{"id":48267,"date":"2022-09-02T00:00:00","date_gmt":"2022-09-02T00:00:00","guid":{"rendered":"urn:uuid:f1f29c73-5ee8-1326-baa8-9ed4458377cf"},"modified":"2022-09-02T00:00:00","modified_gmt":"2022-09-02T00:00:00","slug":"buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/","title":{"rendered":"Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-like-bookworm\/Buzzing-in-the-Background-BumbleBee-a-New-Modular-Backdoor-Like-BookWorm-641.png\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.611570853167\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1612841974\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 
col-md-12\" readability=\"10.777027027027\">\n<div class=\"article-details\" role=\"heading\" readability=\"41.148648648649\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">In March 2021, we investigated a backdoor with a unique modular architecture and called it BumbleBee due to a string embedded in the malware. However, in our recent investigations, we have discovered a controller application that expands its capabilities. <\/p>\n<p class=\"article-details__author-by\">By: Vickie Su, Ted Lee, Nick Dai <time class=\"article-details__date\">September 02, 2022<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"40\">\n<div readability=\"25\">\n<p>In March 2021, we investigated a backdoor with a unique modular architecture and called it BumbleBee due to a string embedded in the malware. Its modular framework made our static analysis more challenging, because we first had to rebuild its structure, or fall back on dynamic analysis, to understand its functionality and behavior.<\/p>\n<p>Our analysis found that BumbleBee\u2019s payload contained only a small amount of malicious code, and on the surface all it does is log keystrokes and clipboard content. However, further investigation revealed a controller application that expands the malware\u2019s capabilities.<\/p>\n<p>This backdoor closely resembles another one called BookWorm, from which it can be inferred that BumbleBee is a refactored version of BookWorm. At the time of writing, BumbleBee has only been deployed in Taiwan; together with its use of Simplified Chinese as the language of its user interface, this malware is suspected to be deployed by malicious Chinese actors. This blog will cover BumbleBee\u2019s capabilities and our analysis of this backdoor. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"38\">\n<div readability=\"21\">\n<p>BumbleBee is a modular backdoor that comprises two applications, a server and a client application (a \u201cmaster\u201d and a \u201cslaver\u201d application, respectively, in the malware\u2019s jargon). Once the client application is deployed on the target computer (commonly a local government device), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.<\/p>\n<p><b><i>Layered deployment \u2013 client application<\/i><\/b><\/p>\n<p>We encountered the client application during a security breach incident. Its unique \u201clayer-in-layer\u201d architecture caught our attention. The module is a self-extracting file that contains three main parts: a legitimate executable (<i>XcrSvr.exe<\/i>), a side-loaded DLL (<i>XecureIO_v20.dll<\/i>), and the shellcode binary file (ore). These are written to the file system, after which the legitimate executable is run.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-like-bookworm\/fig-1-Buzzing-in-the-Background-BumbleBee-a-New-Modular-Backdoor-evolved-From-BookWorm.png\" alt=\"Figure 1. Architecture of BumbleBee\"><figcaption>Figure 1. 
Architecture of BumbleBee<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-like-bookworm\/fig-2-Buzzing-in-the-Background-BumbleBee-a-New-Modular-Backdoor-Like-BookWorm.png\" alt=\"Figure 2. Metadata of XcrSvr.exe\"><figcaption>Figure 2. Metadata of XcrSvr.exe<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41\">\n<div class=\"responsive-table-wrap\" readability=\"27\">\n<p><i>XCrSvr.exe<\/i> is the executable of the XecureVistaCryptoSvr module developed by SoftForum. The backdoor abuses this legitimate file to load the side-loaded DLL, <i>XecureIO_v20.dll<\/i>, which acts as the next-stage loader and executes the shellcode \u201core,\u201d the main component of this backdoor. The shellcode contains multiple modules of its own (shown in Table 1). Each module is embedded in the shellcode in both a 32-bit and a 64-bit version, except for <i>launcher.dll<\/i>.<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"9.5\">\n<tr>\n<td>Name<\/td>\n<td>Description<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td><i>launcher.dll<\/i><\/td>\n<td>The first-stage launcher that loads all the subsequent modules. It decrypts a list of modules in memory and executes each in order.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><i>kernel.dll<\/i><\/td>\n<td>The utility component that controls all the other modules.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><i>installer.dll<\/i><\/td>\n<td>The module used to install components on the compromised machine.<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td><i>keylog.dll<\/i><\/td>\n<td>The keylogging component monitors the victim\u2019s keystrokes and clipboard content, and records actions such as running a process, entering a password, and getting the text of a window. The stolen data is XORed with the two-byte key 0xF29D and saved under %temp%\\kb\\[UserName]\\, with the timestamp used as the file name.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><i>loader.dll<\/i><\/td>\n<td>The module that reads the shellcode.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><i>slaver.dll<\/i><\/td>\n<td>The main module that interacts with the other methods once the backdoor is launched.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 1. BumbleBee&#8217;s modules<\/p>\n<p>When a victim is compromised for the first time, <i>launcher.dll<\/i> loads and launches all the other modules. The installer module is then responsible for the installation and for establishing persistence on the compromised machine, via the following steps:<\/p>\n<ol>\n<li>Drop a copy of XecureIO_v20.dll into the %APPDATA%\\LOCAL\\TEMP folder.<\/li>\n<li>Encrypt the original shellcode file (as a \u201cbin\u201d file) and the path information (as a \u201cpath\u201d file) with the RC4 algorithm, using as the key the value of \u201cProductID\u201d from \u201cHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Registration\u201d.<\/li>\n<li>Drop bpu.dll (used to bypass UAC), which is launched by rundll32.exe.<\/li>\n<li>Establish persistence on the compromised machine.<\/li>\n<li>Delete the original SFX file.<\/li>\n<\/ol>\n<p>Notably, when <i>XecureIO_v20.dll<\/i> is loaded by <i>XcrSvr.exe<\/i>, it checks whether the parent process is \u201c<i>XcrSvr.exe<\/i>.\u201d If so, it patches the entry point of <i>XcrSvr.exe<\/i> with a long jump instruction that redirects the execution flow to the malicious code.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-like-bookworm\/fig-3-Buzzing-in-the-Background-BumbleBee-a-New-Modular-Backdoor-Like-BookWorm.png\" alt=\"Figure 3. XecureIO_v20.dll hooks its parent process\u2019 entry point\"><figcaption>Figure 3. XecureIO_v20.dll hooks its parent process\u2019 entry point<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-like-bookworm\/fig-4-Buzzing-in-the-Background-BumbleBee-a-New-Modular-Backdoor-Like-BookWorm.png\" alt=\"Figure 4. The original entry point\"><figcaption>Figure 4. 
The original entry point<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-like-bookworm\/fig-5-Buzzing-in-the-Background-BumbleBee-a-New-Modular-Backdoor-Like-BookWorm.png\" alt=\"Figure 5. The patched entry point\"><figcaption>Figure 5. The patched entry point<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"44\">\n<div class=\"responsive-table-wrap\" readability=\"33\">\n<p>Based on our analysis, we think the reason is that the malicious code embedded in XecureIO_v20.dll would not run if <i>XCrSvr.exe<\/i> followed its normal execution flow. Hence, once <i>XecureIO_v20.dll<\/i> is loaded by <i>XCrSvr.exe<\/i>, it patches the entry point of <i>XCrSvr.exe<\/i> and jumps to the address of the malicious code to make sure that code is executed.<\/p>\n<p>After the client is installed and persistence is established, the loader, <i>XecureIO_v20.dll<\/i>, retrieves the value of \u201cProductID\u201d from the registry key \u201c<i>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Registration<\/i>\u201d and uses it as the key to decrypt the encrypted payload (the file \u201cbin\u201d) dropped during the first installation. Using information from the compromised machine as the key for encrypting the payload makes it much more difficult for analysts to decrypt and debug the malware in an analysis environment.<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"2.5\">\n<tr>\n<td>File name<\/td>\n<td>Description<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>path<\/td>\n<td>An RC4-encrypted path string used to find the location of the next-stage shellcode. It can be a file path or a registry path starting with HKLM or HKCU.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>bin<\/td>\n<td>The next-stage RC4-encrypted shellcode payload.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 2. Payload file names<\/p>\n<p><b><i>Expanded control \u2013 server application<\/i><\/b><\/p>\n<p>Because of BumbleBee\u2019s complex client application, it took us some time to fully analyze its functionality. While doing so, we came across the server application of the malware, which acts as its controller. This gave us a further understanding of how BumbleBee works.<\/p>\n<p>When the client application runs on the infected device, it communicates with the server application and reports information about the machine it is running on. Details such as the computer name, external IP address, geographic location, OS, CPU, and memory are collected by the client application.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-like-bookworm\/fig-6-Buzzing-in-the-Background-BumbleBee-a-New-Modular-Backdoor-evolved-From-BookWorm.png\" alt=\"Figure 6. Connection established\"><figcaption>Figure 6. Connection established<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-like-bookworm\/fig-7-Buzzing-in-the-Background-BumbleBee-a-New-Modular-Backdoor-Like-BookWorm.png\" alt=\"Figure 7. Built-in options in server application\"><figcaption>Figure 7. 
Built-in options in server application<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"45.5\">\n<div class=\"responsive-table-wrap\" readability=\"36\">\n<p>Based on the options in the server application shown in Figure 7, we can determine that it supports the following functions for controlling the compromised machine:<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"18.5\">\n<tr>\n<td>Functions<\/td>\n<td>Description<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>\u6587\u4ef6\u7ba1\u7406 (File management)<\/td>\n<td>Upload\/download\/delete\/list files from the victim\u2019s environment<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>\u5c4f\u5e55\u63a7\u5236 (Remote desktop control)<\/td>\n<td>Control the victim\u2019s desktop remotely<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td>\u8fdb\u7a0b\u7ba1\u7406 (Process management)<\/td>\n<td>List and manage running processes with the image names, current folder, process id and parent process id<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>\u670d\u52a1\u7ba1\u7406 (Service management)<\/td>\n<td>List and manage current services status<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>\u6ce8\u518a\u8868\u7f16\u8f91 (Registry editor)<\/td>\n<td>List and manage the victim\u2019s registry key<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>\u63a7\u5236\u53f0\u547d\u4ee4 (Command shell)<\/td>\n<td>Execute the command shell<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>\u4ea4\u4e92\u5f0f\u63a7\u5236\u53f0 (Interactive console)<\/td>\n<td>Execute the command shell<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>\u53cd\u5411\u4ee3\u7406 (Reverse proxy)<\/td>\n<td>Reverse proxy to help expose a local server behind a NAT or firewall to the internet<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>\u952e\u76d8\u8bb0\u5f55 (Keylogger)<\/td>\n<td>Log keystrokes and clipboard contents<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 3. 
Supported functions<\/p>\n<p>BumbleBee\u2019s modular framework allows the client\u2019s shellcode to embed only a small amount of malicious code, namely the stealing of keystrokes and clipboard content, while its capabilities can be expanded through the server application by loading additional modules. This design shows that BumbleBee is flexible, allowing its developers to focus on developing additional modules instead of having to rebuild the malware itself. The structure could also reduce the risk of exposing the malware and its own modules to analysts for comparison.<\/p>\n<p>BumbleBee communicates over HTTP. It first sends an HTTP request that acts as a network beacon to notify the command-and-control (C&amp;C) server: a POST request to the URL <i>http:\/\/&lt;C&amp;C server&gt;\/update\/<\/i> is the initial network beacon. Once the first connection is established successfully, the client application sends information about the compromised machine, encrypted with RC4 (see Figure 8 and Figure 9). All other traffic between the server and client applications, apart from the victim information, is encrypted with RC4 and compressed with the LZO (Lempel\u2013Ziv\u2013Oberhumer) algorithm.<\/p>\n<p>To make sure the received payload is intact, BumbleBee verifies the received data with a CRC32 checksum in reversed-presentation mode. For the CRC32 calculation, a self-defined value, \u201c20200105\u201d, is used as the initial value instead of the usual 0xffffffff.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-like-bookworm\/fig-8-Buzzing-in-the-Background-BumbleBee-a-New-Modular-Backdoor-evolved-From-BookWorm.png\" alt=\"Figure 8. 
Encrypted information of the compromised machine\"><figcaption>Figure 8. Encrypted information of the compromised machine<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-like-bookworm\/fig-9-Buzzing-in-the-Background-BumbleBee-a-New-Modular-Backdoor-Like-BookWorm.png\" alt=\"Figure 9. Decrypted information (by RC4)\"><figcaption>Figure 9. Decrypted information (by RC4)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"50.059719438878\">\n<div readability=\"46.133466933868\">\n<p>During the investigation, we found that BumbleBee adopts several techniques for persistence, choosing among them depending on its configuration. These are the techniques adopted by the BumbleBee sample we found:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Abuse a registry Run key to execute the malware at every system boot<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Create Windows services to repeatedly execute the malicious payloads<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Use Windows logon scripts, which are executed automatically during logon initialization, by adding &#8220;<i>UserInitMprLogonScript<\/i>&#8221; under the registry key <i>HKEY_CURRENT_USER\\Environment<\/i><\/span><\/li>\n<\/ul>\n<p>Because of its unique modular structure and installation procedure, we started a literature review to clarify whether it is a tool used exclusively by a certain threat actor. We found a similar backdoor, \u201cBookWorm,\u201d <a href=\"https:\/\/unit42.paloaltonetworks.com\/bookworm-trojan-a-model-of-modular-architecture\/\" target=\"_blank\" rel=\"noopener\">revealed by Palo Alto<\/a> in 2015. They share the following features:<\/p>\n<ol>\n<li>Both are self-extracting files that abuse legitimate executables to load custom malware.<\/li>\n<li>Both use the same registry value as the RC4 key to encrypt their payload.<\/li>\n<li>Both are built on a modular architecture.<\/li>\n<li>Both appeared in Southeast Asia, targeting local government-related organizations (similar victimology).<\/li>\n<li>Both use the RC4 and LZO algorithms in C&amp;C communications (similar network protocol).<\/li>\n<\/ol>\n<p>We think BumbleBee is likely a refactored version of the BookWorm backdoor: the two share similar tactics, techniques, and procedures (TTPs), a unique encryption approach, and similar target sectors. Given the language (Simplified Chinese) used in the server application, we suspect that the origins and developers of BumbleBee may be in China and of Chinese descent.<\/p>\n<p>Since BumbleBee and BookWorm share these features, BumbleBee is likely a refactored form of the latter. With its focus on Asian local government targets, all signs point to an actor linked to a Chinese hacker group.<\/p>\n<p>BumbleBee, being a modular framework, is not only flexible but also sophisticated, since analysts have to investigate both its structure and its behavior. Another consequence of a modular framework is that its developers can keep building additional modules, which can easily be integrated with the current version of the malware.<\/p>\n<p>With its modular capabilities, the threat may deploy additional modules that could prove dangerous. Thus, an advanced layer of protection and quick detection are needed to prevent the backdoor from taking root in the system. 
<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response\/managed-xdr-mdr.html\">Trend Micro Vision One\u2122<\/a> offers both within different entry points of a backdoor.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div class=\"responsive-table-wrap\" readability=\"13\">\n<p><b><u>C&amp;C:<\/u><\/b><\/p>\n<p>\u00b7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <i>http[:]\/\/www[.]synolo[.]ns01[.]biz:80\/update<\/i><\/p>\n<p>\u00b7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <i>http[:]\/\/118[.]163[.]105[.]130:80\/update<\/i><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"14\">\n<tr>\n<td>Tactics<\/td>\n<td>Techniques<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"4\">Defense Evasion<\/td>\n<td>T1574.002 &#8211; Hijack Execution Flow: DLL Side-Loading<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>T1070.004 &#8211; Indicator Removal on Host: File Deletion<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>T1055 &#8211; Process Injection<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>T1480.001 &#8211; Execution Guardrails: Environmental Keying<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"3\">Persistence<\/td>\n<td>T1547.001 &#8211; Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>T1037.001 &#8211; Boot or Logon Initialization Scripts: Logon Script (Windows)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>T1543.003 &#8211; Create or Modify System Process: Windows Service<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Privilege Escalation<\/td>\n<td>T1548.002 &#8211; Abuse Elevation Control Mechanism: Bypass User Account Control<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Collection<\/td>\n<td>T1056.001 &#8211; Input Capture: Keylogging<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Reconnaissance<\/td>\n<td>T1592 &#8211; Gather Victim Host Information<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"4\">Command and Control<\/td>\n<td>T1071.001 &#8211; Application Layer Protocol: Web Protocols<\/td>\n<\/tr>\n<tr>\n<td>T1090 &#8211; Proxy<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>T1573.001 &#8211; Encrypted Channel: Symmetric Cryptography<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>T1132.001 &#8211; Data Encoding: Standard Encoding<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Resource Development<\/td>\n<td>T1587.001 &#8211; Develop Capabilities: Malware<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/i\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In March 2021, we investigated a backdoor with a unique modular architecture and called it BumbleBee due to a string embedded in the malware. However, in our recent investigations, we have discovered a controller application that expands its capabilities. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":48268,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513,9509],"class_list":["post-48267","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/09\\\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/09\\\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm.png\",\"width\":938,\"height\":625},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 
CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f1
93e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/","og_locale":"en_US","og_type":"article","og_title":"Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-09-02T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/i\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-like-bookworm\/Buzzing-in-the-Background-BumbleBee-a-New-Modular-Backdoor-Like-BookWorm-641.png","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm","datePublished":"2022-09-02T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/"},"wordCount":2109,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/09\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm.png","keywords":["Trend Micro Research : Articles, News, 
Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/","url":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/","name":"Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/09\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm.png","datePublished":"2022-09-02T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/09\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/09\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm.png","width":938,"height":625},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolved-from-bookworm\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat 
IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}}}