The PolySwarm Blog

Bumblebee Loader

Aug 25, 2022 1:48:41 PM / by PolySwarm Tech Team


Related Families: BazarLoader, BazaLoader, Conti, BazarBackdoor, Trickbot, Diavol, Sliver, Bokbot, Meterpreter, Cobalt Strike

Verticals Targeted: Multiple

Executive Summary

Earlier this month, Palo Alto’s Unit 42 reported on recent activity leveraging Bumblebee. Unit 42 observed activity by multiple threat actors, including Projector Libra.

Key Takeaways

  • Bumblebee emerged in early 2022 as a replacement for BazarLoader and is used by multiple threat actors.
  • Recently observed infection vectors for Bumblebee use ISO images.
  • Bumblebee includes mechanisms for anti-analysis checks and maintaining persistence.
  • Bumblebee is used to drop multiple follow-up payloads, including ransomware and Cobalt Strike.
What is Bumblebee?

Earlier this month, Palo Alto’s Unit 42 reported on recent activity leveraging Bumblebee, a replacement for BazarLoader that targets Windows machines. Unit 42 observed multiple threat actors leveraging Bumblebee, including the financially motivated initial access broker Projector Libra, also known as Exotic Lily.

BazarLoader Replacement

Bumblebee’s predecessor, BazarLoader, was observed in the wild as early as April 2020. BazarLoader was used by multiple threat actors, including TA551, TA578, and the actors behind the BazarCall campaign. Around February or March 2022, Bumblebee emerged as its replacement. The name comes from the string “bumblebee” in the User-Agent header of the loader’s post-infection HTTPS traffic.

Infection Vector

In the incident Unit 42 investigated, Projector Libra operators first sent a benign-looking email to a potential victim. If the victim replied, the operators sent a follow-up telling the victim to expect an email from a file-sharing service carrying a file relevant to the discussion. One of the legitimate file-sharing services used was TransferXL. The file-sharing email then delivers a link to malware masquerading as the promised file.

Most of the delivered files are ISO images containing a Windows shortcut (.LNK) and the Bumblebee loader. The threat actors used more than one way to hide the loader. In some cases the .LNK file runs a hidden DLL placed on the ISO. In others the ISO carries a password-protected .7Z archive containing the Bumblebee DLL, and the .LNK file runs a hidden copy of 7-Zip to extract it. According to malware researcher Eli Salem, Bumblebee uses a unique unpacking mechanism.

C2 Communication

NCC Group reported on Bumblebee earlier this year, with analyzed samples dating back to September 2021. They noted that Bumblebee’s backend is written in Golang. The samples NCC Group analyzed expose an export function named ‘SetPath.’ Before contacting its C2, Bumblebee runs a series of anti-analysis checks, many of them taken from the open-source al-khaser project; only once those checks pass does it initiate C2 communication.

According to NCC Group, Bumblebee receives commands from the C2 and executes one of the following tasks:
  • shi - injects the task’s data into a new process; the process image path is picked at random from a list embedded in the binary
  • dij - same as shi, but using a different injection method
  • dex - writes the task’s data to a file named wab.exe in the Windows AppData folder
  • sdl - deletes the loader’s binary from disk
  • ins - establishes persistence on the victim machine

To maintain persistence, Bumblebee creates a new directory under the Windows AppData folder, with a name derived from the MD5 of the client_id. It copies itself into that directory and writes a VBS file with the following content, where my_application_path is the path of the copied loader and IternalJob is the export it invokes:

Set objShell = CreateObject("Wscript.Shell")
objShell.Run "rundll32.exe my_application_path, IternalJob"

Bumblebee then creates a scheduled task whose action is %WINDIR%\System32\wscript.exe VBS_Filepath, so that the script, and through it the loader DLL, is launched by wscript.exe each time the task fires.
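As an added illustration, not code from PolySwarm, NCC Group or the Bumblebee authors, the following Python triages exported Task Scheduler definitions for the chain just described: a task whose action is wscript.exe pointed at a .vbs file, whose script in turn calls rundll32.exe on a DLL, with the script or the DLL living under a user’s AppData directory. The task XML layout is the standard export format (schtasks /query /xml); the sample task, script contents, paths and directory name are constructed for the example, and the matching rule is an assumption drawn from the description above rather than a published signature.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by exported Task Scheduler definitions
# (schtasks /query /xml, Export-ScheduledTask).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristic (assumption derived from the persistence chain described above):
#   wscript.exe task -> <file>.vbs -> rundll32 <dll>,<export>
# with the script or the DLL under a user profile's AppData directory.
WSCRIPT_RE = re.compile(r"(?:^|\\)wscript\.exe$", re.IGNORECASE)
VBS_ARG_RE = re.compile(r'"([^"]+?\.vbs)"|(\S+?\.vbs)', re.IGNORECASE)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)

# Constructed samples for offline use; paths, directory name and file
# contents are made up for this example, not artefacts from the report.
SUSPECT_VBS = "C:\\Users\\bob\\AppData\\Roaming\\3f2a9c1e\\update.vbs"
SUSPECT_DLL = "C:\\Users\\bob\\AppData\\Roaming\\3f2a9c1e\\update.dll"
BENIGN_VBS = "C:\\ProgramData\\Vendor\\cleanup.vbs"
WSCRIPT = "%WINDIR%\\System32\\wscript.exe"

SAMPLE_FILES = {
    SUSPECT_VBS: (
        'Set objShell = CreateObject("Wscript.Shell")\n'
        f'objShell.Run "rundll32.exe {SUSPECT_DLL}, IternalJob"\n'
    ),
    BENIGN_VBS: (
        'Set objShell = CreateObject("Wscript.Shell")\n'
        'objShell.Run "cmd.exe /c del /q C:\\ProgramData\\Vendor\\tmp\\*"\n'
    ),
}


def task_xml(command: str, arguments: str) -> str:
    """Build a minimal exported-task XML with one Exec action (test scaffolding)."""
    return (
        '<Task version="1.2" '
        'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


def task_actions(xml_text: str):
    """Yield (command, arguments) for every Exec action in an exported task."""
    root = ET.fromstring(xml_text)
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        yield cmd.strip().strip('"'), args.strip()


def vbs_rundll_targets(vbs_text: str):
    """Return (dll_path, export) for each rundll32 invocation in VBS source."""
    return [(m.group("dll").strip(), m.group("export"))
            for m in RUNDLL_RE.finditer(vbs_text)]


def check_task(xml_text: str, read_file=SAMPLE_FILES.__getitem__):
    """Return [(vbs_path, dll_path, export)] for actions matching the chain.

    read_file(path) -> str is injected so the same logic runs against the
    constructed samples here or a live filesystem, e.g.
    lambda p: open(p, encoding="utf-8", errors="replace").read().
    A wscript task whose script cannot be read is still reported, with
    dll_path and export set to None, since a dangling task is itself a lead.
    """
    findings = []
    for cmd, args in task_actions(xml_text):
        if not WSCRIPT_RE.search(cmd):
            continue
        m = VBS_ARG_RE.search(args)
        if not m:
            continue
        vbs_path = m.group(1) or m.group(2)
        try:
            vbs_text = read_file(vbs_path)
        except (OSError, KeyError):
            findings.append((vbs_path, None, None))
            continue
        for dll, export in vbs_rundll_targets(vbs_text):
            if APPDATA_RE.search(dll) or APPDATA_RE.search(vbs_path):
                findings.append((vbs_path, dll, export))
    return findings


if __name__ == "__main__":
    for label, xml_text in (
        ("suspect", task_xml(WSCRIPT, SUSPECT_VBS)),
        ("benign", task_xml(WSCRIPT, BENIGN_VBS)),
    ):
        print(label, check_task(xml_text))
```

On a live host, export each task with schtasks /query /xml /tn <name> (the output is UTF-16; decode it before parsing) and pass a read_file that opens the referenced script. The rule is a triage lead, not proof: any legitimate wscript task that launches rundll32 on a DLL under AppData will match too, so confirm hits by hashing the DLL and checking its exports.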


In an Active Directory environment, Bumblebee loads Cobalt Strike, which the threat actors use to map the target’s environment. Bumblebee has also been used to drop Sliver, Meterpreter, or raw shellcode.

If the threat actors deem the target to be high value, they may follow up by dropping ransomware. Ransomware families dropped have included Conti and Diavol.


PolySwarm has multiple samples of Bumblebee. Below is a selection of hashes from our most recent Bumblebee samples.

First Seen

Other Hashes
We currently have over 700 Bumblebee samples in our portal.

You can use the following CLI command to search for all Bumblebee samples in our portal:

$ polyswarm link list -f BumbleBee


Topics: Threat Bulletin, Loader, BazarLoader, BazarBackdoor, Bumblebee, BazaLoader
