{
	"id": "2f8d2968-c2dd-4aaa-b1c4-16fa79e81848",
	"created_at": "2026-04-06T00:17:21.097361Z",
	"updated_at": "2026-04-10T03:33:15.974838Z",
	"deleted_at": null,
	"sha1_hash": "eb002a1358fbf509e042cb44b589d26785598393",
	"title": "Bumblebee Malware from TransferXL URLs - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3691528,
	"plain_text": "Bumblebee Malware from TransferXL URLs - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 20:39:37 UTC\r\nIntroduction\r\nLast month, Google's Threat Analysis Group (TAG) reported on EXOTIC LILY using file transfer services like\r\nTransferNow, TransferXL, WeTransfer, or OneDrive to distribute malware (link).  Threat researchers like @k3dg3\r\noccasionally report malware samples from this activity.  Based on @k3dg3's recent tweet, I searched through\r\nVirusTotal and found a handful of active TransferXL URLs delivering ISO files for Bumblebee malware.\r\nToday's diary reviews an infection generated from this activity on Wednesday 2022-05-18.\r\nShown above:  Flow chart for infection discussed in this diary.\r\nTransferXL URLs\r\nTransferXL is a legitimate file sharing service.  However, like other services with a cost-free tier, TransferXL has\r\nbeen abused by criminals as a way to distribute malicious files.  However, with TransferXL, we have the benefit\r\nof seeing an email address used to share the malicious file.  The image below shows a malicious TransferXL URL\r\nrecently submitted to VirusTotal.  Viewed in a web browser, it sends a malicious file.  The associated email\r\naddress is jhurris@wolsleyindustrialgroup.com.\r\nhttps://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664\r\nPage 1 of 7\n\nShown above:  Malicious TransferXL URL delivering malware.\r\nThe downloaded zip archive contains an ISO disk image.  When double-clicked, this file is mounted as a DVD\r\ndrive.  The ISO file contains a visible Windows shortcut and a hidden malware DLL for Bumblebee.  
Double-clicking the Windows shortcut will run the hidden malware DLL on a vulnerable Windows host.\r\nShown above:  Downloaded ISO file mounted as a disk image containing Windows shortcut and hidden malware\r\nDLL.\r\nTraffic from an infection\r\nAfter downloading malware from the malicious TransferXL URL, the infected host generated Bumblebee C2\r\ntraffic to 194.135.33[.]144 over TCP port 443.\r\nShown above:  Initial infection activity with Bumblebee C2 traffic filtered in Wireshark.\r\nApproximately 15 minutes after the Bumblebee C2 traffic first appeared, the infected Windows host generated\r\nHTTPS traffic to ec2-3-144-143-232-us-east-2.compute.amazonaws[.]com on 3.144.143[.]242 over TCP port\r\n443.  The infected host sent approximately 5.5 MB of data out and received approximately 4.0 MB of data back\r\nfrom that server.\r\nShown above:  Encrypted (HTTPS) traffic to an amazonAWS server.\r\nApproximately 14 minutes after HTTPS traffic to the amazonAWS server, HTTPS Cobalt Strike traffic appeared\r\non 23.106.215[.]123 over TCP port 443 using xenilik[.]com as the domain.  
It lasted approximately 3 minutes.\r\nShown above:  Traffic from the infection showing Cobalt Strike activity.\r\nIndicators of Compromise (IOCs)\r\nTransferXL URLs associated with the above email returning zip archives containing malicious ISO files.\r\nhxxps://www.transferxl[.]com/download/00ZNPDZqZwZ9m\r\nhxxps://www.transferxl[.]com/download/00jwbtRXtsSsZX\r\nhxxps://www.transferxl[.]com/download/00vJV4K6QVXSq6\r\nhxxps://www.transferxl[.]com/download/00y12VGg75h7K\r\nhxxps://www.transferxl[.]com/download/08j8ZRjHFkVxxc\r\nNOTE: The above URLs usually have ?utm_source=downloadmail\u0026utm_medium=e-mail appended to them.\r\nEmail addresses associated with malicious TransferXL URLs:\r\nandresbolivar@southerncompanygas[.]co\r\njhurris@wolsleyindustrialgroup[.]com\r\nm.jones@wolsleyindustrialgroup[.]com\r\nmjones@wolsleyindustrialgroup[.]co\r\nDomains from the above emails:\r\nsoutherncompanygas[.]co - registered 2022-04-27\r\nwolsleyindustrialgroup[.]com - registered 2022-04-29\r\nwolsleyindustrialgroup[.]co - not registered\r\nMalware from an infected Windows host:\r\nSHA256 hash: 1ec8c7e21090fb4c667f40c8720388a89789c569169fe0e41ec81567df499aac\r\nFile size: 669,897 bytes\r\nFile name: TransferXL-00jdMwft3vVZ7Q.zip\r\nFile description: Zip archive retrieved from TransferXL URL\r\nSHA256 hash: 24aa82e1a085412686af5d178810fc0d056c5b8167ae5b88973b33071aa14569\r\nFile size: 1,052,672 bytes\r\nFile name: documents-2205210.iso\r\nFile description: ISO file extracted from downloaded zip archive\r\nSHA256 hash: ade875616534b755f33f6012ea263da808dd7eb50bc903fc97722f37fac7c164\r\nFile size: 1,191 bytes\r\nFile name: New Folder.lnk\r\nFile description: Windows shortcut contained in ISO file\r\nShortcut: C:\\Windows\\System32\\rundll32.exe spc.dll,JQhnMKwhpA\r\nSHA256 hash: 88c07354f1d7b0485452d5c39dc1a6d73884e163bc5489c40adc6662602b4d76\r\nFile size: 997,888 bytes\r\nFile name: 
spc.dll\r\nFile description: 64-bit DLL (hidden flag set) for Bumblebee malware\r\nRun method: rundll32.exe [filename],JQhnMKwhpA\r\nTraffic from the infected Windows host:\r\n194.135.33[.]144 port 443 - Bumblebee C2 HTTPS traffic\r\n3.144.143[.]242 port 443 - ec2-3-144-143-242.us-east-2.compute.amazonaws[.]com - HTTPS traffic\r\n23.106.215[.]123 port 443 - xenilik[.]com - Cobalt Strike HTTPS traffic\r\nFinal words\r\nAs the Google TAG blog post notes, EXOTIC LILY is using this method to push Bumblebee malware, and\r\nBumblebee leads to further malware like Cobalt Strike.  And Cobalt Strike has been documented by different\r\nsources as leading to ransomware.\r\nToday's diary reviewed a Bumblebee malware infection associated with EXOTIC LILY that led to Cobalt Strike\r\nactivity.\r\nPcap and malware samples associated with this infection are available here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664"
	],
	"report_names": [
		"28664"
	],
	"threat_actors": [
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434641,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb002a1358fbf509e042cb44b589d26785598393.pdf",
		"text": "https://archive.orkl.eu/eb002a1358fbf509e042cb44b589d26785598393.txt",
		"img": "https://archive.orkl.eu/eb002a1358fbf509e042cb44b589d26785598393.jpg"
	}
}