Bumblebee
BumbleBee is a Windows malware loader/downloader used to establish initial access and deliver additional payloads, including malware that can lead to ransomware deployment. The content describes it as a custom loader typically delivered through MSI and ISO file types, and also distributed via LNK files. Observed delivery chains include ISO attachments containing malicious shortcut files and DLLs, and MSI installers that unpack embedded files and abuse DLL sideloading/search-order hijacking for execution. One analyzed MSI sample used the legitimate Microsoft-signed binary icardagt.exe to load a malicious DLL renamed to version.dll, with export forwarding used to proxy the legitimate version.dll.
The malware employs multiple execution and evasion techniques. Reported behaviors include DLL sideloading/proxy forwarding, anti-analysis logic, possible VM detection via the WMI query "Select * From Win32_ComputerSystemProduct", and APC-based injection. Its injection module reportedly resolves NtQueueApcThread dynamically at runtime and uses it to inject a payload DLL into target processes; BumbleBee is also cited as a modern loader using Early Bird APC techniques. The content further notes that BumbleBee can identify the username on an infected system.
One reverse-engineered sample implemented a deterministic domain generation algorithm (DGA) that produced 100 command-and-control domains per seed: 11-character second-level labels under the .life TLD, matching the pattern [a-z0-9]{11}.life. That sample used the seed value "TEST_SEE". Another analyzed sample contacted a C2 server at the defanged address hxxp://19ak90ckxyjxc.life.
BumbleBee has been spread through compromised open source tools and was heavily associated with email-driven initial access tradecraft shifts after Microsoft macro blocking, particularly increased use of ISO and LNK files from 2022 onward. The malware is referenced alongside other loader ecosystem families such as IcedID, Pikabot, SmokeLoader, Trickbot, and SystemBC.
Law enforcement has repeatedly targeted BumbleBee infrastructure as part of Operation Endgame. The content states that in May 2024 authorities seized around 100 servers belonging to dropper networks including Bumblebee, and later reporting lists Bumblebee among malware families disrupted in broader Endgame actions. The content does not attribute BumbleBee to a specific threat actor with high confidence, but it is clearly positioned within the cybercriminal loader ecosystem.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
9 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Starting in March 2022, Proofpoint observed campaigns delivering a new downloader called Bumblebee. ... Bumblebee's objective is to download and execute additional payloads. Proofpoint researchers observed Bumblebee dropping Cobalt Strike, shellcode, Sliver and Meterpreter.
This investigation resulted in the discovery of two new backdoors called TriFive and Snugy, which we discussed in a prior blog, as well as a new webshell that we call BumbleBee... The actor used the BumbleBee webshell to upload and download files to and from the compromised Exchange server, but more importantly, to run commands that the actor used to discover additional systems and to move laterally to other servers on the network.
“TA580 used it to drop Bumblebee, why don’t we have a VHD chain?”
Microsoft attributes this campaign to Storm-0249... known for distributing, at minimum, BazaLoader, IcedID, Bumblebee, and Emotet malware.
"...a supply chain attack that distributed a trojanized installer to drop the Bumblebee malware loader on users' machines."
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (4 techniques)
Typically, threat actors distributing macro-enabled documents rely on social engineering to convince a recipient the content is important, and enabling macros is necessary to view it.
In April 2022, Proofpoint observed a thread-hijacking campaign delivering emails that appeared to be replies to existing benign email conversations with malicious zipped ISO attachments.
In March 2022, Proofpoint observed a DocuSign-branded email campaign with two alternate paths designed to lead the recipient to the download of a malicious ISO file. The first path began with the recipient clicking on the "REVIEW THE DOCUMENT" hyperlink in the body of the email.
Execution (5 techniques)
The Ins command enables persistence by copying the Bumblebee DLL to a subdirectory of %APPDATA% folder and creating a Visual Basic Script that will load the DLL. A scheduled task is created that invokes the Visual Basic Script via wscript.exe.
Next, BUMBLEBEE copies itself to its new directory and creates a new VBS file with the following content:
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "rundll32.exe my_application_path, IternalJob"
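The following Python is an added hunting example, not code from the page or any vendor quoted on it. It turns the Ins persistence chain described above (scheduled task, wscript.exe running a VBS, rundll32.exe loading a module by export name) into two checks: one over the VBS body using the quoted template, and one over process-creation events. The event fields, sample paths and thresholds are constructed assumptions; it also parses the rundll32.exe ... Attachments.dat,IternalJob command line quoted further down this page.

```python
import re
from pathlib import PureWindowsPath
# Module,Export tail of an (unquoted-path) rundll32 command line.
RUNDLL_TARGET_RE = re.compile(r'([^\s",]+)\s*,\s*([A-Za-z_][\w#@]*)\s*$')
# Launcher shape quoted on the page: objShell.Run "rundll32.exe <path>, <Export>"
VBS_RUN_RE = re.compile(r'\.Run\s+"(rundll32[^"]*)"', re.IGNORECASE)
SAFE_EXTS = {".dll", ".cpl"}

# Constructed (parent image, image, command line) events; not real telemetry.
EVENTS = [
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\u\AppData\Roaming\abcd\run.vbs"'),
    (r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\u\AppData\Roaming\abcd\my_app.dll, IternalJob"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]
# Constructed VBS body following the page's quoted template (hypothetical paths).
SAMPLE_VBS = r'''Set objShell = CreateObject("Wscript.Shell")
objShell.Run "rundll32.exe C:\Users\u\AppData\Roaming\abcd\my_app.dll, IternalJob"'''

def parse_rundll32_target(cmdline):
    """Return (module, export) from a rundll32 command line, or None."""
    m = RUNDLL_TARGET_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None

def rundll32_reasons(parent_image, image, cmdline):
    """Why this event resembles the Ins chain; an empty list means nothing odd."""
    if not image.lower().endswith("rundll32.exe"):
        return []
    target = parse_rundll32_target(cmdline)
    if target is None:
        return []
    module, export = target
    reasons = []
    if parent_image.lower().endswith(("wscript.exe", "cscript.exe")):
        reasons.append("spawned by script host")
    if "\\appdata\\" in module.lower():
        reasons.append("module under %APPDATA%")
    ext = PureWindowsPath(module).suffix.lower()
    if ext not in SAFE_EXTS:
        reasons.append(f"non-DLL module {ext!r} with export {export}")
    return reasons

def vbs_launcher_target(vbs_text):
    """If a VBS uses WScript.Shell to run rundll32, return its (module, export)."""
    if "wscript.shell" not in vbs_text.lower():
        return None
    m = VBS_RUN_RE.search(vbs_text)
    return parse_rundll32_target(m.group(1)) if m else None
```

Quoted module paths containing spaces are not parsed by the tail regex; extend it before running against real command lines.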
Bumblebee’s injection module (dij command for DLL Injection) dynamically resolves NtQueueApcThread at runtime and uses it to inject a payload DLL... While the static import of NtQueueApcThread is flagged by multiple scanners, a runtime GetProcAddress lookup on ntdll.dll is invisible to import-table analysis.
The most notable shift in campaign data is the emergence of LNK files; at least 10 tracked threat actors have begun using LNK files since February 2022. | When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute... When opened, container files may contain additional content such as LNKs, DLLs, or executable (.exe) files that lead to the installation of a malicious payload.
From gathering the file hashes and reviewing OSINT, we can hypothesize that the payload delivery technique uses a DLL sideloading technique known as DLL search order hijacking. This technique abuses the way that the Windows OS loads DLLs by placing a malicious DLL with the same name as a legitimate DLL in the same folder as the application that’s vulnerable to the hijacking technique.
Persistence (3 techniques)
The Ins command enables persistence by copying the Bumblebee DLL to a subdirectory of %APPDATA% folder and creating a Visual Basic Script that will load the DLL. A scheduled task is created that invokes the Visual Basic Script via wscript.exe.
I also identified the sample creating a registry key under: ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\CBE574DD169D4FA4BBA8EB19AF497275’
Privilege Escalation (5 techniques)
The Ins command enables persistence by copying the Bumblebee DLL to a subdirectory of %APPDATA% folder and creating a Visual Basic Script that will load the DLL. A scheduled task is created that invokes the Visual Basic Script via wscript.exe.
Process injection sits at the top of the MITRE ATT&CK heap for the second year running. Picus Labs’ Red Report 2025 found T1055 in roughly 31% of the million-plus malware samples they examined.
Bumblebee’s injection module (dij command for DLL Injection) dynamically resolves NtQueueApcThread at runtime and uses it to inject a payload DLL into a hardcoded list of target process
Attackers spawn a process suspended, queue an APC into its main thread before the AV/EDR’s user-mode hooks have loaded, then resume. The payload runs before the security product begins. | Hence APC injection was formed as a technique: they’d find a process with a thread in an alertable wait and get a handle to it, call VirtualAllocEx and WriteProcessMemory to plant shellcode, and then call QueueUserAPC pointed at the shellcode; the thread would eventually wake up and execute the shellcode.
Stealth (13 techniques)
The more I iterated through this function, the more I thought this may just be junk code, used to distract analysts.
It’s probably worth noting at this point that the DLL is in fact packed and has ASLR enabled, so we want to make sure to disable that before going any further.
While looking through the IAT of our sample I noticed something unusual, calls to certain APIs had an extremely high count, for example ‘AddAtomA’.
From this we confirmed a few things that I previously hypothesized, for example — at runtime, the DLL ‘File_InstallMeDll’ is renamed to version.dll.
Process injection sits at the top of the MITRE ATT&CK heap for the second year running. Picus Labs’ Red Report 2025 found T1055 in roughly 31% of the million-plus malware samples they examined.
Bumblebee’s injection module (dij command for DLL Injection) dynamically resolves NtQueueApcThread at runtime and uses it to inject a payload DLL into a hardcoded list of target process
Attackers spawn a process suspended, queue an APC into its main thread before the AV/EDR’s user-mode hooks have loaded, then resume. The payload runs before the security product begins. | Hence APC injection was formed as a technique: they’d find a process with a thread in an alertable wait and get a handle to it, call VirtualAllocEx and WriteProcessMemory to plant shellcode, and then call QueueUserAPC pointed at the shellcode; the thread would eventually wake up and execute the shellcode.
The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
rundll32.exe "C:\Windows\System32\rundll32.exe" Attachments.dat,IternalJob
Proofpoint researchers noticed that within a month of campaigns, Bumblebee developers added new features to the malware. Specifically, the inclusion of anti-VM and anti-sandbox checks.
We then came across several calls to MultiByteToWideChar, after a number of hits on this breakpoint we observed the string ‘Select * From Win32_ComputerSystemProduct’ — this command line will gather all the information about the current system, and is another possible VM detection/anti analysis technique embedded in the program.
From gathering the file hashes and reviewing OSINT, we can hypothesize that the payload delivery technique uses a DLL sideloading technique known as DLL search order hijacking. This technique abuses the way that the Windows OS loads DLLs by placing a malicious DLL with the same name as a legitimate DLL in the same folder as the application that’s vulnerable to the hijacking technique.
Defense Impairment (1 technique)
I also identified the sample creating a registry key under: ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\CBE574DD169D4FA4BBA8EB19AF497275’
Discovery (5 techniques)
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
At this point, a single instance of Bumblebee is confirmed to be running, and the malware begins gathering system information.
Proofpoint researchers noticed that within a month of campaigns, Bumblebee developers added new features to the malware. Specifically, the inclusion of anti-VM and anti-sandbox checks.
We then came across several calls to MultiByteToWideChar, after a number of hits on this breakpoint we observed the string ‘Select * From Win32_ComputerSystemProduct’ — this command line will gather all the information about the current system, and is another possible VM detection/anti analysis technique embedded in the program.
Collection (1 technique)
Command and Control (5 techniques)
The random number generator is finally used to generate the domain names ... In total, 100 domains are generated.
As SocGholish, StealC, and Amadey are typically used as droppers or loaders during attacks, they are used to establish access as part of a link in a larger attack chain.
In this case, the seed is the current Unix timestamp, likely creating domains that are unpredictable to the attackers and any feasible sinkholing attempts.
The following Tweet by @Artilllerie caught my attention because it mentions a “Possible DGA on .life domains” ... The DGA picks 11 characters based on the generated pseudo random numbers, then tacks on the TLD .life . In total, 100 domains are generated.
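As an added detection example (not code from the page or the researchers quoted above), the following Python applies the reported DGA shape, [a-z0-9]{11}.life with 100 candidates per seed, to constructed DNS log lines and clusters hits per client, since a host walking its candidate list produces many distinct matches rather than one. The log format, the sample query names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Label shape reported for the reverse-engineered sample: 11 x [a-z0-9], TLD .life
DGA_LABEL_RE = re.compile(r"^[a-z0-9]{11}$")
DGA_TLD = "life"

# Constructed sample DNS log, "<time> <client> <qname> <rcode>"; not a real capture.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 0z1y2x3w4v5.life NXDOMAIN
2024-05-01T10:00:01Z 10.0.0.5 abcde12345f.life NXDOMAIN
2024-05-01T10:00:02Z 10.0.0.5 q9w8e7r6t5y.life NOERROR
2024-05-01T10:00:02Z 10.0.0.5 Q9W8E7R6T5Y.life. NOERROR
2024-05-01T10:00:03Z 10.0.0.7 www.example.com NOERROR
2024-05-01T10:00:03Z 10.0.0.7 mysite.life NOERROR
2024-05-01T10:00:04Z 10.0.0.9 zz00zz00zz0.life NXDOMAIN
2024-05-01T10:00:05Z 10.0.0.9 19ak90ckxyjxc.life NOERROR
"""

def normalize(qname):
    """Lower-case and drop the trailing dot so case and FQDN variants collapse."""
    return qname.lower().rstrip(".")

def matches_dga(qname):
    """True only for <11 x [a-z0-9]>.life with no extra labels."""
    labels = normalize(qname).split(".")
    return len(labels) == 2 and labels[1] == DGA_TLD and bool(DGA_LABEL_RE.match(labels[0]))

def parse_dns_log(text):
    """Return (client, normalized qname, rcode) tuples; skips malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _ts, client, qname, rcode = parts
            records.append((client, normalize(qname), rcode))
    return records

def dga_clusters(records, min_distinct=3):
    """{client: sorted distinct DGA names} for clients with >= min_distinct hits.

    A single hit may be a short benign .life name; a DGA walking its 100
    candidates yields many distinct hits (mostly NXDOMAIN) from one host.
    """
    hits = defaultdict(set)
    for client, qname, _rcode in records:
        if matches_dga(qname):
            hits[client].add(qname)
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_distinct}
```

The 13-character C2 domain from the other analyzed sample (19ak90ckxyjxc.life) deliberately does not match, which shows that the label length is per-sample: treat the regex as a tunable input, not a family-wide signature.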
IOCs tracked for this family
234 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
157 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malware loader referenced as part of prior law-enforcement disruption efforts against the dropper/loader ecosystem.
The disruption is the latest phase of Operation Endgame, which previously disrupted other malware families, such as DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader.
Loader malware whose infrastructure was targeted in prior Operation Endgame actions.
Named as one of the dropper networks disrupted during Operation Endgame.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.