Threat actors that have previously been observed delivering BazaLoader and IcedID have recently transitioned to a new loader called Bumblebee. Bumblebee is a highly sophisticated loader that is still under development and is believed to be a direct replacement for BazaLoader.
Current campaigns distributing Bumblebee have used DocuSign-branded phishing emails carrying malicious links or HTML attachments as the first stage of the infection. When a recipient opens the HTML file or follows the link, a compressed ISO file is downloaded from Microsoft OneDrive or a Google storage host. The ISO contains an LNK file and either a DLL or a DAT file; when the LNK file is executed, it collects system information and then runs the associated DLL or DAT file, which contains the Bumblebee loader code. The Bumblebee code contains various anti-virtualization checks and is used to download and execute next-stage payloads. Next-stage payloads observed so far include Cobalt Strike, Sliver, Meterpreter, and custom shellcode.
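As an added example (not code from the original report), the following Python triage check targets the delivery pattern described above: it walks the root directory of an ISO 9660 image and flags an LNK file shipped alongside a DLL or DAT file, which is how a mail gateway or sandbox could surface such an attachment before the LNK is ever opened. The image builder and the file names it is fed are constructed for the demonstration; real images would be read from disk.

```python
import struct

SECTOR = 2048  # ISO 9660 logical sector size

def _record(name: bytes, extent: int, size: int, flags: int) -> bytes:
    """One ISO 9660 directory record; numeric fields are stored both-endian."""
    rec = bytearray(b"\x00\x00")  # record length (patched below), ext. attribute length
    rec += b"".join(struct.pack("<I", v) + struct.pack(">I", v) for v in (extent, size))
    rec += bytes(7) + bytes([flags, 0, 0])  # recording time, file flags, unit size, gap
    rec += struct.pack("<H", 1) + struct.pack(">H", 1)  # volume sequence number
    rec += bytes([len(name)]) + name
    rec += b"\x00" * (len(rec) % 2)  # pad so the record has even length
    rec[0] = len(rec)
    return bytes(rec)

def build_sample_iso(filenames):
    """Constructed sample image: one root directory holding the given files."""
    img = bytearray(SECTOR * 20)
    pvd = 16 * SECTOR
    img[pvd:pvd + 7] = b"\x01CD001\x01"  # primary volume descriptor header
    root = _record(b"\x00", 18, SECTOR, 0x02)  # root directory extent is sector 18
    img[pvd + 156:pvd + 156 + len(root)] = root
    pos = 18 * SECTOR
    for rec in [root, _record(b"\x01", 18, SECTOR, 0x02)] + [
            _record(f.encode() + b";1", 19, 16, 0) for f in filenames]:
        img[pos:pos + len(rec)] = rec
        pos += len(rec)
    return bytes(img)

def list_root_files(img: bytes):
    """Return the file names recorded in the image's root directory."""
    pvd = 16 * SECTOR
    if img[pvd + 1:pvd + 6] != b"CD001": raise ValueError("not an ISO 9660 image")
    extent, size = (struct.unpack_from("<I", img, pvd + o)[0] for o in (158, 166))
    pos, end, names = extent * SECTOR, extent * SECTOR + size, []
    while pos < end:
        rec_len = img[pos]
        if rec_len == 0:  # records never span sectors; skip the sector padding
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        ident = img[pos + 33:pos + 33 + img[pos + 32]]
        if ident not in (b"\x00", b"\x01") and not img[pos + 25] & 0x02:
            names.append(ident.decode("ascii", "replace").split(";")[0])
        pos += rec_len
    return names

def matches_lnk_loader_pattern(filenames) -> bool:
    """Flag the LNK plus DLL/DAT pairing the Bumblebee ISO delivery chain uses."""
    exts = {f.rsplit(".", 1)[-1].lower() for f in filenames if "." in f}
    return "lnk" in exts and bool(exts & {"dll", "dat"})
```

The pairing alone is a triage signal, not proof of Bumblebee; it is meant to pull an ISO out of the mail flow for closer inspection alongside the other indicators the report describes.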
Threat actors observed using Bumblebee have been linked to follow-on ransomware campaigns, including Conti and Diavol. This suggests that the threat actors behind Bumblebee may be initial access facilitators, who infiltrate major targets and then sell that access to ransomware operators.