Researchers discovered a new malware loader dubbed Bumblebee

Cybersecurity Malware Loader Bumblebee BazarLoader Backdoor Threat Actors Cyberthreat

A newly discovered malware loader, called Bumblebee, has been identified by cybersecurity researchers as being utilised by roughly three separate threat groups connected with ransomware operations.

Experts assumed that the Bumblebee was created by its operators to become a substitute for the BazarLoader backdoor. They also claimed that there is a high possibility that the Conti ransomware group developed it.

Coincidentally, the BazarLoader was not noticed or monitored by researchers for the past months, and the Bumblebee loader emerged. Others further proved this coincidence to be on purpose since most threat groups commonly use the BazarLoader Backdoor in their attacks have shifted to the Bumblebee loader.

Malicious threat groups are utilising several techniques to distribute the Bumblebee loader. However, their attacks use ISO files that consist of shortcut files and DLLs. However, their file naming, baits, and distribution methods are different.


Researchers shared some initial observations for the Bumblebee loader.


Based on the initial analysis, Bumblebee malware is an active development and contains complicated evasion techniques against security detections. It also uses an injection to start the shellcode once it gathers commands from its command-and-control server.

Furthermore, the sophisticated downloader includes anti-virtualisation checks and a novel execution of standard downloader features.

Researchers also noted that the new loader deploys Cobalt Strike, Meterpreter, Silver, and Shellcode.

The inclusion of Bumblebee in newly discovered loaders and its usage by multiple threat groups implies a sudden shift in the cybercriminal world. However, the researchers are extremely optimistic since they can analyse this new loader, which can discover some data of ransomware actors that utilise it.

Experts also noticed that the sudden leakage of Conti files had started the downfall of BazarLoader. Still, it appears to be rebranded into the Bumblebee since the files shown on its infrastructure are similar.

Last month, the latest version of the malware had significant updates. It now supports several command-and-control servers through a comma-delimited list. It also contained an encryption layer over network communications and sleep intervals with randomised values.

The sophisticated malware downloader, Bumblebee, is still being constantly tweaked and upgraded by its developers. It has quickly become a multifunctional tool utilised by numerous threat groups that previously used BazarLoader.

The appearance of this malware indicates the capability of threat actors to move from one threat landscape to another by adopting new threats.

About the author

Leave a Reply