VERY IMPORTANT

In 2020, Proofpoint observed an increase in BazaLoader campaign volume peaking in October. During that time, Proofpoint observed specific campaigns correlated to public reports of affiliate campaigns delivering BazarLoader and associated with Ryuk ransomware infections. Notably, in January 2021, Proofpoint researchers observed a few of BazarLoader campaigns leveraging Valentine's Day themes such as flowers and lingerie. The attack chains required an unusual amount of human interaction before a payload was delivered. While Proofpoint tracks a fair amount of BazarLoader delivered by TA800 and TA572, these campaigns are not associated with either TA800 or TA572 and are likely leveraged by other affiliates.