Security Experts:

Connect with us

Hi, what are you looking for?



New ‘Bumblebee’ Malware Loader Used by Several Cybercrime Groups

Cybersecurity companies have analyzed “Bumblebee,” a relatively new custom malware downloader that appears to have been used by several cybercrime groups.

Cybersecurity companies have analyzed “Bumblebee,” a relatively new custom malware downloader that appears to have been used by several cybercrime groups.

Written in C++, Bumblebee is mostly condensed in a single function responsible for initialization, handling of responses, and sending requests. At the moment, the downloader’s configuration is stored in plaintext, but its developers may start employing obfuscation in the future.

Once executed on a victim machine, the threat collects information about the system and then starts communicating with the command and control (C&C) server. Based on the amount of time it takes for Bumblebee to receive jobs to execute, payloads are likely manually deployed.

Bumblebee also packs anti-VM and anti-sandbox checks, and, in the latest version, a randomized sleep interval was added, along with an encryption layer to the network communications.

In a report on Friday, the NCC group noted that the threat’s backend is written in Golang, and that the malware’s operators “did not implement a command to update the loader’s binary, resulting the loss of existing infections.”

In a March 2022 report, Google mentioned the use of the Bumblebee custom downloader in some attacks associated with Exotic Lily, an initial access broker involved in data exfiltration operations that typically led to the deployment of ransomware families such as Conti and Diavol.

On Thursday, Proofpoint published a technical report on the malware downloader, reiterating Google’s findings and also saying that Bumblebee has been used to deploy malware such as Cobalt Strike and Meterpreter, along with Sliver and other payloads.

However, the cybersecurity firm also pointed out that at least three different threat actors appear to have been using Bumblebee in campaigns, and that they have employed different techniques for delivery, including emails carrying ISO or HTML files as attachments or emails generated by contact forms.

In April, Proofpoint observed a thread-hijacking campaign in which Bumblebee was deployed via emails that appeared to be replies to legitimate messages, and which carried zipped ISO attachments.

At least one of the observed campaigns, Proofpoint says, can be attributed to TA578, a threat actor that was previously seen distributing malware such as BazaLoader, Buer Loader, Cobalt Strike, IcedID, KPOT Stealer, and Ursnif.

“Proofpoint assesses with moderate confidence the actors using Bumblebee may be considered initial access facilitators, that is, independent cybercriminal groups that infiltrate major targets and then sell access to follow-on ransomware actors,” the cybersecurity firm notes.

Related: North Korean Group Kimsuky Targets Government Agencies With New Malware

Related: Hamas-Linked Hackers Using Sexy ‘Catfish’ Lures, New Malware

Related: North Korean Hackers Targeting IT Supply Chain: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.