Beebone

Category: worm · Aliases: None known · Sample count (EMBER 2018): 151 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Worm:Win32/Beebone (also known as AAHMBot) is a highly sophisticated, polymorphic trojan downloader and worm that functions as a highly resilient botnet, famously utilized in tandem with the Vobfus worm to create an unstoppable infection cycle.

Understanding Beebone
To the victim, Beebone is invisible, but it rapidly degrades network performance. For threat intelligence analysts, Beebone represents a masterclass in resilience and botnet architecture. It does not steal data directly; its sole purpose is to maintain an unbreakable foothold on the endpoint and act as a reliable delivery mechanism for other severe malware families (like ZeuS, Cryptolocker, or ZeroAccess).

Execution and Evasion Strategies
Beebone was famously partnered with the Vobfus worm. Vobfus would spread via USB drives and network shares, and its primary payload was to download Beebone. Beebone, in turn, would download updated variants of Vobfus. If AV deleted one, the other immediately downloaded a fresh, cryptographically distinct copy of its partner. Beebone is heavily polymorphic, repacking itself constantly. It establishes deep persistence, disables Windows Defender, and utilizes a complex, multi-tiered C2 infrastructure (often employing DGA - Domain Generation Algorithms) to ensure it can always receive commands.

Indicators of Compromise & Impact
The impact of Beebone is a fully compromised endpoint acting as a staging ground for the worst malware on the internet. Threat hunters will observe a massive volume of outbound DNS queries for pseudo-random, highly entropic domain names (DGA traffic). The presence of randomly named, highly obfuscated executables constantly reappearing in the %AppData% directory, even after deletion, is the classic Beebone/Vobfus signature.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1568.002Dynamic Resolution: Domain Generation AlgorithmsCommand and Control
T1105Ingress Tool TransferCommand and Control
T1027.002Obfuscated Files or Information: Software PackingDefense Evasion
T1091Replication Through Removable MediaLateral Movement
T1562.001Impair Defenses: Disable or Modify ToolsDefense Evasion

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_BEEBONE {
    meta:
        description = "Detects Beebone (worm)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "beebone" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Beebone Activity
id: ce380fb913dacd0caa041073992913b3
status: experimental
description: Detects generic indicators of the beebone malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*beebone*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate the endpoint immediately; Beebone's presence guarantees that secondary payloads (like ransomware or banking trojans) are actively downloading.
  2. Sinkhole the identified DGA domains at the corporate firewall to sever Beebone's ability to receive updated payloads or commands.
  3. Do not attempt manual file deletion; the Beebone/Vobfus symbiotic relationship will instantly restore the deleted files.
  4. Given the extreme resilience and polymorphic nature of the threat, performing a clean OS rebuild is the only guaranteed method of eradication.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not assume the endpoint is clean if your AV quarantines a single Beebone executable; the partner worm (Vobfus) is likely still active.
  2. Avoid plugging any USB drives into the infected machine, as the associated Vobfus worm will immediately infect them.

References & External Analysis

Related Families (Category: worm)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/beebone.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.