Friday, May 2, 2025
HomeCyber Security NewsBumblebee Malware Abuses WebDAV Protocol to Attack Organizations

Bumblebee Malware Abuses WebDAV Protocol to Attack Organizations

Published on

SIEM as a Service

Follow Us on Google News

In recent cybersecurity news, the notorious Bumblebee loader has made a resurgence in a new campaign, posing a significant threat to organizations’ digital security. 

This loader, often used as a stepping stone for ransomware attacks, had taken a pause but reemerged with upgraded techniques.

Intel 471 Malware Intelligence reported that Bumblebee’s operators have returned with updated tactics. 

- Advertisement - Google News

The malware now employs a Domain Generation Algorithm (DGA) instead of relying on hard-coded command and control servers, making it more resilient.

On September 7, 2023, a fresh campaign utilizing Web Distributed Authoring and Versioning (WebDAV) servers was observed. 

Threat actors used malicious spam emails containing Windows shortcut (.LNK) and compressed archive (.ZIP) files as delivery methods for Bumblebee. Once activated, these files executed commands that downloaded the malware from WebDAV servers.

Bumblebee gained prominence as a loader in September 2021, becoming the preferred choice for threat actors who had previously used BazarLoader. 

Notorious Bumblebee Campaign

It has since been linked to various ransomware payloads, including Cobalt Strike, Metasploit, and Sliver.

This loader’s association with threat actors connected to Conti and Trickbot operations highlights its potency. 

One threat actor aimed to use Bumblebee in a malicious advertising campaign to compromise U.S.-based corporate users, emphasizing its value to cybercriminals.

In this recent campaign, threat actors have leveraged 4shared WebDAV services to distribute the malware. 

The 4shared file-hosting service provides a platform for users to upload and download files via both a web interface and the WebDAV protocol. 

WebDAV enables users to manage and edit files on remote servers, making it a convenient tool.

While the use of WebDAV in malware distribution isn’t new, it played a role in distributing the IcedID (aka Bokbot) malware earlier in the year, as noted by the SANS Internet Storm Center. 

In the Bumblebee campaign, malicious actors sent out spam emails disguised as various documents such as scans, notifications, and invoices. 

These emails contained enticing attachments with filenames like “scan-document_2023(383).lnk” and “invoice-07september_2023(231).lnk.”

Most of the observed samples were distributed as .LNK files. When executed, these .LNK files initiated the Windows command processor, which carried out predefined commands. 

The first command involved mounting a network drive to a WebDAV folder located at “https://webdav.4shared[dot]com” using specific authentication credentials.

Detailed analysis revealed variations in command sets among different samples. After mounting the network drive, subsequent commands differed depending on the specific sample. 

For instance, some used “expand” for file extraction, while others employed “replace.exe” as an alternative method. The approaches to executing these files also varied, utilizing processes like “wmic.exe,” “conhost.exe,” and “schtasks.”

On September 1, 2023, a new version of the Bumblebee loader was detected, featuring significant changes to its architecture. 

It shifted from using the WebSocket protocol to a custom Transmission Control Protocol (TCP) for communication. 

A Domain Generation Algorithm (DGA) was also introduced, replacing the previous hard-coded list of command and control servers. The DGA generated 100 new domains with a “.life” top-level domain (TLD), adding complexity and reducing reliance on static C2 servers.

In the observed WebDAV campaign, four domains were listed, and the fourth domain was successfully resolved and contacted:

  • 3v1n35i5kwx[dot]life
  • cmid1s1zeiu[dot]life
  • Itszko2ot5u[dot]life
  • newdnq1xnl9[dot]life

This evolving Bumblebee loader highlights a coordinated effort by threat actors to enhance evasion tactics and resilience against network scrutiny. The use of 4shared’s WebDAV services as a distribution method represents a novel attack vector. 

Detailed analysis of the .LNK files used in this campaign shows calculated steps to evade detection, including mounting network drives and employing varied command sequences and execution methods.

Intel 471 recommends blocking known malicious domains associated with this campaign and closely monitoring command line event logs for suspicious activity.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Dutch Services Disrupted by DDoS Attacks From Russian-Affiliated Hacktivists

Multiple Dutch organizations have experienced significant service disruptions this week due to a series...

Seven Malicious Packages Exploit Gmail SMTP to Run Harmful Commands

A major supply chain security incident has rocked the Python open-source community as researchers...

CISA Issues New ICS Advisories Addressing Critical Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has issued two new advisories revealing critical...

NVIDIA TensorRT-LLM Vulnerability Let Hackers Run Malicious Code

NVIDIA has issued an urgent security advisory after discovering a significant vulnerability (CVE-2025-23254) in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Dutch Services Disrupted by DDoS Attacks From Russian-Affiliated Hacktivists

Multiple Dutch organizations have experienced significant service disruptions this week due to a series...

Seven Malicious Packages Exploit Gmail SMTP to Run Harmful Commands

A major supply chain security incident has rocked the Python open-source community as researchers...

CISA Issues New ICS Advisories Addressing Critical Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has issued two new advisories revealing critical...