Malware · Ransomware · Used by 1 actor · Exploits 2 CVEs

BazarBackdoor

BazarBackdoor is a Windows backdoor malware family reported alongside BazarLoader, and some reporting uses the two names interchangeably for related payloads. It is associated with the TrickBot/Conti cybercrime ecosystem and has been tracked by Mandiant in activity involving UNC2053. Reporting states that Conti evolved into a broader cybercrime syndicate that took over development of multiple malware operations, including TrickBot and BazarBackdoor, and that leaked Conti materials included the BazarBackdoor API.

Observed delivery includes malicious email campaigns and abuse of the Windows 10 App Installer mechanism via ms-appinstaller links. In the Sophos-reported campaign, personalized complaint-themed phishing emails led victims to a malicious .appinstaller file and .appxbundle hosted on Microsoft cloud storage, presenting a fake Adobe-branded installer. The installed payload chain used SecurityFix.exe to download a DLL, execute it via regsvr32.exe, respawn through child processes with delays, and ultimately inject into a headless msedge.exe process.

Capabilities described in the reporting include HTTPS command-and-control that sends data in cookie values of GET or POST request headers and receives commands through Set-Cookie response headers, generation of noisy traffic to unrelated websites, and host profiling through PowerShell and native commands. The malware was observed collecting system information including hard disks, processor, motherboard, RAM, network environment, and the victim's public-facing IP address. Reported URI paths associated with this activity included /segment/billion, /recite/drink, /mission/revolt, /discreet/marble, and /note/actual.
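As an added example (not from this page, Mallory, or any vendor tool), a small Python check that applies the two C2 traits just described to constructed proxy-log lines: requests to the reported URI paths, and data leaving in request Cookie headers while the server answers with Set-Cookie. The log layout, host names and the 256-byte cookie threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# URI paths the reporting associates with BazarBackdoor C2 traffic.
BAZAR_URI_PATHS = {"/segment/billion", "/recite/drink", "/mission/revolt",
                   "/discreet/marble", "/note/actual"}

# Constructed proxy-log layout (an assumption for this example, not a vendor format):
# <ts> <client> <method> https://<host><path> cookie=<request Cookie bytes> set_cookie=<Set-Cookie headers in reply>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) https://(?P<host>[^/\s]+)"
                    r"(?P<path>/\S*) cookie=(?P<cookie_len>\d+) set_cookie=(?P<set_cookie>\d+)$")

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_bazar_c2_candidates(lines, min_cookie_bytes=256):
    """Group requests per (client, host) and return the pairs showing a BazarBackdoor C2 signal:
    a hit on a known URI path, or cookie-borne request data answered with Set-Cookie headers."""
    stats = defaultdict(lambda: {"paths": set(), "get_cookie_bytes": 0, "set_cookie": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line
        s = stats[(rec["client"], rec["host"])]
        if rec["path"] in BAZAR_URI_PATHS:
            s["paths"].add(rec["path"])
        if rec["method"] == "GET":
            s["get_cookie_bytes"] += int(rec["cookie_len"])  # data sent in GET cookie values
        s["set_cookie"] += int(rec["set_cookie"])           # commands arrive via Set-Cookie
    hits = {}
    for key, s in stats.items():
        reasons = []
        if s["paths"]:
            reasons.append("known_bazar_uri")
        if s["get_cookie_bytes"] >= min_cookie_bytes and s["set_cookie"] > 0:
            reasons.append("cookie_channel")
        if reasons:
            hits[key] = reasons
    return hits

# Constructed sample lines: two ordinary sites, and one host that shows both signals.
SAMPLE_LINES = [
    "2021-11-04T10:00:01Z 10.0.0.5 GET https://www.example.org/index.html cookie=40 set_cookie=1",
    "2021-11-04T10:00:07Z 10.0.0.5 GET https://c2.example.invalid/segment/billion cookie=300 set_cookie=2",
    "2021-11-04T10:00:09Z 10.0.0.5 POST https://c2.example.invalid/note/actual cookie=900 set_cookie=1",
    "2021-11-04T10:00:12Z 10.0.0.5 GET https://cdn.example.net/lib.js cookie=0 set_cookie=0",
    "not a proxy log line",
]
```

Because the malware also generates noisy traffic to unrelated websites, request volume alone is a poor signal; the check deliberately keys on path and cookie behaviour per host instead.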

The reporting links the malware to ransomware operations. UNC2053 distributed BazarLoader via malicious email campaigns, and those loaders downloaded BazarBackdoor, which subsequently delivered FIN12 Cobalt Strike BEACON payloads. It also states that BazarBackdoor can enable distribution of Ryuk ransomware, was recently sighted in ransomware-as-a-service campaigns, and rose in prevalence as TrickBot activity declined. Additional reporting cited code similarities between TrickBot and BazarBackdoor, and one source states that TrickBot was officially discontinued in favor of improved malware such as BazarBackdoor.

Targeting described in the reporting is broad: the App Installer campaign reached people around the world, and downstream ransomware activity affected large organizations, especially in North America, with notable healthcare targeting in FIN12- and Conti-linked operations. A related Elastic report also notes ZenPak as associated with the Bazar malware family and references BazarBackdoor's history in ransomware-as-a-service campaigns.


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2021-43890: Windows AppX Installer Spoofing Vulnerability (exploited in the wild)

Update (2021-01-15): Microsoft Security Response has issued CVE-2021-43890 in reference to the vulnerability in the App installer process described below. The bug was fixed in the January, 2022 Patch Tuesday release. | The payloads, belonging to a malware family variously known as BazarBackdoor and BazarLoader, were delivered by abusing a novel mechanism... The malware that eventually was installed is BazarBackdoor.

via Sophos Threat Research (news.sophos.com)

CVE-2020-1472: Zerologon in Microsoft Netlogon Remote Protocol (exploited in the wild)

"Privileges have been escalated using Mimikatz, Rubeus4 [13], or by exploiting a Zerologon vulnerability (CVE-2020-1472) [26]."

via cert ssi scada (cert.ssi.gouv.fr)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

WIZARD SPIDER

We track the use of BAZARLOADER and BAZARBACKDOOR as UNC2053.

via Web Archive (web.archive.org)
MITRE ATT&CK

Techniques & procedures

20 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566 Phishing (evidence: 2)

In instances where FIN12 leveraged UNC2053 for initial access, we observed BAZARLOADER payloads distributed via malicious email campaigns.

T1566.002 Spearphishing Link (evidence: 1)

The messages urge the recipient to click through to a website that, purportedly, is where the complaint has been posted for you to review.

Execution

1 technique
T1059.001 PowerShell (evidence: 1)

the headless Edge process kept spawning instances of PowerShell or other tools.

Persistence

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

“Bazar activity can be identified by searching the system startup folders and Userinit values under… Winlogon registry key: %APPDATA%\…\Startup\adobe.lnk” / (Ryuk table) “Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder… create a Registry entry…\Run to establish persistence.”

Privilege Escalation

2 techniques
T1055 Process Injection (evidence: 1)

the DLL terminates and an instance of the Edge browser (Chromium version) spawns, with the code injected into a headless instance of msedge.exe.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

“Bazar activity can be identified by searching the system startup folders and Userinit values under… Winlogon registry key: %APPDATA%\…\Startup\adobe.lnk” / (Ryuk table) “Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder… create a Registry entry…\Run to establish persistence.”

Stealth

4 techniques
T1036 Masquerading (evidence: 1)

the attacker simply added individual display properties for the program’s name (“Adobe PDF Component”), publisher (“Adobe Inc.”), and an Adobe Acrobat logo graphic stored in a subfolder.

T1055 Process Injection (evidence: 1)

the DLL terminates and an instance of the Edge browser (Chromium version) spawns, with the code injected into a headless instance of msedge.exe.

T1218.010 Regsvr32 (evidence: 1)

SecurityFix executable ... downloaded a DLL ... into the %temp% directory and then runs it using regsvr32.exe.

T1497.001 System Checks (evidence: 1)

And this very long PowerShell command chooses one or more of these URLs, at random, and uses it to identify the public-facing IP address of the network where the system is located.

Defense Impairment

1 technique
T1553.002 Code Signing (evidence: 2)

FIN12 has frequently leveraged code-signed payloads in their operations.

Credential Access

1 technique
T1003 OS Credential Dumping (evidence: 1)

“attackers… leveraging tools such as… Mimikatz… Privileges have been escalated using Mimikatz, Rubeus…”

Discovery

3 techniques
T1082 System Information Discovery (evidence: 1)

These three queries profiled the hard drive, processor information, and RAM on the system.

T1135 Network Share Discovery (evidence: 1)

The malware, running in the context of the headless Edge process, also ran other commands like net view /all to learn more about servers on the network where it’s installed.

T1497.001 System Checks (evidence: 1)

And this very long PowerShell command chooses one or more of these URLs, at random, and uses it to identify the public-facing IP address of the network where the system is located.

Lateral Movement

2 techniques
T1021 Remote Services (evidence: 1)

“deploy Ryuk (for example via PsExec)… move laterally using RDP… spread… on every reachable machine on which Windows RPC accesses are possible.”

T1210 Exploitation of Remote Services (evidence: 1)

“Privileges have been escalated… by exploiting a Zerologon vulnerability (CVE-2020-1472).”

Command and Control

5 techniques
T1071 Application Layer Protocol (evidence: 2)

What may be more helpful, though, is the BazarBackdoor APIs and TrickBot command and control server source code that was released, as there is no way to access that info without having access to the threat actor's infrastructure.

T1071.001 Web Protocols (evidence: 1)

Like many other malware, BazarBackdoor (and its related sibling BazarLoader) communicates over HTTPS

T1105 Ingress Tool Transfer (evidence: 3)

These loaders then downloaded a corresponding BAZARBACKDOOR payload that was used to subsequently deliver a FIN12 BEACON payload.

T1132 Data Encoding (evidence: 1)

the malware uses “cookies” in the HTTPS GET or POST headers to transmit information to the server, and receives commands from the C2 in the form of one or more “Set-Cookie” response headers.

T1219 Remote Access Tools (evidence: 1)

With their recent take over of the stealthy BazarBackdoor malware and becoming an actual crime syndicate, they will, unfortunately, continue to be a threat.

Exfiltration

1 technique
T1048 Exfiltration Over Alternative Protocol (evidence: 1)

“Reconnaissance data… is exfiltrated via FTP.”

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
2 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.
