Scouring the DNS for Traces of Bumblebee SEO Poisoning | WhoisXML API

Threat Reports

Scouring the DNS for Traces of Bumblebee SEO Poisoning

Not all online ads are created equal. Some could be more than just bothersome. They could be malware in disguise. Such was Bumblebee’s case, which posed as a software installer in poisoned ads.1 

Secureworks publicized 31 IoCs for the Bumblebee SEO poisoning attack in an in-depth analysis report. The WhoisXML API research team trooped to the DNS to find all potential threat vectors via an IoC expansion analysis and found:

  • 18 domains that shared some of the IoCs’ IP hosts, two of which turned out to be malicious
  • 1,900+ domains that contained the string appcisco. akin to one of the domains identified as an IoC and the strings cisco., chatgpt., zoom., and citrix. that represented the names of the software the threat actors abused, three of which turned out to be malware hosts

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads
Try our WhoisXML API for free
Get started