BazarBackdoor, or BazarLoader, is an attack delivered through a backdoor that allows attackers to install additional malware, and it is commonly used in ransomware attacks. The malware has attacked various organizations in North America and Europe. It is widely believed that BazarLoader was developed by a hacking group called Trickbot.

How does it operate?

Comma-separated values (CSV) is a text file format in which data is arranged in columns separated by commas. The first line is treated as the header, which describes the columns. The delimiter can be a semicolon, space, or another character, but the most common one is a comma.

Used in exporting data

Using CSV is a popular way to export data from an application and then import it into other programs as a data source. Since CSVs are just text with no executable code, many people consider these files harmless and open them with less caution.

Fakes to look authentic

BazarLoader usually uses existing email threads. It replies to a real email thread with malicious content, using social engineering techniques to look legitimate and lure the victim.

Password-protected and ZIP files

In many cases, the text in the subject line and email body creates a sense of urgency and encourages victims to open attachments without thinking. Typically, the file attached to the email is a ZIP file that requires a password, and the password itself is displayed in the body of the email. The ZIP file contains a Microsoft Word file. The .doc displays a message asking the user to run a macro to view the file, which prompts the user to click “enable content” on the top bar and allow the macro to run.

From an attacker’s point of view, the reason for using a password-protected file is to make it harder for security tools to scan the file. On the other hand, a person can easily open it since the password is in the email itself.

Spreads by phishing

BazarBackdoor spreads through phishing messages purporting to be from legitimate senders. For example, communications may include payroll reports related to COVID-19 and lists of terminated employees.

Redirection for file downloading

Potential victims must click on a link to a document that appears to be stored in Google Docs. After clicking this link, they are redirected to a custom landing page made to look like a PDF, Word, or Excel document. The landing page asks potential victims to click on a link to view the attachment. When that link is clicked, an executable file is downloaded whose name references the name of the file displayed on the landing page.

Since Windows usually does not display file extensions by default, most Windows users will see the file as “PreviewReport.Doc” and not as “PreviewReport.Doc.exe”.
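One way to flag this masking on the defensive side, as an added example that is not part of the original article: the Python below reports file names where an executable extension hides behind a document-looking one, together with the name a user would see with extensions hidden. The extension lists, function names and every sample name except “PreviewReport.Doc.exe” are constructed assumptions.

```python
import re

# Assumed lists for illustration; tune them to your environment.
DECOY_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "csv", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}

# Constructed sample input (only the first name appears in the article).
SAMPLE = [
    "PreviewReport.Doc.exe",
    "Q3-payroll.xlsx",
    "setup.exe",
    "archive.tar.gz",
    "notes.v1.2.docx",
    r"C:\Users\a\Downloads\Report.PDF.EXE",
]

def split_name(filename):
    """Return (shown_name, real_ext): the name with its final extension
    hidden, and that final extension in lower case."""
    # Keep only the last path component; Windows ignores trailing dots/spaces.
    base = re.split(r"[\\/]", filename)[-1].rstrip(" .")
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return base, ""
    return stem, ext.lower()

def is_masked_executable(filename):
    """True when the real extension is executable and the visible name
    still ends in a document-like extension (case-insensitive)."""
    shown, real_ext = split_name(filename)
    if real_ext not in EXEC_EXTS:
        return False
    _, dot, decoy = shown.rpartition(".")
    return bool(dot) and decoy.lower() in DECOY_EXTS

def triage(names):
    """Return (full_name, name_the_user_sees) for every masked executable."""
    return [(n, split_name(n)[0]) for n in names if is_masked_executable(n)]

if __name__ == "__main__":
    for full, shown in triage(SAMPLE):
        print(f"ALERT: user sees '{shown}', real file is '{full}'")
```

The same check can be applied to attachment names at the mail gateway or to files landing in user download folders.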

The executable, also known as BazaLoader, is a backdoor loader. If the victim opens BazaLoader, it will be installed on the infected computer and will remain inactive for a short period.

It will then connect to the command and control server to download the backdoor. When the backdoor is installed, it will download and run the legitimate security application Cobalt Strike. Fraudsters often use hacked versions of Cobalt Strike to spread over the network, distribute malware, and steal credentials.


Once installed, BazarBackdoor gives attackers access to the corporate network, which they will use to spread horizontally across the network. Ultimately, this can lead to further malware infections, data theft, and ransomware injections.