S0534: Bazar
Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[1]
Analyst context for executives and security teams
Bazar matters because ATT&CK describes it as a Windows downloader and backdoor associated with intrusions that can lead to additional malware deployment, sensitive data theft, and ransomware. For leaders, the key decision value is not simply “do we block Bazar,” but whether the organization can detect and contain a Windows foothold that performs discovery, persistence, command-and-control fallback, obfuscation, process injection, and follow-on payload delivery before it becomes a broader ransomware or data-loss event.
Executive priority
Prioritize Bazar as a resilience and incident-readiness scenario for Windows environments, especially where ransomware would materially affect operations. ATT&CK links Bazar to a ransomware intrusion campaign using Bazar, Cobalt Strike, and Conti, and to financially motivated groups including Wizard Spider and EXOTIC LILY. Executives should ask whether the SOC can rapidly confirm endpoint scope, identify scheduled-task or WMI-based persistence/execution, validate command-and-control activity including fallback channels, and preserve evidence for incident response, insurance, and compliance needs.
Technical view
SOC and IR teams should validate coverage against the ATT&CK techniques associated with this malware rather than relying on a named-malware alert. Relevant behaviors include Windows registry queries, network and remote-system discovery, user and process discovery, PowerShell and Windows command shell execution, WMI execution, scheduled tasks, masqueraded tasks/services and filenames, double file extensions, file deletion, process injection variants, software packing, dynamic API resolution, encrypted or encoded files, and fallback command-and-control channels. Because official detection text is not provided, teams should test whether host, process, registry, task scheduler, WMI, script, file, and network telemetry can reconstruct the intrusion timeline.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell execution logs and script block/module logging where available
- Windows command shell activity
- WMI operational logs and remote/local WMI execution evidence
- Scheduled task creation, modification, and execution events
Detection direction
- Build behavior-based detections around the related techniques, not only Bazar-specific signatures, because ATT&CK notes obfuscation behaviors such as packing, dynamic API resolution, and encrypted or encoded files.
- Tune for suspicious combinations: discovery commands followed by WMI, PowerShell or cmd execution; scheduled task creation with masqueraded names; process injection indicators; and outbound network activity with fallback patterns.
- Review false positives carefully for administrative tooling, since WMI, PowerShell, cmd, registry queries, and scheduled tasks are common in legitimate IT operations.
- Validate whether telemetry survives file deletion and whether IR teams can recover enough process, file, and network history after cleanup activity.
- Use the relationship context as a scenario: Bazar may be part of intrusions involving additional malware and ransomware, so alerts should trigger rapid scoping for lateral discovery, payload staging, and data-access indicators.
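The combinations listed above can be expressed as a small triage pass over process-creation telemetry. The following is an added example, not code from the ATT&CK page or from Glexia: it runs three of the page's behaviours (double-extension executables such as PreviewReport.DOC.exe, masqueraded schtasks persistence, and discovery followed by cmd/PowerShell/WMI/schtasks execution under the same parent) over constructed Sysmon-style events. The event fields, the vendor-word and user-writable-path heuristics, and the five-minute window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

def ev(ts, pid, ppid, image, cmd):
    return {"ts": datetime.fromisoformat(ts), "pid": pid, "ppid": ppid, "image": image, "cmd": cmd}

# Constructed Sysmon-style process-creation events, not real telemetry. Parent 4100 models the
# page's PreviewReport.DOC.exe loader; parent 900 is a benign admin session the rules must not flag.
EVENTS = [
    ev("2020-07-16T10:00:00", 4100, 3200, r"C:\Users\alice\Downloads\PreviewReport.DOC.exe", "PreviewReport.DOC.exe"),
    ev("2020-07-16T10:00:05", 4120, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c nltest /domain_trusts"),
    ev("2020-07-16T10:00:07", 4130, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c net view /domain"),
    ev("2020-07-16T10:00:12", 4140, 4100, r"C:\Windows\System32\schtasks.exe",
       r'schtasks /create /tn "Adobe Update" /tr C:\Users\alice\AppData\Local\Temp\upd.exe /sc onlogon'),
    ev("2020-07-16T11:30:00", 5100, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami /all"),
    ev("2020-07-16T13:45:00", 5200, 900, r"C:\Windows\System32\schtasks.exe",
       r'schtasks /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\run.exe" /sc daily'),
]
DOUBLE_EXT = re.compile(r"\.(doc|docx|xls|xlsx|pdf|txt)\.exe$", re.I)  # T1036.007
DISCOVERY = re.compile(r"\b(net (view|group|user|localgroup)|nltest|whoami|ipconfig|systeminfo)\b", re.I)
EXEC_TOOLS = {"cmd.exe", "powershell.exe", "wmic.exe", "schtasks.exe"}
VENDOR_WORDS = ("adobe", "microsoft", "google", "update")  # task names picked to look benign (T1036.004)
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Users|ProgramData)\\", re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^"/]+)', re.I)
TASK_ACTION = re.compile(r'/tr\s+"?(.+?)"?(?=\s+/|$)', re.I)

def masqueraded_task(e):
    # schtasks /create whose name borrows a vendor word and whose action lives in a user-writable path
    cmd = e["cmd"]
    if not e["image"].lower().endswith("schtasks.exe") or "/create" not in cmd.lower():
        return False
    name, action = TASK_NAME.search(cmd), TASK_ACTION.search(cmd)
    return bool(name and action and any(w in name.group(1).lower() for w in VENDOR_WORDS)
                and USER_WRITABLE.search(action.group(1)))

def discovery_then_execution(events, window=timedelta(minutes=5)):
    # Same parent: a discovery command, then cmd/PowerShell/WMI/schtasks execution within the window
    by_parent = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        by_parent.setdefault(e["ppid"], []).append(e)
    hits = []
    for ppid, evs in by_parent.items():
        disc = [x["ts"] for x in evs if DISCOVERY.search(x["cmd"])]
        for e in evs:
            tool = e["image"].lower().rsplit("\\", 1)[-1]
            if tool in EXEC_TOOLS and not DISCOVERY.search(e["cmd"]) \
                    and any(timedelta(0) < e["ts"] - d <= window for d in disc):
                hits.append((ppid, e["pid"]))
    return hits

def triage(events):
    out = [(e["pid"], "T1036.007 double file extension") for e in events if DOUBLE_EXT.search(e["image"])]
    out += [(e["pid"], "T1053.005/T1036.004 masqueraded scheduled task") for e in events if masqueraded_task(e)]
    out += [(pid, f"discovery-then-execution chain under parent {ppid}") for ppid, pid in discovery_then_execution(events)]
    return out
```

The benign admin session is not flagged because its scheduled task has no vendor-style name, its action lives under Program Files, and its discovery command is hours away from the task creation; an analyst would pivot from the flagged pids to the parent process to scope the host.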
Mitigation priorities
- Harden and monitor Windows administrative execution paths first: PowerShell, cmd, WMI, and scheduled tasks.
- Enforce least privilege and administrative access controls to reduce the value of discovery, persistence, and execution opportunities.
- Improve endpoint prevention and EDR visibility for process injection, suspicious child processes, masquerading, and obfuscated executables.
- Strengthen egress monitoring and network controls so command-and-control and fallback communications are visible and interruptible.
- Prepare ransomware-oriented IR playbooks that include rapid host isolation, evidence preservation, credential review, and checks for additional payloads or sensitive-data access.
Analyst notes and limits
ATT&CK identifies Bazar as a downloader and backdoor used since at least April 2020, primarily against professional services, healthcare, manufacturing, IT, logistics, and travel companies in the US and Europe. Relationship context connects it to campaign C0015 and groups Wizard Spider and EXOTIC LILY, and lists multiple techniques across execution, persistence, privilege escalation, defense evasion, discovery, collection, and command and control. Use those relationships to guide validation and tabletop exercises, but confirm applicability against the local Windows environment and business-critical systems.
The supplied object does not include official detection guidance, aliases, labels, or explicit tactics on the malware object itself. Some related techniques are multi-platform, but the Bazar object’s supported platform is Windows; defensive planning here should therefore be centered on Windows unless local intelligence supports broader scope. The relationship descriptions support ransomware and data-theft risk framing, but they do not prove current activity or exposure in any specific organization.
Bazar
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | Bazar can enumerate the victim's desktop. (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) |
| Enterprise | T1482 | Domain Trust Discovery | |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Bazar can use TLS in C2 communications. (Citation: Zscaler Bazar September 2020) |
| Enterprise | T1087.002 | Domain Account Sub-technique | Bazar has the ability to identify domain administrator accounts. (Citation: NCC Group Team9 June 2020)(Citation: DFIR Ryuk's Return October 2020) |
| Enterprise | T1018 | Remote System Discovery | Bazar can enumerate remote systems using |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs. (Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
| Enterprise | T1135 | Network Share Discovery | Bazar can enumerate shared drives on the domain. (Citation: NCC Group Team9 June 2020) |
| Enterprise | T1055 | Process Injection | Bazar can inject code through calling |
| Enterprise | T1197 | BITS Jobs | Bazar has been downloaded via Windows BITS functionality. (Citation: NCC Group Team9 June 2020) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Bazar can launch cmd.exe to perform reconnaissance commands. (Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Bazar can execute a PowerShell script received from C2. (Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Bazar has used XOR, RSA2, and RC4 encrypted files. (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Bazar can identify the installed antivirus engine. (Citation: Cybereason Bazar July 2020) |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Bazar can attempt to overload sandbox analysis by sending 1550 calls to |
| Enterprise | T1055.013 | Process Doppelgänging Sub-technique | Bazar can inject into a target process using process doppelgänging. (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) |
| Enterprise | T1070.009 | Clear Persistence Sub-technique | Bazar's loader can delete scheduled tasks created by a previous instance of the malware. (Citation: NCC Group Team9 June 2020) |
| Enterprise | T1005 | Data from Local System | Bazar can retrieve information from the infected machine. (Citation: Cybereason Bazar July 2020) |
| Enterprise | T1027.007 | Dynamic API Resolution Sub-technique | Bazar can hash then resolve API calls at runtime. (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) |
| Enterprise | T1614.001 | System Language Discovery Sub-technique | Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian. (Citation: NCC Group Team9 June 2020) |
| Enterprise | T1124 | System Time Discovery | Bazar can collect the time on the compromised host. (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) |
| Enterprise | T1057 | Process Discovery | Bazar can identify the current process on a compromised host. (Citation: Cybereason Bazar July 2020) |
| Enterprise | T1104 | Multi-Stage Channels | |
| Enterprise | T1012 | Query Registry | Bazar can query |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software. (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
| Enterprise | T1518 | Software Discovery | Bazar can query the Registry for installed applications. (Citation: Cybereason Bazar July 2020) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Bazar can send C2 communications with XOR encryption. (Citation: NCC Group Team9 June 2020) |
| Enterprise | T1547.004 | Winlogon Helper DLL Sub-technique | Bazar can use Winlogon Helper DLL to establish persistence. (Citation: Zscaler Bazar September 2020) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Bazar can create a task named to appear benign. (Citation: Cybereason Bazar July 2020) |
| Enterprise | T1016 | System Network Configuration Discovery | Bazar can collect the IP address and NetBIOS name of an infected machine. (Citation: Cybereason Bazar July 2020) |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | Bazar can use a timer to delay execution of core functionality. (Citation: NCC Group Team9 June 2020) |
| Enterprise | T1033 | System Owner/User Discovery | Bazar can identify the username of the infected user. (Citation: NCC Group Team9 June 2020) |
| Enterprise | T1553.002 | Code Signing Sub-technique | Bazar has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD. (Citation: Cybereason Bazar July 2020) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Bazar can delete its loader using a batch file in the Windows temporary folder. (Citation: NCC Group Team9 June 2020) |
| Enterprise | T1008 | Fallback Channels | Bazar has the ability to use an alternative C2 server if the primary server fails. (Citation: NCC Group Team9 June 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications. (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: DFIR Conti Bazar Nov 2021) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Bazar has been spread via emails with embedded malicious links. (Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike. (Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
| Enterprise | T1087.001 | Local Account Sub-technique | Bazar can identify administrator accounts on an infected host. (Citation: NCC Group Team9 June 2020) |
| Enterprise | T1685 | Disable or Modify Tools | Bazar has manually loaded ntdll from disk in order to identify and remove API hooks set by security products. (Citation: NCC Group Team9 June 2020) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Bazar can create a scheduled task for persistence. (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) |
| Enterprise | T1102 | Web Service | Bazar downloads have been hosted on Google Docs. (Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020) |
| Enterprise | T1036.007 | Double File Extension Sub-technique | The Bazar loader has used dual-extension executable files such as PreviewReport.DOC.exe. (Citation: Cybereason Bazar July 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1047 | Windows Management Instrumentation | Bazar can execute a WMI query to gather information about the installed antivirus engine. (Citation: Cybereason Bazar July 2020)(Citation: DFIR Ryuk's Return October 2020) |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | Bazar can inject into a target process including Svchost, Explorer, and cmd using process hollowing. (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) |
| Enterprise | T1106 | Native API | Bazar can use various APIs to allocate memory and facilitate code execution/injection. (Citation: Cybereason Bazar July 2020) |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | Bazar can establish persistence by writing shortcuts to the Windows Startup folder. (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Bazar can create or add files to Registry Run Keys to establish persistence. (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1027.002 | Software Packing Sub-technique | Bazar has a variant with a packed payload. (Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020) |
| Enterprise | T1568.002 | Domain Generation Algorithms Sub-technique | Bazar can implement DGA using the current date as a seed variable. (Citation: Cybereason Bazar July 2020) |
Groups, software, and campaigns
G1011: EXOTIC LILY
EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.[1]
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
C0015: C0015
C0015 was a ransomware intrusion during which the unidentified attackers used Bazar, Cobalt Strike, and Conti, along with other tools, over a 5 day period. Security researchers assessed the actors likely used the widely-circulated Conti ransomware playbook based on the observed pattern of activity and operator errors.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 08192cbbbc78… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cybereason Bazar July 2020: Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- [2] Bazaloader: (Citation: Microsoft Ransomware as a Service)
- [3] CrowdStrike Wizard Spider October 2020: Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
- [4] FireEye KEGTAP SINGLEMALT October 2020: Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
- [5] KEGTAP: (Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: CrowdStrike Wizard Spider October 2020)
- [6] Microsoft Ransomware as a Service: Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
- [7] NCC Group Team9 June 2020: Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- [8] Team9: (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)
- [9] mitre-attack S0534
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.