Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)

Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) | Attack Pattern | 1 |
| Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | 1 |
| Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 1 |
| Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) | Attack Pattern | 1 |
| Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) | Attack Pattern | 1 |
| Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) | Attack Pattern | 1 |
| Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | 1 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 1 |
| Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) | Attack Pattern | 1 |
| System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) | Attack Pattern | Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | 1 |
| Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) | Attack Pattern | 1 |
| Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44) | Malware | Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | 1 |
| Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | 2 |
| Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) | Attack Pattern | Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) | Attack Pattern | 2 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | 2 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 2 |
| Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) | Attack Pattern | 2 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) | Attack Pattern | 2 |
| Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) | Attack Pattern | 2 |
| Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) | Attack Pattern | Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | 2 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2 |
| Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 2 |
| Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2 |
| Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 2 |
| Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) | Attack Pattern | Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) | Attack Pattern | 2 |
| Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) | Attack Pattern | Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) | Attack Pattern | 2 |
| Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) | Attack Pattern | System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) | Attack Pattern | 2 |
| User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) | Attack Pattern | 2 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |