Skip to Content

Bumblebee malware loader service

Updated on 2022-11-15: Bumblebee IR report

For blue-teamers and IR aficionados, the DFIR Report team has put out another stellar report on an infection with the Bumblebee malware. Read more: BumbleBee Zeros in on Meterpreter

“The intrusion started with a contact form on a website. The contact form gets filled out by the threat actor with a Copyright notice, purporting a violation of the Digital Millennium Copyright Act (DMCA). It then encourages the recipient to download a file showing the purported violation.”

Updated on 2022-10-05

Since this spring, Bumblebee has been one of the most active malware strains, and several security firms have covered it in reports (IBM X-Force, Fox-IT, Proofpoint, Sekoia, Cybereason, Symantec, OALABS, Check Point). Read more:

Updated on September 2022

The DFIR Report team has an update on the operations of the Bumblebee malware loader service, which they first covered in a report last month.



Cyber-security firm Sekoia has published its own report on the new Bumblebee malware. The company said it noted a rise from only five C&C servers at the start of April to over 130 at the start of June, making Bumblebee one of the major threats today and being often used for initial access by multiple cybercrime groups.

Number of active BumbleBee C2 servers by date.

    Ads Blocker Image Powered by Code Help Pro

    It looks like you are using an adblocker.

    Ads keep our content free. Please consider supporting us by allowing ads on