In a recent revelation by Proofpoint researchers, the infamous Bumblebee malware resurfaced in the cyber threat landscape on February 8, 2024, following a four-month hiatus from Proofpoint’s threat data. Known for its sophistication, Bumblebee serves as a downloader utilized by multiple cybercriminal groups, emerging as a favoured payload from its initial appearance in March 2022 until its disappearance in October 2023.


Unveiling the February Malware Campaign

The resurgence of Bumblebee has sparked renewed concerns among cyber security experts, shedding light on evolving tactics employed by cybercriminals to infiltrate organizations and execute malicious activities.

The February campaign delivering Bumblebee caught the attention of cybersecurity experts as Proofpoint observed a surge in malicious emails targeting organizations in the United States.

These emails bore the subject line “Voicemail February” and were purportedly sent from “info@quarlesaa[.]com,” containing OneDrive URLs. Upon investigation, these URLs directed recipients to Word files with names like “ReleaseEvans#96.docm,” with varying digits preceding the file extension.

Notably, the Word documents were cleverly disguised to mimic communications from the consumer electronics company Humane.

What sets this campaign apart is the utilization of VBA macro-enabled documents, a rarity in contemporary cyber threats.

In a landscape where most threat actors have steered clear of such tactics due to increased security measures, the resurgence of VBA macros raises concerns. Microsoft’s default blocking of macros in 2022 prompted a significant shift in attack methodologies towards exploiting vulnerabilities and employing unconventional file types.
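
A triage check for the lure traits described above (sender domain, voicemail subject, OneDrive link, macro-enabled file name), added here as an example and not taken from Proofpoint or the original article. The OneDrive host list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

def refang(text):
    """Undo common defanging so indicators compare cleanly."""
    return text.replace("[.]", ".").replace("hxxp", "http")

# Indicators taken from the article, kept defanged and refanged at runtime.
SENDER_DOMAIN = refang("quarlesaa[.]com")
SUBJECT_LURE = re.compile(r"\bvoicemail\b", re.I)
DOCM_NAME = re.compile(r"^[A-Za-z]+#\d+\.docm$")  # shape of ReleaseEvans#96.docm
# Assumption: common OneDrive hosts; the article does not list the URLs.
ONEDRIVE_HOSTS = ("1drv.ms", "onedrive.live.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def triage(raw_message):
    """Return the campaign traits found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    hits = []
    sender = parseaddr(refang(msg.get("From", "")))[1].lower()
    if sender.rpartition("@")[2] == SENDER_DOMAIN:
        hits.append("sender_domain")
    if SUBJECT_LURE.search(msg.get("Subject", "")):
        hits.append("voicemail_subject")
    # Text parts as-is; transfer-encoded bodies would need decoding first.
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if isinstance(p.get_payload(), str))
    for url in URL_RE.findall(refang(body)):
        host = (urlparse(url).hostname or "").lower()
        if host in ONEDRIVE_HOSTS or host.endswith("-my.sharepoint.com"):
            hits.append("onedrive_link")
            break
    return hits

def is_lure_filename(name):
    """True for macro-enabled Word names shaped like the article's example."""
    return bool(DOCM_NAME.match(name))

# Constructed sample message (not a real capture); the link ID is a placeholder.
SAMPLE = (
    "From: Voicemail <info@quarlesaa[.]com>\n"
    "Subject: Voicemail February\n"
    "\n"
    "You have a new message: hxxps://1drv[.]ms/w/CONSTRUCTED-ID\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE), is_lure_filename("ReleaseEvans#96.docm"))
```

A message matching all three email traits is a strong candidate for quarantine; a single trait such as a OneDrive link alone is common in legitimate mail and should only raise the score.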


Departure from Previous Tactics

Furthermore, this campaign demonstrates a departure from previously observed Bumblebee tactics. Previous campaigns featured diverse methods of distributing Bumblebee, including emails with URLs leading to DLL downloads, HTML attachments leveraging HTML smuggling, and zipped, password-protected VBS attachments, among others.

Despite these observations, Proofpoint has refrained from attributing the activity to a specific threat actor. However, similarities in the voicemail lure theme, use of OneDrive URLs, and sender address suggest potential connections to previous TA579 activities.

The resurgence of Bumblebee underscores a broader trend of increased cyber threat activity following a period of relative dormancy.

As 2024 unfolds, cybersecurity researchers anticipate sustained high levels of threat activity, characterized by novel attack chains, evasion tactics, and updated malware.



In light of these developments, it is imperative for organizations to remain vigilant and proactive in their cyber security posture. Implementing robust security measures, conducting regular threat assessments, and providing comprehensive employee training are essential steps in mitigating the risks posed by evolving cyber threats.

Stay tuned as Proofpoint researchers continue to monitor and analyse evolving cyber threats, providing insights to safeguard against emerging risks in an ever-evolving digital landscape. Together, we can navigate the complexities of the cyber threat landscape and ensure a secure and resilient digital future.
