
From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

Medium
Published: 06/29/2026 (06/29/2026, 15:46:49 UTC)
Source: AlienVault OTX General

Description

In July 2025, threat actors compromised organizations through SEO poisoning campaigns targeting users searching for legitimate IT management tools. Users downloading trojanized installers for ManageEngine OpManager received Bumblebee malware, granting initial access. The attackers exploited the fact that users executing these IT tools were privileged administrators, enabling rapid lateral movement to domain controllers. They dumped credentials using wbadmin, created backdoor accounts with enterprise admin privileges, and installed RustDesk for persistent access. AdaptixC2 beacons were deployed for command and control. The threat actors conducted extensive reconnaissance, dumped LSASS memory across multiple systems, attempted Veeam credential theft, and exfiltrated data via SFTP using FileZilla. The intrusion culminated in Akira ransomware deployment across both root and child domains within 44 hours, with subsequent re-encryption two days later affecting the child domain.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 06/30/2026, 11:36:17 UTC

Technical Analysis

This threat involves a multi-stage intrusion starting with SEO poisoning campaigns that trick users into downloading trojanized ManageEngine OpManager installers containing Bumblebee malware. The malware provides initial access, exploiting the fact that users running these IT tools have privileged administrative rights. Attackers perform lateral movement to domain controllers, dump credentials using wbadmin and LSASS memory, create enterprise admin backdoors, and install RustDesk for persistent access. AdaptixC2 is deployed as the command and control infrastructure. The attackers conduct reconnaissance, attempt credential theft from Veeam, and exfiltrate data via SFTP using FileZilla. The intrusion ends with deployment of Akira ransomware across multiple domains within 44 hours, followed by a re-encryption event two days later targeting the child domain.

Potential Impact

The threat results in unauthorized privileged access to enterprise networks, credential theft, persistent backdoors, data exfiltration, and widespread ransomware encryption affecting both root and child domains. This can cause significant operational disruption, data loss, and potential financial impact due to ransomware.

Mitigation Recommendations

No official patch or fix is available as this is a malware campaign exploiting user behavior and privilege misuse rather than a software vulnerability. Mitigation should focus on user awareness to avoid downloading trojanized installers, restricting administrative privileges, monitoring for unusual lateral movement and credential dumping activities, and employing endpoint detection to identify Bumblebee, AdaptixC2, and Akira ransomware behaviors. Incident response should include credential resets and removal of persistence mechanisms once detected.


Technical Details

Author: AlienVault
TLP: white
References: https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/
Adversary: null
Pulse Id: 6a429369377f216bcfbdda03
Threat Score: null

Indicators of Compromise

IP addresses

172.96.137.160
109.205.195.211
193.242.184.150

Domains

angryipscanner.org
opmanager.pro
2rxyt9urhq0bgj.org
axiscamerastation.org
ev2sirbd269o5j.org
ijt0l3i8brit6q.org
ip-scanner.org

File hashes (algorithm inferred from digest length: 32 hex = MD5, 40 hex = SHA-1, 64 hex = SHA-256)

a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2 (SHA-256)
a746da514c90f26a187a294fda7edc1b (MD5)
bcee0ab10b23f5999bcdb56c0b4a631a (MD5)
1b9aa401457d29405c0bcf19cbf19a7028a0d214 (SHA-1)
f352cec89a56e23dae20cdd62df4d40bc7f22b5e (SHA-1)
186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da (SHA-256)
18b8e6762afd29a09becae283083c74a19fc09db1f2c3412c42f1b0178bc122a (SHA-256)
6ba5d96e52734cbb9246bcc3decf127f780d48fa11587a1a44880c1f04404d23 (SHA-256)
a6df0b49a5ef9ffd6513bfe061fb60f6d2941a440038e2de8a7aeb1914945331 (SHA-256)
de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d (SHA-256)
ca8646dfc88423bb9fffda811160cebe (MD5)
febbaf5f08a8e0782ffcce8beef1f2b4e249a52b (SHA-1)

Threat ID: 6a43a6ca27e9c79719a54469

Added to database: 06/30/2026, 11:21:46 UTC

Last enriched: 06/30/2026, 11:36:17 UTC

Last updated: 06/30/2026, 22:46:13 UTC

