{
	"id": "b4103b8c-0519-4940-8f72-4657eb63de15",
	"created_at": "2026-04-06T00:13:14.504473Z",
	"updated_at": "2026-04-10T13:11:20.963477Z",
	"deleted_at": null,
	"sha1_hash": "ac9dc190477f7e6cd6e6246b8ca75fa77e9799a1",
	"title": "THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2183599,
	"plain_text": "THREAT ANALYSIS REPORT: Bumblebee Loader – The High\r\nRoad to Enterprise Domain Control\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-05 20:55:15 UTC\r\nThe Cybereason Global Security Operations Center (GSOC) Team issues Cybereason Threat Analysis Reports to\r\ninform on impacting threats. The Threat Analysis Reports investigate these threats and provide practical\r\nrecommendations for protecting against them.\r\nIn this Threat Analysis report, Cybereason GSOC team analysts have analyzed a case that involved a Bumblebee\r\nLoader infection. Following this introduction, we describe in detail the attack chain from the initial Bumblebee\r\ninfection to the compromise of the entire network.\r\nKey Findings\r\nUser-Driven Execution: The majority of the infections with Bumblebee we have observed started by end-users executing LNK files which use a system binary to load the malware. Distribution of the malware is\r\ndone by phishing emails with an attachment or a link to the malicious archive containing Bumblebee.\r\nIntensive Reconnaissance and Data Exfiltration: Bumblebee operators conduct intensive reconnaissance\r\nactivities and redirect the output of executed commands to files for exfiltration.\r\nActive Directory Compromise: The attackers compromised Active Directory and leveraged confidential\r\ndata such as users’ logins and passwords for lateral movement. The time it took between initial access and\r\nActive Directory compromise was less than two days. \r\nUnder Active Development: Cybereason GSOC has observed threat actors transitioning from\r\nBazarLoader, Trickbot, and IcedID to Bumblebee, which seems to be in active development and generally\r\nthe loader of choice for many threat actors.\r\nCritical Severity: Attacks involving Bumblebee must be treated as critical. Based on GSOC findings, the\r\nnext step for the threat actors is ransomware deployment, and this loader is known for ransomware\r\ndelivery. 
\r\nCybereason Managed Detection and Response (MDR): The Cybereason GSOC team has a zero-tolerance policy towards attacks involving Bumblebee and any other loader, and categorizes such attacks as\r\ncritical, high-severity incidents. The Cybereason GSOC MDR Team issues a comprehensive report to\r\ncustomers when such an incident occurs. The report provides an in-depth overview of the incident, which\r\nhelps to understand the scope of the compromise and the impact on the customer’s environment. These\r\nreports also provide attribution information whenever possible, as well as recommendations for threat\r\nmitigation and isolation.\r\nDetected and Prevented: The Cybereason Defense Platform effectively detects and prevents infections\r\nfrom Bumblebee.\r\nhttps://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control\r\nPage 1 of 20\n\nIntroduction\r\nIn March 2022, a new malware loader was discovered by Google Threat Analysis Group. This loader is named\r\nBumblebee because of its unique user agent, “Bumblebee,” that is used as part of the communication with the\r\ncommand and control server (C2).\r\nCybereason GSOC observed the distribution of the loader via spear phishing emails which contain archives with\r\nISO files as attachments or links to download the archive from external sources. The initial execution relies on the\r\nend user, who has to extract the archive, mount an ISO image file, and click a Windows shortcut\r\n(LNK) file.\r\nAfter initial execution, the most notable post-exploitation activities performed by Bumblebee are privilege\r\nescalation, reconnaissance, and credential theft, which are detailed in this report.\r\nBumblebee operators use the Cobalt Strike framework throughout the attack. 
The threat actors use the obtained\r\ncredentials to access Active Directory and make a copy of ntds.dit containing data for the entire Active Directory.\r\nLastly, a domain administrator account is used to move laterally, create local user accounts, and exfiltrate data\r\nusing Rclone software.\r\nCybereason GSOC has observed threat actors transitioning from BazarLoader, Trickbot, and IcedID to\r\nBumblebee, which seems to be in active development and generally the loader of choice for many threat actors.\r\nWe have previously analyzed the loader in detail, and the report is available here. In this research, we chose to\r\nfocus on post-exploitation actions and Tactics, Techniques, and Procedures (TTPs).\r\nAnalysis\r\nTimeline\r\nThe following table summarizes the activity timeline from initial compromise to data exfiltration:\r\nActivities Time\r\nInitial access T0\r\nReconnaissance / nltest, net, whoami T0 + 30 minutes\r\nCommand and Control / Loading Meterpreter agent T0 + 4 hours\r\nPrivilege Escalation / Zerologon exploitation T0 + 4 hours\r\nCommand and Control / Cobalt Strike beacon execution T0 + 6 hours\r\nCredential Theft / registry hive T0 + 6 hours\r\nReconnaissance / adfind, ping, curl T0 + 6 hours and 30 minutes\r\nCredential Theft and Privilege Escalation / LSASS memory dump with procdump64.exe T0 + 19 hours\r\nCredential Theft / NTDS.dit exfiltration with Active Directory full privilege T0 + 22 hours\r\nLateral Movement / Cobalt Strike socks-tunnel (RDP) T0 + 24 hours\r\nData Exfiltration / Rclone T0 + 3 days\r\nInitial Access and Execution\r\nThe Cybereason GSOC team observed the following distribution method to deliver the Bumblebee malware:\r\nA spear phishing email is received containing an archive or a link to an external source to download the\r\narchive.\r\nThe user extracts the archive and mounts the 
resulting ISO image.\r\nThe content of the mounted ISO image is a LNK file executing the Bumblebee payload upon user\r\ninteraction:\r\nBumblebee infection flow\r\nBumblebee operators host malicious websites that implement a drive-by download. To infect the system, an end-user has to first manually decompress the archive containing the ISO file, mount the file and then execute the\r\nWindows shortcut (LNK).\r\nThe LNK file has an embedded command to run the Bumblebee Dynamic-link library (DLL) using the odbcconf.exe\r\nLiving Off the Land Binary (LOLBin) and a response (.rsp) file. The file [Bumblebee specific name].rsp has the\r\nreference to the Bumblebee DLL:\r\nBumblebee infection steps\r\nAn end-user interactively decompresses and executes a LNK file that Bumblebee operators distribute, as seen in\r\nthe Cybereason Defense Platform\r\nOdbcconf.exe loads the Bumblebee DLL with the internal name LdrAddx64.dll. The figure below illustrates the ISO\r\nimage content (DLL, RSP and LNK files) for Bumblebee:\r\nContent of the mounted ISO image\r\nThe Bumblebee DLL is executed using odbcconf.exe -f [Bumblebee specific name].rsp in the LNK file target property.\r\n[Bumblebee specific name].rsp has a reference to [Bumblebee specific name].dll, which is the Bumblebee payload.\r\nFoothold\r\nAfter the initial infection, Bumblebee injects code into multiple processes in order to establish a strong foothold\r\non infected endpoints. The process odbcconf.exe creates local Windows Management Instrumentation (WMI)\r\ncalls to spawn new processes. 
\r\nAs a result, the following two processes are spawned from wmiprvse.exe (Windows Management Instrumentation\r\nProvider Service):\r\nwabmig.exe (Microsoft contacts import tool) with injected Meterpreter agent code (Meterpreter is a\r\npenetration testing agent that provides remote control capabilities).\r\nwab.exe (Microsoft address book application) with an injected Cobalt Strike beacon:\r\nBumblebee leveraging WMI to run wab.exe and wabmig.exe with injected floating code as seen in the Cybereason\r\nDefense Platform\r\nPrivilege Escalation and Cobalt Strike deployment\r\nBumblebee performs privilege escalation by loading an exploit for CVE-2020-1472 (Zerologon) into\r\nrundll32.exe:\r\nExploitation of CVE-2020-1472, Zerologon as seen in the Cybereason Defense Platform\r\nBumblebee uses a User Account Control (UAC) bypass technique to deploy post exploitation tools with elevated\r\nprivileges on infected machines. 
The method uses fodhelper.exe, which is a trusted binary, meaning Windows 10\r\nwon't show a UAC prompt when it is launched:\r\nUAC bypass using fodhelper.exe and code injection into winlogon.exe as seen in the Cybereason Defense Platform\r\nFodhelper.exe is used to run \"cmd.exe\" /c rundll32.exe C:\\ProgramData\\Cisco\\[Cobalt strike].dll”,MainProc\r\nwhere [Cobalt strike].dll is a Cobalt Strike framework beacon and MainProc is the exported function to run.\r\nCobalt Strike is an adversary simulation framework with the primary use case of assisting red team operations.\r\nHowever, Cobalt Strike is also actively used by malicious actors for conducting post-intrusion malicious activities.\r\nCobalt Strike is a modular framework with an extensive set of features that are useful to malicious actors, such as\r\ncommand execution, process injection, and credential theft.\r\nCredential Theft\r\nAfter obtaining system privileges on the infected machine, Bumblebee performs credential theft using two\r\nmethods detailed below.\r\nThe first method used is a Local Security Authority Subsystem Service (LSASS) process memory dump. 
On Windows\r\nsystems, domain and local usernames and passwords are stored in the memory space of the LSASS process.\r\nBumblebee dumps the memory of this process using procdump64.exe to access the sensitive information:\r\nBumblebee dumping lsass.exe memory as seen in the Cybereason Defense Platform\r\nThe second method of credential theft that Bumblebee operators use is registry hive extraction using reg.exe:\r\nHKLM SAM: The Security Account Manager (SAM) database is where Windows stores information\r\nabout user accounts.\r\nHKLM Security: Local Security Authority (LSA) stores user logins and their LSA secrets.\r\nHKLM System: Contains keys that could be used to decrypt/encrypt the LSA secrets and SAM database:\r\nBumblebee extracting registry hives as seen in the Cybereason Defense Platform\r\nBumblebee operators:\r\nObtain registry dumps\r\nCompress the data\r\nExfiltrate it over their network tunnel:\r\nBumblebee exfiltrating dumps containing credentials as seen in the Cybereason Defense Platform\r\nBumblebee operators process retrieved credentials offline, attempting to extract cleartext passwords. The time\r\nbetween credential theft and the next activity is approximately 3 hours.\r\nReconnaissance\r\nAfter the attackers gain a foothold in the organization network, they gather information in various ways. We have\r\nobserved attackers using tools such as nltest, ping, netview, tasklist and AdFind to collect a wide range of information related\r\nto the organization. 
The attackers collect information such as the domain names, users, hosts and domain\r\ncontrollers.\r\nAdFind (named “af.exe”) is a publicly available tool for querying Active Directory and has been used by multiple\r\nthreat actors:\r\nBumblebee executed multiple reconnaissance commands as seen in the Cybereason Defense Platform\r\nDuring the reconnaissance phase, Bumblebee operators contacted more than 200 IP addresses and domain names\r\nwithin the organization. The most notable ones are Microsoft Exchange and Windows Server Update Services\r\n(WSUS) servers.\r\nThe following table summarizes the reconnaissance commands observed by Cybereason GSOC analysts:\r\nCommand Description\r\nnltest /domain_trusts Enumerates trust relationships in a Windows Active Directory (AD) environment.\r\nnltest /dclist: Enumerates all domain controllers in the domain.\r\naf.exe -f \"(objectcategory=person)\" \u003e ad_users.txt Enumerates all user objects in Active Directory and stores the output in a file.\r\naf.exe -f \"objectcategory=computer\" \u003e ad_computers.txt Enumerates all computer objects in Active Directory and stores the output in a file.\r\nwhoami /all Displays all information in the current access token, including the current user name, security identifiers (SID), privileges, and groups that the current user belongs to.\r\ncurl ifconfig[.]me Retrieves the publicly visible IP address of the machine using an external service.\r\nping {hostname} -n 1 Enumerates live hosts.\r\nTasklist /s {IP address} Enumerates a list of processes on a specific host.\r\nnet user {username} /domain The /domain switch forces net user to execute on the current domain\r\ncontroller instead of 
on the local computer.\r\nnet group \"domain admins\" /domain Enumerates users that are members of the domain admins group, such that the designated Domain Controller (DC) is conducting the enumeration activity.\r\nnet view \\\\{IP address} /all Enumerates all shared computers and resources on a specific system.\r\nLateral Movement\r\nBumblebee uses a Cobalt Strike agent for lateral movement. We can see multiple connections from the process to\r\ninternal addresses on Remote Desktop Protocol (RDP), on TCP port 3389:\r\nBumblebee lateral movement from Cobalt Strike agent as seen in the Cybereason Defense Platform\r\nFollowing the lateral movement, the attacker persists on the organization network using the remote management\r\nsoftware AnyDesk:\r\nBumblebee operators using AnyDesk for lateral movement as seen in the Cybereason Defense Platform\r\nActive Directory Compromise\r\nAfter the attacker obtains a highly privileged user and its password, the attacker accesses the shadow copy.\r\nShadow Copy is a technology included in Microsoft Windows that can create backup copies or snapshots of\r\ncomputer files or volumes.\r\nBumblebee accesses the remote Active Directory machines using the Windows Management Instrumentation\r\ncommand-line utility (WMIC) and creates a shadow copy using the vssadmin command. In addition, the attacker\r\nsteals the ntds.dit file from the domain controller.\r\nThe ntds.dit file is a database that stores Active Directory data, including information about user objects, groups\r\nand group membership. 
The file also stores the password hashes for all users in the domain:\r\nBumblebee creates shadow copies on a remote Active Directory server and exfiltrates Ntds.dit as seen in the\r\nCybereason Defense Platform\r\nThe following are the commands related to credential theft used to escalate privileges on the Active Directory:\r\nwmic /node:\"[Active Directory IP address]\" /user:\"[Compromised user name]\" /password:\"[Compromised user password]\" process call create \"cmd /c vssadmin create shadow /for=C: 2\u003e\u00261\"\r\nwmic /node:\"[Active Directory IP address]\" /user:\"[Compromised user name]\" /password:\"[Compromised user password]\" process call create \"cmd /c vssadmin list shadows \u003e\u003e c:\\log.txt\"\r\ntype \\\\[Active Directory IP address]\\c$\\log.txt\r\nwmic /node:\"[Active Directory IP address]\" /user:\"[Compromised user name]\" /password:\"[Compromised user password]\" process call create \"cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy635\\Windows\\NTDS\\NTDS.dit c:\\ProgramData\\nt \u0026 copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy635\\Windows\\System32\\config\\SYSTEM c:\\ProgramData\\nt \u0026 copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy635\\Windows\\System32\\config\\SECURITY c:\\ProgramData\\nt\"\r\n7za.exe a -mx3 nt.7z \\\\[Active Directory IP address]\\c$\\ProgramData\\nt\r\nIn order to obtain maximum privileges on the Active Directory domain, the threat actor:\r\nCreates a shadow copy of the machine’s file volume.\r\nLists all available shadow copies and stores the result in a file.\r\nCopies the Active Directory database (ntds.dit) as well as registry hives containing credentials and sensitive\r\ndata from the shadow copy.\r\nCompresses the output directory for exfiltration. 
\r\nAccount Creation and Data Exfiltration\r\nThe threat actor uses a domain administrator account obtained previously to move laterally on multiple systems.\r\nAfter the initial connection, they create a local user and exfiltrate data using Rclone software.\r\nUser creation commands are as follows:\r\nnet user [Attacker created username] P@ssw0rd!1 /add\r\nnet localgroup Administrators [Attacker created username] /add\r\nCreation of a local user and exfiltration of data using rclone.exe as seen in the Cybereason Defense Platform\r\nThe rclone.exe process transfers approximately 50 GB of data over TCP port 22 (SSH) to an endpoint whose IP address\r\nis located in the United States.\r\nDetection and Prevention\r\nCybereason Defense Platform\r\nThe Cybereason Defense Platform is able to detect and prevent infections with Bumblebee and post exploitation\r\nactivities, using multi-layer protection that detects and blocks malware with threat intelligence, machine learning,\r\nand Next-Gen Antivirus (NGAV) capabilities:\r\nThe Cybereason Defense Platform labels as suspicious the execution of a malicious Bumblebee DLL using\r\nodbcconf.exe\r\nThe Cybereason Defense Platform detects the credential theft with both reg.exe and procdump64.exe\r\nThe Cybereason Defense Platform detects data exfiltration activities\r\nThe Cybereason Defense Platform detects a Meterpreter agent\r\nCybereason GSOC MDR\r\nThe Cybereason GSOC recommends the following:\r\nEnable the Anti-Malware feature on the Cybereason NGAV and enable the Detect and Prevent modes of\r\nthis 
feature.\r\nSecurely handle files downloaded from the Internet and email messages that originate from external\r\nsources.\r\nRegularly back up files to a secured remote location and implement a data recovery plan. Regular data\r\nbackups ensure that you can restore your data after a ransomware attack.\r\nUse secure passwords, regularly rotate passwords, and use multi-factor authentication where possible.\r\nFollow the Best Practices for Securing Active Directory provided by Microsoft.\r\nTo hunt for infections with Bumblebee proactively, use the Investigation screen in the Cybereason Defense\r\nPlatform and the query in the Hunting Queries section to search for machines that are potentially infected\r\nwith this malware. Based on the search results, take further remediation actions such as isolating the\r\ninfected machines.\r\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to\r\neverywhere. Schedule a demo today to learn how your organization can benefit from an operation-centric\r\napproach to security.\r\nMITRE ATT\u0026CK Mapping\r\nTactic Technique or Sub-technique\r\nTA0001: Initial Access T1189: Drive-by Compromise\r\nTA0001: Initial Access T1566.002: Phishing: Spearphishing Link\r\nTA0001: Initial Access T1078: Valid Accounts\r\nTA0002: Execution T1204.001: User Execution: Malicious Link\r\nTA0002: Execution T1204.002: User Execution: Malicious File\r\nTA0002: Execution T1059.003: Command and Scripting Interpreter: Windows Command Shell\r\nTA0002: Execution T1047: Windows Management Instrumentation\r\nTA0004: Privilege Escalation T1548.002: Abuse Elevation Control Mechanism: Bypass User Account Control\r\nTA0004: Privilege Escalation T1068: Exploitation for Privilege Escalation\r\nTA0005: Defense Evasion T1036.005: Masquerading: Match Legitimate Name or 
Location\r\nTA0005: Defense Evasion T1055: Process Injection\r\nTA0005: Defense Evasion T1218.008: System Binary Proxy Execution: Odbcconf\r\nTA0005: Defense Evasion T1218.011: Signed Binary Proxy Execution: Rundll32\r\nTA0005: Defense Evasion T1620: Reflective Code Loading\r\nTA0006: Credential Access T1003.001: OS Credential Dumping: LSASS Memory\r\nTA0006: Credential Access T1003.002: OS Credential Dumping: Security Account Manager\r\nTA0006: Credential Access T1003.003: OS Credential Dumping: NTDS\r\nTA0006: Credential Access T1003.004: OS Credential Dumping: LSA Secrets\r\nTA0007: Discovery T1018: Remote System Discovery\r\nTA0007: Discovery T1033: System Owner/User Discovery\r\nTA0007: Discovery T1057: Process Discovery\r\nTA0007: Discovery T1082: System Information Discovery\r\nTA0007: Discovery T1087: Account Discovery\r\nTA0009: Collection T1560.001: Archive Collected Data: Archive via Utility\r\nTA0009: Collection T1039: Data from Network Shared Drive\r\nTA0010: Exfiltration T1048: Exfiltration Over Alternative Protocol\r\nIndicators of Compromise\r\nIOC type IOC values\r\nExecutables SHA-1 hash of af.exe (AdFind), known publicly: 4acc9ddf7f23109216ca22801ac75c8fabb97019\r\nIP addresses C2 server: 185.62.56[.]129 (known publicly, affiliated with Bumblebee)\r\nAbout the Researchers\r\nMeroujan Antonyan, Senior Security Analyst, Cybereason Global SOC\r\nMeroujan Antonyan is a Senior Security Analyst with the Cybereason Global SOC team. Meroujan hunts for\r\nemerging threats and analyzes incidents in order to improve hunting techniques and procedures. 
He contributes to the\r\nautomation and interconnection of various cybersecurity projects to collect and leverage threat intelligence and\r\nbring value from security events. Meroujan has Digital Forensics \u0026 Incident Response experience and is\r\ninterested in low-level malware development, oriented towards improving the capabilities of security solutions.\r\nAlon Laufer, Security Analyst, Cybereason Global SOC\r\nAlon Laufer is a Security Analyst with the Cybereason Global SOC team. Alon analyses critical incidents. He\r\nbegan his career in the Israeli Air Force, where he was responsible for protecting critical infrastructure. Alon is\r\ninterested in malware analysis, digital forensics, and incident response.\r\nSource: https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control"
	],
	"report_names": [
		"threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control"
	],
	"threat_actors": [],
	"ts_created_at": 1775434394,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac9dc190477f7e6cd6e6246b8ca75fa77e9799a1.pdf",
		"text": "https://archive.orkl.eu/ac9dc190477f7e6cd6e6246b8ca75fa77e9799a1.txt",
		"img": "https://archive.orkl.eu/ac9dc190477f7e6cd6e6246b8ca75fa77e9799a1.jpg"
	}
}