{
	"id": "988025de-9092-439e-af5a-793129fc545e",
	"created_at": "2026-04-06T00:17:30.804678Z",
	"updated_at": "2026-04-10T03:36:11.305492Z",
	"deleted_at": null,
	"sha1_hash": "0f74dbb705fbe1d89e0b432aed2cb148aa58b929",
	"title": "Orion Threat Alert: Flight of the BumbleBee",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1901370,
	"plain_text": "Orion Threat Alert: Flight of the BumbleBee\r\nBy George Tubin\r\nPublished: 2022-04-14 · Archived: 2026-04-05 15:00:57 UTC\r\nCynet’s Threat Research and Intelligence team recently discovered a new malware campaign called BumbleBee. The campaign is notable for its use of Initial Access Broker (IAB) tactics to gain a foothold on victims’ machines. In this post, we cover what the campaign is, how the IAB distributes the BumbleBee malware, and the TTPs involved. We also map each TTP to the MITRE ATT\u0026CK framework and explain its purpose.\r\nA new campaign in the wild: BumbleBee\r\nFrom our initial analysis, BumbleBee is a new custom loader used by several IAB groups. We observed it injecting Cobalt Strike shellcode into memory and using several tactics, techniques, and procedures (TTPs) to compromise the victim’s environment.\r\nAs part of the campaign, the threat actors spoof company identities (fake employee email addresses, fake websites, and so on) and use legitimate public file-sharing services to deliver a malicious ISO image. The ISO image is what lures the victim into executing the BumbleBee loader.\r\nWe have seen Living Off the Land Binaries (LOLBins) execution via rundll32, which helps the threat actors evade defenses. BumbleBee also creates a scheduled task on the compromised host for persistence and uses it to run a Visual Basic script. The IAB relies on user execution: the victim is lured into mounting the ISO image and clicking a Windows shortcut (LNK) file inside it.\r\nThe name BumbleBee was chosen because of the unique User-Agent string, “bumblebee,” used in communication with the command and control (C2) server.\r\nGoogle’s Threat Analysis Group (TAG) has shared observations on EXOTIC LILY, a financially motivated threat actor that uses the BumbleBee malware. 
In addition, TAG noted an interesting point: collaboration between EXOTIC LILY and the WIZARD SPIDER threat group.\r\nOrion’s observations\r\nThis type of attack is new, and the cybersecurity community is still gathering data to understand its nature and its targets.\r\nOrion found a high number of targeted companies based in the US, with the following distribution chain delivering the BumbleBee malware: spear phishing email \u003e URL link (TransferXL, TransferNow, WeTransfer) \u003e zipped ISO \u003e ISO (containing the LNK file and the BumbleBee payload).\r\nYou can see the execution flow in the image below.\r\nhttps://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/\r\nPage 1 of 20\n\nThe infection flow\r\nWe have handled several incident response (IR) cases in which threat actors distributed BumbleBee. After the initial infection, the threat actors inject Cobalt Strike shellcode into memory and run discovery commands to collect information about the victim’s network. We believe this data collection is performed to prepare the next stage of the intrusion.\r\nThe next stage is probably related to ransomware operations. We are still investigating IR cases to find conclusive evidence that it delivers ransomware.\r\nOn April 12, 2022, the BumbleBee IAB group was spotted using the IMG file format in addition to ISO. You can see an example in the image below.\r\nThe IMG file, which contains LNK and DLL\r\nOrion’s technical analysis\r\nInitial Access\r\nThe BumbleBee payload was delivered via a spear phishing email sent from a spoofed email address. 
The email contains a URL linking to the legitimate public file-sharing service TransferXL.\r\nSpear phishing email with a link to TransferXL\r\nBelow you can see the legitimate file-sharing site, which leads the victim to the download link for the malicious file.\r\nTransferXL legitimate public storage service\r\nOnce the victim clicks download, they receive a ZIP archive containing the malicious ISO image file.\r\nSpoofed company email address\r\nExecution\r\nBelow is an example of what the ZIP file from the TransferXL link looks like.\r\nZIP file download from TransferXL\r\nThe ZIP file contains an ISO image named “documents-04-106.iso.” Every ISO image we analyzed followed the same file name pattern:\r\ndocuments-[0-9]{1,4}-[0-9]{1,4}\\.iso\r\nISO image file\r\nFrom this step on, the threat actors rely on the victim’s interaction with the ISO image. 
The threat actors use a masquerading technique, setting the LNK file’s icon to a folder icon so that the victim is lured into clicking the LNK file:\r\nISO image file contains LNK and DLL\r\nIn addition, the DLL payload has the “Hidden” attribute set so that it stays out of sight when the user browses the mounted ISO image:\r\nHidden attribute for the DLL\r\nThe masqueraded LNK file’s properties show the following execution target (note that the export name really is spelled IternalJob, so do not “correct” it in detection rules):\r\nC:\\Windows\\System32\\rundll32.exe settings.dll,IternalJob\r\nLNK executes the DLL via rundll32 command\r\nAfter the initial execution, the BumbleBee DLL is copied to a %ProgramData%\\{RandomDir} directory. A VBS script is dropped to the same directory alongside the DLL; both match the following pattern:\r\n[a-z]:\\\\programdata\\\\[a-z0-9]{16}\\\\[a-z0-9]{16}\\.(vbs|dll)\r\nTTP indicators during execution\r\nWe have further artifacts from other IR cases in which we observed the same activity. The screenshot below shows an event that detected the creation of a payload in the %ProgramData%\\{Random} directory; the DLL payload is a copy of the initial BumbleBee loader that rundll32 executed from the ISO image:\r\nCopy of the BumbleBee DLL to %ProgramData% directory\r\nIn other IR cases, we observed a slightly different execution flow. 
For example, LNK files pointing to the following execution targets:\r\ncmd.exe /c start rundll32 neqw.dll,IternalJob\r\nrundll32.exe advpack.dll,RegisterOCX sysctl.exe\r\nPersistence\r\nWe detected a scheduled task execution during the BumbleBee infection:\r\nGrandparent process: svchost.exe -k netsvcs -p -s Schedule\r\nParent process: wscript.exe [a-z]:\\\\programdata\\\\[a-z0-9]{16}\\\\[a-z0-9]{16}\\.vbs\r\nChild process: rundll32.exe [a-z]:\\\\programdata\\\\[a-z0-9]{16}\\\\[a-z0-9]{16}\\.dll,{Export}\r\nStrings from the BumbleBee loader show the VBS script and the execution method\r\nWe also observed WMI execution. The same VBS file that ran via the scheduled task was also launched through WMI (Win32_Process):\r\nGrandparent process: svchost.exe -k DcomLaunch\r\nParent process: wmiprvse.exe -Embedding\r\nChild process: wscript.exe [a-z]:\\\\programdata\\\\[a-z0-9]{16}\\\\[a-z0-9]{16}\\.vbs\r\nStrings from the BumbleBee loader show the WMI Win32_Process execution\r\nDefense Evasion\r\nIn our lab, we observed that BumbleBee uses several anti-VM methods to avoid analysis and detection.\r\nOne of the anti-VM checks looks for VirtualBox:\r\nCheck for lpWindowName if matches VirtualBox\r\nOther anti-VM artifacts were found after unpacking, as can be seen in the following strings:\r\nList of strings that are related to VMware and VirtualBox\r\nBumbleBee also detects whether it is running inside a VM by checking for services associated with various VM products:\r\nList of services that are related to VM products\r\nBumbleBee also checks whether certain user names exist on the victim’s machine by comparing them against a hardcoded list. 
This allows BumbleBee to detect sandboxes and labs used for malware analysis:\r\nList of hardcoded usernames which are related to sandboxes and labs\r\nIn addition, it uses WMI queries to collect system details; several of these classes (Win32_Fan, Win32_BaseBoard, the PnP classes) are classic VM-fingerprinting queries:\r\nSELECT * FROM Win32_BaseBoard\r\nSELECT * FROM Win32_Bus\r\nSELECT * FROM Win32_ComputerSystem\r\nSELECT * FROM Win32_Fan\r\nSELECT * FROM Win32_NTEventlogFile\r\nSELECT * FROM Win32_OperatingSystem\r\nSELECT * FROM Win32_PnPDevice\r\nSELECT * FROM Win32_PnPEntity\r\nDiscovery\r\nWe found that the threat actors used the AdFind tool to enumerate and map the victim’s Active Directory environment. The AdFind binary was found in the %ProgramData% directory.\r\nIn the instance we observed, the following commands were used:\r\nadfind.exe -gcb -sc trustdmp\r\nadfind.exe -f “(objectcategory=group)”\r\nadfind.exe -f “(objectcategory=organizationalUnit)”\r\nadfind.exe -f “objectcategory=computer”\r\nadfind.exe -f “(objectcategory=person)”\r\nCommand and Control\r\nAfter the initial execution, the BumbleBee process (rundll32) communicated with the command and control (C2) server. We have seen several C2 servers across different IR cases:\r\nIP: 23.82.19[.]208:443\r\nIP: 192.236.198[.]63:433\r\nIP: 45.147.229[.]177:433\r\nExample of the unique User-Agent: BumbleBee in the payload’s memory\r\nAdditional reference to the BumbleBee malware name\r\nAll the collected system and network information is sent to the C2 server, which responds with the next step or command to execute based on that information.\r\nBumbleBee binary analysis\r\nIn this section, we cover some of the indicators and artifacts that characterize BumbleBee’s behavior and heuristics. 
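Before turning to the binary artifacts, the following script turns the behavioral indicators reported so far into detection logic. It is an added example, not code from the original post or from Cynet: it checks process-creation events for the rundll32 export calls from the LNK targets (IternalJob and advpack RegisterOCX), for the %ProgramData% random-directory pattern of the dropped DLL and VBS, for the scheduled-task and WMI process chains from the Persistence section and for the AdFind discovery commands, and it checks network events against the C2 endpoints and the bumblebee User-Agent. The ProcessEvent structure, its field names and the sample events are constructed for the example and are not taken from the report; map your own EDR or Sysmon fields onto them.

```python
import ntpath
import re
from dataclasses import dataclass

# Added example (not code from the Cynet post): BumbleBee host and network
# indicators from this report expressed as checks over process-creation and
# network events. ProcessEvent and the sample events below are constructed for
# the example; map your own EDR or Sysmon fields onto them.

# Windows path separator taken from ntpath, so the snippet needs no escaped backslashes.
SEP = ntpath.sep

# Dropped loader copy and VBS, as path components: <drive>:, programdata, <16 alnum>, <16 alnum>.(vbs|dll)
RANDOM16 = re.compile('[a-z0-9]{16}')
DROPPED_NAME = re.compile('[a-z0-9]{16}[.](vbs|dll)')

# rundll32 export calls seen in the LNK targets, directly or behind cmd.exe /c start:
#   rundll32.exe settings.dll,IternalJob   /   rundll32.exe advpack.dll,RegisterOCX sysctl.exe
RUNDLL32_EXPORT = re.compile('rundll32(?:[.]exe)? +([^ ]+[.]dll),(iternaljob|registerocx)')

# AdFind enumeration as observed (trust dump, groups, OUs, computers, people).
ADFIND_FLAGS = ('-gcb -sc trustdmp', 'objectcategory=group', 'objectcategory=organizationalunit',
                'objectcategory=computer', 'objectcategory=person')

# C2 endpoints from the report with the [.] defanging removed; ports as published.
C2_ENDPOINTS = {('23.82.19.208', 443), ('192.236.198.63', 433), ('45.147.229.177', 433)}
C2_USER_AGENT = 'bumblebee'


def is_random_programdata_drop(path: str) -> bool:
    # True when the path is <drive>:, programdata, <16 alnum>, <16 alnum>.vbs|dll (case-insensitive).
    parts = ntpath.normcase(path.strip()).split(SEP)
    if len(parts) != 4:
        return False
    drive, root, subdir, name = parts
    return (re.fullmatch('[a-z]:', drive) is not None
            and root == 'programdata'
            and RANDOM16.fullmatch(subdir) is not None
            and DROPPED_NAME.fullmatch(name) is not None)


@dataclass
class ProcessEvent:
    image: str                         # file name of the created process
    command_line: str
    parent_image: str
    parent_command_line: str = ''
    grandparent_command_line: str = ''


def check_process(ev: ProcessEvent) -> list:
    # Returns the BumbleBee TTP labels that one process-creation event triggers.
    img, cmd = ev.image.lower(), ev.command_line.lower()
    pimg, gcmd = ev.parent_image.lower(), ev.grandparent_command_line.lower()
    hits = []

    # Execution: LNK -> rundll32 <dll>,IternalJob or advpack.dll,RegisterOCX
    if RUNDLL32_EXPORT.search(cmd):
        hits.append('execution.rundll32_export')

    # Dropped copy in the random %ProgramData% directory (a trailing ,Export is stripped first)
    if any(is_random_programdata_drop(tok.split(',')[0]) for tok in cmd.split()):
        hits.append('file.programdata_random_drop')

    # Persistence: Schedule service -> wscript.exe <vbs> -> rundll32.exe <dll>,<export>
    if img == 'rundll32.exe' and pimg == 'wscript.exe' and '-s schedule' in gcmd:
        hits.append('persistence.scheduled_task_vbs')

    # Execution via WMI: DcomLaunch -> wmiprvse.exe -Embedding -> wscript.exe <vbs>
    if img == 'wscript.exe' and pimg == 'wmiprvse.exe' and '-k dcomlaunch' in gcmd:
        hits.append('execution.wmi_win32_process')

    # Discovery: AdFind run with any of the observed filters
    if img == 'adfind.exe' and any(flag in cmd for flag in ADFIND_FLAGS):
        hits.append('discovery.adfind')
    return hits


def check_network(dst_ip: str, dst_port: int, user_agent: str = '') -> list:
    # Known C2 endpoint and/or the unique bumblebee User-Agent.
    hits = []
    if (dst_ip, dst_port) in C2_ENDPOINTS:
        hits.append('c2.known_endpoint')
    if user_agent.strip().lower() == C2_USER_AGENT:
        hits.append('c2.bumblebee_user_agent')
    return hits


def scan(events) -> dict:
    # Command line -> labels, for the events that match anything.
    findings = {}
    for ev in events:
        labels = check_process(ev)
        if labels:
            findings[ev.command_line] = labels
    return findings


def _win(*parts: str) -> str:
    # Assemble a Windows path from its components (helper for the constructed sample data).
    return SEP.join(parts)


DROP_DIR = _win('C:', 'ProgramData', 'k8m2x0q1v7z3p5n9')   # constructed random directory
VBS_PATH = _win(DROP_DIR, 'b4c6d8e0f2g4h6j8.vbs')         # constructed VBS name
DLL_PATH = _win(DROP_DIR, 'b4c6d8e0f2g4h6j8.dll')         # constructed DLL name

SAMPLE_EVENTS = [  # constructed telemetry modelled on the process chains in the report
    ProcessEvent('rundll32.exe', _win('C:', 'Windows', 'System32', 'rundll32.exe') + ' settings.dll,IternalJob',
                 'explorer.exe'),
    ProcessEvent('rundll32.exe', 'rundll32.exe ' + DLL_PATH + ',IternalJob', 'wscript.exe',
                 'wscript.exe ' + VBS_PATH, 'svchost.exe -k netsvcs -p -s Schedule'),
    ProcessEvent('wscript.exe', 'wscript.exe ' + VBS_PATH, 'wmiprvse.exe',
                 'wmiprvse.exe -Embedding', 'svchost.exe -k DcomLaunch'),
    ProcessEvent('adfind.exe', 'adfind.exe -f (objectcategory=person)', 'cmd.exe'),
    ProcessEvent('rundll32.exe', 'rundll32.exe shell32.dll,Control_RunDLL', 'explorer.exe'),  # benign control
]

if __name__ == '__main__':
    for command_line, labels in scan(SAMPLE_EVENTS).items():
        print(labels, command_line)
    print(check_network('23.82.19.208', 443, 'bumblebee'))
```

Running the file prints the labels per matching sample command line; the benign shell32.dll,Control_RunDLL event produces none. The path check deliberately demands the drive letter, the programdata root and two 16-character alphanumeric components, as tight as the pattern in the report; loosen RANDOM16 only if your own cases show other lengths. The rundll32 check keys on the export names rather than on the DLL file name, because the DLL name varied between the cases above (settings.dll, neqw.dll, a random name under %ProgramData%) while the export names are the stable part.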
The binary artifacts described below also help identify BumbleBee samples; every payload we analyzed carried the same ones.\r\nAfter unpacking the BumbleBee loader and inspecting the metadata of the unpacked payload, we identified BumbleBee’s internal name, “LdrAddx64.dll,” and two exported functions, “IternalJob” and “SetPath.”\r\nBumbleBee internal name, export functions, and TimeDateStamp\r\nIn the image below, the BumbleBee internal name and export function are visible inside the rundll32.exe process that executed the BumbleBee DLL loader:\r\nBumbleBee’s internal name and export function names in memory\r\nBy inspecting the unpacked BumbleBee sections, we discovered that the .data section contains two more executables:\r\nPEStudio shows the unpacked BumbleBee sections with the .data section highlighted\r\nWe extracted the two hidden payloads from the .data section with a hex editor:\r\nHex editor showing 3 MZ headers: the first one is BumbleBee itself, and the other two are the additional payloads\r\nThe first payload from the .data section is a 32-bit DLL:\r\nPEStudio showing the payload’s metadata\r\nWe found several imported function names in the payload’s strings indicating that it has process injection capabilities. 
For example, “CreateProcess,” “NtWriteVirtualMemory,” “CreateRemoteThread,” and “WinExec.”\r\nPEStudio showing the payload’s strings that could be related to process injection\r\nThe second payload we extracted from the .data section is a 64-bit DLL:\r\nPEStudio showing the payload’s metadata\r\nAnalysis of this binary shows that it is the component responsible for communicating with BumbleBee’s C2 server:\r\nIn the strings we can see the C2 server’s IP address and port\r\nBoth DLL payloads carry the same internal name, “RapportGP.dll.” Interestingly, a legitimate DLL named “RapportGP.dll” ships with a Trusteer product (Trusteer is a security division of IBM), so the internal name alone must not be treated as a sign of a clean file.\r\nPayloads’ internal name and TimeDateStamp\r\nFinal notes\r\nThe BumbleBee threat actors are not the first to switch their initial access method from malicious Office documents to malicious ISO images. ISO abuse was seen a few years ago as well, but in recent months we have observed an increase in “ISO campaigns.”\r\nDifferent threat actors abuse ISO images to deliver their payloads. For example, BazarISO deploys BazarLoader, and IcedID has started using ISO images instead of maldocs, as in the two examples below.\r\nDocuments-17.iso (BazarLoader)\r\nInvoice_pdf_1.iso (IcedID)\r\nIn most of the IR cases we have handled, these campaigns escalated into full-blown ransomware attacks. We believe that IAB groups work with ransomware affiliates such as CONTI, LockBit, and AvosLocker, among others. 
For example, we observed an IcedID infection that led to a CONTI ransomware attack (Shelob Moonlight).\r\nThe Orion team is monitoring BumbleBee and the IAB group’s activities closely and analyzing them to better understand their motivation. As we learn more, we will publish our findings and artifacts to share additional insight into the post-infection chain from BumbleBee to ransomware.\r\nWe expect to see more malware campaigns using the ISO delivery method in the near future. So, stay vigilant.\r\nAs a final note, we would like to share these indicators of compromise with you.\r\nIndicators of compromise:\r\nBumbleBee payload (SHA-256)\r\n88f5ae9691e6bcdd4065a420eafaf3e3aa32c69605bf564a42ffd8ecd25c9920\r\n4a49e2f06ba48d3a88fdeb83fb8021f3d165535e8ea5319b16a7ebe4da9c0751\r\n08cd6983f183ef65eabd073c01f137a913282504e2502ac34a1be3e599ac386b\r\n186145f84ed6a473ec6bc4afa66bff156057888938793b12afd17659041ddbba\r\n4063fab9176db3960fa6014173b6c7ba52f19424887f5a6205ff73aa447ada61\r\n53b3ebaa3c485772f8e6abaa0f366ef192137496a7064e015ced4e6fc204b3c8\r\nd74a3f9b35d657516eb53d4e70582f93d22077d3e0936758cc4ef76d5171075d\r\n8f47c3962a7c418bae71fec42bbca9524b72f8f0fd2dd81d1175138f7d20b2f7\r\nc97b8bffcbe424cbc2a6e1135068d071c6f4e8f020fccd2db3dbee3aa80102ac\r\nBumbleBee C2 server\r\nIP: 23.82.19[.]208 Port 443\r\nIP: 192.236.198[.]63 Port 433\r\nIP: 45.147.229[.]177 Port 433\r\nCobalt Strike C2 server\r\nhojimizeg[.]com - 45.147.228[.]197\r\nnotixow[.]com - 23.19.58[.]154\r\nrewujisaf[.]com - 142.234.157[.]176\r\nWe hope this was helpful. Remember to check our blog page and follow us on social media to see when we publish updates.\r\nHave questions? Let us know.\r\nSource: https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/"
	],
	"report_names": [
		"orion-threat-alert-flight-of-the-bumblebee"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23",
				"Periwinkle Tempest",
				"Wizard Spider"
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0f74dbb705fbe1d89e0b432aed2cb148aa58b929.pdf",
		"text": "https://archive.orkl.eu/0f74dbb705fbe1d89e0b432aed2cb148aa58b929.txt",
		"img": "https://archive.orkl.eu/0f74dbb705fbe1d89e0b432aed2cb148aa58b929.jpg"
	}
}