a result, an additional payload will be downloaded and saved as a file. The name of the file to be saved is also hard-coded (Figure14).

Figure14. Example of hardcoded URLs

Then rundll32.exe will be used to call the function in the DLL file you downloaded. The name of the function to be called is usually the “DF” function *. This call argument is also hard-coded. 

Campo Loader is also available as an exe file that can be downloaded and executed. In past cases in Japan, Campo Loader has directly executed malware such as Ursnif and Zloader. However, recent campaigns for Japan have tended to use DLL versions, and have shifted to downloading and executing to the DFDownloader described later in this article.

*Note that Campo Loader uses function names such as “DF” and “DF1” as the export function, but DFDownloader, the malware described later, also uses the same name “DF” as the function name, so be careful not to confuse Campo Loader and DFDownloader in this section.


Features of Openfield

The Openfield server indicates the server where the payload is hosted for Campo Loader to get. One of the main features is the inclusion of the string “/campo/” in the URL when getting the payload. In this section, we will explain the contents of the response and the results of our investigation for this server.

Response from Openfield Server

By sending “ping” in the HTTP body by the POST method under the “campo” directory, the next URL to access can be obtained (Figure15 and 16).In past cases, we observed cases where the response indicated a redirection, but nowadays, the response generally includes the URL.

Figure15. Example of the response 1
Figure16. Example of the response 2

There is a possibility that BlackTDS is used for the Openfield server as well as “5. Features of the linked server”. Hence, if the BlackTDS service determines that the connection is coming from cyber security  researchers, it will redirect the user to a legitimate site such as Yahoo or GNU.

The URL to be passed to Campo Loader as a response can be one of the following two cases. 

  1. A URL that indicates a different directory on the same server (such as under /uploads/files/)
  2. URLs of other Openfield servers.

In addition, we have observed cases in which malware was placed on compromised servers in past campaigns for Japan and overseas.


Characteristics of IP address and Domain name combination

Both IP addresses and domain names have been used for URLs in the past, but recently attackers have tended to use domain names. Domain names are registered with the Namecheap service, and have the regularity of “word + number + xyz domain”. Our research also shows that the range of IP addresses associated with domain names is (shown in Table1.)

Table1.  Examples of combination of domain name and resolved IP address used for the Openfield

Target Domain names IP Addresses
Not Japan bfdnews[.]xyz 176.111.174[.]72
Not Japan groupeu[.]xyz 176.111.174[.]72
Not Japan allcafe[.]xyz 176.111.174[.]72
Not Japan gainme[.]xyz 176.111.174[.]53
Japan ship4[.]xyz 176.111.174[.]53
Japan gopigs[.]xyz 176.111.174[.]53
Not Japan beauty1[.]xyz 176.111.174[.]53
Not Japan about2[.]xyz 176.111.174[.]57
Japan board3[.]xyz 176.111.174[.]57
Japan cake3[.]xyz 176.111.174[.]58
Japan dance4[.]xyz 176.111.174[.]61
Not Japan hall4[.]xyz 176.111.174[.]62
Not Japan keep2[.]xyz 176.111.174[.]62
Not Japan lie3[.]xyz 176.111.174[.]59
Not Japan out2[.]xyz 176.111.174[.]60
Not Japan noise1[.]xyz 176.111.174[.]60

The origin and function of the Openfield server

“Openfield” is the name given by the Cryptolaemus Team (@Cryptolaemus1), an international security research team, to identify this server.


The name comes from the fact that the directory listing feature of the web server has been enabled, and the contents could be viewed (commonly referred to as “open directory”). In our research, we confirmed that the list of contents on the Openfield server had been viewable. However, this setting has been modified.(shown in Figure17)

Figure17. Directory listing of the Openfield server

The Openfield server also has a login panel. As shown in Figure17 (left), the Openfield server may have functions related to sending mail, since the names “smtp” and “mails” are used in the directory.(Figure18)

Figure18. The login panel of the Openfield server


Features of the DFDownloader malware

DFDownloader is the second stage malware that is downloaded and executed by Campo Loader. This malware is a downloader and is responsible for downloading and executing the next stage of malware. In addition to downloading and executing, it also has the ability to persist and update itself, making it more feature-rich than Campo Loader. In addition, DFDownloader has embedded version information, and since it is frequently upgraded, it is expected to be used continuously in the future. In the following sections, we will explain the operation of DFDownloader. As we will explain later, we have confirmed that some overseas cases do not use DFDownloader.


Anti-Sandbox Function

DFDownloader has an anti-sandbox feature: DFDownloader will first check the total amount of memory on your system, and if it is less than 4 GiB, it will kill the process. There are also several loops in the sleep function, and these functions may prevent the process from running properly in a sandboxed environment.(Figure19)

Figure19. Memory checking



As shown in Figure20, DFDownloader keeps the string to be used encrypted with XOR. These strings contain information about C2 and the functions to be used. The XOR routines for decrypting these strings are also used when decrypting the response from the server.

Figure20. Example of XOR strings


Communication flow

The communication flow by DFDownloader is shown in the figure below. There are four types of data formats that DFDownloader uses when it communicates with the C2 server.

Figure 21: Communication flow of DFDownloader

① Communication of SYS identifiers

DFDownloader sends the information collected by the first infected host using the POST method (see the figure below). The information sent at this time is encoded in Base64, and contains identifiers and other information.

Figure22. First communication example (SYS identifier)

The details of the information sent to the server are shown in the table below. For these requests, the server usually returns a response with the HTTP status code “200 OK”.

Table2 The details of the sending data

Value samples Description
SYS Identifier
10 OS Major Version
17763 OS Build Number
DESKTOP-AABSVH71760622929 Computername and Volume serial number
test Username
64 OS-bit number
1.28r DFDownloader version number 
0 0 or 1
7545391 N/A


②Communication with BIN identifier

The second communication using the BIN identifier (see the figure below).

Figure23. Second traffic example (BIN identifier)

When you receive a response from the server, DFDownloader decrypts the response with XOR and checks if the first byte starts with “MZ” (the magic number of the PE file). If it is a PE file, it saves the received data as a file, and then registers the value in the registry using the path of the created file (as shown below).

Figure 24. Example of registry values

This registration in the registry will cause the DFDownloader to run when the user logs on to the terminal, this means persistence of the infection. We have confirmed that this communication causes the DFDownloader to be updated. When this happens, it saves new files, rewrites the registry values, and deletes old files and directories.


③Communication with PNG Identifier

The third communication using the PNG identifier.

Figure25. Third communication example (PNG identifier)

Depending on the value received from the server in this communication, the process branches as shown in the table below. Some parts of the branching process are still under development, and it is expected that additional functions will be added in future versions.

Table 3 Commands

Value Description
0x31 Save and execute the file (DLL or EXE) to be retrieved in the following communication; the function name can be specified in the case of DLL
0x32 Save and execute the file (DLL) to be acquired in the following communication. 

In this case, the DFDownloader process exits after execution.

0x33 unimplemented
0x34 unimplemented


④Communication with the BN identifier

Finally, the communication using the BN identifier (see the figure below). In this communication, depending on the result of communication ③, the payload to be executed in each branch is obtained from the server. As mentioned earlier, the payload to be obtained is a DLL file or an EXE file.

Figure 26. Fourth communication example (BN identifier)

Then, a new process is created by the CreateProcessA function; if it is an EXE file, it is executed as is; if it is a DLL file, rundll32.exe is used. Since loop processing is implemented in this malware, even if this couldn’t get the expected response from the server, the communication in ③ and ④ will occur again and again. ( The communication interval is not constant.)


Consideration of follow-up malwares

At the time of writing (April 2021), we have not been able to confirm any follow-up payloads. However, similar cases have been reported overseas, and we assume that infections by this campaign may spread in Japan like these cases in the future. Also, before the use of Campo Loader and DFDownloader, we have seen attack campaigns by the same attacker group, so it is not difficult to guess the attack trend. In this section, we will discuss the malware that can be infected based on overseas cases and past cases.

The following figure shows the malware that may be infected subsequently based on similar cases so far. There have been cases where the Campo Loader has been infected with the malware shown in the blue box in the figure below, and we think that this infection may progress in the same way from the DFDownloader.

Figure27. Consideration of infection step of follow-up malwares

As you can see, various types of impact can be expected depending on the type of malware, such as information theft, remote access, and ransomware.


Previous attacks on Japan using Campo Loader

We have observed cases of Ursnif and Zloader infection [3] before this attack campaign In Japan.  In this case, the Openfield server was used, but not the Campo Loader or DFDownloader. It is possible that this attack campaign may also infect Ursnif and Zloader like past cases.


The other cases of using Campo Loader except Japan

There are several reported cases of the use of Campo Loader.  In these cases, the URL returned as a response to the Campo Loader is malware.

Another similar case except Japan is an attack campaign called “Bazar Call”. In this campaign, users call a contact listed in an email, which leads them to a link in a document file that leads to infection. [4] 

This campaign also uses the Campo Loader, which is dropped from the document file as in this attack campaign, runs and accesses the Openfield server to download and execute the BazarLoader (Figure 28).

Figure 28. Example of communication to get the BazarLoader in the BazarCall campaign.

In other cases, there have been reports of Trickbot and Phobos Ransomware infections from the older Campo Loader; these cases were reported around September-October 2020, but the malware is still active, so we have to be careful.


Relevance to other campaigns

This section explains the relevance to other campaigns that were discovered during the research process.

Relevance to the BazarCall campaign

As an example, the fake input form displayed when opening the document file used in the April 9 attack on Japan is almost the same as a fake input form mentioned in the report [7] released by Sophos on April 15. (Figure29, and 30)

Figure29. Fake input form shown in the April 9 attack campaign for Japan.
Figure 30. Fake input form mentioned in the report published by Sophos.
(Source :

Furthermore, the behavior of the document files used in the series of attacks for Japan is almost the same as well (Figure31 and 32).

Figure 31. Process tree of the document file in the April 9 attack campaign against Japan.
Figure32. Process tree mentioned in the report published by Sophos.
(Source :


Similarity of packers 

There are multiple variations of the packer used in Campo Loader and DFDownloader, and some of the packers are similar to those used in Trickbot and BazarLoader.

The figure below shows part of the code of the packer used in Campo Loader and DFDownloader (1.28r). The packer uses the CryptoAPI to encrypt the malware itself, with the CryptImportKey function importing the RSA2 key and CryptEncrypt processing the data in RC4 cipher.

Figure 33. Example of Campo Loader’s packer


Figure 34. Example of DFDownloader’s packer.

These source codes show similar characteristics to the packer used by BazarLoader, as described in Cybereason’s blog [8], and the packer used by Trickbot, as described in VIPRE Labs’ blog [9]. These similarities also indicate that Trickbot and BazarLoader might be related to this attack campaign.


How to check for malware execution traces

The following is how to check the malware execution traces.

Automatic Startup Settings


  • DFDownloader registers a DLL file in the registry for persistence. 
  • DFDownloader is executed when the user logs on to the terminal.


Table 4. Registry values

Item Value
Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value Shell
Data type REG_SZ
Data (e.g.) explorer.exe, regsvr32.exe C:\ProgramData\nmvhg\nmvhg.dll
Figure 35. Example of the registry values


Network Traffic and Proxy Logs

Communication of Campo Loader

  • Use the POST method with no User-Agent in the HTTP header.
  • The domain name tends to be the xyz domain.
  • The URL can be expressed by regular expression as  “\/campo\/([a-z0-9]{1,2})\/([a-z0-9]{1,3})”.
Figure 36. Campo Loader communication example

Communication of DFDownloader

  • The POST method is used with no User-Agent in the HTTP header.
  • The domain name tends to use the xyz domain.
  • The Content-Length of a request is about 40 to 100 bytes.
  • Server responses are encrypted with XOR, and the XOR key is a different value for each infected host. Example: “DESKTOP-AABSVH71760622929”.
Figure 37. Example of DFDownloader communication 1
Figure 38. Example of DFDownloader communication 2


Created Files

Please check if any of the following files have been created.

*Please note that the name and destination of the file can be easily changed by an attacker.

Document files

  • The folder path used to store the files is consistently “C:\Users\Public\”, and the file name changes depending on the attack campaign.
  • The table below shows the generated files for the document files we checked.

Table 5. Examples of generated files by document file

File Description
C:\Users\Public\14118.doy File dropped by document file.

Used in a campaign for Japan on April 9, 2021.

C:\Users\Public\14118.xlsb File dropped by document file.

Used in a campaign for Japan on April 9, 2021.

C:\Users\Public\14118.biy The file generated by Base64 decoding the data in “C:\Users\Public\14118.doy” (Campo Loader). 

Used in a campaign for Japan on April 9, 2021.

Campo Loader

  • The saved file path and file name are hard-coded in the Campo Loader that is dropped from the document file.
  • The folder path used to store the files is consistently “C:\ProgramData\”
  • The files generated by Campo Loader are as shown in the table below.

Table 6. Examples of files generated by Campo Loader

Files Description
C:\ProgramData\jyqwkf\jyqwkf.dll DLL file downloaded by Campo Loader.

Used in a campaign for Japan on April 9, 2021.

C:\ProgramData\yosgu\yosgu.dll DLL file downloaded by Campo Loader.

Used in a campaign for Japan on April 2 and 8, 2021.


  • The file path and filename saved by DFDownloader are randomly generated.
  • Depending on the communication result, the folder and file may be deleted.
  • The following table shows the files generated by DFDownloader.

Table 7. Examples of files generated by DFDownloader

Files Description
C:\ProgramData\<random string>\<random string>.dll


DLL file downloaded by DFDownloader
C:\ProgramData\<random string>\<random string>.exe

(e.g.) C:\ProgramData\nmvhg\nmvhg.exe

EXE file downloaded by DFDownloader 


We would like to thank the following security researchers for sharing their information with us in writing this blog.

IoCs (As of May 10)

Document file


Campo Loader




Where to communicate with Campo Loader

Since Openfield servers are also used by malware other than Campo Loader, the following may include communication destinations used by BazarCall and others. In addition, other Openfield URL information can be found at URLhaus.


Where to communicate with DFDownloader