Bumblebee malware infects victims via fake Zoom, Cisco and ChatGPT software installers
Cybersecurity researchers say they’ve observed a sophisticated malware variant hitching a ride on fake online advertisements for well-known programs like ChatGPT, Zoom, and Citrix.
Researchers at cybersecurity firm Secureworks said Bumblebee malware has been spreading thanks to consumers — often remote workers — who are interested in installing popular software on their devices.
In one incident the researchers examined, a malicious Google advertisement sent users to a hacked WordPress site, which then redirected users to a fake download page that mimicked a Cisco program. Users who attempted to download the program could find their devices infected with Bumblebee — a “highly sophisticated malware” that is usually distributed via phishing emails, according to cybersecurity firm Avertium.
Similar schemes attempted to spread Bumblebee malware through fake Zoom, ChatGPT, and Citrix installers, the researchers said.
Bumblebee malware was first detected in 2021 by Google’s Threat Analysis Group and is linked to several threat actors and high-profile ransomware operations, including Quantum and MountLocker.
Bumblebee has also been deployed by the Exotic Lily threat actor — a financially motivated group that often makes use of ransomware variants like Diavol and Conti. Google believes the group may be working with the Russian cyber gang known as FIN12.
To mitigate this and similar threats, Secureworks recommends that organizations download software installers and updates only from known and trusted websites.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.