Buer Loader
Buer Loader is a modular malware-as-a-service downloader/loader first advertised for sale on underground forums in August 2019. It has been used as initial-access malware in phishing and other email-based intrusion chains, and has also been observed delivered via malicious Microsoft Excel XLL add-ins.

In a Ryuk intrusion investigated by Sophos, a targeted phishing email led an employee to a malicious document hosted on docs.google.com; once the user enabled content, the document executed print_document.exe, which Sophos identified as Buer Loader. Buer Loader then dropped a Cobalt Strike beacon and additional malware, and SystemBC was later deployed on a domain controller. Related Ryuk campaigns used BazarLoader or Zloader in the same role.

Sophos and Secureworks reporting ties Buer Loader to the ransomware intrusion ecosystem around Ryuk and Conti/Diavol-linked activity, including overlap between GOLD ULRICK and GOLD BLACKBURN, and notes that core GOLD ULRICK operations typically gained initial access through TrickBot, BazarLoader, or Buer Loader. Proofpoint has reported that TA578 previously delivered Buer Loader in email campaigns.

Infection vectors documented in the cited reporting are phishing emails, malicious documents, and XLL-based delivery. No standalone Buer Loader-specific IOCs are provided beyond the filename print_document.exe observed in the Sophos incident.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.
Ransomware attacks operated by the core GOLD ULRICK group typically consist of initial access through TrickBot, BazarLoader or Buer Loader.
"...allowing the document to execute print_document.exe —a malicious executable identified as Buer Loader."
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The following quotation concerns Bumblebee rather than Buer Loader; it comes from the Proofpoint reporting that also names TA578, a past Buer Loader distributor, among Bumblebee's distributors: "Proofpoint researchers have observed Bumblebee being distributed in email campaigns by at least three tracked threat actors."
“Multiple employees… received highly-targeted phishing emails… The link… redirected to a malicious document hosted on docs.google.com… one employee clicked… enabled its content, allowing the document to execute print_document.exe”
Execution
1 technique
“The user opened the document and enabled its content, allowing the document to execute print_document.exe”
Command and Control
1 technique
“Buer Loader malware dropped… a Cobalt Strike ‘beacon,’ along with other malware files… A folder… was dropped on the domain controller… SystemBC… was deployed on the domain controller.”
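The two delivery behaviours documented above (a macro-enabled document launching a dropped executable such as print_document.exe, and Excel loading a malicious XLL add-in) both leave a footprint in ordinary endpoint process-creation and image-load telemetry. The script below is an added hunting example written for this page, not code from Sophos, Proofpoint, Secureworks, or the Mallory product. It runs two heuristics over Sysmon-style events (Event ID 1 for process creation, Event ID 7 for image loads): an Office application spawning an .exe from a user-writable directory, and excel.exe loading an .xll from anywhere other than an installed add-in directory. The event records, hostnames, user name and the XLL filename are constructed for the example; the directory lists are assumptions to tune for your environment.

```python
"""Hunt for the Buer Loader delivery chain in Sysmon-style telemetry.

Heuristic 1: Word/Excel/PowerPoint/Outlook spawning an .exe that lives in
             a user-writable path (macro-enabled document -> dropped loader).
Heuristic 2: excel.exe loading an .xll add-in from outside the usual
             installed add-in directories (XLL delivery vector).

All events below are constructed for this example; they are not real telemetry.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Locations a phished user can write to without elevation. A stage dropped by
# a document normally lands here. (Assumption: Office does not legitimately
# launch executables from these paths in your environment; tune as needed.)
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|desktop|documents|appdata\\local\\temp|"
    r"appdata\\local\\microsoft\\windows\\inetcache)|programdata|windows\\temp|temp)\\",
    re.IGNORECASE,
)

# Where installed XLL add-ins usually live. Anything else is treated as
# suspicious. (Assumption; a legitimate enterprise add-in deployed elsewhere
# would need an allow-list entry.)
TRUSTED_XLL_DIRS = re.compile(
    r"^[a-z]:\\(program files( \(x86\))?\\|users\\[^\\]+\\appdata\\roaming\\microsoft\\addins\\)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (works on any host OS)."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev: dict):
    """Sysmon EID 1: flag an Office parent spawning an .exe from a user-writable path."""
    parent = basename(ev["ParentImage"])
    child = ev["Image"]
    if parent in OFFICE_APPS and child.lower().endswith(".exe") and USER_WRITABLE.match(child):
        return Finding(ev["Computer"], "office_spawns_user_writable_exe", f"{parent} -> {child}")
    return None


def check_image_load(ev: dict):
    """Sysmon EID 7: flag excel.exe loading an .xll from an untrusted directory."""
    if basename(ev["Image"]) != "excel.exe":
        return None
    loaded = ev["ImageLoaded"]
    if loaded.lower().endswith(".xll") and not TRUSTED_XLL_DIRS.match(loaded):
        return Finding(ev["Computer"], "excel_loads_untrusted_xll", loaded)
    return None


def hunt(events):
    """Apply both heuristics to a list of event dicts; return the findings in order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            f = check_process_create(ev)
        elif ev["EventID"] == 7:
            f = check_image_load(ev)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Macro-enabled document drops and runs print_document.exe -> should fire.
    {"EventID": 1, "Computer": "WS01", "ParentImage": OFFICE16 + r"\WINWORD.EXE",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\print_document.exe"},
    # Word launching the print spooler helper -> benign, should not fire.
    {"EventID": 1, "Computer": "WS01", "ParentImage": OFFICE16 + r"\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe"},
    # Excel loading an XLL straight out of Downloads -> should fire.
    {"EventID": 7, "Computer": "WS02", "Image": OFFICE16 + r"\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\report.xll"},
    # Excel loading the shipped Analysis ToolPak add-in -> should not fire.
    {"EventID": 7, "Computer": "WS02", "Image": OFFICE16 + r"\EXCEL.EXE",
     "ImageLoaded": OFFICE16 + r"\Library\Analysis\ANALYS32.XLL"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

Both heuristics are behavioural rather than hash-based, which matters here because the page records no Buer Loader hashes or infrastructure: the only artifact is a filename that any rebuild would change. Expect to allow-list enterprise add-ins and any installer-style Office child processes before running this over production telemetry.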
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Buer Loader is referenced as malware delivered via phishing to establish initial compromise in Ryuk-related attacks where SystemBC was later used.
Loader family mentioned as using XLL files as an infection vector (no further technical detail provided in the content).
A malware loader referenced as one of the payloads historically delivered by TA578.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.