{
	"id": "24abc6ff-7a43-4ef7-911d-3b438d557e7a",
	"created_at": "2026-04-06T00:15:55.530139Z",
	"updated_at": "2026-04-10T03:33:15.988508Z",
	"deleted_at": null,
	"sha1_hash": "bc08a226efbcb0764756a8a59c6ac6e143585bbb",
	"title": "BumbleBee notes 🐝",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9734383,
	"plain_text": "BumbleBee notes 🐝\r\nBy pbo\r\nPublished: 2023-03-28 · Archived: 2026-04-05 13:32:33 UTC\r\nBumbleBee is categorized as a Loader; the malware is used by Initial Access Brokers to gain access to targeted companies. This article aims to summarize the different TTPs observed in campaigns distributing BumbleBee and provides a script to extract its configuration.\r\nTL;DR BumbleBee #\r\nThe loader delivers diverse payloads (e.g. Cobalt Strike, ransomware, etc.); the operators of BumbleBee have been named EXOTIC LILY by Google TAG in a report published in March 2022 (the Google TAG article mentioned the BumbleBee Loader, e.g. the user-agent set to bumblebee, hence dubbed BUMBLEBEE: https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/). Moreover, similarities with other loaders in terms of operation have been noticed, notably with IcedID and Emotet. Code similarity (hook installation) with Trickbot has been observed and explained in the post The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. The malware is well documented by now (March 2023), as evidenced by the number of reports on malpedia.\r\nBumbleBee capabilities #\r\nThe malware has a custom unpacking mechanism, it manipulates hooks to set up its execution chain, and the loader uses multiple environment detection techniques because of the complete integration of the project al-khaser (al-khaser is a PoC “malware” application with good intentions that aims to stress your anti-malware system; it performs a bunch of common malware tricks with the goal of seeing if you stay under the radar). It communicates with its command and control over HTTP. 
Since August 2022 the malware embeds a list of IP addresses in its configuration; some of them are legitimate IP addresses. This technique is also used by other malware such as Emotet and Trickbot.\r\nBumbleBee command and control IP addresses, port and the bot (or botnet) identifier are stored in the .data section, obfuscated with the RC4 encryption algorithm. A script to extract and deobfuscate them is provided at the end of this post.\r\nCampaigns file format #\r\nhttps://blog.krakz.fr/articles/bumblebee/\r\nPage 1 of 6\n\nThe first malspam campaign which delivered BumbleBee contained a web link to a protected ZIP archive.\r\n1. The archive contains an ISO file;\r\n2. The ISO contains a LNK file and a DLL file;\r\n3. The LNK executes rundll32.exe to invoke the embedded DLL.\r\nFigure 1: BumbleBee infection chain with ISO file\r\nThis model of campaign was used for months. During the summer of 2022, actors updated the disk image format from ISO to VHD. The content of the disk image (VHD) changed too: the DLL is no longer stored as a file, but is embedded, obfuscated, in a PowerShell script. The script is executed by the LNK with the execution policy set to bypass. BumbleBee’s DLL is stored in the PowerShell script in obfuscated strings (e.g. $elem30=$elem30.$casda.Invoke(0,\"H\")). 
After string replacement, the base64-encoded variable is decoded, decompressed (ungzip) and invoked (e.g. scriptPath | iex).\r\nFigure 2: BumbleBee infection chain with VHD file\r\nNB: The file sharing services used to deliver BumbleBee change regularly, e.g. WeTransfer, OneDrive, Smash, etc. Details of a campaign using the OneDrive file sharing website are written in the article Bumblebee DocuSign Campaign.\r\nExample IOCs:\r\nISO: SHA-256: 8695f4936f2942d322e2936106f78144f91602c7acace080e48c97e97b888377\r\nVHD: SHA-256: e9a1ce3417838013412f81425ef74a37608754586722e00cacb333ba88eb9aa7\r\nAs introduced above, the configuration is stored encrypted with the RC4 algorithm (RC4: Rivest Cipher 4, also known as ARC4: https://en.wikipedia.org/wiki/RC4). The key is in cleartext in the binary and its length is (in the BumbleBee case) consistently fixed to 10 characters.\r\nHere are the two functions that implement the RC4 algorithm in BumbleBee:\r\nFigure 3: BumbleBee implementation of PRGA of RC4 algorithm\r\nFigure 4: BumbleBee implementation of KSA of RC4 algorithm\r\nThe key is stored at the end of the blob of data containing the encrypted list of IP addresses. 
After analysing a few samples of BumbleBee, it appears that the blob of data containing the IP addresses is always 4105 bytes long (plus one null byte), which is a pattern to look for in the DLL for a C2 extractor.\r\nFigure 5: Location of the blob and the RC4 key\r\nThe script below loops over the data until a blob matches the blob size, then extracts the RC4 key (the last 10 bytes of the blob) to finally decrypt the data.\r\nfrom cryptography.hazmat.primitives.ciphers import Cipher\r\nfrom cryptography.hazmat.primitives.ciphers.algorithms import ARC4\r\n\r\n\r\ndef decrypt_rc4(key: bytes, ciphertext: bytes) -\u003e bytes:\r\n    \"\"\"Decrypt RC4 encrypted data, `pip install cryptography`\"\"\"\r\n    algorithm = ARC4(key)\r\n    cipher = Cipher(algorithm, mode=None)\r\n    decryptor = cipher.decryptor()\r\n    cleartext = decryptor.update(ciphertext)\r\n    return cleartext\r\n\r\n\r\ndef get_bumblebee_c2(data: bytes) -\u003e bytes:\r\n    \"\"\"\r\n    Command and Control are stored at the end of the .data section,\r\n    the configuration of the obfuscated C2 and its associated RC4 key\r\n    are stored in the same blob with a fixed length of\r\n    4105 plus one null byte (4106).\r\n    !\\xac\\xd2\\xfe=;\\x87\\x94\\xebP\\x8e@\\x08}\\x00/^I\\xd4\\x86\\xaf\\xd2\\x14-\r\n    \\x16\\x89A\\xa9uT\\x00\\xbduC\\xb7\\x9e~\\x19\\xac\\x9f\\xb4\\x0f\\xae\u003e\\xcc\r\n    \\x96S]\\xb56\\x93C\\x9d*p\\xed\\xc9\\x04:Oew\\xc3*X`:a\\xe0T\\x8e\\x93\u003e\\xf9\r\n    \\xf8\\xe2\\x17Q\\x15b,8\\xa8[\\xf5N\\x93\\xffMM]\\x8d\\xec\\xde\\x13\\x95z\\xc3\r\n    ...\r\n    ...\r\n    ... \u003credacted\u003e ...\r\n    \\xd4\\x00\\xa1xZ:\\x1e\\x90\\x00X\\xea\\xca\\x0c\\'\\xee\\xffOR5tw\\xc0I\\x86R\"!\r\n    \\xf8\\xa3\\x87\\xc8\\x16Mo_5\\x82_\\x81\\x9f\u003cRC4 key composed by 10 bytes\u003e\r\n    \"\"\"\r\n    c2 = b\"\"\r\n    # Split the section on runs of null bytes and strip the null padding\r\n    # around each candidate blob before checking its size.\r\n    for blob in map(lambda x: x.strip(b\"\\x00\"), data.split(b\"\\x00\" * 4)):\r\n        if len(blob) == 4106:\r\n            # The cleartext RC4 key is the last 10 bytes of the blob.\r\n            key = blob[-10:]\r\n            ciphertext = blob[:-10]\r\n            c2 = decrypt_rc4(key, ciphertext)\r\n            c2 = c2.replace(b\"\\x00\", b\"\")\r\n            print(f\"BumbleBee Command and Control IoCs: {c2}\")\r\n    return c2\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    import sys\r\n\r\n    with open(sys.argv[1], \"rb\") as f:\r\n        get_bumblebee_c2(f.read())\r\nCode Snippet 1: BumbleBee C2 extractor\r\nPS: Tested with the package cryptography, version 3.4.8.\r\nGo ahead and re-use or adapt the script for your needs!\r\nResources #\r\nhttps://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/\r\nhttps://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee\r\nhttps://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/bumblebee-docusign-campaign\r\nSource: https://blog.krakz.fr/articles/bumblebee/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.krakz.fr/articles/bumblebee/"
	],
	"report_names": [
		"bumblebee"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434555,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc08a226efbcb0764756a8a59c6ac6e143585bbb.pdf",
		"text": "https://archive.orkl.eu/bc08a226efbcb0764756a8a59c6ac6e143585bbb.txt",
		"img": "https://archive.orkl.eu/bc08a226efbcb0764756a8a59c6ac6e143585bbb.jpg"
	}
}