{
	"id": "5fbf9323-5407-404e-aeee-5189463beb84",
	"created_at": "2026-04-06T00:19:35.854484Z",
	"updated_at": "2026-04-10T03:20:15.868438Z",
	"deleted_at": null,
	"sha1_hash": "da4d7253fdb0734966a75f161f1bcf0fadf36f2d",
	"title": "A Sting on Bing: Bumblebee delivered through Bing SEO poisoning campaign - CYJAX",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3113855,
	"plain_text": "A Sting on Bing: Bumblebee delivered through Bing SEO\r\npoisoning campaign - CYJAX\r\nBy Joe Wrieden\r\nPublished: 2025-05-19 · Archived: 2026-04-05 21:57:15 UTC\r\nTable of contents\r\nOriginally posted on - 19.05.2025\r\nTactics Techniques and Procedures\r\nIntroduction\r\nBumblebee is a downloader malware which has become known for its sophistication and effectiveness. The\r\nmalware was first discovered in 2022 and was believed to be a tool for ransomware groups due to the developer’s\r\nclose ties with Conti. Since then, it has been used in various attacks and has been delivered through multiple\r\nmethods, including phishing emails, malicious documents, and SEO poisoning.\r\nCyjax has identified one such campaign which used a series of fake download sites to target users of the Bing web\r\nbrowser. This report will explore how the campaign operates and the developments of this specific attack.\r\nUpdate – 27.05.2025 \r\nAdditional samples of the Bumblebee loader have been identified targeting software packages. As with the\r\npreviously identified campaign, generic template sites were used when users directly visited the pages. The sole\r\npurpose of the pages appears to be generating SEO. However, when users visit these sites via a Bing referrer link,\r\ncloned download sites delivering the Trojanised MSI files are loaded.  \r\nTwo new template sites have been identified, one of which is titled “Arcanetvoa”. The second template site\r\nappears to be entirely built from bootstrap style elements. Both can be viewed in Figure U1 and Figure U2.\r\nhttps://www.cyjax.com/resources/blog/a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign/\r\nPage 1 of 10\n\nFigure U1 – Arcanetvoa template site.  
\r\nFigure U2 – Second template site\r\nThe site shown in Figure U2 has been linked to three targeted software packages, namely Sonicwall,\r\nHanwhavision, and PulseSecure. Other identified phishing sites include downloads for Wireless Network Watcher,\r\nZenMap, and Netcrunch. Each of these uses a similar process to the previously identified campaign, leveraging a\r\nthird-party site to deliver the malicious MSI file.  \r\nThrough wider investigation, Cyjax has identified two new download sites named hub28[.]shop and\r\nvpncorporate[.]online. Both of these are hosted on the Hostinger IP address 157.173.208[.]204, the same server\r\nthe previously identified download site was hosted on. From analysing publicly available DNS records, a number\r\nof other ‘.shop’ and ‘.online’ domains resolve to this IP. However, Cyjax has not directly linked these to\r\nBumblebee campaigns.  \r\nCloser analysis of the infection chain showed that when downloading the Wisenet_Device_Manager.msi file\r\nhosted on the fake Hanwhavision site, it followed the exact same execution pattern as WinMTR. The only difference is\r\nthe use of a new version.dll file, which has the filename “Periwinkled electrohemostasis”. As with the previous\r\nexample, random words were used for the file information. \r\nThese sites highlight the targeting of a wider range of software packages to deliver Bumblebee. This is further\r\nevidenced by the sophistication of the attack, with an additional six software packages identified as targets.\r\nConsequently, this Bumblebee campaign is significantly wider reaching than initially thought. It is also clear that\r\nby targeting Sonicwall and Pulsesecure, the responsible threat actor is looking to target corporate software\r\nalongside lesser-known technical tools. 
As such, it is vital that those using the Bing web browser remain vigilant\r\nand ensure that all software download sites are verified through a third-party browser or source.  \r\nUpdate – Indicators of Compromise\r\nPhishing Sites: \r\nhanwhavision[.]org \r\npulsesecure[.]pro \r\nsonicwall[.]pro \r\nnir-soft[.]org \r\nnetcrunch[.]org \r\nzenmap[.]pro \r\nDownload Sites: \r\nhub28[.]shop \r\nvpncorporate[.]online \r\nNew version.dll \r\nWisenet_Device_Manager.msi \r\nOriginally posted on - 19.05.2025\r\nTechnical Analysis\r\nWithin this newly identified campaign, Bumblebee has been delivered through a series of fake download websites\r\nfor software packages. Currently, two packages called WinMTR and Milestone XProtect have been identified as\r\ntargets of the attack. WinMTR is an open-source tool which provides a visual interface to a version of Matt’s\r\ntraceroute. This is a program which combines the functions of traceroute and ping. Milestone XProtect is video\r\nmanagement software which allows centralised control of video surveillance systems. In both cases, the threat\r\nactor created legitimate-appearing sites to host the malicious downloader and registered domains which were\r\nsimilar to the original ones. 
This can be seen in the table in Figure 1.\r\nLegitimate Domain | Malicious Domain\r\nwww.milestonesys[.]com | www.milestonesys[.]org\r\nwww.winmtr[.]net | www.winmtr[.]org\r\nFigure 1 – Domain typosquatting examples.\r\nThis specific campaign appears to target users of the Bing search engine, relying on SEO poisoning techniques to\r\nget malicious sites to the top of the search results. As can be seen in Figure 2 and Figure 3, searches for\r\n“WinMTR download” and “Milestone XProtect download” show that the malicious sites appear as the top result\r\nbelow the panel generated by Bing.\r\nFigure 2 – “WinMTR download” search.\r\nFigure 3 – “Milestone XProtect download” search.\r\nBoth sites are hosted on the same server owned by Truehost Cloud in Nairobi. Going directly to both sites loads\r\nwhat appears to be a template website, with a number of assets and links still redirecting to the service “LDAP\r\nAdministrator”. \r\nFigure 4 – Page contents of winmtr[.]org.\r\nAs seen in Figure 4, it is likely that this template site is being used to generate SEO for the tool and as a vague\r\ncover, so the site does not become suspicious to visitors. 
When visiting the site through the link provided in the\r\nBing search engine, a copy of the legitimate WinMTR download site is shown, as highlighted in Figure 5.\r\nFigure 5 – Page contents of winmtr[.]org after visiting via Bing referrer link.\r\nThe page is an exact copy, and the only change is that an MSI file is used for the latest version instead of a ZIP.\r\nThis MSI file is the Trojanised installer which delivers the Bumblebee malware to victims once executed.\r\nThe file itself is not hosted locally on the same page. Instead, both sites reference an external domain called\r\n“software-server[.]online”, which hosts the malicious MSI files. A request is made to a page titled “Get” during\r\ndownload, with a parameter to specify which Trojanised software package to deliver. Currently, the two observed\r\nexamples include WinMTR and Milestone_XProtect. However, this does suggest that there may be more\r\navailable.\r\nThe installer is then run using msiexec.exe, which delivers the legitimate winmtr.exe executable,\r\nicardagt.exe, and a malicious DLL titled version.dll. Both the second executable and malicious DLL are\r\nresponsible for delivering the malware, with icardagt.exe being used to load the malicious library. The executable\r\nappears to be a legitimate Windows binary; however, it is important to note that the certificate used to sign the\r\nexecutable expired on 22 January 2010. The breakdown of the execution flow can be seen below in Figure 6.\r\nFigure 6 – Bumblebee execution flow.\r\nAfter the malware is executed, it begins to connect to a number of known Bumblebee C2 domains. A series of C2\r\nURLs have been identified, each taking the form of a 13-character string followed by the ‘.life’ top-level domain\r\n(TLD). 
\r\nThese C2 domains have been linked to a shared Bumblebee sample, in which a similar MSI file was delivered\r\nunder the name RVTools.msi. This sample was also delivered through a similar delivery domain called “soft-server[.]online”, which is hosted on the same US-based server. This suggests that the threat actor responsible for\r\nthis campaign has likely pivoted and further developed it to target more software packages through SEO\r\npoisoning. \r\nConclusions\r\nOverall, this campaign highlights a clear targeting of software packages through a sophisticated and highly\r\neffective Bing SEO poisoning campaign. From analysing the software across both this and the previous campaign,\r\nthere is a common targeting of lesser-known tools used within technical development environments. This presents\r\na unique target and, because of Bumblebee’s ability to deliver additional malware, it is likely that these kinds of\r\nprivileged developer environments present an ideal environment for further attacks or information theft. \r\nWhen comparing this to a previous Bumblebee SEO poisoning campaign in 2023, the malware was delivered\r\nthrough Trojanised Zoom, Cisco AnyConnect, and ChatGPT installers. This new campaign highlights a significant\r\nshift in tactics, as the threat actor has pivoted to target more obscure software installation packages which victims\r\nmay not easily be able to verify the legitimacy of. \r\nThe effectiveness of the SEO poisoning on Bing’s search results highlights the importance of validating files\r\nbefore installing them. With both malicious packages appearing at the top, users cannot solely rely on search\r\nresults ranking to provide legitimate software packages. 
It is because of this that users should regularly check\r\nother browsers or find a reputable third-party source to cross-reference the legitimacy of the source. \r\nTactics Techniques and Procedures\r\nTactic | Technique | ID\r\nResource Development | Acquire Infrastructure: Domains | T1583.001\r\n~ | Stage Capabilities: SEO Poisoning | T1608.006\r\n~ | Stage Capabilities: Upload Malware | T1608.001\r\nInitial Access | Drive-by Compromise | T1189\r\nExecution | User Execution | T1204\r\n~ | User Execution: Malicious File | T1204.002\r\nDefence Evasion | Masquerading | T1036\r\n~ | Masquerading: Match Legitimate Name or Location | T1036.005\r\n~ | System Binary Proxy: Msiexec | T1218.007\r\n~ | DLL Side-Loading | T1574.001\r\nIndicators of Compromise\r\nPhishing Sites:\r\nwinmtr[.]org\r\nmilestonesys[.]org\r\nDownload Site:\r\nsoftware-server[.]online\r\nversion.dll 
\r\nWinMTR.msi\r\nMilestone_XProtect.msi\r\nSource: https://www.cyjax.com/resources/blog/a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyjax.com/resources/blog/a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign/"
	],
	"report_names": [
		"a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434775,
	"ts_updated_at": 1775791215,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da4d7253fdb0734966a75f161f1bcf0fadf36f2d.pdf",
		"text": "https://archive.orkl.eu/da4d7253fdb0734966a75f161f1bcf0fadf36f2d.txt",
		"img": "https://archive.orkl.eu/da4d7253fdb0734966a75f161f1bcf0fadf36f2d.jpg"
	}
}