A sophisticated malware campaign leveraging search engine optimization (SEO) poisoning on Microsoft Bing has emerged, delivering the notorious Bumblebee malware to unsuspecting users.
The campaign, identified in May 2025, specifically targets users searching for specialized software tools, demonstrating a concerning evolution in malware distribution tactics that exploits trusted search engine results.
Bumblebee, a downloader malware first discovered in 2022, has been linked to ransomware operations due to its developer’s connections with the Conti group.
The malware has gained notoriety for its effectiveness and has been delivered through various methods including phishing emails, malicious documents, and now SEO poisoning campaigns.
In this latest attack vector, the threat actors have built convincing clones of legitimate software download sites and manipulated Bing's ranking so that these malicious sites appear at the top of search results.
Cyjax researchers identified the campaign after discovering a series of fake download websites targeting users searching for specific software packages.
The current campaign focuses on two specialized software tools: WinMTR, an open-source network diagnostic tool, and Milestone XProtect, a video management software used for surveillance systems.
Both legitimate applications are popular within technical and security environments, suggesting a potential focus on targeting developer and IT professional systems.
The attack relies on domain typosquatting: the actors register domains that closely resemble the legitimate ones.
For instance, the legitimate domain “winmtr.net” is spoofed by “winmtr.org,” while “milestonesys.com” is mimicked by “milestonesys.org.”
Both malicious domains are hosted on the same server owned by Truehost Cloud in Nairobi, indicating a coordinated campaign by a single threat actor group.
Infection Mechanism Analysis
The infection process begins when users click download links on the spoofed websites. The malicious MSI installers, hosted on an external domain called “software-server[.]online,” are then delivered to the victim’s system.
When executed via msiexec.exe, the installer drops both the legitimate application (such as winmtr.exe) and malicious components: a legitimate-looking Windows binary called icardagt.exe and a malicious DLL named version.dll.
The execution flow, as shown in Figure 1, demonstrates how the malware maintains stealth by running the legitimate application while simultaneously loading the malicious DLL.
The icardagt.exe executable, despite using an expired certificate from January 2010, loads version.dll, which then executes the Bumblebee malware. Once activated, Bumblebee establishes connections to numerous command and control (C2) domains, all using the “.life” top-level domain (TLD).
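The side-loading chain above (a trusted-looking EXE loading version.dll from its own directory, followed by outbound connections to .life domains) gives a defender two simple telemetry checks. The following is an added detection sketch, not code from the report or from Cyjax; the event shapes loosely follow Sysmon ImageLoad/NetworkConnect fields, and every path and hostname in it is constructed for illustration.

```python
"""Detection sketch for the icardagt.exe / version.dll side-loading chain.
Event dicts are shaped after Sysmon Event ID 7 (ImageLoad) and 3 (NetworkConnect);
all paths and hostnames below are constructed, not real indicators."""
from typing import Iterable

# Directories where version.dll legitimately resides on Windows
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed telemetry sample (not from the campaign)
SAMPLE_EVENTS = [
    {"event": "ImageLoad", "image": "C:\\Windows\\System32\\svchost.exe",
     "loaded": "C:\\Windows\\System32\\version.dll"},
    {"event": "ImageLoad", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\icardagt.exe",
     "loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll"},
    {"event": "NetworkConnect", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\icardagt.exe",
     "dest_host": "example-c2.life"},  # constructed placeholder hostname
    {"event": "NetworkConnect", "image": "C:\\Program Files\\WinMTR\\winmtr.exe",
     "dest_host": "winmtr.net"},
]

def sideloaded_version_dll(ev: dict) -> bool:
    """True when version.dll is loaded from outside the Windows system directories.
    A copy sitting next to the EXE is the classic DLL side-loading pattern."""
    if ev.get("event") != "ImageLoad":
        return False
    loaded = ev["loaded"].lower()
    if not loaded.endswith("\\version.dll"):
        return False
    return not loaded.startswith(SYSTEM_DIRS)

def suspicious_tld_connect(ev: dict, tlds=(".life",)) -> bool:
    """True for an outbound connection whose destination ends in a watched TLD."""
    return ev.get("event") == "NetworkConnect" and ev["dest_host"].lower().endswith(tlds)

def triage(events: Iterable[dict]) -> list[str]:
    """Return one finding per suspicious event, preserving event order."""
    findings = []
    for ev in events:
        if sideloaded_version_dll(ev):
            findings.append(f"SIDELOAD {ev['image']} -> {ev['loaded']}")
        elif suspicious_tld_connect(ev):
            findings.append(f"C2-TLD {ev['image']} -> {ev['dest_host']}")
    return findings

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

In real telemetry, correlate the two checks on the same process to cut false positives from legitimate software that ships its own version.dll.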
This campaign represents a significant shift from previous Bumblebee SEO poisoning efforts that targeted more widely recognized software like Zoom, Cisco AnyConnect, and ChatGPT installers.
The pivot to more obscure technical tools suggests an intentional targeting of environments where users may have elevated privileges, creating ideal conditions for further network compromise or information theft.