{
	"id": "3967c225-d0e0-4668-8fbf-3604a652a3ac",
	"created_at": "2026-04-06T00:10:08.294934Z",
	"updated_at": "2026-04-10T13:13:07.117053Z",
	"deleted_at": null,
	"sha1_hash": "d39a056226d66dc8386c1a16f91d3543bf9ec69e",
	"title": "Bumblebee Loader Resurfaces in New Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64712,
	"plain_text": "Bumblebee Loader Resurfaces in New Campaign\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 13:59:22 UTC\r\nThe deployment of file-encrypting ransomware by organized cybercriminal gangs is one of the largest\r\ncybersecurity risks facing organizations. A network breach that culminates with a ransomware infection often\r\nstarts with an infection with a type of malware called a loader. This malware acts as a foothold into an\r\norganization’s network and is subsequently used to install other payloads such as malware or tools. Bumblebee is\r\na type of a loader that has increasingly been used by threat actors affiliated with ransomware, including the now-defunct Conti strain and a relative newcomer, Akira. Written in the C++ programming language, Bumblebee is\r\nused by multiple threat actors to secure initial footholds in high-value enterprise environments.\r\nBumblebee recently went on hiatus for two months, which often occurs as threat actors take a summer break. But\r\nat the end of August 2023, Bumblebee’s operators resumed activity. Intel 471 Malware Intelligence systems have\r\nuncovered threat actors who are operating Bumblebee using new techniques to distribute it. They’ve also updated\r\nthe malware to make it more difficult to disrupt. The update reduces Bumblebee’s dependency on hard-coded\r\ncommand and control (C2) servers and instead uses a Domain Generation Algorithm (DGA) for creating new C2\r\ntouch points.\r\nOn Sept. 7, 2023, a new campaign was observed that leveraged Web Distributed Authoring and Versioning\r\n(WebDAV) servers to disseminate Bumblebee payloads. In this effort, threat actors utilized malicious spam emails\r\nto distribute Windows shortcut (.LNK) and compressed archive (.ZIP) files containing .LNK files. 
When activated\r\nby the user, these LNK files execute a predetermined set of commands designed to download Bumblebee malware\r\nhosted on WebDAV servers.\r\nIn this blog post, we will describe Bumblebee’s recent activity and a threat actor currently using it. We will also\r\ndiscuss in more detail some of the malware’s observed techniques, key updates to its code and mitigations that\r\ndefenders can use to prevent infections.\r\nBazarLoader’s Replacement\r\nThe Bumblebee malware loader appeared in September 2021 and surged in popularity in late March 2022. This\r\nuptick came after threat actors who previously distributed a loader known as BazarLoader shifted their focus to\r\nBumblebee (a compilation of vendor reports and resources related to Bumblebee can be found on Malpedia).\r\nThis shift coincided with the public release of the Conti ransomware gang's infrastructure chat logs and\r\nBazarLoader source code. Also released was control panel data that indicated victims of BazarLoader. This\r\ncumulative disclosure of information apparently put some threat actors off from further using it.\r\nSince Bumblebee started operations, it has proved to be a relentless source of payloads from the Cobalt Strike,\r\nMetasploit and Sliver post-exploitation tools.\r\nhttps://intel471.com/blog/bumblebee-loader-resurfaces-in-new-campaign\r\nPage 1 of 6\n\nIn addition to technical data, Intel 471 has collected intelligence related to how adversaries are employing\r\nBumblebee in their operations. Bumblebee has links to threat actors who were formerly associated with the Conti\r\nand Trickbot operations. The usage of Bumblebee by skilled threat actors with a history of other ransomware\r\nactivity means it should not be underestimated. One threat actor who has claimed to use Bumblebee sought a\r\npartner to run a malicious advertising (malvertising) campaign that would distribute Bumblebee and result in a\r\nvictim pool that would include U.S.-based corporate users. 
The goal of the campaign appeared to be to gain access\r\nto those corporate users and then sell that access to ransomware affiliates and groups, a common scheme known as\r\ninitial access brokering.\r\nDistributing Bumblebee\r\nOn Sept. 7, 2023, the Intel 471 Malware Analysis team identified a new campaign that leveraged 4shared\r\nWebDAV services to distribute the Bumblebee malware loader. The 4shared aka 4shared.com file-hosting service\r\nallows users to upload and download files through both a web interface and the WebDAV protocol. WebDAV lets\r\nusers manage and edit files on remote servers. Most operating systems support WebDAV, letting users treat a\r\n4shared folder as a local network drive.\r\n[Image: Fig 1 - This image depicts a screenshot highlighting the features of 4shared's WebDAV server Sept. 7,\r\n2023.]\r\nUsing WebDAV isn’t a new technique. The SANS Internet Storm Center noted in a blog post Feb. 24, 2023, that\r\nWebDAV played a role in the distribution of the IcedID aka Bokbot malware. In this Bumblebee campaign, threat\r\nactors used malicious spam emails disguised as scans, notifications, invoices or numbered documents to lure\r\nvictims into downloading attachments. Some examples of the file names used as lures in these attachments\r\ninclude:\r\nscan-document_2023(383).lnk\r\nnotify-september_2023(309).lnk\r\ndocument-07september_2023(341).lnk\r\ninvoice-07september_2023(231).lnk\r\ninvoice-07september_2023 (262).zip\r\n[2-3 digit numbers].lnk\r\n[Image: Figure 2 - This image depicts a screenshot of an email used in the Bumblebee campaign Sept. 7, 2023.]\r\nWhile the majority of the observed samples were distributed as .LNK files, we noticed a subset was disseminated\r\nas .ZIP with .LNK files contained. Upon execution, the attached .LNK file initiates the Windows command\r\nprocessor, which then executes a preconfigured set of commands. 
The first command mounts a network drive to a\r\nWebDAV folder at https://webdav.4shared[dot]com, utilizing a specific username and password for\r\nauthentication.\r\n[Image: Figure 3 - This image depicts a screenshot of a 4shared panel hosting malware payloads connected to the\r\nWebDAV campaign Sept. 7, 2023, by X user @V3n0mStrike.]\r\nOur analysis revealed variations in the specific command sets employed across different samples. Upon mounting\r\nthe disk to the victim's device, subsequent commands varied depending on the particular sample analyzed. For\r\ninstance, in file manipulation, the first two commands employ “expand” to extract and copy files from the\r\nmounted drive, while the third employs “replace.exe” as an alternative method. Similarly, the approaches for\r\nexecuting these files also differ. The first example leverages the WMIC file “wmic.exe” to create a new process,\r\nthe second utilizes “conhost.exe” and the third schedules a recurring task via “schtasks” for file execution.\r\nBumblebee payload\r\nOn Sept. 1, 2023, our monitoring system detected a new version of the Bumblebee loader featuring several\r\nalterations to its underlying architecture. Notably, the loader transitioned from utilizing the WebSocket protocol to\r\nemploying a custom Transmission Control Protocol (TCP) for its communication mechanisms. The update also\r\nintroduced DGA, a departure from the hard-coded list of C2 servers in earlier versions. Using a 64-bit static seed\r\nvalue, the DGA generated 100 new domains with a \".life\" top-level domain (TLD). When the payload is executed,\r\nBumblebee will iterate until it resolves a DGA domain to an IP address and successfully checks in. 
The use of\r\nDGA adds another layer of complexity, reducing dependency on hard-coded C2 servers and thereby making it\r\nmore challenging to disrupt the malware’s operations.\r\nIn the observed WebDAV campaign, the following four domains were listed and the fourth domain was resolved\r\nsuccessfully and contacted:\r\n3v1n35i5kwx[dot]life\r\ncmid1s1zeiu[dot]life\r\nItszko2ot5u[dot]life\r\nnewdnq1xnl9[dot]life\r\nOn Sept. 7, 2023, our system detected a new sample labeled with the group name “lnk1,” potentially indicating\r\nthe utilization of .LNK files, which aligns with the observed tactics in the recent WebDAV campaign.\r\nAssessment\r\nThe Bumblebee loader received several key updates during its two-month pause in activity. These changes\r\ndemonstrate a coordinated effort to enhance evasion tactics and bolster resilience against network-level scrutiny\r\nand domain takedown. Additionally, the use of 4shared's WebDAV services for distribution is a new attack vector.\r\nAnalysis of the .LNK files shows calculated steps to evade detection. These include mounting a network drive to a\r\nWebDAV folder and utilizing varied command sequences and execution methods — from \"wmic.exe\" to\r\n\"conhost.exe\" and \"schtasks\" — all designed to bypass behavioral detection systems. The variation in these\r\ntechniques suggests that threat actors are not only innovating but may also be attempting to determine which\r\ntactics are most effective for evasion.\r\nAdditional advancements in both the malware and its associated distribution methods indicate a growing\r\nsophistication within the global malware landscape. This escalation in complexity often is observed after a post-summer hiatus, suggesting that threat actors may utilize this period of reduced activity to refine and advance their\r\noperations. As threat actors consistently integrate advanced evasion techniques and exploit legitimate services,\r\nconventional security measures are becoming increasingly ineffective. 
Therefore, organizations must continuously\r\nstay up to date with emerging threats to adapt their cybersecurity strategies effectively. The Intel 471 team will\r\ncontinue monitoring and reporting emerging threats to provide organizations with timely and actionable\r\nintelligence.\r\nRecommendations\r\nIntel 471 analysts recommend blocking the following known malicious domains associated with this campaign:\r\nIf the “webdav.4shared[dot]com” domain is not normally used in your organization, blocking this domain\r\nis recommended.\r\nAdditionally, organizations are advised to block the other .life domains generated by the DGA.\r\nThe command line execution provides several threat hunting opportunities:\r\nAny command line event logs with “webdav.4shared[dot]com” are likely suspicious, unless this website is\r\nused by system administrators in your organization.\r\nLook for “replace.exe” in conjunction with “webdav.4shared[dot]com” in Windows command line event\r\nlogs.\r\nSearch for emails with attachments that match the following regular expressions (regex):\r\n[a-z]+-[0-9a-z]+_2023\\([0-9]{3}\\).lnk\r\nMITRE ATT\u0026CK techniques\r\nTECHNIQUE TITLE | ID | USE\r\nReconnaissance [TA0043]\r\nGather Victim Host Information: Client Configurations | T1592.004 | Malware lists the compromised host configuration that may include operating system or version, virtualization, architecture, language and/or time zone.\r\nResource Development [TA0042]\r\nDevelop Capabilities: Malware | T1587.001 | Adversaries develop malware to support and enhance their operations.\r\nObtain Capabilities: Malware | T1588.001 | Adversaries purchase malware from third parties to enhance their operations.\r\nObtain Capabilities: Tool | T1588.002 | Adversaries purchase or acquire stolen licenses to legitimate tools, which are abused during their operations.\r\nStage Capabilities: Upload Malware | T1608.001 | Adversaries upload malware to third-party or adversary-controlled infrastructure to leverage it during operations.\r\nStage Capabilities: Upload Tool | T1608.002 | Adversaries upload tools to third-party or adversary-controlled infrastructure to leverage it during operations.\r\nInitial Access [TA0001]\r\nPhishing | T1566 | Adversaries conduct mass malware spam campaigns to infect end users and increase botnet size.\r\nExecution [TA0002]\r\nUser Execution: Malicious Link | T1204.001 | Spam operations rely on a user clicking a malicious link to gain execution.\r\nUser Execution: Malicious File | T1204.002 | Spam operations rely on a user opening a malicious file to gain execution.\r\nScheduled Task/Job: Scheduled Task | T1053.005 | Adversaries use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence.\r\nPersistence [TA0003]\r\nScheduled Task/Job: Scheduled Task | T1053.005 | Adversaries use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence.\r\nCredential access [TA0006]\r\nCredentials from Password Stores: Credentials from Web Browsers | T1555.003 | Adversaries acquire credentials from web browsers by reading files specific to the target browser. This is performed by the stealer plug-in.\r\nCollection [TA0009]\r\nData from Local System | T1005 | Adversaries search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to exfiltration. This is performed by the stealer plug-in.\r\nCommand and Control [TA0011]\r\nData Encoding | T1132 | Adversaries encode data to make the content of C2 traffic more difficult to detect.\r\nData Obfuscation | T1001 | Adversaries obfuscate C2 traffic to make it more difficult to detect.\r\nDynamic Resolution: Domain Generation Algorithms | T1568.002 | Adversaries leverage DGAs to identify a destination domain for C2 traffic dynamically rather than relying on a list of static IP addresses or domains.\r\nNon-Standard Port | T1571 | Malware uses raw sockets and communicates over TCP on port 443, a commonly used port for Hypertext Transfer Protocol Secure (HTTPS) traffic.\r\nEncrypted Channel: Symmetric Cryptography | T1573.001 | Adversaries employ a known symmetric encryption algorithm to conceal C2 traffic.\r\nEncrypted Channel: Asymmetric Cryptography | T1573.002 | Adversaries employ a known asymmetric encryption algorithm to conceal C2 traffic.\r\nExfiltration [TA0010]\r\nAutomated Exfiltration | T1020 | Adversaries exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during collection. This is performed by the stealer plug-in.\r\nExfiltration Over C2 Channel | T1041 | Adversaries steal data by exfiltrating it over an existing C2 channel. Stolen data is encoded into the normal communications channel using the same protocol as C2 communications.\r\nSource: https://intel471.com/blog/bumblebee-loader-resurfaces-in-new-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intel471.com/blog/bumblebee-loader-resurfaces-in-new-campaign"
	],
	"report_names": [
		"bumblebee-loader-resurfaces-in-new-campaign"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434208,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d39a056226d66dc8386c1a16f91d3543bf9ec69e.pdf",
		"text": "https://archive.orkl.eu/d39a056226d66dc8386c1a16f91d3543bf9ec69e.txt",
		"img": "https://archive.orkl.eu/d39a056226d66dc8386c1a16f91d3543bf9ec69e.jpg"
	}
}