VYPR · breach
Published Jun 29, 2026 · 1 source

Bumblebee and AdaptixC2 Chain Deliver Akira Ransomware via SEO Poisoning

A sophisticated attack chain beginning with Bing SEO poisoning, leveraging Bumblebee malware and AdaptixC2 for command and control, culminates in the deployment of Akira ransomware.

A recent investigation by The DFIR Report details a complex intrusion campaign that begins with a seemingly innocuous search engine query and ends with the devastating deployment of Akira ransomware. The attack chain, observed in July 2025, utilized SEO poisoning to lure victims searching for legitimate software, specifically ManageEngine OpManager, to a malicious look-alike domain. This domain then redirected users to download a trojanized installer, which, upon execution, dropped the Bumblebee first-stage loader.

Once on the beachhead host, the Bumblebee loader (msimg32.dll) established command-and-control (C2) communication with the threat actor's infrastructure. Approximately five hours into the compromise, the attackers escalated their presence by deploying AdaptixC2 shellcode, disguised as a renamed legitimate Windows utility (AdgNsy.exe). This established a persistent C2 channel, allowing the threat actors to conduct reconnaissance using built-in Windows tools like systeminfo and nltest to map the internal network. To solidify their foothold, they created new domain accounts with Enterprise Admin privileges and installed RustDesk as a Windows service on multiple servers.

The second and third days of the intrusion saw the threat actors move laterally across the network, utilizing Remote Desktop Protocol (RDP) to access a domain controller and a backup server. Their activities included extensive credential harvesting, employing tools like wbadmin.exe to extract the NTDS.dit Active Directory database and custom PowerShell scripts to decrypt Veeam credentials. The lsassy utility was also used to dump LSASS memory from various hosts, further aiding in their credential acquisition efforts.

Throughout the operation, the threat actors demonstrated a focus on defense evasion and stealth. They established a reverse SSH tunnel to proxy RDP traffic, effectively bypassing firewall restrictions. Command-line obfuscation techniques, such as using mixed-case characters in pOWerShELl.exE, were also employed. In a parallel incident linked to the same campaign, a Bring Your Own Vulnerable Driver (BYOVD) attack was used to disable endpoint security controls, highlighting a multi-faceted approach to evading detection.

Data exfiltration was a significant component of the attack, with the threat actors using FileZilla, likely introduced via RDP clipboard, to transfer over 75GB of sensitive data. This included file shares, user credentials, and SYSVOL domain configurations, all exfiltrated to a server located in Ukraine. The intrusion culminated approximately 44 hours after initial access with the deployment of Akira ransomware, staged as locker.exe. The ransomware utilized Windows Management Instrumentation (WMI) to delete Volume Shadow Copies, a common tactic to prevent easy recovery and maximize the impact of the encryption.
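The reconnaissance with systeminfo and nltest, the Enterprise Admin group change, the RustDesk service installation, the wbadmin extraction of NTDS.dit, the mixed-case pOWerShELl.exE invocation and the WMI shadow-copy deletion described above each leave a process-creation artifact that a defender can alert on. The following Python is an added detection example, not code from The DFIR Report or Vypr: it runs simple rules over constructed Sysmon-style process-creation events, and the hostnames, command lines, rule names and severities are all invented for the example.

```python
"""Detection logic for the post-compromise behaviours in the write-up, run over
constructed process-creation events (Sysmon Event ID 1 style fields).
Added example, not code from The DFIR Report; all sample data is invented."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str      # hostname the event was recorded on (invented)
    image: str     # full path of the executed image, as logged by the OS
    cmdline: str   # raw command line, preserving the attacker's casing


def basename(path: str) -> str:
    """Last path component, accepting both slash styles."""
    return re.split(r"[\\/]", path)[-1]


def first_token(cmdline: str) -> str:
    """Executable name as typed on the command line (quotes stripped)."""
    parts = cmdline.strip().split()
    return basename(parts[0].strip('"')) if parts else ""


# Image paths are normalised by the OS, so casing tricks such as pOWerShELl.exE
# survive only in the raw CommandLine field; inspect that field, and make sure
# the log pipeline has not lower-cased it before this rule runs.
CANONICAL_POWERSHELL = {"powershell.exe", "PowerShell.exe", "POWERSHELL.EXE"}


def powershell_casing_obfuscation(e: ProcEvent) -> bool:
    name = first_token(e.cmdline)
    return name.lower() == "powershell.exe" and name not in CANONICAL_POWERSHELL


def host_and_domain_recon(e: ProcEvent) -> bool:
    # systeminfo / nltest used to fingerprint the host and locate domain controllers
    return basename(e.image).lower() in {"systeminfo.exe", "nltest.exe"}


def enterprise_admin_group_change(e: ProcEvent) -> bool:
    # net.exe adding a principal to the Enterprise Admins group
    c = e.cmdline.lower()
    return (basename(e.image).lower() in {"net.exe", "net1.exe"}
            and re.search(r"\bgroup\b", c) is not None
            and "enterprise admins" in c and "/add" in c)


def remote_access_tool_service(e: ProcEvent) -> bool:
    # RustDesk being registered as a Windows service through sc.exe
    c = e.cmdline.lower()
    return (basename(e.image).lower() == "sc.exe"
            and re.search(r"\bcreate\b", c) is not None and "rustdesk" in c)


def ntds_dit_backup_extraction(e: ProcEvent) -> bool:
    # wbadmin used to copy the locked AD database via the backup API
    return basename(e.image).lower() == "wbadmin.exe" and "ntds" in e.cmdline.lower()


SHADOW_DELETE = re.compile(
    r"(wmic\b.*\bshadowcopy\b.*\bdelete\b|win32_shadowcopy.*delete)", re.I)


def shadow_copy_deletion_wmi(e: ProcEvent) -> bool:
    # Volume Shadow Copy removal through WMI, either wmic or PowerShell WMI cmdlets
    return SHADOW_DELETE.search(e.cmdline) is not None


# (rule name, severity, predicate), in the order findings are reported
RULES = [
    ("host_and_domain_recon", "low", host_and_domain_recon),
    ("enterprise_admin_group_change", "high", enterprise_admin_group_change),
    ("remote_access_tool_service", "medium", remote_access_tool_service),
    ("ntds_dit_backup_extraction", "critical", ntds_dit_backup_extraction),
    ("powershell_casing_obfuscation", "medium", powershell_casing_obfuscation),
    ("shadow_copy_deletion_wmi", "critical", shadow_copy_deletion_wmi),
]


def evaluate(events):
    """Run every rule over every event; one finding per (event, rule) hit."""
    findings = []
    for e in events:
        for name, severity, pred in RULES:
            if pred(e):
                findings.append({"host": e.host, "rule": name,
                                 "severity": severity, "cmdline": e.cmdline})
    return findings


def hosts_with_rule(findings, rule):
    """Distinct hosts that triggered a rule, in first-seen order."""
    seen = []
    for f in findings:
        if f["rule"] == rule and f["host"] not in seen:
            seen.append(f["host"])
    return seen


# Constructed sample events mirroring the stages in the write-up (all values invented)
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ProcEvent("WS01", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp.local"),
    ProcEvent("WS01", r"C:\Windows\System32\net.exe",
              'net group "Enterprise Admins" svc_backup /add /domain'),
    ProcEvent("SRV-FS01", r"C:\Windows\System32\sc.exe",
              r'sc create RustDesk binPath= "C:\Program Files\RustDesk\rustdesk.exe" start= auto'),
    ProcEvent("DC01", r"C:\Windows\System32\wbadmin.exe",
              r"wbadmin start backup -backuptarget:\\SRV-FS01\share -include:C:\Windows\NTDS\ntds.dit -quiet"),
    ProcEvent("SRV-BK01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "pOWerShELl.exE -nop -w hidden -enc AAAA"),
    ProcEvent("SRV-FS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    ProcEvent("WS02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),  # benign
    ProcEvent("WS02", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),  # benign
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f['severity']:>8}] {f['host']:<9} {f['rule']:<30} {f['cmdline']}")
```

The recon rule is deliberately low severity, since systeminfo and nltest are also run by administrators; its value comes from correlating it by host and time window with the higher-severity hits, which in this intrusion would have surfaced the beachhead host within the first hours. The casing rule only works on the raw command line, because the image path recorded by the OS is already normalised and would never show the mixed-case string.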

This campaign aligns with a broader Bumblebee SEO poisoning operation identified earlier in May 2025. The attackers employed a standardized two-tier delivery architecture: Tier 1 consisted of impersonation front-ends on malvertising domains that appeared in search results, serving high-fidelity clones of legitimate download pages. Tier 2 involved backend servers hosting trojanized MSI installers, dynamically serving malicious packages via a uniform URL parameter. This infrastructure was used to distribute Bumblebee infections by masquerading as various enterprise software suites.

The DFIR Report's analysis, combined with observations from Swisscom B2B CSIRT in a parallel intrusion, provides a comprehensive view of this evolving threat. The campaign's reliance on SEO poisoning for initial access, coupled with the sophisticated use of AdaptixC2 for C2 and the ultimate deployment of Akira ransomware, underscores the persistent threat posed by well-resourced and adaptable threat actors targeting organizations through multiple vectors.

Synthesized by Vypr AI