
In-depth analysis of the new Team9 malware family

ID: ae0c13d5-237e-5e63-bad3-5c90df660d85

STIX ID: report--ae0c13d5-237e-5e63-bad3-5c90df660d85

Feed Name: Fox-IT blog

Threat Score
75/100

Date Published: 2020-06-02

Date Updated: 2026-04-27

...
...

This technical analysis from NCC Group's RIFT details the Team9 (Bazar) malware family, linked to the Trickbot group. It describes two loader variants and the backdoor: their persistence methods (Run key, scheduled tasks, Winlogon hijack, shortcut hijacks), anti-analysis techniques (delays, API-hook detection, ntdll opcode checks), payload delivery and process injection methods (process hollowing, Process Doppelgänging), and network C2 behaviour over HTTP/HTTPS using Emercoin blockchain .bazar domains and IP addresses. It also includes extensive IOCs (SHA-256 hashes, domains, C2 and DNS IP lists, mutex names and host indicators) to support detection and response.
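As an added example that is not part of the original report or this feed entry: a detection script run over constructed DNS query logs. It turns the C2 behaviour summarised above into two checks: any query for an Emercoin blockchain TLD (.bazar, plus the other EmerDNS zones, none of which an ICANN resolver can answer), and queries sent to a resolver the organisation does not run, matched against a stand-in for the report's DNS IP list. The log layout, the approved-resolver list and the "known bad" resolver (a TEST-NET address) are assumptions; substitute the report's published IOC lists before use.

```python
"""Flag DNS queries that look like Team9/Bazar C2 name resolution.

Team9 resolves its C2 through Emercoin's blockchain DNS (.bazar), which
ordinary ICANN resolvers cannot answer. Two signals fall out of that: a query
for an Emercoin TLD at all, and queries leaving for a resolver the
organisation does not run (the malware must reach an EmerDNS-aware server).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# EmerDNS zones; .bazar is the one the Team9 report describes.
BLOCKCHAIN_TLDS = frozenset({"bazar", "coin", "emc", "lib"})

# Resolvers the hypothetical organisation operates (constructed addresses).
APPROVED_RESOLVERS = frozenset({"10.0.0.53", "10.0.1.53"})

# Stand-in for the report's DNS server IP list: a TEST-NET address, not a
# real IOC. Replace with the published list before use.
KNOWN_BAD_RESOLVERS = frozenset({"203.0.113.10"})

# Constructed log layout: timestamp client resolver qtype qname
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<resolver>\S+)\s+"
    r"(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)


@dataclass
class Finding:
    ts: str
    client: str
    resolver: str
    qname: str
    severity: str  # "high" or "medium"
    reasons: List[str]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["client"])
        ipaddress.ip_address(rec["resolver"])
    except ValueError:
        return None
    # Normalise: DNS names are case-insensitive and may carry a trailing dot.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def classify(rec: dict) -> Optional[Finding]:
    """Apply the Team9-derived checks to one parsed record."""
    reasons: List[str] = []
    severity = None
    tld = rec["qname"].rsplit(".", 1)[-1]
    if tld in BLOCKCHAIN_TLDS:
        reasons.append(f"query for Emercoin TLD .{tld}")
        severity = "high"
    if rec["resolver"] in KNOWN_BAD_RESOLVERS:
        reasons.append("resolver is on the DNS IOC list")
        severity = "high"
    elif rec["resolver"] not in APPROVED_RESOLVERS:
        reasons.append("query sent to an unapproved resolver")
        severity = severity or "medium"
    if not reasons:
        return None
    return Finding(rec["ts"], rec["client"], rec["resolver"], rec["qname"],
                   severity, reasons)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run every line through parse_line and classify; skip unparsable ones."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log, not data from the report.
SAMPLE_LOG = [
    "2020-06-02T10:15:03Z 10.0.0.5 10.0.0.53 A www.example.com",
    "2020-06-02T10:15:09Z 10.0.0.5 203.0.113.10 A c2-placeholder.bazar.",
    "2020-06-02T10:16:00Z 10.0.0.7 198.51.100.1 A intranet.example.com",
    "2020-06-02T10:16:30Z 10.0.0.9 10.0.0.53 AAAA Name.COIN",
    "this line is not a DNS record",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.client} -> {f.resolver} {f.qname}: "
              + "; ".join(f.reasons))
```

The Emercoin-TLD check fires even when the query goes to an approved internal resolver: that resolver will answer NXDOMAIN, but the lookup itself is the tell. The resolver checks catch the other half, a host that has started talking to an outside DNS server because the internal one cannot serve it.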
