{
	"id": "fc64ce41-7db2-474c-96a4-24e7883687de",
	"created_at": "2026-04-06T00:17:18.814149Z",
	"updated_at": "2026-04-10T13:11:33.335658Z",
	"deleted_at": null,
	"sha1_hash": "362b9a8c655921d16fd86c6fd529de65d801536b",
	"title": "BumbleBee DocuSign Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2285720,
	"plain_text": "BumbleBee DocuSign Campaign\r\nBy 0xToxin\r\nPublished: 2023-03-04 · Archived: 2026-04-05 15:49:02 UTC\r\nIntro\r\nIn this blog post I will be going through a recent BumbleBee campaign that impersonates DocuSign. I will be going through the execution chain, the PowerShell loader and some IOC extraction.\r\nThe Phish\r\nThe email delivered to the user simply tells the user that an invoice is waiting to be paid and that a “unique HTML code” was created for him to download and view the invoice on the user’s computer. Additionally, a password was provided: RD4432\r\nhttps://0xtoxin.github.io/malware%20analysis/Bumblebee-DocuSign-Campaign/\r\nPage 1 of 14\r\nHovering over “See The Document” helps us see the URL behind the click action:\r\nThe URL is:\r\nhttps://onedrive.live[.com/download?cid=0F6CD861E2193F6E\u0026resid=F6CD861E2193F6E%21118\u0026authkey=ALbZV_c_Tn7O-OA\r\nSo instead of going to the actual DocuSign site, the file is hosted on OneDrive, which, once clicked, triggers an automatic download of an archive file.\r\nExecution Chain\r\nBelow you can see a diagram of the execution chain from the moment the phishing mail was opened:\r\nLet's go quickly through this chain:\r\n1. The downloaded archive is opened by the user; in order to extract the IMG file the user has to enter the given password: RD4432\r\n2. Once the IMG file is opened the user sees only the LNK file “requested information” (because the .ps1 is hidden)\r\n3. The LNK file executes the hidden .ps1 script\r\nBumblebee Ps1 Loader\r\nI will be focusing now on what is going on in the script and what I’ve done to extract the payload out of it. So I know that there are about 42 base64 encoded strings (that are actually archives), each one of them stored in a variable with the name elem{X}, for example:\r\nThe script then removes the first char of the encoded string and replaces it with H to match the .gz magic bytes 1f 8b.\r\nThis script will extract each string variable, decode it and save it in the selected folder:\r\nfrom base64 import b64decode\r\nimport re\r\nimport os\r\n\r\nPS1_FILE_PATH = '/Users/igal/malwares/bumblebee/21-02-2023/documents.ps1'\r\nOUTPUT_FOLDER = '/Users/igal/malwares/bumblebee/21-02-2023/archives/'\r\n# match lines of the form $elem{X}=\"<base64>\" and capture the encoded string\r\nREG_PATTERN = r'^\\$elem.*=\\\"(.*)\\\"\\s*$'\r\narchiveIndex = 0\r\n\r\nif not os.path.exists(OUTPUT_FOLDER):\r\n    os.makedirs(OUTPUT_FOLDER)\r\n\r\n# read as bytes and strip null bytes (present when the script is saved as UTF-16) before matching\r\nps1File = open(PS1_FILE_PATH, 'rb').readlines()\r\nfor line in ps1File:\r\n    regMatch = re.findall(REG_PATTERN, line.replace(b'\\x00', b'').decode('iso-8859-1'))\r\n    if regMatch:\r\n        # replace the first base64 char with 'H' so the string decodes to the gzip magic bytes 1f 8b\r\n        varData = b64decode('H' + regMatch[0][1:])\r\n        with open(f'{OUTPUT_FOLDER}/archive{archiveIndex}.gz', 'wb') as out:\r\n            out.write(varData)\r\n        print(f'[+] gz archive was created in:{OUTPUT_FOLDER}/archive{archiveIndex}.gz')\r\n        archiveIndex += 1\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive0.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive1.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive2.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive3.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive4.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive5.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive6.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive7.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive8.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive9.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive10.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive11.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive12.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive13.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive14.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive15.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive16.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive17.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive18.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive19.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive20.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive21.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive22.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive23.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive24.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive25.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive26.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive27.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive28.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive29.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive30.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive31.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive32.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive33.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive34.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive35.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive36.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive37.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive38.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive39.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive40.gz\r\n[+] gz archive was created in:/Users/igal/malwares/bumblebee/21-02-2023/archives//archive41.gz\r\nEach archive contains a part of a bigger PowerShell script. I will extract the content of those archives and concatenate them into one big PowerShell script.\r\nimport os\r\nimport gzip\r\n\r\nARCHIVES_FOLDER = '/Users/igal/malwares/bumblebee/21-02-2023/archives'\r\nOUTPUT_FILE = '/Users/igal/malwares/bumblebee/21-02-2023/powershellCommand.txt'\r\n\r\n# number of archive{X}.gz files produced by the previous step\r\ncountArchives = sum(1 for file in os.scandir(ARCHIVES_FOLDER))\r\nfinalString = ''\r\n# decompress the archives in order and concatenate the script fragments\r\nfor x in range(0, countArchives):\r\n    with gzip.open(f'{ARCHIVES_FOLDER}/archive{x}.gz', 'rb') as f:\r\n        finalString += f.read().decode('utf-8')\r\nwith open(OUTPUT_FILE, 'w') as out:\r\n    out.write(finalString)\r\nOnce again the script contains a huge amount of base64 encoded strings that, once concatenated, create an executable.\r\nimport re\r\nfrom base64 import b64decode\r\n\r\nps1FileContent = open(OUTPUT_FILE, 'r').readlines()\r\n# match lines of the form $mbVar{X}...FromBase64String(\"<base64>\") and capture the encoded chunk\r\nREG_PATTERN = r'^\\$mbVar.*FromBase64String\\(\\\"(.*)\\\"\\)\\s*$'\r\nOUTPUT_PAYLOAD = '/Users/igal/malwares/bumblebee/21-02-2023/payload.bin'\r\nfinalPayload = b''\r\nfor line in ps1FileContent:\r\n    regMatch = re.findall(REG_PATTERN, line)\r\n    if regMatch:\r\n        finalPayload += b64decode(regMatch[0])\r\n# replace the first byte with 'M' (0x4d) so the buffer starts with the MZ header of the executable\r\nwith open(OUTPUT_PAYLOAD, 'wb') as out:\r\n    out.write(b'\\x4d' + finalPayload[1:])\r\nprint(f'[+] Payload was extracted to the path:{OUTPUT_PAYLOAD}')\r\n[+] Payload was extracted to the path:/Users/igal/malwares/bumblebee/21-02-2023/payload.bin\r\nInvestigating the extracted binary, I found out it’s a 64-bit DLL. I’ve opened the DLL in IDA to see what is being executed from DLLMain:\r\nDLLMain will execute the function sub_180001050, which contains an interesting array variable that has in its first value a pointer to an MZ blob and in its second value what seems like the size of the blob:\r\nI took the starting offset of the blob (0x180007320) and added the possible length (0x169400) (wrote it in the IDA output window):\r\nprint(hex(0x180007320 + 0x169400))  # -> 0x180170720\r\nAnd by double-clicking on the printed value it jumped to the offset, which was the actual end of the blob data:\r\nI’ve opened the binary in x64Dbg, set a breakpoint at the array assignment of the blob and dumped the embedded binary:\r\nNow we can investigate the embedded binary.\r\nBumbleBee Payload\r\nIn this part I will be going over a quick triage process of extracting the encrypted configs located in the BumbleBee payload.\r\nFirst of all, by simply uploading the payload to Tria.ge we get a static indication that the payload is indeed a BumbleBee payload:\r\nAdditionally, Tria.ge shows us the botnet ID, which is: 202lg.\r\nGoing through what can possibly be the main function of the loader, I saw near the beginning of the function a call to a function that receives a hardcoded, strange-looking string as an argument:\r\nThe function contains RC4 encryption routines that use the hardcoded argument as the key and receive, alongside it, an encrypted blob of data and the length of that data.\r\nSo now that we know what the data is, let’s implement a quick decryption script:\r\nfrom Crypto.Cipher import ARC4\r\nimport binascii\r\n\r\nKEY = \"XNgHUGLrCD\"\r\n# hex-encoded RC4 blobs taken from the binary (the hex strings are truncated in this copy of the post)\r\nBLOB_CONFIG_PORT = \"0b002425baa537efd52cf61f683f8116bc994d01c892b9c140f4a29c3f8a0b823f5a65b8dc08bb73c1e7ec5f5cb4\"\r\nBLOB_CONFIG_BOTNET = \"0d042549dda537efd52cf61f683f8116bc994d01c892b9c140f4a29c3f8a0b823f5a65b8dc08bb73c1e7ec5f5c\"\r\nBLOB_CONFIG_C2 = \"0e00260b8b9306c1e418c531590cb72c8eae7f2dfaa38def77c38ca50ca439b30a60578eef248a43f5c9dd69649a3d\"\r\n\r\ndef toRaw(hexVal):\r\n    return binascii.unhexlify(hexVal.encode())\r\n\r\ndef initCipher():\r\n    # RC4 is a stream cipher, so a fresh cipher object is needed for every blob\r\n    return ARC4.new(KEY.encode())\r\n\r\n# each decrypted blob is cut at the first run of four null bytes\r\ncipher = initCipher()\r\nplainPort = cipher.decrypt(toRaw(BLOB_CONFIG_PORT)).split(b'\\x00\\x00\\x00\\x00')[0].decode()\r\ncipher = initCipher()\r\nplainBotnet = cipher.decrypt(toRaw(BLOB_CONFIG_BOTNET)).split(b'\\x00\\x00\\x00\\x00')[0].decode()\r\ncipher = initCipher()\r\nplainC2List = cipher.decrypt(toRaw(BLOB_CONFIG_C2)).split(b'\\x00\\x00\\x00\\x00')[0].decode().split(',')\r\nprint(f'[+] Botnet:{plainBotnet}')\r\nprint(f'[+] Port:{plainPort}')\r\nprint('[+] C2 List:')\r\nfor c2 in plainC2List:\r\n    print(f'\\t[*] {c2}')\r\n[+] Botnet:202lg\r\n[+] Port:443\r\n[+] C2 List:\r\nThe retrieved botnet ID is 202lg, which correlates fairly well with a recent tweet from k3dg3 regarding BumbleBee activity utilized by TA579:\r\nSummary\r\nIn this blog post we went over a recent BumbleBee campaign that uses a multi-layered PowerShell script in order to load the BumbleBee loader.\r\nI’ve mainly focused on breaking down the PowerShell script part rather than on the loader capabilities; if you want to learn more about the BumbleBee loader, check this blog written by Eli Salem.\r\nUpdate 1\r\nDuring my writing I found yet another campaign with the botnet ID lg0203. I’ve run my scripts on the hidden PowerShell script and managed to extract the DLL without any problem :)\r\nIOCs\r\nSamples:\r\nrequested_documents_714407544541.zip - d4a358c875ab55c811368eabe8fa33d09fe67f2d3beafa97b9504bf800a7a02d\r\n8702268950347.img - a55979165779c3c4fc1bc80b066837df206d9621b0162685ed1a6f6a5203d8af\r\nrequested information.lnk - 6fb690fbeb572f4f8f0810dd4d79cff1ca9dbd2caa051611e98d0047f3f2aa56\r\ndocuments.ps1 - b6d05d8f7f1f946806cd70f18f8b6af1b033900cfaa4ab7b7361b19696be9259\r\nLoaderDLL.bin - 2d5c9b33ed298f5fb67ce869c74b2f2ec9179a924780da65fcbc1a0e0463c5d0\r\nBumbleBeeLoader.bin - 4a5d5e6537044cdbf8de9960d79c85b15997784ba1b74659dbfcb248ccc94f59\r\nSource: https://0xtoxin.github.io/malware%20analysis/Bumblebee-DocuSign-Campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://0xtoxin.github.io/malware%20analysis/Bumblebee-DocuSign-Campaign/"
	],
	"report_names": [
		"Bumblebee-DocuSign-Campaign"
	],
	"threat_actors": [
		{
			"id": "1f87ac52-682a-4bc7-b7ce-fac8d79815fa",
			"created_at": "2023-01-06T13:46:39.373008Z",
			"updated_at": "2026-04-10T02:00:03.305899Z",
			"deleted_at": null,
			"main_name": "TA579",
			"aliases": [],
			"source_name": "MISPGALAXY:TA579",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434638,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/362b9a8c655921d16fd86c6fd529de65d801536b.pdf",
		"text": "https://archive.orkl.eu/362b9a8c655921d16fd86c6fd529de65d801536b.txt",
		"img": "https://archive.orkl.eu/362b9a8c655921d16fd86c6fd529de65d801536b.jpg"
	}
}