Full Report
## Overview
Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023, the malware was first reported using SEO poisoning as a delivery mechanism. More recently, in May 2025, Cyjax reported on a campaign using this method again, impersonating various IT tools. We observed a similar campaign in […] The post Flash Alert: From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira appeared first on The DFIR Report.
Analysis Summary
# Incident Report: Bumblebee and AdaptixC2 Delivery of Akira Ransomware
## Executive Summary
In July 2025, a threat actor successfully compromised an organization by leveraging SEO poisoning to distribute Bumblebee malware via a trojanized "ManageEngine OpManager" installer. The intrusion escalated from initial access to a full-scale network compromise involving AdaptixC2, credential harvesting from a domain controller, and data exfiltration. The incident culminated in the deployment of Akira ransomware across the environment.
## Incident Details
- **Discovery Date:** July 2025
- **Incident Date:** July 2025
- **Affected Organization:** Not disclosed
- **Sector:** Technology/IT Management (Targeted via IT tool impersonation)
- **Geography:** Global (SEO poisoning delivery)
## Timeline of Events
### Initial Access
- **Date/Time:** July 2025
- **Vector:** SEO Poisoning / Malicious Advertising (Bing Search)
- **Details:** A user searched for "ManageEngine OpManager" and was directed to a malicious site (`opmanager[.]pro`). The user downloaded and executed a trojanized MSI installer (`ManageEngine-OpManager.msi`) which dropped the Bumblebee malware loader.
### Lateral Movement
- **Details:** After establishing a foothold via Bumblebee, the attackers deployed AdaptixC2 for follow-on command and control. They used valid credentials and administrative tools to move laterally from the initial workstation to a Domain Controller.
### Data Exfiltration/Impact
- **Details:** The threat actor performed internal reconnaissance and identified sensitive data. Data was staged and exfiltrated to a remote server (`185.174.100[.]203`) via SFTP before the final ransomware deployment.
### Detection & Response
- **Detection:** Discovered via endpoint alerts and subsequent ransomware note.
- **Response:** Forensic analysis by The DFIR Report; identification of C2 infrastructure and malicious binaries.
## Attack Methodology
- **Initial Access:** SEO Poisoning/Drive-by Download of trojanized IT software.
- **Persistence:** Installation of remote access tools and AdaptixC2 agents.
- **Privilege Escalation:** Credential dumping from memory and registry on high-value targets.
- **Defense Evasion:** Use of DLL side-loading (`msimg32.dll`) and living-off-the-land binaries (LoLBins).
- **Credential Access:** Dumping NTDS.dit and LSA secrets from the Domain Controller.
- **Discovery:** Use of tools like Advanced IP Scanner (often trojanized) and native Windows commands (net view, nltest).
- **Lateral Movement:** SMB/RDP using compromised administrative credentials.
- **Collection:** Archiving files into staging folders for theft.
- **Exfiltration:** Exfiltration over SFTP to attacker-controlled infrastructure.
- **Impact:** Deployment of **Akira Ransomware** (`locker.exe`) to encrypt files and delete shadow copies.
## Impact Assessment
- **Financial:** High (Ransom demand and recovery costs).
- **Data Breach:** Confirmed exfiltration of organizational data to an external SFTP server.
- **Operational:** Total business disruption due to file encryption across workstations and servers.
- **Reputational:** Potential impact if client data or proprietary IT management information was leaked.
## Indicators of Compromise
- **Network Indicators:**
- `opmanager[.]pro`
- `angyipscanner[.]org`
- `109.205.195[.]211` (Bumblebee C2)
- `172.96.137[.]160` (AdaptixC2 C2)
- `185.174.100[.]203` (Exfiltration)
- **File Indicators:**
- `ManageEngine-OpManager.msi` (186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da)
- `msimg32.dll` (Bumblebee Loader)
- `locker.exe` (Akira Ransomware)
- **Behavioral Indicators:**
- Execution of MSI installers downloaded from non-standard web domains.
- Unexpected, high-volume SSH/SFTP traffic from internal hosts to external IPs.
- Large-scale credential dumping activities on Domain Controllers.
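The indicators above can be turned into a single detection pass over endpoint and network telemetry. The following Python script is an added illustration, not code from The DFIR Report or from any detection product: it takes the defanged IoCs exactly as published, refangs them for matching, and runs them together with the three behavioral rules (installer launched from a Downloads or Temp folder, SSH/SFTP to a public address, and high outbound volume on port 22) over a handful of constructed Sysmon-style events. The event schema, host names, the 100 MiB volume threshold and the sample events are assumptions for the example.

```python
"""Apply the report's IoCs and behavioral indicators to constructed,
Sysmon-style events. Added example, not code from The DFIR Report."""
import ipaddress
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Optional

# Indicators from the report, kept defanged as published.
DEFANGED_IPS = {
    "109.205.195[.]211": "Bumblebee C2",
    "172.96.137[.]160": "AdaptixC2 C2",
    "185.174.100[.]203": "Exfiltration server",
}
DEFANGED_DOMAINS = {"opmanager[.]pro", "angyipscanner[.]org"}
BAD_SHA256 = {
    "186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da":
        "ManageEngine-OpManager.msi (trojanized installer)",
}
SFTP_VOLUME_THRESHOLD = 100 * 1024 * 1024   # assumed alerting threshold (100 MiB)
USER_WRITABLE = {"downloads", "temp", "tmp"}  # folder names that should not launch installers
# Quoted or bare Windows paths ending in .msi/.exe inside an image or command line.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+?\.(?:msi|exe))"|([A-Za-z]:\\[^"\s]+?\.(?:msi|exe))\b',
                     re.IGNORECASE)


def refang(ioc: str) -> str:
    """'185.174.100[.]203' -> '185.174.100.203'; only for matching, never for display."""
    return ioc.replace("[.]", ".")


BAD_IPS = {refang(ip): label for ip, label in DEFANGED_IPS.items()}
BAD_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def installer_from_user_dir(text: str) -> Optional[str]:
    """Return the first .msi/.exe path in `text` located under Downloads/Temp, else None."""
    for quoted, bare in PATH_RE.findall(text):
        path = PureWindowsPath(quoted or bare)
        if USER_WRITABLE & {part.lower() for part in path.parts}:
            return str(path)
    return None


def is_external(ip: str) -> bool:
    """True for public addresses (not RFC 1918, loopback or link-local)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def analyze(events: list) -> list:
    """Run every indicator over the events; return one finding dict per hit."""
    findings = []
    sftp_bytes = defaultdict(int)  # (host, dst_ip) -> bytes sent to port 22

    def hit(rule, ev, detail):
        findings.append({"rule": rule, "host": ev["host"], "detail": detail})

    for ev in events:
        kind = ev["type"]
        if kind in ("process_create", "file_create"):
            sha = ev.get("sha256", "").lower()
            if sha in BAD_SHA256:
                hit("known_bad_hash", ev, BAD_SHA256[sha])
            text = " ".join(filter(None, (ev.get("image"), ev.get("cmdline"))))
            path = installer_from_user_dir(text)
            if kind == "process_create" and path:   # execution, not mere download
                hit("installer_from_user_dir", ev, path)
        elif kind == "network_connect":
            dst = ev["dst_ip"]
            if dst in BAD_IPS:
                hit("known_c2_ip", ev, f"{dst} ({BAD_IPS[dst]})")
            if ev.get("dst_port") == 22 and is_external(dst):
                hit("ssh_sftp_to_external", ev, f"{dst}:22")
                sftp_bytes[(ev["host"], dst)] += ev.get("bytes_out", 0)
        elif kind == "dns_query":
            if ev["query"].lower().rstrip(".") in BAD_DOMAINS:
                hit("known_bad_domain", ev, ev["query"])

    for (host, dst), total in sftp_bytes.items():   # volume rule runs after aggregation
        if total >= SFTP_VOLUME_THRESHOLD:
            findings.append({"rule": "high_volume_sftp", "host": host,
                             "detail": f"{total} bytes to {dst}"})
    return findings


# Constructed events mirroring the reported chain; not telemetry from the real incident.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "WS01",
     "image": r"C:\Users\alice\Downloads\ManageEngine-OpManager.msi",
     "sha256": "186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da"},
    {"type": "process_create", "host": "WS01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\ManageEngine-OpManager.msi"'},
    {"type": "dns_query", "host": "WS01", "query": "opmanager.pro"},
    {"type": "network_connect", "host": "WS01", "dst_ip": "109.205.195.211", "dst_port": 443},
    {"type": "network_connect", "host": "DC01", "dst_ip": "185.174.100.203", "dst_port": 22,
     "bytes_out": 350 * 1024 * 1024},
    {"type": "network_connect", "host": "DC01", "dst_ip": "10.0.0.25", "dst_port": 22,
     "bytes_out": 5 * 1024 * 1024},   # internal SSH: not flagged
    {"type": "process_create", "host": "WS02",
     "image": r"C:\Program Files\Vendor\setup.exe", "cmdline": "setup.exe /quiet"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['rule']:26} {f['detail']}")
```

The path rule keys on folder names rather than a full path prefix so it also catches `AppData\Local\Temp` and redirected profile folders; the hash rule is checked on both file-creation and process-creation events because the MSI itself is launched through `msiexec.exe`, whose own hash is benign.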
## Response Actions
- **Containment:** Isolated infected hosts and blocked identified C2 IP addresses at the firewall.
- **Eradication:** Terminated malicious processes, deleted trojanized installers, and reset all domain credentials.
- **Recovery:** Restored systems from offline backups (where unaffected by ransomware).
## Lessons Learned
- **SEO Risks:** Attackers are successfully bypassing email filters by using search engines to deliver malware directly to IT staff.
- **Tool Sprawl:** The use of multiple C2 frameworks (Bumblebee then AdaptixC2) shows increasing sophistication in maintaining access.
- **Speed of Escalation:** The transition from initial download to domain-wide ransomware can occur within hours or days.
## Recommendations
- **Web Filtering:** Implement strict web category filtering to block newly registered domains (NRDs).
- **Application Whitelisting:** Restrict the execution of MSI and EXE files from `Downloads` or `Temp` folders.
- **Identity Security:** Implement Multi-Factor Authentication (MFA) on all lateral movement paths and restrict DA (Domain Admin) logins to Tier-0 assets only.
- **User Education:** Specifically train IT staff on the dangers of downloading management tools from third-party "sponsored" search results.
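The identity recommendation is straightforward to audit once a Tier-0 inventory exists. The Python script below is an added example, not code from The DFIR Report: it reads constructed Windows 4624 logon events exported as CSV and flags any Domain Admin account logging on to a host outside the Tier-0 set, rating logons that leave reusable credentials on the target (interactive, batch, service, RemoteInteractive, CachedInteractive) higher than plain network logons. The host list, account names, CSV column layout and sample rows are assumptions.

```python
"""Audit Domain Admin logons against a Tier-0 host inventory using
constructed 4624-style CSV rows. Added example, not from The DFIR Report."""
import csv
import io

TIER0_HOSTS = {"DC01", "DC02", "ADFS01"}              # assumed Tier-0 inventory
TIER0_ACCOUNTS = {"CORP\\da-alice", "CORP\\da-bob"}   # assumed Domain Admin accounts
# Logon types that cache reusable credentials on the target host:
# 2 Interactive, 4 Batch, 5 Service, 10 RemoteInteractive, 11 CachedInteractive.
CREDENTIAL_EXPOSING_TYPES = {2, 4, 5, 10, 11}

# Constructed export; column names follow the 4624 event fields.
SAMPLE_4624_CSV = """\
TimeCreated,Computer,TargetDomainName,TargetUserName,LogonType,IpAddress
2025-07-01T08:02:11Z,DC01,CORP,da-alice,10,10.10.5.23
2025-07-01T09:14:40Z,WS01,CORP,alice,2,-
2025-07-01T11:37:02Z,WS01,CORP,da-alice,10,10.10.5.23
2025-07-01T11:52:19Z,FS01,CORP,da-bob,3,10.10.8.7
2025-07-01T12:03:55Z,DC01,CORP,da-bob,3,10.10.8.7
"""


def check_tiering(csv_text: str) -> list:
    """Return one finding per Tier-0 account logon to a non-Tier-0 host."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        account = f"{row['TargetDomainName']}\\{row['TargetUserName']}"
        host = row["Computer"].upper()
        if account not in TIER0_ACCOUNTS or host in TIER0_HOSTS:
            continue  # ordinary user, or a DA logon where it belongs
        logon_type = int(row["LogonType"])
        # Credential-exposing logons put the DA secret on a lower-tier box;
        # network logons still violate the policy but do not cache the secret.
        severity = "high" if logon_type in CREDENTIAL_EXPOSING_TYPES else "medium"
        findings.append({
            "time": row["TimeCreated"], "account": account, "host": host,
            "logon_type": logon_type, "source": row["IpAddress"], "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in check_tiering(SAMPLE_4624_CSV):
        print(f"{f['severity']:6} {f['time']} {f['account']} -> {f['host']} "
              f"(type {f['logon_type']} from {f['source']})")
```

Run on a real export, the same check doubles as a detection for the lateral-movement pattern in this incident, where administrative credentials were used from a workstation onward to the Domain Controller.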