Skip to content

S1039 Bumblebee

Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of “bumblebee” in the user-agent.321

Item Value
ID S1039
Associated Names
Version 1.0
Created 19 August 2022
Last Modified 21 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Bumblebee has the ability to bypass UAC to deploy post exploitation tools with elevated privileges.5
enterprise T1560 Archive Collected Data Bumblebee can compress data stolen from the Registry and volume shadow copies prior to exfiltration.5
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Bumblebee can use PowerShell for execution.4
enterprise T1059.003 Windows Command Shell Bumblebee can use cmd.exe to drop and run files.32
enterprise T1059.005 Visual Basic Bumblebee can create a Visual Basic script to enable persistence.21
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Bumblebee has the ability to base64 encode C2 server responses.2
enterprise T1005 Data from Local System Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies.5
enterprise T1622 Debugger Evasion Bumblebee can search for tools used in static analysis.4
enterprise T1140 Deobfuscate/Decode Files or Information Bumblebee can deobfuscate C2 server responses and unpack its code on targeted hosts.24
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Bumblebee can encrypt C2 requests and responses with RC42
enterprise T1041 Exfiltration Over C2 Channel Bumblebee can send collected data in JSON format to C2.3
enterprise T1008 Fallback Channels Bumblebee can use backup C2 servers if the primary server fails.2
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Bumblebee can uninstall its loader through the use of a Sdl command.2
enterprise T1105 Ingress Tool Transfer Bumblebee can download and execute additional payloads including through the use of a Dex command.321
enterprise T1559 Inter-Process Communication -
enterprise T1559.001 Component Object Model Bumblebee can use a COM object to execute queries to gather system information.2
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Bumblebee has named component DLLs “RapportGP.dll” to match those used by the security company Trusteer.4
enterprise T1106 Native API Bumblebee can use multiple Native APIs.24
enterprise T1027 Obfuscated Files or Information Bumblebee has been delivered as password-protected zipped ISO files and used control-flow-flattening to obfuscate the flow of functions.254
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Bumblebee has gained execution through luring users into opening malicious attachments.2154
enterprise T1566.002 Spearphishing Link Bumblebee has been spread through e-mail campaigns with malicious links.25
enterprise T1057 Process Discovery Bumblebee can identify processes associated with analytical tools.214
enterprise T1055 Process Injection Bumblebee can inject code into multiple processes on infected endpoints.5
enterprise T1055.001 Dynamic-link Library Injection The Bumblebee loader can support the Dij command which gives it the ability to inject DLLs into the memory of other processes.21
enterprise T1055.004 Asynchronous Procedure Call Bumblebee can use asynchronous procedure call (APC) injection to execute commands received from C2.2
enterprise T1012 Query Registry Bumblebee can check the Registry for specific keys.4
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Bumblebee can achieve persistence by copying its DLL to a subdirectory of %APPDATA% and creating a Visual Basic Script that will load the DLL via a scheduled task.21
enterprise T1129 Shared Modules Bumblebee can use LoadLibrary to attempt to execute GdiPlus.dll.4
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Bumblebee can identify specific analytical tools based on running processes.214
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.008 Odbcconf Bumblebee can use odbcconf.exe to run DLLs on targeted hosts.5
enterprise T1218.011 Rundll32 Bumblebee has used rundll32 for execution of the loader component.21
enterprise T1082 System Information Discovery Bumblebee can enumerate the OS version and domain on a targeted system.321
enterprise T1033 System Owner/User Discovery Bumblebee has the ability to identify the user name.3
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Bumblebee has relied upon a user downloading a file from a OneDrive link for execution.25
enterprise T1204.002 Malicious File Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs.2154
enterprise T1497 Virtualization/Sandbox Evasion Bumblebee has the ability to perform anti-virtualization checks.2
enterprise T1497.001 System Checks Bumblebee has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products.4
enterprise T1497.003 Time Based Evasion Bumblebee has the ability to set a hardcoded and randomized sleep interval.2
enterprise T1102 Web Service Bumblebee has been downloaded to victim’s machines from OneDrive.2
enterprise T1047 Windows Management Instrumentation Bumblebee can use WMI to gather system information and to spawn processes for code injection.325

Groups That Use This Software

ID Name References