A person is sitting at a desk with a computer surrounded by multiple advertisements and pop-ups on the screen.

Bumblebee Malware Makes Use Of Google Ads, Zoom, And ChatGPT 

Bumblebee Malware targets companies and spreads through Google Ads and SEO poisoning. These techniques boost widely used applications such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace.

The SecureWorks Counter Threat Unit (CTU) has gathered information on the dangerous Bumblebee malware. Phishing attacks have been used to spread ransomware via the Bumblebee malware, which was first discovered in March 2022. It is preferred by ransomware groups as a replacement for BazarLoader.

A new version of the malware loader discovered in September 2022 made use of the PowerSploit framework. The updated version has a stealthier attack chain that adds reflective DLLs into memory.

The ads that have been detected are related to a variety of well-known and high-profile applications. These include Cisco AnyConnect, Citrix Workspace, Zoom, and even the ChatGPT generative artificial intelligence (AI) tool. Users looking for genuine software are unknowingly tricked into installing Bumblebee via fake download sites produced by these adverts. 

SecureWorks discovered a campaign that began with a Google Ads offering a fake download page for the Cisco AnyConnect Secure Mobility Client. The page was established on February 16, 2023 and was hosted on the domain “appcisco[.]com.” 

Fake Cisco VPN Installer with Bumblebee Malware
Fake Cisco VPN Installer with Bumblebee Malware (SecureWorks)

According to SecureWorks’ report: 

An infection chain that began with a malicious Google Ad sent the user to this fake download page via a compromised WordPress site.”

The fake web page advertised the “cisco-anyconnect-4_9_0195.msi,” a trojanized MSI installer that installs the BumbleBee malware. A PowerShell script with a fake name “cisco2.ps1” and a copy of the real program installer are copied to the user’s device when it is executed. 

The renamed versions of these two files are moved to the “%Temp%Package Installation Dir” folder and executed when the MSI installer is run.

Malicious Data in the Cisco AnyConnect Installer
Malicious Data in the Cisco AnyConnect Installer (SecureWorks) 

The PowerShell script includes renamed PowerSploit ReflectivePEInjection.ps1 script functionalities as well as a malware payload for the Bumblebee malware that is encoded and loaded reflectively into memory.

To avoid detection, the CiscoSetup.exe downloads and installs the AnyConnect program on the hardware as an original installer.

According to SecureWorks:

The PowerShell script contains a selection of renamed functions copied from the PowerSploit ReflectivePEInjection.ps1 script. It also contains an encoded Bumblebee malware payload that it reflectively loads into memory.

SecureWorks found that Bumblebee is still loading malware into memory via the post-exploitation framework module, undetected by antivirus software. Other computer programs with similar-sounding file matches were also discovered, including CitrixWorkspaceApp.exe and citrix.ps1, ZoomInstaller.exe and zoom.ps1, and ChatGPT.msi and chch.ps1.

Infected enterprise devices are vulnerable to ransomware attacks, as the Trojan software targets this group. In a recent SecureWorks-analysed attack, the threat actor used the compromised system to spread widely throughout the network within around three hours of the initial attack.

In the compromised system, the attackers used multiple tools, including the Cobalt Strike penetration testing suite, network scanning tools, and remote access tools like AnyDesk and DameWare. They also utilised an AD database dumper and a Kerberos credentials stealer.


Organisations can reduce the risk of these risks by ensuring that software installations and updates are obtained only from trusted and reliable websites. It is advisable to restrict a user’s ability to install software or execute scripts on their devices.

Malicious content is inserted into around one out of every 100 internet advertisements, making it difficult for businesses to manage the negative impacts of malicious advertising attacks.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology, you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks. 

Recent posts