Share This:

Threat Update

Security researchers have released their latest findings on BazarLoader, malware that provides backdoor access to an infected Windows host. Threat actors will use this malware to infect and infiltrate a victim’s system, send follow-up malware and exploit other vulnerable hosts. Reports show that BazarLoader threat actors send malicious emails under the guise of a notification that a trial subscription is expiring that encourages potential victims to call a malicious call center. An operator answers and guides victims into infecting their computers with the malware.

SKOUT recommends deploying advanced endpoint protection and spam filtering to protect against BazarLoader.

Technical Detail & Additional Information


The threat actor behind BazarLoader is using a unique chain of attack in order to gain access to their victims’ systems. The malicious call center will tell the victim to download an Excel file and enable macros. Once the macros are enabled, the computer will run the BazarLoader executable, and threat actors will be able to exfiltrate data, complete further reconnaissance, and attack other hosts on your network.


Attacks with BazarLoader have spiked and continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. After initial installation, threat actors will install “follow-up malware” like Cobalt Strike, Anchor and even the infamous Ryuk ransomware-as-a-service. Outside of these three documented ransomware variants, BazarLoader’s backdoor access could allow threat actors to load other types of malware onto an infected window’s host.


Since Bazar was discovered in 2016 it has been involved in information stealing, credential theft, ransomware, bitcoin mining, and loading other common crimeware malware as a first or second stage loader. The malware has recently added a Remote Desktop Protocol (RDP) brute force, scanner module, an Active Directory (AD) harvesting module. It is important to note that its TrickBot group prefers to use shellcode “file-less” modules making detection more difficult. The access that BazarLoader offers threat actors into peoples’ systems could lead to extended periods of downtime, lost revenue and damage to a business and should not be taken lightly.


To prevent infection, SKOUT recommends that MSPs take the following actions:

  • Deploy advanced endpoint protection throughout your network and ensure the agents are updated.
  • Perform end user training to be wary of suspicious calls asking victims to perform unusual actions and emails that may contain malicious links or attachments.
  • Implement email protection to defend against phishing attacks.


For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.

Share This:
Doris Au

Posted by Doris Au

Doris is a product marketing manager at Barracuda MSP. In this position, she is responsible for connecting managed service providers with multi-layered security and data protection products that can protect their customers from today’s advanced cyber threats.

Leave a reply

Your email address will not be published. Required fields are marked *