Bumblebee malware returns to target hundreds of firms


Hackers have once again started using the Bumblebee malware in their campaigns to target victims across the globe, researchers have confirmed.

In a new report, cybersecurity pros Proofpoint said that after a four-month period of inactivity, they spotted threat actors deploying this malware variant in new campaigns.

The researchers began observing a campaign in which “several thousand emails” were being sent to different organizations in the United States. The emails were part of a phishing campaign whose goal was to get the victims to download and run a Word file hosted in a OneDrive folder.

Macros in Office documents

Although benign on the surface (it impersonated the Humane company that is developing and selling a smart wearable device), the Word file was weaponized through a malicious macro. The macro, after a few steps, downloaded and executed Bumblebee, a malicious loader that’s used to drop additional payloads on the compromised endpoints.

While Proofpoint wasn’t able to confidently attribute the campaign to any particular threat actor, it did say that it somewhat aligns with previous activities from the TA579 group. It also said that two other groups, TA576 and TA866, both recently emerged after “months-long gaps in activity”, hinting that they, too, might be behind this campaign.

Whoever the perpetrator is, one thing is certain - Bumblebee can be used to deploy ransomware.

Proofpoint also noted that the attackers opted for a macro-based attack, which is somewhat unusual given that Microsoft effectively killed off the method two years ago.

Back in 2022, Microsoft started blocking macros by default in files downloaded from the internet, forcing the majority of threat actors to pivot to different techniques. One of the methods that has emerged since then is the use of shortcut files instead of Word documents. One of their greatest advantages is the ability to change the icon’s appearance, which the hackers used to trick people into thinking they were running a .PDF file.
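As an added defender-side illustration (not code from Proofpoint or from this article), the following Python parser reads the target path, arguments and icon location out of a Windows shortcut (.lnk) file and flags the combination described above: an icon that imitates a document while the shortcut actually launches a script host. The indicator lists, the AcroRd32.exe icon path and the constructed sample shortcut are assumptions made for the demonstration.

```python
import struct

# LinkFlags bits of the Shell Link header (MS-SHLLINK, section 2.1.1).
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SCRIPT_HOSTS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32")
DOCUMENT_LOOKS = (".pdf", "acrord", "winword", ".docx")  # assumed indicators, tune per estate
LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

def parse_lnk(data):
    """Walk a .lnk file and return its StringData fields (path, arguments, icon...)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:       # skip the item ID list; its size field excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:     # skip LinkInfo; its size field includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        fields[name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields

def suspicious_reasons(fields):
    """Defender heuristic: a document-looking icon on a shortcut that launches a script host."""
    launch = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    icon = fields.get("icon_location", "").lower()
    reasons = []
    if any(host in launch for host in SCRIPT_HOSTS):
        reasons.append("target runs a script host: " + launch.strip())
        if any(look in icon for look in DOCUMENT_LOOKS):
            reasons.append("icon impersonates a document: " + icon)
    return reasons

def build_lnk(relative_path, arguments, icon_location):
    """Constructed test fixture: minimal Unicode .lnk carrying StringData only (no IDList/LinkInfo)."""
    flags = 0x08 | 0x20 | 0x40 | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, flags).ljust(0x4C, b"\x00")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body
```

Real shortcuts usually carry an item ID list and LinkInfo block as well; the parser skips both by their size fields, so it works on files created by Explorer, not only on the fixture.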

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
