{
	"id": "7d58e3ea-950f-4197-a44e-0fdd735a25ee",
	"created_at": "2026-04-06T00:07:05.200807Z",
	"updated_at": "2026-04-10T03:36:07.170828Z",
	"deleted_at": null,
	"sha1_hash": "bc03fef25c55746eaf1c85272e13c32db845559a",
	"title": "BumbleBee a New Modular Backdoor Evolved From BookWorm",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4643458,
	"plain_text": "BumbleBee a New Modular Backdoor Evolved From BookWorm\r\nBy By: Vickie Su, Ted Lee, Nick Dai Sep 02, 2022 Read time: 7 min (1918 words)\r\nPublished: 2022-09-02 · Archived: 2026-04-05 17:16:54 UTC\r\nMalware\r\nBuzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From\r\nBookWorm\r\nIn March 2021, we investigated a backdoor with a unique modular architecture and called it BumbleBee due to a\r\nstring embedded in the malware. However, in our recent investigations, we have discovered a controller\r\napplication that expands its capabilities.\r\nUpdated on Sept. 6, 2022, at 11:55 p.m. ET to clarify the reason behind the naming of this BumbleeBee malware.\r\nUpdated on Sept. 2, 2022, at 9:55 p.m. ET to clarify the difference between this BumbleBee malware and the\r\nBumblebee ransomware loader.\r\nIntroduction\r\nIn March 2021, we investigated a backdoor with a unique modular architecture. Its type of modular framework\r\nmade our static analysis more challenging because it required us to first rebuild its structure or use dynamic\r\nanalysis to understand its functionality and behavior.\r\nWe called it “BumbleBee” since the developer of this tool originally named it as such (“bumblebee” in Chinese:\r\n大黄蜂).\r\nOur analysis found that BumbleBee only had little malicious code in its payload, and what it does on the surface is\r\ntrack keys and clipboard content. However, further investigation revealed a controller application that expands the\r\nmalware’s capabilities.\r\nThis type of backdoor is similar to another of its kind called BookWorm, in which it can be inferred that\r\nBumbleBee is a refactored version of BookWorm. At the time of writing, BumbleBee has only been deployed in\r\nTaiwan; together with its use of Simplified Chinese as the language for its user interface, this malware can be\r\nsuspected to be deployed by malicious Chinese actors. This blog will tackle BumbleBee’s capabilities and our\r\nanalysis of this backdoor. 
It's important to note that this BumbleBee malware family is different from the\r\nBumblebee loader, a loader malware that is used by ransomware groups to drop backdoors to gain\r\naccess to corporate networks.\r\nBumbleBee – a refactored modular backdoor\r\nhttps://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html\r\nPage 1 of 10\n\nBumbleBee is a modular backdoor that comprises two applications, a server and a client application (a master and\r\nslaver application, respectively, in the malware’s jargon). Once the client application is deployed on the target\r\ncomputer (these are commonly local government devices), threat actors can control the machine using the server\r\nmodule. Let us take a deeper look into this backdoor.\r\nLayered deployment – client application\r\nWe encountered the client application in a security breach incident. Its unique “layer-in-layer” architecture\r\ncaught our attention. The module is a self-extracting file that drops three main parts to the file system: a legitimate executable\r\n(XcrSvr.exe), a side-loaded DLL (XecureIO_v20.dll) and the shellcode binary file (ore); it then executes\r\nthe legitimate executable.\r\nFigure 1. Architecture of BumbleBee\r\nFigure 2. Metadata of XcrSvr.exe\r\nXCrSvr.exe is the executable in the XecureVistaCryptoSvr module developed by SoftForum. This file is abused\r\nto launch the side-loaded DLL, XecureIO_v20.dll, which works as the next-stage loader that executes the\r\nshellcode “ore,” the main component of this backdoor. This shellcode contains multiple modules of its\r\nown (shown in Table 1). 
Each module has corresponding 32-bit and 64-bit versions of binaries in the shellcode\r\nexcept for launcher.dll.\r\nName Description\r\nlauncher.dll: The first-stage launcher that loads all the subsequent modules. It decrypts a list of modules in memory and executes each in order.\r\nkernel.dll: The utility component that controls all the other modules.\r\ninstaller.dll: The module used to install components on the compromised machine.\r\nkeylog.dll: The keylog component monitors the keystrokes and clipboard content of the victim, and records actions from the victim such as running a process, entering a password, and getting the text of a window. The stolen data is then XORed with the two-byte key 0xF29D and saved under %temp%\\kb\\[UserName]\\, with the timestamp used as the file name.\r\nloader.dll: The module that reads the shellcode.\r\nslaver.dll: The main module that interacts with the other methods once the backdoor is launched.\r\nTable 1. BumbleBee's modules\r\nIf a victim is compromised for the first time, launcher.dll loads and launches all the other modules. The installer\r\nmodule is responsible for the installation and for establishing persistence on the compromised machine via the\r\nfollowing steps:\r\n1. Drop a copy of XecureIO_v20.dll in the %APPDATA%\\LOCAL\\TEMP folder.\r\n2. Encrypt the original shellcode file (as a “bin” file) and the path information (as a “path” file) using the RC4\r\nalgorithm (the key is the value of “ProductID” from\r\n“HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Registration”).\r\n3. Drop bpu.dll (used to bypass UAC) and launch it via rundll32.exe.\r\n4. Establish persistence on the compromised machine.\r\n5. 
Delete the original SFX file.\r\nNotably, as XecureIO_v20.dll is loaded by XcrSvr.exe, it checks whether the parent process is “XcrSvr.exe.” If so, it\r\npatches the entry point of XcrSvr.exe with a long jump instruction to redirect execution flow to the malicious\r\ncode.\r\nFigure 3. XecureIO_v20.dll hooks its parent process’ entry point\r\nFigure 4. The original entry point\r\nFigure 5. The patched entry point\r\nBased on our analysis, we think the reason is that the malicious code embedded in XecureIO_v20 would not run if it\r\nfollowed the normal execution flow of XCrSvr.exe. Hence, once XecureIO_v20.dll is loaded by XCrSvr.exe, it\r\npatches the entry point of XCrSvr.exe and jumps to the address of the malicious code to make sure the code is\r\nexecuted.\r\nAfter the client is installed and persistence is established, the loader, XecureIO_v20.dll, retrieves the value\r\nof “ProductID” from the registry key “HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet\r\nExplorer\\Registration” and uses it as the key to decrypt the encrypted payload (the file “bin”) dropped during the first\r\ninstallation. Using information from the compromised machine as the encryption key for the payload makes it much\r\nmore difficult for analysts to decrypt and debug the malware in an analysis environment.\r\nFile name Description\r\npath: An RC4-encrypted path string used to find the location of the next-stage shellcode. It could be a file path or a registry path starting with HKLM or HKCU.\r\nbin: The next-stage RC4-encrypted shellcode payload.\r\nTable 2. Payload file names\r\nExpanded control – server application\r\nDue to BumbleBee’s complex client application, it took some time for us to fully analyze its functionality. While\r\ndoing so, we ran across the server application of the malware that acts as a controller. 
This provided us with\r\nfurther understanding of how BumbleBee works.\r\nAs the client application is running on the infected device, it communicates with the server application and\r\nreports information about the machine it is on. Details such as computer name, external IP address, geographic\r\nlocation, OS, CPU, and memory are collected by the client application.\r\nFigure 6. Connection established\r\nFigure 7. Built-in options in server application\r\nBased on the options in the server application shown in Figure 7, we can determine that it supports the following\r\nfunctions for controlling the compromised machine:\r\nFunctions Description\r\n文件管理 (File management): Upload/download/delete/list files from the victim’s environment\r\n屏幕控制 (Remote desktop control): Control the victim’s desktop remotely\r\n进程管理 (Process management): List and manage running processes with the image names, current folder, process id and parent process id\r\n服务管理 (Service management): List and manage current services status\r\n注冊表编辑 (Registry editor): List and manage the victim’s registry keys\r\n控制台命令 (Command shell): Execute the command shell\r\n交互式控制台 (Interactive console): Execute the command shell\r\n反向代理 (Reverse proxy): Reverse proxy to help expose a local server behind a NAT or firewall to the internet\r\n键盘记录 (Keylogger): Log keystrokes and clipboard contents\r\nTable 3. Supported functions\r\nBumbleBee’s modular framework allowed it to embed only a small amount of malicious code, which steals\r\nkeystrokes and clipboard content, in the client’s shellcode. 
However, it could expand its capabilities through its\r\nserver application by loading additional modules. This design shows that BumbleBee is flexible, allowing its\r\ndevelopers to focus on the development of additional modules instead of having to rebuild the malware itself. Its\r\nstructure could also reduce the risk of exposing itself and its modules to analysts for comparison.\r\nNetwork communication\r\nBumbleBee communicates over the HTTP protocol. It first creates an HTTP request that acts as a network beacon\r\nto notify the command and control (C\u0026C) server. The POST request to the following URL, http://\u003cC\u0026C\r\nserver\u003e/update/, is the initial network beacon. Once the first connection is established successfully, the client application sends information about the compromised\r\nmachine, encrypted with RC4 (see Figure 8 and Figure 9). All other communication traffic between the server and client applications, except for the victim information, is\r\nencrypted using RC4 and compressed with the LZO (Lempel–Ziv–Oberhumer) algorithm.\r\nTo make sure the received payload is correct, BumbleBee adopts a CRC32 checksum in reversed-presentation\r\nmode to verify the received data. For the CRC32 calculation, a self-defined value, “20200105”, is used as the\r\ninitial value (typically, the value is 0xffffffff).\r\nFigure 8. Encrypted information of the compromised machine\r\nFigure 9. Decrypted information (by RC4)\r\nPersistence\r\nDuring the investigation, we found that BumbleBee adopted several techniques for persistence. It uses\r\ndifferent techniques depending on the configuration. 
Here are the techniques adopted by the BumbleBee sample\r\nwe found:\r\nAbuse a registry run key to execute the malware at every system boot\r\nCreate Windows services to repeatedly execute malicious payloads\r\nUse Windows logon scripts, automatically executed at logon initialization, to establish persistence by\r\nadding a registry key HKEY_CURRENT_USER\\Environment \"UserInitMprLogonScript\"\r\nAttribution\r\nDue to the unique modular structure and installation procedures, we started to work on a literature review to\r\nclarify whether it is an exclusive tool used by a certain threat actor. We found a similar backdoor, “BookWorm,” revealed\r\nby Palo Alto in 2015. They share the following features:\r\n1. Both are self-extracting files and abuse legitimate executables to load self-made malware.\r\n2. Both use the same registry value as the RC4 encryption key to encrypt their payload.\r\n3. Both use a modular architecture in the conception of the backdoor.\r\n4. Both appeared in Southeast Asia, targeting local government-related organizations (similar victimology).\r\n5. Both use RC4 and LZO algorithms in C\u0026C communications (similar network protocol).\r\nWe think BumbleBee is likely to be the refactored BookWorm backdoor. They have similar tactics, techniques,\r\nand procedures (TTPs), a unique encryption approach, and similar target sectors. 
According to the language\r\n(Simplified Chinese) shown in the server application, we suspect that the origins and developers of BumbleBee may\r\nbe in China and of Chinese descent.\r\nConclusion\r\nSince BumbleBee and BookWorm share the same features, BumbleBee is likely a refactored form of the latter.\r\nFocusing on Asian local government targets, all signs point to a suspect linked to a Chinese hacker group.\r\nBumbleBee, being a modular framework, is not only flexible but sophisticated, as it requires analysts to\r\ninvestigate its structure and behavior. Another aspect of having a modular framework is that the developers can just keep\r\ndeveloping additional modules, since these can easily be integrated with the current version of the malware.\r\nWith its modular capabilities, the threat may deploy additional modules that may prove dangerous. Thus, an\r\nadvanced layer of protection and quick detection is needed to prevent the backdoor from taking root in the system.\r\nTrend Micro Vision One™ products offer both within different entry points of a backdoor.\r\nIOCs\r\nC\u0026C:\r\n·       http[:]//www[.]synolo[.]ns01[.]biz:80/update\r\n·       http[:]//118[.]163[.]105[.]130:80/update\r\nMITRE\r\nTactics Techniques\r\nDefense Evasion\r\nT1574.002 - Hijack Execution Flow: DLL Side-Loading\r\nT1070.004 - Indicator Removal on Host: File Deletion\r\nT1055 - Process Injection\r\nT1480.001 - Execution Guardrails: Environmental Keying\r\nPersistence\r\nT1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nT1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)\r\nT1548.003 - Create or Modify System Process: Windows Service\r\nPrivilege Escalation\r\nT1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control\r\nCollection\r\nT1056.001 - Input Capture: Keylogging\r\nReconnaissance\r\nT1592 - Gather Victim Host Information\r\nCommand and Control\r\nT1071.001 - Application Layer Protocol: Web Protocols\r\nT1090 - Proxy\r\nT1573.001 - Encrypted Channel: Symmetric Cryptography\r\nT1132.001 - Data Encoding: Standard Encoding\r\nResource Development\r\nT1587.001 - Develop Capabilities: Malware\r\nSource: https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html"
	],
	"report_names": [
		"buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html"
	],
	"threat_actors": [
		{
			"id": "8386d4af-5cca-40bb-91d7-aca5d1a0ec99",
			"created_at": "2022-10-25T16:07:23.414558Z",
			"updated_at": "2026-04-10T02:00:04.588816Z",
			"deleted_at": null,
			"main_name": "Bookworm",
			"aliases": [],
			"source_name": "ETDA:Bookworm",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Scieron",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434025,
	"ts_updated_at": 1775792167,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc03fef25c55746eaf1c85272e13c32db845559a.pdf",
		"text": "https://archive.orkl.eu/bc03fef25c55746eaf1c85272e13c32db845559a.txt",
		"img": "https://archive.orkl.eu/bc03fef25c55746eaf1c85272e13c32db845559a.jpg"
	}
}