Update: Emotet botnet and Bumblebee Malware


Cybersecurity researchers at Proofpoint have this week published new research on Emotet – one of the most prolific cybercriminal threats before its disruption by global law enforcement in January 2021, and Bumblebee – a new sophisticated downloader that executes malware payloads. 

The Emotet botnet was revealed to be using brand new distribution tactics, indicating that the cybercriminal group (TA542) is testing new attack techniques on a small scale before adopting them for larger volume campaigns. 

Additionally, Bumblebee has become the new malware on the block, with multiple crimeware threat actors using it to replace previously-used BazaLoader and IcedID malware in their campaigns. 


 In recent activity from April 2022, the TA542 group displayed a number of unusual tactics:

  • The low-volume nature of the activity –Typically Emotet distributes high-volume email campaigns to many targets globally
  • The use of OneDrive URLs – Typically Emotet delivers Microsoft Office attachments or URLs (hosted on compromised sites) linking to Office files. 
  • The use of XLL files – Typically, Emotet uses Microsoft Excel or Word documents containing VBA or XL4 macros


  • Multiple crimeware threat actors previously observed delivering BazaLoader and IcedID are now switching to Bumblebee
    • In fact, BazaLoader has not been seen in Proofpoint data since February 2022
  • Bumblebee is in active development and wields elaborate evasion techniques to include complex anti-virtualisation. Unlike most other malware that uses process hollowing or DLL injection, this loader utilises an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2)
  • Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns