Threat Watch

Cybercriminals Using New Malware Loader Bumblebee in the Wild

Threat actors that have previously been observed delivering BazaLoader and IcedID have recently transitioned to a new loader called Bumblebee. Bumblebee is a highly sophisticated loader that is still under development and is believed to be a direct replacement for BazaLoader.

Current campaigns distributing Bumblebee have used DocuSign-branded email phishing lures incorporating malicious links or HTML attachments as the first stage of the infection. Upon accessing these HTML files or links, a compressed ISO file is downloaded from Microsoft OneDrive or a Google storage host. This ISO file contains an LNK file and either a DLL or DAT file; upon execution of the LNK file, system information is collected and then the associated DLL or DAT file is executed. This DLL or DAT file contains the code for the Bumblebee loader. The Bumblebee code contains various anti-virtualization checks and is used to download and execute next-stage payloads. Next-stage payloads observed so far have included Cobalt Strike, Sliver, Meterpreter, and custom shellcode.

Threat actors observed using Bumblebee have been linked to follow-on ransomware campaigns, including Conti and Diavol. This likely means that the threat actors behind Bumblebee may be initial access facilitators, who infiltrate major targets and then sell access to ransomware actors.

Appropriate email security controls, such as sandboxing and URL analysis, together with proper end-user training, can help prevent malicious emails from being delivered or acted upon. This can help stop many different malware families from successfully executing on a system, as email is by far the most common delivery method used. Proper endpoint security controls and logging can help protect organizations if emails do get through and are opened by end users. The Bumblebee malware exhibits behavior that many EDRs monitor for and prevent when discovered. In cases where an EDR does not stop this activity, detections can be created to monitor and alert upon the behavior. The malware exhibits several unusual behaviors that can be monitored for, including rundll32.exe executing DLL files with abnormal file extensions, cmd.exe executing rundll32.exe, and an LNK shortcut file executing an abnormal process such as rundll32.exe. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
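The three behaviors listed above can be expressed as simple rules over process-creation telemetry. The following is an added example, not code from Binary Defense or from the original article; the field names mirror Sysmon Event ID 1 (Image, CommandLine, ParentImage), the events are constructed samples, and treating explorer.exe directly spawning rundll32.exe as a shortcut launch is a heuristic assumption.

```python
"""Flag Bumblebee-style process behaviours in Sysmon-like process-creation events."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rundll32_module(command_line: str) -> Optional[str]:
    """Return the module path rundll32 was asked to load, or None if absent."""
    # Handles: rundll32.exe "C:\path\file.ext",Export  and  rundll32 file.ext,Export
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+)', command_line, re.I)
    return m.group(1).strip() if m else None


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of the rules this event trips (empty list if none)."""
    hits: List[str] = []
    if _basename(ev.image) != "rundll32.exe":
        return hits
    parent = _basename(ev.parent_image)
    module = rundll32_module(ev.command_line)
    if module and not module.lower().endswith(".dll"):
        hits.append("rundll32_abnormal_extension")   # e.g. a .dat loaded as a DLL
    if parent == "cmd.exe":
        hits.append("cmd_spawns_rundll32")
    if parent == "explorer.exe":                     # heuristic: double-clicked LNK
        hits.append("shortcut_launch_rundll32")
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map the index of each flagged event to its detections."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r'rundll32.exe "D:\docs\documents.dat",EntryPoint', r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32 update.dll,Start", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, rules)
```

The benign shell32.dll event (index 1) trips nothing, which is the baseline any rundll32 rule must tolerate before it is deployed as an alert.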