{
	"id": "d3a2d61a-bb34-43aa-8f1e-73029460deb9",
	"created_at": "2026-04-06T00:11:20.963741Z",
	"updated_at": "2026-04-10T03:36:11.094007Z",
	"deleted_at": null,
	"sha1_hash": "c8bb9777cca782124c9ca0a79190671b2472dc72",
	"title": "A Review and Analysis of 2021 Buer Loader Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 269321,
	"plain_text": "A Review and Analysis of 2021 Buer Loader Campaigns\r\nBy: Christopher Boyton Nov 05, 2021 Read time: 2 min (447 words)\r\nPublished: 2021-11-05 · Archived: 2026-04-05 16:07:51 UTC\r\nIn this blog entry and technical brief we review Buer Loader 2021 activity and campaigns. Buer Loader is known for entering the underground market at a pointedly competitive price in 2019. Now, it seems that Buer Loader has established itself well and remains actively used by threat actors.\r\nBuer Loader 2021 Lures\r\nPart of Buer Loader’s service is to set up a domain to facilitate C\u0026C. This helps researchers better monitor the campaigns involving Buer Loader, because multiple customers or threat actors end up using the same C\u0026C.\r\nHere we give an overview of the distinct aspects of the 2021 campaigns that used Buer Loader.\r\nA campaign in April used emails pretending to be shipping notices from DHL, containing the new Buer Loader written in Rust. The attachments were either Word or Excel documents.\r\nhttps://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html\r\nPage 1 of 4\n\nFigure 1. Example of a DHL-themed email\r\nThe email seen in Figure 2 uses a combination of a DHL lure and Covid-19. It is designed to entice users to open the malicious attachment. It also bears a request not to reply to the mail and the common message “if you did not request registration with us, please ignore this email,” which are likely additional attempts to reassure users of the content’s legitimacy.\r\nFigure 2. The DHL-themed lure with a reference to Covid-19\r\nLater campaigns shifted towards using Covid-19 entirely as a lure. Buer Loader was observed in spam runs which referenced vaccination uptake results, healthcare warnings, and current infection rates. Many of these spam runs do not make grammatical sense and should make most users suspicious, as seen in Figure 3.\r\nFigure 3. The Covid-19 themed lure\r\nRust variant and signed XLL\r\nAs mentioned earlier, these campaigns all use the version of Buer Loader rewritten in the Rust programming language. Aside from being rewritten in Rust, the loader’s code remained relatively unchanged, which could indicate that the rewrite is a ploy to render detections for its C version obsolete. Another interesting update is the use of signed XLL files, which can mislead those tasked with defending the system.\r\nWhile all these are noteworthy developments in Buer Loader, activity for this loader has been continuous since it was first released into the underground market. It has been used to deliver payloads like Ryuk, Wizard Spider, and Cobalt Strike beacon.\r\nOur primary goal is to identify key changes in infrastructure, distribution methods, and the TTPs being used by Buer Loader campaigns. In our technical brief we first review the notable events of the Buer Loader timeline, before delving into its current activities and detections.\r\nThe technical brief can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html"
	],
	"report_names": [
		"a-review-and-analysis-of-2021-buer-loader-campaigns.html"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434280,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8bb9777cca782124c9ca0a79190671b2472dc72.pdf",
		"text": "https://archive.orkl.eu/c8bb9777cca782124c9ca0a79190671b2472dc72.txt",
		"img": "https://archive.orkl.eu/c8bb9777cca782124c9ca0a79190671b2472dc72.jpg"
	}
}