Once installed on the target system, BazarLoader sleeps for a hardcoded number of seconds before contacting a command and control (C2) server. Older variants of BazarLoader and BazarBackdoor resolved their C2 domains through EmerDNS, a blockchain-based decentralised DNS, whereas newer versions use the standard DNS resolver. C2 domains are assigned dynamically and rotate every few hours. If the connection succeeds, BazarLoader downloads an XOR-encrypted BazarBackdoor payload, decrypts it, and injects it into a running process using a combination of process hollowing and process doppelgänging. In most cases, BazarLoader then removes itself from the target system.
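The XOR-encrypted download is the one stage of this chain an analyst can usually capture on the wire or from a proxy cache. The script below is an added example for recovering the embedded PE from such a blob; it is not BazarLoader code and the page does not state the key scheme, so a single repeating key byte is an assumption made here to keep the search space brute-forceable. The `build_fake_pe` input is constructed for the demonstration. The trick it relies on generalises to any XOR-ed PE: the zero padding in the headers and section slack turns into runs of the key byte, so the most frequent byte in the ciphertext is usually the key, and the DOS/PE header layout gives a cheap validator for each guess.

```python
"""Recover an XOR-encrypted PE payload from a captured download.

Added example, not BazarLoader code. The page only says the payload is
XOR-encrypted; a single repeating key byte is an assumption made here.
"""
import struct
from collections import Counter


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (works for any key length)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' at 0, e_lfanew in range, 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def candidate_keys(blob: bytes):
    """Yield single-byte keys, most plausible first.

    A PE has long runs of zero padding; XOR turns them into runs of the key
    byte, so the most frequent byte in the blob is usually the key. Fall back
    to the remaining values if that guess fails validation.
    """
    frequent = [b for b, _ in Counter(blob).most_common()]
    seen = set()
    for k in frequent + list(range(256)):
        if k not in seen:
            seen.add(k)
            yield k


def recover_single_byte_xor(blob: bytes):
    """Return (key, plaintext) for the first key that yields a valid PE, else None."""
    for k in candidate_keys(blob):
        plain = xor_bytes(blob, bytes([k]))
        if looks_like_pe(plain):
            return k, plain
    return None


def build_fake_pe(e_lfanew: int = 0x80, size: int = 0x200) -> bytes:
    """Constructed stand-in for a PE image: only the headers the validator checks."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    original = build_fake_pe()
    captured = xor_bytes(original, bytes([0x5A]))  # simulate the encrypted download
    found = recover_single_byte_xor(captured)
    if found is None:
        print("no single-byte key produced a PE; try a longer key")
    else:
        key, payload = found
        print(f"key=0x{key:02x}, recovered {len(payload)} bytes, PE={looks_like_pe(payload)}")
```

If no single-byte key validates, the same frequency idea still applies to a longer repeating key: split the blob into `n` interleaved streams for each candidate length and take the most frequent byte of each stream, then validate the result with `looks_like_pe` before trusting it.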
BazarBackdoor then connects to a separate C2 server on the same infrastructure. At this point Wizard Spider operators begin actively controlling the malware. An operator first downloads a post-exploitation toolkit, typically Cobalt Strike, Metasploit, or Empire, and uses it to gather system and user information and to enumerate the network via LDAP, SMB, and WMI, including the Active Directory structure.
Once satisfied with the information collected, Wizard Spider harvests credentials with Mimikatz or a similar tool. These credentials, combined with exploits such as EternalBlue and Zerologon, are used to move laterally to other connected systems, where the process is repeated until the entire network is compromised.
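Two steps of the stage just described leave well-documented footprints on Windows hosts: Mimikatz must open `lsass.exe` with read access to pull logon secrets (Sysmon Event ID 10 with `PROCESS_VM_READ` in the granted mask), and Zerologon (CVE-2020-1472) resets a domain controller's machine-account password over an unauthenticated Netlogon channel, which shows up as Security Event ID 4742 with `ANONYMOUS LOGON` as the subject and, on patched DCs, as Netlogon events 5827/5828 (vulnerable connection denied) or 5829 (vulnerable connection allowed). The detector below is an added example, not Wizard Spider tooling or any vendor's rule; it assumes events arrive as one JSON object per line with flattened field names, and the sample records and the `LSASS_ALLOWLIST` baseline are constructed for the demonstration.

```python
"""Flag LSASS credential access and Zerologon indicators in Windows event records.

Added example. Assumed input shape: one JSON object per line with flattened
field names (EventID, SourceImage, TargetImage, GrantedAccess, SubjectUserName,
TargetUserName, MachineName). Sample events below are constructed, not real.
"""
import json

PROCESS_VM_READ = 0x0010          # the access bit a credential dumper needs on lsass
NETLOGON_VULNERABLE_IDS = {5827, 5828, 5829}
LSASS_ALLOWLIST = {               # hypothetical baseline; tune to the environment
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
}


def lsass_read_access(ev: dict):
    """Sysmon EID 10: non-allowlisted process opened lsass.exe with VM_READ."""
    if ev.get("EventID") != 10:
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    access = int(ev.get("GrantedAccess", "0"), 16)   # accepts "0x1010"
    source = ev.get("SourceImage", "")
    if access & PROCESS_VM_READ and source.lower() not in LSASS_ALLOWLIST:
        return f"lsass read access 0x{access:x} from {source}"
    return None


def zerologon_indicator(ev: dict):
    """4742 by ANONYMOUS LOGON, or a vulnerable Netlogon secure channel event."""
    eid = ev.get("EventID")
    if eid == 4742 and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON":
        return f"computer account {ev.get('TargetUserName')} changed by ANONYMOUS LOGON"
    if eid in NETLOGON_VULNERABLE_IDS:
        return f"vulnerable Netlogon secure channel (event {eid}) from {ev.get('MachineName')}"
    return None


def scan(lines):
    """Return [(line_number, finding), ...] for every event that matches a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # one malformed record must not stop the scan
        for rule in (lsass_read_access, zerologon_indicator):
            hit = rule(ev)
            if hit:
                findings.append((n, hit))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\mk.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"}
{"EventID": 4742, "SubjectUserName": "DC01$", "TargetUserName": "DC01$"}
{"EventID": 5829, "MachineName": "WS07"}
""".strip().splitlines()

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_EVENTS):
        print(f"line {n}: {finding}")
```

The LSASS rule keys on the access mask rather than on the tool name, so it catches Mimikatz, its Cobalt Strike and Metasploit wrappers, and custom dumpers alike; the price is that legitimate readers of LSASS memory (AV, EDR agents, some backup software) must be allowlisted by path, and that allowlist is the part an attacker will try to impersonate, so pair it with signature or hash checks where the telemetry provides them.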
Once full network access is achieved, Wizard Spider either drops further tooling onto the network, most notably the Ryuk ransomware, or sells the access to other attackers. The latest Bazar campaigns have achieved full network access in under 5 hours from initial access.