{
	"id": "96e131de-1c0e-42a8-b7b6-6e486cb10472",
	"created_at": "2026-04-06T00:12:16.723482Z",
	"updated_at": "2026-04-10T03:30:37.605524Z",
	"deleted_at": null,
	"sha1_hash": "97a25b36d9759aa1aaf64c23febbea486e41980e",
	"title": "TA578 using thread-hijacked emails to push ISO files for Bumblebee malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1612948,
	"plain_text": "TA578 using thread-hijacked emails to push ISO files for Bumblebee malware\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 18:14:04 UTC\r\nINTRODUCTION:\r\nIdentified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails. These thread-hijacked emails either have links to storage.googleapis.com URLs similar to those used in the Contact Forms campaign, or they have password-protected zip attachments. Either method delivers an ISO file containing files to install Bumblebee malware.\r\nToday's diary compares two examples of ISO files for Bumblebee malware from Monday 2022-05-09 that appear to be from TA578.\r\nShown above: Infection chains from TA578 on Monday 2022-05-09.\r\nINFECTION CHAIN COMPARISON: LINK TO 'DOCUMENT' DOWNLOAD PAGE:\r\nhttps://isc.sans.edu/diary/rss/28636\r\nPage 1 of 6\r\nShown above: TA578 thread-hijacked email with malicious storage.googleapis.com link.\r\nShown above: TA578 'document' download page hosted on storage.googleapis.com URL delivers malicious ISO file for Bumblebee malware.\r\nShown above: Contents of downloaded document.iso file.\r\nINFECTION CHAIN COMPARISON: PASSWORD-PROTECTED ZIP ATTACHMENT:\r\nShown above: TA578 email with password-protected zip attachment.\r\nShown above: Malicious ISO file for Bumblebee malware extracted from password-protected zip attachment.\r\nISO FILE COMPARISON:\r\nSHA256 hash: 330b01256efe185fc3846b6b1903f61e1582b5a5127b386d0542d7a49894d0c2\r\nFile size: 2,883,584 bytes\r\nFile name: document.iso\r\nFile description: malicious ISO file sent by 'documents' download page\r\nSHA256 hash: e9084037805a918e00ac406cf99d7224c6e63f72eca3babc014b34863fb81949\r\nFile size: 2,883,584 bytes\r\nFile name: invoice_pdf_49.iso\r\nFile description: malicious ISO file extracted from password-protected zip attachment\r\nISO CONTENT COMPARISON:\r\nSHA256 hash: 22e033c76bb1070953325f58caeeb5c346eca830033ffa7238fb1e4196b8a1b9\r\nFile size: 1,612 bytes\r\nFile name: documents.lnk\r\nFile description: Windows shortcut in both document.iso and invoice_pdf_49.iso\r\nShortcut: %windir%\\system32\\rundll32.exe ramest.dll,SjVjlixjPb\r\nSHA256 hash: e6357f7383b160810ad0abb5a73cfc13a17f4b8ea66d6d1c7117dbcbcf1e9e0f\r\nFile size: 1,390,592 bytes\r\nFile name: ramest.dll\r\nFile description: Bumblebee 64-bit DLL in document.iso\r\nSHA256 hash: f398740233f7821184618c6c1b41bc7f41da5f2dbde75bbd2f06fc1db70f9130\r\nFile size: 1,390,080 bytes\r\nFile name: ramest.dll\r\nFile description: Bumblebee 64-bit DLL in invoice_pdf_49.iso\r\nNote: Both of the above ramest.dll files have the same import hash (imphash) of 66356a654249c4824378b1a70e7cc1e5\r\nSIMILARITIES TO CONTACT FORMS CAMPAIGN:\r\nTA578 'document' download pages are similar to 'Stolen Images Evidence' pages used for the Contact Forms campaign. Both are hosted on storage.googleapis.com pages with appspot.com in the URL. Both generate traffic to a malicious URL ending in logo.jpg that returns script with base64 text used to generate a malicious ISO file for download.\r\nThe following are 4 examples of URLs generated by 'document' download pages for malicious ISO files in May 2022:\r\nhxxps://baronrtal[.]com/img/logo.jpg\r\nhxxps://bunadist[.]com/img/logo.jpg\r\nhxxps://omnimature[.]com/img/logo.jpg\r\nhxxps://vorkinal[.]com/img/logo.jpg\r\nThe following are 4 examples of URLs generated by 'Stolen Images Evidence' pages for malicious ISO files in May 2022:\r\nhxxps://bunadist[.]com/images/logo.jpg\r\nhxxps://curanao[.]com/images/logo.jpg\r\nhxxps://goranism[.]com/images/logo.jpg\r\nhxxps://olodaris[.]com/images/logo.jpg\r\nAs seen above, 'Stolen Images Evidence' pages generate URLs ending in /images/logo.jpg, while 'document' download pages generate URLs ending in /img/logo.jpg.\r\nURLs hosted on storage.googleapis.com for 'Stolen Images Evidence' pages end with ?l= or ?h= or similar strings followed by a numeric value. For example, hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fWpa4HT4ck6v6.html?l=827470894993112750 is a URL for a recent 'Stolen Images Evidence' page.\r\nURLs hosted on storage.googleapis.com for 'document' download pages end in .html. For example: hxxps://storage.googleapis[.]com/pz3ksj5t45tg4t.appspot.com/q/pub/file/0/filejBWdkst6Ua3s.html is a URL for a recent 'document' download page.\r\nFINAL WORDS:\r\nThe Contact Forms campaign switches between pushing ISO files for Bumblebee malware and pushing ISO files for IcedID (Bokbot) malware, and I've seen both during the same week. Since February 2022, TA578 has been noted pushing both families of malware. And in recent weeks, TA578 has been using thread-hijacked emails to distribute ISO files for Bumblebee malware. TA578 might also distribute IcedID using the same type of thread-hijacked messages.\r\nWhile the malware may be different, I occasionally find Cobalt Strike from either Bumblebee or IcedID when testing samples in Active Directory (AD) environments. Cobalt Strike can lead to ransomware or other malicious activity.\r\nIf TA578 activity is caught and stopped in its early stages, potential victims might avoid more serious harm.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/rss/28636",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/28636"
	],
	"report_names": [
		"28636"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434336,
	"ts_updated_at": 1775791837,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97a25b36d9759aa1aaf64c23febbea486e41980e.pdf",
		"text": "https://archive.orkl.eu/97a25b36d9759aa1aaf64c23febbea486e41980e.txt",
		"img": "https://archive.orkl.eu/97a25b36d9759aa1aaf64c23febbea486e41980e.jpg"
	}
}