SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bumblebee (Back to overview)

BumbleBee

aka: COLDTRAIN, SHELLSTING, Shindig

Actor(s): EXOTIC LILY, GOLD CABIN, TA578, TA579

VTCollection    

This malware is delivered by an ISO file, with an DLL inside with a custom loader. Because of the unique user-agent "bumblebee" this malware was dubbed BUMBLEBEE. At the time of Analysis by Google's Threat Analysis Group (TAG) BumbleBee was observed to fetch Cobalt Strike Payloads.

References
2025-05-19cyjaxJoe Wrieden
A Sting on Bing: Bumblebee delivered through Bing SEO poisoning campaign
BumbleBee
2024-10-18NetskopeLeandro Froes
New Bumblebee Loader Infection Chain Signals Possible Resurgence
BumbleBee
2024-05-30EuropolEuropol
Largest ever operation against botnets hits dropper malware ecosystem
BumbleBee IcedID SmokeLoader SystemBC TrickBot
2024-02-13ProofpointAxel F, Selena Larson
Bumblebee Buzzes Back in Black
BumbleBee
2023-10-04Twitter (@Intrisec)CTI Intrinsec
Tweet about new Bumblebee campaign leveraging CVE-2023-38831
BumbleBee
2023-09-15Johannes Bader's BlogJohannes Bader
The DGA of BumbleBee
BumbleBee
2023-09-11Twitter (@Artilllerie)@Artilllerie
Tweet on BumbleBee sample containing a DGA
BumbleBee
2023-09-07Twitter (@Intrisec)CTI Intrinsec
Tweets on Bumblebee campaign spreading via Html smuggling downloading RAR archive with European Central Bank PDF lure and folder containing Bumblebee EXE payload.
BumbleBee
2023-09-01VMRayEmre Güler
Understanding BumbleBee: BumbleBee’s malware configuration and clusters
BumbleBee
2023-08-18VMRayEmre Güler
Understanding BumbleBee: The malicious behavior of BumbleBee
BumbleBee
2023-08-09VMRayEmre Güler
Understanding BumbleBee: The delivery of Bumblee
BumbleBee
2023-07-11SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee
2023-06-22DeepInstinctDeep Instinct Threat Lab, Mark Vaitzman, Shaul Vilkomir-Preisman
PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID
PindOS BumbleBee PhotoLoader
2023-06-08VMRayPatrick Staubmann
Busy Bees - The Transformation of BumbleBee
BumbleBee Cobalt Strike Conti Meterpreter Sliver
2023-04-20SecureworksCounter Threat Unit ResearchTeam
Bumblebee Malware Distributed Via Trojanized Installer Downloads
BumbleBee Cobalt Strike
2023-04-18Twitter (@threatinsight)Threat Insight
Tweet on TA581 using Keitaro TDS URL to download a .MSI file to deliver BumbleBee malware
BumbleBee
2023-04-16BotconfSuweera De Souza
Tracking Bumblebee’s Development
BumbleBee
2023-04-16YouTube (botconf eu)Crowdstrike Technical Analysis Cell (TAC), Suweera De Souza
Tracking Bumblebee’s Development
BumbleBee
2023-04-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-04-11SEC ConsultAngelo Violetti
BumbleBee hunting with a Velociraptor
BumbleBee
2023-03-29KrakzPierre Le Bourhis
BumbleBee notes
BumbleBee
2023-03-28CerberoErik Pistelli
Reversing Complex PowerShell Malware
BumbleBee
2023-03-040xToxin Labs@0xToxin
Bumblebee DocuSign Campaign
BumbleBee
2023-02-03MandiantGenevieve Stark, Kimberly Goody
Float Like a Butterfly Sting Like a Bee
BazarBackdoor BumbleBee Cobalt Strike
2023-01-19CiscoGuilherme Venere
Following the LNK metadata trail
BumbleBee PhotoLoader QakBot
2023-01-09IntrinsecCTI Intrinsec, Intrinsec
Emotet returns and deploys loaders
BumbleBee Emotet IcedID PHOTOLITE
2022-11-16ProofpointAxel F, Pim Trouerbach
A Comprehensive Look at Emotet Virus’ Fall 2022 Return
BumbleBee Emotet PHOTOLITE
2022-11-10IntezerNicole Fishbein
How LNK Files Are Abused by Threat Actors
BumbleBee Emotet Mount Locker QakBot
2022-10-27MicrosoftMicrosoft Threat Intelligence
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
FAKEUPDATES BumbleBee Clop Fauppod Raspberry Robin Roshtyak Silence DEV-0950 Mustard Tempest
2022-10-27MicrosoftMicrosoft Security Threat Intelligence
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
FAKEUPDATES BumbleBee Fauppod PhotoLoader Raspberry Robin Roshtyak
2022-10-13SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-10-06Twitter (@ESETresearch)ESET Research
Tweet on Bumblebee being modularized like trickbot
BumbleBee
2022-10-03Check PointMarc Salinas Fernandez
Bumblebee: increasing its capacity and evolving its TTPs
BumbleBee Cobalt Strike Meterpreter Sliver Vidar
2022-09-26The DFIR ReportThe DFIR Report
BumbleBee: Round Two
BumbleBee Cobalt Strike Meterpreter
2022-09-07cybleCyble
Bumblebee Returns With New Infection Technique
BumbleBee Cobalt Strike
2022-09-05Infinitum ITArda Büyükkaya
Bumblebee Loader Malware Analysis
BumbleBee
2022-08-24MicrosoftMicrosoft Security Experts
Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks
BumbleBee Sliver
2022-08-24Deep instinctDeep Instinct Threat Lab
The Dark Side of Bumblebee Malware Loader
BumbleBee
2022-08-18IBMCharlotte Hammond, Ole Villadsen
From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers
BumbleBee Karius Ramnit TrickBot Vawtrak
2022-08-17CybereasonCybereason Global SOC Team
Bumblebee Loader – The High Road to Enterprise Domain Control
BumbleBee Cobalt Strike
2022-08-10WeixinRed Raindrop Team
Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe
BumbleBee Cobalt Strike
2022-08-08The DFIR ReportThe DFIR Report
BumbleBee Roasts Its Way to Domain Admin
BumbleBee Cobalt Strike
2022-08-04CloudsekAastha Mittal, Anandeshwar Unnikrishnan
Technical Analysis of Bumblebee Malware Loader
BumbleBee
2022-08-03Palo Alto Networks Unit 42Brad Duncan
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-07-17ResecurityResecurity
Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise
AsyncRAT BumbleBee Emotet IcedID QakBot
2022-07-07IBMCharlotte Hammond, Kat Weinberger, Ole Villadsen
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter
2022-07-07FortinetErin Lin
Notable Droppers Emerge in Recent Threat Campaigns
BumbleBee Emotet PhotoLoader QakBot
2022-06-28SymantecThreat Hunter Team, Vishal Kamble
Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem
BumbleBee
2022-06-14RiskIQJordan Herman
RiskIQ: Identifying BumbleBee Command and Control Servers
BumbleBee
2022-06-13SekoiaPierre Le Bourhis, Quentin Bourgue, Threat & Detection Research Team
BumbleBee: a new trendy loader for Initial Access Brokers
BumbleBee
2022-06-07cybleCyble
Bumblebee Loader on The Rise
BumbleBee Cobalt Strike
2022-05-25LogpointLogpoint
Buzz of the Bumblebee – A new malicious loader
BumbleBee
2022-05-25Team CymruS2 Research Team
Bablosoft; Lowering the Barrier of Entry for Malicious Actors
BlackGuard BumbleBee RedLine Stealer
2022-05-19InfoSec Handlers Diary BlogBrad Duncan
Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike
2022-05-19InfoSec Handlers Diary BlogBrad Duncan
Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike
2022-05-12Intel 471Intel 471
What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver
2022-05-12OALabsSergei Frankoff
Taking a look at Bumblebee loader
BumbleBee
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-11SANS ISCBrad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee
2022-05-08Threat hunting with hints of incident responseJouni Mikkola
Bzz.. Bzz.. Bumblebee loader
BumbleBee
2022-04-29NCC GroupMike Stokkel, Nikolaos Pantazopoulos, Nikolaos Totosis
Adventures in the land of BumbleBee – a new malicious loader
BazarBackdoor BumbleBee Conti
2022-04-28ProofpointKelsey Merriman, Pim Trouerbach
This isn't Optimus Prime's Bumblebee but it's Still Transforming
BumbleBee TA578 TA579
2022-04-28Bleeping ComputerIonut Ilascu
New Bumblebee malware replaces Conti's BazarLoader in cyberattacks
BumbleBee
2022-04-27Medium elis531989Eli Salem
The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection
BumbleBee TrickBot
2022-04-14CynetMax Malyutin
Orion Threat Alert: Flight of the BumbleBee
BumbleBee Cobalt Strike
2022-03-17GoogleBenoit Sevens, Vladislav Stolyarov
Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Conti EXOTIC LILY
2022-03-17GoogleBenoit Sevens, Google Threat Analysis Group, Vladislav Stolyarov
Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-01-01aspiretsMichael Lamb
Bumblebee Malware Loader: Threat Analysis
BumbleBee
2021-09-10GigamonJoe Slowik
Rendering Threats: A Network Perspective
BumbleBee Cobalt Strike
2021-09-09Trend MicroTrend Micro
Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
BumbleBee Cobalt Strike
Yara Rules
[TLP:WHITE] win_bumblebee_auto (20241030 | Detects win.bumblebee.)
rule win_bumblebee_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.bumblebee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f849b010000 be80030000 488d4c2470 448bc6 }
            // n = 4, score = 3100
            //   0f849b010000         | dec                 eax
            //   be80030000           | cmp                 ecx, 1
            //   488d4c2470           | dec                 eax
            //   448bc6               | mov                 ecx, dword ptr [edx]

        $sequence_1 = { 488b4108 488bd9 4183c9ff 4889442428 }
            // n = 4, score = 3100
            //   488b4108             | lea                 ecx, [0xdfc60]
            //   488bd9               | dec                 eax
            //   4183c9ff             | cmp                 eax, 0x1c
            //   4889442428           | ja                  0x28a

        $sequence_2 = { ff15???????? 90 33c0 488b5c2448 }
            // n = 4, score = 3100
            //   ff15????????         |                     
            //   90                   | lea                 eax, [edx - 0x37]
            //   33c0                 | mov                 dword ptr [esp + 0x20], 0x78
            //   488b5c2448           | dec                 esp

        $sequence_3 = { 4881ec20040000 488b05???????? 4833c4 48898518030000 4c8bf1 }
            // n = 5, score = 3100
            //   4881ec20040000       | mov                 ebp, esp
            //   488b05????????       |                     
            //   4833c4               | dec                 ecx
            //   48898518030000       | add                 ebp, esi
            //   4c8bf1               | inc                 ecx

        $sequence_4 = { b8c0000000 4803fe ba64860000 66395304 8d4810 0f44c1 }
            // n = 6, score = 3100
            //   b8c0000000           | lea                 eax, [0x2280b]
            //   4803fe               | dec                 eax
            //   ba64860000           | mov                 dword ptr [esp + 0x28], eax
            //   66395304             | dec                 eax
            //   8d4810               | mov                 dword ptr [esp + 0x20], ebx
            //   0f44c1               | je                  0x225

        $sequence_5 = { 498bce ffd0 85c0 0f8895000000 8b7b28 b8c0000000 4803fe }
            // n = 7, score = 3100
            //   498bce               | dec                 eax
            //   ffd0                 | mov                 dword ptr [ebp + 0xb10], 0x16
            //   85c0                 | dec                 eax
            //   0f8895000000         | lea                 eax, [0x1a25f4]
            //   8b7b28               | dec                 eax
            //   b8c0000000           | mov                 dword ptr [ebp + 0xb18], eax
            //   4803fe               | dec                 eax

        $sequence_6 = { 488bd8 c744243802000000 488d442450 4889442430 4c8bc6 488d842498000000 488bd5 }
            // n = 7, score = 3100
            //   488bd8               | inc                 ebp
            //   c744243802000000     | xor                 eax, eax
            //   488d442450           | dec                 eax
            //   4889442430           | mov                 esi, edx
            //   4c8bc6               | dec                 esp
            //   488d842498000000     | mov                 esi, ecx
            //   488bd5               | dec                 esp

        $sequence_7 = { 4885d2 7411 4883c208 4883c108 }
            // n = 4, score = 3100
            //   4885d2               | dec                 ecx
            //   7411                 | shr                 ecx, 0x1a
            //   4883c208             | inc                 ebp
            //   4883c108             | mov                 edx, eax

        $sequence_8 = { 48833b00 480f453b 488bcb e8???????? 488bc7 488b8d18030000 4833cc }
            // n = 7, score = 3100
            //   48833b00             | inc                 edx
            //   480f453b             | dec                 eax
            //   488bcb               | sub                 eax, edx
            //   e8????????           |                     
            //   488bc7               | dec                 eax
            //   488b8d18030000       | cmp                 eax, 1
            //   4833cc               | jae                 0x164

        $sequence_9 = { 33db 4d8bf0 4c8bea 48895d48 8bf1 48895dc8 33d2 }
            // n = 7, score = 3100
            //   33db                 | dec                 eax
            //   4d8bf0               | mov                 ecx, edi
            //   4c8bea               | mov                 dword ptr [esp + 0x20], 0xb3
            //   48895d48             | inc                 esp
            //   8bf1                 | mov                 eax, edx
            //   48895dc8             | dec                 esp
            //   33d2                 | lea                 ecx, [0xff460]

    condition:
        7 of them and filesize < 4825088
}
[TLP:WHITE] win_bumblebee_w0   (20220330 | BumbleBee / win.bumblebee)
rule win_bumblebee_w0 {
    meta:
        author = "@AndreGironda"
        description = "BumbleBee / win.bumblebee"
        reference_md5 = "e6a046d1baa7cd2100bdf48102b8a144"
	    date = "March 29, 2022"
	    tlp = "White"

    malpedia_rule_date = "20220330"
    malpedia_hash = ""
	malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee"
	malpedia_version = "20220330"
	malpedia_license = "CC BY-NC-SA 4.0"
	malpedia_sharing = "TLP:WHITE"
    strings:
	$hex_140001d53 = { 48 8b 05 06 44 00 00 41 81 ea 06 28 00 00 49 31 80 48 02 00 00 49 8b 80 c8 00 00 00 48 05 28 01 00 00 48 01 41 08 49 8b }
	$hex_18000927a = { 48 8d 4c 24 50 e8 cc cc ff ff 90 4c 8d 45 b0 48 8d 54 24 50 48 8d 8d 00 01 00 00 e8 26 d3 ff ff 90 48 8b 44 24 68 48 83 f8 10 72 4a 48 ff c0 48 }
    condition:
        any of them
}
Download all Yara Rules