Bumblebee
Bumblebee is a malicious Windows loader/downloader first observed in campaigns by March 2022 and used by multiple threat actors. Its primary purpose is to download and execute additional payloads; reported follow-on payloads include Cobalt Strike, shellcode, Sliver, and Meterpreter. Delivery has relied on user execution, particularly phishing or lure-based campaigns using malicious attachments, including ISO files containing malicious LNK shortcuts and DLLs. It has also been associated with .lnk-based delivery chains and was highlighted as an early adopter of ISO-based delivery with embedded LNK and DLL files.
Observed capabilities include use of PowerShell for execution, WMI for system information gathering and spawning processes for code injection, registry checks for specific keys, process injection into multiple processes, anti-virtualization checks, Base64 encoding of C2 server responses, and exfiltration or transmission of collected data to C2 in JSON format. For persistence, Bumblebee has been reported copying its DLL to a subdirectory of %APPDATA% and creating a Visual Basic Script that loads the DLL via a scheduled task.
The malware has been linked in reporting to campaigns involving threat actors such as TA578, which favored IcedID and Bumblebee before later shifting to Latrodectus. In 2022 reporting, Bumblebee was identified among prominent malware families used as entry points for data exfiltration and ransomware operations, and in some cases Meterpreter agents were installed alongside Cobalt Strike beacons. One report also noted Sysinternals ProcDump being used to dump LSASS memory in a Bumblebee-related intrusion.
Separate reporting also uses the name BumbleBee for an ASPX webshell discovered in the xHunt campaign on compromised Microsoft Exchange and internal IIS servers at Kuwaiti organizations. That webshell supported command execution and file upload/download and was used for discovery and lateral movement. The two artifacts are distinct, and reporting that mixes them under one name should be read with that in mind; the loader is the artifact most widely known as Bumblebee.
Groups observed using it
9 distinct threat actors attributed by public researchers.
Starting in March 2022, Proofpoint observed campaigns delivering a new downloader called Bumblebee. ... Bumblebee's objective is to download and execute additional payloads. Proofpoint researchers observed Bumblebee dropping Cobalt Strike, shellcode, Sliver and Meterpreter.
This investigation resulted in the discovery of two new backdoors called TriFive and Snugy, which we discussed in a prior blog, as well as a new webshell that we call BumbleBee... The actor used the BumbleBee webshell to upload and download files to and from the compromised Exchange server, but more importantly, to run commands that the actor used to discover additional systems and to move laterally to other servers on the network.
“TA580 used it to drop Bumblebee, why don’t we have a VHD chain?”
Microsoft attributes this campaign to Storm-0249... known for distributing, at minimum, BazaLoader, IcedID, Bumblebee, and Emotet malware.
"...a supply chain attack that distributed a trojanized installer to drop the Bumblebee malware loader on users' machines."
In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google Threat Analysis Group in March 2022.
Cyjax, highlighting the use of SEO poisoning to redirect users searching for software programs from companies like SonicWall, Hanwha Vision, and Pulse Secure (now Ivanti Secure Access) on Bing to fake sites and trick them into downloading MSI installers that deploy the Bumblebee loader.
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
In April 2022, Proofpoint observed a thread-hijacking campaign delivering emails that appeared to be replies to existing benign email conversations with malicious zipped ISO attachments.
Initial Access
4 techniques
In the last months BUMBLEBEE would use three different distribution methods: distribution via ISO files, which are created either with StarBurn ISO or PowerISO software and are bundled along with a LNK file and the initial payload; distribution via OneDrive links; email thread hijacking with password protected ZIPs.
In April 2022, Proofpoint observed a thread-hijacking campaign delivering emails that appeared to be replies to existing benign email conversations with malicious zipped ISO attachments.
In March 2022, Proofpoint observed a DocuSign-branded email campaign with two alternate paths designed to lead the recipient to the download of a malicious ISO file. The first path began with the recipient clicking on the "REVIEW THE DOCUMENT" hyperlink in the body of the email.
Execution
7 techniques
The following WMI queries are executed via a COM object to gather details needed for communication:
SELECT * FROM Win32_ComputerSystem
SELECT * FROM Win32_ComputerSystemProduct
The Ins command enables persistence by copying the Bumblebee DLL to a subdirectory of the %APPDATA% folder and creating a Visual Basic Script that will load the DLL. A scheduled task is created that invokes the Visual Basic Script via wscript.exe.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
Process tree from the shortcut file: cmd.exe /c start /wait "" "C:\Users\[removed]\AppData\Local\Temp\ATTACHME.LNK"
Next, BUMBLEBEE copies itself to its new directory and creates a new VBS file with the following content:
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "rundll32.exe my_application_path, IternalJob"
To properly inject, the loader creates two new sections within the injection target and copies the buffer from dij into the new section then invokes the copied contents in the target executable via a dynamically resolved NtQueueApcThread.
The ISO file contained files named "ATTACHME.LNK" and "Attachments.dat". If run, the shortcut file "ATTACHME.LNK" executed "Attachments.dat" with the correct parameters to run the downloader, Bumblebee.
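Detection logic for the execution and persistence chain quoted above (rundll32.exe invoked against a non-DLL module such as Attachments.dat with the IternalJob export, and wscript.exe launching rundll32.exe against a DLL under %APPDATA%), written here as an added Python example that is not from this page or any vendor report; the process-creation events and their field names are constructed and assumed, not real telemetry.

```python
"""Flag rundll32.exe invocations matching the Bumblebee LNK/ISO and Ins
persistence chains. Added example; event records below are constructed."""
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
EVENTS = [
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c start /wait "" "C:\Users\u\AppData\Local\Temp\ATTACHME.LNK"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\rundll32.exe" Attachments.dat,IternalJob'},
    {"pid": 201, "ppid": 4, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Roaming\Abc\loader.vbs"},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Roaming\Abc\abc.dll, IternalJob"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign control-panel call
]

# rundll32 [optional quoted first arg] <module>,<export>; tolerates the
# quoted rundll32 path seen in the LNK chain and the space after the comma
# seen in the VBS persistence stub.
RUNDLL_ARG = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"[^"]*"\s+)?(?P<module>[^,\s]+)\s*,\s*(?P<export>\S+)', re.I)


def classify(event, by_pid):
    """Return the names of the rules that match one rundll32 event."""
    hits = []
    if not event["image"].lower().endswith("rundll32.exe"):
        return hits
    m = RUNDLL_ARG.search(event["cmdline"])
    if not m:
        return hits
    module, export = m.group("module").lower(), m.group("export").lower()
    if not module.endswith(".dll"):          # e.g. Attachments.dat from the ISO
        hits.append("rundll32_non_dll_module")
    if export == "iternaljob":               # export name reported for Bumblebee
        hits.append("rundll32_iternaljob_export")
    parent = by_pid.get(event["ppid"])       # Ins persistence: wscript.exe -> rundll32.exe
    if parent and parent["image"].lower().endswith("wscript.exe") and "\\appdata\\" in module:
        hits.append("wscript_rundll32_appdata")
    return hits


def detect(events):
    """Map pid -> matched rule names for every event that triggers a rule."""
    by_pid = {e["pid"]: e for e in events}
    results = {}
    for e in events:
        hits = classify(e, by_pid)
        if hits:
            results[e["pid"]] = hits
    return results
```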
Persistence
2 techniques
The Ins command enables persistence by copying the Bumblebee DLL to a subdirectory of the %APPDATA% folder and creating a Visual Basic Script that will load the DLL. A scheduled task is created that invokes the Visual Basic Script via wscript.exe.
Privilege Escalation
4 techniques
The Ins command enables persistence by copying the Bumblebee DLL to a subdirectory of the %APPDATA% folder and creating a Visual Basic Script that will load the DLL. A scheduled task is created that invokes the Visual Basic Script via wscript.exe.
BUMBLEBEE has Rabbort.DLL embedded, using it for process injection... shi Injects task’s data into a new process... dij Injects task’s data into a new process.
Unlike most other malware that uses process hollowing or DLL injection, this loader utilizes an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2).
Stealth
9 techniques
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
BUMBLEBEE has Rabbort.DLL embedded, using it for process injection... shi Injects task’s data into a new process... dij Injects task’s data into a new process.
Unlike most other malware that uses process hollowing or DLL injection, this loader utilizes an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2).
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
rundll32.exe "C:\Windows\System32\rundll32.exe" Attachments.dat,IternalJob
Proofpoint researchers noticed that within a month of campaigns, Bumblebee developers added new features to the malware, specifically anti-VM and anti-sandbox checks.
Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.
Discovery
6 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
At this point, a single instance of Bumblebee is confirmed to be running, and the malware begins gathering system information.
Proofpoint researchers noticed that within a month of campaigns, Bumblebee developers added new features to the malware, specifically anti-VM and anti-sandbox checks.
Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.
Collection
1 technique
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
Command and Control
4 techniques
First, the loader picks a (command-and-control) IP address and sends an HTTPS GET request, which includes the following information in a JSON format (encrypted with RC4)
BUMBLEBEE has been observed to download and execute different malicious payloads such as Cobalt Strike beacons... NCC Group’s RIFT has observed mostly Cobalt Strike and Meterpreter being sent as tasks. However, third parties have confirmed the drop of Sliver and Bokbot payloads.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
The most significant change to the malware has been the addition of an encryption layer to the network communications. The developers added RC4 via a hardcoded key to the sample which is used to encrypt the requests and decrypt the responses.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
115 indicators (IPs, domains, DNS infrastructure, and MD5/SHA-1/SHA-256 file hashes) attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
137 sources tracked across advisories, community write-ups, and news.
Referenced as a comparable loader-for-hire occupying the same operational niche as MintsLoader.
Bumblebee is referenced via defensive detection coverage as malware associated with the threat activity discussed in the report.
Mentioned only via a detection signature; the content does not describe its functionality in this report.
A loader delivered via fake software installers in SEO poisoning campaigns.