From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

The Bumblebee malware campaign used trojanized IT management tools distributed via SEO poisoning to gain initial access, ultimately leading to Akira ransomware deployment in July 2025. Multiple organizations were affected, with attackers leveraging privileged IT accounts for lateral movement, credential dumping, and data exfiltration. #Bumblebee #AkiraRansomware #SEOpoisoning #ManageEngineOpManager

Keypoints

  • Bumblebee malware used SEO-poisoned sites impersonating IT tools like ManageEngine OpManager to deliver trojanized installers.
  • Initial access granted malware execution and lateral movement to domain controllers, enabling credential dumping and persistent access.
  • Threat actors created privileged domain accounts and deployed the RustDesk remote access tool for persistence and SSH tunneling for command and control.
  • Data exfiltration occurred via SFTP using FileZilla, followed by deployment of Akira ransomware affecting root and child domains.
  • Swisscom B2B CSIRT reported additional affected organizations in which similar tactics and the same malware tooling were observed.
  • Detection recommendations include monitoring MSI installations in user directories, LSASS memory dumping, domain enumeration, and unusual account creations.
  • Indicators of compromise involve malicious domains, IP addresses, trojanized installer file hashes, and C2 infrastructure associated with Bumblebee and Akira ransomware.

MITRE Techniques

  • [T1078] Valid Accounts – Creation of new domain accounts (backup_DA, backup_EA) and privilege escalation by adding them to the Enterprise Administrators group (“net user backup_EA P@ssw0rd1234 /add /dom”).
  • [T1003] Credential Dumping – Dumping NTDS.dit using wbadmin.exe (“wbadmin.exe start backup -backuptarget:\\127.0.0.1\C$\ProgramData -include…”).
  • [T1059] Command and Scripting Interpreter – Use of built-in Windows utilities for discovery such as systeminfo, nltest, whoami, and net group commands (“internal reconnaissance using built-in Windows utilities”).
  • [T1105] Ingress Tool Transfer – Download and execution of trojanized MSI installers like ManageEngine-OpManager.msi and accompanying DLLs (“downloaded a trojanized MSI installer… loading Bumblebee malware msimg32.dll”).
  • [T1219] Remote Access Software – Installation of RustDesk remote access tool for persistence and re-entry (“installed the RustDesk remote access tool on several hosts”).
  • [T1041] Exfiltration Over C2 Channel – Exfiltration of data using SFTP client and FileZilla (“exfiltrated data via SFTP to 185.174.100[.]203”).
  • [T1490] Inhibit System Recovery – Deployment of Akira ransomware locker.exe with commands encrypting network shares and local files (“executed it with various command-line options to encrypt local, remote network shares”).
  • [T1573] Encrypted Channel – Use of SSH tunneling to proxy attacker activity (“established a SSH tunnel to an external server at 193.242.184[.]150”).

Indicators of Compromise

  • [Domain] Malicious SEO-poisoned sites – opmanager[.]pro, angryipscanner[.]org, axiscamerastation[.]org, ip-scanner[.]org
  • [IP Address] Command and control and infrastructure – 109.205.195[.]211, 188.40.187[.]145 (Bumblebee C2), 172.96.137[.]160 (AdaptixC2 C2), 193.242.184[.]150 (SSH Tunnel Host), 185.174.100[.]203 (SFTP exfiltration server)
  • [File Hash] Trojanized installers and malware payloads – ManageEngine-OpManager.msi (186b26df…), msimg32.dll (a6df0b49…), locker.exe (de730d96…) associated with Bumblebee and Akira ransomware, plus other variants reported by Swisscom B2B CSIRT
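The detection recommendations in the key points, the commands listed under MITRE Techniques and the indicators above can be turned into a single triage rule set. The following is an added example written for this summary, not code from The DFIR Report or Swisscom B2B CSIRT. It runs over constructed Sysmon-style events (process creation, process access, network connection); the event field names, the LSASS reader allowlist, the discovery-burst threshold and the sample command lines (including the wbadmin -include argument, which the report elides) are assumptions for the demo. The truncated file hashes are not used because the page only shows their prefixes.

```python
"""Detection logic for the intrusion pattern summarized above (added example,
not code from The DFIR Report).  Events are constructed Sysmon-style records
(process creation, process access, network connection); the field names,
the LSASS reader allowlist and the discovery-burst threshold are assumptions."""
import re

# Indicators from the report, kept defanged as published and refanged at load time.
DEFANGED_DOMAINS = ["opmanager[.]pro", "angryipscanner[.]org",
                    "axiscamerastation[.]org", "ip-scanner[.]org"]
DEFANGED_IPS = ["109.205.195[.]211", "188.40.187[.]145", "172.96.137[.]160",
                "193.242.184[.]150", "185.174.100[.]203"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') into a matchable string."""
    return re.sub(r"\[\.\]", ".", ioc).replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(i) for i in DEFANGED_IPS}

# Built-in discovery utilities named in the report; alert when one host runs
# DISCOVERY_BURST distinct ones (threshold is an assumption for the demo).
DISCOVERY = {"systeminfo.exe", "nltest.exe", "whoami.exe", "net.exe", "net1.exe"}
DISCOVERY_BURST = 3

# Processes expected to read LSASS memory (assumed allowlist); anything else is flagged.
LSASS_READERS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
PROCESS_VM_READ = 0x0010  # bit in the granted-access mask that allows memory reads


def scan(events):
    """Return (rule, host, detail) alerts for the behaviours and IoCs from the report."""
    alerts = []
    discovery_seen = {}
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process":
            name = ev["image"].lower().rsplit("\\", 1)[-1]
            cmd = ev["cmdline"].lower()
            # 1. MSI package installed from a user profile (trojanized installer pattern).
            if name == "msiexec.exe" and re.search(r"c:\\users\\[^\\]+\\.*\.msi", cmd):
                alerts.append(("msi_from_user_dir", host, ev["cmdline"]))
            # 2. NTDS.dit collected through a wbadmin backup.
            if name == "wbadmin.exe" and "start backup" in cmd and "ntds" in cmd:
                alerts.append(("ntds_backup_wbadmin", host, ev["cmdline"]))
            # 3. Domain account creation and privileged group changes via net.exe.
            if name in ("net.exe", "net1.exe"):
                if re.search(r"\buser\b.+/add\b.*/dom", cmd):
                    alerts.append(("domain_account_created", host, ev["cmdline"]))
                if re.search(r'\bgroup\b\s+"?(enterprise|domain) admins"?.+/add', cmd):
                    alerts.append(("privileged_group_add", host, ev["cmdline"]))
            # 4. Burst of distinct discovery utilities on one host (fires once per host).
            if name in DISCOVERY:
                tools = discovery_seen.setdefault(host, set())
                tools.add(name)
                if len(tools) == DISCOVERY_BURST:
                    alerts.append(("discovery_burst", host, ", ".join(sorted(tools))))
        elif kind == "process_access":
            # 5. Non-allowlisted process opening lsass.exe with a memory-read right.
            if (ev["target_image"].lower().endswith("\\lsass.exe")
                    and ev["granted_access"] & PROCESS_VM_READ
                    and ev["source_image"].lower() not in LSASS_READERS):
                alerts.append(("lsass_memory_read", host, ev["source_image"]))
        elif kind == "network":
            # 6. Connection to a published Bumblebee / AdaptixC2 / exfiltration indicator.
            dest_host = ev.get("dest_host", "").lower()
            if ev["dest_ip"] in IOC_IPS or dest_host in IOC_DOMAINS:
                alerts.append(("known_ioc_connection", host, dest_host or ev["dest_ip"]))
    return alerts


# Constructed sample telemetry replaying the chain: SEO-poisoned download, MSI install
# from Downloads, C2 beacon, discovery, account creation, NTDS backup, LSASS access.
# The wbadmin -include argument is invented here; the report only shows "-include...".
SAMPLE_EVENTS = [
    {"type": "network", "host": "WS01", "dest_ip": "203.0.113.10", "dest_host": "opmanager.pro"},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\jdoe\Downloads\ManageEngine-OpManager.msi"'},
    {"type": "network", "host": "WS01", "dest_ip": "188.40.187.145", "dest_host": ""},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:"},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" /dom'},
    {"type": "process", "host": "DC01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user backup_EA P@ssw0rd1234 /add /dom"},
    {"type": "process", "host": "DC01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Enterprise Admins" backup_EA /add /dom'},
    {"type": "process", "host": "DC01", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": r"wbadmin.exe start backup -backuptarget:\\127.0.0.1\C$\ProgramData -include:C:\Windows\NTDS\ntds.dit -quiet"},
    {"type": "process_access", "host": "DC01", "source_image": r"C:\Users\backup_EA\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    {"type": "process_access", "host": "DC01", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1FFFFF},
    {"type": "process", "host": "WS02", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi"'},  # benign, not flagged
]

if __name__ == "__main__":
    for rule, host, detail in scan(SAMPLE_EVENTS):
        print(f"{host:5} {rule:24} {detail}")
```

Running the script prints eight alerts: the two connections to published indicators, the MSI install from a Downloads folder, the discovery burst on the workstation, then on the domain controller the account creation, the Enterprise Admins addition, the wbadmin NTDS backup and the LSASS read; the allowlisted csrss.exe access and the Program Files MSI install are not flagged. The indicator rule is the lowest-effort win but also the most brittle, since infrastructure rotates; the behavioural rules (MSI from a user profile, wbadmin with an NTDS path, net user /add /dom, discovery bursts) are what survive a change of C2 addresses.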


Read more: https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/