{
	"id": "47921cfb-dda8-4358-a602-bac20c724022",
	"created_at": "2026-04-06T00:13:10.309076Z",
	"updated_at": "2026-04-10T03:37:23.899705Z",
	"deleted_at": null,
	"sha1_hash": "5c8fb3f0540f0816345e85722d9d1d9d6d281e3e",
	"title": "Case Study: From BazarLoader to Network Reconnaissance",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3393476,
	"plain_text": "Case Study: From BazarLoader to Network Reconnaissance\r\nBy Brad Duncan\r\nPublished: 2021-10-18 · Archived: 2026-04-05 19:38:58 UTC\r\nExecutive Summary\r\nBazarLoader is Windows-based malware spread through various methods involving email. These infections\r\nprovide backdoor access that criminals use to determine whether the host is part of an Active Directory (AD)\r\nenvironment. If so, criminals deploy Cobalt Strike and perform reconnaissance to map the network. If the results\r\nindicate a high-value target, criminals attempt lateral movement and will often deploy ransomware like Conti or\r\nRyuk.\r\nThis blog reviews a recent BazarLoader infection, how it led to Cobalt Strike, and how Cobalt Strike led to\r\nnetwork reconnaissance. If you discover similar activity within your network, you could be a target for\r\nransomware.\r\nOrganizations with decent spam filtering, proper system administration and up-to-date Windows hosts have a\r\nmuch lower risk of infection. Palo Alto Networks customers are further protected from this threat. Our Threat\r\nPrevention security subscription for the Next-Generation Firewall detects the BazarLoader sample from this\r\ninfection and similar samples. Endpoint detection like Cortex XDR can prevent Cobalt Strike activity and criminal\r\naccess to your network.\r\nDistribution Methods for BazarLoader\r\nDuring summer 2021, different campaigns distributed BazarLoader malware using emails. From late July through\r\nmid-August 2021, the majority of BazarLoader samples were spread through three campaigns.\r\nThe BazarCall campaign pushed BazarLoader using emails for initial contact and call centers to guide potential\r\nvictims to infect their computers. By early July, a copyright violation-themed campaign using ZIP archives named\r\nStolen Images Evidence.zip also began pushing BazarLoader. 
By late July, a long-running campaign known as TA551 (Shathak) started pushing BazarLoader through English-language emails.\r\nIn addition to those three major campaigns, we discovered at least one example of BazarLoader distributed through an Excel spreadsheet of undetermined origin. Our case study reviews an infection generated using this example on Aug. 19, 2021.\r\nhttps://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/\r\nPage 1 of 9\r\nFigure 1. Chain of events from BazarLoader infection on Aug. 19, 2021.\r\nMalicious Excel Spreadsheet\r\nThe malicious Excel spreadsheet was discovered on Wednesday, Aug. 18, 2021, and it has a last modified date of Tuesday, Aug. 17. The filename had an .xlsb (Excel binary workbook) extension. The file contains macros designed to infect a vulnerable Windows host with BazarLoader. Figure 2 shows a screenshot of the Excel file.\r\nThough the DocuSign logo appears in Figure 2, this Excel template was created by a threat actor trying to instill confidence by trading on the DocuSign brand name and image. Various threat actors use this and other DocuSign-themed images on a near-daily basis. DocuSign is aware of this ongoing threat and provides guidelines on how to handle these types of malicious files.\r\nFigure 2. Screenshot of the malicious Excel spreadsheet.\r\nAfter the user enabled the malicious macros on a vulnerable Windows host, the spreadsheet presented a new tab with fake invoice information, as shown below in Figure 3.\r\nFigure 3. 
Excel spreadsheet presented a fake invoice after enabling macros.\r\nBy the time it presented the fake invoice page, the spreadsheet’s macro code had already retrieved a malicious binary for BazarLoader.\r\nBazarLoader Binary\r\nThe spreadsheet’s macro code retrieved a malicious Dynamic Link Library (DLL) file for BazarLoader from the following URL:\r\nhxxps://pawevi[.]com/lch5.dll\r\nAs shown below in Figure 4, the DLL was saved to the victim’s home directory at C:\\Users\\[username]\\tru.dll and was run with regsvr32.exe.\r\nFigure 4. BazarLoader DLL saved to the infected user’s home directory.\r\nThe BazarLoader DLL was immediately copied to another location and made persistent through the Windows registry, as shown below in Figure 5.\r\nFigure 5. Location and Windows registry update for persistent BazarLoader DLL.\r\nAs seen in Figure 5, the filename changed from tru.dll to kibuyuink.exe, even though the file remained a DLL and still required regsvr32.exe to run. Changing the filename extension is a common tactic seen in various malware infections: regsvr32.exe loads the module by path and does not care what extension it carries, so a .exe (or any other) extension hides the DLL from casual inspection and from extension-based scanning.\r\nBazar C2 Traffic\r\nThis example of BazarLoader generated command and control (C2) activity, retrieving BazarBackdoor using HTTPS traffic from 104.248.174[.]225 over TCP port 443. Then BazarBackdoor generated C2 activity using HTTPS traffic to 104.248.166[.]170 over TCP port 443. In Figure 6, we refer to this combined C2 activity as Bazar C2 traffic.\r\nFigure 6. Traffic from the infection filtered in Wireshark.\r\nThis example of Bazar C2 activity also generates traffic to legitimate domains. That traffic is not inherently malicious on its own. 
Various malware families generate similar traffic as a connectivity check or to confirm that an infected Windows host still has internet access.\r\nCobalt Strike Activity\r\nApproximately 41 minutes after the initial BazarLoader infection, our infected Windows host started generating Cobalt Strike activity using HTTPS traffic to gojihu[.]com and yuxicu[.]com, as shown below in Figure 7.\r\nFigure 7. Wireshark showing when the Cobalt Strike activity began.\r\nIn this case, a Cobalt Strike DLL file was sent through Bazar C2 traffic and saved to the infected Windows host under the user’s AppData\\Roaming directory. Figure 8 shows the Cobalt Strike DLL running on the infected machine.\r\nFigure 8. Cobalt Strike activity shown in Process Hacker.\r\nCobalt Strike leads to reconnaissance of an infected host’s environment. In our lab environments, this reconnaissance activity can start within a few minutes after Cobalt Strike traffic first appears.\r\nReconnaissance Activity\r\nIn our case study, approximately two minutes after Cobalt Strike activity started, a tool to enumerate an AD environment appeared on the infected host at C:\\ProgramData\\AdFind.exe. AdFind is a freely available command-line tool for querying AD over LDAP, and it has been used by criminal groups to gather information from an AD environment. In our case study an associated batch file was used to run the tool.\r\nFigure 9 shows the location of AdFind, the associated batch file adf.bat and the results of its search saved in seven text files.\r\nFigure 9. AdFind.exe, the batch file and search results saved to text files.\r\nFigure 10 shows the commands in the adf.bat file that run AdFind.exe.\r\nFigure 10. 
Commands used for AdFind.exe.\r\nThese commands enumerate the users, computers, organizational units, groups, subnets and domain trusts of the targeted AD environment.\r\nOur example did not involve a high-value target, and the environment was wiped within two or three hours after the initial infection. In this example, no follow-up ransomware was sent after the reconnaissance.\r\nConclusion\r\nThis case study reveals one example of an initial malware infection moving to Cobalt Strike, followed by reconnaissance activity. When attackers use Cobalt Strike, they can also perform other types of reconnaissance in an AD environment.\r\nIf the AD environment is a high-value target, the attacker’s next step is lateral movement and gaining access to the domain controller and other servers within the network.\r\nThis is a common pattern seen before attackers hit an organization with ransomware.\r\nOrganizations with decent spam filtering, proper system administration and up-to-date Windows hosts have a much lower risk of infection. Palo Alto Networks customers are further protected from this threat. Our Threat Prevention security subscription for the Next-Generation Firewall detects this and similar BazarLoader samples. Endpoint detection like Cortex XDR can prevent Cobalt Strike activity and criminal access to your network.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors.\r\n
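The process chain in this case study (regsvr32.exe running a DLL renamed to .exe out of the user profile, rundll32.exe loading a file with a made-up extension from the user’s AppData\\Roaming directory, then AdFind.exe run from a batch file with LDAP filters) is the detection opportunity. The following Python script is an added example and not code from the Unit 42 post: it runs three checks over a handful of constructed Sysmon-style process-creation events modelled on the indicators of compromise listed below (the host names WS01 and WS02, the user alice, the timestamps and the parent-process values are assumptions), then correlates a LOLBin loader alert with AD enumeration on the same host within an hour, roughly the gap this case study reports between infection and reconnaissance. The AdFind rule keys on the filter arguments rather than the file name, so it goes beyond this case and also matches a renamed copy of the tool.

```python
import re
from pathlib import PureWindowsPath

# Added example, not code from the Unit 42 post. The events below are
# constructed Sysmon-style process-creation records; hosts WS01/WS02, user
# alice, timestamps and parent processes are assumptions, while the paths and
# command lines follow the indicators listed in the case study.

def win(p):
    # PureWindowsPath turns forward slashes into a normal Windows path.
    return str(PureWindowsPath(p))

EVENTS = [
    {'t': 0, 'host': 'WS01', 'parent': 'EXCEL.EXE', 'image': 'regsvr32.exe',
     'cmd': 'regsvr32.exe /s ' + win('C:/Users/alice/tru.dll')},
    {'t': 4, 'host': 'WS01', 'parent': 'regsvr32.exe', 'image': 'regsvr32.exe',
     'cmd': 'regsvr32.exe /s ' + win('C:/Users/alice/AppData/Local/Temp/Damp/kibuyuink.exe')},
    {'t': 2460, 'host': 'WS01', 'parent': 'regsvr32.exe', 'image': 'rundll32.exe',
     'cmd': 'rundll32.exe ' + win('C:/Users/alice/AppData/Roaming/nubqabmlkp.iowd') + ',Entrypoint'},
    {'t': 2580, 'host': 'WS01', 'parent': 'cmd.exe', 'image': 'AdFind.exe',
     'cmd': win('C:/ProgramData/AdFind.exe') + ' -f (objectcategory=person)'},
    {'t': 2581, 'host': 'WS01', 'parent': 'cmd.exe', 'image': 'AdFind.exe',
     'cmd': win('C:/ProgramData/AdFind.exe') + ' -sc trustdmp'},
    # Benign control on another host: a system DLL registered silently.
    {'t': 90, 'host': 'WS02', 'parent': 'msiexec.exe', 'image': 'regsvr32.exe',
     'cmd': 'regsvr32.exe /s ' + win('C:/Windows/System32/msxml6.dll')},
]

OFFICE = {'excel.exe', 'winword.exe', 'powerpnt.exe'}
LOLBINS = {'regsvr32.exe', 'rundll32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'}
MODULE_EXTS = {'.dll', '.ocx', '.ax', '.cpl'}
USER_WRITABLE_ROOTS = {'users', 'programdata'}
# AdFind-style LDAP filters and the trust-dump switch, matched independently
# of the file name the tool was run under.
ADFIND_ARGS = re.compile(
    'objectcategory[ ]*=[ ]*(person|computer|organizationalunit|group|subnet)'
    '|-sc[ ]+trustdmp', re.IGNORECASE)


def loaded_module(image, cmd):
    # regsvr32: the module is the last argument that is not a /switch.
    # rundll32: the module is the first argument, up to the comma before the
    # export name. Paths containing spaces would need proper quote handling.
    args = cmd.split()[1:]
    if image == 'regsvr32.exe':
        mods = [a for a in args if not a.startswith('/')]
        return mods[-1] if mods else ''
    if image == 'rundll32.exe' and args:
        return args[0].split(',')[0]
    return ''


def classify(ev):
    hits = []
    image = ev['image'].lower()
    if ev['parent'].lower() in OFFICE and image in LOLBINS:
        hits.append('office_spawns_lolbin')
    if image in {'regsvr32.exe', 'rundll32.exe'}:
        mod = loaded_module(image, ev['cmd'])
        if mod:
            path = PureWindowsPath(mod)
            if path.suffix.lower() not in MODULE_EXTS:
                hits.append('lolbin_loads_non_dll_extension')
            if len(path.parts) > 1 and path.parts[1].lower() in USER_WRITABLE_ROOTS:
                hits.append('lolbin_module_in_user_writable_path')
    if ADFIND_ARGS.search(ev['cmd']):
        hits.append('ad_enumeration_args')
    return hits


def detect(events, window=3600):
    # Per-event alerts, plus the hosts where a LOLBin loader alert is followed
    # by AD enumeration within the window: the infection-to-reconnaissance
    # sequence the case study describes.
    alerts = [(ev['host'], ev['t'], h)
              for ev in sorted(events, key=lambda e: e['t']) for h in classify(ev)]
    chained = set()
    for host, t0, hit in alerts:
        if hit.startswith('lolbin'):
            for host2, t1, hit2 in alerts:
                if host2 == host and hit2 == 'ad_enumeration_args' and 0 <= t1 - t0 <= window:
                    chained.add(host)
    return alerts, sorted(chained)


if __name__ == '__main__':
    alerts, chained = detect(EVENTS)
    for a in alerts:
        print(a)
    print('hosts with loader-to-recon chain:', chained)
```

On the constructed sample this yields eight alerts, all on WS01, and reports WS01 as the only host with the loader-to-reconnaissance chain; the silent registration of a system DLL on WS02 produces nothing. The two loader rules are deliberately separate: the first BazarLoader execution used a legitimate .dll extension and is caught only by the user-writable-path rule, while the renamed kibuyuink.exe and the .iowd Cobalt Strike module trip both.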
\r\nIndicators of Compromise\r\nExcel file with macros for BazarLoader, SHA256 hash:\r\n8662d511c7f1bef3a6e4f6d72965760345b57ddf0de5d3e6eae4e610216a39c1\r\nFile size: 332,087 bytes\r\nFile name: Documents new.xlsb\r\nMalicious DLL for BazarLoader retrieved by the above Excel macro, SHA256 hash:\r\ncaa03c25583ea24f566c2800986def73ca13458da6f9e888658f393d1d340ba1\r\nFile size: 459,776 bytes\r\nOnline location: hxxps://pawevi[.]com/lch5.dll\r\nInitial saved location: C:\\Users\\[username]\\tru.dll\r\nFinal location: C:\\Users\\[username]\\AppData\\Local\\Temp\\Damp\\kibuyuink.exe\r\nRun method: regsvr32.exe /s [filename]\r\nMalicious DLL for Cobalt Strike, SHA256 hash:\r\n73b9d1f8e2234ef0902fca1b2427cbef756f2725f288f19edbdedf03c4cadab0\r\nFile size: 443,904 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\nubqabmlkp.iowd\r\nRun method: rundll32.exe [filename],Entrypoint\r\nAdFind command-line tool for enumerating an AD environment, SHA256 hash:\r\nb1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682\r\nFile size: 1,394,176 bytes\r\nFile location: C:\\ProgramData\\AdFind.exe\r\nBatch file to run AdFind, SHA256 hash:\r\n1e7737a57552b0b32356f5e54dd84a9ae85bb3acff05ef5d52aabaa996282dfb\r\nFile size: 385 bytes\r\nFile location: C:\\ProgramData\\adf.bat\r\nContents of adf.bat:\r\nadfind.exe -f \"(objectcategory=person)\" \u003e ad_users.txt\r\nadfind.exe -f \"objectcategory=computer\" \u003e ad_computers.txt\r\nadfind.exe -f \"(objectcategory=organizationalUnit)\" \u003e ad_ous.txt\r\nadfind.exe -sc trustdmp \u003e trustdmp.txt\r\nadfind.exe -subnets -f (objectCategory=subnet)\u003e subnets.txt\r\nadfind.exe -f \"(objectcategory=group)\" \u003e ad_group.txt\r\nadfind.exe -gcb -sc trustdmp \u003e trustdmp.txt\r\nAdditional Resources\r\nBazarCall Method: Call Centers Help Spread BazarLoader Malware – Unit 42, Palo Alto 
Networks\r\nTA551 BazarLoader to Cobalt Strike – Internet Storm Center\r\n“Stolen Images Evidence” BazarLoader to Cobalt Strike – @Unit42_Intel\r\n“Stolen Images Evidence” BazarLoader to Cobalt Strike – malware-traffic-analysis.net\r\n“Stolen Images Evidence” BazarLoader to Cobalt Strike to PrintNightmare – @Unit42_Intel\r\nBazarLoader to Cobalt Strike – @Unit42_Intel\r\nBazarLoader to Cobalt Strike to Anchor malware – Internet Storm Center\r\nTA551 BazarLoader to Cobalt Strike – malware-traffic-analysis.net\r\nSource: https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/"
	],
	"report_names": [
		"bazarloader-network-reconnaissance"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434390,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c8fb3f0540f0816345e85722d9d1d9d6d281e3e.pdf",
		"text": "https://archive.orkl.eu/5c8fb3f0540f0816345e85722d9d1d9d6d281e3e.txt",
		"img": "https://archive.orkl.eu/5c8fb3f0540f0816345e85722d9d1d9d6d281e3e.jpg"
	}
}