BazarLoader (sometimes referred to as BazaLoader) has become a real problem in the last few months. The backdoor malware, which managed to gain a foothold in the cyber threat landscape during the absence of TrickBot, has particularly been associated with the recently found BazaCall tactic. However, researchers highlight that the malware is capable of causing more damage as it broadens its attack scope.

BazaLoader leads in Q3

  • In a Q3 2021 report from PhishLabs, researchers uncovered that BazaLoader accounted for 24.7% of attacks, making it the most reported malware deploying payloads.
  • Believed to be a product of TrickBot operators, the backdoor was primarily associated with phishing campaigns used to deploy Ryuk and Conti ransomware.
  • Three such phishing campaigns involving the use of BazarLoader were observed between July and August.
  • Additionally, there was a spike in vishing attacks where victims were prompted to connect with a fake call center that stealthily infected their systems.

Another interesting fact

Some days ago, a security analyst took to Twitter to cite the malicious abuse of Office 365 and other related platforms of Microsoft.
  • In one of the tweets, the analyst mentioned that a BazarLoader malware campaign had hosted its malicious files on Microsoft’s OneDrive service.
  • The infected cloud platform was active for over a year before it was taken down.
  • This could have turned catastrophic as the backdoor could have led to ransomware attacks.


From launching ransomware attacks to engaging in fake DDoS attacks, operators of BazarLoader malware have made it clear that they are not going away anytime soon. Moreover, the attackers are evolving their propagation tactics that largely involve phishing emails. Therefore, users should be careful while opening emails and documents sent by unknown people, as well as keep their security software updated.

Cyware Publisher