| SYMBOL | COMMON_NAME | aka. SYNONYMS |
EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group has been obeserved exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation lead researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEEBEE and BAZARLOADER, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.
| 2024-10-18
⋅
Netskope
⋅
New Bumblebee Loader Infection Chain Signals Possible Resurgence BumbleBee |
| 2024-05-30
⋅
Europol
⋅
Largest ever operation against botnets hits dropper malware ecosystem BumbleBee IcedID SmokeLoader SystemBC TrickBot |
| 2024-02-13
⋅
Proofpoint
⋅
Bumblebee Buzzes Back in Black BumbleBee |
| 2023-10-04
⋅
Twitter (@Intrisec)
⋅
Tweet about new Bumblebee campaign leveraging CVE-2023-38831 BumbleBee |
| 2023-09-15
⋅
Johannes Bader's Blog
⋅
The DGA of BumbleBee BumbleBee |
| 2023-09-11
⋅
Twitter (@Artilllerie)
⋅
Tweet on BumbleBee sample containing a DGA BumbleBee |
| 2023-09-07
⋅
Twitter (@Intrisec)
⋅
Tweets on Bumblebee campaign spreading via Html smuggling downloading RAR archive with European Central Bank PDF lure and folder containing Bumblebee EXE payload. BumbleBee |
| 2023-09-01
⋅
VMRay
⋅
Understanding BumbleBee: BumbleBee’s malware configuration and clusters BumbleBee |
| 2023-08-18
⋅
VMRay
⋅
Understanding BumbleBee: The malicious behavior of BumbleBee BumbleBee |
| 2023-08-09
⋅
VMRay
⋅
Understanding BumbleBee: The delivery of Bumblee BumbleBee |
| 2023-07-11
⋅
Spamhaus
⋅
Spamhaus Botnet Threat Update Q2 2023 Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee |
| 2023-06-22
⋅
DeepInstinct
⋅
PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID PindOS BumbleBee PhotoLoader |
| 2023-06-08
⋅
VMRay
⋅
Busy Bees - The Transformation of BumbleBee BumbleBee Cobalt Strike Conti Meterpreter Sliver |
| 2023-04-20
⋅
Secureworks
⋅
Bumblebee Malware Distributed Via Trojanized Installer Downloads BumbleBee Cobalt Strike |
| 2023-04-18
⋅
Twitter (@threatinsight)
⋅
Tweet on TA581 using Keitaro TDS URL to download a .MSI file to deliver BumbleBee malware BumbleBee |
| 2023-04-16
⋅
Botconf
⋅
Tracking Bumblebee’s Development BumbleBee |
| 2023-04-16
⋅
YouTube (botconf eu)
⋅
Tracking Bumblebee’s Development BumbleBee |
| 2023-04-12
⋅
Spamhaus
⋅
Spamhaus Botnet Threat Update Q1 2023 FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar |
| 2023-04-11
⋅
SEC Consult
⋅
BumbleBee hunting with a Velociraptor BumbleBee |
| 2023-03-29
⋅
Krakz
⋅
BumbleBee notes BumbleBee |
| 2023-03-28
⋅
Cerbero
⋅
Reversing Complex PowerShell Malware BumbleBee |
| 2023-03-04
⋅
0xToxin Labs
⋅
Bumblebee DocuSign Campaign BumbleBee |
| 2023-02-03
⋅
Mandiant
⋅
Float Like a Butterfly Sting Like a Bee BazarBackdoor BumbleBee Cobalt Strike |
| 2023-01-19
⋅
Cisco
⋅
Following the LNK metadata trail BumbleBee PhotoLoader QakBot |
| 2023-01-09
⋅
Intrinsec
⋅
Emotet returns and deploys loaders BumbleBee Emotet IcedID PHOTOLITE |
| 2022-11-16
⋅
Proofpoint
⋅
A Comprehensive Look at Emotet Virus’ Fall 2022 Return BumbleBee Emotet PHOTOLITE |
| 2022-11-10
⋅
Intezer
⋅
How LNK Files Are Abused by Threat Actors BumbleBee Emotet Mount Locker QakBot |
| 2022-10-27
⋅
Microsoft
⋅
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity FAKEUPDATES BumbleBee Clop Fauppod Raspberry Robin Roshtyak Silence DEV-0950 Mustard Tempest |
| 2022-10-27
⋅
Microsoft
⋅
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity FAKEUPDATES BumbleBee Fauppod PhotoLoader Raspberry Robin Roshtyak |
| 2022-10-13
⋅
Spamhaus
⋅
Spamhaus Botnet Threat Update Q3 2022 FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm |
| 2022-10-06
⋅
Twitter (@ESETresearch)
⋅
Tweet on Bumblebee being modularized like trickbot BumbleBee |
| 2022-10-03
⋅
Check Point
⋅
Bumblebee: increasing its capacity and evolving its TTPs BumbleBee Cobalt Strike Meterpreter Sliver Vidar |
| 2022-09-26
⋅
The DFIR Report
⋅
BumbleBee: Round Two BumbleBee Cobalt Strike Meterpreter |
| 2022-09-07
⋅
cyble
⋅
Bumblebee Returns With New Infection Technique BumbleBee Cobalt Strike |
| 2022-09-05
⋅
Infinitum IT
⋅
Bumblebee Loader Malware Analysis BumbleBee |
| 2022-08-24
⋅
Microsoft
⋅
Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks BumbleBee Sliver |
| 2022-08-24
⋅
Deep instinct
⋅
The Dark Side of Bumblebee Malware Loader BumbleBee |
| 2022-08-18
⋅
IBM
⋅
From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers BumbleBee Karius Ramnit TrickBot Vawtrak |
| 2022-08-17
⋅
Cybereason
⋅
Bumblebee Loader – The High Road to Enterprise Domain Control BumbleBee Cobalt Strike |
| 2022-08-10
⋅
⋅
Weixin
⋅
Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe BumbleBee Cobalt Strike |
| 2022-08-08
⋅
The DFIR Report
⋅
BumbleBee Roasts Its Way to Domain Admin BumbleBee Cobalt Strike |
| 2022-08-04
⋅
Cloudsek
⋅
Technical Analysis of Bumblebee Malware Loader BumbleBee |
| 2022-08-03
⋅
Palo Alto Networks Unit 42
⋅
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware BazarBackdoor BumbleBee Cobalt Strike Conti |
| 2022-07-17
⋅
Resecurity
⋅
Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise AsyncRAT BumbleBee Emotet IcedID QakBot |
| 2022-07-07
⋅
IBM
⋅
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter |
| 2022-07-07
⋅
Fortinet
⋅
Notable Droppers Emerge in Recent Threat Campaigns BumbleBee Emotet PhotoLoader QakBot |
| 2022-06-28
⋅
Symantec
⋅
Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem BumbleBee |
| 2022-06-14
⋅
RiskIQ
⋅
RiskIQ: Identifying BumbleBee Command and Control Servers BumbleBee |
| 2022-06-13
⋅
Sekoia
⋅
BumbleBee: a new trendy loader for Initial Access Brokers BumbleBee |
| 2022-06-07
⋅
cyble
⋅
Bumblebee Loader on The Rise BumbleBee Cobalt Strike |
| 2022-05-25
⋅
Logpoint
⋅
Buzz of the Bumblebee – A new malicious loader BumbleBee |
| 2022-05-25
⋅
Team Cymru
⋅
Bablosoft; Lowering the Barrier of Entry for Malicious Actors BlackGuard BumbleBee RedLine Stealer |
| 2022-05-19
⋅
InfoSec Handlers Diary Blog
⋅
Bumblebee Malware from TransferXL URLs BumbleBee Cobalt Strike |
| 2022-05-19
⋅
InfoSec Handlers Diary Blog
⋅
Bumblebee Malware from TransferXL URLs BumbleBee Cobalt Strike |
| 2022-05-12
⋅
OALabs
⋅
Taking a look at Bumblebee loader BumbleBee |
| 2022-05-12
⋅
Intel 471
⋅
What malware to look for if you want to prevent a ransomware attack Conti BumbleBee Cobalt Strike IcedID Sliver |
| 2022-05-11
⋅
SANS ISC
⋅
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware BumbleBee |
| 2022-05-11
⋅
InfoSec Handlers Diary Blog
⋅
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware BumbleBee Cobalt Strike IcedID PhotoLoader |
| 2022-05-08
⋅
Threat hunting with hints of incident response
⋅
Bzz.. Bzz.. Bumblebee loader BumbleBee |
| 2022-04-29
⋅
NCC Group
⋅
Adventures in the land of BumbleBee – a new malicious loader BazarBackdoor BumbleBee Conti |
| 2022-04-28
⋅
Proofpoint
⋅
This isn't Optimus Prime's Bumblebee but it's Still Transforming BumbleBee TA578 TA579 |
| 2022-04-28
⋅
Bleeping Computer
⋅
New Bumblebee malware replaces Conti's BazarLoader in cyberattacks BumbleBee |
| 2022-04-27
⋅
Medium elis531989
⋅
The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection BumbleBee TrickBot |
| 2022-04-14
⋅
Cynet
⋅
Orion Threat Alert: Flight of the BumbleBee BumbleBee Cobalt Strike |
| 2022-03-17
⋅
Google
⋅
Exposing initial access broker with ties to Conti BazarBackdoor BumbleBee Conti EXOTIC LILY |
| 2022-03-17
⋅
Google
⋅
Exposing initial access broker with ties to Conti BazarBackdoor BumbleBee Cobalt Strike Conti |
| 2022-01-01
⋅
aspirets
⋅
Bumblebee Malware Loader: Threat Analysis BumbleBee |
| 2021-09-15
⋅
Microsoft
⋅
Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability EXOTIC LILY |
| 2021-09-10
⋅
Gigamon
⋅
Rendering Threats: A Network Perspective BumbleBee Cobalt Strike |
| 2021-09-09
⋅
Trend Micro
⋅
Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs BumbleBee Cobalt Strike |