{
	"id": "6cd1e483-871c-4f20-b12c-ac73c1f2b9a5",
	"created_at": "2026-04-10T03:20:21.177236Z",
	"updated_at": "2026-04-10T03:22:16.763662Z",
	"deleted_at": null,
	"sha1_hash": "584eeac7723f24c28931ef596c3a3b70d6835ccf",
	"title": "BumbleBee: a new trendy loader for Initial Access Brokers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 441695,
	"plain_text": "BumbleBee: a new trendy loader for Initial Access Brokers\r\nBy Quentin Bourgue, Pierre Le Bourhis and Sekoia TDR\r\nPublished: 2022-06-13 · Archived: 2026-04-10 03:10:50 UTC\r\nTable of contents\r\nTechnical Analysis\r\nTypical infection chain\r\nModifications in the latest version\r\nTracking BumbleBee\r\nIOCs \u0026 Technical Details\r\nThis blog post on BumbleBee malware was originally published as a FLINT report (SEKOIA.IO Flash\r\nIntelligence) sent to our clients on June 02, 2022.\r\nBumbleBee is a new malicious loader, first reported by Google TAG in March 2022, that is being used by\r\nseveral Initial Access Brokers (IABs) to gain an initial foothold within victims’ networks.\r\nIn recent weeks, many campaigns distributing BumbleBee have been observed in the wild, and the successful\r\ncompromises often lead to ransomware attacks. Indeed, affiliates of several ransomware gangs (Conti, LockBit,\r\nAvosLocker, Diavol) were observed delivering BumbleBee in order to drop another payload (Cobalt Strike,\r\nMeterpreter, Sliver, IcedID, Redline, and more) and deploy ransomware. Furthermore, SEKOIA.IO analysts\r\nobserved that the malware is still in development, with new features and improvements. All these reasons make the\r\nBumbleBee loader a major threat that companies must deal with at the moment.\r\nSEKOIA.IO analysts have been tracking this threat since early April 2022 and have seen a significant increase in\r\nthe number of active BumbleBee C2 servers and observed samples. The analysis of multiple BumbleBee\r\nsamples allowed us to identify several versions and improvements made to the product.\r\nTechnical Analysis\r\nIn this section, we briefly describe the typical infection chain used to deliver the BumbleBee loader. 
We then share\r\ntechnical details on the modifications made in the latest versions of the malware, and how we track the active C2\r\nservers and the malware samples.\r\nBefore getting into the technical details: the BumbleBee malware is a sophisticated loader that aims to download\r\nand execute a second payload. It implements several defense evasion techniques to hide from detection\r\nsystems and to make it harder for security researchers to analyze the payload.\r\nTypical infection chain\r\nhttps://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/\r\nPage 1 of 8\n\nMost of the spearphishing campaigns distributing the BumbleBee loader use the same attack pattern: an email is\r\nsent to the victim with a ZIP archive which contains an ISO file. The beginning of the attack chain consists of\r\nusing an ISO file which contains a Windows link (LNK) used to execute the payload (DLL).\r\nIn the following example, the ISO file contains two files:\r\n1. a LNK file New Folder.lnk\r\n2. a DLL executed by the LNK file\r\nAs shown in the figure below, when the LNK file is executed, it runs the command below to start the malicious\r\nDLL using rundll32.exe: C:\\\\Windows\\\\System32\\\\rundll32.exe procsvc.dll,HWgullOFkZ\r\nFigure 1. Example of an attachment (uncompressed ISO file) from a spearphishing campaign distributing\r\nBumbleBee\r\nThis infection vector is increasingly used by various actors: APTs (such as NOBELIUM), IABs (to distribute\r\nIcedID, BazarLoader, BumbleBee, and more) and other threat actors. This trend appears to be a consequence of\r\nthe disabling by default of VBA macros in Microsoft Office products, since code execution via Office macros was\r\none of the techniques most used by adversaries to get into the network.\r\nModifications in the latest version\r\nThe BumbleBee DLL uses a crypter to deobfuscate another PE that is loaded in a new memory section. 
This\r\nspecific section is quickly identifiable: a simple pattern search in a debugger on “DOS mode” can highlight the\r\nnewly allocated memory with read-write-execute permission.\r\nOnce the new section is dumped, the BumbleBee payload can be analyzed. Before anything else, it is worth noting\r\nthat the malware uses an almost complete copy/paste of the al-khaser GitHub project, as mentioned in other articles or\r\nrelated BumbleBee discussions. The al-khaser code implements several anti-detection techniques. The figure\r\nbelow shows that the main function of the BumbleBee payload avoids execution if one of the anti-virtual-environment\r\nchecks detects a virtualized environment.\r\nFigure 2. Anti-virtual machine checks in the BumbleBee code\r\nOnce the loaded PE is ready and the anti-VM checks are passed, the malware decrypts its Command and Control (C2)\r\nIP addresses with a key stored in cleartext in the .data section, using the RC4 algorithm. This decryption routine is\r\nalso used to deobfuscate its campaign ID.\r\nFigure 3. Deobfuscation routine in BumbleBee loader\r\nIn most of the payloads we investigated, three blobs of data are obfuscated using RC4:\r\n1. A list of C2 IP addresses with their associated port\r\n2. A campaign identifier (other analysts refer to this ID as the botnet ID)\r\n3. A number (often 444 or 4444)\r\nFigure 4. Recipe in CyberChef to get the obfuscated data\r\nOnce the C2 IP addresses have been deobfuscated, the malware contacts one of its C2 servers and then loads the final\r\npayload (Meterpreter, Cobalt Strike, or else).\r\nIn the initial BumbleBee versions analyzed in April 2022, the malware did not implement any C2 obfuscation: the\r\nIP addresses were stored in clear in the PE. 
This evolution shows that BumbleBee is still under development.\r\nNB: We observed a massive usage of the key “BLACK” in the dataset of samples we analyzed, and also the key\r\n“iKInPE9WrB”.\r\nTracking BumbleBee\r\nC2 infrastructure\r\nTracking the BumbleBee C2 infrastructure is not much different from other botnets such as BazarLoader, Qakbot\r\nand IcedID. The SSL certificates used for the BumbleBee C2 servers are quite specific. After some analysis of\r\nmalware samples, and thanks to search engines for Internet-connected devices, we were able to identify a common\r\nand unique pattern to find the BumbleBee C2 servers. The final heuristic is based on the SSL certificate and the\r\nHTTP response.\r\nThe heuristic results have increased from 5 C2 servers at the beginning of April to over 130 at the time of writing\r\nthis FLINT, as shown by the following figure.\r\nFigure 5. Number of active BumbleBee C2 servers by date\r\nThis shows that the BumbleBee loader has gained in popularity among threat actors, particularly Initial\r\nAccess Brokers.\r\nSamples\r\nAt the same time, we have written a YARA rule to find BumbleBee samples – it can be found in the section\r\nIOCs \u0026 Technical Details. The results of the YARA rule uploaded on a sample sharing platform confirm the trend\r\ndescribed previously.\r\nIn two months, BumbleBee has become a major threat, mostly deployed by Initial Access Brokers to gain a\r\nfoothold within a network and drop a second payload. 
With the malware being used by affiliates of ransomware\r\ngangs, companies need to monitor this threat and protect their assets from possible BumbleBee compromises.\r\nIOCs \u0026 Technical Details\r\nBumbleBee’s C2 servers\r\n23.82.140[.]133\r\n23.254.217[.]20\r\n23.254.227[.]144\r\n37.120.198[.]248\r\n49.12.241[.]35\r\n51.68.144[.]94\r\n51.68.146[.]200\r\n51.68.147[.]233\r\n51.75.62[.]99\r\n51.83.251[.]245\r\n51.83.253[.]244\r\n51.83.254[.]164\r\n54.37.130[.]166\r\n54.37.131[.]107\r\n54.38.136[.]187\r\n54.38.137[.]18\r\n54.38.138[.]141\r\n54.38.139[.]20\r\n64.44.101[.]250\r\n64.44.102[.]6\r\n64.44.102[.]150\r\n64.44.135[.]230\r\n64.44.135[.]250\r\n70.34.216[.]103\r\n104.168.156[.]224\r\n145.239.29[.]119\r\n145.239.30[.]26\r\n146.70.95[.]244\r\n146.70.106[.]47\r\n167.235.245[.]35\r\n176.107.177[.]124\r\n192.236.161[.]191\r\n192.236.162[.]127\r\n192.236.194[.]136\r\n193.29.104[.]147\r\n193.233.203[.]156\r\n194.37.97[.]135\r\n209.141.52[.]25\r\nBumbleBee’s SHA-256 hashes\r\ne2147cb6039d1b065b0d59d6e60a1e5f526415afefdfddcbbd7b1e8a33194d64\r\n064d21a62fc8718a707c3cf6ca91fddeb2fd407dfee47a923638a91a57b338a4\r\n7140becbc882cab84038ad87e977cd3cb0dc864d2437eb1e2aebab78cc3eb193\r\n0f78561577ce1a5ab8b98634fb9b2ff0392e173fb354e3625f6bab53e0f28b05\r\n94f7bc1e910866c5ed1b06242e82c8d5379d143123ff255b87fc78db98c49ae2\r\n2ca8fcce17d0ca5dc6c260c34b14b969fbc20c4a4520e19aed0a0be23a199243\r\n7b3a33baf89095f9b7d2be8dfa184c274e7f27a05a7e57faf8b32882a60bfe5c\r\n3a2112ed78bbec16929d9f39aca09efe2eb44abb80bbfa765e451a87aef84a99\r\n85019644110b9473b93e3757ed9b324666ac515a1b91afdfbc3b17241b2d9376\r\n873aa6d30e38c79b478eb04a83104bb31fd62989d3cca4b61164065038dadd29\r\n7413426f5afd78b7abc0ca0a3035c2f8578c41e18548ad530ead3ee93f638a3c\r\n
86984171de311b006bc86780e5a415b3698edb864d42e72f851a7d64c2656748\r\n9d6808021c1336763e212c787a669eb0400b089e586457b88373dd87dfcf41c9\r\nea6690f028157aec343e21484eab136379e35c6296b3e8eab4a7ba7bdfe13e5d\r\n8709e8dfe6bf8b8fdc91c342fc2da948d5b77b05e7a6dba79866f42dfe8ca04b\r\n1389ec4bde4a8970e95d8a48438395578ae81e0649f33c5ca0febe062e56712c\r\nfad36c037c93c48ef5cdf31b8ed31e452a100ad14b75dce88597ef1eea115e9e\r\nYARA rule\r\nrule loader_win_bumblebee {\r\n meta:\r\n version = \"1.0\"\r\n malware = \"BumbleBee\"\r\n reference = \"https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/\"\r\n source = \"SEKOIA.IO\"\r\n classification = \"TLP:WHITE\"\r\n strings:\r\n $str0 = { 5a 00 3a 00 5c 00 68 00 6f 00 6f 00 6b 00 65 00 72 00 32 00 5c 00 43 00 6f 00 6d 00 6d 00 6f 00\r\n $str1 = \"/gates\" ascii\r\n $str2 = \"3C29FEA2-6FE8-4BF9-B98A-0E3442115F67\" wide\r\n condition:\r\n uint16be(0) == 0x4d5a and all of them\r\n}\r\nExternal References\r\n[Google] Exposing initial access broker with ties to Conti\r\n[Cynet] Orion Threat Alert: Flight of the BumbleBee\r\n[Eli Salem’s Medium] The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection\r\n[Proofpoint] This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming\r\n[Github] Al-Khaser v0.81\r\nSource: https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/"
	],
	"report_names": [
		"bumblebee-a-new-trendy-loader-for-initial-access-brokers"
	],
	"threat_actors": [],
	"ts_created_at": 1775791221,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/584eeac7723f24c28931ef596c3a3b70d6835ccf.pdf",
		"text": "https://archive.orkl.eu/584eeac7723f24c28931ef596c3a3b70d6835ccf.txt",
		"img": "https://archive.orkl.eu/584eeac7723f24c28931ef596c3a3b70d6835ccf.jpg"
	}
}