Bumblebee Malware Buzzes Back with New Infection Chain
The malicious loader Bumblebee has re-emerged in the wild more than four months after its activities were halted by Europol’s international operation, codenamed “Endgame,” in May of this year.
Bumblebee, according to experts, was developed by the creators of TrickBot and first surfaced in 2022 as a replacement for BazarLoader. This loader grants ransomware groups access to victims’ networks.
The primary methods of Bumblebee’s distribution are phishing, malvertising, and SEO poisoning. Its lures have impersonated applications such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Typical malicious payloads distributed by Bumblebee include Cobalt Strike beacons, data-stealing programs, and various ransomware strains.
In May, during the “Endgame” operation, law enforcement seized over 100 servers supporting the operations of multiple malware loaders, including IcedID, Pikabot, TrickBot, Bumblebee, Smokeloader, and SystemBC. Since then, Bumblebee had remained largely inactive. However, researchers at Netskope recently detected a new wave of attacks involving Bumblebee, indicating its possible resurgence.
The attack chain begins with a phishing email that prompts the recipient to download a ZIP archive. Inside the archive is a shortcut file (.LNK) named “Report-41952.lnk,” which uses PowerShell to download a malicious MSI file disguised as an NVIDIA driver installer or a Midjourney installer.
The MSI file is executed silently using the “msiexec.exe” utility (with the /qn option), so the user sees no installer dialog. To conceal its actions, the malware uses the SelfReg table: the installer self-registers a DLL from the package, which loads that DLL directly into the “msiexec.exe” process and runs its code there.
Upon deployment, Bumblebee loads its payload into memory and initiates the unpacking process. Researchers noted that the new version of the malware uses the string “NEW_BLACK” to decrypt its configuration, and employs two campaign identifiers: “msi” and “lnk001.”
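As an added illustration (not Netskope’s detection logic or any code from the report), the script below scores process-creation events for the msiexec pattern described above: a silent install launched from a script host with a package sitting in a user-writable path. It generalizes slightly from PowerShell to other common script hosts; the event layout and the sample events are constructed, not real telemetry.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "<download elided>"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\nvidia_update.msi /qn"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\7z2301-x64.msi"'},  # interactive, benign
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /V"},  # Windows Installer service instance, benign
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
QUIET_FLAG = re.compile(r"(?<!\S)[/-](?:qn?|quiet)(?!\S)", re.IGNORECASE)   # /q, /qn, /quiet
MSI_PATH = re.compile(r'"?([A-Za-z]:\\[^"\s]+?\.msi)"?', re.IGNORECASE)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")

def basename(path):
    return PureWindowsPath(path).name.lower()

def score_event(ev):
    """Return (score, reasons) for one event; 0 means no msiexec concern."""
    if basename(ev["Image"]) != "msiexec.exe":
        return 0, []
    score, reasons = 0, []
    if QUIET_FLAG.search(ev["CommandLine"]):
        score += 1; reasons.append("quiet install flag suppresses all installer UI")
    if basename(ev["ParentImage"]) in SCRIPT_HOSTS:
        score += 2; reasons.append(f"spawned by script host {basename(ev['ParentImage'])}")
    m = MSI_PATH.search(ev["CommandLine"])
    if m and any(seg in m.group(1).lower() for seg in USER_WRITABLE):
        score += 1; reasons.append(f"package in user-writable path {m.group(1)}")
    return score, reasons

def find_suspicious(events, threshold=3):
    """Indices, scores and reasons of events whose combined signals reach the threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits

if __name__ == "__main__":
    for i, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {i}: score {score}: " + "; ".join(reasons))
```

Only the PowerShell-spawned silent install of a package in a Temp directory reaches the threshold; an interactive install from Downloads and the installer service instance do not.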
Although Netskope has not provided details on the scale of the campaign or the types of payloads delivered, the research highlights early signs of Bumblebee’s potential resurgence. A full list of indicators of compromise is available on GitHub.
The return of Bumblebee serves as a reminder that even after successful operations against cyber threats, vigilance must not wane—new malicious activity can always emerge from the shadows, changing its form but not its intent.