S1039: Bumblebee
Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.[1][2][3]
Analyst context for executives and security teams
Bumblebee matters because ATT&CK describes it as a Windows C++ loader used to download and execute additional payloads, with links in reporting to ransomware operations and possible initial access broker activity. For leaders, the practical issue is not the loader name itself, but whether the organization can quickly prove which Windows hosts executed suspicious loaders, what follow-on payloads were fetched, what data may have been collected or exfiltrated, and whether ransomware-prevention controls would interrupt the chain.
Executive priority
Treat this as a validation case for ransomware readiness and incident triage on Windows endpoints. Ask whether SOC and IR teams can correlate endpoint execution, persistence, process injection, PowerShell/cmd/WMI use, scheduled tasks, registry queries, outbound web/C2 traffic, downloaded tools, file deletion, and potential data exfiltration into a single investigation timeline. This supports business continuity planning, audit evidence for endpoint monitoring, and prioritization of controls that reduce loader-to-ransomware escalation risk.
Technical view
ATT&CK provides no dedicated detection text for Bumblebee, so defenders should build coverage from the related behaviors: execution via PowerShell, Windows Command Shell, Visual Basic, WMI, Native API, and shared modules; persistence/execution through Scheduled Task; evasion through obfuscation, masquerading, process injection, DLL injection, APC injection, and file deletion; discovery through registry, process, user, and system information queries; and command-and-control through fallback channels, web services, ingress tool transfer, standard encoding, and exfiltration over C2. Because the malware object is Windows-scoped, prioritize Windows endpoint, identity, and network telemetry while avoiding assumptions about guaranteed detection from any single signal.
Likely telemetry
- Windows endpoint process creation and command-line logs
- PowerShell script block/module/transcription logs where enabled
- WMI activity and remote/local execution telemetry
- Scheduled task creation, modification, and execution events
- Windows Registry query and modification telemetry
Detection direction
- Validate correlation across loader-like execution followed by discovery, persistence, C2, tool transfer, and file deletion rather than relying on a single Bumblebee indicator.
- Tune detections for suspicious use of PowerShell, cmd, WMI, scheduled tasks, and registry queries in user workstations where administrative or automation activity is uncommon.
- Review process injection, DLL injection, APC injection, and unusual module-loading alerts with parent/child process context to reduce false positives from legitimate security and management tools.
- Inspect outbound web service usage, fallback-channel behavior, encoded traffic, and downloads from Windows hosts, accounting for high noise from normal web and cloud-service traffic.
- Ensure IR playbooks preserve volatile endpoint and network evidence because file deletion and obfuscation can reduce post-incident visibility.
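The correlation idea in the list above, as an added example (it is not code from MITRE ATT&CK or from the Glexia page): a small per-host correlator that maps individual Windows endpoint events to chain stages (loader execution from a user-writable path, discovery via WMI or `reg query`, the loader process going outbound, a scheduled task running a .vbs from %APPDATA%) and only raises a finding when several distinct stages land on one host inside a time window. The JSON-lines event shape, field names, hostnames and paths are constructed assumptions standing in for whatever your EDR or Sysmon pipeline emits.

```python
"""Correlate loader-like Windows endpoint events into a per-host chain.

Added example; not code from MITRE ATT&CK or the Glexia page. The event shape
(JSON lines with host, ts, event, image, cmdline, action, dest) is a constructed,
simplified stand-in for what an EDR or Sysmon pipeline would emit.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. WS01 shows the chain the page describes:
# rundll32 loading a DLL from a user-writable path, WMI discovery, the loader
# process talking outbound, then a scheduled task running a .vbs from %APPDATA%.
# WS02 shows routine activity that shares single signals but not the chain.
SAMPLE_EVENTS = r"""
{"host":"WS01","ts":"2024-05-01T09:00:01","event":"process","image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\pic.dll,Entry","parent":"explorer.exe"}
{"host":"WS01","ts":"2024-05-01T09:00:05","event":"process","image":"C:\\Windows\\System32\\wbem\\wmic.exe","cmdline":"wmic computersystem get domain","parent":"rundll32.exe"}
{"host":"WS01","ts":"2024-05-01T09:00:09","event":"network","image":"C:\\Windows\\System32\\rundll32.exe","dest":"203.0.113.10:443"}
{"host":"WS01","ts":"2024-05-01T09:01:30","event":"task_created","action":"wscript.exe C:\\Users\\alice\\AppData\\Roaming\\Upd\\run.vbs"}
{"host":"WS02","ts":"2024-05-01T10:00:00","event":"process","image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe shell32.dll,Control_RunDLL","parent":"explorer.exe"}
{"host":"WS02","ts":"2024-05-01T10:00:10","event":"process","image":"C:\\Windows\\System32\\reg.exe","cmdline":"reg query HKLM\\SOFTWARE\\Policies","parent":"cmd.exe"}
{"host":"WS02","ts":"2024-05-01T10:05:00","event":"task_created","action":"C:\\Windows\\System32\\wscript.exe C:\\Scripts\\logon.vbs"}
"""

LOADER_IMAGES = {"rundll32.exe", "odbcconf.exe"}          # LOLBins named on the page
USER_WRITABLE = re.compile(r"\\(users|appdata|temp|programdata)\\", re.IGNORECASE)
VBS_IN_APPDATA = re.compile(r"(wscript|cscript).*appdata.*\.vbs", re.IGNORECASE)
REG_QUERY = re.compile(r"\breg(\.exe)?\s+query\b", re.IGNORECASE)

WINDOW = timedelta(minutes=30)   # how close the stages must be on one host
MIN_STAGES = 3                   # a single signal never raises a finding


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Map one event to a chain stage, or None if it is not interesting."""
    kind = ev.get("event")
    image = basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "")
    if kind == "process":
        if image in LOADER_IMAGES and USER_WRITABLE.search(cmd):
            return "loader_exec"
        if image == "wmic.exe" or REG_QUERY.search(cmd):
            return "discovery"
    elif kind == "task_created":
        if VBS_IN_APPDATA.search(ev.get("action", "")):
            return "vbs_task_persist"
    elif kind == "network":
        if image in LOADER_IMAGES:
            return "loader_network"
    return None


def parse_events(text):
    """Parse JSON lines into dicts with real datetimes, ordered by host then time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: (e["host"], e["ts"]))


def correlate(text):
    """Return {host: [stages in first-seen order]} for hosts where at least
    MIN_STAGES distinct stages occur within WINDOW of each other."""
    per_host = defaultdict(list)
    for ev in parse_events(text):
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))
    findings = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            in_window = [s for t, s in hits[i:] if t - t0 <= WINDOW]
            stages = sorted(set(in_window), key=in_window.index)
            if len(stages) >= MIN_STAGES:
                findings[host] = stages
                break
    return findings


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

WS02 produces one stage (a plain `reg query`) and a rundll32 launch that points at a system DLL, so it is never reported; WS01 reaches four stages within two minutes and is. The stage vocabulary is deliberately generic so that the same correlator can be fed from Sysmon event IDs 1, 3 and Security 4698 after a field-mapping step.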
Mitigation priorities
- Prioritize endpoint hardening and monitoring on Windows systems, especially script interpreters, WMI, scheduled tasks, and unauthorized module execution.
- Restrict and monitor administrative scripting and remote management paths with least privilege and strong identity controls.
- Apply application control or allow-listing where operationally feasible to reduce unauthorized loaders, scripts, and shared-module execution.
- Improve egress governance with proxy/DNS logging and policy controls so unusual web-service C2, fallback channels, and tool downloads are reviewable and containable.
- Maintain ransomware-oriented IR readiness: rapid host isolation, payload scoping, credential review, backup validation, and evidence preservation.
Analyst notes and limits
The most useful defensive framing is loader behavior leading to follow-on payload execution. ATT&CK links Bumblebee to multiple techniques across execution, discovery, evasion, command-and-control, collection, and exfiltration, and notes reporting associations with ransomware operations and possible initial access broker use. Those relationships justify prioritizing it for ransomware-readiness validation, but local telemetry is required to determine exposure or incident impact.
Official ATT&CK detection guidance is not provided for this object, tactics are not specified on the malware object itself, and no aliases or labels are supplied. Platform support for the malware object is Windows; some related techniques list broader platforms, but that should not be treated as Bumblebee platform coverage. The supplied data does not prove current activity, attribution, exploitation against any organization, or guaranteed detection by any control.
Bumblebee
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | Bumblebee can enumerate the OS version and domain on a targeted system. [Google EXOTIC LILY March 2022; Proofpoint Bumblebee April 2022; Symantec Bumblebee June 2022] |
| Enterprise | T1033 | System Owner/User Discovery | Bumblebee has the ability to identify the user name. [Google EXOTIC LILY March 2022] |
| Enterprise | T1047 | Windows Management Instrumentation | Bumblebee can use WMI to gather system information and to spawn processes for code injection. [Google EXOTIC LILY March 2022; Proofpoint Bumblebee April 2022; Cybereason Bumblebee August 2022] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Bumblebee can send collected data in JSON format to C2. [Google EXOTIC LILY March 2022] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Bumblebee can use `cmd.exe` to drop and run files. [Google EXOTIC LILY March 2022; Proofpoint Bumblebee April 2022] |
| Enterprise | T1497.001 | System Checks (sub-technique) | Bumblebee has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products. [Medium Ali Salem Bumblebee April 2022] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Bumblebee can deobfuscate C2 server responses and unpack its code on targeted hosts. [Proofpoint Bumblebee April 2022; Medium Ali Salem Bumblebee April 2022] |
| Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique) | The Bumblebee loader can support the `Dij` command, which gives it the ability to inject DLLs into the memory of other processes. [Proofpoint Bumblebee April 2022; Symantec Bumblebee June 2022] |
| Enterprise | T1560 | Archive Collected Data | Bumblebee can compress data stolen from the Registry and volume shadow copies prior to exfiltration. [Cybereason Bumblebee August 2022] |
| Enterprise | T1497.003 | Time Based Checks (sub-technique) | Bumblebee has the ability to set a hardcoded and randomized sleep interval. [Proofpoint Bumblebee April 2022] |
| Enterprise | T1218.008 | Odbcconf (sub-technique) | Bumblebee can use `odbcconf.exe` to run DLLs on targeted hosts. [Cybereason Bumblebee August 2022] |
| Enterprise | T1005 | Data from Local System | Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies. [Cybereason Bumblebee August 2022] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | Bumblebee can identify specific analytical tools based on running processes. [Proofpoint Bumblebee April 2022; Symantec Bumblebee June 2022; Medium Ali Salem Bumblebee April 2022] |
| Enterprise | T1055.004 | Asynchronous Procedure Call (sub-technique) | Bumblebee can use asynchronous procedure call (APC) injection to execute commands received from C2. [Proofpoint Bumblebee April 2022] |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | Bumblebee can create a Visual Basic script to enable persistence. [Proofpoint Bumblebee April 2022; Symantec Bumblebee June 2022] |
| Enterprise | T1102 | Web Service | Bumblebee has been downloaded to victims' machines from OneDrive. [Proofpoint Bumblebee April 2022] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Bumblebee has the ability to perform anti-virtualization checks. [Proofpoint Bumblebee April 2022] |
| Enterprise | T1105 | Ingress Tool Transfer | Bumblebee can download and execute additional payloads, including through the use of a `Dex` command. [Google EXOTIC LILY March 2022; Proofpoint Bumblebee April 2022; Symantec Bumblebee June 2022] |
| Enterprise | T1008 | Fallback Channels | Bumblebee can use backup C2 servers if the primary server fails. [Proofpoint Bumblebee April 2022] |
| Enterprise | T1566.002 | Spearphishing Link (sub-technique) | Bumblebee has been spread through e-mail campaigns with malicious links. [Proofpoint Bumblebee April 2022; Cybereason Bumblebee August 2022] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | Bumblebee has the ability to base64 encode C2 server responses. [Proofpoint Bumblebee April 2022] |
| Enterprise | T1218.011 | Rundll32 (sub-technique) | Bumblebee has used `rundll32` for execution of the loader component. [Proofpoint Bumblebee April 2022; Symantec Bumblebee June 2022] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | Bumblebee has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer. [Medium Ali Salem Bumblebee April 2022] |
| Enterprise | T1055 | Process Injection | Bumblebee can inject code into multiple processes on infected endpoints. [Cybereason Bumblebee August 2022] |
| Enterprise | T1106 | Native API | Bumblebee can use multiple Native APIs. [Proofpoint Bumblebee April 2022; Medium Ali Salem Bumblebee April 2022] |
| Enterprise | T1027 | Obfuscated Files or Information | Bumblebee has been delivered as password-protected zipped ISO files and has used control-flow flattening to obfuscate the flow of functions. [Proofpoint Bumblebee April 2022; Cybereason Bumblebee August 2022; Medium Ali Salem Bumblebee April 2022] |
| Enterprise | T1129 | Shared Modules | Bumblebee can use `LoadLibrary` to attempt to execute GdiPlus.dll. [Medium Ali Salem Bumblebee April 2022] |
| Enterprise | T1012 | Query Registry | Bumblebee can check the Registry for specific keys. [Medium Ali Salem Bumblebee April 2022] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | Bumblebee can encrypt C2 requests and responses with RC4. [Proofpoint Bumblebee April 2022] |
| Enterprise | T1548.002 | Bypass User Account Control (sub-technique) | Bumblebee has the ability to bypass UAC to deploy post-exploitation tools with elevated privileges. [Cybereason Bumblebee August 2022] |
| Enterprise | T1057 | Process Discovery | Bumblebee can identify processes associated with analytical tools. [Proofpoint Bumblebee April 2022; Symantec Bumblebee June 2022; Medium Ali Salem Bumblebee April 2022] |
| Enterprise | T1204.001 | Malicious Link (sub-technique) | Bumblebee has relied upon a user downloading a file from a OneDrive link for execution. [Proofpoint Bumblebee April 2022; Cybereason Bumblebee August 2022] |
| Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | Bumblebee has gained execution through luring users into opening malicious attachments. [Proofpoint Bumblebee April 2022; Symantec Bumblebee June 2022; Cybereason Bumblebee August 2022; Medium Ali Salem Bumblebee April 2022] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | Bumblebee can achieve persistence by copying its DLL to a subdirectory of %APPDATA% and creating a Visual Basic Script that will load the DLL via a scheduled task. [Proofpoint Bumblebee April 2022; Symantec Bumblebee June 2022] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs. [Proofpoint Bumblebee April 2022; Symantec Bumblebee June 2022; Cybereason Bumblebee August 2022; Medium Ali Salem Bumblebee April 2022] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | Bumblebee can use PowerShell for execution. [Medium Ali Salem Bumblebee April 2022] |
| Enterprise | T1559.001 | Component Object Model (sub-technique) | Bumblebee can use a COM object to execute queries to gather system information. [Proofpoint Bumblebee April 2022] |
| Enterprise | T1622 | Debugger Evasion | Bumblebee can search for tools used in static analysis. [Medium Ali Salem Bumblebee April 2022] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Bumblebee can uninstall its loader through the use of a `Sdl` command. [Proofpoint Bumblebee April 2022] |
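The T1053.005 row describes persistence through a scheduled task that launches a Visual Basic script from under %APPDATA%. As an added example (not code from MITRE ATT&CK or the Glexia page), the audit below parses output in the shape of `schtasks /query /v /fo CSV` and flags tasks whose action runs `wscript`/`cscript` on a .vbs in a user-writable location, or whose binary itself lives under a user-writable path. The sample CSV is constructed, cut down to a few of the real columns, and the host, task and user names in it are invented.

```python
"""Audit a schtasks CSV export for loader-style VBS/AppData persistence.

Added example; not code from MITRE ATT&CK or the Glexia page. Input is expected
in the shape of `schtasks /query /v /fo CSV` (the sample below is constructed
and keeps only a subset of the columns that command really emits).
"""
import csv
import io
import re

# Constructed sample. Only \UpdateTask and \Sync should be reported.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\UpdateTask","WS01\alice","wscript.exe C:\Users\alice\AppData\Roaming\Upd\run.vbs","alice"
"WS01","\Backup","CORP\admin","C:\Program Files\Backup\backup.exe --nightly","SYSTEM"
"WS01","\LogonScript","CORP\admin","cscript.exe //nologo C:\Scripts\logon.vbs","alice"
"WS01","\Sync","WS01\alice","C:\Users\alice\AppData\Local\Sync\sync.exe /quiet","alice"
'''

# A Windows script host appears in the action ...
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.IGNORECASE)
# ... and it is handed a .vbs that sits under a per-user or temp path.
VBS_USER_PATH = re.compile(r'(appdata|\\users\\[^\\]+\\|\\temp\\)[^"]*\.vbs', re.IGNORECASE)
# The task's own executable lives somewhere an unprivileged user can write.
USER_WRITABLE_EXE = re.compile(r'^"?[a-z]:\\(users|programdata)\\.*\.(exe|dll)', re.IGNORECASE)


def audit_tasks(csv_text):
    """Return [(task name, run-as user, reason)] for tasks worth a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run", "")
        reasons = []
        if SCRIPT_HOST.search(action) and VBS_USER_PATH.search(action):
            reasons.append("script host runs .vbs from a user-writable path")
        if USER_WRITABLE_EXE.search(action):
            reasons.append("task binary under a user-writable path")
        if reasons:
            findings.append((row["TaskName"], row.get("Run As User", ""), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, user, reason in audit_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{name} (runs as {user}): {reason}")
```

On a real export the second rule is noisy, since per-user installers such as sync clients and collaboration tools legitimately register tasks under AppData; the `Author` and `Run As User` columns are the quickest way to separate those from a task a user account created for itself minutes after a loader ran.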
Groups, software, and campaigns
G1038: TA578
G1011: EXOTIC LILY
EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9abedb58ac1d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Google EXOTIC LILY March 2022: Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
[2] Proofpoint Bumblebee April 2022: Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
[3] Symantec Bumblebee June 2022: Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
[4] mitre-attack S1039: the MITRE ATT&CK source object for S1039 (Bumblebee).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.