# Full Report

## Overview

Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery mechanism. Recently, in May of 2025, Cyjax reported on a campaign using this method again, impersonating various IT tools. We observed a similar campaign in […]

The post From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira appeared first on The DFIR Report.

# Analysis Summary
# Incident Report: Bumblebee Malware and AdaptixC2 Leading to Akira Ransomware
## Executive Summary
In July 2025, a legal or corporate entity was compromised via an SEO poisoning campaign where a user downloaded a trojanized IT management tool. The intrusion involved the deployment of Bumblebee malware and AdaptixC2, which facilitated lateral movement and data exfiltration, ultimately resulting in the deployment of Akira ransomware. The incident demonstrates the continued effectiveness of impersonating legitimate software to bypass initial security perimeters.
## Incident Details
- **Discovery Date:** July 2025
- **Incident Date:** July 2025
- **Affected Organization:** Not disclosed
- **Sector:** Likely IT, Legal, or Corporate (inferred from the tools impersonated)
- **Geography:** Global/Undisclosed
## Timeline of Events
### Initial Access
- **Date/Time:** July 2025
- **Vector:** SEO Poisoning / Drive-by Download
- **Details:** A user searching for "ManageEngine OpManager" via Bing was directed to a malicious site (`opmanager[.]pro`) and downloaded a trojanized installer (`ManageEngine-OpManager.msi`).
### Lateral Movement
- **Details:** Following the execution of Bumblebee via the malicious MSI, the threat actors deployed AdaptixC2 and utilized SSH tunneling to move laterally across the environment. They targeted domain controllers and file servers to gain broader access.
### Data Exfiltration/Impact
- **Details:** The threat actors utilized Rclone for data collection and an SFTP server (`185.174.100[.]203`) for exfiltration. The final stage involved the deployment of Akira ransomware (`locker.exe`), encrypting systems across the network.
### Detection & Response
- **Discovery:** Detection of anomalous network traffic to known C2 IPs, followed by the discovery of ransomware notes.
- **Response:** The organization initiated its incident response plan to contain the ransomware spread and assess the volume of exfiltrated data.
## Attack Methodology
- **Initial Access:** SEO Poisoning (impersonating ManageEngine, Advanced IP Scanner).
- **Persistence:** Component Object Model (COM) hijacking and Schtasks.
- **Privilege Escalation:** Exploitation of system vulnerabilities and, where available, credential harvesting.
- **Defense Evasion:** DLL Sideloading (`msimg32.dll`), use of legitimate tools for tunneling, and obfuscated PowerShell scripts.
- **Credential Access:** Likely LSASS memory dumping or harvesting from browser/system caches.
- **Discovery:** Use of Advanced IP Scanner (legitimate and trojanized versions) to map the network.
- **Lateral Movement:** AdaptixC2 beaconing, SMB, and SSH Tunneling.
- **Collection:** Identifying sensitive file shares and local directories.
- **Exfiltration:** Data pushed to an external SFTP server using Rclone.
- **Impact:** Encryption of files via Akira ransomware and operational downtime.
## Impact Assessment
- **Financial:** High (Ransom demand and recovery costs).
- **Data Breach:** Confirmed exfiltration of sensitive organizational data.
- **Operational:** Critical business disruption due to system encryption.
- **Reputational:** Potential impact depending on data sensitivity and public disclosure requirements.
## Indicators of Compromise
- **Network:**
  - `opmanager[.]pro`
  - `angryipscanner[.]org`
  - `109.205.195[.]211`
  - `172.96.137[.]160`
  - `185.174.100[.]203`
- **Files:**
  - `186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da` (MSI)
  - `de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d` (Akira)
- **Behavioral:**
  - Unexpected MSI installations from browser downloads.
  - SSH sessions originating from unauthorized internal hosts.
  - Massive outbound SFTP traffic.
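The indicators above, and the egress-monitoring recommendation later in the report, can be turned into a simple sweep over existing telemetry. The following Python script is an added example written for this summary; it is not tooling from The DFIR Report. It takes the report's defanged network and file IoCs, refangs them to the form seen in real logs, and scans a handful of constructed key=value log lines (DNS, file-hash and connection events in an assumed format) for IoC matches and for the "massive outbound SFTP traffic" behaviour. The 500 MB egress threshold is an assumed tuning value, not one the report states.

```python
"""Sweep sample logs for the Bumblebee/Akira IoCs listed in the report.

Added example, not The DFIR Report's own code. The log format and the
egress threshold are assumptions made for the demonstration.
"""
from collections import defaultdict

# Network IoCs exactly as listed in the report (defanged).
NETWORK_IOCS = [
    "opmanager[.]pro",
    "angryipscanner[.]org",
    "109.205.195[.]211",
    "172.96.137[.]160",
    "185.174.100[.]203",
]

# SHA-256 file IoCs from the report, mapped to a human-readable label.
FILE_IOCS = {
    "186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da": "trojanized MSI",
    "de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d": "Akira locker",
}

# Assumed threshold for the "massive outbound SFTP traffic" indicator (500 MB).
SFTP_EGRESS_THRESHOLD_BYTES = 500 * 1024 * 1024


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('[.]') back to the form found in logs."""
    return ioc.replace("[.]", ".")


NETWORK_REFANGED = {refang(i) for i in NETWORK_IOCS}

# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOGS = [
    "type=dns host=ws01 query=opmanager.pro",
    "type=dns host=ws01 query=www.manageengine.com",
    "type=file host=ws01 path=C:\\Users\\u\\Downloads\\ManageEngine-OpManager.msi "
    "sha256=186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da",
    "type=conn host=ws01 dst=109.205.195.211 dport=443 bytes_out=2048",
    "type=conn host=fs01 dst=185.174.100.203 dport=22 bytes_out=734003200",
    "type=conn host=fs01 dst=10.0.0.5 dport=445 bytes_out=1024",
]


def parse(line: str) -> dict:
    """Split one 'k=v k=v' log line into a dict (values never contain spaces here)."""
    return dict(kv.split("=", 1) for kv in line.split())


def match_line(fields: dict) -> list:
    """Return (kind, detail) tuples for every indicator the event matches."""
    hits = []
    target = fields.get("query") or fields.get("dst")
    if target in NETWORK_REFANGED:
        hits.append(("network_ioc", target))
    digest = fields.get("sha256")
    if digest in FILE_IOCS:
        hits.append(("file_ioc", FILE_IOCS[digest]))
    # Behavioural check: large outbound transfer to port 22 (SSH/SFTP).
    if (fields.get("type") == "conn" and fields.get("dport") == "22"
            and int(fields.get("bytes_out", "0")) >= SFTP_EGRESS_THRESHOLD_BYTES):
        hits.append(("large_sftp_egress", fields["dst"]))
    return hits


def scan(lines: list) -> list:
    """Scan log lines and return a list of finding dicts."""
    findings = []
    for line in lines:
        fields = parse(line)
        for kind, detail in match_line(fields):
            findings.append({"host": fields["host"], "kind": kind,
                             "detail": detail, "line": line})
    return findings


def summarize(findings: list) -> dict:
    """Group finding kinds per host so multi-indicator hosts stand out."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["kind"])
    return dict(per_host)


if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for f in results:
        print(f"{f['host']:6} {f['kind']:18} {f['detail']}")
    print(summarize(results))
```

Hosts that combine a network IoC with a large SSH-port egress (here `fs01`) are the ones to triage first, since that pairing mirrors the Rclone-to-SFTP exfiltration the report describes; in production the refanged list would be loaded from a managed feed rather than hard-coded.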
## Response Actions
- **Containment:** Isolated infected hosts and blocked C2 IPs/domains at the firewall.
- **Eradication:** Removed malicious scheduled tasks, DLLs, and registry keys associated with Bumblebee.
- **Recovery:** Restored systems from offline backups and forced a domain-wide password reset.
## Lessons Learned
- **SEO Risks:** Search engines can be manipulated to serve malware; users often trust top search results blindly.
- **Tool Sprawl:** The use of unapproved IT management tools provided a "living off the land" opportunity for attackers.
- **Visibility:** Early detection of the Bumblebee beacon could have prevented the final ransomware stage.
## Recommendations
- **Web Filtering:** Implement strict category-based web filtering to block newly registered domains and known malicious SEO sites.
- **Application Whitelisting:** Prevent the execution of unauthorized MSI installers and unsigned DLLs.
- **User Training:** Educate staff to only download software from official vendor portals (e.g., manageengine.com) rather than search engine links.
- **Egress Monitoring:** Alert on large-scale outbound transfers to unknown IPs over protocols such as SFTP or by tools such as Rclone.