Bumblebee malware emerges as replacement for Conti gang’s BazaLoader

Researchers on Thursday reported that Bumblebee, a new downloader traced to the Conti ransomware gang, a group with reportedly strong ties to Russia, has replaced BazaLoader.
In a blog post, Proofpoint researchers said they had not detected BazaLoader in their threat data since February 2022. Bumblebee, they said, is a sophisticated downloader that already contains anti-virtualization checks and a unique implementation of common downloader capabilities, despite being so early in its development.
The researchers said they observed Bumblebee dropping Cobalt Strike, shellcode, Sliver and Meterpreter. The malware’s name comes from the unique user-agent string “bumblebee” used in early campaigns. Proofpoint said Bumblebee’s purpose is to download and execute additional ransomware payloads.
The Conti Leaks pulled back the curtain on the Conti ransomware syndicate’s library of tactics, techniques, and procedures, which likely included information about its use of the BazaLoader malware, said Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows. Hoffman said it’s no surprise to see a new tool, in this case the Bumblebee loader, emerging to take its place.
“Due to Conti Leaks, we may continue to see new techniques and potentially more tools surface in the cyber threat landscape,” Hoffman said. “This is significant because even after an intrusive leak, Conti operations have continued, and the group remains one of the most active and pernicious ransomware groups.”
Jason Hicks, field CISO and executive advisor at Coalfire, said the use of APC injection rather than DLL injection would potentially make this malware somewhat harder to detect from an anti-malware/EDR perspective. To detect something like this, Hicks said, the tools use some combination of machine learning and, in some cases, artificial intelligence.
“If most of the models are trained to detect DLL injection and not APC injection, it may decrease the detection accuracy rate,” Hicks said. “As this becomes more prevalent, I’d expect the tools to start detecting both of these methods with equal frequency. Relying on traditional signature-based AV would not be a good way to protect your firm from these kinds of attacks.”
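Hicks’ point, that a detector built around the classic DLL-injection call chain can miss an APC-based chain until it is taught that pattern too, can be shown with a small rule-based detector over per-process API telemetry. The Python below is an added example written for this article; it is not code from Proofpoint, Coalfire or the Bumblebee authors. The event format (source pid, API name, target pid), the sample events and the two API chains are constructed for illustration: the chains are the textbook sequences for each technique, not anything the article reports about Bumblebee’s actual implementation.

```python
"""
Toy injection detector: matches ordered API-call chains per (source, target)
process pair. Event format and sample events are constructed for this
example; a real EDR would source them from user-mode hooks or ETW.
"""
from collections import defaultdict

# Constructed sample telemetry: (source pid, api name, target pid), in call order.
SAMPLE_EVENTS = [
    (100, "VirtualAlloc", 100),          # benign: process touching its own memory
    (300, "OpenProcess", 200),           # classic DLL injection, pid 300 -> pid 200
    (300, "VirtualAllocEx", 200),
    (300, "WriteProcessMemory", 200),
    (300, "CreateRemoteThread", 200),
    (500, "OpenProcess", 400),           # APC injection, pid 500 -> pid 400
    (500, "VirtualAllocEx", 400),
    (500, "WriteProcessMemory", 400),
    (500, "OpenThread", 400),
    (500, "QueueUserAPC", 400),
]

# Textbook call chains (assumed for illustration, gaps between steps allowed).
DLL_INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx",
                       "WriteProcessMemory", "CreateRemoteThread")
APC_INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx",
                       "WriteProcessMemory", "OpenThread", "QueueUserAPC")

# Rule set that only knows the DLL-injection pattern...
DLL_ONLY_RULES = {"dll_injection": DLL_INJECTION_CHAIN}
# ...and the same rule set extended with the APC pattern.
EXTENDED_RULES = {"dll_injection": DLL_INJECTION_CHAIN,
                  "apc_injection": APC_INJECTION_CHAIN}


def _contains_subsequence(calls, chain):
    """True if every API in `chain` appears in `calls` in that order,
    with other calls allowed in between."""
    it = iter(calls)
    return all(any(call == step for call in it) for step in chain)


def detect(events, rules):
    """Group cross-process calls by (source pid, target pid) and return
    {(source, target): [rule names that matched]} for every flagged pair."""
    by_pair = defaultdict(list)
    for pid, api, target in events:
        if pid != target:                 # only cross-process activity is interesting
            by_pair[(pid, target)].append(api)
    hits = {}
    for pair, calls in by_pair.items():
        matched = [name for name, chain in rules.items()
                   if _contains_subsequence(calls, chain)]
        if matched:
            hits[pair] = matched
    return hits


if __name__ == "__main__":
    # The DLL-only rule set sees pid 300 -> 200 but is blind to pid 500 -> 400.
    print("DLL-only rules:", detect(SAMPLE_EVENTS, DLL_ONLY_RULES))
    # The extended rule set flags both pairs.
    print("Extended rules:", detect(SAMPLE_EVENTS, EXTENDED_RULES))
```

With only the DLL-injection rule the APC chain from pid 500 into pid 400 produces no alert at all; adding the APC chain is what closes the gap, which is the behaviour Hicks describes. A production rule would also need the native variants (for example NtQueueApcThread and NtCreateThreadEx), since a loader that calls the Nt* functions directly bypasses hooks placed only on the Win32 wrappers.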
Saryu Nayyar, founder and CEO of Gurucul, said Proofpoint’s research shows how threat actors not only use multiple techniques but also vary them, both to compromise organizations and to evade most SIEM and XDR platforms.
“While most SIEM and XDR solutions already lack the necessary analytics across numerous data sources, the real issue is that they rely on rule-based machine learning models that are fixed and unable to adapt to threat actors’ varying techniques and tools,” Nayyar said. “This allows attackers to easily deliver malicious payloads once they have gained initial entry into the network, most often via a phishing attack.”