---
title: "Three Conti Spinoffs With Call-back Phishing Attack Vector Intrinsically Embedded | Phish Protection"
description: "Three Conti Spinoffs With Call-back Phishing Attack Vector Intrinsically Embedded: After a split from the Conti cybercrime cartel, three autonomous threat."
image: "https://phishprotection.com/og/blog/conti-spinoffs-call-back-phishing-attack-vector-intrinsically-embedded.png"
canonical: "https://phishprotection.com/blog/conti-spinoffs-call-back-phishing-attack-vector-intrinsically-embedded/"
---

Quick Answer

After a split from the Conti cybercrime cartel, three autonomous threat groups have created Bazarcall, a call-back \[phishing\](/resources/what-is-phishing) tactic as the \*\*initial vector\*\* to breach and access targeted networks. Read on to know more and the steps you can take to prevent such attacks.

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fconti-spinoffs-call-back-phishing-attack-vector-intrinsically-embedded%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Three%20Conti%20Spinoffs%20With%20Call-back%20Phishing%20Attack%20Vector%20Intrinsically%20Embedded&url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fconti-spinoffs-call-back-phishing-attack-vector-intrinsically-embedded%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fphishprotection.com%2Fblog%2Fconti-spinoffs-call-back-phishing-attack-vector-intrinsically-embedded%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fconti-spinoffs-call-back-phishing-attack-vector-intrinsically-embedded%2F&title=Three%20Conti%20Spinoffs%20With%20Call-back%20Phishing%20Attack%20Vector%20Intrinsically%20Embedded "Share on Reddit") [ ](mailto:?subject=Three%20Conti%20Spinoffs%20With%20Call-back%20Phishing%20Attack%20Vector%20Intrinsically%20Embedded&body=Check out this article: https%3A%2F%2Fphishprotection.com%2Fblog%2Fconti-spinoffs-call-back-phishing-attack-vector-intrinsically-embedded%2F "Share via Email") 

![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2022/08/prevent-spear-phishing-7780.jpg) 

After a split from the Conti cybercrime cartel, three autonomous threat groups have created Bazarcall, a call-back [phishing](/resources/what-is-phishing) tactic as the **initial vector** to breach and access targeted networks. Read on to know more and the steps you can take to prevent such attacks.

Most [cybersecurity](/content/cybersecurity-in-a-nutshell) threats are based on automated, drive-by tactics (like compromising legitimate websites or exploiting system vulnerabilities) or advanced detection evasion methods. However, attackers continue to succeed in **human interaction** and social engineering attacks.

The BazarCall leaders knew that the repetitiveness of attack patterns was the reason for the downfall of older ransomware groups, leading them to plan and **execute the Conti spin-offs**.

### Silent Ransom

The call-back phishing experts created “Silent Ransom” after splitting from Conti in March 2022 . After becoming an [autonomous group](https://in.indeed.com/career-advice/career-development/autonomous-work-group), they operated for a few months, and their tactics were successful. They realized they could avoid the dying Conti’s poor branding, sanctions, and regulations.

### Other Conti Spin-offs

> “Zero-day phishing URLs have an average lifespan of just 12 hours before they’re added to blocklists. During that window, traditional signature-based filters are blind. Our real-time behavioral analysis catches these threats by pattern, not by signature - which is how we detect attacks that no database has seen yet.” - **Adam Lundrigan**, CTO, DuoCircle

After the success of Silent Ransom with its highly targeted

phishing operations, two other Conti spin-offs came, namely Roy/Zeon and Quantum. They gave a **personal spin** to the same approach in mid-June 2022.

Roy/Zeon was the **most skilled social engineer** of the three groups, having many adjustable and interchangeable indicators of compromise. Additionally, it selected its [impersonation](/phishing/social-media-impersonation-phishing-2022s-latest-wave-cybercrime) schemes based on its target.

Quantum was implicated in May 2022’s massive ransomware attacks that hit the[Costa Rican government](https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion)networks. Its members were responsible for creating Ryuk and showed a highly selective targeting approach that favored organizations with **high average revenue**.

![Prevent spear phishing](https://media.mailhop.org/phishprotection/images/2022/08/prevent-spear-phishing-7780.jpg) 

### How Does the Bazarcall Methodology Work?

The [Bazarcall](https://www.bleepingcomputer.com/news/security/bazarcall-malware-uses-malicious-call-centers-to-infect-victims/) methodology is unique because it forgoes malicious attachments and links in emails with phone numbers. The recipients get tricked into calling the phone numbers because they get alerted of an **upcoming transaction** on their credit card.

Suppose the user falls for the scheme and calls the phone number mentioned in the email. In that case, a person from a fake call center set up by the BazarCall’s operators convinces them to grant the executive **remote desktop control** to help cancel the phony subscription.

After getting the desktop access, the attacker stealthily takes steps and infiltrates the **user’s network** to establish persistence for follow-on activities like [data exfiltration](https://www.fortinet.com/resources/cyberglossary/data-exfiltration).

### Why is There a Rise in Callback Phishing Attacks?

Callback phishing is the tactic that resulted in a widespread shift in the [ransomware](/resources/ransomware-attack-why-organizations-pay-ransom) deployment approach. The reason why the approach is **unique and effective** is that

Instead of automated botnet infections, the attackers employ a targeted **selective approach** to select the victim or victim industry before the [attack campaign](https://thehackernews.com/2022/09/researchers-uncover-covert-attack.html) begins.

The cybercriminals tailor a sophisticated phishing campaign for a specific industry/victim instead of generic \*\* Emotet-style spam\*\*.

They conceptualize frameworks with maximum risk for the targeted victim instead of chaotic extortion strategies.

Attackers constantly change the **campaign’s content** and do not follow the same methodology every time.

In such attacks, there is a **greater focus** on data exfiltration than [data encryption](https://www.geeksforgeeks.org/what-is-data-encryption/).

### How to Protect Against Such Attacks?

BazarCall’s emails lack the

typical [malicious](https://www.securityweek.com/malicious-npm-pypi-packages-stealing-user-information/) elements, and their operators can conduct attacks at **breakneck speeds**. Thus, such attacks exemplify the increasingly elusive and complex threats that organizations face today. Following are the steps individuals/organizations can take to protect themselves:

1\*\*. Be Vigilant: \*\* One should always check the email subject, sender, and body to find anything suspicious before opening or downloading email attachments. Users must be vigilant about [unsolicited emails](https://accounts.hostcolor.com/knowledgebase/121/What-does-Unsolicited-Email-mean.html) coming from **unknown senders**.

Given below are

some sample subject lines. They have a unique “account number” that the attackers create to identify the recipients:

Soon you will move to the **Premium membership** because the demo period is ending. Personal ID: KT\[unique ID number\]

Renew your automated premium membership soon GW\[unique ID number\]

Your demo stage is ending. Your user account number is VC\[unique ID number\]. Are you all set to continue?

Notifying you of an abandoned **road accident** site! Must contact a manager! \[body of the email contains unique ID number\]

Thank you for deciding to become a prestigious member of ABCFitness. Becoming a member was never simpler before \[body of the email contains a unique ID number\]

Your [subscription](https://www.indiatoday.in/technology/news/story/man-trying-to-renew-netflix-subscription-loses-1-lakh-in-online-fraud-2304351-2022-12-02) will be upgraded to the gold membership, ending the trial. Order: KT\[unique ID number\]

Your free period is over. Your account number VC\[unique ID number\]. Are you ready to move forward?

Thank you for buying the [WinRAR](https://www.hackread.com/winrar-vulnerability-attackers-remotely-hijack-systems/) pro plan. Your order number is WR\[unique ID number\]

Thank you for choosing WinRAR. Check out the information your license information \[body of the email contains a unique ID number\]

2\*\*. Use cross-domain visibility and threat intelligence:\*\* Enterprises must choose solutions with coordinated defense and **cross-domain visibility** to [protect customers](https://www.helpnetsecurity.com/2022/07/28/human-security-perimeterx/) against such threats. The solutions must have the ability to correlate events across emails and endpoints. It is crucial to protect against threats like BazarCall, given its distinct characteristics.

![Prevent spear phishing](https://media.mailhop.org/phishprotection/images/2022/08/prevent-spear-phishing-3489.jpg) 

3\*\*. Rich Investigation Tools:\*\* Enterprises must deploy investigation tools like advanced hunting that allow the security teams to locate similar or related **activities** and resolve them seamlessly.

1. Users must check the attachment’s **file extension** and ensure it is in the intended file format.
2. Users must only activate macro for the attached Microsoft Office files if necessary. They must be extremely vigilant of emails requesting [macro activation](https://wiki.keyboardmaestro.com/Macro%5FActivation) using the opened file’s body image or those that don’t display anything .
3. Users must look out for **spoofed domains** embedded in emails before opening them. It is prudent to quickly search the website or company used in emails to check for legitimacy .

### Final Words

_After its resurgence in March, call-back phishing campaigns have impacted the current cyber threat landscape and forced the attackers to update their attack methodologies to stay on **top** of the ransomware food chain._

As cyber criminals realize the potential of weaponized [social engineering](/phishing-awareness/social-engineering-attack-twilio-compromises-employee-accounts-customer-data) tactics, it is expected such phishing operations will continue to become more detailed, elaborate, and difficult to distinguish from legitimate communications. The need of the hour is to stay vigilant and adopt adequate [phishing protection](/) measures to thwart such threats.

## Topics

[ Phishing Awareness ](/tags/phishing-awareness/) 

![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Protect your inbox from phishing attacks

Real-time email security with 60-day free trial. No credit card required.

[Start Free Trial](https://portal.duocircle.com/cart.php?a=add&pid=101&brand=phishprotection) [View Pricing](/pricing/) 

## Related Articles

[  Foundational 5m  0ktapus, Okta Breach Helps Attackers Launch Sophisticated Supply Chain Attacks  Sep 5, 2022 ](/blog/0ktapus-okta-breach-helps-attackers-launch-sophisticated-supply-chain-attacks/)[  Foundational 14m  12 Real-World Spear Phishing Examples And The Red Flags You Missed  Feb 4, 2026 ](/blog/12-real-world-spear-phishing-examples-and-the-red-flags-you-missed/)[  Foundational 2m  8 million Android users fell prey to SpyLoan malware on Google Play Store  Dec 5, 2024 ](/blog/8-million-android-users-fell-prey-to-spyloan-malware-on-google-play-store/)[  Foundational 1m  A Big Part of the Phishing Problem is You  Sep 17, 2019 ](/blog/a-big-part-of-the-phishing-problem-is-you/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"Phish Protection","url":"https://phishprotection.com","description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"Three Conti Spinoffs With Call-back Phishing Attack Vector Intrinsically Embedded","description":"Three Conti Spinoffs With Call-back Phishing Attack Vector Intrinsically Embedded: After a split from the Conti cybercrime cartel, three autonomous threat.","url":"https://phishprotection.com/blog/conti-spinoffs-call-back-phishing-attack-vector-intrinsically-embedded/","datePublished":"2022-08-16T08:47:31.000Z","dateModified":"2026-04-17T15:43:10.000Z","dateCreated":"2022-08-16T08:47:31.000Z","author":{"@type":"Person","@id":"https://phishprotection.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://phishprotection.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://phishprotection.com/blog/conti-spinoffs-call-back-phishing-attack-vector-intrinsically-embedded/"},"articleSection":"foundational","keywords":"Phishing Awareness","wordCount":1038,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/phishprotection/images/2022/08/prevent-spear-phishing-7780.jpg","caption":"Phish Protection blog post image","width":1200,"height":630},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"How Does the Bazarcall Methodology Work?","acceptedAnswer":{"@type":"Answer","text":"The [Bazarcall](https://www.bleepingcomputer.com/news/security/bazarcall-malware-uses-malicious-call-centers-to-infect-victims/) methodology is unique because it forgoes malicious attachments and links in emails with phone numbers. The recipients get tricked into calling the phone numbers because..."}},{"@type":"Question","name":"Why is There a Rise in Callback Phishing Attacks?","acceptedAnswer":{"@type":"Answer","text":"Callback phishing is the tactic that resulted in a widespread shift in the [ransomware](/resources/ransomware-attack-why-organizations-pay-ransom) deployment approach. The reason why the approach is **unique and effective** is that"}},{"@type":"Question","name":"How to Protect Against Such Attacks?","acceptedAnswer":{"@type":"Answer","text":"BazarCall's emails lack the"}}]}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://phishprotection.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://phishprotection.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://phishprotection.com/foundational/"},{"@type":"ListItem","position":4,"name":"Three Conti Spinoffs With Call-back Phishing Attack Vector Intrinsically Embedded","item":"https://phishprotection.com/blog/conti-spinoffs-call-back-phishing-attack-vector-intrinsically-embedded/"}]}
```