Friday, March 1, 2024

New JavaScript-based Dropper Delivers Bumblebee and IcedID Malware

Recent research has identified new JavaScript-based droppers that deliver the Bumblebee and IcedID malware, replacing the PowerShell-based droppers used previously.

Both malware families are closely associated with ransomware attacks.

Bumblebee is a modular loader, distributed primarily through phishing, used to deliver payloads commonly associated with ransomware deployments. 

IcedID is a modular banking trojan that targets user financial information and can act as a dropper for other malware. It uses a man-in-the-browser attack to steal financial information, including login credentials for online banking sessions. 

The shift in Bumblebee and IcedID from a PowerShell-based loader to a JavaScript-based loader, and from a banking trojan to a malware loader, shows how threat actors adapt their TTPs to evade detection.

PindOS JavaScript Technical Analysis

According to Deep Instinct’s Threat Research Lab report, the dropper contains comments in Russian. It employs the unique user-agent string “PindOS”, which may be a reference to current (and past) anti-American sentiment in Russia.  

The dropper consists of a single function, “exec,” which takes four parameters:

  • “UserAgent”: The user-agent string to be used when downloading Bumblebee’s DLL
  • “URL1”: First address to download from
  • “URL2”: Second address to download from
  • “RunDLL”: Payload DLL-exported function to call

When executed, the dropper first attempts to download the payload from URL1 and executes it by calling the specified export directly via rundll32.exe.

If this fails, the dropper attempts to download the payload from URL2 and executes it using a combination of PowerShell and rundll32.exe.

The downloaded payload is saved to %appdata%/Microsoft/Templates/<6-char-random-number>.dat.
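The behaviour described above (the fixed “PindOS” user-agent, a script host spawning rundll32.exe or PowerShell, and a six-digit .dat file staged under %appdata%\Microsoft\Templates) gives defenders three concrete things to hunt for. The following Python script is an added example, not code from the report or from Deep Instinct; it runs three such checks over constructed sample proxy and process-creation records in a simplified key=value log format that is assumed for illustration (real telemetry would be parsed from your EDR or proxy export instead).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry). Format assumed for this
# example: "<kind> key=value key="quoted value" ...".
SAMPLE_EVENTS = [
    'proxy ts=2023-06-27T10:01:02Z src=10.0.0.15 ua="PindOS" url=http://example.invalid/a',
    'proxy ts=2023-06-27T10:01:05Z src=10.0.0.16 ua="Mozilla/5.0" url=http://example.invalid/index.html',
    r'process ts=2023-06-27T10:01:03Z parent=wscript.exe image=rundll32.exe '
    r'cmdline="rundll32.exe C:\Users\u\AppData\Roaming\Microsoft\Templates\483920.dat,SetPath"',
    r'process ts=2023-06-27T10:01:04Z parent=wscript.exe image=powershell.exe '
    r'cmdline="powershell.exe -c rundll32.exe C:\Users\u\AppData\Roaming\Microsoft\Templates\917362.dat,SetPath"',
    r'process ts=2023-06-27T10:02:00Z parent=explorer.exe image=rundll32.exe '
    r'cmdline="rundll32.exe shell32.dll,Control_RunDLL"',
]

# Indicators taken from the behaviour described in the article.
PINDOS_UA = "PindOS"
# %appdata% expands to <profile>\AppData\Roaming; the article reports a
# six-character numeric file name with a .dat extension under Templates.
STAGE_PATH_RE = re.compile(
    r"AppData[\\/]Roaming[\\/]Microsoft[\\/]Templates[\\/]\d{6}\.dat", re.IGNORECASE
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts that run a .js dropper
LOADER_CHILDREN = {"rundll32.exe", "powershell.exe"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split a sample log line into its kind and key=value fields."""
    kind, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["kind"] = kind
    return fields


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event triggers."""
    hits: List[str] = []
    if ev["kind"] == "proxy" and ev.get("ua") == PINDOS_UA:
        hits.append("pindos-user-agent")
    if ev["kind"] == "process":
        if STAGE_PATH_RE.search(ev.get("cmdline", "")):
            hits.append("templates-dat-payload")
        if (ev.get("parent", "").lower() in SCRIPT_HOSTS
                and ev.get("image", "").lower() in LOADER_CHILDREN):
            hits.append("script-host-spawns-loader")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every rule over every line; return (rule, timestamp, subject)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        subject = ev.get("src") or ev.get("image") or "?"
        for rule in evaluate(ev):
            findings.append((rule, ev.get("ts", "?"), subject))
    return findings


if __name__ == "__main__":
    for rule, ts, subject in scan(SAMPLE_EVENTS):
        print(f"{ts} {rule:28s} {subject}")
```

The benign fifth record (rundll32.exe launched by explorer.exe with a system DLL) triggers nothing, while the two dropper-style process events each trigger both the staging-path rule and the script-host-parent rule; the user-agent rule is the weakest of the three, since an attacker can change the string, so it is best treated as corroboration for the process-based rules rather than as a stand-alone alert.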

When comparing the old Bumblebee DLL with the new variant, both have the same main function, “set path”.  

Additionally, the new variant includes “legitimate-looking” strings taken from the FFmpeg open-source project’s “error.c” file and a few other files from the same project, for distraction purposes.

The new variant has four main export functions, unlike the older variant, which had two. 

The retrieved payloads are generated pseudo-randomly “on demand,” which results in a new sample hash each time a payload is fetched to reduce the risk of detection. 

As Bumblebee and IcedID are known to deliver ransomware, we recommend that security teams take note of the following IOCs; updated IOCs are available on Deep Instinct’s GitHub page.

  • Bumblebee.JS dropper: SHA256
  • Bumblebee DLL payload: SHA256
  • IcedID.JS dropper: SHA256
  • IcedID DLL payload: SHA256

Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
