Buer Loader
Buer Loader is a modular malware-as-a-service downloader/loader introduced for sale on underground forums in August 2019. It is used as first-stage malware to establish initial access and deliver follow-on payloads, and has been observed in email-based campaigns as well as campaigns using malicious Excel XLL add-ins. Reported delivery chains include phishing emails that led users to enable content in a malicious document, executing print_document.exe identified as Buer Loader. Proofpoint also documented that Buer Loader was redeveloped from C to Rust.
Its primary role in the available reporting is as initial-access malware associated with later ransomware operations rather than as the final payload itself. It has been linked in reporting to access brokerage and ransomware intrusion chains involving Ryuk and Conti, and Proofpoint data associated Conti ransomware with Buer alongside The Trick, ZLoader, and IcedID. Secureworks reported that core GOLD ULRICK operations typically gained initial access through TrickBot, BazarLoader, or Buer Loader, and that GOLD BLACKBURN distributed malware including Buer Loader. Sophos reported Ryuk intrusions in which the initial compromise came from phishing emails delivering Buer Loader, after which attackers deployed Cobalt Strike, performed Active Directory discovery, moved laterally, and deployed SystemBC on the domain controller. In one investigated Ryuk case, Buer Loader executed as print_document.exe and dropped qoipozincyusury.exe, identified as a Cobalt Strike beacon.
Buer Loader has also been observed in campaigns attributed to TA578 and TA800. Proofpoint noted TA578 had previously delivered Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike. It was also listed among commodity malware families using XLL files as an infection vector.
High-confidence behaviors and associations directly reflected in the content are: first-stage loader/downloader functionality; use in phishing-driven compromise chains; delivery of follow-on tooling such as Cobalt Strike; association with ransomware-enabling access and subsequent Ryuk/Conti activity; and use by or alongside criminal ecosystems involving TA578, TA800, GOLD BLACKBURN, and GOLD ULRICK. Specific indicators mentioned in the content include the filename print_document.exe as a Buer Loader executable and qoipozincyusury.exe as a dropped Cobalt Strike beacon in one Ryuk intrusion.
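The intrusion chain summarised above (Office document executes print_document.exe, which drops and launches qoipozincyusury.exe) maps directly onto process-creation and file-write telemetry. The following is an added detection example, not code from the original page or from any vendor cited on it: it parses a constructed, hypothetical event-log format and flags the parent-child relationships the reporting describes. The only real indicators used are the two filenames named on the page; the log format, paths, PIDs and timestamps are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Filenames come from the reporting summarised above; the event schema, paths,
# timestamps and PIDs below are constructed for illustration only.
BUER_LOADER_IMAGES = {"print_document.exe"}
DROPPED_BEACON_IMAGES = {"qoipozincyusury.exe"}
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample telemetry (hypothetical "ts KIND key=value ..." format).
SAMPLE_LOG = r"""
2021-03-01T09:00:01Z PROC pid=1200 ppid=900 image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
2021-03-01T09:00:05Z PROC pid=1344 ppid=1200 image=C:\Users\alice\AppData\Local\Temp\print_document.exe
2021-03-01T09:00:09Z FILE pid=1344 path=C:\Users\alice\AppData\Roaming\qoipozincyusury.exe
2021-03-01T09:00:11Z PROC pid=1402 ppid=1344 image=C:\Users\alice\AppData\Roaming\qoipozincyusury.exe
2021-03-01T09:05:00Z PROC pid=1500 ppid=900 image=C:\Windows\System32\notepad.exe
"""


@dataclass
class Event:
    ts: str
    kind: str      # "PROC" = process start, "FILE" = file written by a process
    fields: dict   # parsed key=value pairs (pid, ppid, image, path)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>PROC|FILE)\s+(?P<rest>.*)$")
# Values may contain spaces (e.g. "Program Files"), so a value runs until the
# next " key=" token or the end of the line.
_KV = re.compile(r"(\w+)=(.+?)(?=\s+\w+=|$)")


def parse_events(text: str) -> list:
    """Parse the constructed log format into Event records, skipping junk lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = _LINE.match(line) if line else None
        if not m:
            continue
        events.append(Event(m["ts"], m["kind"], dict(_KV.findall(m["rest"]))))
    return events


def find_buer_chain(events: list) -> list:
    """Return (rule, pid, filename) tuples for events matching the reported chain."""
    procs = {e.fields["pid"]: e for e in events if e.kind == "PROC"}
    findings = []
    for e in events:
        if e.kind == "PROC":
            img = basename(e.fields["image"])
            parent = procs.get(e.fields.get("ppid"))
            pimg = basename(parent.fields["image"]) if parent else ""
            # Stage 1: an Office host launching the loader under its reported name.
            if pimg in OFFICE_HOSTS and img in BUER_LOADER_IMAGES:
                findings.append(("office_spawned_buer_loader", e.fields["pid"], img))
            # Stage 2: anything the loader launches is follow-on tooling;
            # the known beacon name gets its own rule for higher confidence.
            elif pimg in BUER_LOADER_IMAGES:
                rule = ("buer_loader_spawned_known_beacon"
                        if img in DROPPED_BEACON_IMAGES else "buer_loader_spawned_child")
                findings.append((rule, e.fields["pid"], img))
        elif e.kind == "FILE":
            # The loader writing an executable to disk matches the "dropped" step.
            writer = procs.get(e.fields.get("pid"))
            wimg = basename(writer.fields["image"]) if writer else ""
            dropped = basename(e.fields["path"])
            if wimg in BUER_LOADER_IMAGES and dropped.endswith(".exe"):
                findings.append(("buer_loader_wrote_executable", e.fields["pid"], dropped))
    return findings


if __name__ == "__main__":
    for finding in find_buer_chain(parse_events(SAMPLE_LOG)):
        print(finding)
```

Matching on the two reported filenames is brittle on its own, since a loader can be renamed per campaign; the parent-child rules (Office host spawning an executable from a user-writable directory, that executable writing and launching a second executable) are the durable part and can be kept even when the name sets are emptied or extended.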
Groups observed using it
4 distinct threat actors attributed by public researchers.
These criminal threat actors compromise victim organizations with first-stage malware like The Trick, Dridex, or Buer Loader and will then sell their access to ransomware operators to deploy data theft and encryption operations.
TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.
Ransomware attacks operated by the core GOLD ULRICK group typically consist of initial access through TrickBot, BazarLoader or Buer Loader.
"...allowing the document to execute print_document.exe, a malicious executable identified as Buer Loader."
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Buer Loader is referenced as malware delivered via phishing to establish initial compromise in Ryuk-related attacks where SystemBC was later used.
Loader family mentioned as using XLL files as an infection vector.
Loader family mentioned as using XLL files as an infection vector (no further technical detail provided in the content).
A malware loader referenced as one of the payloads historically delivered by TA578.