{
	"id": "02f87617-12c1-4354-8535-29f4ccf73296",
	"created_at": "2026-04-06T00:14:19.969141Z",
	"updated_at": "2026-04-10T13:12:07.235178Z",
	"deleted_at": null,
	"sha1_hash": "4c4b9b9d55c353f69d36357c307cfc72d7e806f7",
	"title": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1588960,
	"plain_text": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID | Deep Instinct\r\nBy Shaul Vilkomir-Preisman, Threat Intelligence Researcher\r\nPublished: 2023-06-22 · Archived: 2026-04-05 19:27:36 UTC\r\nDeep Instinct’s Threat Research Lab recently noticed a new strain of a JavaScript-based dropper that is delivering Bumblebee and IcedID. The dropper contains comments in Russian and employs the unique user-agent string “PindOS”, which may be a reference to current (and past) anti-American sentiment in Russia.\r\nBumblebee is a malware loader first discovered in March 2022. It was associated with the Conti group and was being used as a replacement for BazarLoader. It acts as a primary vector for multiple types of other malware, including ransomware.\r\nIcedID is a modular banking malware designed to steal financial information. It has been seen in the wild since at least 2017 and has recently been observed shifting some of its focus to malware delivery.\r\nBumblebee’s Dilemma – PowerShell or JavaScript?\r\nBumblebee’s primary modus operandi, including its most recent major campaign, involves a PowerShell-based first stage with very characteristic obfuscation (“elemXXX”). This serves as a wrapper and loading routine for an embedded 64-bit payload .DLL. Our analysis of this flow can be found here.\r\nhttps://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid\r\nPage 1 of 9\r\nThe possible switch to JavaScript instead of PowerShell marks a significant change in Bumblebee’s well-established TTPs.\r\nIcedID – From Banker to Loader?\r\nAs recent reports indicate, IcedID appears to be partially following in Emotet’s footsteps and may be abandoning its banking and financial functionalities in favor of becoming a more generalized loader-type malware. An association with a new JavaScript type of dropper can be seen as another step in this direction.\r\nPindOS JavaScript Technical Analysis\r\nOnce de-obfuscated, the dropper is surprisingly simple. It consists of a single function, “exec,” which gets four parameters:\r\n“UserAgent” – The user-agent string to be used when downloading Bumblebee’s .DLL\r\n“URL1” – First address to download from\r\n“URL2” – Second address to download from\r\n“RunDLL” – Payload .DLL exported function to call\r\nWhen executed, the dropper will attempt to download the payload initially from URL1 and execute it by calling the specified export directly via rundll32.exe. If this fails, the dropper will attempt to download the payload from URL2 and execute it using a combination of PowerShell and rundll32.exe.\r\nThe downloaded payload is saved to %appdata%/Microsoft/Templates/\u003c6-char-random-number\u003e.dat\r\nFigure 1 – PindOS' main function\r\nThe function is then called twice, with four separate URLs:\r\nFigure 2 – exec function call from Bumblebee dropper\r\nFigure 3 – exec function call from IcedID dropper\r\nFigure 4 – Payload download\r\nThe retrieved payloads are generated pseudo-randomly “on-demand”, which results in a new sample hash each time a payload is fetched. This is commonly done to avoid signature-based detection. However, in Bumblebee’s case, this seems somewhat ineffective compared to the previous flow (which did not write the payload directly to disk), as the samples are fairly well detected even on “first-seen”. This is likely due to the generated payload’s exports and several other indicators which remain constant and do not vary across the different generated samples.\r\nFigure 5 – A generalized comparison of Bumblebee’s infection flows – “older” on the right; “newer” on the left.\r\nAccording to VirusTotal, on “first-seen” PindOS droppers have mostly received very low detection rates:\r\nFigures 6 \u0026 7 – VT first-seen detection for PindOS droppers\r\nBumblebee DLL Payload Analysis Highlights\r\nThe DLL payload is slightly different from the one previously encountered. Dynamically, it is very similar, with the addition of a few layers of obfuscation. Its anti-debugging and anti-VM/sandbox features remain the same, but with some additional “legitimate looking” strings taken from the open-source FFmpeg project’s “error.c” file and a few other files from the same project, added for distraction purposes:\r\nFigure 8 – Strings found in Bumblebee DLL\r\nFigure 9 – FFmpeg project source, “error.c” file.\r\nAnother point of differentiation is that previously Bumblebee DLLs had two main export functions, while the new one has four.\r\nFigure 10 – “New” Bumblebee DLL Exports\r\nFigure 11 – “Old” Bumblebee DLL exports, with main “SetPath” function\r\nFurther examination of the DLL brings us to the same main function as the previous variant.\r\nFigure 12 – “SetPath” in the “new” Bumblebee DLL.\r\nConclusion\r\nBumblebee’s latest “experiment” attempts to leverage pseudo-random sample generation as a means of reducing the risk of detection. This has been used by threat actors in the financial/banking malware landscape for years, including IcedID, which “shares” the PindOS dropper.\r\nWhether PindOS is permanently adopted by the actors behind Bumblebee and IcedID remains to be seen. If this “experiment” is successful for each of these “companion” malware operators, it may become a permanent tool in their arsenal and gain popularity among other threat actors.\r\nAs Bumblebee and IcedID are known to deliver ransomware, we recommend that security teams take note of these IOCs. You can find updated lists of IOCs on our GitHub page.\r\nIOCs\r\nNetwork Artifact\r\nUser-Agent: PindOS\r\nBumblebee infection URLs\r\nBumblebee .JS dropper SHA256\r\nBumblebee DLL payload SHA256\r\nIcedID infection URLs\r\nIcedID .JS dropper SHA256\r\nIcedID DLL payload SHA256\r\nMITRE ATT\u0026CK\r\nTactic | Technique | Description | Observable\r\nExecution | Command and Scripting Interpreter: JavaScript – T1059.007 | Adversaries may abuse various implementations of JavaScript for execution. | .JS Droppers\r\nDefense Evasion | System Binary Proxy Execution: Rundll32 – T1218.001 | Adversaries may abuse rundll32.exe to proxy execution of malicious code. | Rundll32.exe usage\r\nDefense Evasion | Obfuscated Files or Information – T1027 | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. | Obfuscated JS, “Random” generated payloads\r\nSource: https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid"
	],
	"report_names": [
		"pindos-new-javascript-dropper-delivering-bumblebee-and-icedid"
	],
	"threat_actors": [],
	"ts_created_at": 1775434459,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c4b9b9d55c353f69d36357c307cfc72d7e806f7.pdf",
		"text": "https://archive.orkl.eu/4c4b9b9d55c353f69d36357c307cfc72d7e806f7.txt",
		"img": "https://archive.orkl.eu/4c4b9b9d55c353f69d36357c307cfc72d7e806f7.jpg"
	}
}