{
	"id": "071e6810-ad81-40d0-89ab-e91109ffc30a",
	"created_at": "2026-04-06T01:30:44.50799Z",
	"updated_at": "2026-04-10T13:12:36.512429Z",
	"deleted_at": null,
	"sha1_hash": "8b1a2597e97a70e0338b115cc3db02262fa999e9",
	"title": "Yet Another Bazar Loader DGA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73953,
	"plain_text": "Yet Another Bazar Loader DGA\r\nArchived: 2026-04-06 01:17:15 UTC\r\nBazar Loader decided to change its perfectly fine domain generation algorithm (DGA) once again. The change in the algorithm is very minor, but it yields more domain names.\r\nSample\r\nI looked at this sample:\r\nMD5: 9ad20d0e6da3cf135a93bf162a0a8cfb\r\nSHA1: a97893ab95f794cabc261483423f942f552926d0\r\nSHA256: 8e244f1a5b4653d6dbb4cc3978c7dd773b227a443361fbc30265b79f102f7eed\r\nSize: 288 KB (295616 Bytes)\r\nCompile Timestamp: 2021-01-20 19:37:37 UTC\r\nLinks: MalwareBazaar, Malpedia, Dropping_sha256, Cape, VirusTotal\r\nFilenames: Preview_report20-01.exe (VirusTotal)\r\nDetections: MalwareBazaar: BazaLoader, Virustotal: 33/76 as of 2021-01-23 07:31:37 - Trojan.Win32.Zenpak.4!c (AegisLab), Backdoor:Win32/KZip.90c5e0b2 (Alibaba), BackDoor.Bazar.55 (DrWeb), Trojan.Win32.Zenpak.bfcu (Kaspersky), Trojan:Win64/Bazarldr.BMB!MSR (Microsoft), Trojan.Win32.Zenpak.bfcu (ZoneAlarm)\r\nIt unpacks to this:\r\nMD5: 63784053ac2f608d94c18b17c46ab5d4\r\nSHA1: e01c814d6a4993c74a2bfb87b1b661fe78c41291\r\nSHA256: c0a087a520fdfb5f1e235618b3a5101969c1de85b498bc4670372c02756efd55\r\nSize: 98 KB (100864 Bytes)\r\nCompile Timestamp: 2021-01-20 19:10:11 UTC\r\nhttps://johannesbader.ch/blog/yet-another-bazarloader-dga/\r\nPage 1 of 6\r\nLinks: MalwareBazaar, Malpedia, Dropping_sha256, Dropping_sha256, Cape, VirusTotal\r\nFilenames: none\r\nDetections: MalwareBazaar: BazaLoader, Virustotal: 21/75 as of 2021-01-23 13:37:55 - Gen:Variant.Bulz.163525 (ALYac), Gen:Variant.Bulz.163525 (Ad-Aware), Trojan.Bulz.D27EC5 (Arcabit), Gen:Variant.Bulz.163525 (BitDefender), Gen:Variant.Bulz.163525 (B) (Emsisoft), Gen:Variant.Bulz.163525 (GData), Gen:Variant.Bulz.163525 (MicroWorld-eScan), Trojan:Win32/TrickBot.VSF!MTB (Microsoft), Trojan.TrickBot!8.E313 (TFE:5:6iToUtBEDBC) (Rising)\r\nThis finally drops:\r\nMD5: 7e8eddaef14aa8de2369d1ca6347b06d\r\nSHA1: 4543e6da0515bb7d93e930c9f30e40912d495373\r\nSHA256: f29253139dab900b763ef436931213387dc92e860b9d3abb7dcd46040ac28a0e\r\nSize: 89 KB (91136 Bytes)\r\nCompile Timestamp: 2021-01-18 14:29:29 UTC\r\nLinks: MalwareBazaar, Malpedia, Dropped_by_sha256, Cape, VirusTotal\r\nFilenames: none\r\nDetections: MalwareBazaar: None, Virustotal: 19/76 as of 2021-01-23 15:04:35 - Gen:Variant.Bulz.163525 (ALYac), Gen:Variant.Bulz.163525 (Ad-Aware), Trojan.Win32.Bulz.4!c (AegisLab), Trojan.Bulz.D27EC5 (Arcabit), Gen:Variant.Bulz.163525 (BitDefender), Gen:Variant.Bulz.163525 (B) (Emsisoft), Gen:Variant.Bulz.163525 (FireEye), Gen:Variant.Bulz.163525 (GData), Gen:Variant.Bulz.163525 (MicroWorld-eScan)\r\nDifference from the Last Version\r\nThe current version is just a slight modification of the version from December. Like the previous version of the algorithm, this version calculates all ordered pairs of 19 consonants and 6 vowels (including y). These pairs are then permuted based on a fixed value. This value is the same, so the resulting list of 228 pairs is also the same.\r\nThe calculation of the first four letters is the same – that is, the selection of the first two pairs of letters: the permuted list of letter pairs is divided into groups of 19 pairs. Then the two digits of the current month determine which group is selected. From these, one pair at a time is randomly – and unpredictably – selected.\r\nThe last four letters (two pairs) are still determined by the two year digits. However, the division of letter pairs into groups is different. Based on the current decade, two letters are chosen from a group of 22 pairs. The groups of 22 pairs partly overlap, so that theoretically after every 10 years identical domains could be generated again. This is in contrast to the version from December, where the decade still determined a non-overlapping group of 6 pairs only. The last two letters are picked from groups of 4 — instead of 6 — letter pairs.\r\nThe DGA still generates 10'000 domains. But because there are 88 potential monthly combinations for the last four letters instead of just 36 previously, the expected number of unique domains is larger:\r\nE = 31768 \\left(1 - \\left(\\frac{31768 - 1}{31768}\\right)^{10000}\\right) \\approx 8579\r\nSince domain names partially repeat after each decade, domains can no longer be uniquely assigned to a seed. But since I strongly doubt that the domain generation algorithm will still have any relevance in a few months, let alone 10 years, the domain-to-seed tool assumes domains are from the 20s.\r\nIP Transformation\r\nThe A record of the domains is encrypted, just as in previous versions. Meaning, the four bytes of the IP are XORed with 0xFE. The IP is then used in URLs of the format https://{ip}:443. For example, if the domain omleekyw.bazar has an A record of 220.39.239.27, then the actual contacted URL is https://34.217.17.229:443.\r\nReimplementation in Python\r\nThis is the new version reimplemented in Python:\r\nfrom itertools import product\r\nfrom datetime import datetime\r\nimport argparse\r\nfrom collections import namedtuple\r\n\r\n# mul: group multiplier, mod: group size, idx: index into the MMYYYY seed string\r\nParam = namedtuple('Param', 'mul mod idx')\r\n\r\n# the permuted list of 228 letter pairs (456 characters)\r\npool = (\r\n    \"qeewcaacywemomedekwyuhidontoibeludsocuexvuuftyliaqydhuizuctuiqow\"\r\n    \"agypetehfubitiaziceblaogolryykosuptaymodisahfiybyxcoleafkudarapu\"\r\n    \"qoawyluxqagenanyoxcygyqugiutlyvegahepovyigqyqibaeqynyfkiobpeepby\"\r\n    \"xaciyvusocaripfyoftesaysozureginalifkazaadytwuubzuvoothymivazyyz\"\r\n    \"hoevmeburedeviihiravygkemywaerdonoyryqloammoseweesuvfopiriboikuz\"\r\n    \"orruzemuulimyhceukoqiwfexuefgoycwiokitnuneroxepyanbekyixxiuqsias\"\r\n    \"xoapaxmaohezwoildifaluzihipanizoecxyopguakdudyovhaumunuwsusyenko\"\r\n    \"atugabiv\"\r\n)\r\n\r\ndef dga(date):\r\n    # seed is the month and year as six digits, e.g. 012021 for January 2021\r\n    seed = date.strftime(\"%m%Y\")\r\n    params = [\r\n        Param(19, 19, 0),  # first month digit: group of 19 pairs\r\n        Param(19, 19, 1),  # second month digit: group of 19 pairs\r\n        Param(4, 22, 4),   # decade digit: overlapping group of 22 pairs\r\n        Param(4, 4, 5)     # last year digit: group of 4 pairs\r\n    ]\r\n    ranges = []\r\n    for p in params:\r\n        s = int(seed[p.idx])\r\n        lower = p.mul*s\r\n        upper = lower + p.mod\r\n        ranges.append(list(range(lower, upper)))\r\n    # every combination of one pair from each group gives one domain\r\n    for indices in product(*ranges):\r\n        domain = \"\"\r\n        for index in indices:\r\n            domain += pool[index*2:index*2 + 2]\r\n        domain += \".bazar\"\r\n        yield domain\r\n\r\nif __name__ == \"__main__\":\r\n    parser = argparse.ArgumentParser()\r\n    parser.add_argument(\r\n        \"-d\", \"--date\", help=\"date used for seeding, e.g., 2020-06-28\",\r\n        default=datetime.now().strftime('%Y-%m-%d'))\r\n    args = parser.parse_args()\r\n    d = datetime.strptime(args.date, \"%Y-%m-%d\")\r\n    for domain in dga(d):\r\n        print(domain)\r\nEdit 23 March, 2021: There is also a version with a different character pool, but otherwise the same algorithm (see my GitHub repo for the full code).\r\npool = (\r\n    \"yzewevmeywreomviekwyavygontowaerudsoyr\"\r\n    \"exvuamtyseweesuvizpituiqowuzoretzemuul\"\r\n    \"tiazicukoqiwolxuykosupwiymitisneroxeyx\"\r\n    \"anlekyixxirasiasxoapuxqaohezwooxdigyqu\"\r\n    \"ziutpavezohexyvyguqyqidyovynumunuwsusy\"\r\n    \"enxaatyvusivaripfyoftesaysozureginalif\"\r\n)\r\nCharacteristics\r\nExcept for the number of domains per month, the characteristics are the same as for the previous version:\r\ntype: TDD (time-dependent-deterministic)\r\ngeneration scheme: arithmetic\r\nseed: current date\r\ndomain change frequency: every month\r\nunique domains per month: 19·19·22·4 = 31'768\r\nsequence: random selection, might pick domains multiple times\r\nwait time between domains: 10 seconds\r\ntop level domain: .bazar\r\nsecond level characters: a-z, without j\r\nregex: [a-ik-z]{8}\\.bazar\r\nsecond level domain length: 8\r\nSource: https://johannesbader.ch/blog/yet-another-bazarloader-dga/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://johannesbader.ch/blog/yet-another-bazarloader-dga/"
	],
	"report_names": [
		"yet-another-bazarloader-dga"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439044,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b1a2597e97a70e0338b115cc3db02262fa999e9.pdf",
		"text": "https://archive.orkl.eu/8b1a2597e97a70e0338b115cc3db02262fa999e9.txt",
		"img": "https://archive.orkl.eu/8b1a2597e97a70e0338b115cc3db02262fa999e9.jpg"
	}
}