high September 21, 2025

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira


In July 2025, a threat actor used SEO poisoning (maliciously optimized Bing search results) to lure users searching for legitimate enterprise tools (e.g., ManageEngine OpManager) into downloading a trojanized installer that delivered Bumblebee malware. From there, the actor moved aggressively through the network: establishing persistent remote access, obtaining high-privileged credentials (including by dumping NTDS.dit from a domain controller), performing lateral movement, exfiltrating data via SFTP, and ultimately deploying Akira ransomware, first across the root domain and later into a child domain. The time from initial access to ransomware was rapid (≈44 hours in one case, ≈9 hours in another), and multiple organizations were affected. The campaign demonstrates a well-orchestrated end-to-end intrusion lifecycle, with an emphasis on reaching privileged administrator accounts through plausible, trusted-looking software installers.

This campaign is notable for pairing Bumblebee with AdaptixC2 in the same intrusion chain, a combination not widely reported before. It also highlights a sharpened delivery tactic, SEO poisoning of enterprise IT tools, which directly targets privileged users. Combined with the rapid domain-wide ransomware deployment, these shifts point to a streamlined and increasingly aggressive playbook.

Library detections (2)
  • LSASS Memory Dump via comsvcs.dll (rundll32)
  • MSI Installation from Suspicious Locations (Windows)
Additional detection ideas (5)
  • Monitor for installation or execution of remote access tools not approved in your environment
  • Detect SEO-poisoned results by monitoring for sponsored ad clicks leading to newly registered or typosquatted domains
  • Alert when users execute files downloaded from the internet lacking Mark-of-the-Web
  • Monitor for C2 communication over HTTP/HTTPS to uncommon or newly registered domains
  • Detect mass file encryption patterns — high-frequency file writes with entropy changes
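The two library detections above can be expressed as simple process-creation rules. The following is an added example, not code from the brief or its source report: it runs the comsvcs.dll MiniDump check and the suspicious-location MSI check over constructed Sysmon-style process events (the paths, PIDs and file names are invented sample data).

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# None of these values come from the report; they only exercise the rules.
EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\out.dmp full"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\jdoe\Downloads\ManageEngine_OpManager_64bit.msi /qn"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Windows\ccmcache\a1\setup.msi /qn"},   # managed deployment, benign
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},        # ordinary rundll32 use
]

# comsvcs.dll exports MiniDump at ordinal 24, so match either spelling of the call.
COMSVCS_MINIDUMP = re.compile(r"comsvcs(\.dll)?\s*,?\s*#?(24|MiniDump)\b", re.IGNORECASE)
# User-writable locations from which an interactive MSI install is unusual in managed fleets.
SUSPICIOUS_MSI_PATHS = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)|Windows\\Temp|ProgramData|Public)\\",
    re.IGNORECASE)
MSI_ARG = re.compile(r"\S+\.msi\b", re.IGNORECASE)

def detect(event):
    """Return the names of the detections that fire on one process-creation event."""
    hits = []
    image = event["image"].lower()
    cmd = event["cmdline"]
    if image.endswith("rundll32.exe") and COMSVCS_MINIDUMP.search(cmd):
        hits.append("LSASS Memory Dump via comsvcs.dll (rundll32)")
    if image.endswith("msiexec.exe"):
        msi = MSI_ARG.search(cmd)
        if msi and SUSPICIOUS_MSI_PATHS.search(msi.group(0)):
            hits.append("MSI Installation from Suspicious Locations")
    return hits

def run(events):
    """Evaluate every event and return (cmdline, detections) pairs for those that fired."""
    return [(e["cmdline"], detect(e)) for e in events if detect(e)]

if __name__ == "__main__":
    for cmdline, names in run(EVENTS):
        print(names, "<-", cmdline)
```

In production the same logic would run against an EDR or Sysmon feed rather than the inline list, with the path allow-list tuned to the organization's own software-deployment locations.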