December 3, 2023

BazarLoader, the nasty information stealer, is now using new delivery methods that include compromised software installers and ISO files. The variations in the arrival mechanism seem to be an attempt at evading detection.


In new campaigns, BazarLoader has directed its attack toward U.S. victims. The first change was observed in the malware’s delivery mechanism, which now abuses legitimate, compromised installers such as VLC media player and TeamViewer. Hackers convince the victims to download those installers, which leads them to unwittingly acquire the BazarLoader executable.

In another method, hackers deliver the malware by abusing ISO files, archive files that hold an identical copy of the data stored on an optical disc. The abused ISO file would download a DLL payload and a Windows link (LNK) file. The LNK file uses a folder icon on the victim's system to fool them into clicking it. When the victim clicks the icon, the enclosed BazarLoader DLL file runs.

According to experts, these two techniques are possibly an expansion of delivery capabilities in an attempt to evade detection.

The large file size can be hard for detection solutions such as sandboxes to handle, since they may enforce file size limits. The LNK files serve as shortcuts, and they may be obfuscated as well to add further layers.
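The ISO delivery method described above leaves a recognizable pattern on disk: a shortcut that references a DLL shipped in the same image. As an added example (not from the original article or the researchers it cites), the Python below parses the string fields of each LNK and flags that pairing. Treating `shell32.dll` and `imageres.dll` as stock icon sources is an assumption, and the sample shortcut is constructed and has no target.

```python
import struct
# LinkFlags bits for the optional StringData fields, in on-disk order.
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
ICON_LIBS = ("shell32.dll", "imageres.dll")  # assumption: stock Windows icon sources

def parse_lnk(data):
    """Return the StringData fields of a shortcut, or None if not a valid LNK."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    try:
        flags = struct.unpack_from("<I", data, 0x14)[0]
        pos = 76
        if flags & 0x01:  # HasLinkTargetIDList: 2-byte size prefix
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & 0x02:  # HasLinkInfo: 4-byte size that includes itself
            pos += struct.unpack_from("<I", data, pos)[0]
        width, codec = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")
        fields = {}
        for bit, name in STRING_FLAGS:
            if flags & bit:
                size = struct.unpack_from("<H", data, pos)[0] * width
                fields[name] = data[pos + 2:pos + 2 + size].decode(codec, "replace")
                pos += 2 + size
        return fields
    except struct.error:  # truncated or malformed shortcut
        return None

def triage_image(files):
    """files: {name: bytes} extracted from an ISO. Return the names of shortcuts
    that reference a DLL shipped beside them and borrow a stock icon."""
    dlls = {n.lower() for n in files if n.lower().endswith(".dll")}
    hits = []
    for name, data in files.items():
        fields = parse_lnk(data) if name.lower().endswith(".lnk") else None
        if not fields:
            continue
        text = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
        icon = fields.get("icon_location", "").lower()
        if any(d in text for d in dlls) and icon.endswith(ICON_LIBS):
            hits.append(name)
    return hits

def sample_lnk(arguments, icon):
    """Constructed, non-functional LNK (no target): header plus two Unicode strings."""
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (arguments, icon))
    return struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0xE0) + bytes(52) + strings

SAMPLE = {"Documents.lnk": sample_lnk("documents.dll", r"%SystemRoot%\System32\shell32.dll"),
          "documents.dll": b"MZ"}  # constructed placeholder contents
```

Calling `triage_image(SAMPLE)` returns `["Documents.lnk"]`; a hit is a reason to review the image, not a verdict.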


Researchers have warned that BazarLoader is expected to continue to evolve its delivery capabilities, and therefore BazarLoader detections should be prioritized. Moreover, the loader is used for initial access by prominent ransomware families. Organizations are therefore advised to deploy reliable anti-malware solutions to stay protected.
