{
	"id": "fc7346d3-f95d-4475-84b6-2c13255ae877",
	"created_at": "2026-04-06T00:16:00.696364Z",
	"updated_at": "2026-04-10T03:22:00.816734Z",
	"deleted_at": null,
	"sha1_hash": "941b0e55f1477ae9835b57a62d9ccdc3f459a87f",
	"title": "BuerLoader Updates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1276263,
	"plain_text": "BuerLoader Updates\r\nBy Jason Reaves\r\nPublished: 2021-05-05 · Archived: 2026-04-05 14:37:04 UTC\r\nBy: Joshua Platt and Jason Reaves\r\nExecutive Summary\r\nBuer’s tasking includes a domain profiler that appears to share code with the version of Buer being leveraged by the TrickBot crew.\r\nBuer’s new functionality around loading shellcode[4] as a task allows for broader functionality against targets without the need to download a separate CobaltStrike stager.\r\nBuer’s new panel also includes functionality to help set up distribution for spamming operations and to create pre-loader objects.\r\nOne of the crews involved in TrickBot has been utilizing the Buer[1] loader for some time now[2,5] to deliver CobaltStrike[3], ultimately leading to ransomware.\r\nhttps://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96\r\nPage 1 of 7\n\nThe version of Buer being leveraged for these campaigns has had further updates made to it that appear to be designed entirely around an enterprise focus. One such piece that hasn’t been discussed very publicly is that Buer also has a component that is frequently delivered in memory as a task and communicates with the same C2 as Buer, but over a different port.\r\nDomainInfo\r\nEnter Buer’s ‘DomainInfo’ component, which is designed to profile some information about the infected system and the network it is joined to.\r\nThe data gathered is constructed into a JSON blob listing ‘Id’, ‘Domains’, ‘Group’ and ‘Server’.\r\nBelow is the table explaining what data is harvested:\r\nAfter all the data has been collected it is simply posted off to the C2; in doing so a hardcoded User-Agent is passed in.\r\nThe User-Agent ends up looking pretty weird, but as it turns out the Buer sample that delivered this file used the same User-Agent.\r\nTraffic example:\r\nPOST: /api/v1/modules/domains/dns\r\nUser-Agent: Rt\\x7fnqqf4:35%-Fuuqj2nUmtsj\u003cH74675739;;@%Z@%HUZ%qnpj%Rfh%TX%]@%js.%Fuuqj\\\\jgPny49750%-PM\r\n{\r\n \"Id\": \"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\r\n \"Domains\": {\r\n \"DomainsError\": \"\",\r\n \"DomainsNetBios\": [\"\"],\r\n \"DomainsDns\": [\"\"]\r\n },\r\n \"Group\": {\r\n \"JoinStatus\": \"NetSetupWorkgroupName\",\r\n \"GroupType\": \"WORKGROUP\"\r\n },\r\n \"Server\": {\r\n \"PCNames\": [\"\"]\r\n }\r\n}\r\nShellCode\r\nShellcode as a task in Buer has existed for a while, but its addition to a bot being leveraged primarily for distributing CobaltStrike makes complete sense, as it removes the separate stager as a middle man and allows Buer to load stager shellcode, or even a reflectively loaded beacon, directly.\r\nSpammer Workplace\r\nBuer now also includes the ability to help with spamming through the creation of document-based loaders and various delivery chains from the panel:\r\nInside the spammer workshop, binaries can also be leveraged, such as the recently mentioned Rust-based loader version from ProofPoint[6]. Buer loader has been one of the most actively developed and updated loaders that we have tracked in 2021.\r\nIOCs\r\nC2s:\r\nitmanagersupporter[.]click\r\nhxxps://officewestunionbank[.]com/api/v1/modules/domains/dns\r\nhxxps://tokacpebanking[.]com/api/v1/modules/domain/dns\r\nhxxps://webgraitupeople[.]com/api/v1/modules/domain/dns\r\nDomainInfo hashes:\r\n38a41e8128ae3955d541c8a00a93de1cd10a01c58368c8254a35659f8627ba30\r\nRelated OSINT campaigns:\r\nhttps://pastebin.com/U2kNQ3kd\r\nReferences\r\n1: https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace\r\n2: https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/\r\n3: https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718\r\n4: https://twitter.com/vk_intel/status/1262618254251614215?lang=en\r\n5: https://twitter.com/VK_Intel/status/1359689043735416835?s=20\r\n6: https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust\r\nSource: https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96"
	],
	"report_names": [
		"buerloader-updates-3e34c1949b96"
	],
	"threat_actors": [],
	"ts_created_at": 1775434560,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/941b0e55f1477ae9835b57a62d9ccdc3f459a87f.pdf",
		"text": "https://archive.orkl.eu/941b0e55f1477ae9835b57a62d9ccdc3f459a87f.txt",
		"img": "https://archive.orkl.eu/941b0e55f1477ae9835b57a62d9ccdc3f459a87f.jpg"
	}
}