{
	"id": "7fa1a265-f9b6-4a79-8d9f-14da6932961b",
	"created_at": "2026-04-26T02:19:44.748859Z",
	"updated_at": "2026-04-26T02:20:25.034279Z",
	"deleted_at": null,
	"sha1_hash": "8002a481ae477a283086842e197b2826b81695c3",
	"title": "Bumblebee: increasing its capacity and evolving its TTPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89239,
	"plain_text": "Bumblebee: increasing its capacity and evolving its TTPs\r\nBy itayc\r\nPublished: 2022-10-03 · Archived: 2026-04-26 02:14:41 UTC\r\nResearch by: Marc Salinas Fernandez\r\nBackground \u0026 Key Findings\r\nThe spring of 2022 saw a spike in activity of Bumblebee loader, a recent threat that has garnered a lot of attention due to its\r\nmany links to several well-known malware families. In this piece we outline the conclusions of our research into this piece\r\nof malware:\r\nBumblebee is in constant evolution, which is best demonstrated by the fact that the loader system has undergone a\r\nradical change twice in the range of a few days — first from the use of ISO format files to VHD format files\r\ncontaining a powershell script, then back again.\r\nChanges in the behavior of Bumblebee’s servers that occurred around June 2022 indicate that the attackers may have\r\nshifted their focus from extensive testing of their malware to reach as many victims as possible.\r\nAlthough the threat contains a field called group_name , it may not be a good indicator for clustering-related activity:\r\nsamples with different group_name values have been exhibiting similar behavior, which may indicate a single actor\r\noperating many group_names . The same is not true for encryption keys: different encryption keys generally imply\r\ndifferent behavior, as expected.\r\nBumblebee payloads vary greatly based on the type of victim. Infected standalone computers will likely be hit with\r\nbanking trojans or infostealers, whereas organizational networks can expect to be hit with more advanced post-exploitation tools such as CobaltStrike.\r\nBumblebee Analysis\r\nThe Bumblebee loader usually comes in the form of a DLL-like binary packed with a custom packer. 
The method by which\r\nthis DLL is delivered seems to be subject to change on the whims of the threat’s adventurous developers: while the\r\nprevailing method is to embed the packed DLL directly inside another file (usually an ISO), during a short stint in June the\r\nmalware’s operators experimented with using VHD files that executed PowerShell downloading and decrypting the packed\r\nDLL itself (packed with a very different packer), as documented by Deep Instinct. This trend seems to have died out and\r\nnow the DLL can be found directly embedded in the 1st-stage file again, whether an ISO or a VHD.\r\nOnce unpacked, Bumblebee will perform checks to avoid being executed in sandboxing or analyst environments; most of\r\nthe code responsible for this is open source, lifted directly from the Al-Khaser project. If these checks pass, Bumblebee\r\nproceeds to load its configuration into memory. This is done by loading four pointers from its .data section which point to\r\nfour different buffers in a contiguous encrypted configuration struct. The first of these points to an 80-byte section that stores\r\nan RC4 ascii key (much shorter in all cases we’ve observed). The other three pointers point to two 80-byte sections and a\r\n1024-byte section, all of which contain data that is then decrypted using the above-mentioned RC4 key.\r\nOnce decrypted, the first 80-byte buffer in most of the samples to date has simply contained the number “444”; the malware\r\nmakes no use of this number so its significance is not clear. The second buffer contains an ASCII code which is called\r\ngroup_name by the malware. 
Finally, the 1024-byte block contains a list of command and control servers (most of them are\r\nusually fake).\r\nFigure 1: Bumblebee ciphered configuration\r\nBumblebee computes a machine-specific pseudorandom victim ID (internally named client_id ) via the usual method of\r\nconcatenating some immutable machine parameters (in this case, machine name and GUUID) and then calculating a hash of\r\nthe result (in this case, an MD5 digest).\r\nhttps://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/\r\nPage 1 of 7\n\nUsing this data and some other elements collected from the victim system, Bumblebee builds a C\u0026C check-in in JSON\r\nformat, such as the one below:\r\n{\r\n \"client_id\":\"3f4aa6d4e02790dea90186c5376c0064\",\r\n \"group_name\":\"1406r\",\r\n \"sys_version\":\"Microsoft Windows 10 pro \\\\nUser name: LUCAS-PC\\\\nDomain name: WORKGROUP\",\r\n \"client_version\":1\r\n}\r\nThis string is encrypted using the same RC4 key used earlier for the configuration, and repeatedly sent to its C2 server with\r\nrandom delays between 25 seconds and 3 minutes regardless of whether the server responds or it’s down. The response from\r\nthe command and control server is also in JSON format and also encrypted with the same RC4 key (we appreciate this\r\nelegant design and encourage malware authors to aspire to this standard of legibility). 
The content of the response itself\r\nnaturally varies, and can be for example an empty response:\r\n{\r\n \"response_status\":1,\r\n \"tasks\":null\r\n}\r\nOr some payload to inject or execute:\r\n{\r\n \"response_status\": 1,\r\n \"tasks\": [\r\n {\r\n \"task\": \"shi\",\r\n \"task_id\": 5245,\r\n \"task_data\": \"/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAAB\r\n \"file_entry_point\": \"\"\r\n }\r\n ]\r\n}\r\nIn the case of receiving a payload, the structure of the response will contain a list of elements in the tasks section of the\r\njson, each with a command and a payload. Each of the elements will contain, among others, a task field with the name of\r\nthe command to be executed, and a base64 encoded payload inside a section called task_data .\r\nBotnet Behavior Analysis\r\nUntil early July we have observed a very curious behavior of the command and control servers. 
Once a client_id was\r\ngenerated for an infected victim and sent to a command and control server, that command and control server would stop\r\naccepting other different client_id codes from that same victim external IP. This means that if several computers in an\r\norganization, accessing the internet with the same public IP were infected, the C2 server will only accept the first one\r\ninfected. But several weeks ago this feature was abruptly turned off, drastically increasing the number of established\r\nconnections to infected victims at the expense of… whatever this feature was supposed to achieve (possibly it was indicative\r\nof a testing phase for the malware, which has now ended).\r\nThis behavior motivated us to pay special attention to the behavior of Bumblebee in different execution environments.\r\nNotably, despite having a field called group_name hardcoded in every sample, this value is sent in each request to the\r\ncommand and control server. Further, the above-described “one client_id per IP address” policy curiously seemed to\r\napply across different group_names — but not across different RC4 encryption keys, which seems to imply the use of\r\nseveral group_names by what is effectively the same botnet, possibly to mark different campaigns or different sets of\r\nvictims. 
As a result, grouping activity by encryption key seems to be a more coherent approach than grouping by\r\ngroup_name .\r\nThis hypothesis is further supported by the fact that we’ve observed several samples with the same RC4 key and different\r\ngroup_name acting identically and dropping the same threats within a very close time range, while samples that differ in\r\ntheir used RC4 key exhibit completely different behavior.\r\nFigure 2: Different Bumblebee samples dropping the same payloads based on their RC4 Keys\r\nThe fact that command and control servers with different IP addresses contacted by different samples using the same RC4\r\nkey are returning the same payloads and blocking the same client_id for their victims also suggests that these IP\r\naddresses actually only act as fronts for a main command and control server to which all Bumblebee connections are\r\nrelayed.\r\nAnother interesting element of the behavior of these botnets is how the toolset dropped by Bumblebee into victim machines\r\ndiffers depending on the kind of target. To deploy a threat, of the 5 commands supported by bumblebee, 3 lead to code being\r\ndownloaded from the C2 server and executed:\r\nDEX : deploys an executable to disk and runs it.\r\nDIJ : Injects a library into a process and executes it.\r\nSHI : injects and executes shellcode into a process.\r\nAs part of our ongoing monitoring of various Bumblebee botnets, we have been monitoring differences in behavior based on\r\nfactors such as type of network or geolocation. 
While the victim’s geographical location didn’t seem to have any effect on\r\nthe malware behavior, we observed a very stark difference between the way Bumblebee behaves after infecting machines\r\nthat are part of a domain (a logical group of network that share the same Active Directory server), as opposed to machines\r\nisolated from a company network that are connected to a workgroup (a Microsoft term to denote a peer to peer local area\r\nnetwork).\r\nIf the victim is connected to WORKGROUP, in most cases it receives the DEX command (Download and Execute), which\r\ncauses it to drop and run a file from the disk. These payloads are usually common stealers like Vidar Stealer, or banking\r\ntrojans:\r\nFigure 3: Bumblebee C2 response with a DEX command containing a Base64 encoded payload\r\nOn the other hand, if the victim is connected to an AD domain, it generally receives DIJ (Download and Inject) or SHI\r\n(Download shellcode and Inject) commands.\r\nFigure 4: Bumblebee C2 response with a DIJ command containing a Base64 encoded payload\r\nIn these cases, the resulting threats have been payloads from more advanced post-exploitation frameworks, such as\r\nCobaltStrike, Sliver or Meterpreter.\r\nIn these cases, it has also been observed that regardless of the IP of the command and control server and the group_name\r\nfield, samples with the same RC4 key drop the same Cobalt Strike beacons with the same Team servers, which has proven to\r\nbe a very useful means of relating different samples to each other as part of the same botnet.\r\nOne last interesting feature of the payloads dropped by Bumblebee is that both the binaries downloaded using the DEX\r\ncommand and those downloaded with the DIJ command are in many cases packaged using the same Bumblebee packer.\r\nConclusion\r\nAnalyzing the behavior of the command and control servers used by Bumblebee operators, we have observed how they have\r\ntweaked the way their infection chains behave, sometimes in ways that 
served to drastically expand the number of active\r\nvictims and volume of C2 traffic.\r\nFor the moment, behavior until the deployment of the 2nd-stage payload is very similar even across different Bumblebee\r\nbotnets, but further behavior starting with the choice of 2nd-stage payload sharply diverges based on RC4 key used. This\r\nbehavior can also serve to group activity into different clusters, on top of using the RC4 key itself.\r\nUnlike other threats that use third-party packers and off-the-crimeware-shelf antivirus evasion tools, Bumblebee uses its\r\nown packer both for the threat itself and for some of the samples it deploys on victims’ computers, just like other advanced\r\nmalware families such as Trickbot. While this allows Bumblebee operators greater flexibility in changing behavior and\r\nadding features, the use of unique custom tools also serves as a method to quickly identify Bumblebee activity in the wild.\r\nCheck Point’s security products are designed to prevent any cyber attack and protect against threats such as described in\r\nthis blog\r\nYara Rule\r\nrule malware_bumblebee_packed {\r\n meta:\r\n author = \"Marc Salinas @ CheckPoint Research\"\r\n malware_family = \"BumbleBee\"\r\n date = \"13/07/2022\"\r\n description = \"Detects the packer used by bumblebee, the rule is based on the code responsible for allocating memory for a critical structure in its logic.\"\r\n \r\n dll_jul = \"6bc2ab410376c1587717b2293f2f3ce47cb341f4c527a729da28ce00adaaa8db\"\r\n dll_jun = \"82aab01a3776e83695437f63dacda88a7e382af65af4af1306b5dbddbf34f9eb\"\r\n dll_may = \"a5bcb48c0d29fbe956236107b074e66ffc61900bc5abfb127087bb1f4928615c\"\r\n iso_jul = \"ca9da17b4b24bb5b24cc4274cc7040525092dffdaa5922f4a381e5e21ebf33aa\"\r\n iso_jun = \"13c573cad2740d61e676440657b09033a5bec1e96aa1f404eed62ba819858d78\"\r\n iso_may = \"b2c28cdc4468f65e6fe2f5ef3691fa682057ed51c4347ad6b9672a9e19b5565e\"\r\n zip_jun = \"7024ec02c9670d02462764dcf99b9a66b29907eae5462edb7ae974fe2efeebad\"\r\n zip_may = \"68ac44d1a9d77c25a97d2c443435459d757136f0d447bfe79027f7ef23a89fce\"\r\n \r\n strings:\r\n $heapalloc = {\r\n 48 8? EC [1-6] // sub rsp, 80h\r\n FF 15 ?? ?? 0? 00 [0-5] // call cs:GetProcessHeap\r\n 33 D2 // xor edx, edx ; dwFlags\r\n 4? [2-5] // mov rcx, rax ; hHeap\r\n 4? ?? ?? // mov r8d, ebx ; dwBytes\r\n FF 15 ?? ?? 0? 00 // call cs:HeapAlloc\r\n [8 - 11] // (load params)\r\n 48 89 05 ?? ?? ?? 00 // mov cs:HeapBufferPtr, rax\r\n E8 ?? ?? ?? ?? // call memset\r\n 4? 8B ?? ?? ?? ?? 00 // mov r14, cs:HeapBufferPtr\r\n }\r\n \r\n condition:\r\n $heapalloc\r\n}\r\nIOCs\r\nBumblebee samples\r\nBumblebee C2 servers\r\nSource: https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/"
	],
	"report_names": [
		"bumblebee-increasing-its-capacity-and-evolving-its-ttps"
	],
	"threat_actors": [],
	"ts_created_at": 1777169984,
	"ts_updated_at": 1777170025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8002a481ae477a283086842e197b2826b81695c3.pdf",
		"text": "https://archive.orkl.eu/8002a481ae477a283086842e197b2826b81695c3.txt",
		"img": "https://archive.orkl.eu/8002a481ae477a283086842e197b2826b81695c3.jpg"
	}
}