SYMBOL | COMMON_NAME | aka. SYNONYMS |
Actor(s): EXOTIC LILY, GOLD CABIN, TA578, TA579
This malware is delivered by an ISO file containing a DLL with a custom loader. Because of the unique user-agent "bumblebee", this malware was dubbed BUMBLEBEE. At the time of analysis by Google's Threat Analysis Group (TAG), BumbleBee was observed to fetch Cobalt Strike payloads.
2024-10-18 ⋅ Netskope ⋅ New Bumblebee Loader Infection Chain Signals Possible Resurgence | BumbleBee
2024-05-30 ⋅ Europol ⋅ Largest ever operation against botnets hits dropper malware ecosystem | BumbleBee, IcedID, SmokeLoader, SystemBC, TrickBot
2024-02-13 ⋅ Proofpoint ⋅ Bumblebee Buzzes Back in Black | BumbleBee
2023-10-04 ⋅ Twitter (@Intrisec) ⋅ Tweet about new Bumblebee campaign leveraging CVE-2023-38831 | BumbleBee
2023-09-15 ⋅ Johannes Bader's Blog ⋅ The DGA of BumbleBee | BumbleBee
2023-09-11 ⋅ Twitter (@Artilllerie) ⋅ Tweet on BumbleBee sample containing a DGA | BumbleBee
2023-09-07 ⋅ Twitter (@Intrisec) ⋅ Tweets on Bumblebee campaign spreading via Html smuggling downloading RAR archive with European Central Bank PDF lure and folder containing Bumblebee EXE payload. | BumbleBee
2023-09-01 ⋅ VMRay ⋅ Understanding BumbleBee: BumbleBee’s malware configuration and clusters | BumbleBee
2023-08-18 ⋅ VMRay ⋅ Understanding BumbleBee: The malicious behavior of BumbleBee | BumbleBee
2023-08-09 ⋅ VMRay ⋅ Understanding BumbleBee: The delivery of Bumblee | BumbleBee
2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Botnet Threat Update Q2 2023 | Hydra, AsyncRAT, Aurora Stealer, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Havoc, IcedID, ISFB, NjRAT, QakBot, Quasar RAT, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Tofsee
2023-06-22 ⋅ DeepInstinct ⋅ PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID | PindOS, BumbleBee, PhotoLoader
2023-06-08 ⋅ VMRay ⋅ Busy Bees - The Transformation of BumbleBee | BumbleBee, Cobalt Strike, Conti, Meterpreter, Sliver
2023-04-20 ⋅ Secureworks ⋅ Bumblebee Malware Distributed Via Trojanized Installer Downloads | BumbleBee, Cobalt Strike
2023-04-18 ⋅ Twitter (@threatinsight) ⋅ Tweet on TA581 using Keitaro TDS URL to download a .MSI file to deliver BumbleBee malware | BumbleBee
2023-04-16 ⋅ Botconf ⋅ Tracking Bumblebee’s Development | BumbleBee
2023-04-16 ⋅ YouTube (botconf eu) ⋅ Tracking Bumblebee’s Development | BumbleBee
2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Botnet Threat Update Q1 2023 | FluBot, Amadey, AsyncRAT, Aurora, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Emotet, IcedID, ISFB, NjRAT, QakBot, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Tofsee, Vidar
2023-04-11 ⋅ SEC Consult ⋅ BumbleBee hunting with a Velociraptor | BumbleBee
2023-03-29 ⋅ Krakz ⋅ BumbleBee notes | BumbleBee
2023-03-28 ⋅ Cerbero ⋅ Reversing Complex PowerShell Malware | BumbleBee
2023-03-04 ⋅ 0xToxin Labs ⋅ Bumblebee DocuSign Campaign | BumbleBee
2023-02-03 ⋅ Mandiant ⋅ Float Like a Butterfly Sting Like a Bee | BazarBackdoor, BumbleBee, Cobalt Strike
2023-01-19 ⋅ Cisco ⋅ Following the LNK metadata trail | BumbleBee, PhotoLoader, QakBot
2023-01-09 ⋅ Intrinsec ⋅ Emotet returns and deploys loaders | BumbleBee, Emotet, IcedID, PHOTOLITE
2022-11-16 ⋅ Proofpoint ⋅ A Comprehensive Look at Emotet Virus’ Fall 2022 Return | BumbleBee, Emotet, PHOTOLITE
2022-11-10 ⋅ Intezer ⋅ How LNK Files Are Abused by Threat Actors | BumbleBee, Emotet, Mount Locker, QakBot
2022-10-27 ⋅ Microsoft ⋅ Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity | FAKEUPDATES, BumbleBee, Clop, Fauppod, Raspberry Robin, Roshtyak, Silence, DEV-0950, Mustard Tempest
2022-10-27 ⋅ Microsoft ⋅ Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity | FAKEUPDATES, BumbleBee, Fauppod, PhotoLoader, Raspberry Robin, Roshtyak
2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Botnet Threat Update Q3 2022 | FluBot, Arkei Stealer, AsyncRAT, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Dridex, Emotet, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, QakBot, RecordBreaker, RedLine Stealer, Remcos, Socelars, Tofsee, Vjw0rm
2022-10-06 ⋅ Twitter (@ESETresearch) ⋅ Tweet on Bumblebee being modularized like trickbot | BumbleBee
2022-10-03 ⋅ Check Point ⋅ Bumblebee: increasing its capacity and evolving its TTPs | BumbleBee, Cobalt Strike, Meterpreter, Sliver, Vidar
2022-09-26 ⋅ The DFIR Report ⋅ BumbleBee: Round Two | BumbleBee, Cobalt Strike, Meterpreter
2022-09-07 ⋅ cyble ⋅ Bumblebee Returns With New Infection Technique | BumbleBee, Cobalt Strike
2022-09-05 ⋅ Infinitum IT ⋅ Bumblebee Loader Malware Analysis | BumbleBee
2022-08-24 ⋅ Microsoft ⋅ Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks | BumbleBee, Sliver
2022-08-24 ⋅ Deep instinct ⋅ The Dark Side of Bumblebee Malware Loader | BumbleBee
2022-08-18 ⋅ IBM ⋅ From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers | BumbleBee, Karius, Ramnit, TrickBot, Vawtrak
2022-08-17 ⋅ Cybereason ⋅ Bumblebee Loader – The High Road to Enterprise Domain Control | BumbleBee, Cobalt Strike
2022-08-10 ⋅ Weixin ⋅ Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe | BumbleBee, Cobalt Strike
2022-08-08 ⋅ The DFIR Report ⋅ BumbleBee Roasts Its Way to Domain Admin | BumbleBee, Cobalt Strike
2022-08-04 ⋅ Cloudsek ⋅ Technical Analysis of Bumblebee Malware Loader | BumbleBee
2022-08-03 ⋅ Palo Alto Networks Unit 42 ⋅ Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware | BazarBackdoor, BumbleBee, Cobalt Strike, Conti
2022-07-17 ⋅ Resecurity ⋅ Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise | AsyncRAT, BumbleBee, Emotet, IcedID, QakBot
2022-07-07 ⋅ Fortinet ⋅ Notable Droppers Emerge in Recent Threat Campaigns | BumbleBee, Emotet, PhotoLoader, QakBot
2022-07-07 ⋅ IBM ⋅ Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine | AnchorMail, BumbleBee, Cobalt Strike, IcedID, Meterpreter
2022-06-28 ⋅ Symantec ⋅ Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem | BumbleBee
2022-06-14 ⋅ RiskIQ ⋅ RiskIQ: Identifying BumbleBee Command and Control Servers | BumbleBee
2022-06-13 ⋅ Sekoia ⋅ BumbleBee: a new trendy loader for Initial Access Brokers | BumbleBee
2022-06-07 ⋅ cyble ⋅ Bumblebee Loader on The Rise | BumbleBee, Cobalt Strike
2022-05-25 ⋅ Team Cymru ⋅ Bablosoft; Lowering the Barrier of Entry for Malicious Actors | BlackGuard, BumbleBee, RedLine Stealer
2022-05-25 ⋅ Logpoint ⋅ Buzz of the Bumblebee – A new malicious loader | BumbleBee
2022-05-19 ⋅ InfoSec Handlers Diary Blog ⋅ Bumblebee Malware from TransferXL URLs | BumbleBee, Cobalt Strike
2022-05-12 ⋅ OALabs ⋅ Taking a look at Bumblebee loader | BumbleBee
2022-05-12 ⋅ Intel 471 ⋅ What malware to look for if you want to prevent a ransomware attack | Conti, BumbleBee, Cobalt Strike, IcedID, Sliver
2022-05-11 ⋅ SANS ISC ⋅ TA578 using thread-hijacked emails to push ISO files for Bumblebee malware | BumbleBee
2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ TA578 using thread-hijacked emails to push ISO files for Bumblebee malware | BumbleBee, Cobalt Strike, IcedID, PhotoLoader
2022-05-08 ⋅ Threat hunting with hints of incident response ⋅ Bzz.. Bzz.. Bumblebee loader | BumbleBee
2022-04-29 ⋅ NCC Group ⋅ Adventures in the land of BumbleBee – a new malicious loader | BazarBackdoor, BumbleBee, Conti
2022-04-28 ⋅ Bleeping Computer ⋅ New Bumblebee malware replaces Conti's BazarLoader in cyberattacks | BumbleBee
2022-04-28 ⋅ Proofpoint ⋅ This isn't Optimus Prime's Bumblebee but it's Still Transforming | BumbleBee, TA578, TA579
2022-04-27 ⋅ Medium elis531989 ⋅ The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection | BumbleBee, TrickBot
2022-04-14 ⋅ Cynet ⋅ Orion Threat Alert: Flight of the BumbleBee | BumbleBee, Cobalt Strike
2022-03-17 ⋅ Google ⋅ Exposing initial access broker with ties to Conti | BazarBackdoor, BumbleBee, Cobalt Strike, Conti
2022-03-17 ⋅ Google ⋅ Exposing initial access broker with ties to Conti | BazarBackdoor, BumbleBee, Conti, EXOTIC LILY
2022-01-01 ⋅ aspirets ⋅ Bumblebee Malware Loader: Threat Analysis | BumbleBee
2021-09-10 ⋅ Gigamon ⋅ Rendering Threats: A Network Perspective | BumbleBee, Cobalt Strike
2021-09-09 ⋅ Trend Micro ⋅ Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs | BumbleBee, Cobalt Strike