Monday, May 5, 2025
BazarLoader Windows Malware Let Hackers Allow Backdoor Access & Network Reconnaissance


A BazarLoader Windows malware campaign was recently detected by Unit 42, the security research arm of Palo Alto Networks; the campaign hosted one of its malicious files on Microsoft’s OneDrive service. BazarLoader gives the threat actors backdoor access to the infected Windows host and lets them perform network reconnaissance from it.

After the incident came to light, Kevin Beaumont, a former senior threat intelligence analyst at Microsoft, commented on the report:

“Redmond company is the best malware host in the world for about a decade.”


BazarLoader is a large malware family in which a spam email attempts to trick recipients into launching a Trojan through a link.

Distribution methods

In 2021, many campaigns distributed BazarLoader using spam emails. Investigation showed, however, that the majority of BazarLoader samples were spread through three campaigns.

Among these, the BazarCall campaign pushed BazarLoader by using spam emails for the initial contact and call centers to walk potential victims through infecting their own computers.

Malicious Excel Spreadsheet

The malicious Excel spreadsheet was originally created on Wednesday, Aug. 18, 2021, and later modified; the file contains macros specifically designed to infect a vulnerable Windows host with BazarLoader.

The file uses a DocuSign-themed Excel template created by the attacker, who tries to instill trust by taking advantage of the DocuSign brand name and imagery.

Binary of BazarLoader

The spreadsheet’s macro code retrieved a malicious Dynamic Link Library (DLL) file for BazarLoader from the following URL:

hxxps://pawevi[.]com/lch5.dll

Once retrieved, the DLL is saved in the victim’s home directory as C:\Users\[username]\tru.dll and run using regsvr32.exe.

Bazar C2 Traffic & Cobalt Strike Activity

BazarLoader then generated command and control (C2) traffic to retrieve BazarBackdoor, using HTTPS to 104.248.174[.]225 over TCP port 443.

The Bazar C2 activity also generated traffic to legitimate domains; that traffic is not inherently malicious.

A Cobalt Strike DLL file was then transferred over the Bazar C2 channel and saved on the infected Windows host under the user’s AppData\Roaming directory.

Reconnaissance activity

About two minutes after the Cobalt Strike activity began, a tool for enumerating an Active Directory (AD) environment appeared on the infected host at C:\ProgramData\AdFind.exe.

This tool is commonly used by threat actor groups to collect data from an AD environment.
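As an added example (not code from the article or from Unit 42), the Python below checks constructed Sysmon-style process and network events for the artifacts this chain leaves on a host: regsvr32.exe loading a DLL from a user profile or AppData\Roaming path, AdFind.exe running from C:\ProgramData, and a connection to the stated C2 address on TCP 443. The event field names and the sample events are assumptions.

```python
"""Indicator checks for the BazarLoader -> Cobalt Strike -> AdFind chain.

Constructed Sysmon-style events (flattened to dicts) are embedded below;
nothing is read from a live system.
"""
import re
from typing import Dict, List

# Path patterns derived from the artifacts named in the article.
USER_PROFILE_DLL = re.compile(r"^c:\\users\\[^\\]+\\[^\\]+\.dll$", re.I)
ROAMING_DLL = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\.*\.dll$", re.I)
ADFIND_IN_PROGRAMDATA = re.compile(r"^c:\\programdata\\adfind\.exe$", re.I)
# C2 address from the article (defanged in prose as 104.248.174[.]225).
BAZAR_C2 = ("104.248.174.225", 443)


def regsvr32_dll_path(cmdline: str) -> str:
    """Return the DLL path given to regsvr32.exe ('' if none). Skips /flags;
    paths containing spaces are only handled when quoted without spaces."""
    m = re.search(r'regsvr32(?:\.exe)?\s+(?:/\S+\s+)*"?([^"\s]+\.dll)"?', cmdline, re.I)
    return m.group(1) if m else ""


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator names an event matches (empty list if benign)."""
    hits = []
    image = event.get("Image", "")
    if image.lower().endswith("\\regsvr32.exe"):
        dll = regsvr32_dll_path(event.get("CommandLine", ""))
        if USER_PROFILE_DLL.match(dll) or ROAMING_DLL.match(dll):
            hits.append("regsvr32_user_profile_dll")
    if ADFIND_IN_PROGRAMDATA.match(image):
        hits.append("adfind_in_programdata")
    if (event.get("DestinationIp"), int(event.get("DestinationPort", 0))) == BAZAR_C2:
        hits.append("bazar_c2_address")
    return hits


# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": r"regsvr32.exe /s C:\Users\alice\tru.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": r'regsvr32 "C:\Users\alice\AppData\Roaming\x.dll"'},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": r"regsvr32.exe /s C:\Windows\System32\legit.dll"},
    {"Image": r"C:\ProgramData\AdFind.exe", "CommandLine": "AdFind.exe"},
    {"Image": r"C:\Program Files\Browser\browser.exe", "DestinationIp": "104.248.174.225", "DestinationPort": "443"},
]


def scan(events=SAMPLE_EVENTS) -> Dict[int, List[str]]:
    """Map each event index to its indicator hits, dropping benign events."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


if __name__ == "__main__":
    for idx, hits in scan().items():
        print(idx, hits)
```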

This type of attack can cause significant damage to an organization. Organizations with decent spam filtering, proper system management, and up-to-date Windows hosts have a lower risk of infection from such attacks.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
