Bazar
Bazar, also known as BazaLoader and linked in the reporting cited on this page to the aliases Kegtap and Team9, is a first-stage downloader/loader first identified in 2020 and commonly used as an initial access vector in ransomware intrusion chains. That reporting ties it to follow-on ransomware activity including Conti and associates BazaLoader implants with Ryuk-related operations. It is associated with Wizard Spider, which used spearphishing attachments containing malicious macros, as well as PDFs with malicious links, to lure victims into downloading Bazar. Microsoft reporting cited below also states that DEV-0193 was responsible for developing, distributing, and managing payloads including BazaLoader, Trickbot, and AnchorDNS.
Functionally, Bazar communicates with its command-and-control (C2) infrastructure over TLS and can execute PowerShell scripts received from C2. It performs host and environment discovery: identifying the username of the infected user, identifying domain administrator accounts, enumerating remote systems with Net View, querying Windows\CurrentVersion\Uninstall to list installed applications, and using WMI queries to gather information about the installed antivirus engine. It also includes defense evasion and anti-analysis behavior: it manually loads ntdll from disk to identify and remove API hooks set by security products, checks that the operating system keyboard and language settings are not set to Russian (terminating if they are), and can attempt to overload sandbox analysis by issuing 1550 printf calls. For persistence, Bazar can create a scheduled task, and it can inject code through calls to VirtualAllocExNuma.
Operationally, the malware appears in broader cybercrime ecosystems alongside loaders and botnets such as Emotet, TrickBot, QakBot, IcedID, Dridex, ZLoader, and Buer Loader. Proofpoint tracks BazaLoader as a common downloader used in ransomware attack chains, and Sophos reported related campaigns in which initial compromise came from phishing-delivered loaders including Buer Loader, while other attacks in the same campaign used Bazar or Zloader before later ransomware activity. Taken together, the high-confidence behaviors and associations documented below characterize Bazar/BazaLoader as a phishing-delivered Windows loader used for initial access, reconnaissance, persistence, defense evasion, and staging of later criminal operations, especially ransomware.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Additionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads — activity that overlaps with a group Microsoft tracks as DEV-0193.
In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.
Groups observed using it
6 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, TrickBot, or Bazar.
Additionally, Proofpoint tracks downloaders such as Buer Loader and BazaLoader that are often used as an initial access vector for ransomware attacks.
BazaLoader is a first stage downloader first identified in 2020 that has been associated with follow-on ransomware campaigns including Conti.
DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS.
"...other recent attacks have used another Trickbot-connected backdoor known as Bazar."
Microsoft attributes this campaign to Storm-0249... known for distributing, at minimum, BazaLoader, IcedID, Bumblebee, and Emotet malware.
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
These access facilitators distribute their backdoors via malicious links and attachments sent via email.
A smaller subset of entries mention attachments or PDFs containing malicious links, such as 'Wizard Spider has used spearphishing attachments to deliver ... PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar' and 'XLoader has been delivered as a phishing attachment, including PDFs with embedded links.'
Execution
6 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.
Persistence
3 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
3 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes malware and threat actors injecting shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, cmd.exe, lsass.exe, and browser processes.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
9 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
The content repeatedly describes malware and threat actors injecting shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, cmd.exe, lsass.exe, and browser processes.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
The content includes multiple anti-analysis and environment checks, such as "OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks" and "Raspberry Robin performs several system checks as part of anti-analysis mechanisms."
Defense Impairment
1 technique
Discovery
11 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Brute Ratel C4 can use LDAP queries, net group "Domain Admins" /domain and net user /domain for discovery. OilRig has run net group "domain admins" /domain and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim. Wizard Spider has identified domain admins through the use of net group "Domain admins" /DOMAIN.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
AdFind can enumerate domain users. APT41 used built-in net commands to enumerate domain administrator users. BloodHound can collect information about domain users, including identification of domain admin accounts.
The content includes multiple anti-analysis and environment checks, such as "OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks" and "Raspberry Robin performs several system checks as part of anti-analysis mechanisms."
Examples include 'Action RAT can use WMI to gather AV products installed on an infected host,' 'FlawedAmmyy leverages WMI to enumerate anti-virus on the victim,' and 'TA2541 has used WMI to query targeted systems for security products.'
Examples include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUserDefaultUILanguage function."
Collection
1 technique
Command and Control
5 techniques
Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware, and open-source remote access trojans (RATs). We observed over 17,000 unique command-and-control (C2) servers during 2022...
IP Transformation
The A record of the domains is encrypted, just as in previous versions: each of the four bytes of the IP is XORed with 0xFE. The decoded IP is then used in URLs of the format https://{ip}:443. For example, if the domain omleekyw.bazar has an A record of 220.39.239.27, then the actual contacted URL is https://34.217.17.229:443.
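As an added example (not code from the original page or from any vendor report), the following decoder applies the A-record transformation described above to resolver log lines so that the real C2 address can be blocked or hunted; the log format, field names and sample addresses are constructed assumptions.

```python
import re

# Constructed resolver-log lines, not from the original page: each line records
# the query name and the A record it was answered with. Only the .bazar answer
# carries an encoded C2 address.
SAMPLE_DNS_LOG = """\
2021-03-02T10:14:07Z client=10.0.0.12 qname=www.example.com A=93.184.216.34
2021-03-02T10:14:09Z client=10.0.0.12 qname=omleekyw.bazar A=220.39.239.27
2021-03-02T10:14:11Z client=10.0.0.12 qname=time.windows.com A=52.148.114.188
"""

XOR_KEY = 0xFE  # per the page: each of the four IP bytes is XORed with 0xFE

def decode_bazar_ip(a_record: str) -> str:
    """Recover the real C2 address from an encoded A record. XOR is its own
    inverse, so the same function turns a real address back into its A record."""
    octets = a_record.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad IPv4 address: {a_record!r}")
    decoded = []
    for o in octets:
        v = int(o)
        if not 0 <= v <= 255:
            raise ValueError(f"octet out of range in {a_record!r}")
        decoded.append(v ^ XOR_KEY)
    return ".".join(str(b) for b in decoded)

def c2_url_from_a_record(a_record: str) -> str:
    """Build the URL the loader actually contacts: https://{real_ip}:443."""
    return f"https://{decode_bazar_ip(a_record)}:443"

LOG_RE = re.compile(r"qname=(?P<qname>\S+)\s+A=(?P<a>\d{1,3}(?:\.\d{1,3}){3})")

def extract_bazar_c2(log_text: str) -> list:
    """Scan resolver log lines for .bazar answers and return
    (domain, encoded A record, decoded C2 URL) tuples for blocking and hunting."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("qname").lower().endswith(".bazar"):
            continue
        a = m.group("a")
        hits.append((m.group("qname"), a, c2_url_from_a_record(a)))
    return hits

if __name__ == "__main__":
    for domain, enc, url in extract_bazar_c2(SAMPLE_DNS_LOG):
        print(f"{domain}: A={enc} -> {url}")
```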
IOCs tracked for this family
18 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
94 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Bazar is referenced as a loader used in the same Ryuk campaign to gain initial access before follow-on tooling such as SystemBC and ransomware deployment.
Referenced as malware historically distributed by Storm-0249 (no additional functional detail provided in the content).
Loader/backdoor malware capable of code injection using VirtualAllocExNuma.
Named botnet/loader family referenced as part of elevated botnet activity following the Emotet takedown.