{
	"id": "47bb16bf-13ac-4683-84da-ed9d7f348f75",
	"created_at": "2026-04-06T00:20:16.889014Z",
	"updated_at": "2026-04-10T03:33:16.002127Z",
	"deleted_at": null,
	"sha1_hash": "4270b82d1c09e7f1217205669ad1cec8dc96c0e8",
	"title": "Bumblebee Malware: Deep Instinct Prevents Attack Pre-Execution | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1448483,
	"plain_text": "Bumblebee Malware: Deep Instinct Prevents Attack Pre-Execution\r\n| Deep Instinct\r\nBy Deep Instinct Threat Lab\r\nPublished: 2022-08-24 · Archived: 2026-04-05 18:20:08 UTC\r\nSummary\r\nDeep Instinct recently prevented a targeted Bumblebee malware attack in one of our clients’ environments. The attack, which was detected and prevented before execution, involved an obfuscated PowerShell script, a .VHD file (a type of disk image file similar to .ISO), a DLL, and spear phishing correspondence.\r\nCurrently, the relevant IoCs (indicators of compromise) are not detected by most security vendors. This blog provides a detailed review of these IoCs and technical details of each stage of the full Bumblebee malware attack.\r\nSpear Phishing and Delivery\r\nPhishing attacks have become threat actors’ tool of choice for malware delivery. The concept is quite simple: an attacker crafts a dropper and attaches it to an email with a compelling message meant to fool the target into opening the file. However, greater awareness and training on how to spot and avoid these attacks is leading threat actors to employ more sophisticated means to launch spear phishing attacks.\r\nThe most successful spear phishing campaigns rely on deception to gain a potential victim’s trust – often including personal details about the recipient in the phishing note or sending the harmful email from a domain that is very similar to one that the recipient trusts. 
Threat actors also commonly impersonate close friends and colleagues to trick their targets into opening compromised messages.\r\nDeep Instinct prevented an infection that started with a clever spear phishing attack where the malicious actor pretended to be someone from a well-known organization, using a domain with an almost identical name, impersonating an employee, and using a highly relevant subject line to trick the target into opening the note.\r\nTo further establish trust, the attacker did not include any attachments or requests to download files from a remote location in their first email – they only introduced themselves as the person they were impersonating and used the promise of a new business opportunity to increase their odds of getting a response.\r\nAfter the initial contact had been established and “trust” earned, the threat actor invited the recipient to a meeting with them. Files were sent to be reviewed before the meeting, and the recipient was informed that another email with a link to the file sharing platform “Smash” would also be sent.\r\nhttps://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader\r\nPage 1 of 11\n\nFigure 1 – The second email.\r\nThe attacker used a domain “hognose1” registered with porkbun.com, with Postfix smtpd.\r\nThe “Smash” link was provided in a separate email leading to a .VHD file. 
The file contained an .LNK (shortcut file), which executes a hidden PowerShell script that also resides in the disk image file.\r\nVHD container\r\nThe malicious VHD contains a shortcut file which runs a hidden PowerShell script when executed.\r\nFigure 2 - VHD container, as seen when mounted.\r\nFigure 3 – VHD container, hidden files shown.\r\nFigure 4 - Shortcut file runs hidden PowerShell script.\r\nSince Microsoft disabled Office macros by default and added a few more steps to enable them, the combination of a disk image file (.ISO/.VHD, etc.) and a shortcut file has been gaining popularity as a “replacement” for Office macros in the threat landscape.\r\nPrice Quote for PowerShell Loader\r\n“quoutefile.ps1” - 1st Stage PowerShell loader\r\nOnce executed by the .LNK file, “quoutefile.ps1” hides the open PowerShell window and continues running. This is likely a measure to avoid using the “-windowstyle hidden” PowerShell command line parameter, which can lead to an increased chance of detection.\r\nFigure 5 - PowerShell code snippet to hide open window.\r\nAn interesting point of note: the code employs light, but effective, obfuscation intended to break up suspicious strings and evade static scanning.\r\nHaving hidden the active PowerShell window, the code continues to de-obfuscate a series of more than 100 “elem” variables which contain Gzip compressed data streams: it forms a valid Gzip stream header by replacing the first character of each stream with the character “H”, using “insert” and “remove” instead of the much more common “replace” method; the valid Gzip stream is then appended to an array.\r\nThis is another example of how cybercriminals use simple and very effective measures to evade static scanning.\r\nFigure 6 - 
\"Obfuscated\" Gzip streams.\r\nThe code then iterates through the array of Gzip compressed streams, decompresses them, and forms the 2nd stage code block, which is then executed by “Invoke-Expression.”\r\nFigure 7 – 2nd stage is de-compressed and executed.\r\n2nd Stage PowerShell loader\r\nThe 2nd stage of the PowerShell loader is composed of a very large, very well written (even commented) code block which loads an embedded 64-bit .DLL into memory.\r\nThis stage also continues the theme of simple, effective obfuscation intended to evade static analysis.\r\nFigures 8-9 – Suspicious string “breakup.”\r\nThe loader validates the embedded file and performs multiple checks to ensure the file is loaded properly on the executing system.\r\nFigures 10-11 – File validation and check.\r\nFigure 12 – References to the payload .DLL exported functions.\r\nFinally, the loader sleeps for five seconds and calls its main function in order to load the payload .DLL into memory. Note the “replacement trick” used here to conceal the executable MZ header, similar in fashion to the Gzip stream “obfuscation” used in the 1st stage.\r\nFigure 13 – Main function called to load payload .DLL\r\nLink to Bumblebee Malware\r\nThe final DLL is a 64-bit Bumblebee payload.\r\nIt is protected by what appears to be a unique private crypter that is present in all Bumblebee binaries. 
The crypter uses an export function named “setPath:”\r\nFigure 14 – Crypter export function “setPath.”\r\nEven before unpacking the sample (simply by looking at the strings of the file) it is clear that no major changes have been made.\r\nThe “stolen” open-source code for the anti-VM checks is still present:\r\nFigure 15 – Strings associated with Anti-VM Code.\r\nThe code is a huge collection of various techniques used to identify whether a program is executed in a virtual machine or under emulation, and whether debugger and sandbox indicators are present in the running environment.\r\nFigure 16 – Open-source code used for Anti-VM.\r\nThere are checks for processes of known malware analysis and debugging tools as well as processes related to virtualization.\r\nSpecific registry keys are queried to identify whether the system is virtual. 
In addition, there are checks for DLL and SYS files and specific folders that will exist only in a virtual machine.\r\nThe MAC address is also checked, as virtual network cards can be easily identified by the name of their virtualization vendor.\r\nVarious WMI queries are made for system information, such as fan information.\r\nFigure 17 – Bumblebee hooking various Windows functions.\r\nA full, detailed overview of Bumblebee malware can be found here.\r\nLink to the Threat Actor\r\nThe observed attack chain is consistent with EXOTIC LILY activity.\r\nThe attackers registered a visually similar domain, using a lowercase “L” instead of a lowercase “I”, which spoofed a legitimate U.S.-based cybersecurity company.\r\nThe attackers created an email box impersonating an employee of the company and sent business proposal leads.\r\nThe emails are written in proper English, including an email signature which looks very similar to the signature used by the company. 
The domain in the email signature is changed to the fake domain created by the attackers.\r\nAlthough it might be coincidental, the attackers chose to send the mails around the time of Black Hat USA. This might be because many sales teams are out of the office attending the conference; we speculate that they may have fewer security measures outside the office and are constantly networking, making it more realistic that a business proposal email would be sent, received, and read during the show.\r\nOne notable change in EXOTIC LILY’s activity is the addition of the “Smash” file transfer platform to deliver Bumblebee.\r\nAs noted by Google’s TAG, “EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.”\r\nIBM found connections and code similarities between Bumblebee, Ramnit, and Trickbot malware, which seem to be developed by the same group that developed the Conti ransomware.\r\nHowever, “Conti” no longer exists, and as noted by IBM, Bumblebee has been linked to Quantum ransomware.\r\nDeep Instinct Prevention of Bumblebee Attack\r\nWhile Deep Instinct prevented the attack pre-execution, the detection rate of the PowerShell payload was zero on VT when first seen, and even a few days later only three more generic detections had been added.\r\nFigure 18 – Malicious PowerShell zero detection on first seen in VT.\r\nFigure 19 – VirusTotal detection evolution for the malicious PowerShell.\r\nThe prevention notification below proves once again that signature-based detection is not effective against new or modified attack flows.\r\nFigure 20 – Prevention by Deep Instinct.\r\nIf 
you’d like to learn more about our malware, ransomware, and zero-day prevention capabilities – including our industry-best $3M no-ransomware guarantee – we’d be delighted to give you a demo.\r\nIOCs\r\ncontainer.vhd (sha256) 91d29cfe549d8c7ade35f681ea60ce73a48e00c2f6d55a608f86b6f17f494d0d\r\nQuote.lnk (sha256) 940182dd2eaf42327457d249f781274b07e7978b62dca0ae4077b438a8e13937\r\nquotefile.ps1 (sha256) d6cc3ac995484b99ed790b6f8ceb145492794eb5d01ec4a71123b9975e9bfd20\r\nstage2.ps1 (sha256) 5d000af554dcd96efa066301b234265892b8bf37bf134f21184096bdc3d7230b\r\npayload.dll (sha256) 0b0a5f3592df7b538b8d8db4ba621b03896f27c9f112b88d56761972b03e6e58\r\nhttps://www.youtube.com/watch?v=M93qXQWaBdE\r\nSource: https://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader"
	],
	"report_names": [
		"the-dark-side-of-bumblebee-malware-loader"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434816,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4270b82d1c09e7f1217205669ad1cec8dc96c0e8.pdf",
		"text": "https://archive.orkl.eu/4270b82d1c09e7f1217205669ad1cec8dc96c0e8.txt",
		"img": "https://archive.orkl.eu/4270b82d1c09e7f1217205669ad1cec8dc96c0e8.jpg"
	}
}