Vobfus (also known as Beebone) is a Windows worm. As documented by Malpedia (Fraunhofer FKIE), it searches for computers on a network and creates copies of itself in folders with open access; for the malware to activate, a user must first run it on the computer. Vobfus is written in the Visual Basic programming language and uses code obfuscation, which is a distinguishing feature of the family. This obfuscation complicates attempts by anti-virus software to analyze the malware. The Beebone botnet associated with Vobfus was the subject of a coordinated takedown.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1091 T1036.005 T1105 T1547.001 T1083
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_VOBFUS {
meta:
description = "Detects Vobfus (worm)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "vobfus" ascii wide nocase
$s2 = "win32.vobfus" ascii wide nocase
$s3 = "vobfus.a" ascii wide nocase
$s4 = "vobfus.b" ascii wide nocase
$s5 = "worm.vobfus" ascii wide nocase
$s6 = "bfus" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Vobfus Activity
id: 513e5152eff74b716e9bc33f02963458
status: experimental
description: Detects generic indicators of the vobfus malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*vobfus*"
- "*win32.vobfus*"
- "*vobfus.a*"
- "*vobfus.b*"
- "*worm.vobfus*"
- "*bfus*"
condition: selection
level: mediumVobfus, also known as Beebone, is a Windows worm. According to Malpedia, it spreads by searching for computers on a network and copying itself into folders with open access, allowing it to propagate to other machines and drives.
Per Malpedia, Vobfus searches for computers on a network and creates copies of itself in folders with open access. For the malware to be activated, a user must first run the copied file on the computer, so it relies on a user executing the dropped copy.
Malpedia notes that Vobfus is written in Visual Basic and uses code obfuscation, which is a distinguishing feature of the family. This obfuscation is designed to complicate attempts by anti-virus software to analyze the malware.
Beebone is another name for the Vobfus family. The Beebone botnet built on this malware was the subject of a coordinated takedown effort, as referenced in the Malpedia entry's cited reporting.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/vobfus.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.