Worm:Win32/Beebone (also known as AAHMBot) is a highly sophisticated, polymorphic trojan downloader and worm that functions as a highly resilient botnet, famously utilized in tandem with the Vobfus worm to create an unstoppable infection cycle.
Understanding Beebone
To the victim, Beebone is invisible, but it rapidly degrades network performance. For threat intelligence analysts, Beebone represents a masterclass in resilience and botnet architecture. It does not steal data directly; its sole purpose is to maintain an unbreakable foothold on the endpoint and act as a reliable delivery mechanism for other severe malware families (like ZeuS, Cryptolocker, or ZeroAccess).
Execution and Evasion Strategies
Beebone was famously partnered with the Vobfus worm. Vobfus would spread via USB drives and network shares, and its primary payload was to download Beebone. Beebone, in turn, would download updated variants of Vobfus. If AV deleted one, the other immediately downloaded a fresh, cryptographically distinct copy of its partner. Beebone is heavily polymorphic, repacking itself constantly. It establishes deep persistence, disables Windows Defender, and utilizes a complex, multi-tiered C2 infrastructure (often employing DGA - Domain Generation Algorithms) to ensure it can always receive commands.
Indicators of Compromise & Impact
The impact of Beebone is a fully compromised endpoint acting as a staging ground for the worst malware on the internet. Threat hunters will observe a massive volume of outbound DNS queries for pseudo-random, highly entropic domain names (DGA traffic). The presence of randomly named, highly obfuscated executables constantly reappearing in the %AppData% directory, even after deletion, is the classic Beebone/Vobfus signature.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Command and Control |
T1105 | Ingress Tool Transfer | Command and Control |
T1027.002 | Obfuscated Files or Information: Software Packing | Defense Evasion |
T1091 | Replication Through Removable Media | Lateral Movement |
T1562.001 | Impair Defenses: Disable or Modify Tools | Defense Evasion |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_BEEBONE {
meta:
description = "Detects Beebone (worm)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "beebone" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Beebone Activity
id: ce380fb913dacd0caa041073992913b3
status: experimental
description: Detects generic indicators of the beebone malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*beebone*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/beebone.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.