{
	"id": "be27ccac-9cd3-4731-9beb-49f969b5fd2c",
	"created_at": "2026-04-06T00:19:50.977524Z",
	"updated_at": "2026-04-10T13:11:54.680977Z",
	"deleted_at": null,
	"sha1_hash": "d8c9c7ce0f2630053efe21d8aea572c7e2fb0078",
	"title": "BazarLoader Adds Compromised Installers, ISO to Arrival and Delivery Vectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 367003,
	"plain_text": "BazarLoader Adds Compromised Installers, ISO to Arrival and Delivery Vectors\r\nBy: Ian Kenefick Nov 23, 2021 Read time: 4 min (1078 words)\r\nPublished: 2021-11-23 · Archived: 2026-04-05 14:33:17 UTC\r\nWe continue monitoring the campaigns using the information stealer BazarLoader (detected by Trend Micro as TrojanSpy.Win64.BAZARLOADER and Backdoor.Win64.BAZARLOADER). While InfoSec forums have noted the spike in detections during the third quarter, we noticed two new arrival mechanisms added to the existing roster of delivery techniques that malicious actors abuse for data theft and ransomware.\r\nOne of the methods involves the use of compromised software installers, as malicious actors bundle BazarLoader with legitimate programs. The second method involves the use of an ISO file with a Windows link (LNK) and dynamic link library (DLL) payload. We observed the Americas as the region with the highest counts of BazarLoader. For more technical analysis and insights into BazarLoader’s infection chains and campaigns, read our technical brief here.\r\nArrival via compromised installers\r\nDuring one of our monitoring routines, we found compromised versions of VLC and TeamViewer packages bundled with BazarLoader. While the initial delivery mechanism has yet to be identified, it’s possible that the use of these packages is part of a wider social engineering technique to deceive users into downloading and running the compromised installers.\r\nFigure 1. Compromised installers bundled with BazarLoader\r\nAs the installer loads, it drops and executes a BazarLoader executable. This is also one of the notable differences from recent BazarLoader arrival mechanisms, wherein the malicious actors appeared to favor dynamic link libraries (DLL).\r\nFigure 2. As the VLC installer executes, the bundle drops and executes ste.exe, a BazarLoader executable\r\nhttps://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\r\nPage 1 of 6\r\nUsing Trend Micro Vision One, we tracked the installer creating a process, “vlc-3.0.16-win3..2.tmp,” after executing ste.exe, which copies the latter executable to the disk and executes it. It then connects with the command and control (C\u0026C) server and injects a copy of itself into a new suspended MS Edge process.\r\nFigure 3. Tracking the BazarLoader executable’s process\r\nFigure 4. The ste.exe executable connects to the C\u0026C server via MS Edge\r\nArrival via ISO file\r\nMeanwhile, we also found a delivery mechanism abusing ISO files, wherein the DLL and LNK files contained inside are used to execute the BazarLoader DLL. The LNK file uses a folder icon to deceive the user into double-clicking it, which runs the enclosed BazarLoader DLL file.\r\nFigure 5. LNK using a folder icon to trick users into double-clicking the BazarLoader DLL\r\nIt then calls the export function “EnterDLL,” a function that BazarLoader has used recently. Rundll32.exe loads the malicious DLL and communicates with the C\u0026C server, then proceeds to spawn a suspended MS Edge process to inject itself into.\r\nFigure 6. Observing EnterDll, an export function previously used by BazarLoader actors\r\nFigure 7. Tracking BazarLoader opening MS Edge and injecting itself into it\r\nConclusion\r\nThe number of arrival mechanism variations used in BazarLoader campaigns continues to increase as threat actors diversify their attack patterns to evade detection. However, both techniques are noteworthy and still work despite their lack of novelty, because of the limitations of single detection technologies. For instance, while the use of compromised installers has been observed with other malware, the large file size can still challenge detection solutions — such as sandboxes — which may implement file size limits. On the other hand, LNK files serving as shortcuts are also likely to be obfuscated, given the additional layers created between the shortcut and the malicious file itself.\r\nIn addition, the deployment of BazarLoader malware for initial access is a known technique of affiliates of modern ransomware-as-a-service operations such as Conti and Ryuk. Aside from these known ransomware families adding more tools for entry to their arsenal, other malware groups and ransomware operators may pick up on the additional means, if they have not already done so.\r\nBest practices\r\nBazarLoader is an example of a versatile malware delivery mechanism that will likely find more ways to adapt to deceive more users. For details on all the other measures that BazarLoader uses to get into systems, read our technical brief here.\r\nHere are some best practices to defend against this threat:\r\nEnable security solutions that allow for visibility in tracking the processes of files, allowing security teams to detect malicious outgoing and incoming network communication and traffic.\r\nDownload installers and updates only from their respective official websites and platforms.\r\nTrend Micro solutions\r\nBazarLoader will continue to evolve as an information stealer malware on its own, as initial access malware-as-a-service (MaaS) for other malware operators, and as an enabler of secondary payload delivery for even more disruptive attacks like modern ransomware. Security teams must make monitoring and tracking for known threats more visible based on known data and use multilayered solutions capable of pattern recognition and behavior monitoring for unknown threats.\r\nTrend Micro Vision One™ helps detect and block suspicious activity, even activity that might seem insignificant when monitored from only a single layer, through multilayered protection and behavior detection. It helps spot and block BazarLoader and its other components wherever they might be on the system. Trend Micro Apex One™ employs behavior analysis to protect systems against malicious scripts, injection, ransomware, and memory and browser attacks related to fileless threats, from initial access through execution and C\u0026C communication. Trend Micro Worry-Free™ Business Security can protect users and businesses from BazarLoader by detecting malicious files and spammed messages, JavaScript droppers, and DLL loaders, as well as URLs associated with the threat.\r\nTrend Micro Email Security delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to ransomware attacks through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, such as tool ingress, exploits, C\u0026C activities, and lateral movement. Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security perform custom sandboxing and advanced analysis techniques to prevent malware from ever reaching end users, especially potentially vulnerable users working remotely. These effectively deter potential ransomware attacks that are delivered through malicious emails.\r\nCloud-specific security solutions such as Trend Micro™ Hybrid Cloud Security can help protect cloud-native systems and their various layers. Trend Micro Cloud One™ protects cloud-native systems by securing continuous-integration and continuous-delivery (CI/CD) pipelines and applications. It also helps identify and resolve security issues sooner and improves delivery time for DevOps teams.\r\nIndicators of Compromise (IOCs)\r\nVisit this page to view the full list of IOCs.\r\nSource: https://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html"
	],
	"report_names": [
		"bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434790,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8c9c7ce0f2630053efe21d8aea572c7e2fb0078.pdf",
		"text": "https://archive.orkl.eu/d8c9c7ce0f2630053efe21d8aea572c7e2fb0078.txt",
		"img": "https://archive.orkl.eu/d8c9c7ce0f2630053efe21d8aea572c7e2fb0078.jpg"
	}
}