The notorious Bumblebee malware loader, originally disrupted by Europol in May during “Operation Endgame,” has resurfaced in fresh attack campaigns. More than four months after the international law enforcement effort seized hundreds of servers linked to various malware loaders like IcedID, TrickBot, and Bumblebee, cybersecurity researchers from Netskope have detected new Bumblebee activity.
Developed by TrickBot’s creators, Bumblebee first appeared in 2022 as a successor to the BazarLoader backdoor, providing ransomware operators with access to compromised networks. Known for leveraging phishing emails, malvertising, and SEO poisoning to promote fake software—such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace—the malware has previously delivered dangerous payloads like Cobalt Strike beacons, information-stealers, and ransomware.
In its latest observed attack chain, Bumblebee employs a phishing email to lure users into downloading a ZIP file. This compressed file contains a disguised .LNK shortcut named "Report-41952.lnk," which uses PowerShell to pull a malicious MSI file (y.msi) from a remote server, masquerading as an NVIDIA driver or Midjourney installer. Once downloaded, the MSI file executes silently using msiexec.exe with the /qn option, ensuring stealth. To avoid spawning noisy new processes, Bumblebee leverages the MSI’s SelfReg table to load the malicious DLL within msiexec.exe’s own memory, calling its DllRegisterServer function to execute.
Once loaded, Bumblebee’s unpacking process initiates, injecting the malware into memory and revealing familiar internal DLL structures and configuration extraction methods used in previous versions. In recent attacks, the RC4 decryption key “NEW_BLACK” was observed, alongside campaign IDs "msi" and "lnk001."
Although Netskope has yet to specify the latest payloads Bumblebee may be distributing or the scale of the campaign, these developments hint at a possible resurgence. A comprehensive list of Indicators of Compromise (IoCs) is available on the associated GitHub repository for those seeking further technical details.
