Blog | G5 Cyber Security

BumbleBee Opens Exchange Servers in xHunt Spy Campaign

The BumbleBee web shell allows APT attackers to upload and download files and to move laterally by running commands. Palo Alto Networks’ Unit 42 says the attackers used VPN access to communicate directly with the web shell, frequently switching between VPN servers in different countries. The firm also found that the attackers used SSH tunnels, created with the PuTTY Link (Plink) tool, to interact with the web shell. The attack is part of an ongoing xHunt espionage campaign that has targeted Microsoft Exchange servers at Kuwaiti organizations.

Source: https://threatpost.com/bumblebee-exchange-servers-xhunt-spy/162973/
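
One way to hunt for the Plink-built SSH tunnels mentioned above is to look for port-forwarding arguments in process-creation telemetry. The Python below is an added example, not code from Unit 42 or the source article; the event fields, host names, paths and addresses are constructed, and matching on argument shape instead of file name is an assumption made here so that renamed binaries are also caught.

```python
import ntpath
import re
import shlex

# -L/-R take [listen-addr:]listen-port:dest-host:dest-port; -D takes [listen-addr:]port
FORWARD_SPEC = re.compile(r"^(?:[^:\s]+:)?\d{1,5}:[^:\s]+:\d{1,5}$")
DYNAMIC_SPEC = re.compile(r"^(?:[^:\s]+:)?\d{1,5}$")
KINDS = {"-L": "local", "-R": "remote", "-D": "dynamic"}

# Constructed process-creation events (hosts, paths and addresses are made up).
SAMPLE_EVENTS = [
    {"host": "EXCH01", "command_line":
     r'"C:\Program Files\PuTTY\plink.exe" -ssh -N -R 8443:127.0.0.1:443 user@198.51.100.7'},
    {"host": "EXCH01", "command_line":
     r"C:\Windows\Temp\svc.exe -batch -L 8080:10.0.0.12:80 user@203.0.113.9"},
    {"host": "ADMIN02", "command_line": r"plink.exe -batch backup@10.0.0.5 uptime"},
    {"host": "ADMIN02", "command_line": r"curl.exe -L https://example.com/file"},
]

def tokenize(command_line):
    """Split a Windows command line, keeping quoted paths together."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quote: fall back to a whitespace split
        parts = command_line.split()
    return [p.strip('"') for p in parts]

def find_ssh_tunnels(events):
    """Return events whose arguments request SSH port forwarding."""
    findings = []
    for ev in events:
        tokens = tokenize(ev["command_line"])
        if not tokens:
            continue
        image = ntpath.basename(tokens[0]).lower()
        forwards = []
        # Pair each token with the one after it: flag followed by its value.
        for flag, value in zip(tokens[1:], tokens[2:]):
            spec = DYNAMIC_SPEC if flag == "-D" else FORWARD_SPEC
            if flag in KINDS and spec.match(value):
                forwards.append((KINDS[flag], value))
        if forwards:
            findings.append({"host": ev["host"], "image": image,
                             "named_plink": image in ("plink", "plink.exe"),
                             "forwards": forwards})
    return findings

if __name__ == "__main__":
    for finding in find_ssh_tunnels(SAMPLE_EVENTS):
        print(finding)
```

A hit with `named_plink` set to false deserves the same attention as one with it set to true, since the forwarding arguments are what indicate a tunnel; legitimate administrative tunnels will also match and need to be baselined.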
