Security Experts:

Connect with us

Hi, what are you looking for?



New ‘Bumblebee’ Malware Loader Used by Several Cybercrime Groups

Cybersecurity companies have analyzed “Bumblebee,” a relatively new custom malware downloader that appears to have been used by several cybercrime groups.

Cybersecurity companies have analyzed “Bumblebee,” a relatively new custom malware downloader that appears to have been used by several cybercrime groups.

Written in C++, Bumblebee is mostly condensed in a single function responsible for initialization, handling of responses, and sending requests. At the moment, the downloader’s configuration is stored in plaintext, but its developers may start employing obfuscation in the future.

Once executed on a victim machine, the threat collects information about the system and then starts communicating with the command and control (C&C) server. Based on the amount of time it takes for Bumblebee to receive jobs to execute, payloads are likely manually deployed.

Bumblebee also packs anti-VM and anti-sandbox checks, and, in the latest version, a randomized sleep interval was added, along with an encryption layer to the network communications.

In a report on Friday, the NCC group noted that the threat’s backend is written in Golang, and that the malware’s operators “did not implement a command to update the loader’s binary, resulting the loss of existing infections.”

In a March 2022 report, Google mentioned the use of the Bumblebee custom downloader in some attacks associated with Exotic Lily, an initial access broker involved in data exfiltration operations that typically led to the deployment of ransomware families such as Conti and Diavol.

On Thursday, Proofpoint published a technical report on the malware downloader, reiterating Google’s findings and also saying that Bumblebee has been used to deploy malware such as Cobalt Strike and Meterpreter, along with Sliver and other payloads.

However, the cybersecurity firm also pointed out that at least three different threat actors appear to have been using Bumblebee in campaigns, and that they have employed different techniques for delivery, including emails carrying ISO or HTML files as attachments or emails generated by contact forms.

In April, Proofpoint observed a thread-hijacking campaign in which Bumblebee was deployed via emails that appeared to be replies to legitimate messages, and which carried zipped ISO attachments.

At least one of the observed campaigns, Proofpoint says, can be attributed to TA578, a threat actor that was previously seen distributing malware such as BazaLoader, Buer Loader, Cobalt Strike, IcedID, KPOT Stealer, and Ursnif.

“Proofpoint assesses with moderate confidence the actors using Bumblebee may be considered initial access facilitators, that is, independent cybercriminal groups that infiltrate major targets and then sell access to follow-on ransomware actors,” the cybersecurity firm notes.

Related: North Korean Group Kimsuky Targets Government Agencies With New Malware

Related: Hamas-Linked Hackers Using Sexy ‘Catfish’ Lures, New Malware

Related: North Korean Hackers Targeting IT Supply Chain: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...