{
	"id": "23d24f69-5550-4bb6-958f-a57485814559",
	"created_at": "2026-04-06T00:07:06.946845Z",
	"updated_at": "2026-04-10T03:36:13.550873Z",
	"deleted_at": null,
	"sha1_hash": "e1553ab5448c1a4b0c70d709e7b0ba2579ec0bc7",
	"title": "Next Version of the Bazar Loader DGA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75973,
	"plain_text": "Next Version of the Bazar Loader DGA\r\nArchived: 2026-04-05 18:50:50 UTC\r\nLast week, a new version of the Bazar Loader Domain Generation Algorithm (DGA) appeared. I already analyzed two previous versions, so I’m keeping this post short.\r\nThe DGA still uses the eponymous .bazar top level domain, but the second level domains are shorter, with 8 characters instead of the 12 used by the previous versions:\r\nliybelac.bazar\r\nizryudew.bazar\r\nbiymudqe.bazar\r\nfuicibem.bazar\r\nbiykonem.bazar\r\naqtielew.bazar\r\nyptaonem.bazar\r\nexyxtoca.bazar\r\niqfisoew.bazar\r\naguponew.bazar\r\nexogelqe.bazar\r\nexybonyw.bazar\r\netymonac.bazar\r\nI analysed the following sample, which carries little obfuscation. Many other samples have additional anti-reverse-engineering measures such as junk code, but a quick comparison revealed no functional differences.\r\nMD5: c6502d4dd27a434167686bfa4d183e89\r\nSHA1: bddbceefe4185693ef9015d0a535eb7e034b9ec3\r\nSHA256: 35683ac5bbcc63eb33d552878d02ff44582161d1ea1ff969b14ea326083ea780\r\nSize: 336 KB (344576 Bytes)\r\nCompile Timestamp: 2020-12-10 13:05:18 UTC\r\nLinks: MalwareBazaar, Malpedia, Cape, VirusTotal\r\nFilenames: 1ld.3.v1.exe, 35683ac5bbcc63eb33d552878d02ff44582161d1ea1ff969b14ea326083ea780 (VirusTotal)\r\nDetections: VirusTotal 8/72 as of 2020-12-11 02:58:32 - Win64/Bazar.Y (ESET-NOD32), Backdoor.Win32.Bazdor.co (Kaspersky), Trojan.Win64.BAZALOADER.SMYAAJ-A (TrendMicro), Trojan.Win64.BAZALOADER.SMYAAJ-A (TrendMicro-HouseCall)\r\nUnpacking the sample leads to this:\r\nMD5: e44cfd6ecc1ea0015c28a75964d19799\r\nSHA1: cb294c79b5d48840382a06c4021bc2772fdbcf63\r\nSHA256: 52e72513fe2a38707aa63fbc52dabd7c7d2c5809ed7e27f384315375426f57bf\r\nSize: 96 KB (98816 Bytes)\r\nCompile Timestamp: 2020-12-09 10:16:56 UTC\r\nLinks: MalwareBazaar, Malpedia, Cape, VirusTotal\r\nFilenames: content.28641.20903.13470.9122.7127 (VirusTotal)\r\nDetections: VirusTotal 4/75 as of 2020-12-15 21:30:37\r\nReverse Engineering\r\nApart from the common dynamic loading of Windows API functions and encrypted strings, Bazar Loader relies on arithmetic substitution via identities to obfuscate the code. The following relationship is used particularly often:\r\na \\oplus b = (\\lnot a \\cdot b) + (a \\cdot \\lnot b)\r\nThe same obfuscation is also used by Zloader. It makes the code very hard to read. Here is a small snippet from the DGA:\r\nThe Hex-Rays decompiler also produces really messy code because the arithmetic identities are not simplified:\r\nThe DGA uses the current month and year as the seed. The seed is stored as a string, and four of its ASCII characters (the two month digits and the last two year digits) are the basis for picking four character pairs. These four pairs are joined to form the 8 second level characters.\r\nThe list of character pairs is generated by calculating the cartesian product of the consonants “bcdfghklmnpqrstvwxz” and the vowels (including y) “aeiouy”. The product is calculated both ways, leading to 19·6·2 = 228 character pairs. These pairs are then concatenated into a large string of 456 characters using a hardcoded sequence of random numbers:\r\nqeewcaacywemomedekwyuhidontoibeludsocuexvuuftyliaqydhuizuctuiqow\r\nagypetehfubitiaziceblaogolryykosuptaymodisahfiybyxcoleafkudarapu\r\nqoawyluxqagenanyoxcygyqugiutlyvegahepovyigqyqibaeqynyfkiobpeepby\r\nxaciyvusocaripfyoftesaysozureginalifkazaadytwuubzuvoothymivazyyz\r\nhoevmeburedeviihiravygkemywaerdonoyryqloammoseweesuvfopiriboikuz\r\norruzemuulimyhceukoqiwfexuefgoycwiokitnuneroxepyanbekyixxiuqsias\r\nxoapaxmaohezwoildifaluzihipanizoecxyopguakdudyovhaumunuwsusyenko\r\natugabiv\r\nThe string is then encrypted using a random XOR key of the same length.\r\nApart from the date-based seed, the DGA also uses a standard linear congruential generator (LCG) to pick the four character pairs. The LCG is seeded with the current processor tick count and is therefore unpredictable. For the first two character pairs, the random number is taken mod 19, and for the remaining two pairs mod 6. These numbers correspond to the lengths of the consonant and vowel arrays, but make no sense in this context. Because the random numbers are unpredictable, any combination of the 19·19·6·6 = 12996 character pairs could be picked.\r\nBazar Loader generates 10'000 domains per run, but does not guarantee they are unique. On average, 6975 unique domains are expected:\r\nE = 12996\\left(1 - \\left(\\frac{12996 - 1}{12996}\\right)^{10000}\\right) = 6975\r\nEven with the short waiting time between resolving domains, the malware will need to run a long time to get through the list of domains.\r\nReimplementation in Python\r\nThe following Python code shows how the domains are generated:\r\nfrom itertools import product\r\nfrom datetime import datetime\r\nimport argparse\r\nfrom collections import namedtuple\r\n\r\n# mul/mod: scale and window size applied to one seed digit; idx: position of that digit in the seed string \"%m%Y\"\r\nParam = namedtuple('Param', 'mul mod idx')\r\n\r\n# 456-character pool of consonant/vowel pairs (the decrypted string from the sample)\r\npool = (\r\n    \"qeewcaacywemomedekwyuhidontoibeludsocuexvuuftyliaqydhuizuctuiqow\"\r\n    \"agypetehfubitiaziceblaogolryykosuptaymodisahfiybyxcoleafkudarapu\"\r\n    \"qoawyluxqagenanyoxcygyqugiutlyvegahepovyigqyqibaeqynyfkiobpeepby\"\r\n    \"xaciyvusocaripfyoftesaysozureginalifkazaadytwuubzuvoothymivazyyz\"\r\n    \"hoevmeburedeviihiravygkemywaerdonoyryqloammoseweesuvfopiriboikuz\"\r\n    \"orruzemuulimyhceukoqiwfexuefgoycwiokitnuneroxepyanbekyixxiuqsias\"\r\n    \"xoapaxmaohezwoildifaluzihipanizoecxyopguakdudyovhaumunuwsusyenko\"\r\n    \"atugabiv\"\r\n)\r\n\r\ndef dga(date):\r\n    seed = date.strftime(\"%m%Y\")\r\n    params = [\r\n        Param(19, 19, 0),\r\n        Param(19, 19, 1),\r\n        Param(6, 6, 4),\r\n        Param(6, 6, 5)\r\n    ]\r\n    # each seed digit selects a window of 19 (or 6) consecutive pair indices into the pool\r\n    ranges = []\r\n    for p in params:\r\n        s = int(seed[p.idx])\r\n        lower = p.mul*s\r\n        upper = lower + p.mod\r\n        ranges.append(list(range(lower, upper)))\r\n    # enumerate every combination of the four windows: 19*19*6*6 = 12996 domains per month\r\n    for indices in product(*ranges):\r\n        domain = \"\"\r\n        for index in indices:\r\n            domain += pool[index*2:index*2 + 2]\r\n        domain += \".bazar\"\r\n        yield domain\r\n\r\nif __name__ == \"__main__\":\r\n    parser = argparse.ArgumentParser()\r\n    parser.add_argument(\r\n        \"-d\", \"--date\", help=\"date used for seeding, e.g., 2020-06-28\",\r\n        default=datetime.now().strftime('%Y-%m-%d'))\r\n    args = parser.parse_args()\r\n    d = datetime.strptime(args.date, \"%Y-%m-%d\")\r\n    for domain in dga(d):\r\n        print(domain)\r\nHere are all the domains for December 2020, January 2021, February 2021, and March 2021.\r\nCharacteristics\r\nThe following table summarizes the properties of the new Bazar Loader DGA.\r\ntype: TDD (time-dependent-deterministic)\r\ngeneration scheme: arithmetic\r\nseed: current date\r\ndomain change frequency: every month\r\nunique domains per month: 12996\r\nsequence: random selection, might pick domains multiple times\r\nwait time between domains: 10 seconds\r\ntop level domain: .bazar\r\nsecond level characters: a-z, without j\r\nregex: [a-ik-z]{8}\\.bazar\r\nsecond level domain length: 8\r\nSource: https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/"
	],
	"report_names": [
		"next-version-of-the-bazarloader-dga"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006",
				"Daserf",
				"Stalker Panda",
				"Swirl Typhoon",
				"Tick"
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434026,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1553ab5448c1a4b0c70d709e7b0ba2579ec0bc7.pdf",
		"text": "https://archive.orkl.eu/e1553ab5448c1a4b0c70d709e7b0ba2579ec0bc7.txt",
		"img": "https://archive.orkl.eu/e1553ab5448c1a4b0c70d709e7b0ba2579ec0bc7.jpg"
	}
}