New versions of Bazar loader and backdoor are circulating. A number of versions, including development versions, were analyzed for the report. The first version of Bazar appeared in April 2020 with further versions appearing in June. Prior investigations and commonalities in the malware led researchers to conclude that the Bazar malware is from the same actors behind the well known Trickbot banking Trojan. The Bazar code is obfuscated and designed to evade detection while retaining persistence. Bazar makes use of EmerDNS blockchain domains, uses the Twilio SendGrid email platform, has a different network callback system than prior malware related to Trickbot, and leverages signed loader files. While Bazar is being actively developed, versions of it have been used in attacks against a small number of high value targets.