Keypoints
- Bumblebee is a downloader used to gain access to corporate networks and deliver follow-on payloads including Cobalt Strike and ransomware.
- The malware was first identified by the Google Threat Analysis Group in March 2022 and named for its User-Agent string.
- Recent Netskope analysis found a new infection chain that begins with phishing, delivering ZIP files that contain LNK shortcuts.
- LNK files execute PowerShell to fetch MSI installers (e.g., Midjourney.msi), which are then installed silently via msiexec.
- The MSI-based delivery uses the SelfReg table to invoke DllRegisterServer and map the final DLL into msiexec memory, avoiding new process creation and disk writes.
- Bumblebee decrypts its configuration with a hardcoded RC4 key (“NEW_BLACK”), with observed campaign IDs “msi” and “lnk001”; Netskope detections provide coverage for these variants.
MITRE Techniques
- [T1071.001] Initial Access – Phishing emails used to lure victims into downloading malicious files.
- [T1203] Execution – Execution of LNK files to initiate malware download and execution.
- [T1547.001] Persistence – Using MSI files for persistence through installation processes.
- [T1027] Defense Evasion – Using stealthy techniques to avoid detection by not writing payloads to disk.
- [T1003] Credential Access – Configuration extraction using hardcoded keys for decryption.
Indicators of Compromise
- [IP address] Download host used in PowerShell command – 193.242.145.138
- [File names] Initial and installer files observed – Report-41952.lnk, Midjourney.msi (renamed to %appdata%y.msi)
- [Executables] Legitimate Windows tools abused in chain – powershell.exe, msiexec.exe
- [Archive/CAB] MSI payload container – disk1 (CAB file containing the malicious DLL)
- [Configuration strings] Hardcoded decryption key and campaign IDs – “NEW_BLACK” (RC4 key), campaign IDs “msi” and “lnk001”
Bumblebee is a sophisticated downloader that has been used to infiltrate corporate environments and stage follow-on payloads such as Cobalt Strike beacons and ransomware. Originally identified by the Google Threat Analysis Group in March 2022 and named after a User-Agent string, Bumblebee reappeared in Netskope Threat Labs’ telemetry with an infection chain that combines familiar and novel techniques to maximize stealth and effectiveness.
The recent campaigns begin with phishing emails that coax recipients into downloading ZIP archives. Those ZIPs contain LNK shortcut files — for example, a sample named “Report-41952.lnk” — which act as the initial trigger. When a user opens the LNK, it launches a PowerShell command that downloads an MSI installer from a remote host and saves it under a profile path (observed as “%appdata%y.msi”) before invoking msiexec to install it silently. One observed PowerShell download command pointed to 193.242.145.138 and fetched a file named Midjourney.msi; the MSI is executed with msiexec using the /qn option to suppress any user interaction, making the LNK click the only required user action in the chain.
Delivering payloads via MSI is not new, but Bumblebee’s current samples refine the technique to reduce detection opportunities. Many installers abuse MSI CustomAction entries or LOLBins such as rundll32.exe, regsvr32.exe, and powershell.exe to load malicious DLLs, which creates observable child processes and can raise alerts. The analyzed Bumblebee samples instead use the MSI SelfReg table to call the DllRegisterServer export of a DLL embedded in the MSI’s File table (the DLL lived inside a CAB entry named “disk1”). This approach allows the malicious DLL to be loaded into the address space of msiexec without spawning additional helper processes or writing the final payload to disk. Once loaded, the DLL unpacks and executes the Bumblebee payload directly in memory; researchers captured images showing the final payload mapped in msiexec process memory.
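The two preceding paragraphs describe what a defender can actually observe in this chain: powershell.exe launching msiexec.exe with a silent-install flag against an .msi under the user's profile, followed by msiexec loading a DLL itself rather than spawning rundll32/regsvr32. The following is an added detection example written for this summary; it is not Netskope's code or a published rule. The event format (JSON lines with the fields event, pid, ppid, image, parent_image, cmdline, loaded, signed), the sample events, the rule names, and the "msiexec loads an unsigned DLL from outside C:\Windows" heuristic for the SelfReg variant are all assumptions made for illustration.

```python
import json
import re

# Constructed Sysmon-style telemetry (process-create and image-load events as
# JSON lines). These events are invented for the example; they are not real
# records from the Netskope analysis. The first two lines mimic the described
# chain; the last two are a benign installer run for contrast.
SAMPLE_EVENTS = r"""
{"event": "ProcessCreate", "pid": 4242, "ppid": 3120, "image": "C:\\Windows\\System32\\msiexec.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "msiexec /i %appdata%\\installer.msi /qn"}
{"event": "ImageLoad", "pid": 4242, "image": "C:\\Windows\\System32\\msiexec.exe", "loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\MSI4F2A.tmp\\install.dll", "signed": false}
{"event": "ProcessCreate", "pid": 5001, "ppid": 900, "image": "C:\\Windows\\System32\\msiexec.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "msiexec /i C:\\Users\\alice\\Downloads\\vendor-tool.msi"}
{"event": "ImageLoad", "pid": 5001, "image": "C:\\Windows\\System32\\msiexec.exe", "loaded": "C:\\Windows\\System32\\msi.dll", "signed": true}
"""

# Rule names are placeholders chosen for this example.
RULE_SILENT_INSTALL = "powershell-msiexec-silent-install"
RULE_UNSIGNED_LOAD = "msiexec-unsigned-dll-load"


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path: str) -> str:
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_silent_msi_install_from_powershell(ev: dict) -> bool:
    """powershell.exe -> msiexec.exe with /qn or /quiet and an .msi under AppData."""
    if ev.get("event") != "ProcessCreate":
        return False
    if _basename(ev.get("image", "")) != "msiexec.exe":
        return False
    if _basename(ev.get("parent_image", "")) != "powershell.exe":
        return False
    cmd = ev.get("cmdline", "").lower()
    silent = re.search(r"(^|\s)/(qn|quiet)\b", cmd) is not None
    # Matches both an expanded profile path and a literal %appdata% reference.
    user_writable_msi = ".msi" in cmd and "appdata" in cmd
    return silent and user_writable_msi


def is_msiexec_loading_unsigned_dll(ev: dict) -> bool:
    """Assumed heuristic for the SelfReg variant: msiexec.exe itself loads an
    unsigned DLL from outside C:\\Windows (no rundll32/regsvr32 child appears)."""
    if ev.get("event") != "ImageLoad":
        return False
    if _basename(ev.get("image", "")) != "msiexec.exe":
        return False
    loaded = ev.get("loaded", "").lower()
    outside_windows = not loaded.startswith("c:\\windows\\")
    return outside_windows and not ev.get("signed", False)


def detect_msi_chain(events: list) -> list:
    """Run both rules over the events and return one alert per hit."""
    alerts = []
    for ev in events:
        if is_silent_msi_install_from_powershell(ev):
            alerts.append({"rule": RULE_SILENT_INSTALL, "pid": ev["pid"]})
        if is_msiexec_loading_unsigned_dll(ev):
            alerts.append({"rule": RULE_UNSIGNED_LOAD, "pid": ev["pid"]})
    return alerts


def correlate(alerts: list) -> list:
    """PIDs that triggered more than one distinct rule, i.e. the full chain."""
    rules_by_pid = {}
    for a in alerts:
        rules_by_pid.setdefault(a["pid"], set()).add(a["rule"])
    return sorted(pid for pid, rules in rules_by_pid.items() if len(rules) > 1)


if __name__ == "__main__":
    found = detect_msi_chain(parse_events(SAMPLE_EVENTS))
    for alert in found:
        print(alert)
    print("chain seen in pids:", correlate(found))
```

Either rule on its own will produce some noise (scripted software deployment also runs msiexec silently), which is why correlate() only reports a PID when both the silent install and the in-process DLL load are seen on the same msiexec instance; on real telemetry the signed flag would come from the image-load event's signature fields rather than a hand-set boolean.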
The unpacked Bumblebee payload retains familiar markers from prior variants, including internal DLL names and export structures. Configuration data is stored encrypted and decrypted by the malware using a clear-text RC4 key; in the analyzed samples the key string was “NEW_BLACK”, which decoded to configuration values including port 443 and campaign identifiers “msi” and “lnk001”. While this blog does not present a full deep-dive on the payload itself, these findings align with other researchers’ observations and indicate a trend toward more memory-resident, fileless techniques that complicate detection and response.
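Because the configuration is protected only by RC4 with a key stored in clear text, an analyst who has the unpacked payload can recover it with a few lines of code. The block below is an added example for this summary, not Netskope's analysis script and not Bumblebee's actual configuration layout: the RC4 routine is the standard algorithm, the key "NEW_BLACK" is the one named in the text, but the NUL-separated key=value layout, the plausibility check, and the encrypted sample blob are all constructed here for illustration (the blob is produced at import time by encrypting a made-up plaintext, so the example is self-consistent and runs offline).

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Key named in the report; the configuration layout below is an assumption.
RC4_KEY = b"NEW_BLACK"

# Constructed plaintext configuration for the example. The values mirror the
# ones the report mentions (port 443, campaign "msi"); the NUL-separated
# key=value encoding is invented here, not the malware's real format.
_CONSTRUCTED_PLAINTEXT = b"port=443\x00campaign=msi\x00"

# Constructed "encrypted config" produced from the plaintext above, standing in
# for the blob an analyst would carve out of the unpacked payload.
SAMPLE_CONFIG_BLOB = rc4(RC4_KEY, _CONSTRUCTED_PLAINTEXT)


def looks_like_text(data: bytes) -> bool:
    """Plausibility check: printable ASCII plus NUL/CR/LF/TAB only.
    Useful when trying candidate keys, since a wrong RC4 key yields noise."""
    return all(32 <= b < 127 or b in (0, 9, 10, 13) for b in data)


def decrypt_config(blob: bytes, key: bytes = RC4_KEY) -> dict:
    """Decrypt the blob and parse the assumed NUL-separated key=value layout.
    Raises ValueError when the result does not look like a configuration."""
    plain = rc4(key, blob)
    if not looks_like_text(plain):
        raise ValueError("decrypted data is not printable; wrong key or layout")
    config = {}
    for field in plain.split(b"\x00"):
        if not field:
            continue
        name, sep, value = field.partition(b"=")
        if not sep:
            raise ValueError("field without '=': %r" % field)
        config[name.decode("ascii")] = value.decode("ascii")
    return config


if __name__ == "__main__":
    print(decrypt_config(SAMPLE_CONFIG_BLOB))
```

The plausibility check matters more than the cipher: when a new sample ships a different key string, an analyst typically tries each candidate printable string from the binary as the key and keeps the one whose output passes looks_like_text(), so the same helper doubles as a key-recovery loop.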
Netskope notes this is the first Bumblebee campaign observed since Europol’s Operation Endgame in May 2024, which disrupted several major botnets, and the reuse of this infection chain suggests Bumblebee may be resurfacing in the wild. Netskope Advanced Threat Protection provides proactive detections for related samples (e.g., Win32.Trojan.BumblebeeLNK and Win64.Trojan.BumbleBee), and full IOCs and analysis scripts are available in the team’s public repository. The Netskope Threat Labs team will continue monitoring Bumblebee activity and issue follow-ups as further analysis becomes available.
Read more: https://www.netskope.com/blog/new-bumblebee-loader-infection-chain-signals-possible-resurgence