{
	"id": "b7703d44-6198-475a-90f8-ee5416533cbc",
	"created_at": "2026-04-06T01:30:42.714089Z",
	"updated_at": "2026-04-10T03:23:51.824085Z",
	"deleted_at": null,
	"sha1_hash": "9cffa87d90580ffa1372d302b548fcafe914ece2",
	"title": "Nimar Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 802602,
	"plain_text": "Nimar Loader\r\nBy Joshua Platt\r\nPublished: 2021-03-01 · Archived: 2026-04-06 00:59:03 UTC\r\nBaza (BazarLoader \u0026 BazarBackdoor) has been attributed to the organized cybercrime group behind Trickbot by multiple security vendors over the past year. Initially appearing around April 2020, the malware was spread in email campaigns utilizing infrastructure previously used to distribute Trickbot. [1] The term BazarLoader was coined because of its reliance on Blockchain-DNS and the associated bazar domains used to communicate with the controllers. Since then, the terms Baza and BazarLoader have been used interchangeably to reference this particular malware family.\r\nAfter the initial appearance of Baza, multiple reports attributing various code to the malware family appeared. [2][3] It became increasingly obvious that development was ongoing and that multiple projects were under construction. The downside of such a public following is that activity tends to be accepted as belonging to a family on the basis of previously observed TTPs. Shared TTPs such as loading PowerShell stagers into red team utilities, combined with similar campaign structures and C2 traffic patterns, can quickly lead to incorrect attribution of malware families and actors.\r\nOn Feb 3, we detected campaigns that had previously been attributed to Baza, but the malware used different request headers. Several others noticed oddities as well. [4][5] Further analysis indicated something completely different and new: Nimar Loader did not share the same codebase as the Baza family.\r\nNimarLoader, or Nimrod, recently mistaken for BazarLoader, is written in Nim. The malware was obfuscated but did not contain the typical hardening seen in large-scale campaigns. Since it was newly developed, crypting the sample was unnecessary, but its absence is still curious and makes analysis less difficult. 
The strings give clear hints about the capability.\r\nverb in @[\"GET\", \"POST\"]\r\n@https\r\n@fKHMP]\r\n@SPMVDSD\r\njob_type\r\njob_args\r\njob_results\r\n@heartbeat set\r\n@HEARTBEAT set Failed\r\n@HEARTBEAT set\r\n@Shellcode Done\r\n@heartbeat\r\n@shellcode\r\n@handshake\r\n@No update data recieved\r\nagentId\r\npathAdj\r\npathNoun\r\nseqNum\r\nseqTotal\r\njobIdHeader\r\nuserAgent\r\nserverPubKeyEncoded\r\njitterParamStr\r\nsessionKey\r\nsessionDie\r\nhttps://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e\r\nPage 1 of 8\r\nThe command table supports handshake, heartbeat, shellcode, and powershell or cmd commands, as evidenced by the strings seen during execution.\r\nImage1: handshake\r\nImage2: heartbeat\r\nImage3: powershell or cmd\r\nImage4: shellcode\r\nImage5: unknown command\r\nWhile some of the strings are visible in plaintext, the sample also contains a string encoding and decoding routine.\r\nImage6: Decoding routine\r\nThe decoding loop XORs each byte of the encoded string with every byte of the key in turn and then increments the key by one. Because XOR is associative and its own inverse, XORing with every key byte in turn is the same as XORing with a single byte, so the routine reduces to a rolling single-byte XOR in which the effective key advances by one per byte (byte i is XORed with the starting key plus i). The same loop therefore serves for both encoding and decoding.\r\nImage7: Decoding Loop\r\nAfter running the routine, the following strings are decrypted:\r\nImage: Decrypted strings\r\nAs referenced earlier, the sample functions somewhat like a loader, with the ability to process shellcode and execute tasks or jobs via cmd or powershell. Similar to the majority of Baza campaigns, the tasks that were executed came in the form of Cobalt Strike stagers. 
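The rolling XOR described above, as an added example in Python that is not code from the original post or from the loader itself: a decoder for a single-byte key that advances by one per byte, a helper that folds a multi-byte key down to the single effective byte the text describes, and a brute force over all 256 starting keys for when the initial key is unknown. The starting key 0x5A, the command name used as plaintext and the known-command list are constructed for illustration and are not values recovered from the sample; the fold-to-one-byte model is the reduction the text gives, taken here as an assumption.

```python
# Added example: rolling single-byte XOR decoder and key brute force.
# Illustrative code, not the loader's own routine; all values are constructed.
from functools import reduce


def fold_key(key: bytes) -> int:
    # XORing a byte with every key byte in turn equals XORing it once with the
    # XOR of all key bytes (assumption: this is the reduction the text describes).
    return reduce(lambda acc, b: acc ^ b, key, 0)


def rolling_xor(data: bytes, key: int) -> bytes:
    # Byte i is XORed with (key + i) mod 256: the key advances by one per byte.
    # XOR is its own inverse, so the same function both encodes and decodes.
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(data))


def is_printable(buf: bytes) -> bool:
    # Accept printable ASCII plus tab, LF and CR; reject empty input and anything else.
    return len(buf) > 0 and all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in buf)


def brute_force(data: bytes) -> list:
    # Try every possible starting key and keep the ones yielding printable text.
    # Returns (key, decoded_text) pairs in ascending key order; short inputs
    # will produce several printable false positives, so filter further.
    hits = []
    for key in range(256):
        plain = rolling_xor(data, key)
        if is_printable(plain):
            hits.append((key, plain.decode('ascii')))
    return hits


def best_guess(data: bytes, known: tuple = ('handshake', 'heartbeat', 'shellcode')) -> int:
    # Prefer a key whose output is one of the command names seen in the string
    # table (hypothetical filter list); return -1 when no candidate matches.
    for key, text in brute_force(data):
        if text in known:
            return key
    return -1


# Constructed test vector: a command name from the string table encoded with a
# hypothetical starting key of 0x5A. Neither value is taken from the real sample.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b'handshake'
SAMPLE_ENCODED = rolling_xor(SAMPLE_PLAIN, SAMPLE_KEY)


if __name__ == '__main__':
    print('encoded:', SAMPLE_ENCODED.hex())
    print('candidates:', brute_force(SAMPLE_ENCODED))
    print('best key:', hex(best_guess(SAMPLE_ENCODED)))
```

When applied to a real binary the same brute force is run per candidate blob, and the printable filter alone is not enough on short strings; anchoring on the command names visible in the string table (handshake, heartbeat, shellcode) is what makes the key recovery reliable.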
The benefit of this “fileless” mechanism is that nothing touches disk.\r\nUpon execution, the stager calls out to topservicebin[.]com. During the campaign, the domain resolved to the IP 45.141.87[.]41, which presented the following SSL certificate.\r\nImage8: SSL Cert\r\nThe following are all Cobalt Strike servers with matching or similar certs, sharing the same hosting provider.\r\nNearly identical infrastructure was positively associated by Mandiant last October with the deployment not only of BazarLoader but also of RYUK. [6]\r\nNimar Loader appears to be partially based on existing code, or perhaps the idea originated elsewhere. The actors behind TrickBot have in the past incorporated free utilities and software developed by the security and open-source communities for their own nefarious purposes (MiniLZO, BloodHound, CobaltStrike, PowerSploit, Obfuscator-LLVM, ADVobfuscator…). While the Nim language is not new to the offensive scene, it is quite a departure from the traditional tooling of Trickbot. [7]\r\nReferences:\r\n1. https://twitter.com/pancak3lullz/status/1252303608747565057\r\n2. https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/\r\n3. https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles\r\n4. https://twitter.com/James_inthe_box/status/1357009652857196546\r\n5. https://twitter.com/Casperinous/status/1357013722955399170\r\n6. https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html\r\n7. 
https://github.com/byt3bl33d3r/OffensiveNim\r\nSource: https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e"
	],
	"report_names": [
		"nimar-loader-4f61c090c49e"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439042,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9cffa87d90580ffa1372d302b548fcafe914ece2.pdf",
		"text": "https://archive.orkl.eu/9cffa87d90580ffa1372d302b548fcafe914ece2.txt",
		"img": "https://archive.orkl.eu/9cffa87d90580ffa1372d302b548fcafe914ece2.jpg"
	}
}