Bumblebee is a sophisticated malware loader first observed in March 2022, primarily used to deliver ransomware, steal credentials, and establish persistent access in corporate networks. Initially linked to the Conti ransomware group, it has become a tool for multiple threat actors, including EXOTIC LILY and Quantum operators.
Overview:
• Type: Multifunctional loader/RAT (Remote Access Trojan)
• Targets: Windows systems, focusing on government agencies, corporations, and NGOs
Evasion Techniques:
• Custom packers and memory-only execution to avoid disk detection
• Anti-virtualization checks to bypass sandbox analysis
• Process hollowing (injects code into legitimate processes like wabmig.exe)
Key Functions:
1. Credential Harvesting:
• Extracts LSASS process memory
• Dumps SAM/SYSTEM/SECURITY registry hives via reg.exe
2. Reconnaissance:
• Uses nltest, ping, net view, and AdFind for network mapping
3. Payload Delivery:
• Deploys Cobalt Strike (58% of cases), Sliver, or Meterpreter
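Detection logic for the hive-dumping and reconnaissance commands listed above, as an added example that is not from the original page or from any vendor's rule set. The sample process-creation events, the rule names, and the parent-image field are constructed assumptions; LSASS memory access is left out because it needs a different event source (process-access telemetry) than command lines.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Users\Public\sam.hiv",
     "parent": r"C:\Windows\System32\wabmig.exe"},
    {"image": r"C:\Windows\System32\nltest.exe",
     "cmdline": r"nltest /dclist:corp.local",
     "parent": r"C:\Windows\System32\wabmig.exe"},
    {"image": r"C:\Users\Public\AdFind.exe",
     "cmdline": r"AdFind.exe -f objectcategory=computer",
     "parent": r"C:\Windows\System32\wabmig.exe"},
    {"image": r"C:\Windows\System32\ping.exe",          # benign: ping alone is too noisy to alert on
     "cmdline": r"ping 10.0.0.1",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\reg.exe",           # benign: reg query, not a hive save
     "cmdline": r"reg query HKCU\Software",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net view /domain",
     "parent": r"C:\Windows\explorer.exe"},
]

# Command-line rules for the techniques the profile names (hypothetical rule names).
RULES = [
    ("hive_dump_via_reg", re.compile(r"\breg(\.exe)?\s+save\s+(HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b", re.I)),
    ("ad_recon_nltest", re.compile(r"\bnltest(\.exe)?\s+/(dclist|domain_trusts|dsgetdc)", re.I)),
    ("ad_recon_adfind", re.compile(r"\badfind(\.exe)?\b", re.I)),
    ("net_recon_netview", re.compile(r"\bnet(\.exe)?\s+view\b", re.I)),
]

# Processes the profile says Bumblebee hollows; a match spawned from one of these is higher confidence.
SUSPICIOUS_PARENTS = {"wabmig.exe"}

def score_event(ev):
    """Return the list of rule names an event triggers, plus a parent tag when relevant."""
    hits = [name for name, rx in RULES if rx.search(ev["cmdline"])]
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    if hits and parent in SUSPICIOUS_PARENTS:
        hits.append("hollowed_parent:" + parent)
    return hits

def triage(events):
    """Map event index -> triggered rules for every event that fired at least one rule."""
    findings = {}
    for i, ev in enumerate(events):
        hits = score_event(ev)
        if hits:
            findings[i] = hits
    return findings
```

Running triage(SAMPLE_EVENTS) flags the hive save, nltest and AdFind events with the hollowed-parent tag and the net view event without it; the ping and reg query events stay silent.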