{
	"id": "e4385153-7d5f-499c-86db-e5174660f180",
	"created_at": "2026-04-06T00:19:29.375804Z",
	"updated_at": "2026-04-10T13:12:11.097493Z",
	"deleted_at": null,
	"sha1_hash": "e1e2f4719a3edbd7f8f6b5599f05a435b98b1d28",
	"title": "Bumblebee Malware Loader Threat Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2356169,
	"plain_text": "Bumblebee Malware Loader Threat Analysis\r\nBy Michael Lamb\r\nPublished: 2022-09-16 · Archived: 2026-04-05 17:42:32 UTC\r\nExecutive summary\r\nThis year Google’s TAG (Threat Analysis Group) published an article referring to a new Threat Actor Group\r\ncalled “EXOTIC LILY”. This group is believed to be an Initial Access Broker with strong links to the Wizard\r\nSpider group which operates the Conti ransomware variant.\r\nIn an interesting analysis, Google TAG noted a new delivery method abusing file transfer sites like TransferXL\r\nand WeTransfer, which lured users to download a .zip file. Inside the .zip file was an .iso which, when clicked\r\nwould auto-mount to a Windows system containing a .lnk shortcut file and .dll file.\r\nFurther analysis revealed that the .dll file is a new variant of loader which is executed by the command embedded\r\ninto the .lnk file.\r\nAspire’s SOC team undertook further analysis of the campaign by retrieving a copy of the network packet capture\r\nfrom the SANS Internet Storm Center. 
We uncovered evidence of Cobalt Strike activity, suspicious C2 connections showing signs of defence evasion, and suspicious connections to AWS virtual machine infrastructure.\r\nBumblebee delivery \u0026 execution mechanism overview\r\nBumblebee breakdown\r\nThe Bumblebee loader is delivered as a zip file, downloaded via an e-mail lure from TransferXL:\r\nhttps://www.aspirets.com/blog/bumblebee-malware-loader-threat-analysis/\r\nPage 1 of 8\n\nUpon opening the zip file you will find an .iso file, which mounts when double-clicked.\r\nInside the mounted .iso you will find a shortcut file and a .dll file (spc.dll).\r\nInspecting the shortcut reveals an execution tactic that uses rundll32.exe.\r\nRundll32.exe is given the path of the .dll and the name of the export to call (rundll32.exe <dll>,<entry point>) and executes the DLL through that entry point, so the loader runs inside a signed Microsoft binary rather than as a process of its own.\r\nTraffic analysis with Brim\r\nBrim is a desktop application providing a SIEM-like interface that takes in PCAP files and converts them to Zeek logs, and also runs the file through the Suricata NIDS engine to produce alert events for suspicious activity. Brim can be used to pivot from Zeek data points, open Wireshark for deeper analysis, enrich with VirusTotal and visualise data in charts and graphs.\r\nHost identification\r\nThere was only one host and one username in the PCAP, which made scoping the potentially infected host easier.\r\nHostname: DESKTOP-D8FSF3\r\nDomain: STUDIOPLUS.COMPANY\r\nUsername: Jacob.macnuttey\r\nHTTPS traffic\r\nA quick filter on the SSL traffic shows communications with the TransferXL domain (transferxl[.]com) first. 
By ordering the traffic by time (earliest to latest) we can then start to spot suspicious domains that we might want to investigate further by pivoting into other Zeek logs.\r\nAnother perspective on the SSL traffic is to sort by count of destination host; this shows that the majority of the traffic in this packet capture was to xenilik[.]com. More interesting at this point of the analysis is that there are also repeated connections made directly to 194[.]135[.]33[.]144 over port 443. These could be our Command and Control (C2) connections.\r\nSuricata alerts\r\nWhen you load a packet capture into Brim, the file is analysed by the integrated Zeek and Suricata engines, which generate the Zeek log files and any Suricata (NIDS) alerts to help produce leads to investigate.\r\nIn the case of this packet capture there were only 3 alert categories, none of which gave an immediate lead with regards to command and control, file download or exfiltration.\r\nConclusions\r\nWith the traffic filtered down to interesting traffic, i.e. not CDN, not googletagmanager etc., 
we get a clear view of the timeline.\r\nThe first section of traffic shows the download from TransferXL; the second section shows the C2 traffic related to the Bumblebee loader, which uses a self-signed certificate.\r\nTransferXL download \u0026 C2 traffic\r\nC2 JA3 hash (the pitfall of JA3 hashes)\r\nJA3 hashes can be really useful, as they help identify the client application that made the SSL connection. With that said, some C2 frameworks rely on underlying default libraries (e.g. Python) or the operating system socket, which means the hash fingerprints the library or the OS rather than the malware and cannot be used as a reliable IOC.\r\nWhen analysing the JA3 hash of this SSL handshake, Aspire found that it is being reported as an IoC in many sources and historical articles related to other threat actors. The JA3 hash in this case actually identifies that the C2 client used the default Windows 10 socket, which means the hash cannot uniquely identify the handshake as an indicator of malicious traffic. In theory this could be a method of evasion.\r\nA list of default Windows JA3 hashes can be found below:\r\nWin10-socket: c12f54a3f91dc7bafd92cb59fe009a35\r\nWin10-socket-SNI: 3b5074b1b5d032e5620f69f9f700ff0e\r\nWin10-powershell: fc54e0d16d9764783542f0146a98b300\r\nWin10-powershell-SNI: 54328bd36c14bd82ddaa0c04b25ed9ad\r\nWin10-iexplore: be6155e945a3e59a1dd0841b86f6c945\r\nWin10-iexplore-SNI: 10ee8d30a5d01c042afd7b2b205facc4\r\nWin2016-socket: 043c543b63b895881d9abfbc320cb863\r\nWin2016-socket-SNI: 7c410ce832e848a3321432c9a82e972b\r\nWin2016-powershell: 17b69de9188f4c205a00fe5ae9c1151f\r\nWin2016-powershell-SNI: 235a856727c14dba889ddee0a38dd2f2\r\nWin2016-iexplore: 4f2e9c50db9bd107439136bd24740c0d\r\nWin2016-iexplore-SNI: f88610704d61a237aa9e5e0849573998\r\nThe above list should be used to baseline your environment. 
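The triage steps this post walks through by hand in Brim (sorting TLS sessions by destination, checking a JA3 against the default-Windows baseline above, and totalling the bytes exchanged with a host, as is done for the EC2 connections further down) can be scripted directly against the Zeek logs Brim produces. The following Python is an added example written for this page, not code from the original post or from Aspire. It assumes Zeek ASCII TSV output with the ja3 column added by the Zeek ja3 package. The log records are constructed inline: the xenilik[.]com rows carry a placeholder hash standing in for the Cobalt Strike fingerprint (the post does not publish it), 198.51.100.20 and 203.0.113.10 are documentation addresses standing in for the TransferXL and EC2 hosts, and the byte counts are invented.

```python
from collections import Counter
TAB = chr(9)

# Default Windows client JA3 hashes, copied from the list in this post. A hit
# here fingerprints the OS TLS stack, not the malware that happened to use it.
DEFAULT_WINDOWS_JA3 = {
    'c12f54a3f91dc7bafd92cb59fe009a35': 'Win10-socket',
    '3b5074b1b5d032e5620f69f9f700ff0e': 'Win10-socket-SNI',
    'fc54e0d16d9764783542f0146a98b300': 'Win10-powershell',
    '54328bd36c14bd82ddaa0c04b25ed9ad': 'Win10-powershell-SNI',
    'be6155e945a3e59a1dd0841b86f6c945': 'Win10-iexplore',
    '10ee8d30a5d01c042afd7b2b205facc4': 'Win10-iexplore-SNI',
    '043c543b63b895881d9abfbc320cb863': 'Win2016-socket',
    '7c410ce832e848a3321432c9a82e972b': 'Win2016-socket-SNI',
    '17b69de9188f4c205a00fe5ae9c1151f': 'Win2016-powershell',
    '235a856727c14dba889ddee0a38dd2f2': 'Win2016-powershell-SNI',
    '4f2e9c50db9bd107439136bd24740c0d': 'Win2016-iexplore',
    'f88610704d61a237aa9e5e0849573998': 'Win2016-iexplore-SNI',
}
# Threat-intel JA3 list. PLACEHOLDER: the post does not publish the Cobalt
# Strike hash it matched, so a fake 32-character value stands in for it here.
KNOWN_MALICIOUS_JA3 = {'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa': 'Cobalt Strike (placeholder)'}

def parse_zeek_tsv(lines):
    '''Zeek ASCII TSV (ssl.log, conn.log): column names from #fields, other #-lines skipped.'''
    fields = None
    for line in lines:
        line = line.rstrip(chr(13) + chr(10))
        if not line or (line.startswith('#') and not line.startswith('#fields')):
            continue
        if line.startswith('#fields'):
            fields = line.split(TAB)[1:]
            continue
        if fields is None:
            raise ValueError('record seen before #fields header')
        values = line.split(TAB)
        if len(values) != len(fields):
            raise ValueError('column count mismatch: ' + line)
        yield dict(zip(fields, values))

def connections_by_destination(ssl_rows):
    '''TLS sessions per (server IP, SNI), busiest first: the sort-by-destination view.'''
    return Counter((r['id.resp_h'], r['server_name']) for r in ssl_rows).most_common()

def ja3_verdict(ja3):
    '''Grade a JA3 as an indicator. The baseline is checked first: a default Windows
    hash stays weak even if a threat-intel feed lists it, because every Windows host
    emits it (the pitfall the post describes).'''
    if ja3 in DEFAULT_WINDOWS_JA3:
        return 'baseline', DEFAULT_WINDOWS_JA3[ja3]
    if ja3 in KNOWN_MALICIOUS_JA3:
        return 'high', KNOWN_MALICIOUS_JA3[ja3]
    return 'unknown', 'non-default client, pivot on conn/x509 logs'

def classify_ja3(ssl_rows):
    '''One verdict per destination IP, taken from the first JA3 seen towards it.'''
    report = {}
    for r in ssl_rows:
        ip = r['id.resp_h']
        if ip not in report:
            grade, note = ja3_verdict(r['ja3'])
            report[ip] = {'ja3': r['ja3'], 'grade': grade, 'note': note}
    return report

def bytes_to_host(conn_rows, host):
    '''(sent, received, total) bytes exchanged with host, the low-confidence measure
    used for encrypted traffic. Zeek writes - for an unset counter; that counts as 0.'''
    sent = recv = 0
    for r in conn_rows:
        if r['id.resp_h'] == host:
            sent += 0 if r['orig_bytes'] == '-' else int(r['orig_bytes'])
            recv += 0 if r['resp_bytes'] == '-' else int(r['resp_bytes'])
    return sent, recv, sent + recv

# Constructed sample records (the post shows screenshots, not raw logs). 10.0.0.5 is
# the infected host; 198.51.100.20 stands in for TransferXL and 203.0.113.10 for the
# unnamed EC2 machine. The Bumblebee C2 rows carry the Win10-socket JA3 as described.
SSL_LOG_LINES = [TAB.join(r) for r in [
    ['#fields', 'ts', 'uid', 'id.orig_h', 'id.resp_h', 'id.resp_p', 'server_name', 'ja3'],
    ['1663325000.10', 'C1', '10.0.0.5', '198.51.100.20', '443', 'transferxl.com', 'be6155e945a3e59a1dd0841b86f6c945'],
    ['1663325060.20', 'C2', '10.0.0.5', '194.135.33.144', '443', '-', 'c12f54a3f91dc7bafd92cb59fe009a35'],
    ['1663325120.30', 'C3', '10.0.0.5', '194.135.33.144', '443', '-', 'c12f54a3f91dc7bafd92cb59fe009a35'],
    ['1663325180.40', 'C4', '10.0.0.5', '23.106.215.123', '443', 'xenilik.com', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'],
    ['1663325240.50', 'C5', '10.0.0.5', '23.106.215.123', '443', 'xenilik.com', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'],
    ['1663325300.60', 'C6', '10.0.0.5', '23.106.215.123', '443', 'xenilik.com', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'],
    ['1663325360.70', 'C7', '10.0.0.5', '203.0.113.10', '443', '-', 'c12f54a3f91dc7bafd92cb59fe009a35'],
]]
CONN_LOG_LINES = [TAB.join(r) for r in [
    ['#fields', 'ts', 'uid', 'id.orig_h', 'id.resp_h', 'id.resp_p', 'proto', 'orig_bytes', 'resp_bytes'],
    ['1663325000.10', 'C1', '10.0.0.5', '198.51.100.20', '443', 'tcp', '4120', '2356169'],
    ['1663325060.20', 'C2', '10.0.0.5', '194.135.33.144', '443', 'tcp', '1530', '2200'],
    ['1663325120.30', 'C3', '10.0.0.5', '194.135.33.144', '443', 'tcp', '1498', '2310'],
    ['1663325180.40', 'C4', '10.0.0.5', '23.106.215.123', '443', 'tcp', '980', '1640'],
    ['1663325240.50', 'C5', '10.0.0.5', '23.106.215.123', '443', 'tcp', '1002', '1655'],
    ['1663325300.60', 'C6', '10.0.0.5', '23.106.215.123', '443', 'tcp', '-', '-'],
    ['1663325360.70', 'C7', '10.0.0.5', '203.0.113.10', '443', 'tcp', '512000', '7200000'],
]]

if __name__ == '__main__':
    ssl_rows, conn_rows = list(parse_zeek_tsv(SSL_LOG_LINES)), list(parse_zeek_tsv(CONN_LOG_LINES))
    for (ip, sni), n in connections_by_destination(ssl_rows):
        print(n, 'sessions to', ip, sni, classify_ja3(ssl_rows)[ip])
    print('bytes with 203.0.113.10 (sent, recv, total):', bytes_to_host(conn_rows, '203.0.113.10'))
```

Against real output, pass the open log files instead of the constructed lists (parse_zeek_tsv(open('ssl.log')) and parse_zeek_tsv(open('conn.log'))). The ordering in ja3_verdict is the point the post makes: a hit in DEFAULT_WINDOWS_JA3 only tells you the client used the OS TLS stack, so the destination, the certificate and the byte counts have to carry the case, and a JA3 from a threat-intel feed is only worth a high grade when it is not also a default hash.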
Credit to Jeff Atkinson, who shared this list in the Bro Workshop 2019 at Geneva.\r\nSuspicious AWS EC2 connections\r\nAs highlighted by MTA’s analysis, we also noted the suspicious connections to an AWS EC2 virtual machine. Whilst Brim offers a powerful capability to open the raw packets in Wireshark at the click of a button and inspect the data in more detail, the traffic is TLS-encrypted and so the payload cannot be inspected in this case.\r\nWhat we can do is calculate the total bytes sent and received (approx. 7.7 MB). This traffic could be related to the threat actor in some way, so it should be treated as an IOC of low confidence.\r\nCobalt Strike traffic\r\nWe revisited the high number of connections to xenilik[.]com (23[.]106[.]215[.]123); when we cross-referenced the JA3 hash of those connections, it turned out to be a high-confidence IOC for Cobalt Strike.\r\nEnrichment\r\nOne final feature of Brim we leveraged was the ability to enrich the data with VirusTotal by right-clicking elements such as IP addresses and domain names to perform a VT lookup. One key takeaway was that the detection rate was very low, with no key context around what the entities were related to, i.e. Cobalt Strike, C2, malware etc.\r\nSource: https://www.aspirets.com/blog/bumblebee-malware-loader-threat-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.aspirets.com/blog/bumblebee-malware-loader-threat-analysis/"
	],
	"report_names": [
		"bumblebee-malware-loader-threat-analysis"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434769,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1e2f4719a3edbd7f8f6b5599f05a435b98b1d28.pdf",
		"text": "https://archive.orkl.eu/e1e2f4719a3edbd7f8f6b5599f05a435b98b1d28.txt",
		"img": "https://archive.orkl.eu/e1e2f4719a3edbd7f8f6b5599f05a435b98b1d28.jpg"
	}
}