BazarLoader and the Conti Leaks
released on 2021-10-04 @ 11:43:56 AM
In July, The DFIR Report observed an intrusion that began with a BazarLoader infection and lasted approximately three days. The threat actor's main priority was mapping the domain while looking for data worth exfiltrating. They preferred to operate interactively through GUI applications such as RDP and AnyDesk.
Historically, BazarLoader was used to deploy Ryuk, as The DFIR Report has documented on many occasions. In one of its latest reports it saw a BazarLoader infection lead to the deployment of Conti ransomware.
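Because the intrusion summarised above was driven through RDP and AnyDesk, the natural check for a defender is to hunt for those two in Windows event logs. The following is an added example, not code from The DFIR Report or from the original post: it classifies constructed Windows Security events, flagging RemoteInteractive (LogonType 10) logons in event 4624 and AnyDesk process launches in event 4688, and then groups RDP sessions by source address to surface one operator hopping between hosts. Field names follow the Windows Security log schema; the hosts, users, addresses, paths and timestamps are invented for the example, and the severity labels and the `min_hosts` threshold are assumptions to tune locally.

```python
"""Hunt for hands-on-keyboard access via RDP and AnyDesk in Windows Security events.

Added example; not code from The DFIR Report.  The events below are constructed
to resemble a JSON export of the Windows Security log (events 4624 and 4688).
"""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events.  Hosts, users, addresses and times are invented.
SAMPLE_EVENTS = [
    # Console logon (type 2): normal, should not be flagged.
    {"EventID": 4624, "TimeCreated": "2021-07-12T08:03:11Z", "Computer": "WS01",
     "TargetUserName": "alice", "LogonType": 2, "IpAddress": "-"},
    # RDP logon (type 10) to a domain controller late at night.
    {"EventID": 4624, "TimeCreated": "2021-07-12T23:41:05Z", "Computer": "DC01",
     "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.0.5.23"},
    # AnyDesk launched from a user-writable path: looks like a dropped binary.
    {"EventID": 4688, "TimeCreated": "2021-07-12T23:44:19Z", "Computer": "WS07",
     "NewProcessName": r"C:\Users\bob\AppData\Roaming\AnyDesk\AnyDesk.exe",
     "SubjectUserName": "bob"},
    # AnyDesk from the standard install path: still worth a look, lower confidence.
    {"EventID": 4688, "TimeCreated": "2021-07-13T00:02:50Z", "Computer": "WS07",
     "NewProcessName": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "SubjectUserName": "SYSTEM"},
    # Network logon (type 3): far too noisy to alert on by itself.
    {"EventID": 4624, "TimeCreated": "2021-07-13T00:05:00Z", "Computer": "FS01",
     "TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.0.5.23"},
    # Second RDP logon from the same source to a different host.
    {"EventID": 4624, "TimeCreated": "2021-07-13T00:09:31Z", "Computer": "FS01",
     "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.0.5.23"},
]

# Path fragments that indicate a location a normal user can write to (assumption).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")


def classify(event):
    """Return a finding dict for one event, or None if it is not of interest."""
    eid = event.get("EventID")
    if eid == 4624 and event.get("LogonType") == 10:
        # LogonType 10 = RemoteInteractive, i.e. an RDP / Terminal Services session.
        return {"rule": "rdp_logon", "severity": "medium", "host": event["Computer"],
                "user": event["TargetUserName"], "src": event.get("IpAddress"),
                "time": event["TimeCreated"]}
    if eid == 4688:
        path = event.get("NewProcessName", "")
        if PureWindowsPath(path).name.lower() == "anydesk.exe":
            # AnyDesk run from a user-writable directory is the drop-and-run pattern;
            # the standard install path may be legitimate IT tooling.
            dropped = any(marker in path.lower() for marker in USER_WRITABLE)
            return {"rule": "anydesk_exec", "severity": "high" if dropped else "low",
                    "host": event["Computer"], "user": event["SubjectUserName"],
                    "src": path, "time": event["TimeCreated"]}
    return None


def find_findings(events):
    """Run classify() over an iterable of events and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


def rdp_pivot_sources(findings, min_hosts=2):
    """Source addresses that opened RDP sessions to several distinct hosts:
    one operator hopping across the domain rather than one admin on one box."""
    hosts_by_src = defaultdict(set)
    for f in findings:
        if f["rule"] == "rdp_logon" and f["src"] not in (None, "-"):
            hosts_by_src[f["src"]].add(f["host"])
    return {src: sorted(h) for src, h in hosts_by_src.items() if len(h) >= min_hosts}


def scan_json_lines(lines):
    """Parse newline-delimited JSON events (a common SIEM export) and scan them."""
    return find_findings(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    found = find_findings(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['severity']:>6}] {f['time']} {f['rule']:<12} "
              f"host={f['host']} user={f['user']} src={f['src']}")
    print("RDP pivot sources:", rdp_pivot_sources(found))
```

Type-10 logons on their own are routine for administrators, so the signal here comes from the combination: a single source address reaching several hosts over RDP, and AnyDesk starting from a path where no installer would put it. In practice you would add an allow-list of jump hosts and sanctioned remote-support tools before turning either rule into an alert.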