## Full Report
**Key Takeaways:** This case was first reported to customers in a threat brief released in July 2025 and in a public flash alert in August 2025 in partnership with Swisscom B2B CSIRT, which observed another intrusion tied to the same campaign. This report contains data from both intrusions. We plan to release a DFIR Labs […]
Source: The DFIR Report, "From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira".
## Analysis Summary
# Incident Report: From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira
## Executive Summary
In July 2025, a sophisticated SEO poisoning campaign via Bing search results led to the delivery of Bumblebee malware, which subsequently dropped AdaptixC2 beacons. The threat actors leveraged this access to move laterally, exfiltrate sensitive data, and ultimately deploy Akira ransomware across both root and child domains. The intrusion utilized trojanized enterprise software installers and hijacked legitimate processes to maintain persistence and evade detection.
## Incident Details
- **Discovery Date:** July 2025
- **Incident Date:** May - July 2025
- **Affected Organization:** Not disclosed (Observed in partnership with Swisscom B2B CSIRT)
- **Sector:** Multiple (Targeted IT and Network Admin tools)
- **Geography:** International (Swiss involvement through Swisscom B2B CSIRT)
## Timeline of Events
### Initial Access
- **Date/Time:** July 2025
- **Vector:** SEO Poisoning / Malvertising via Bing Search.
- **Details:** A user searching for "ManageEngine OpManager" was directed to a lookalike domain (`opmanager[.]pro`) and redirected to a delivery gateway (`download-center[.]online`) to download a trojanized MSI installer.
### Lateral Movement
- **Details:** Following the execution of the MSI by an IT administrator, Bumblebee dropped an AdaptixC2 beacon. The actors used this to pivot to a Domain Controller, dumped the `NTDS.dit` file for credential harvesting, and established an SSH proxy for broad network access.
### Data Exfiltration/Impact
- **Details:** The threat actor utilized FileZilla and SFTP to exfiltrate data to an external server. Following exfiltration, Akira ransomware was deployed across the root domain, followed by a second wave of encryption on a child domain 48 hours later.
### Detection & Response
- **Discovery:** Initially flagged in threat briefs in July 2025; confirmed through forensic analysis of browser history and of the malicious MSI execution.
- **Response Actions:** Engagement with Swisscom B2B CSIRT for cross-intrusion data correlation and identification of the SEO poisoning infrastructure.
## Attack Methodology
- **Initial Access:** SEO poisoning targeting IT management software (ManageEngine, Zenmap, Advanced IP Scanner).
- **Persistence:** DLL Sideloading (e.g., `consent.exe` loading `msimg32.dll`) and AdaptixC2 beacons.
- **Privilege Escalation:** Domain Controller compromise and NTDS.dit dumping.
- **Defense Evasion:** Use of legitimate signed binaries (MSI signers like "LLC Vector"), DLL sideloading into trusted processes, and DGA (Domain Generation Algorithms) for C2.
- **Credential Access:** NTDS.dit dumping from Domain Controllers.
- **Discovery:** Use of network scanning tools and LDAP queries (implied via lateral movement to DC).
- **Lateral Movement:** SSH proxying and RDP/SMB traversal.
- **Collection:** Manual staging of files for exfiltration.
- **Exfiltration:** Data sent to external servers via FileZilla/SFTP.
- **Impact:** Encryption of root and child domains using Akira Ransomware.
## Impact Assessment
- **Financial:** High (Ransom demand and recovery costs).
- **Data Breach:** Exfiltration of internal corporate data and potential credential loss (NTDS.dit).
- **Operational:** Total business disruption due to domain-wide encryption.
- **Reputational:** High, involving customers and partners in the supply chain.
## Indicators of Compromise
- **Network Indicators:**
  - `opmanager[.]pro`
  - `download-center[.]online`
  - `soft-hub[.]pro`
  - `download-server[.]online`
  - `soft-server[.]online`
  - `zenmap[.]pro`
- **File Indicators:**
  - `version.dll` (sideloaded)
  - `msimg32.dll` (sideloaded)
  - Trojanized MSI installers signed by "LLC Vector" or "LLC Leighton".
- **Behavioral Indicators:**
  - `consent.exe` loading unexpected DLLs from non-system directories.
  - Large-volume SFTP traffic to unknown external IPs.
  - Execution of `ntdsutil` or similar tooling on Domain Controllers.
## Response Actions
- **Containment:** Isolation of infected hosts (beachhead and Domain Controllers).
- **Eradication:** Removal of malicious DLLs and termination of unauthorized SSH proxies.
- **Recovery:** Restoration of root and child domains from backups after ensuring the removal of persistence mechanisms.
## Lessons Learned
- **Trust in Search Results:** Users often trust top-tier search results; SEO poisoning remains a highly effective delivery vector for initial access.
- **Admin Privilege Risks:** The execution of a "downloaded" tool by an IT administrator accelerated the compromise significantly.
- **Infrastructure Overlap:** The attackers reused code-signing certificates and delivery patterns (DGA/URL parameters), allowing for proactive blocking once the pattern was identified.
## Recommendations
- **Endpoint Security:** Implement strict AppLocker or Software Restriction Policies (SRP) to prevent execution from user-writable directories (e.g., Downloads).
- **Network Filtering:** Block or alert on newly registered domains (NRDs) and enforce strict egress filtering for protocols like SSH and SFTP.
- **User Education:** Train IT staff on the risks of third-party "download centers" and the importance of verifying MD5/SHA256 hashes against official vendor documentation.
- **Monitoring:** Monitor for unusual DLL loads into system processes such as `consent.exe`.
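The behavioral indicator above (`consent.exe` loading DLLs from non-system directories) and this monitoring recommendation can be checked with the same detection logic. The following is an added example, not code from The DFIR Report or from any tool named in the case: it reads Sysmon Event ID 7 (Image loaded) records as JSON lines and flags `version.dll` or `msimg32.dll` loaded from outside the Windows system folders. The sample records, the `OpManager` paths in them, and the assumption of a default `C:\Windows` install are all constructed for this example.

```python
import json
import ntpath
import re

# DLL names the report lists as sideloaded, and the hijacked host process.
SIDELOAD_DLLS = {"version.dll", "msimg32.dll"}
WATCHED_HOSTS = {"consent.exe"}
# Where these DLLs legitimately live (assumes a default Windows install).
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64|winsxs)\\")

def is_system_path(path: str) -> bool:
    """True if the path sits under System32, SysWOW64 or WinSxS."""
    return SYSTEM_DIR_RE.match(ntpath.normpath(path).lower()) is not None

def classify(event: dict):
    """Return a finding string for a suspicious image load, else None."""
    host = ntpath.basename(event.get("Image", "")).lower()
    loaded = event.get("ImageLoaded", "")
    dll = ntpath.basename(loaded).lower()
    if dll in SIDELOAD_DLLS and not is_system_path(loaded):
        # A hijacked UAC binary is the exact pattern seen in this intrusion.
        severity = "high" if host in WATCHED_HOSTS else "medium"
        return f"{severity}: {host} loaded {dll} from {ntpath.dirname(loaded)}"
    return None

def scan(lines):
    """Run classify() over Sysmon Event 7 JSON lines, skipping bad records."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry: skip, do not crash the pipeline
        if isinstance(ev, dict) and ev.get("EventID") == 7:
            finding = classify(ev)
            if finding:
                findings.append(finding)
    return findings

# Constructed sample telemetry (doubled backslashes are JSON escapes).
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\consent.exe", "ImageLoaded": "C:\\Windows\\System32\\msimg32.dll"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\consent.exe", "ImageLoaded": "C:\\Users\\admin\\Downloads\\OpManager\\msimg32.dll"}
{"EventID": 7, "Image": "C:\\ProgramData\\OpManager\\setup.exe", "ImageLoaded": "C:\\ProgramData\\OpManager\\version.dll"}
{"EventID": 1, "Image": "C:\\ProgramData\\OpManager\\setup.exe", "CommandLine": "setup.exe /quiet"}
not-json garbage line
""".strip().splitlines()

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```

The first record is the legitimate System32 load and produces no finding; only the two loads from user-writable or ProgramData paths are reported.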