Malware loaders commonly used by threat actors, such as BazaLoader and IcedID, are seemingly being replaced by a new loader called Bumblebee.
Bumblebee uses APC injection to start commands received from the command-and-control (C2) server, and has been observed dropping Cobalt Strike, shellcode, Sliver, and Meterpreter.
This new loader is distributed via an email campaign branded to look like it comes from DocuSign, prompting the user to download a document that is actually a malicious zipped ISO file hosted on OneDrive.
The Active Protection included in Acronis Cyber Protect Cloud detects and blocks Bumblebee and other malware loaders, while the Advanced Email Security pack prevents malicious emails from reaching users' inboxes in the first place.