Loader

BazarLoader

aka BazarBackdoor · BazaLoader · Team9

A stealthy backdoor-loader from the TrickBot/Conti gang used to gain initial access and deploy Ryuk and Conti ransomware.

BazarLoader (BazarBackdoor) was a stealthy loader and backdoor built by the Wizard Spider crew behind TrickBot and Conti. From 2020 it served as a quieter alternative to TrickBot for gaining initial access and deploying Ryuk and Conti ransomware.

BazarCall

BazarLoader popularised "BazarCall" (call-back phishing): emails about a fake subscription prompt the victim to phone a call centre, where operators talk them into installing the malware — neatly bypassing email attachment defenses.

Infrastructure

It notably used EmerDNS / blockchain-based domains for resilient C2. Activity wound down as the Conti ecosystem fractured in 2022. Campaigns are tracked on Cyber Breaches; a C2 analysis lives on the Reverse Engineering Hub.
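A defender-side check for the blockchain-based C2 mentioned above, added here as an example and not part of the original profile: it scans resolver query logs for names under EmerDNS zones, which ordinary ICANN resolvers cannot answer, so their appearance from a workstation is a useful triage signal. The log layout and hostnames are constructed; the zone list assumes EmerDNS's documented TLDs (.coin, .emc, .lib, .bazar).

```python
import re
from typing import Dict, Iterable, List, Optional

# EmerDNS zones (assumed from EmerDNS documentation). Ordinary ICANN resolvers cannot
# resolve these, so a query for one from an endpoint is worth a look.
EMERDNS_TLDS = {"coin", "emc", "lib", "bazar"}

# Constructed sample resolver log (not real telemetry); all hostnames are made up.
SAMPLE_DNS_LOG = """\
2021-03-04T10:15:01Z client 10.0.0.23 query A update.example-vendor.com
2021-03-04T10:15:07Z client 10.0.0.23 query A made-up-c2.bazar
2021-03-04T10:15:09Z client 10.0.0.41 query AAAA www.example.org
2021-03-04T10:16:30Z client 10.0.0.23 query A other-made-up.bazar.
2021-03-04T10:17:02Z client 10.0.0.77 query A test-host.coin
2021-03-04T10:17:05Z client 10.0.0.77 query A notbazar.com
"""

# One query record per line: timestamp, source IP, query type, queried name (assumed layout).
LINE_RE = re.compile(r"^(?P<ts>\S+) client (?P<src>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")


def emerdns_tld(qname: str) -> Optional[str]:
    """Return the EmerDNS zone a name falls under, or None for an ordinary name."""
    tld = qname.rstrip(".").lower().rsplit(".", 1)[-1]
    return tld if tld in EMERDNS_TLDS else None


def find_emerdns_queries(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed log entries whose queried name sits in an EmerDNS zone."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a query record in the assumed layout
        zone = emerdns_tld(m["qname"])
        if zone:
            hits.append({**m.groupdict(), "zone": zone})
    return hits


def querying_hosts(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged queries per source IP so the noisiest endpoints are triaged first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_emerdns_queries(SAMPLE_DNS_LOG.splitlines())
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['qname']} (.{h['zone']})")
    print(querying_hosts(found))
```

Point the same function at your own resolver export after adjusting LINE_RE to its format; a hit does not prove infection, but it tells you which endpoint to pull for pre-ransomware triage.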

Defense

Train staff against call-back phishing, block the delivery chain, and respond to BazarLoader as pre-ransomware activity.