{
	"id": "abf7ac62-a03e-4883-b88d-dbdce0eca742",
	"created_at": "2026-04-06T00:06:13.278565Z",
	"updated_at": "2026-04-10T13:12:29.48977Z",
	"deleted_at": null,
	"sha1_hash": "e285d7aaecf93c218efe4623b4db5ed87eb9808d",
	"title": "This isn't Optimus Prime's Bumblebee but it's Still Transforming | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1603256,
	"plain_text": "This isn't Optimus Prime's Bumblebee but it's Still Transforming | Proofpoint US\r\nBy Kelsey Merriman and Pim Trouerbach, April 28, 2022\r\nPublished: 2022-04-27 · Archived: 2026-04-05 15:28:16 UTC\r\nKey Findings\r\nProofpoint has tracked a new malware loader called Bumblebee used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID.\r\nSeveral threat actors that typically use BazaLoader in malware campaigns have transitioned to Bumblebee. BazaLoader has not been seen in Proofpoint data since February 2022.\r\nBumblebee is in active development and wields elaborate evasion techniques, including complex anti-virtualization checks.\r\nUnlike most other malware that uses process hollowing or DLL injection, this loader uses asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2).\r\nProofpoint observed Bumblebee dropping Cobalt Strike, shellcode, Sliver, and Meterpreter.\r\nThreat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns.\r\nOverview\r\nStarting in March 2022, Proofpoint observed campaigns delivering a new downloader called Bumblebee. At least three clusters of activity including known threat actors currently distribute Bumblebee. Campaigns identified by Proofpoint overlap with activity detailed in the Google Threat Analysis Group blog as leading to Conti and Diavol ransomware.\r\nBumblebee is a sophisticated downloader containing anti-virtualization checks and a unique implementation of common downloader capabilities, despite it being so early in the malware's development. Bumblebee's objective is to download and execute additional payloads. Proofpoint researchers observed Bumblebee dropping Cobalt Strike, shellcode, Sliver and Meterpreter. 
The malware name comes from the unique User-Agent \"bumblebee\" used in early campaigns.\r\nThe rise of Bumblebee in the threat landscape coincides with the recent disappearance from Proofpoint threat data of BazaLoader, a popular payload that facilitates follow-on compromises.\r\nCampaign Details\r\nProofpoint researchers have observed Bumblebee being distributed in email campaigns by at least three tracked threat actors. The threat actors have used multiple techniques to deliver Bumblebee. While lures, delivery techniques, and file names are typically customized to the different threat actors distributing the campaigns, Proofpoint observed several commonalities across campaigns, such as the use of ISO files containing shortcut files and DLLs and a common DLL entry point used by multiple actors within the same week.\r\nURLs and HTML Attachments Leading to Bumblebee\r\nIn March 2022, Proofpoint observed a DocuSign-branded email campaign with two alternate paths designed to lead the recipient to the download of a malicious ISO file. The first path began with the recipient clicking on the \"REVIEW THE DOCUMENT\" hyperlink in the body of the email. Once clicked, this would link the user to the download of a zipped ISO file, hosted on OneDrive.\r\nFigure 1: Email delivered March 2022 containing a URL and an HTML attachment\r\nAlternatively, the same email also contained an HTML attachment. The opened HTML file was made to look like an email containing a link to an unpaid invoice. The embedded URL in the HTML attachment used a redirect service which Proofpoint refers to as Cookie Reloaded, a URL redirect service which uses Prometheus TDS to filter downloads based on the time zone and cookies of the potential victim. 
The redirector in turn directed the user to a zipped ISO file, also hosted on OneDrive.\r\nFigure 2: HTML Attachment Containing Link to Cookie Reloaded URL Redirect\r\nThe ISO file contained files named \"ATTACHME.LNK\" and \"Attachments.dat\". If run, the shortcut file \"ATTACHME.LNK\" executed \"Attachments.dat\" with the correct parameters to run the downloader, Bumblebee.\r\nFigure 3: Contents of the archive viewed in WinRAR\r\nFigure 4: Contents of ISO viewed in WinRAR\r\nProcess tree from the shortcut file:\r\ncmd.exe /c start /wait \"\" \"C:\\Users\\[removed]\\AppData\\Local\\Temp\\ATTACHME.LNK\"\r\nrundll32.exe \"C:\\Windows\\System32\\rundll32.exe\" Attachments.dat,IternalJob\r\nFigure 5: TA579 attack chain leading to Bumblebee\r\nProofpoint researchers attributed this campaign with high confidence to the cybercriminal group TA579. Proofpoint has tracked TA579 since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns.\r\nThread Hijacked, Zipped ISO Attachments Leading to Bumblebee\r\nIn April 2022, Proofpoint observed a thread-hijacking campaign delivering emails that appeared to be replies to existing benign email conversations with malicious zipped ISO attachments. All the attachment names in this campaign used the pattern \"doc_invoice_[number].zip\".\r\nFigure 6: Email sample of a hijacked thread containing a malicious zipped ISO attachment\r\nThe zipped ISO was password-protected and contained \"DOCUMENT.LNK\" and \"tar.dll\". The password was shared in the body of the email. 
The shortcut file \"DOCUMENT.LNK\", if run, executed \"tar.dll\" with the correct parameters to start the Bumblebee downloader.\r\nFigure 7: Process Tree from the shortcut file\r\nFigure 8: Thread hijacking attack chain leading to Bumblebee\r\nContact Forms \"Stolen Images\" Leading to Bumblebee\r\nIn March 2022, Proofpoint observed a campaign delivering emails generated by submitting a message to a contact form on the target's website. Additionally, depending on how the website's \"contact us\" section was configured, the submission also left public comments regarding this topic on the target's site. The emails purported to be claims that stolen images existed on the website.\r\nFigure 9: Email sample containing a link to a landing page\r\nThe \"complaint\" contained a link to a landing page which directed the user to the download of an ISO file containing \"DOCUMENT_STOLENIMAGES.LNK\" and \"neqw.dll\".\r\nFigure 10: Example Landing page\r\nThe shortcut file, if run, executed \"neqw.dll\" with the correct parameters to start the Bumblebee downloader.\r\nFigure 11: \"Contact Form\" attack chain leading to Bumblebee\r\nProofpoint attributed this campaign to TA578, a threat actor that Proofpoint researchers have been tracking since May of 2020. TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.\r\nRelationship to Other Malware\r\nThe use of Bumblebee by multiple threat actors, the timing of its introduction in the landscape, and behaviors described in this report can be considered a notable shift in the cybercriminal threat landscape. 
Additionally, Proofpoint assesses with moderate confidence that the actors using Bumblebee may be considered initial access facilitators, that is, independent cybercriminal groups that infiltrate major targets and then sell access to follow-on ransomware actors.\r\nAt least three tracked threat actors that typically distribute BazaLoader malware have transitioned to Bumblebee payloads, with BazaLoader last appearing in Proofpoint data in February 2022.\r\nBazaLoader is a first-stage downloader first identified in 2020 that has been associated with follow-on ransomware campaigns including Conti. Proofpoint researchers initially observed BazaLoader being distributed in high volume by a threat actor that was primarily known to distribute the Trick banking trojan.\r\nFigure 12: Timeline of select campaigns from BazaLoader and Bumblebee\r\nBazaLoader's apparent disappearance from the cybercrime threat landscape coincides with the timing of the Conti Leaks, when, at the end of February 2022, a Ukrainian researcher with access to Conti's internal operations began leaking data from the cybercriminal organization. Infrastructure associated with BazaLoader was identified in the leaked files.\r\nProofpoint assesses with high confidence, based on malware artifacts, that all the tracked threat actors using Bumblebee are receiving it from the same source.\r\nMalware Analysis\r\nBumblebee is a downloader written in C++. The initial Bumblebee DLL sample analyzed contains two exports. One directly starts the thread for the Bumblebee main function. The other eventually leads to the same main function, but adds checks to see if hooks have been placed within key dynamic link libraries (DLLs). 
The LNK loading this DLL skips the default DllMain function and instead calls the export that checks for function hooks.\r\nFigure 13: Screenshot of Bumblebee hook check\r\nThe majority of the Bumblebee loader is condensed into a single function, unlike most malware where initialization, request sending, and response handling are broken out into different functions. The loader starts by copying the group ID, which is effectively used as a botnet identifier. Unlike most other malware, Bumblebee currently has its configuration stored in plaintext, but Proofpoint suspects that obfuscation may be added in the future. With the group ID copied, the loader resolves addresses for various NTDLL functions that allow it to properly perform injection later in the loading process.\r\nFigure 14: Group ID copied and set\r\nOnce the functions are resolved, a unique event is created that serves as a mutex to ensure only a single instance of the loader is running.\r\nFigure 15: Event creation\r\nAt this point, a single instance of Bumblebee is confirmed to be running, and the malware begins gathering system information. The following WMI queries are executed via a COM object to gather details needed for communication:\r\nSELECT * FROM Win32_ComputerSystem\r\nSELECT * FROM Win32_ComputerSystemProduct\r\nThe hostname and UUID of the system are gathered and concatenated based on the query output. An MD5 hash of this value is then generated and turned into a hex digest. 
The result becomes the unique client ID of the bot.\r\nFigure 16: Client ID creation\r\nAfter the client ID has been generated, the loader creates the system version string, which includes the caption of a WMI query, the host's username, and the domain of the host if applicable.\r\nWith all this information gathered, the loader can start communication with the C2. The loader checks into the C2 every 25 seconds to retrieve commands. Unlike most malware that has a set of modules or payloads that are immediately returned to the bot, it appears the actors behind this malware manually deploy payloads to Bumblebee, as it can take multiple hours before it receives any jobs to execute. Each server response contains a variation of the data shown in the figure below. If valid tasks are returned, the \"tasks\" value will be a list of dictionaries that contain all the task information.\r\nFigure 17: Bumblebee response\r\nThe Bumblebee loader supports the following commands:\r\nShi: shellcode injection\r\nDij: DLL injection\r\nDex: download executable\r\nSdl: uninstall loader\r\nIns: enable persistence on the bot\r\nIns Command\r\nThe Ins command enables persistence by copying the Bumblebee DLL to a subdirectory of the %APPDATA% folder and creating a Visual Basic Script that will load the DLL. A scheduled task is created that invokes the Visual Basic Script via wscript.exe.\r\nFigure 18: VBS script loading the DLL\r\nFigure 19: Scheduled task created with the VBS file\r\nDex Command\r\nThe Dex command is the most rudimentary of the supported commands. 
It takes the base64-decoded content from the server response, writes it to disk at a hardcoded path and executes it via a COM object.\r\nFigure 20: Dex command output\r\nDij Command\r\nThe Dij command adds the ability to inject DLLs into the memory of other processes. For injection targets, the malware picks one of three hardcoded options to inject the DLL into (ImagingDevices.exe, wab.exe, or wabmig.exe).\r\nFigure 21: Identifying executable files as injection targets\r\nWith a random executable picked, the loader starts the process in a suspended state (also via a COM object). This allows the malware to easily manipulate the process without causing issues. Next, it prepares the process for injection by enabling debug privileges so it can inject the shellcode necessary for execution.\r\nFigure 22: New process creation and enabling debug privileges\r\nWith proper permissions set, data can be manipulated, and the loader writes shellcode to the suspended process, overriding the initial entry point with a new one. This implementation writes 32 bytes of shellcode and replaces a placeholder with the resolved address of SleepEx.\r\nFigure 23: SleepEx replacing the placeholder value\r\nFigure 24: Disassembled shellcode\r\nThe \"call RAX\" instruction in the shellcode assembly shown in the figure above uses the address of SleepEx that replaced the placeholder, as seen in the previous figure, and the shellcode calls SleepEx with a value of 1000 milliseconds. 
With the shellcode now injected into the process, the process can be resumed and the loader can inject the malicious payload into the executable via an APC routine.\r\nFigure 25: Process injection via APC\r\nTo properly inject, the loader creates two new sections within the injection target and copies the buffer from \"dij\" into the new section, then invokes the copied contents in the target executable via a dynamically resolved NtQueueApcThread.\r\nFigure 26: Creation of two new sections\r\nFigure 27: Calling the dynamically resolved NtQueueApcThread\r\nMalware Development\r\nProofpoint researchers noticed that within a month of campaigns, Bumblebee developers added new features to the malware, specifically anti-VM and anti-sandbox checks. Below is the earlier sample:\r\nFigure 28: Old Bumblebee sample\r\nAnd the more recent sample:\r\nFigure 29: Updated Bumblebee sample with addition of check_bad_artifacts\r\nResearching the new functionality revealed a neat surprise:\r\nFigure 30: Decompilation of the malware's firmware check\r\nFigure 31: Open source code from Al Khaser showing the exact same check\r\nThe check shown in the figures above is part of the Al Khaser suite, a common tool used to check for VM artifacts. It appears that the developers of the Bumblebee loader rely on open-source tooling, just like standard developers.\r\nSignificant Update\r\nProofpoint noted significant changes to Bumblebee functionality in the latest version of Bumblebee observed on April 19, 2022. 
Multiple C2s are now supported via a comma-delimited list.\r\nFigure 32: Multiple embedded C2s\r\nThe sleep interval, which was hardcoded at 25 seconds in older versions, has been replaced with a randomized value.\r\nFigure 33: Addition of random sleep values\r\nThe most significant change to the malware has been the addition of an encryption layer to the network communications. The developers added RC4 with a hardcoded key to the sample, which is used to encrypt the requests and decrypt the responses.\r\nFigure 34: Encryption of the request\r\nFigure 35: Decryption of the response\r\nAs another marker of this group's fast development velocity, on April 22 Proofpoint observed this group adding a new thread to Bumblebee that checks currently running processes against a hardcoded list of common tools used by malware analysts. This thread gets created at the beginning of the Bumblebee process.\r\nFigure 36: The Bumblebee main function showing the start of the new thread.\r\nFigure 37: The list of tools Bumblebee checks for.\r\nIf any of these processes are found, the function returns 1, which triggers the main Bumblebee thread to be terminated.\r\nConclusion\r\nBumblebee is a sophisticated malware loader that demonstrates evidence of ongoing development. It is used by multiple cybercrime threat actors. Proofpoint assesses with high confidence that the Bumblebee loader can be used as an initial access facilitator to deliver follow-on payloads such as ransomware. 
Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favored other malware.\r\nIndicators of Compromise\r\nIndicator | Type | Description\r\nc6ef53740f2011825dd531fc65d6eba92f87d0ed1b30207a9694c0218c10d6e0 | SHA256 | 31 March–1 April 2022 ISO Sample\r\na72538ba00dc95190d6919756ffce74f0b3cf60db387c6c9281a0dc892ded802 | SHA256 | 31 March–1 April 2022 Bumblebee Sample\r\n77f6cdf03ba70367c93ac194604175e2bd1239a29bc66da50b5754b7adbe8ae4 | SHA256 | 5 April 2022 ISO Sample\r\n0faa970001791cb0013416177cefebb25fbff543859bd81536a3096ee8e79127 | SHA256 | 5 April 2022 Bumblebee Sample\r\nFe7a64dad14fe240aa026e57615fc3a22a7f5ba1dd55d675b1d2072f6262a1 | SHA256 | 28 March–1 April 2022 ISO Sample\r\n08CD6983F183EF65EABD073C01F137A913282504E2502AC34A1BE3E599AC386B | SHA256 | 10 March unpacked Bumblebee sample\r\nET Signatures\r\nET MALWARE Win32/BumbleBee Loader Activity\r\nET USER_AGENTS Observed Bumblebee Loader User-Agent (bumblebee)\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming"
	],
	"report_names": [
		"bumblebee-is-still-transforming"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1f87ac52-682a-4bc7-b7ce-fac8d79815fa",
			"created_at": "2023-01-06T13:46:39.373008Z",
			"updated_at": "2026-04-10T02:00:03.305899Z",
			"deleted_at": null,
			"main_name": "TA579",
			"aliases": [],
			"source_name": "MISPGALAXY:TA579",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433973,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e285d7aaecf93c218efe4623b4db5ed87eb9808d.pdf",
		"text": "https://archive.orkl.eu/e285d7aaecf93c218efe4623b4db5ed87eb9808d.txt",
		"img": "https://archive.orkl.eu/e285d7aaecf93c218efe4623b4db5ed87eb9808d.jpg"
	}
}