Analysis Summary
# Tool/Technique: Bumblebee Malware
## Overview
Bumblebee is an initial access malware that has been actively used by threat actors since late 2021. In the analyzed campaign, it was delivered via SEO poisoning, masquerading as legitimate IT management software installers. Its primary function is to establish a foothold in the environment, often followed by loading secondary payloads like C2 beacons.
## Technical Details
- Type: Malware family
- Platform: Windows
- Capabilities: Initial access, C2 communication, deployment of secondary malware (including AdaptixC2).
- First Seen: Late 2021
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- (Inferred via SEO poisoning leading to malicious download)
## Functionality
### Core Capabilities
- Initial access through trojanized software installers (e.g., masquerading as ManageEngine OpManager).
- Downloads and executes malicious payloads (e.g., in this case, AdaptixC2).
- Establishes Command and Control (C2) using DGA domains.
### Advanced Features
- Delivery via SEO poisoning/search engine manipulation to trick users into downloading trojanized installers.
- Leverages legitimate processes/files for execution (e.g., loading via `consent.exe`).
## Indicators of Compromise
- File Hashes:
- SHA256: `a6df0b49a5ef9ffd6513bfe061fb60f6d2941a440038e2de8a7aeb1914945331` (msimg32.dll - DFIR Report Hash)
- SHA256: `6ba5d96e52734cbb9246bcc3decf127f780d48fa11587a1a44880c1f04404d23` (msimg32.dll - Swisscom Hash)
- File Names: `msimg32.dll` (loaded payload), `ManageEngine-OpManager.msi` (trojanized installer)
- Network Indicators:
- C2 IP: `109.205.195[.]211`:443
- C2 IP: `188.40.187[.]145`:443
- DGA Domains: `ev2sirbd269o5j[.]org`, `2rxyt9urhq0bgj[.]org`
- Behavioral Indicators: Execution chain involving MSI installation followed by dropping and loading DLLs.
## Associated Threat Actors
- The actors behind this campaign are not explicitly named; the intrusion is associated with Akira ransomware because Akira was the observed final payload.
## Detection Methods
- Signature-based detection on known Bumblebee file hashes.
- Behavioral detection tracking the execution sequence: MSI installation -> discovery commands -> secondary payload delivery.
- YARA rules: (Not explicitly provided in the context)
## Mitigation Strategies
- Implement strict application whitelisting to prevent execution of unauthorized software.
- Exercise caution regarding software downloaded directly from search engine results, especially for high-privilege tools.
- Use endpoint security solutions to monitor for attempted communication with DGA domains.
## Related Tools/Techniques
- AdaptixC2 (deployed by Bumblebee)
- Akira Ransomware (final payload)
- SEO Poisoning (delivery technique)
***
# Tool/Technique: AdaptixC2
## Overview
AdaptixC2 is a remote access tool (RAT) or Command and Control framework observed being deployed by the Bumblebee malware following initial access. It establishes a secondary, persistent communication channel used by the threat actor for further reconnaissance and actions on objectives.
## Technical Details
- Type: Attack Tool (C2 Framework/Beacon)
- Platform: Windows (Inferred from context)
- Capabilities: Establishing secondary C2 communication, relaying attacker commands, subsequent post-exploitation activities.
- First Seen: Not specified, known framework.
## MITRE ATT&CK Mapping
- T1071.001 - Application Layer Protocol: Web Protocols
- (Used for C2 communication over TCP/IP)
## Functionality
### Core Capabilities
- Establishing a dedicated C2 session distinct from the initial access beacon.
- Facilitating subsequent attacker actions.
### Advanced Features
- Used in conjunction with reconnaissance and lateral movement activities.
## Indicators of Compromise
- File Hashes: (No specific AdaptixC2 file hash provided, but it was deployed as `AdgNsy.exe`)
- File Names: `AdgNsy.exe`
- Network Indicators:
- C2 IP: `172.96.137[.]160`:443 (DFIR Report observation)
- C2 IP: `170.130.55[.]223`:443 (Swisscom observation)
- Behavioral Indicators: The appearance of AdaptixC2 execution shortly after Bumblebee infection, followed by built-in Windows reconnaissance commands (`systeminfo`, `nltest`, `whoami`).
## Associated Threat Actors
- Unknown threat actors leading to Akira ransomware deployment.
## Detection Methods
- Behavioral detection focusing on unusual process execution following Bumblebee's activity.
- Network monitoring for connections to known AdaptixC2 infrastructure IPs.
## Mitigation Strategies
- Strict egress filtering so that outbound connections are limited to known-good destinations and connections to known C2 infrastructure are blocked.
- Monitoring for unauthorized process launches associated with known C2 implants.
## Related Tools/Techniques
- Bumblebee (loader)
- Akira Ransomware (payload)
***
# Tool/Technique: Akira Ransomware
## Overview
Akira is the final stage ransomware payload deployed in this intrusion campaign following Bumblebee initial access and AdaptixC2 command execution. Its deployment signifies the culmination of the compromise, resulting in widespread encryption across the victim organization.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows (Inferred, encrypts domain systems)
- Capabilities: File encryption, with a ransom demand for decryption likely.
- First Seen: Not specified; in this campaign, deployment was observed in July 2025.
## MITRE ATT&CK Mapping
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- Encrypting systems across the network, including the domain controller and associated domains.
### Advanced Features
- Deployed across the root domain, and then reportedly repeated two days later on a child domain, indicating persistence or coordinated multi-stage attack planning.
## Indicators of Compromise
- File Hashes:
- SHA256: `de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d` (locker.exe - DFIR Report Hash)
- SHA256: `18b8e6762afd29a09becae283083c74a19fc09db1f2c3412c42f1b0178bc122a` (win.exe - Swisscom Hash)
- File Names: `locker.exe`, `win.exe`
- Network Indicators: SFTP server (`185.174.100[.]203`) used for exfiltration prior to encryption.
## Associated Threat Actors
- Unknown threat actors utilizing this specific multi-stage tool chain (Bumblebee -> AdaptixC2 -> Akira).
## Detection Methods
- Signature-based detection on Akira ransomware file hashes.
- Behavioral detection focusing on mass file modification or encryption patterns following reconnaissance actions.
## Mitigation Strategies
- Robust, segmented backups with tested offline recovery procedures.
- Strict segmentation between critical domains (root vs. child domains).
## Related Tools/Techniques
- Bumblebee (loader)
- AdaptixC2 (C2 framework)
***
# Technique: SEO Poisoning / Trojanized Installers
## Overview
In this initial access technique, a user searching for legitimate IT software (e.g., "ManageEngine OpManager") on Bing is redirected to a malicious website hosting a trojanized installer.
## Technical Details
- Type: Technique / Delivery Vector
- Platform: Internet Search / Windows Endpoint
- Capabilities: Deceiving users into downloading malware disguised as a trusted software installer.
- First Seen: SEO poisoning delivery used by Bumblebee reported in 2023.
## MITRE ATT&CK Mapping
- T1588.002 - Obtain Capabilities: Obtain Software Content
- (The attacker uses search results to direct victims toward malicious software acquisition)
## Functionality
### Core Capabilities
- Manipulating search engine results to promote malicious download sites.
- Hosting trojanized MSI installers (`ManageEngine-OpManager.msi`).
### Advanced Features
- The MSI installer correctly installs the legitimate software component while simultaneously loading the malware (Bumblebee via `msimg32.dll`).
- Targeting IT administrators who often run software installers with high privileges.
## Indicators of Compromise
- Malicious Sites:
- `opmanager[.]pro` (DFIR Report)
- `angryipscanner[.]org`
- `axiscamerastation[.]org`
- `ip-scanner[.]org` (Swisscom CSIRT observed variant)
- Installer Hash (DFIR): `186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da`
## Associated Threat Actors
- Actors responsible for the July 2025 intrusion campaign.
## Detection Methods
- Monitoring DNS requests matching known malicious delivery domains.
- Application control policies that block execution of MSI installers obtained from non-standard download sources.
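As an added example (not code from the DFIR Report or Swisscom), the following Python ties together the detection methods listed across this summary: it matches DNS queries against the delivery and DGA domains named above, and flags the MSI install -> `msimg32.dll` sideload -> discovery-command chain on constructed sample telemetry. The event format, the 30-minute window and the "msimg32.dll loaded from outside System32" heuristic are assumptions.

```python
import re
from datetime import datetime as dt, timedelta

# Indicators from the report, kept defanged as written there; refanged only for matching.
WATCHED = {d.replace("[.]", ".") for d in ("opmanager[.]pro", "angryipscanner[.]org",
           "axiscamerastation[.]org", "ip-scanner[.]org", "ev2sirbd269o5j[.]org", "2rxyt9urhq0bgj[.]org")}
DISCOVERY = {"systeminfo.exe", "nltest.exe", "whoami.exe"}

def dns_hits(lines):
    """Queried names that equal, or are subdomains of, a delivery or DGA domain."""
    hits = []
    for line in lines:
        m = re.search(r"query=(\S+)", line)
        name = m.group(1).lower().rstrip(".") if m else ""
        if any(name == w or name.endswith("." + w) for w in WATCHED):
            hits.append(name)
    return hits

def chain_alerts(events, window=timedelta(minutes=30)):
    """Per host: msiexec installing an .msi, then within `window` msimg32.dll loaded from
    outside System32 (sideloading heuristic, an assumption) plus >= 2 discovery commands."""
    alerts, by_host = [], {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if (ev["type"] != "process" or not ev["image"].lower().endswith("msiexec.exe")
                    or ".msi" not in ev["cmd"].lower()):
                continue
            later = [x for x in evs[i + 1:] if x["ts"] - ev["ts"] <= window]
            sideload = any(x["type"] == "imageload" and x["image"].lower().endswith("\\msimg32.dll")
                           and "\\windows\\system32\\" not in x["image"].lower() for x in later)
            disc = {x["image"].lower().rsplit("\\", 1)[-1] for x in later if x["type"] == "process"}
            if sideload and len(disc & DISCOVERY) >= 2:
                alerts.append((host, ev["ts"], sorted(disc & DISCOVERY)))
    return alerts

# Constructed sample telemetry (not from the report): WS01 shows the chain, WS02 is a benign install.
SAMPLE_EVENTS = [dict(host=h, ts=dt.fromisoformat(t), type=k, image=i, cmd=c) for h, t, k, i, c in [
    ("WS01", "2025-07-15T10:00:00", "process", r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Users\a\Downloads\ManageEngine-OpManager.msi"),
    ("WS01", "2025-07-15T10:01:10", "imageload", r"C:\Users\a\AppData\Local\Temp\msimg32.dll", ""),
    ("WS01", "2025-07-15T10:04:00", "process", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ("WS01", "2025-07-15T10:04:30", "process", r"C:\Windows\System32\nltest.exe", "nltest"),
    ("WS02", "2025-07-15T10:00:00", "process", r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Temp\vendor.msi"),
    ("WS02", "2025-07-15T10:00:05", "imageload", r"C:\Windows\System32\msimg32.dll", "")]]
SAMPLE_DNS = ["2025-07-15T09:58:02 host=WS01 query=opmanager.pro type=A",
              "2025-07-15T10:02:09 host=WS01 query=www.ev2sirbd269o5j.org type=A",
              "2025-07-15T10:02:10 host=WS01 query=manageengine.com type=A"]
```

Only WS01 produces an alert; WS02 loads the genuine `msimg32.dll` from System32 and runs no discovery commands, so the chain logic stays quiet.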
## Mitigation Strategies
- User awareness training focused on validating download sources, even from trusted search engines.
- Employing browser extensions or security solutions that validate the reputation of the domains that search results link to.
## Related Tools/Techniques
- Bumblebee (payload delivered by this technique)