BazarLoader
BazarLoader is a Windows malware loader/downloader used to establish initial access and deliver follow-on payloads, including BazarBackdoor and ransomware-enabling tooling. The content links it closely to the TrickBot ecosystem and describes it as commonly disseminated through phishing campaigns, including malicious links or attachments, actor-controlled Google Drive or other free file-hosting links, password-protected ZIP attachments containing macro-enabled Word documents, and the BazarCall social-engineering campaign in which victims are induced by call-center operators to open malicious Excel files and enable macros. TA551 (Shathak/Gold Cabin) is explicitly identified as a distributor of BazarLoader, and Mandiant notes FIN12 increasingly relied on BAZARLOADER-associated access from 2021 onward. The malware is repeatedly associated with post-compromise ransomware activity, especially Ryuk and Conti, and is described as one of the most commonly used vectors for ransomware deployment. Multiple sources in the content also associate BazarLoader with Wizard Spider/TrickBot-linked operations and with FIN12/UNC1878-related intrusion chains.
Technically, the content focuses heavily on BazarLoader’s domain generation algorithm (DGA). One analyzed sample used a faulty DGA that generated invalid domains ending in .bazaar instead of the likely intended EmerDNS .bazar TLD, due to signed integer overflow in random values produced via BCryptGenRandom; this also caused invalid second-level characters such as ^, ], _, and `. A later fixed variant replaced that random-number generation approach with GetTickCount-derived values and partially patched character handling. Another analyzed sample used a .bazar DGA based on vowel/consonant pair permutations to generate 8-character domains, but a faulty hard-coded permutation caused invalid domains during some months, especially July through September. When functioning as intended, the DGA generated deterministic monthly-changing 8-character .bazar domains; the content cites possible domain volumes of 5,776 per month for the intended pair-based DGA, about 2,160 per month for one fixed variant, and about 55,000 per month for the faulty overflow variant.
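The invalid characters listed above (^, ], _, `) sit immediately below 'a' in ASCII, which is what a negative remainder produces when a random 32-bit word is treated as a signed integer before the letter lookup. The C below is an added illustration of that defect class and of a defender-side sanity check for generated .bazar names; it is not BazarLoader's code, and the letter mapping, `build_label` and `domain_is_well_formed` are hypothetical reconstructions, not the sample's actual algorithm.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical defect model (added illustration, not BazarLoader's code):
   a 32-bit random word is treated as a signed int before `% 26`, so
   values with the top bit set yield a negative remainder and a
   character below 'a' (e.g. '`', '_', '^', ']'). */
static char faulty_letter(uint32_t r)
{
    int32_t s = (int32_t)r;       /* >= 0x80000000 becomes negative */
    return (char)('a' + s % 26);  /* C: remainder takes the dividend's sign */
}

/* Corrected mapping: unsigned modulo always lands in 'a'..'z'. */
static char fixed_letter(uint32_t r)
{
    return (char)('a' + r % 26);
}

/* Turns n random words into an n-character label using mapper f. */
static void build_label(const uint32_t *words, size_t n,
                        char (*f)(uint32_t), char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = f(words[i]);
    out[n] = '\0';
}

/* Defender-side sanity check for a candidate "<label>.bazar" string:
   letters-only label of DNS-legal length and exactly the .bazar TLD
   (so ".bazaar" from the faulty variant is rejected too). */
static int domain_is_well_formed(const char *domain)
{
    const char *dot = strrchr(domain, '.');
    if (!dot || strcmp(dot, ".bazar") != 0) return 0;
    size_t n = (size_t)(dot - domain);
    if (n == 0 || n > 63) return 0;
    for (size_t i = 0; i < n; i++)
        if (domain[i] < 'a' || domain[i] > 'z') return 0;
    return 1;
}
```

Feeding the same six constructed words through both mappers gives "`_^]az" from the faulty path and "vutsaz" from the corrected one; only the latter passes the well-formedness check.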
Observed behaviors in delivery chains include malicious VBA macros writing an HTA file to disk, obfuscated JavaScript/VBScript using ActiveX objects such as MSXML2.XMLHTTP and ADODB.Stream to download payloads, saving payloads under paths such as C:\Users\Public\winExDir.jpg, and executing them via regsvr32. The content also states BazarLoader and BazarBackdoor communicate with the same C2 infrastructure. Reported indicators tied to analyzed BazarLoader samples include hashes 2e99ed535a9f73bafab151ec409de04c953a0187cb8e4063317617befa09068d, 86d2aa04988befc74eccca5d99550f67093969b31aafa11cdce3476a4c59ba74, and d15dbfb7ef0511556a3527cc98d09145a56302bdd19a6083ee6d007af3352434; filenames DD45.exe, Preview_Report.exe, and document-09.21.doc; and a hard-coded download URL on beltmorgand.com in one TA551 infection chain.
Targeting described in the content is broad but repeatedly includes high-value corporate environments and healthcare. Joint CISA/FBI/HHS reporting states actors used TrickBot and BazarLoader against U.S. hospitals and healthcare providers, often leading to ransomware, data theft, and service disruption. FIN12 is described as heavily targeting large organizations, with a notable concentration in healthcare, while other reporting ties BazarLoader-enabled access to corporate ransomware intrusions in sectors including healthcare and other large enterprises.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Update (2021-01-15): Microsoft Security Response has issued CVE-2021-43890 in reference to the vulnerability in the App Installer process described below. The bug was fixed in the January 2022 Patch Tuesday release.
"Privileges have been escalated using Mimikatz, Rubeus4 [13], or by exploiting a Zerologon vulnerability (CVE-2020-1472) [26]."
Groups observed using it
6 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
TA551, also known as Shathak or Gold Cabin, is an attacker group that is responsible for spreading a wide variety of malware families including IcedID, Valak, Ursnif and, more recently, BazarLoader.
The threat cluster relies heavily on Remote Monitoring and Management (RMM) tools, unlike UNC2686 which deployed BAZARLOADER variants as well as TRICKBOT, URSNIF, and SILENTNIGHT.
After a break in FIN12 activity from late March 2020 to late August 2020, FIN12 resumed operations shifting their reliance for initial access away from TRICKBOT to BAZARLOADER malware in September 2020.
When the BazarCall campaign first started, it was used to distribute the BazarLoader malware but has also begun distributing TrickBot, IcedID, Gozi IFSB, and other malware.
Comment: the attackers involved in the CHU de Brest incident would therefore have been active since at least 2019 and would have successively used the Ryuk, Conti, Hive, Nokoyawa and Play ransomware. They would also have used the services of the BazarLoader malicious code between 2020 and 2021.
The ransomware gang usually gains access to a network through BazarLoader or TrickBot malware infections installed via phishing attacks...
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (4 techniques)
In instances where FIN12 leveraged UNC2053 for initial access, we observed BAZARLOADER payloads distributed via malicious email campaigns.
The email contains a ZIP attachment which is protected with a password that is provided in the email text. Unzipping the attachment leads to a Word document.
The TTPs used to distribute BEACON have significant overlaps with UNC2053 distribution campaigns observed between March 2020 and February 2021, including similar lure themes, phishing emails that contain links to malicious PDFs hosted on Google Documents, and the use of legitimate web services for payload hosting.
Execution (5 techniques)
Both JavaScript files are executed with eval one after the other, so we can merge them into one file...
The Word document contains an HTA script, which is hidden by setting it in a white, 1px-sized font. A macro file writes that script to disk and runs it.
The HTA script deobfuscates and executes JavaScript. The JavaScript then downloads and runs the BazarLoader payload from a hard-coded URL using ActiveX.
“They contain links to Google Docs pages of document previews, prompting the victim to download the file… The files concerned are executables signed with revoked certificates…”
When the user enters their customer ID number, the website will automatically prompt the browser to download an Excel document (xls or xlsb). The call center agent will then help the victim open the file and click on the 'Enable Content' button to enable malicious macros.
Persistence (1 technique)
“Bazar activity can be identified by searching the system startup folders and Userinit values under… Winlogon registry key: %APPDATA%\…\Startup\adobe.lnk” / (Ryuk table) “Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder… create a Registry entry…\Run to establish persistence.”
Privilege Escalation (1 technique)
Stealth (5 techniques)
Defense Impairment (1 technique)
Collection (2 techniques)
Command and Control (7 techniques)
The random number generator is finally used to generate the domain names ... In total, 100 domains are generated.
Like many other malware, BazarBackdoor (and its related sibling BazarLoader) communicates over HTTPS
The JavaScript then downloads and runs the BazarLoader payload from a hard-coded URL using ActiveX.
the malware uses “cookies” in the HTTPS GET or POST headers to transmit information to the server, and receives commands from the C2 in the form of one or more “Set-Cookie” response headers.
The gang seems to focus on high-profile corporate networks, which they compromise by targeting critical devices with BazarLoader or TrickBot malware to gain unauthorized remote access.
IOCs tracked for this family
37 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
31 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Loader family referenced as part of tracked C2 infrastructure in Abuse.ch Feodo Tracker.
Loader malware mentioned as associated with TrickBot in the broader Conti malware ecosystem.
A named loader/dropper listed in the RAMP malware marketplace.
BazarLoader is a loader malware known for using application sideloading techniques, such as leveraging AppX packages staged in common user directories, to gain initial access and deploy additional payloads.