BazarLoader downloader has been discovered in two separate cyberattack campaigns. Both the campaigns employed unique social engineering techniques and popular products used in many organizations. It was first spotted last April and since then, researchers have discovered six variants.

What has been discovered?

The researchers working at Sophos discovered BazarLoader being used in two attack campaigns.
  • In the first campaign, the attackers were targeting employees of big organizations with emails offering important information regarding customer service, invoices, payroll, or contracts.
  • The links inside the emails were hosted on BaseCamp or Slack cloud storage and looked genuine.
  • In the second campaign, the spam messages were identified. The emails talk about a free trial for an online service that is about to expire and the target must call on the provided telephone number to prevent expiry.
  • Upon calling, a person on the other side asks them to visit a malicious website address that spreads a malicious Office document.

A connection to TrickBot?

According to researchers, BazarLoader is suspected to be related or managed by TrickBot operators. 
  • Sophos discovered that TrickBot and BazarLoader use some of the same C2 infrastructures.
  • Both the malware were spotted communicating with a common IP address that was used in previous attacks.


BazarLoader operators have been actively targeting victims using unique social engineering techniques. In addition, the discovery of six variants shows active and continued development of the threat. Thus, organizations should employ adequate security measures in place to stay protected.

Cyware Publisher