{
	"id": "a8764bd3-8d94-4184-89f8-1967b5ad20e3",
	"created_at": "2026-04-06T00:17:03.36279Z",
	"updated_at": "2026-04-10T03:37:26.655366Z",
	"deleted_at": null,
	"sha1_hash": "e8fd95b64cf80a5bdd2fce8aa078ab5ca8a47198",
	"title": "Bumblebee Malware Attack Analysis: Why It’s Back | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 544681,
	"plain_text": "Bumblebee Malware Attack Analysis: Why It’s Back | Proofpoint\r\nUS\r\nBy Axel F, Selena Larson and the Proofpoint Threat Research Team\r\nPublished: 2024-02-12 · Archived: 2026-04-05 15:17:33 UTC\r\nWhat happened \r\nProofpoint researchers identified the return of Bumblebee malware to the cybercriminal threat landscape on 8\r\nFebruary 2024 after a four-month absence from Proofpoint threat data. Bumblebee is a sophisticated downloader\r\nused by multiple cybercriminal threat actors and was a favored payload from its first appearance in March 2022\r\nthrough October 2023 before disappearing.  \r\nIn the February campaign, Proofpoint observed several thousand emails targeting organizations in the United\r\nStates with the subject \"Voicemail February\" from the sender \"info@quarlesaa[.]com\" that contained OneDrive\r\nURLs. The URLs led to a Word file with names such as \"ReleaseEvans#96.docm\" (the digits before the file\r\nextension varied). The Word document spoofed the consumer electronics company Humane.   \r\nhttps://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black\r\nPage 1 of 6\n\nScreenshot of the voicemail-themed email lure.  \r\nScreenshot of the malicious Word document. \r\nThe document used macros to create a script in the Windows temporary directory, for example\r\n\"%TEMP%/radD7A21.tmp\", using the contents of CustomDocumentProperties SpecialProps, SpecialProps1,\r\nSpecialProps2 and SpecialProps3. The macro then executed the dropped file using \"wscript\".  \r\nInside the dropped temporary file was a PowerShell command that downloads and executes the next stage from a\r\nremote server, stored in file “update_ver”: \r\nThe next stage was another PowerShell command which in turn downloaded and ran the Bumblebee DLL. 
\r\nThe Bumblebee configuration included:\r\n        Campaign ID: dcc3\r\n        RC4 Key: NEW_BLACK\r\nIt is notable that the actor is using VBA macro-enabled documents in the attack chain, as most cybercriminal threat actors have nearly stopped using them, especially those delivering payloads that can act as initial access facilitators for follow-on ransomware activity. In 2022, Microsoft began blocking macros by default in Office files downloaded from the internet, causing a massive shift in the landscape to attack chains that began using more unusual filetypes, vulnerability exploitation, combining URLs and attachments, chaining scripting files, and much more.\r\nAnother noteworthy feature of this campaign is that the attack chain is significantly different from previously observed Bumblebee campaigns. Examples used in prior campaigns that distributed Bumblebee with the “NEW_BLACK” configuration included:\r\n- Emails that contained URLs leading to the download of a DLL which, if executed, started Bumblebee.\r\n- Emails with HTML attachments that leveraged HTML smuggling to drop a RAR file. If executed, it exploited the WinRAR vulnerability CVE-2023-38831 to install Bumblebee.\r\n- Emails with zipped, password-protected VBS attachments which, if executed, used PowerShell to download and execute Bumblebee.\r\n- Emails that contained zipped LNK files to download an executable file. If executed, the .exe started Bumblebee.\r\nOut of the nearly 230 Bumblebee campaigns identified since March 2022, only five used any macro-laden content; four campaigns used XL4 macros, and one used VBA macros.\r\nAttribution\r\nAt this time Proofpoint does not attribute the activity to a tracked threat actor. The voicemail lure theme, use of OneDrive URLs, and sender address appear to align with previous TA579 activities.
Proofpoint will continue to investigate and may attribute this activity to a known threat actor in the future.\r\nProofpoint assesses with high confidence that the Bumblebee loader can be used as an initial access facilitator to deliver follow-on payloads such as ransomware.\r\nWhy it matters\r\nBumblebee’s return to the threat landscape aligns with a surge of cybercriminal threat activity after a notable absence of many threat actors and malware.\r\nRecently, two threat actors—tax-themed actor TA576 and the sophisticated TA866—appeared once again in email campaign data after months-long gaps in activity. Post-exploitation operator TA582 and aviation and aerospace targeting ecrime actor TA2541 both reappeared in the threat landscape in late January after being absent since the end of November. Additionally, DarkGate malware reappeared in email campaigns delivered by TA571 with a new malware update (and a new version “6.1.6”) after being absent in the landscape since November. Finally, major ecrime actors TA577, TA544, and TA558 all returned to the landscape at the end of January after nearly a month-long absence from mid-December. Notably, TA577 returned to deliver Qbot malware, which the actor had not used since the botnet’s disruption in August. Analysis of the reappearance of other malware to email threat data after notable breaks including Pikabot and Latrodectus is ongoing.\r\n2024 has started off with a bang for cybercriminal threat actors, with activity returning to very high levels after a temporary winter lull. Proofpoint researchers continue to observe new, creative attack chains, attempts to bypass detections, and updated malware from many threat actors and unattributed threat clusters. Researchers are expecting this high operational tempo to continue until the anticipated summer threat actor breaks.
\r\nExample Emerging Threats signatures\r\n2047946 - ET MALWARE Win32/Bumblebee Loader Checkin Activity\r\nIndicators of compromise\r\nIndicator | Description | First observed\r\nhxxps[:]//1drv[.]ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA?e=djPGy | Example URL in email | 2024-02-08\r\nhxxps[:]//1drv[.]ms/w/s!AuSuRB5deTxugQ-83_HzIqbBWuE1?e=9f2plW | Example URL in email | 2024-02-08\r\n0cef17ba672793d8e32216240706cf46e3a2894d0e558906a1782405a8f4decf | SHA256 of example Word document downloaded from OneDrive | 2024-02-08\r\n86a7da7c7ed5b915080ad5eaa0fdb810f7e91aa3e86034cbab13c59d3c581c0e | SHA256 of example Word document downloaded from OneDrive | 2024-02-08\r\n2bc95ede5c16f9be01d91e0d7b0231d3c75384c37bfd970d57caca1e2bbe730f | SHA256 of dropped script (written by the Word macro) in %TEMP% folder | 2024-02-08\r\nhxxp[:]//213[.]139.205.131/update_ver | URL used by script in %TEMP% folder to download next stage | 2024-02-08\r\nhxxp[:]//213[.]139.205.131/w_ver.dat | URL used by second stage PowerShell to download Bumblebee DLL | 2024-02-08\r\nc34e5d36bd3a9a6fca92e900ab015aa50bb20d2cd6c0b6e03d070efe09ee689a | SHA256 of file “w_ver.dll” (Bumblebee) | 2024-02-08\r\nq905hr35[.]life | Active Bumblebee C2 domain on Feb 8 | 2024-02-08\r\n49.13.76[.]144:443 | Active Bumblebee C2 IP on Feb 8 | 2024-02-08\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black"
	],
	"report_names": [
		"bumblebee-buzzes-back-black"
	],
	"threat_actors": [
		{
			"id": "316b23b5-e097-4dc6-8b1c-d096860c6c16",
			"created_at": "2022-10-25T16:07:24.290801Z",
			"updated_at": "2026-04-10T02:00:04.924688Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "ETDA:TA558",
			"tools": [
				"AZORult",
				"AsyncRAT",
				"Bladabindi",
				"ExtRat",
				"Jorik",
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Nymeria",
				"PuffStealer",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Rultazo",
				"Socmer",
				"Vengeance Justice Worm",
				"Vjw0rm",
				"Xtreme RAT",
				"XtremeRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99468ac6-ccfd-4cd8-b726-791600e61431",
			"created_at": "2023-11-01T02:01:06.647272Z",
			"updated_at": "2026-04-10T02:00:05.313262Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [
				"TA2541"
			],
			"source_name": "MITRE:TA2541",
			"tools": [
				"Snip3",
				"Revenge RAT",
				"jRAT",
				"WarzoneRAT",
				"Imminent Monitor",
				"AsyncRAT",
				"NETWIRE",
				"Agent Tesla",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "97dc332f-2241-4755-ae33-54e5eff3990a",
			"created_at": "2023-01-06T13:46:39.307201Z",
			"updated_at": "2026-04-10T02:00:03.282272Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2541",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1f87ac52-682a-4bc7-b7ce-fac8d79815fa",
			"created_at": "2023-01-06T13:46:39.373008Z",
			"updated_at": "2026-04-10T02:00:03.305899Z",
			"deleted_at": null,
			"main_name": "TA579",
			"aliases": [],
			"source_name": "MISPGALAXY:TA579",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7183913d-9a43-4362-96e1-9af522b6ab84",
			"created_at": "2024-06-19T02:00:04.377344Z",
			"updated_at": "2026-04-10T02:00:03.653777Z",
			"deleted_at": null,
			"main_name": "TA571",
			"aliases": [],
			"source_name": "MISPGALAXY:TA571",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf91b389-9602-45c0-8d6b-c61d14800f54",
			"created_at": "2023-01-06T13:46:39.448277Z",
			"updated_at": "2026-04-10T02:00:03.332604Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "MISPGALAXY:TA558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "878ce40c-9fbc-4cff-a5c4-771086979fa7",
			"created_at": "2022-10-25T16:07:24.264056Z",
			"updated_at": "2026-04-10T02:00:04.915395Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "ETDA:TA2541",
			"tools": [
				"AVE_MARIA",
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"AsyncRAT",
				"Ave Maria",
				"AveMariaRAT",
				"DarkRAT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Iniduoh",
				"Jenxcus",
				"Kognito",
				"Luminosity RAT",
				"LuminosityLink",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Njw0rm",
				"Origin Logger",
				"Parallax",
				"Parallax RAT",
				"ParallaxRAT",
				"Recam",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"WSHRAT",
				"ZPAQ",
				"avemaria",
				"dinihou",
				"dunihi"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "59d91b6f-bccf-4ae4-a14c-028b198848b6",
			"created_at": "2023-03-10T02:01:52.119563Z",
			"updated_at": "2026-04-10T02:00:03.36177Z",
			"deleted_at": null,
			"main_name": "TA866",
			"aliases": [],
			"source_name": "MISPGALAXY:TA866",
			"tools": [
				"Screenshotter",
				"AHK Bot",
				"WasabiSeed"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434623,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e8fd95b64cf80a5bdd2fce8aa078ab5ca8a47198.pdf",
		"text": "https://archive.orkl.eu/e8fd95b64cf80a5bdd2fce8aa078ab5ca8a47198.txt",
		"img": "https://archive.orkl.eu/e8fd95b64cf80a5bdd2fce8aa078ab5ca8a47198.jpg"
	}
}