BumbleBee and AdaptixC2 Deliver Akira Ransomware via Bing SEO

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Attack Chain: BumbleBee malware led to Akira ransomware deployment via a Bing SEO poisoning attack.
  • Initial Lure: A trojanized ManageEngine OpManager MSI was served from opmanager[.]pro.
  • Data Stolen: Over 75GB was exfiltrated via FileZilla and SFTP to a Ukraine-based server.

The DFIR Report has published an analysis of an Akira ransomware intrusion that began with a Bing SEO poisoning attack in July 2025. A user searching for "ManageEngine OpManager" was lured to the lookalike domain opmanager[.]pro, which delivered a trojanized MSI installer that deployed the BumbleBee loader via DLL side-loading.  

The threat actor exfiltrated over 75GB of data, including file shares, credentials, and SYSVOL configurations, via FileZilla and SFTP to a server in Ukraine. A second, related intrusion was confirmed by Swisscom B2B CSIRT.

From SEO Poisoning to BumbleBee Loader

After an IT administrator executed the malicious MSI, BumbleBee established command-and-control (C2) communication. Roughly five hours later, the threat actor deployed AdgNsy.exe, a renamed copy of the legitimate Windows Address Book utility (WAB.exe), injected with AdaptixC2 shellcode, creating a persistent C2 channel for network discovery.

Forensic analysis of the browser history mapped the sequence of redirects leading to the malicious host | Source: The DFIR Report

The attacker pivoted to a domain controller and extracted the Active Directory (AD) database using the native wbadmin.exe utility, according to The DFIR Report. 

They also performed Veeam credential dumping through the PostgreSQL database on the backup server and used a high-confidence match for the lsassy utility to dump LSASS memory across multiple hosts. A reverse SSH tunnel exposed internal RDP sessions to a threat actor-controlled external server.

Akira Deployed

The intrusion culminated approximately 44 hours after initial access with Akira ransomware, staged as locker.exe, which used WMI to delete Volume Shadow Copies. The actor returned two days later to encrypt a child domain.
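The report's observables above (a renamed WAB.exe running as AdgNsy.exe, wbadmin.exe used to capture the AD database, and WMI-driven shadow copy deletion) translate into simple process-creation triage rules. The following is an added illustration, not code from The DFIR Report; it assumes Sysmon Event ID 1 field names (Image, OriginalFileName, CommandLine, Computer), and the sample events and command lines are constructed.

```python
import re

# Legitimate Windows binaries the report saw renamed (WAB.exe -> AdgNsy.exe).
WATCHED_ORIGINAL_NAMES = {"wab.exe"}

# Command-line patterns: WMI shadow-copy deletion and wbadmin backups
# (the latter was used in the intrusion to capture the AD database).
SHADOWCOPY_RE = re.compile(r"shadowcopy.*delete|win32_shadowcopy.*delete", re.I)
WBADMIN_RE = re.compile(r"wbadmin(\.exe)?\s+start\s+backup", re.I)


def classify(event: dict) -> list[str]:
    """Return the rule names an event trips (empty list means benign)."""
    hits = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    # Renamed copy of a watched binary: PE original name vs. on-disk name.
    if original in WATCHED_ORIGINAL_NAMES and original != image:
        hits.append("renamed_system_binary")
    if SHADOWCOPY_RE.search(cmd):
        hits.append("wmi_shadowcopy_delete")
    if WBADMIN_RE.search(cmd):
        hits.append("wbadmin_backup")
    return hits


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each rule to the hosts where it fired, for quick scoping."""
    out: dict[str, list[str]] = {}
    for ev in events:
        for rule in classify(ev):
            out.setdefault(rule, []).append(ev["Computer"])
    return out


# Constructed sample events (assumed field layout; not the report's evidence).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\ProgramData\AdgNsy.exe",
     "OriginalFileName": "WAB.EXE", "CommandLine": r"C:\ProgramData\AdgNsy.exe"},
    {"Computer": "WS01", "Image": r"C:\Program Files\Windows Mail\wab.exe",
     "OriginalFileName": "WAB.EXE", "CommandLine": "wab.exe"},
    {"Computer": "DC01", "Image": r"C:\Windows\System32\wbadmin.exe",
     "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": r"wbadmin start backup -backupTarget:\\BACKUP01\share -quiet"},
    {"Computer": "FS01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe", "CommandLine": "wmic shadowcopy delete"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The second event shows why the renamed-binary rule compares the PE original name against the on-disk name rather than alerting on WAB.exe alone: the legitimate copy stays silent.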

In April, Tropic Trooper deployed AdaptixC2 and a custom beacon listener against targets in Asia. An early 2026 report found that Qilin and Akira emerged as the most prolific ransomware groups. 

In December 2025, security researchers discovered that Shanya Packer-as-a-Service (VX Crypt) powers modern Akira, Qilin, and Medusa ransomware attacks. 
