{
	"id": "ab9997b2-5541-4f5a-a0b6-98f2fd9abb26",
	"created_at": "2026-04-06T00:07:00.683469Z",
	"updated_at": "2026-04-10T03:24:24.789582Z",
	"deleted_at": null,
	"sha1_hash": "1611678ae4b80b56d640dede90033844f845ed8a",
	"title": "Cyble - Bumblebee Returns With New Infection Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1224057,
	"plain_text": "Cyble - Bumblebee Returns With New Infection Technique\r\nPublished: 2022-09-07 · Archived: 2026-04-05 17:15:45 UTC\r\nCyble Research \u0026 Intelligence Labs analyzes a new infection chain of the Bumblebee loader malware being\r\ndistributed via spam campaigns.\r\nDelivers Payload Using Post Exploitation Framework\r\nDuring our routine threat-hunting exercise, Cyble Research \u0026 Intelligence Labs (CRIL) came across a Twitter post\r\nwherein a researcher mentioned an interesting infection chain of the Bumblebee loader malware being distributed\r\nvia spam campaigns.\r\nBumblebee is a replacement for the BazarLoader malware, which acts as a downloader and delivers known attack\r\nframeworks and open-source tools such as Cobalt Strike, Shellcode, Sliver, Meterpreter, etc. It also downloads\r\nother types of malware such as ransomware, trojans, etc.\r\nTechnical Details\r\nThe initial infection starts with a spam email carrying a password-protected attachment that contains a .VHD\r\n(Virtual Hard Disk) file.\r\nThe VHD file contains two files. The first is named “Quote.lnk” and the second is a hidden file “imagedata.ps1”.\r\nThe LNK shortcut file carries the parameters to execute “imagedata.ps1”, which in turn loads the Bumblebee\r\npayload into the memory of the PowerShell process. Figure 1 shows the VHD file and its contents, along with the LNK file\r\nproperties.\r\nhttps://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/\r\nPage 1 of 8\n\nFigure 1 – Content of VHD and the properties of LNK file\r\nThe following target command line is used by the LNK to execute the PowerShell script “imagedata.ps1”:\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass -file imagedata.ps1\r\nFirst Stage PowerShell Loader\r\nUpon execution, the “imagedata.ps1” file hides the PowerShell window and runs the PowerShell code\r\nstealthily in the background. 
By default, the malware uses the -windowstyle hidden PowerShell command for\r\nhiding the PowerShell window. However, in this case, the malware uses an alternate approach, the ShowWindow API, to\r\nevade detection by anti-virus scanners. The figure below shows the code snippet used for hiding the PowerShell\r\nwindow.\r\nFigure 2 – Code snippet to hide the PowerShell window\r\nThe PowerShell script contains strings that are split into multiple lines and concatenated later for execution. This is\r\none of the techniques used by the malware to evade detection by anti-virus products. The figure below shows the\r\nobfuscated Base64 encoded streams, which are normalized using the “insert” and “remove” keywords and stored in a\r\nlist.\r\nFigure 3 – Obfuscated Base64 encoded streams\r\nNext, the malware iterates through the list of normalized Base64 elements, concatenates and decodes them using the\r\n[System.Convert]::FromBase64String method, and finally performs gzip decompression using\r\n[System.IO.Compression.CompressionMode]::Decompress. The gzip-decompressed data contains the\r\nsecond stage of the PowerShell script, which is then executed via “Invoke-Expression”, as shown below.\r\nFigure 4 – Decompressing and invoking Second stage PowerShell script\r\nSecond Stage PowerShell Loader\r\nThis PowerShell script contains a large code block that loads the embedded DLL payload into the memory of\r\n“powershell.exe”. The second stage PowerShell code also employs the same obfuscation technique used in the first\r\nstage, as shown below.\r\nFigure 5 – Obfuscated Second stage PowerShell script\r\nThe malware utilizes the PowerSploit module for its execution. 
PowerSploit is an open-source post-exploitation framework; the malware uses its Invoke-ReflectivePEInjection method to reflectively load\r\nthe DLL into the PowerShell process. This method validates the embedded file and performs multiple checks to\r\nensure that the file is loaded properly on the executing system.\r\nThe image below shows the code similarities between the second stage PowerShell script present in the memory of\r\n“PowerShell.exe” and the Invoke-ReflectivePEInjection code from GitHub.\r\nFigure 6 – Code similarities\r\nThe second stage PowerShell script contains a byte array in which the first byte is replaced with 0x4d to get the\r\nactual PE DLL file, as shown below. This DLL file is the final Bumblebee payload that performs other malicious\r\nactivities.\r\nFigure 7 – Embedded payload\r\nThe image below showcases the DLL payload (LdrAddx64.dll) injected into the memory of the PowerShell process by\r\nusing the Invoke-ReflectivePEInjection function. The DLL is reflectively loaded and thereby avoids detection by tools used\r\nto enumerate the DLLs of active/running processes.\r\nFigure 8 – Presence of injected DLL in PowerShell memory\r\nBumblebee payload\r\nFigure 9 shows the file information of the final Bumblebee malware payload. Based on our static analysis, we\r\nfound that the payload is a 64-bit DLL binary compiled with a Microsoft Visual C/C++ compiler.\r\nFigure 9 – Payload file details\r\nIn June 2022, we published a technical blog on the Bumblebee loader. 
Our research indicates that the payload\r\nbehaviour of the current variant under our analysis is similar to the one we analyzed earlier.\r\nConclusion\r\nBumblebee, a recently developed malware loader, has quickly become a key component in a wide range of\r\ncyberattacks, besides replacing the existing BazarLoader. In an attempt to stay a step ahead of cybersecurity\r\nentities, Threat Actors (TAs) constantly adopt new techniques and continuously monitor the defense mechanisms\r\nemployed by enterprises. Similarly, the TAs behind the sophisticated Bumblebee loader\r\nkeep updating its capabilities in order to strengthen its evasive maneuvers and anti-analysis tricks.\r\nCRIL has been closely monitoring the Bumblebee malware group and other similar TA groups for a better\r\nunderstanding of their motivations and keeping our readers well-informed on the latest cybercrime news and\r\ncybersecurity challenges.\r\nOur Recommendations\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing/untrusted URLs.\r\nAvoid downloading files from unknown websites.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices.\r\nUse a reputed antivirus and internet security software package on your connected devices, including PC,\r\nlaptop, and mobile.\r\nBlock URLs that could spread the malware, e.g., Torrent/Warez.\r\nMonitor beacons at the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) solutions on the employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1566 | Phishing\r\nExecution | T1204 | User Execution\r\nExecution | T1059 | PowerShell\r\nPrivilege Escalation | T1574 | DLL Side-Loading\r\nPrivilege Escalation | T1055 | Process Injection\r\nDefence Evasion | T1027 | Obfuscated Files or Information\r\nDefence Evasion | T1497 | Virtualization/Sandbox Evasion\r\nDefence Evasion | T1574 | DLL Side-Loading\r\nDiscovery | T1012 | Query Registry\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1518 | Security Software Discovery\r\nIndicators Of Compromise (IoC)\r\nIndicator | Indicator Type | Description\r\n59fc33d849f9ad2ab4e4b7fe4b443a33 | MD5 | VHD file\r\ne4ed0f94e8ad9aeeb019e6d253e2eefa83b51b5a | SHA1 | VHD file\r\n2102214c6a288819112b69005737bcfdf256730ac859e8c53c9697e3f87839f2 | SHA256 | VHD file\r\nb3b877f927898a457e35e4c6a6710d01 | MD5 | LNK file\r\n8ed3dfa1ece8dbad0ccc8be8c1684f5a3de08ccb | SHA1 | LNK file\r\n1285f03b8dbe35c82feef0cb57b3e9b24e75efabba0589752c2256a8da00ad85 | SHA256 | LNK file\r\n254d757d0f176afa59ecea28822b3a71 | MD5 | PS1 file – Stage 1\r\n3e59fff860826055423dde5bbd8830cceae17cf3 | SHA1 | PS1 file – Stage 1\r\n0ff8988d76fc6bd764a70a7a4f07a15b2b2c604138d9aadc784c9aeb6b77e275 | SHA256 | PS1 file – Stage 1\r\n225b9fb42b5879c143c56ef7402cbcbc | MD5 | PS1 file – Stage 2\r\n03369886e9fc4b7eacc390045aa9c4b7fffad69a | SHA1 | PS1 file – Stage 2\r\ndb91155087bd2051b7ac0576c0994e9fffb5225c26ea134cb2f38e819f385730 | SHA256 | PS1 file – Stage 2\r\nda6feac8dff2a44784be3d078f2d4ac3 | MD5 | Bumblebee DLL payload\r\nc0f43d1d3e87b0e8b86b4b9e91cb55b4a1893b48 | SHA1 | Bumblebee DLL payload\r\n9bd9da44cc2d259b8c383993e2e05bbe1bcdac917db563b94e824b4b1628e87c | SHA256 | Bumblebee DLL payload\r\nSource: https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/"
	],
	"report_names": [
		"bumblebee-returns-with-new-infection-technique"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434020,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1611678ae4b80b56d640dede90033844f845ed8a.pdf",
		"text": "https://archive.orkl.eu/1611678ae4b80b56d640dede90033844f845ed8a.txt",
		"img": "https://archive.orkl.eu/1611678ae4b80b56d640dede90033844f845ed8a.jpg"
	}
}