BumbleBee - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as BumbleBee. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.bumblebee

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BumbleBee:

There are 3 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of BumbleBee.

ID	IP address	Hostname	Campaign	Confidence
1	0.151.228.146	-	-	High
2	0.208.210.72	-	-	High
3	1.32.39.22	-	-	High
4	1.39.166.217	1-39-166-217.live.vodafone.in	-	High
5	2.50.39.29	bba-2-50-39-29.alshamil.net.ae	-	High
6	2.56.10.16	-	-	High
7	2.97.24.126	host-2-97-24-126.as13285.net	-	High
8	2.100.7.120	host-2-100-7-120.as13285.net	-	High
9	2.126.13.36	027e0d24.bb.sky.com	-	High
10	2.190.89.140	-	-	High
11	2.211.111.213	dynamic-002-211-111-213.2.211.pool.telefonica.de	-	High
12	2.240.132.127	dynamic-002-240-132-127.2.240.pool.telefonica.de	-	High
13	3.85.198.66	ec2-3-85-198-66.compute-1.amazonaws.com	-	Medium
14	3.144.143.242	ec2-3-144-143-242.us-east-2.compute.amazonaws.com	-	Medium
15	3.172.226.46	-	-	High
16	3.215.24.1	ec2-3-215-24-1.compute-1.amazonaws.com	-	Medium
17	4.13.210.199	-	-	High
18	4.165.175.212	-	-	High
19	4.177.13.86	-	-	High
20	4.236.88.115	-	-	High
21	5.45.54.50	-	-	High
22	5.53.19.66	dhcp-66-19-53-5.metrosg.ru	-	High
23	5.141.46.137	-	-	High
24	5.152.80.211	-	-	High
25	5.237.231.132	-	-	High
26	5.239.33.172	-	-	High
27	6.10.249.12	-	-	High
28	6.30.139.246	-	-	High
29	6.249.22.42	-	-	High
30	7.12.29.221	-	-	High
31	7.71.244.186	-	-	High
32	7.233.9.154	-	-	High
33	8.12.181.20	-	-	High
34	8.76.233.176	-	-	High
35	8.126.95.33	-	-	High
36	8.219.132.142	-	-	High
37	8.222.182.83	-	-	High
38	8.222.227.103	-	-	High
39	8.253.171.67	-	-	High
40	9.63.15.101	-	-	High
41	9.240.112.25	-	-	High
42	10.28.17.62	-	-	High
43	11.1.201.27	-	-	High
44	12.75.186.131	131.newark-21-23rs.nj.dial-access.att.net	-	High
45	12.115.36.174	-	-	High
46	12.153.80.238	-	-	High
47	12.194.222.34	-	-	High
48	12.202.229.195	-	-	High
49	12.236.242.155	-	-	High
50	13.2.200.200	-	-	High
51	13.218.205.215	-	-	High
52	13.234.171.104	ec2-13-234-171-104.ap-south-1.compute.amazonaws.com	-	Medium
53	14.7.69.141	-	-	High
54	14.11.77.37	M014011077037.v4.enabler.ne.jp	-	High
55	14.40.68.19	-	-	High
56	14.63.191.213	-	-	High
57	14.102.170.127	cache-ipnet01.nexlogic.ph	-	High
58	14.128.51.19	-	-	High
59	14.155.143.74	-	-	High
60	14.163.179.250	static.vnpt.vn	-	High
61	14.195.237.81	static-81.237.195.14-tataidc.co.in	-	High
62	15.209.19.148	-	-	High
63	15.248.60.137	-	-	High
64	16.86.113.88	-	-	High
65	16.249.204.133	-	-	High
66	17.29.249.188	-	-	High
67	17.147.212.14	-	-	High
68	18.8.71.243	-	-	High
69	18.127.96.221	-	-	High
70	18.141.105.98	ec2-18-141-105-98.ap-southeast-1.compute.amazonaws.com	-	Medium
71	18.151.45.13	-	-	High
72	18.210.196.217	ec2-18-210-196-217.compute-1.amazonaws.com	-	Medium
73	19.32.56.182	-	-	High
74	19.71.13.153	-	-	High
75	19.128.78.21	-	-	High
76	20.150.149.28	-	-	High
77	21.21.141.32	-	-	High
78	21.29.238.98	-	-	High
79	21.175.22.99	-	-	High
80	21.246.85.34	-	-	High
81	22.39.164.0	-	-	High
82	22.83.186.45	-	-	High
83	22.175.0.90	-	-	High
84	22.252.18.49	-	-	High
85	23.19.58.176	i58.176.lofame.net	-	High
86	23.19.58.212	-	-	High
87	23.19.58.251	-	-	High
88	23.29.115.164	23-29-115-164.static.hvvc.us	-	High
89	23.29.115.172	23-29-115-172.static.hvvc.us	-	High
90	23.81.246.17	-	-	High
91	23.81.246.22	-	-	High
92	23.81.246.171	-	-	High
93	23.81.246.187	-	-	High
94	23.81.246.205	-	-	High
95	23.82.19.119	-	-	High
96	23.82.19.208	-	-	High
97	23.82.128.11	-	-	High
98	23.82.128.116	-	-	High
99	23.82.128.127	-	-	High
100	23.82.128.149	-	-	High
101	23.82.140.14	-	-	High
102	23.82.140.100	-	-	High
103	23.82.140.133	-	-	High
104	23.82.140.155	-	-	High
105	23.82.140.180	-	-	High
106	23.82.141.11	-	-	High
107	23.82.141.184	-	-	High
108	23.82.141.185	-	-	High
109	23.83.133.1	v327.er01.dal.ubiquity.io	-	High
110	23.83.133.13	-	-	High
111	23.83.133.182	-	-	High
112	23.83.133.215	-	-	High
113	23.83.133.216	-	-	High
114	23.83.134.110	-	-	High
115	23.83.134.133	-	-	High
116	23.83.134.136	-	-	High
117	23.88.117.246	static.246.117.88.23.clients.your-server.de	-	High
118	23.106.124.23	-	-	High
119	23.106.124.154	-	-	High
120	23.106.160.33	-	-	High
121	23.106.160.39	-	-	High
122	23.106.160.40	-	-	High
123	23.106.160.52	-	-	High
124	23.106.160.82	-	-	High
125	23.106.160.112	-	-	High
126	23.106.160.117	-	-	High
127	23.106.160.120	-	-	High
128	23.106.160.137	-	-	High
129	23.106.160.141	-	-	High
130	23.106.215.45	-	-	High
131	23.106.215.60	-	-	High
132	23.106.215.82	-	-	High
133	23.106.215.123	-	-	High
134	23.106.215.133	-	-	High
135	23.106.215.141	-	-	High
136	23.106.215.165	zootech.click	-	High
137	23.106.215.225	-	-	High
138	23.106.215.230	-	-	High
139	23.106.215.233	-	-	High
140	23.106.223.1	-	-	High
141	23.106.223.14	-	-	High
142	23.106.223.130	-	-	High
143	23.106.223.144	-	-	High
144	23.106.223.182	-	-	High
145	23.106.223.197	-	-	High
146	23.106.223.209	-	-	High
147	23.106.223.219	-	-	High
148	23.106.223.222	-	-	High
149	23.108.57.5	-	-	High
150	23.108.57.13	-	-	High
151	23.108.57.29	-	-	High
152	23.108.57.57	tuks.net	-	High
153	23.108.57.59	-	-	High
154	23.108.57.65	-	-	High
155	23.108.57.66	-	-	High
156	23.108.57.79	-	-	High
157	23.108.57.87	-	-	High
158	23.108.57.161	-	-	High
159	23.108.57.200	-	-	High
160	23.108.57.201	-	-	High
161	23.108.57.250	-	-	High
162	23.136.208.76	-	-	High
163	23.227.198.195	multiatom.com	-	High
164	23.227.198.217	23-227-198-217.static.hvvc.us	-	High
165	23.227.198.241	23-227-198-241.static.hvvc.us	-	High
166	23.227.202.179	trackvous.com	-	High
167	23.227.203.120	23-227-203-120.static.hvvc.us	-	High
168	23.229.117.229	-	-	High
169	23.254.142.159	client-23-254-142-159.hostwindsdns.com	-	High
170	23.254.161.46	hwsrv-1063022.hostwindsdns.com	-	High
171	23.254.167.63	hwsrv-1063920.hostwindsdns.com	-	High
172	23.254.167.143	client-23-254-167-143.hostwindsdns.com	-	High
173	23.254.201.97	hwsrv-974106.hostwindsdns.com	-	High
174	23.254.202.59	hwsrv-987701.hostwindsdns.com	-	High
175	23.254.204.109	client-23-254-204-109.hostwindsdns.com	-	High
176	23.254.204.210	hwsrv-1046249.hostwindsdns.com	-	High
177	23.254.217.20	hwsrv-984041.hostwindsdns.com	-	High
178	23.254.217.222	hwsrv-976272.hostwindsdns.com	-	High
179	23.254.224.200	hwsrv-1001143.hostwindsdns.com	-	High
180	23.254.225.130	hwsrv-1067630.hostwindsdns.com	-	High
181	23.254.225.249	client-23-254-225-249.hostwindsdns.com	-	High
182	23.254.227.53	hwsrv-1057942.hostwindsdns.com	-	High
183	23.254.227.144	hwsrv-982332.hostwindsdns.com	-	High
184	23.254.229.131	ruth.gobuddy.info	-	High
185	23.254.229.210	tigern.throwbackdinos.com	-	High
186	23.254.247.48	hwsrv-1063028.hostwindsdns.com	-	High
187	24.4.68.32	c-24-4-68-32.hsd1.ca.comcast.net	-	High
188	24.57.185.167	d24-57-185-167.home.cgocable.net	-	High
189	24.121.25.160	24-121-25-160.sdoncmtk01.com.dyn.suddenlink.net	-	High
190	24.183.132.242	024-183-132-242.res.spectrum.com	-	High
191	25.5.198.104	-	-	High
192	25.131.252.242	-	-	High
193	25.169.42.242	-	-	High
194	25.170.215.18	-	-	High
195	25.181.64.39	-	-	High
196	26.6.83.53	-	-	High
197	27.31.180.123	-	-	High
198	28.11.143.222	-	-	High
199	28.23.200.103	-	-	High
200	28.53.120.108	-	-	High
201	28.107.38.196	-	-	High
202	28.148.236.16	-	-	High
203	28.183.174.200	-	-	High
204	29.15.120.102	-	-	High
205	29.64.0.111	-	-	High
206	29.122.243.158	-	-	High
207	29.203.98.166	-	-	High
208	30.17.4.146	-	-	High
209	30.65.48.152	-	-	High
210	30.140.193.246	-	-	High
211	30.205.76.70	-	-	High
212	30.225.24.243	-	-	High
213	31.135.71.34	-	-	High
214	31.228.253.114	-	-	High
215	31.232.16.192	-	-	High
216	32.54.188.44	-	-	High
217	32.181.245.23	-	-	High
218	33.93.97.183	-	-	High
219	33.145.184.132	-	-	High
220	33.191.119.32	-	-	High
221	34.1.180.202	-	-	High
222	34.2.221.48	-	-	High
223	34.34.152.166	166.152.34.34.bc.googleusercontent.com	-	Medium
224	34.77.116.45	45.116.77.34.bc.googleusercontent.com	-	Medium
225	34.119.95.6	6.95.119.34.bc.googleusercontent.com	-	Medium
226	34.229.154.31	ec2-34-229-154-31.compute-1.amazonaws.com	-	Medium
227	35.120.155.220	-	-	High
228	35.239.11.197	197.11.239.35.bc.googleusercontent.com	-	Medium
229	36.110.58.103	103.58.110.36.static.bjtelecom.net	-	High
230	36.150.76.13	-	-	High
231	36.201.196.202	-	-	High
232	37.1.214.72	-	-	High
233	37.1.214.229	-	-	High
234	37.28.155.36	d155036.artnet.gda.pl	-	High
235	37.28.156.24	d156024.artnet.gda.pl	-	High
236	37.28.157.29	d157029.artnet.gda.pl	-	High
237	37.42.62.77	-	-	High
238	37.64.220.2	2.220.64.37.rev.sfr.net	-	High
239	37.72.174.9	emailmail.org.uk	-	High
240	37.72.174.23	37-72-174-23.static.hvvc.us	-	High
241	37.120.198.248	-	-	High
242	37.189.74.5	bl28-74-5.dsl.telepac.pt	-	High
243	37.221.67.104	host001	-	High
244	37.221.67.122	finese	-	High
245	38.12.57.131	-	-	High
246	38.48.147.152	-	-	High
247	38.180.4.165	-	-	High
248	38.180.25.71	-	-	High
249	38.180.25.111	-	-	High
250	39.57.152.217	-	-	High
251	40.47.149.113	-	-	High
252	40.72.17.141	-	-	High
253	41.7.15.180	vc-cpt-41-7-15-180.umts.vodacom.co.za	-	High
254	41.15.71.157	vc-gp-n-41-15-71-157.umts.vodacom.co.za	-	High
255	41.28.188.77	vc-gp-s-41-28-188-77.umts.vodacom.co.za	-	High
256	41.56.181.200	-	-	High
257	41.70.42.112	-	-	High
258	42.63.100.82	-	-	High
259	42.104.196.184	-	-	High
260	42.179.23.39	-	-	High
261	43.184.255.110	-	-	High
262	44.94.75.93	-	-	High
263	44.224.48.159	ec2-44-224-48-159.us-west-2.compute.amazonaws.com	-	Medium
264	45.3.236.177	045-003-236-177.biz.spectrum.com	-	High
265	45.11.19.70	-	-	High
266	45.11.19.86	-	-	High
267	45.11.19.208	-	-	High
268	45.11.19.224	-	-	High
269	45.11.19.252	-	-	High
270	45.32.37.109	45.32.37.109.vultrusercontent.com	-	High
271	45.61.184.8	mail.oelke.tec.br	-	High
272	45.61.184.24	-	-	High
273	45.61.184.227	MiamiTorNew1.Quetzalcoatl-relays.org	-	High
274	45.61.185.65	exitrelay40.medvideos-tor.org	-	High
275	45.61.185.227	-	-	High
276	45.61.186.18	-	-	High
277	45.61.186.51	-	-	High
278	45.61.187.10	45-61-187-10.ger.priv.allsafevpn.com	-	High
279	45.61.187.40	-	-	High
280	45.61.187.123	smtp20.shbgura.xyz	-	High
281	45.61.187.160	-	-	High
282	45.61.187.170	-	-	High
283	45.61.187.204	-	-	High
284	45.61.187.225	-	-	High
285	45.66.151.59	-	-	High
286	45.66.151.142	-	-	High
287	45.66.151.150	-	-	High
288	45.66.151.151	-	-	High
289	45.66.151.155	-	-	High
290	45.66.151.193	-	-	High
291	45.66.248.61	parts861.simplestartvideos.com	-	High
292	45.66.248.64	0n3reye0i0.alyanova.com	-	High
293	45.66.248.156	-	-	High
294	45.66.248.216	spam.lastmer.xyz	-	High
295	45.67.231.123	mihome.ru	-	High
296	45.67.231.151	vm1197030.stark-industries.solutions	-	High
297	45.84.0.13	vm523902.stark-industries.solutions	-	High
298	45.84.240.87	-	-	High
299	45.132.180.49	-	-	High
300	45.138.172.22	-	-	High
301	45.138.172.246	-	-	High
302	45.140.146.30	vm542320.stark-industries.solutions	-	High
303	45.140.146.244	-	-	High
304	45.141.58.37	-	-	High
305	45.141.58.139	galorebase.com	-	High
306	45.142.214.120	vm516885.stark-industries.solutions	-	High
307	45.142.214.167	-	-	High
308	45.147.229.23	-	-	High
309	45.147.229.47	-	-	High
310	45.147.229.50	-	-	High
311	45.147.229.101	-	-	High
312	45.147.229.177	-	-	High
313	45.147.229.199	-	-	High
314	45.147.229.223	-	-	High
315	45.147.230.179	-	-	High
316	45.147.230.233	-	-	High
317	45.147.230.245	poppuworls.club	-	High
318	45.147.231.107	-	-	High
319	45.147.231.156	-	-	High
320	45.147.231.202	-	-	High
321	45.147.231.232	-	-	High
322	45.150.67.154	vm1326648.stark-industries.solutions	-	High
323	45.153.240.56	-	-	High
324	45.153.240.94	-	-	High
325	45.153.240.139	-	-	High
326	45.153.240.155	-	-	High
327	45.153.241.19	-	-	High
328	45.153.241.64	-	-	High
329	45.153.241.120	-	-	High
330	45.153.241.187	-	-	High
331	45.153.241.209	-	-	High
332	45.153.241.234	-	-	High
333	45.153.241.245	-	-	High
334	45.153.242.61	-	-	High
335	45.153.242.100	-	-	High
336	45.153.242.105	-	-	High
337	45.153.242.183	-	-	High
338	45.153.242.184	-	-	High
339	45.153.242.242	-	-	High
340	45.153.243.82	-	-	High
341	45.153.243.93	-	-	High
342	45.153.243.111	-	-	High
343	45.153.243.126	-	-	High
344	45.153.243.130	-	-	High
345	45.153.243.222	-	-	High
346	46.21.153.145	145.153.21.46.static.swiftway.net	-	High
347	46.21.153.157	157.153.21.46.static.swiftway.net	-	High
348	46.21.153.246	246.153.21.46.static.swiftway.net	-	High
349	46.44.240.53	46-44-240-53.ip.welcomeitalia.it	-	High
350	46.142.186.28	28-186-142-46.pool.kielnet.net	-	High
351	46.142.187.27	27-187-142-46.pool.kielnet.net	-	High
352	46.142.187.96	96-187-142-46.pool.kielnet.net	-	High
353	...	...	...	...

There are 1410 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by BumbleBee. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Weakness	Description	Confidence
1	T1006	CWE-21, CWE-22, CWE-23, CWE-24, CWE-29, CWE-35	Pathname Traversal	High
2	T1040	CWE-294	Authentication Bypass by Capture-replay	High
3	T1055	CWE-74	Injection	High
4	T1059	CWE-94, CWE-1321	Cross Site Scripting	High
5	T1059.007	CWE-79, CWE-80	Cross Site Scripting	High
6	T1068	CWE-250, CWE-264, CWE-266, CWE-269, CWE-284	J2EE Misconfiguration: Weak Access Permissions for EJB Methods	High
7	...	...	...	...

There are 24 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BumbleBee. This data is unique as it uses our predictive model for actor profiling.

ID	Type	Indicator	Confidence
1	File	`/academy/home/courses`	High
2	File	`/admin.php?c=upload&f=zip&_noCache=0.1683794968`	High
3	File	`/admin/adclass.php`	High
4	File	`/admin/students/view_details.php`	High
5	File	`/ajax-files/followBoard.php`	High
6	File	`/ajax.php?action=read_msg`	High
7	File	`/api/baskets/{name}`	High
8	File	`/app/search/table`	High
9	File	`/auth/callback`	High
10	File	`/authenticationendpoint/login.do`	High
11	File	`/cgi-bin/wlogin.cgi`	High
12	File	`/cgi.cgi`	Medium
13	File	`/collection/all`	High
14	File	`/Content/Template/root/reverse-shell.aspx`	High
15	File	`/ctcprotocol/Protocol`	High
16	File	`/dashboard/add-blog.php`	High
17	File	`/debug/pprof`	Medium
18	File	`/DXR.axd`	Medium
19	File	`/emap/devicePoint_addImgIco?hasSubsystem=true`	High
20	File	`/file/upload/1`	High
21	File	`/files/`	Low
22	File	`/forum/away.php`	High
23	File	`/fusion/portal/action/Link`	High
24	File	`/getcfg.php`	Medium
25	File	`/goform/setportList`	High
26	File	`/gracemedia-media-player/templates/files/ajax_controller.php`	High
27	File	`/group1/uploa`	High
28	File	`/h/autoSaveDraft`	High
29	File	`/importexport.php`	High
30	File	`/inc/parser/xhtml.php`	High
31	File	`/index.php/sysmanage/Login/login_auth/`	High
32	File	`/index.php?p=admin/actions/users/send-password-reset-email`	High
33	File	`/index.php?page=member`	High
34	File	`/jurusanmatkul/data`	High
35	File	`/log/decodmail.php`	High
36	File	`/login.php?do=login`	High
37	File	`/pf/idprofile.ping`	High
38	File	`/preview.php`	Medium
39	File	`/public/login.htm`	High
40	File	`/QueryView.php`	High
41	File	`/romfile.cfg`	Medium
42	File	`/squashfs-root/etc_ro/custom.conf`	High
43	File	`/staff/bookdetails.php`	High
44	File	`/staff/edit_book_details.php`	High
45	File	`/student/bookdetails.php`	High
46	...	...	...

There are 401 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

36 KiB Raw Blame History