{
	"id": "6b1a59c0-1425-49cd-92bb-42876789027a",
	"created_at": "2026-04-06T00:12:55.192383Z",
	"updated_at": "2026-04-10T03:24:24.66168Z",
	"deleted_at": null,
	"sha1_hash": "6890522aad79e2338bad83ada9a64db61f9b9980",
	"title": "Cyble - Bumblebee Loader On The Rise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1396920,
	"plain_text": "Cyble - Bumblebee Loader On The Rise\r\nPublished: 2022-06-07 · Archived: 2026-04-05 14:30:47 UTC\r\nCyble analyzes Bumblebee, a new malware loader on the rise that delivers Cobalt Strike Beacons and other malware onto victim systems.\r\nSophisticated loader delivers Cobalt Strike Beacons\r\nIn March 2022, a new malware named “Bumblebee” was discovered and reportedly distributed via spam campaigns. Researchers identified that Bumblebee is a replacement for the BazarLoader malware, which has delivered Conti ransomware in the past. Bumblebee acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, shellcode, Sliver, Meterpreter, etc. It also downloads other types of malware such as ransomware, trojans, etc.\r\nOur intelligence indicates that the incidents of Bumblebee infection are on the rise, as shown below.\r\nhttps://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/\r\nPage 1 of 12\r\nRise of Bumblebee Malware\r\nThe Bumblebee infection starts through a spam email. This email contains a link that downloads an ISO file, which in turn drops the malicious Dynamic Link Library (DLL) file. The DLL file then loads Bumblebee’s final payload on the victim’s machine.\r\nISO files are a type of archive file that contain an identical copy of the data found on an optical disc (CD, DVD, etc.). They are primarily used to back up optical discs or to distribute large file sets intended to be burned onto an optical disc.\r\nFigure 1 – Bumblebee Infection Vector\r\nTechnical Details:\r\nThe complete technical analysis of Bumblebee is given in the following sections. Cyble Research Labs analysed the sample with SHA256 hash “3e698d8d6e7820cc337d5e2eb3d8fbae752a4c05d11bcf00d3cb7d6dc45e1884”.\r\nBumblebee Initial Access:\r\nBumblebee has been distributed through spear-phishing email messages that use different methods to trick users into downloading and opening the ISO files.\r\nThe spam email contains an HTML attachment as well as a hyperlink in the mail body to download the ISO file. Similarly, the HTML attachment contains a link that downloads the ISO file from Microsoft OneDrive.\r\nFigure 2 shows the spam email that downloads the ISO file from Microsoft OneDrive when users click on the “REVIEW THE DOCUMENT” hyperlink.\r\nFigure 2 – Spam Email (Source – Proofpoint)\r\nThe ISO file contains two files called Attachments.lnk and Attachments.dat. This malicious link file contains the parameters to execute “Attachments.dat,” which is the Bumblebee payload, using the Windows rundll32.exe utility. Figure 3 shows the contents of the ISO file and the properties of the .lnk file.\r\nFigure 3 – Contents of the ISO File and Properties of Malicious .lnk File\r\nTarget command line:\r\ncmd.exe /c start /wait “” “C:\\Users\\Admin\\Local\\Temp\\Attachments.lnk” rundll32.exe “C:\\Windows\\System32\\rundll32.exe” Attachments.dat,ProcessLoad\r\nIn another case of infection, the ISO file contains three files, namely New Folder.LNK, 7z.exe, and arch.7z. The shortcut file New Folder.LNK launches powershell.exe and extracts the password-protected archive arch.7z using 7z.exe.\r\nThe arch.7z file contains a 64-bit DLL file named “arch.dll,” which is the Bumblebee loader. The PowerShell command extracts arch.dll into the location C:\\ProgramData\\ and executes it using rundll32.exe. Figure 4 shows the contents of the ISO file and the properties of the .lnk file.\r\nFigure 4 – Contents of Malicious ISO and Properties of .lnk file\r\nTarget command line:\r\nC:\\Windows\\System32\\cmd.exe /c powershell -WindowStyle Hidden -Command “.\\7za.exe x arch.7z -p434330cf2449 -o\\”c:\\programdata\\” -y \u003e $null; rundll32 c:\\programdata\\arch.dll,oUlluzkNOs\r\nDefensive Evasion:\r\nBumblebee downloads and executes its additional payloads on victim machines without being detected by antivirus programs. Bumblebee uses various techniques to inject the payloads into running processes.\r\nThe Bumblebee loader has a list of process names belonging to tools used by security researchers, which it uses to identify whether it is being debugged or running in a virtual environment. The malware terminates its execution if it identifies any of these processes running on the victim’s machine. The figure below shows the list of process names.\r\nFigure 5 – List of the Security Tools\r\nThe malware also terminates its execution if it identifies that it is running in a sandbox environment. The malware calls the Wine_get_unix_file_name() API to identify a sandbox machine, as shown below.\r\nFigure 6 – Sandbox Detection using GetProcAddress()\r\nBumblebee also avoids running in a sandbox environment by comparing the victim’s username with a list of hard-coded usernames. The hard-coded names are commonly used sandbox usernames seen in the wild. If the user account name matches a name on the list, the malware terminates itself. The list of user account names is shown in the figure below.\r\nFigure 7 – List of Hardcoded User Accounts\r\nThe malware performs additional checks to identify virtual environments such as Wine, VirtualBox, and VMware. To identify the virtual environment, the malware performs the following actions:\r\nQueries registry keys related to virtual machine software\r\nExecutes WMI queries to identify them\r\nIdentifies emulators by reading the respective registry keys\r\nIdentifies the window names of running processes\r\nThis technique used by the malware is highlighted in the figure below.\r\nFigure 8 – Additional Defence Evasion Techniques\r\nAfter evading detection, Bumblebee resolves its function names at runtime and creates an event with a unique name, 3C29FEA2-6FE8-4BF9-B98A-0E3442115F67.\r\nFigure 9 – Bumblebee Creating Unique Event\r\nThe malware uses WMI queries to collect details such as system details, adapter details, etc., from the victim’s machine. After that, it sends the stolen information to the Command and Control (C\u0026C) server.\r\nFigure 10 – WMI Queries\r\nThe Bumblebee loader uses various commands to perform malicious activities such as DLL injection, downloading executables, uninstalling the loader, and enabling persistence. The commands used by the malware are listed below.\r\n“dij”\r\n“dex”\r\n“sdl”\r\n“ins”\r\nDLL Injection:\r\nThe malware receives the “dij” command for DLL and shellcode injection. As shown in Figure 11, it injects shellcode into legitimate processes using the APC routine. It specifically injects code into the following processes:\r\n\\\\Windows Photo Viewer\\\\ImagingDevices.exe\r\n\\\\Windows Mail\\\\wab.exe\r\n\\\\Windows Mail\\\\wabmig.exe\r\nFigure 11 – Process injection via Asynchronous Procedure Calls (APC)\r\nThe loader then creates two new sections within the target process and copies the shellcode into the newly created sections. It then invokes the shellcode in the target process via a dynamically resolved NtQueueApcThread().\r\nDownloading Additional Payloads:\r\nThe malware receives the “dex” command for downloading and executing additional payloads. After receiving this command along with the payload data, it writes the file to disk using the CreateFileA() and WriteFile() functions and executes it via a COM object. In this example, the malware uses the hardcoded name “wab.exe” to store the payload.\r\nFigure 12 – The dex command operation\r\nPersistence:\r\nThe “ins” command enables persistence by copying the Bumblebee malware DLL into the %appdata% directory and creating a VBS script that loads the malicious DLL using a scheduled task.\r\nThe “sdl” command uses PowerShell to delete files from the infected system without prompting the user. The PowerShell command used by the malware is:\r\nPS C:\\\u003e Remove-item -Path “filepath” -Force\r\nC\u0026C Communication:\r\nThe figure below shows the Cobalt Strike traffic generated by the malware.\r\nFigure 13 – Cobalt Strike Network Traffic of Bumblebee Malware\r\nConclusion\r\nBumblebee is a new and highly sophisticated malware loader that employs extensive evasive maneuvers and anti-analysis tricks, including complex anti-virtualization techniques. To make the Bumblebee malware’s activity stealthier and harder to detect, its Threat Actors frequently update these capabilities.\r\nThe Bumblebee loader can be deployed to facilitate initial access and deliver payloads such as Cobalt Strike, ransomware, etc. It is likely to become a popular tool for ransomware groups to deliver their payloads.\r\nCyble Research Labs closely monitors the Bumblebee malware group and other similar Threat Actor activities and analyzes them to better understand their motivations and keep our readers well-informed.\r\nOur Recommendations\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats such as phishing and untrusted URLs.\r\nAvoid downloading files from unknown websites.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices.\r\nUse a reputed antivirus and internet security software package on your connected devices, including PCs, laptops, and mobiles.\r\nBlock URLs that could spread the malware, e.g., Torrent/Warez.\r\nMonitor beacons at the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) solutions on the employees’ systems.\r\nMITRE ATT\u0026CK® Techniques:\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1566 | Phishing\r\nInitial Access | T1190 | Exploit Public-Facing Application\r\nExecution | T1059 | Command and Scripting Interpreter\r\nDefence Evasion | T1497 | Virtualization/Sandbox Evasion\r\nPersistence | T1053 | Scheduled Task/Job\r\nDiscovery | T1012 | Query Registry\r\nDiscovery | T1082 | System Information Discovery\r\nCredential Access | T1552 | Unsecured Credentials\r\nLateral Movement | T1021 | Remote Services\r\nImpact | T1496 | Resource Hijacking\r\nIndicators Of Compromise:\r\nSource: https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/"
	],
	"report_names": [
		"bumblebee-loader-on-the-rise"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434375,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6890522aad79e2338bad83ada9a64db61f9b9980.pdf",
		"text": "https://archive.orkl.eu/6890522aad79e2338bad83ada9a64db61f9b9980.txt",
		"img": "https://archive.orkl.eu/6890522aad79e2338bad83ada9a64db61f9b9980.jpg"
	}
}