{
	"id": "74cd4e9a-d5a6-44e8-821c-be27b2c1b261",
	"created_at": "2026-04-10T03:21:06.283457Z",
	"updated_at": "2026-04-10T13:12:28.843438Z",
	"deleted_at": null,
	"sha1_hash": "0786bc25a10467aaf5aa9335a55b1079bf54a883",
	"title": "New Bumblebee malware replaces Conti's BazarLoader in cyberattacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2114370,
	"plain_text": "New Bumblebee malware replaces Conti's BazarLoader in cyberattacks\r\nBy Ionut Ilascu\r\nPublished: 2022-04-28 · Archived: 2026-04-10 02:54:27 UTC\r\nA newly discovered malware loader called Bumblebee is likely the latest development of the Conti syndicate, designed to replace the BazarLoader backdoor used to deliver ransomware payloads.\r\nThe emergence of Bumblebee in phishing campaigns in March coincides with a drop in the use of BazarLoader for delivering file-encrypting malware, researchers say.\r\nBazarLoader is the work of the TrickBot botnet developers, who provided access to victim networks for ransomware attacks. The TrickBot gang is now working for the Conti syndicate.\r\nhttps://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/\r\nPage 1 of 6\n\nIn a report in March on a threat actor tracked as ‘Exotic Lily’ that provided initial access for Conti and Diavol ransomware operations, Google's Threat Analysis Group says that the actor started to drop Bumblebee, instead of the regular BazarLoader malware, to deliver Cobalt Strike.\r\nBumblebee delivery methods\r\nEli Salem, lead threat hunter and malware reverse engineer at Cybereason, says that the deployment techniques for Bumblebee are the same as for BazarLoader and IcedID, both seen in the past deploying Conti ransomware.\r\nProofpoint confirms Salem’s finding, saying that they’ve observed phishing campaigns where “Bumblebee [was] used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID.”\r\n\"Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns\" - Proofpoint\r\nThe company also notes that “several threat actors that typically use BazaLoader in malware campaigns have transitioned to Bumblebee” to drop shellcode and the Cobalt Strike, Sliver, and Meterpreter frameworks designed for red team security assessment.\r\nAt the same time, BazaLoader has been missing from Proofpoint's data since February.\r\nIn a report today, Proofpoint says that it observed multiple email campaigns distributing Bumblebee within ISO attachments that contained shortcut and DLL files.\r\nOne campaign leveraged a DocuSign document lure that led to a ZIP archive with a malicious ISO container hosted on Microsoft’s OneDrive cloud storage service.\r\nThe researchers say that the malicious email also included an HTML attachment that appeared as an email about an unpaid invoice.\r\nsource: Proofpoint\r\nThe URL embedded in the HTML file used a redirect service that relies on the Prometheus TDS (traffic distribution service), which filters downloads based on the victim’s timezone and cookies. The final destination was also the malicious ISO hosted on OneDrive.\r\nProofpoint researchers attributed this campaign with high confidence to the cybercriminal group TA579. Proofpoint has tracked TA579 since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns.\r\nIn March, Proofpoint observed a campaign that delivered Bumblebee through contact forms on a target’s website. The messages claimed that the website used stolen images and included a link that ultimately delivered an ISO file containing the malware.\r\nProofpoint attributes this campaign to another threat actor, which the company has tracked as TA578 since May 2020 and which uses email campaigns to deliver malware like Ursnif, IcedID, KPOT Stealer, Buer Loader, and BazaLoader, as well as Cobalt Strike.\r\nThe researchers detected another campaign in April that hijacked email threads to deliver the Bumblebee malware loader in replies to the target with an archived ISO attachment.\r\nsource: Proofpoint\r\nAlthough it has not found undeniable evidence, Proofpoint believes that the threat actors deploying Bumblebee are initial network access brokers working with ransomware actors.\r\nHighly-complex malware\r\nResearchers agree that Bumblebee is a “new, highly sophisticated malware loader” that integrates elaborate evasion techniques and anti-analysis tricks, including complex anti-virtualization methods.\r\nIn a technical analysis on Thursday, Eli Salem shows that Bumblebee’s authors used the entire anti-analysis code from the publicly available al-khaser PoC ‘malware’ application.\r\nSalem’s code examination revealed that the malware searches for multiple tools for dynamic and static analysis, and tries to detect “any kind of virtualization environment” by looking for their processes and by checking registry keys and file paths.\r\nThe researcher notes that one of the most interesting things he found in Bumblebee’s core loader component is the presence of two 32/64-bit DLL files called RapportGP.dll, a name used by Trusteer’s Rapport security software for protecting sensitive data like credentials.\r\nIn its separate technical analysis, Proofpoint found that the Bumblebee loader supports the following commands:\r\nShi: shellcode injection\r\nDij: DLL injection in the memory of other processes\r\nDex: download executable\r\nSdl: uninstall loader\r\nIns: enable persistence via a scheduled task for a Visual Basic Script that loads Bumblebee\r\nBumblebee uses TrickBot code\r\nMalware researchers at cybersecurity companies Proofpoint and Cybereason analyzed Bumblebee and noticed similarities with the TrickBot malware in code, delivery methods, and dropped payloads.\r\nSalem established a connection between Bumblebee and TrickBot after seeing that both malware pieces rely on the same installation mechanism for the hooks.\r\nThe similarities go even further, as Bumblebee uses the same evasion technique for RapportGP.DLL as TrickBot does for its web-inject module.\r\nAdditionally, both malware pieces try to use LoadLibrary and get the address of the function they want to hook, the researcher found.\r\nSalem says that while there isn’t sufficient evidence to say that Bumblebee and TrickBot have the same author, it is plausible to assume that Bumblebee’s developer has the source code for TrickBot’s web-inject module.\r\nRapid malware development\r\nBumblebee is actively developed, gaining new capabilities with each update. The most recent one Proofpoint observed is from April 19 and supports multiple command and control (C2) servers.\r\nsource: Proofpoint\r\nHowever, Proofpoint says that the most significant development is the addition of an encryption layer via the RC4 stream cipher for network communications, which uses a hardcoded key to encrypt requests and decrypt responses from the C2.\r\nAnother modification appeared on April 22, when researchers noticed that Bumblebee integrated a thread that checks for common tools used by malware analysts against a hardcoded list.\r\nsource: Proofpoint\r\nProofpoint believes that Bumblebee is a multifunctional tool that can be used for initial access to victim networks to later deploy other payloads such as ransomware.\r\nSherrod DeGrippo, Vice President of Threat Research and Detection at Proofpoint, says that “the malware is quite sophisticated, and demonstrates being in ongoing, active development introducing new methods of evading detection.”\r\nThe reports [1, 2] from Cybereason's Eli Salem and Proofpoint came one day apart and include a detailed technical analysis of Bumblebee malware's most significant aspects.\r\nSource: https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/"
	],
	"report_names": [
		"new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775791266,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0786bc25a10467aaf5aa9335a55b1079bf54a883.pdf",
		"text": "https://archive.orkl.eu/0786bc25a10467aaf5aa9335a55b1079bf54a883.txt",
		"img": "https://archive.orkl.eu/0786bc25a10467aaf5aa9335a55b1079bf54a883.jpg"
	}
}