New Bumblebee Loader Infection Chain Signals Possible Resurgence
ID: b7e4d2f6-ee87-51a3-9e5e-3af1e5aa39f0
STIX ID: report--b7e4d2f6-ee87-51a3-9e5e-3af1e5aa39f0
Feed Name: Netskope Threat Labs
Netskope Threat Labs analyzed a Bumblebee downloader campaign that begins with phishing-delivered ZIP/LNK files that invoke PowerShell to fetch an MSI. The MSI uses the SelfReg table to load a malicious DLL into msiexec and execute DllRegisterServer, unpacking the Bumblebee payload entirely in memory. This technique avoids writing the payload to disk and reduces noisy process creation. The campaign is notable as a potential resurgence of Bumblebee delivering Cobalt Strike beacons and ransomware; IOCs and detections are provided by Netskope.
