We've observed a #BumbleBee malspam campaign using Cisco AnyConnect as a lure.
The malspam contains a PDF with a link to a fake AnyConnect installer. Once downloaded and executed, the payload will open Cisco AnyConnect on the Microsoft App Store to mask the BumbleBee infection.
The BumbleBee payload comes with a DGA of 300 .live domains. Active #botnet C2s:
45urhm0ldgxb .live (149.154.153.2 - EDIS-AS-EU, AT)
gx6xly9rp6vl .live (45.155.37.158 - SHOCK-1, US)
bw59chpi635u .live (79.132.130.23 - SERVINGA, DE)
peck4grakjq3 .live (45.83.20.213 - STARK-INDUSTRIES, GB)
7mhh5gky493r .live (46.249.38.179 - SERVERIUS-AS, NL)
Payload delivery URLs:
https://urlhaus.abuse.ch/host/95.164.90.189/
BumbleBee payload:
https://bazaar.abuse.ch/sample/b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8/