A BazarLoader Windows malware campaign has been detected hosting one of their malicious files on Microsoft’s OneDrive service. This BazarLoader Windows malware enables the threat actors backdoor access and network reconnaissance.

BazarLoader is a group of malware and is quite big in which a spam email attempts to trick beneficiaries into initiating a Trojan through a link.Many campaigns that have distributed BazarLoader malware using spam emails. But, after investigating the whole thing it came to know that the majority of BazarLoader samples were expanded through three campaigns.


BazarCall campaign has pushed BazarLoader utilizing the spam emails for their initial contact and call centers to supervise the possible victims to affect their computers.

The malicious Excel spreadsheet was created and it has once again been modified and the file has macros that are specifically designed to contaminate a vulnerable Windows host with BazarLoader.The file has a DocuSign excel template that has been created by a hacker, as they try to instill reliance by taking benefit of the DocuSign brand name and image.

The spreadsheet’s macro code recovered a malicious DLL file for BazarLoader from the URL and after recovering it, the DLL gets saved to the victim’s home directory C:\Users\[username]\tru.dll. It ran using regsvr32.exe.


Bazar C2 traffic has been generated through BazarLoader that C2 activity, for recovering Bazar Backdoor just by using HTTPS traffic from 104.248.174[.]225 above TCP port 443. While the Bazar C2 activity creates traffic to legitimate domains, and the activity is not essentially malicious.

Cobalt Strike DLL file is being transferred through Bazar C2 traffic and later gets saved to the affected Windows host under the user’s AppData\Roaming directory.

After Cobalt Strike attack, a tool to identify an AD environment that generally resembled the affected host at C:\ProgramData\AdFind.exe has been identified to find data in the environment

This type of attack can cause a lot of damage to the organization, that’s why it’s strongly recommended that organizations that have decent spam filtering, proper system management, and up-to-date Windows hosts will definitely have a lower risk of infection from such malicious attacks.