Detection Content: Bazar Loader

In late April, developers of TrickBot used a new stealthy backdoor in a phishing campaign targeted at professional services, healthcare, manufacturing, IT, logistics, and travel companies across the United States and Europe. Many advanced threat actors including the infamous Lazarus APT use TrickBot’s services, and malware authors not only improve well-known tools like the Anchor malware framework but also create new ones such as Bazar Loader (aka BazarBackdoor or Team9 Backdoor).

Adversaries mostly use Bazar Loader to gain a foothold in compromised enterprise networks. The researchers named this malware strain after the C&C domains with top-level domain .bazar. This TLD is provided by EmerDNS, a peer-to-peer decentralized domain name system in OpenNIC, and it will be very difficult, if not impossible, for law enforcement to take over these domains. In early versions of BazarLoader TrickBot authors used a handful of hard-coded domains such as bestgame.bazar, forgame.bazar or newgame.bazar, but recently discovered sample tries algorithmically generated domains.

Ariel Millahuel released new community threat hunting Sigma to detect the malicious activity of Bazar Loader in organizations’ networks:

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint


Tactics: Execution

Techniques: Command-Line Interface (T1059)

We also want to draw your attention to a couple of exclusive rules released by the SOC Prime Team to detect this malware:

Team9/Bazar scheduled task name (via audit) –

Team9/Bazar batch filename pattern (via cmdline) –

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.