From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira
In July 2025, threat actors compromised organizations through SEO poisoning campaigns targeting users searching for legitimate IT management tools. Users downloading trojanized installers for ManageEngine OpManager received Bumblebee malware, granting initial access. The attackers exploited the fact that users executing these IT tools were privileged administrators, enabling rapid lateral movement to domain controllers. They dumped credentials using wbadmin, created backdoor accounts with enterprise admin privileges, and installed RustDesk for persistent access. AdaptixC2 beacons were deployed for command and control. The threat actors conducted extensive reconnaissance, dumped LSASS memory across multiple systems, attempted Veeam credential theft, and exfiltrated data via SFTP using FileZilla. The intrusion culminated in Akira ransomware deployment across both root and child domains within 44 hours, with subsequent re-encryption two days later affecting the child domain.
AI Analysis
Technical Summary
This threat involves a multi-stage intrusion starting with SEO poisoning campaigns that trick users into downloading trojanized ManageEngine OpManager installers containing Bumblebee malware. The malware provides initial access and exploits the fact that the users running these IT tools hold privileged administrative rights. Attackers perform lateral movement to domain controllers, dump credentials with wbadmin and from LSASS memory, create enterprise admin backdoor accounts, and install RustDesk for persistent access. AdaptixC2 is deployed as the command and control infrastructure. The attackers conduct reconnaissance, attempt credential theft from Veeam, and exfiltrate data via SFTP using FileZilla. The intrusion ends with deployment of Akira ransomware across multiple domains within 44 hours, followed by a re-encryption event two days later targeting the child domain.
Potential Impact
The threat results in unauthorized privileged access to enterprise networks, credential theft, persistent backdoors, data exfiltration, and widespread ransomware encryption affecting both root and child domains. This can cause significant operational disruption, data loss, and potential financial impact due to ransomware.
Mitigation Recommendations
No official patch or fix is available as this is a malware campaign exploiting user behavior and privilege misuse rather than a software vulnerability. Mitigation should focus on user awareness to avoid downloading trojanized installers, restricting administrative privileges, monitoring for unusual lateral movement and credential dumping activities, and employing endpoint detection to identify Bumblebee, AdaptixC2, and Akira ransomware behaviors. Incident response should include credential resets and removal of persistence mechanisms once detected.
Indicators of Compromise
IPs:
- ip: 172.96.137.160
- ip: 109.205.195.211
- ip: 193.242.184.150
Domains:
- domain: angryipscanner.org
- domain: opmanager.pro
- domain: 2rxyt9urhq0bgj.org
- domain: axiscamerastation.org
- domain: ev2sirbd269o5j.org
- domain: ijt0l3i8brit6q.org
- domain: ip-scanner.org
Hashes:
- hash: a746da514c90f26a187a294fda7edc1b
- hash: bcee0ab10b23f5999bcdb56c0b4a631a
- hash: ca8646dfc88423bb9fffda811160cebe
- hash: 1b9aa401457d29405c0bcf19cbf19a7028a0d214
- hash: f352cec89a56e23dae20cdd62df4d40bc7f22b5e
- hash: febbaf5f08a8e0782ffcce8beef1f2b4e249a52b
- hash: a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2
- hash: 186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da
- hash: 18b8e6762afd29a09becae283083c74a19fc09db1f2c3412c42f1b0178bc122a
- hash: 6ba5d96e52734cbb9246bcc3decf127f780d48fa11587a1a44880c1f04404d23
- hash: a6df0b49a5ef9ffd6513bfe061fb60f6d2941a440038e2de8a7aeb1914945331
- hash: de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d
Technical Details
- Author: AlienVault
- TLP: white
- References: https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/
- Adversary: null
- Pulse Id: 6a429369377f216bcfbdda03
- Threat Score: null
Threat ID: 6a43a6ca27e9c79719a54469
Added to database: 06/30/2026, 11:21:46 UTC
Last enriched: 06/30/2026, 11:36:17 UTC
Last updated: 06/30/2026, 22:46:13 UTC
Views: 49