In this episode, we break down the resurgence of the Bumblebee malware loader and its latest distribution method: blackhat SEO campaigns and trojanized software installers. By mimicking legitimate download pages through typosquatted domains and poisoning Bing search results, attackers are tricking IT professionals into unknowingly infecting their own networks.

We explore how malware is being embedded into fake versions of tools like Milestone XProtect, RVTools, WinMTR, and Zenmap—critical software often run with administrative privileges. Once executed, these installers silently load Bumblebee, enabling attackers to deploy ransomware, infostealers, or Cobalt Strike payloads.

You’ll also hear about:

• Why Bumblebee’s return fills the gap left by QBot’s takedown
• The anatomy of the campaign’s DLL side-loading and use of legitimate Windows binaries
• Real-world indicators of compromise (IoCs) and typosquatted domains to watch out for
• How a DDoS attack on the real RVTools website added to the confusion
• What security teams must do now to mitigate and respond

If your IT department uses any of the targeted tools, don’t miss this urgent discussion on one of the most deceptive malware delivery strategies we’ve seen this year.