Threat Actor

Bumblebee Operators / EXOTIC LILY

bumblebee_exotic_lily · russia_speaking_organized_cybercrime · active since 2021-09

Bumblebee Operators / EXOTIC LILY (canonical Google TAG naming EXOTIC LILY; Microsoft DEV-0413; MITRE Group G1011; Mandiant UNC3753 partial overlap; malware-family-based industry naming "Bumblebee Operators" derived from the signature custom loader's distinctive 'bumblebee' user-agent string in C2 traffic) is a financially motivated, Russia-speaking organized cyber-criminal initial-access-broker (IAB) cluster, publicly active since September 2021. It is one of the few publicly attributed clusters explicitly operating under the initial-access-broker specialization model and with documented custom-loader-development capability.

Its operational signature is human-operated identity spoofing at scale: lookalike domains, fake email accounts impersonating employees of legitimate businesses, business-proposal-themed social-engineering messages that build trust over multi-message conversation threads, and payload delivery through the built-in email-notification features of legitimate file-sharing services (TransferXL, WeTransfer).

The cluster's emergence event was the September 2021 exploitation of CVE-2021-40444, a Microsoft Windows MSHTML zero-day, at a peak scale of 5,000+ phishing emails per day to ~650 organizations globally.

It subsequently pivoted to BazarLoader distribution (October 2021 to early 2022), confirming an operational relationship with the Wizard Spider / Conti ecosystem, then introduced the custom Bumblebee loader (March 2022), which became one of the operationally significant Russia-speaking organized-cybercrime loader families of the 2022-2025 era.

Google TAG documented operational hours consistent with operators working 09:00-17:00 EST on weekdays with little weekend activity, a Central/Eastern European time-zone pattern.

The primary downstream customer relationship was Wizard Spider, for Conti and Diavol ransomware operations (2021-2022); after the Conti shutdown the cluster diversified to BlackCat/ALPHV, Black Basta, Quantum Locker, and broader post-Conti-ecosystem affiliate operations (2022-2025).

This entry fills the modern initial-access-broker cell in the curated corpus, complementing the broader Tier-2.5 loader-as-a-service coverage (qakbot_operators, emotet_operators, icedid_operators).

russia_speaking_organized_cybercrime · confidence: high · 14 aliases · MITRE ATT&CK G1011

Profile

Bumblebee Operators / EXOTIC LILY (canonical Google Threat Analysis Group naming EXOTIC LILY; Microsoft DEV-0413; Mandiant UNC3753 partial overlap; MITRE Group G1011; malware-family-based industry naming "Bumblebee Operators" derived from the signature custom loader's distinctive 'bumblebee' user-agent string in C2 traffic) is a financially motivated, Russia-speaking organized cyber-criminal initial-access-broker (IAB) cluster, publicly active since September 2021. The cluster is significant as one of the few publicly attributed clusters explicitly operating under the initial-access-broker specialization model and with documented custom-loader-development capability, which distinguishes EXOTIC LILY both from typical IAB operators that rely on commodity tooling and from ransomware-as-a-service operations themselves.

The cluster's operational signature is human-operated identity spoofing at scale. It creates lookalike domains impersonating legitimate businesses and fake email accounts that appear to belong to employees of those businesses, then uses the spoofed identities to engage targeted organizations with business-proposal-themed social-engineering messages designed to build trust before delivering a malicious payload. Phishing payloads are delivered via legitimate file-sharing services (TransferXL, WeTransfer, OneDrive) using the services' built-in email-notification feature. This tradecraft makes the malicious-link email originate from the file-sharing service's actual email address rather than from attacker-controlled mail infrastructure, which substantially improves social-engineering effectiveness against targeted recipients: sender reputation, SPF/DKIM alignment and user familiarity all favour the legitimate service.

Operational phases of the cluster's longitudinal history:

(1) MSHTML CVE-2021-40444 ZERO-DAY EXPLOITATION ERA (September 2021). Google TAG first observed the cluster exploiting CVE-2021-40444, a then-zero-day vulnerability in the Microsoft Windows MSHTML platform, via widespread phishing campaigns sending business-proposal-themed emails at a peak scale of over 5,000 emails per day to approximately 650 targeted organizations globally. The September 2021 zero-day exploitation was the cluster's emergence event and immediately distinguished EXOTIC LILY from typical financially motivated organized cyber-criminal clusters, since zero-day acquisition capability is typically associated with state-aligned threat actors. The cluster's CVE-2021-40444 access appears to have been acquired from a shared zero-day source: Microsoft, tracking the activity under DEV-0413, documented multiple actors exploiting CVE-2021-40444 simultaneously. EXOTIC LILY's consistent use of the zero-day across 5,000+ emails per day nevertheless demonstrates significant operational investment.

(2) BAZARLOADER DISTRIBUTION ERA (October 2021 - Early 2022). Following the September 2021 zero-day operations, EXOTIC LILY pivoted to distributing BazarLoader via ISO files containing weaponized DLLs and LNK shortcuts. The BazarLoader pattern confirmed EXOTIC LILY's operational relationship with the broader Wizard Spider / TrickBot / Conti ecosystem; Google TAG noted that "the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike profile (described by RiskIQ) further confirms the existence of a relationship between EXOTIC LILY and actions of a Russian cyber crime group tracked as WIZARD SPIDER."

(3) BUMBLEBEE CUSTOM LOADER ERA (March 2022 - Present). In March 2022, EXOTIC LILY began deploying a custom-built loader, subsequently named Bumblebee by Google TAG researchers after the loader's distinctive 'bumblebee' user-agent string in C2 traffic. Bumblebee marked a significant tradecraft maturation: custom-built by or for EXOTIC LILY, it used WMI to collect target system information (OS version, username, domain name) and exfiltrate that data in JSON format to command-and-control servers, and it supported shellcode execution and dropping additional payloads (primarily Cobalt Strike Beacon). Bumblebee was distributed via ISO files containing the Bumblebee DLL and an LNK shortcut that executed it. The Bumblebee era established EXOTIC LILY as one of the few publicly attributed IAB clusters with demonstrated custom-loader-development capability.

(4) BUMBLEBEE PROLIFERATION ACROSS MULTIPLE DISTRIBUTION AFFILIATES (April 2022 - 2023). Following Bumblebee's March 2022 emergence, the loader was observed in use by additional distribution affiliates beyond EXOTIC LILY itself; industry tracking observed Bumblebee deployed alongside BazarLoader, TrickBot, and IcedID distributor operations. This proliferation extended the loader's reach beyond EXOTIC LILY's direct operations.

(5) POST-CONTI DIVERSIFICATION AND CONTINUED OPERATIONS (Mid-2022 - Present). Following Conti's operational shutdown in mid-2022 (the dissolution that followed the Conti Leaks), EXOTIC LILY's downstream ransomware-customer relationships diversified across multiple successor ransomware-as-a-service operations, including Quantum Locker, BlackCat / ALPHV, Black Basta, and broader post-Conti-ecosystem affiliate operations. Continued operational tempo through 2024-2025 demonstrates sustained viability across approximately 4+ years of tracked operations.
Signature operational tradecraft includes:
  • Human-operated 9-to-5 weekday pattern: Google TAG documented the cluster's operational hours as consistent with operators working from 09:00 AM to 05:00 PM EST on weekdays with very little activity at weekends, consistent with Central/Eastern European time-zone operations (one of the strongest attribution indicators).
  • Identity spoofing at scale: lookalike domain creation, fake email accounts impersonating employees of legitimate businesses, and business-proposal-themed social-engineering messages designed to build trust over multi-message conversation threads before a malicious payload is delivered.
  • Legitimate file-sharing service abuse for payload delivery: TransferXL, WeTransfer, OneDrive, and similar services used via their built-in email-notification features, so that phishing emails originate from the legitimate service rather than from attacker infrastructure, substantially improving recipient trust.
  • Custom Bumblebee loader (in-house developed): the signature operational asset, demonstrating capability investment beyond the commodity tooling typical IABs rely on.
  • ISO + LNK + DLL distribution format: the signature post-March-2022 distribution format, using ISO container files to evade Microsoft Mark-of-the-Web (MOTW) protections (at the time, ISO files did not propagate MOTW to their extracted contents, so the enclosed LNK and DLL were not subject to the warnings and restrictions applied to files downloaded from the internet).
  • Cobalt Strike Beacon delivery: the primary post-compromise framework delivered via Bumblebee, with a cluster-distinctive Cobalt Strike profile (documented by RiskIQ) providing an additional attribution signal.
  • 5,000+ emails per day peak scale targeting ~650 organizations globally: a signature scale among IAB clusters, demonstrating sustained investment in phishing-distribution capability.
  • Initial-access-broker specialization: the cluster operates specifically as a paid service provider to downstream ransomware-affiliate customers (the primary customer relationship being Wizard Spider / Conti / Diavol), which distinguishes it from ransomware-as-a-service operations and from broader organized-cybercrime clusters that maintain in-house initial-access capability.

The cluster is one of the best publicly documented examples of the initial-access-broker specialization model within the modern Russia-speaking organized-cybercrime ecosystem. Google TAG researchers characterized initial-access brokers as "the opportunistic locksmiths of the security world, and it's a full-time job", establishing the IAB cluster category as a distinct analytical tier within that ecosystem and complementing the broader loader-as-a-service coverage in this curated corpus (qakbot_operators.yaml, emotet_operators.yaml, icedid_operators.yaml). The Bumblebee custom loader is one of the operationally significant Russia-speaking organized-cybercrime loader families of the 2022-2025 era. The cluster fills the modern initial-access-broker cell in this curated corpus, providing analytical coverage of the IAB specialization layer of the broader organized-cybercrime ecosystem.
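As an added defensive example (not code from the page's sources or from any vendor), the following Python sketch turns two of the tradecraft points above into checks over constructed telemetry: a rundll32 launch from Explorer that loads a DLL from a non-system drive letter (the mounted-ISO-plus-LNK pattern) and an HTTP request whose User-Agent is the bare 'bumblebee' string. The drive letter, file names, DLL export name, IP addresses and log lines are all constructed assumptions, not indicators from the page.

```python
import re

# Constructed sample telemetry (not real logs). Sysmon-style process events
# and Apache-style proxy lines; drive E: stands in for a user-mounted ISO.
PROCESS_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe E:\invoice.dll,Start"},   # hypothetical export name
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
PROXY_LINES = [
    '10.0.0.5 - - [01/Apr/2022:10:14:02 +0000] "POST /gate HTTP/1.1" 200 512 "-" "bumblebee"',
    '10.0.0.7 - - [01/Apr/2022:10:15:11 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

SYSTEM_DRIVE = "C:"
DLL_ARG = re.compile(r"([A-Za-z]:\\[^\s,]+\.dll)", re.IGNORECASE)
UA_FIELD = re.compile(r'"([^"]*)"\s*$')   # last quoted field = User-Agent


def suspicious_rundll32(event):
    """True when Explorer (i.e. a double-clicked LNK) spawns rundll32 loading a
    DLL that lives on a drive letter other than the system drive, as happens
    when a user mounts a phishing ISO and runs the bundled shortcut."""
    if not event["image"].lower().endswith("rundll32.exe"):
        return False
    if not event["parent"].lower().endswith("explorer.exe"):
        return False
    m = DLL_ARG.search(event["cmdline"])
    return bool(m) and not m.group(1).upper().startswith(SYSTEM_DRIVE)


def bumblebee_user_agent(line):
    """True when the trailing User-Agent field is exactly 'bumblebee'."""
    m = UA_FIELD.search(line)
    return bool(m) and m.group(1).strip().lower() == "bumblebee"


def scan(process_events=PROCESS_EVENTS, proxy_lines=PROXY_LINES):
    """Return (detection_name, detail) tuples for every hit in the inputs."""
    hits = []
    for e in process_events:
        if suspicious_rundll32(e):
            hits.append(("iso_lnk_dll", e["cmdline"]))
    for line in proxy_lines:
        if bumblebee_user_agent(line):
            hits.append(("bumblebee_ua", line.split()[0]))
    return hits


if __name__ == "__main__":
    for name, detail in scan():
        print(name, detail)
```

The drive-letter heuristic will also fire on legitimate DLLs run from USB media, so in production pair it with the mount event (ImageLoad of an .iso or a new volume from the user's Downloads folder) before alerting.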

Aliases

14 aliases: exotic lily, exotic-lily, exoticlily, dev-0413, dev0413, unc3753, unc-3753, g1011, bumblebee, bumblebee_loader, bumble bee, bumblebee_operators, bumblebee operators, water curupira

Notable Campaigns

9 campaigns
  • 2024-2025: Continued Bumblebee Operations and Industry Tracking (2024-Present)
  • 2022-2023: Bumblebee Proliferation Across Multiple Distribution Affiliates (April 2022 - 2023)
  • 2022-2023: Bumblebee Active Directory Compromise Operational Pattern (Mid-2022 Onward)
  • 2022-2023: Post-Conti Operational Diversification (Mid-2022 Onward)
  • 2022: Bumblebee Custom Loader Operational Emergence (March 2022)
  • 2022: Google Threat Analysis Group Canonical EXOTIC LILY Disclosure (March 17, 2022)
  • 2021-present: Identity Spoofing + Domain Spoofing Signature Tradecraft (2021-Present)
  • 2021-2022: BazarLoader Distribution Operational Era (October 2021 - Early 2022)
  • 2021: EXOTIC LILY Operational Emergence, MSHTML CVE-2021-40444 Zero-Day Exploitation (September 2021)

Attribution & Reporting

Attributed by: Google Threat Analysis Group (TAG), Microsoft Threat Intelligence Center, Mandiant, Google Cloud Threat Intelligence, CrowdStrike, Proofpoint, Cybereason, SecureWorks Counter Threat Unit, Cisco Talos, Trend Micro, Symantec / Broadcom Threat Hunter Team, SentinelOne, Check Point Research, Recorded Future Insikt Group, EclecticIQ Threat Research, RiskIQ (Microsoft), Bank Info Security, Aspire Technology Solutions, NetWitness, US FBI

Key reporting
  • Google Threat Analysis Group (TAG), Vlad Stolyarov and Benoit Sevens: Exposing Initial Access Broker Ties With Ransomware Actors (March 17, 2022), canonical EXOTIC LILY first-disclosure publication
  • Cybereason, Meroujan Antonyan and Alon Laufer: Threat Analysis Report, Bumblebee Loader Compromise Operations (August 2022)
  • Proofpoint: Bumblebee Is Still Transforming Flowers Into Honey (multiple campaign analyses)
  • Proofpoint: This Isn't Optimus Prime's Bumblebee but It's Still Transforming (April 2022), canonical Proofpoint Bumblebee disclosure
  • Cisco Talos: Bumblebee Loader Technical Analysis
  • Elastic Security Labs: The Bumblebee Malware Loader (detailed technical analysis)
  • SentinelOne: Bumblebee Coordinated Loader Operations Analysis
  • RiskIQ (Microsoft): EXOTIC LILY Cobalt Strike Profile Unique-Identifier Analysis
  • Mandiant: UNC3753 Operational Tracking (Bumblebee distribution affiliate; tracking continued after the Google acquisition)
  • Microsoft Threat Intelligence: DEV-0413 / Storm-* Tracking (EXOTIC LILY adjacent)
  • Symantec / Broadcom Threat Hunter Team: Bumblebee Continued Tracking
  • Trend Micro: Water Curupira + Bumblebee Adjacent Tracking
  • CrowdStrike: EXOTIC LILY + Wizard Spider Relationship Documentation
  • SecureWorks Counter Threat Unit: Bumblebee Operational Profile
  • Check Point Research: Bumblebee Evolution Continued Tracking
  • Recorded Future Insikt Group: EXOTIC LILY Operational Tracking
  • EclecticIQ Threat Research: Bumblebee Threat Analysis
  • Aspire Technology Solutions: Bumblebee Malware Loader Threat Analysis
  • MITRE ATT&CK Group G1011, Exotic Lily
  • Malpedia Malware Profile: Win.Bumblebee
  • Malpedia Actor Profile: Exotic Lily

Operational

State sponsor

Russia-speaking organized cyber-criminal initial-access-broker cluster, financially motivated. Google's Threat Analysis Group (TAG), which provided the canonical disclosure of the cluster in March 2022, assessed the cluster's operational hours as consistent with operators working "from 09:00 AM to 05:00 PM EST during weekdays" with "very little activity during the weekends," and assessed the operating time zone as "likely from a Central or Eastern European time zone", consistent with operators based in Russia or adjacent Russia-speaking Eastern European jurisdictions. No formal government attribution to a specific state actor has been asserted, and the cluster has not been linked to state intelligence services.

EXOTIC LILY operates specifically as an initial-access broker (IAB): a financially motivated organized-cybercrime cluster specialized in obtaining an initial foothold in target organizations through phishing operations and then selling that access to downstream threat-actor customers (primarily ransomware-as-a-service affiliate operators). This specialization distinguishes EXOTIC LILY from ransomware-as-a-service operations themselves and from the broader Russia-speaking organized-cybercrime ecosystem. Google TAG documented "the existence of a relationship between EXOTIC LILY and actions of a Russian cyber crime group tracked as WIZARD SPIDER" (CrowdStrike naming) / FIN12 (Mandiant naming), the same Russia-speaking organized-cybercrime operator umbrella behind Conti, Ryuk, and earlier TrickBot operations. EXOTIC LILY provided initial access to Wizard Spider for downstream Conti and Diavol ransomware deployments. Google TAG noted that EXOTIC LILY "seems to operate as a separate entity" from Conti / Wizard Spider despite the relationship, consistent with the broader ecosystem pattern of specialized service-provider relationships (an initial-access-broker cluster and a ransomware-as-a-service cluster operating in a coordinated service-provider chain). The cluster's signature Bumblebee custom loader is the malware-family naming basis for industry references to "Bumblebee operators", meaning the same EXOTIC LILY cluster, although Bumblebee was subsequently observed in use by additional distribution affiliates beyond EXOTIC LILY itself.

Motivations
initial_access_brokerage, financial_gain_via_access_resale, phishing_as_a_service_operations, data_exfiltration_for_extortion, establishment_of_corporate_network_footholds

Detection Blind Spots

60 mapped techniques. For each detection layer, the share of this actor's mapped techniques it covers; low values are where you would be blind if this actor targeted you.
  • Behavioral / log (Sigma): 59/60 (98%)
  • Analytics (MITRE CAR): 33/60 (55%)
  • Runtime / container (Falco): 6/60 (10%)
  • File / malware (YARA): 0/60 (0%)
  • Network (Suricata/Snort): 14/60 (23%)
  • Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan

30 techniques. Runnable Atomic Red Team tests covering this actor's mapped techniques, for validating your detections against this specific adversary; cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

2 mapped. Other tooling / TTPs (curation, not ATT&CK-mapped): Meterpreter, SharpHound
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin