---
title: "Bumblebee Malware Resurfaces with Latest Attacks Leveraging WebDAV Folders | DuoCircle"
description: "Bumblebee malware makes a comeback with email attacks. Here’s a close look at the episode, the threat actors, and how to protect yourself from such threats."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-38-of-2023/"
---

Quick Answer

Bumblebee malware returned on September 7, 2023 after a two-month break, this time abusing 4shared WebDAV services to stage payloads. Phishing emails posing as document scans, invoices, and notifications carry .LNK files (or ZIPs containing them); when opened, the LNK mounts a 4shared WebDAV folder using hardcoded credentials and runs commands like 'expand,' 'replace.exe,' 'conhost.exe,' or 'schtasks' to fetch the loader. Bumblebee first appeared in September 2021 as the successor to BazarLoader after BazarLoader's source code leaked. Intel 471 ties Bumblebee to operators previously linked to Conti and Trickbot, and tracks plans to use it in malvertising campaigns against US corporate users for sale to ransomware affiliates. The new build replaces WebSocket C2 with a custom TCP protocol and uses a domain generation algorithm that creates 100 unique .life domains from a 64-bit static seed. Defenders should harden email filtering, train staff on .LNK and ZIP lures, restrict user privileges, and monitor for anomalous WebDAV traffic.


![cybersecurity](https://media.mailhop.org/duocircle/images/2023/09/Office-365-migration-1.jpg) 

_**Bumblebee malware** makes a comeback with_ [_email attacks_](/email-security/microsoft-email-attacks-an-inside-look-at-the-outlook-breach/)_. Here’s a close look at the episode, the threat actors, and how to protect yourself from such threats._

The [cybersecurity](/) world is again shaken due to the Bumblebee malware, which emerged after a two-month hiatus. The Bumblebee malware is back again with a **new campaign** wherein threat actors exploit [Web Distributed Authoring and Versioning (WebDAV)](https://en.wikipedia.org/wiki/WebDAV) services to create a gateway into the target organization.

This article covers the details of the attack and the threat actors' modus operandi, including how they are reshaping their tactics into novel threats, and provides guidance on how to enhance your [malware protection](/resources/malware-and-its-defense-mechanism) and **stay safe from malware** like Bumblebee.

## How Bumblebee Malware Abused 4shared WebDAV Services

On September 7, 2023, security experts detected a resurgence of the Bumblebee malware, notable for its novel utilization of **4shared** WebDAV services for disseminating [harmful payloads](https://cybersecuritynews.com/gootkit-loader-malware-using-vlc-player/). WebDAV, an extension of the HTTP (Hypertext Transfer Protocol) protocol, enables users to interact with remote web servers, presenting an enticing opportunity for threat actors.

Within this campaign, malicious actors employed deceptive email scams camouflaged as document scans, invoices, and notifications. These fake emails carried **Windows shortcut (.LNK) files** or ZIP archives containing .LNK files.

_When a user interacts with or opens them, these [LNK files](https://cybersecuritynews.com/hackers-use-weaponized-lnk-files/) initiate a sequence of instructions after establishing a connection to a WebDAV folder on a network drive, employing predefined credentials linked to a 4shared storage account._

Notably, researchers identified variations in the commands used, indicating an **ongoing** effort by threat actors to refine their attack methods. Some samples used the “expand” command to **extract and copy files** from the mounted drive, while others used “replace.exe.” The samples also differed in the binaries used for execution, such as “conhost.exe” and “schtasks.”

## The Threat Actors Behind Bumblebee Malware

Initially detected in September 2021, Bumblebee gained popularity among malicious actors as it offered an **efficient entry point** into high-value enterprise environments. Notably, Bumblebee replaced the [BazarLoader malware](https://www.techrepublic.com/article/cybersecurity-attacker-uses-websites-contact-forms-to-spread-bazarloader-malware/) as the preferred loader for threat actors. The shift followed the **public release of source code** and control panel data related to BazarLoader, discouraging some malicious actors from its further use.

[![malware](https://media.mailhop.org/duocircle/images/2023/09/office-365-migration-3.jpg)](https://media.mailhop.org/duocircle/images/2023/09/office-365-migration-3.jpg)

Intel 471’s [research](https://intel471.com/blog/bumblebee-loader-resurfaces-in-new-campaign) has revealed that Bumblebee is closely linked to adversaries previously associated with ransomware operations, including **Conti and Trickbot**. Given the threat actors’ history of ransomware activities, this connection underscores the gravity of Bumblebee’s resurgence.

One alarming development is a threat actor’s intent to use Bumblebee for malicious advertising (malvertising) campaigns. The goal is to **compromise corporate users** in the United States and then sell access to ransomware affiliates, a tactic known as [initial access brokering](https://www.cisecurity.org/insights/blog/initial-access-brokers-how-theyre-changing-cybercrime).

## Evolving Bumblebee Malware: What You Need to Know

In its return, Bumblebee’s latest version exhibits notable enhancements. _In the past, it heavily relied on the WebSocket protocol for its Command and Control (C2) server communications._ However, the updated version has **shifted its approach**, employing a tailored Transmission Control Protocol (TCP) mechanism. The strategic shift bolsters its ability to evade detection and significantly enhances its resilience against disruption.

Moreover, Bumblebee has abandoned relying on fixed C2 server addresses. Instead, it has embraced a [Domain Generation Algorithm (DGA)](https://www.techtarget.com/searchsecurity/definition/domain-generation-algorithm-DGA#:~:text=What%20is%20a%20domain%20generation,order%20to%20evade%20security%20countermeasures.) strategy. The DGA generates a **hundred unique domains** within the “.life” top-level domain (TLD) upon execution, using a 64-bit static seed value. _Bumblebee, in turn, connects to these domains by systematically cycling through the list until it locates an active C2 server IP address._

The threat actors’ adoption of a DGA adds a layer of complexity, making it **notably challenging** for [security teams](/email-security/how-ai-powered-email-solutions-can-level-up-security-teams/) to trace Bumblebee’s infrastructure, block its domains, and disrupt its activities.

## How to Protect Against Bumblebee Malware

There is a lot that **organizations and individuals** can do to protect against the Bumblebee threat, including:

### Implementing Strong Email Security

Employ robust [email security](/content/email-security-services/types-of-email-security) solutions to detect and block malicious spam emails. Train employees to **recognize phishing** attempts and avoid opening suspicious attachments while providing comprehensive [phishing awareness training](/phishing-awareness-training).

### Strengthening Endpoint Security

Use advanced endpoint protection software that includes **behavior-based detection** to identify and block Bumblebee. _Restrict users’ privileges to limit the execution of suspicious files._

[![phishing awareness](https://media.mailhop.org/duocircle/images/2023/09/spf-record-check-7491-1.jpg)](https://media.mailhop.org/duocircle/images/2023/09/spf-record-check-7491-1.jpg)

### Enhancing Network Monitoring

Continuously monitor network traffic to **identify abnormal behavior** that could signal potential email attacks or malware activity. Employ [Intrusion Detection and Prevention Systems (IDPS)](https://www.blackberry.com/us/en/solutions/endpoint-security/zero-trust-network-access/network-intrusion-detection-prevention) for enhanced Bumblebee detection capabilities.
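The two network-level signals this article describes, a WebDAV mount to an external file-sharing host (the LNK stage) and a burst of non-resolving lookups under the “.life” TLD before one name resolves (the DGA cycling through its list until it finds a live C2), can be hunted for in resolver and proxy logs. The script below is an added example, not code from the article or from Intel 471; the log lines are constructed, the field layout and the `min_nxdomain` threshold are assumptions, and the heuristic does not reproduce Bumblebee's actual DGA.

```python
import re
from collections import defaultdict

# Constructed sample logs (not real telemetry). The field layout is an
# assumption for this example; adapt the regexes to your resolver/proxy format.
DNS_LOG = """\
2023-09-07T10:00:01Z host=WS-042 query=a1b2c3d4e5f6.life rcode=NXDOMAIN
2023-09-07T10:00:01Z host=WS-042 query=f6e5d4c3b2a1.life rcode=NXDOMAIN
2023-09-07T10:00:02Z host=WS-042 query=0f1e2d3c4b5a.life rcode=NXDOMAIN
2023-09-07T10:00:02Z host=WS-042 query=9a8b7c6d5e4f.life rcode=NOERROR
2023-09-07T10:00:03Z host=WS-017 query=www.example.com rcode=NOERROR
2023-09-07T10:00:04Z host=WS-017 query=cdn.example.net rcode=NXDOMAIN
"""

PROXY_LOG = """\
2023-09-07T09:59:58Z host=WS-042 method=PROPFIND url=https://webdav.cloudshare.test/shared/ status=207
2023-09-07T09:59:59Z host=WS-042 method=GET url=https://webdav.cloudshare.test/shared/payload.dat status=200
2023-09-07T10:00:05Z host=WS-017 method=GET url=https://www.example.com/ status=200
2023-09-07T10:00:06Z host=WS-099 method=PROPFIND url=https://files.corp.internal/dav/ status=207
"""

DNS_RE = re.compile(r"host=(\S+) query=(\S+) rcode=(\S+)")
PROXY_RE = re.compile(r"host=(\S+) method=(\S+) url=https?://([^/\s]+)")
# HTTP methods that only WebDAV clients emit; a mounted network drive issues
# PROPFIND when Windows enumerates the remote folder.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def dga_suspects(dns_log, tld=".life", min_nxdomain=3):
    """Hosts querying many distinct non-resolving names under one TLD.
    A DGA that cycles through generated names until one resolves leaves a
    burst of NXDOMAINs under that TLD, sometimes followed by a single hit."""
    nx, resolved = defaultdict(set), defaultdict(set)
    for m in DNS_RE.finditer(dns_log):
        host, name, rcode = m.groups()
        if not name.lower().endswith(tld):
            continue
        (nx if rcode == "NXDOMAIN" else resolved)[host].add(name.lower())
    return {h: {"nxdomain": len(nx[h]), "resolved": sorted(resolved[h])}
            for h in nx if len(nx[h]) >= min_nxdomain}


def webdav_suspects(proxy_log, allowed_hosts):
    """Hosts issuing WebDAV methods to servers outside the approved list."""
    hits = defaultdict(set)
    for m in PROXY_RE.finditer(proxy_log):
        host, method, server = m.groups()
        if method.upper() in WEBDAV_METHODS and server.lower() not in allowed_hosts:
            hits[host].add(server.lower())
    return {h: sorted(s) for h, s in hits.items()}


def triage(dns_log, proxy_log, allowed_hosts):
    """Combine both signals; a host showing both gets the higher severity."""
    dga, dav = dga_suspects(dns_log), webdav_suspects(proxy_log, allowed_hosts)
    return {h: {"severity": "high" if h in dga and h in dav else "medium",
                "dga": dga.get(h), "webdav": dav.get(h)}
            for h in set(dga) | set(dav)}


if __name__ == "__main__":
    for host, info in sorted(triage(DNS_LOG, PROXY_LOG, {"files.corp.internal"}).items()):
        print(host, info)
```

Tune `min_nxdomain` to your environment's baseline; the page states the DGA produces a hundred names per run, so a real infection will exceed any sensible threshold, while a single typo will not.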

## Final Words

The return of Bumblebee malware highlights the **ever-evolving nature** of the cyber threats organizations face. The malicious actors’ use of 4shared WebDAV and a Domain Generation Algorithm exacerbates the cybersecurity challenge. _Bumblebee’s links to ransomware emphasize the need for continuous vigilance and adaptable defenses._ Traditional security measures falter against such [sophisticated threats](https://www.infosecurity-magazine.com/news/apt-clusters-target-southeast-asia/).

Collaboration between security experts and organizations is vital to counter this resilient [malware](/data-privacy/new-zero-click-hack-with-stealthy-root-privilege-malware-targets-ios-users/). Staying ahead of threat actors requires ongoing vigilance and adaptation in cybersecurity.

## References

1. Intel 471 (2023, September 15). Bumblebee Loader Resurfaces in New Campaign. <https://intel471.com/blog/bumblebee-loader-resurfaces-in-new-campaign>
2. Toulas, B. (2023, September 18). Bumblebee malware returns in new attacks abusing WebDAV folders. BleepingComputer. <https://www.bleepingcomputer.com/news/security/bumblebee-malware-returns-in-new-attacks-abusing-webdav-folders/>


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.


