A sophisticated search engine optimization (SEO) poisoning campaign that exploited Bing search results to distribute Bumblebee malware, ultimately leading to devastating Akira ransomware attacks.<\/p>\n
The campaign, active throughout July 2025, specifically targeted users searching for legitimate IT management software, demonstrating how threat actors continue to weaponize trusted search platforms to compromise enterprise networks.<\/p>\n
The attack began when unsuspecting users searched for \u201cManageEngine OpManager\u201d on Microsoft\u2019s Bing search engine and were redirected to the malicious domain opmanager[.]pro instead of the legitimate software vendor\u2019s website.<\/p>\n
This carefully crafted impersonation site hosted a trojanized MSI installer<\/a> file named ManageEngine-OpManager.msi, which appeared identical to the authentic software package but contained embedded malicious components designed to establish initial access to victim networks.<\/p>\n Upon execution of the malicious installer, the software appeared to function normally, installing the legitimate ManageEngine OpManager application to avoid suspicion.<\/p>\n However, during the installation process, the malware simultaneously deployed a malicious dynamic link library (DLL) file named msimg32.dll through the Windows consent.exe process.<\/p>\n The DFIR Report analysts identified<\/a> this sophisticated technique as a method to bypass security controls while maintaining the appearance of legitimate software installation.<\/p>\n The Bumblebee malware<\/a> established command and control communications with two remote servers at IP addresses 109.205.195[.]211:443 and 188.40.187[.]145:443 using domain generation algorithm (DGA) domains.<\/p>\n Approximately five hours after initial execution, the malware deployed an AdaptixC2 beacon identified as AdgNsy.exe, which created an additional communication channel to 172.96.137[.]160:443, providing threat actors with persistent access to the compromised environment.<\/p>\n The attack\u2019s success largely stemmed from targeting IT management tools<\/a>, ensuring that users executing the malware possessed highly privileged administrator accounts within Active Directory environments.<\/p>\n This strategic approach provided threat actors with immediate elevated access, eliminating the need for complex privilege escalation techniques typically required in targeted attacks.<\/p>\n Following initial reconnaissance using built-in Windows utilities including The backup_EA account was strategically added to the Enterprise Administrators group using the command The threat actors then connected to domain controllers via Remote Desktop Protocol and extracted the NTDS.dit file using Windows Backup Admin tool with the command: This technique allowed them to obtain password hashes for all domain accounts.<\/p>\n The campaign culminated in Akira ransomware<\/a> deployment using the payload locker.exe, with attackers achieving encryption in just 44 hours from initial access.<\/p>\n The threat actors demonstrated persistence by returning two days later to compromise child domains, highlighting the campaign\u2019s systematic and methodical approach to enterprise-wide network destruction.<\/p>\n Equip your SOC with full access to the latest threat data from\u00a0ANY.RUN TI Lookup<\/strong>\u00a0that can Improve incident response ->\u00a0Get 14-day\u00a0Free\u00a0Trial<\/a><\/strong><\/p>\n The post Bing Search Poisoned to Deliver Bumblebee Malware for \u2018ManageEngine OpManager\u2019 Searches<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiFFwCXl5f4OyJ7kXn063DpNPe4n-IlEAppCMUP-ukrqom-J7mWKZ_f2Ddxq24jqokoOC7f7qv3tOA_xjMHmWJ0Hbm9r0Rp3CN0wWq5ACbLHDkN8hxTHQU6tzmVUm_3ud2Hixf317zfWNZg84SQ2ihuyM2dNwu9Oe-jtZYj0yQuTwNUgp8k30QRt6T8ky8\/s16000\/ManageEngine%2520OpManager%2520In%2520Search%2520Result%2520%28Source%2520-%2520The%2520DFIR%2520Report%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh-1lhES-OYCPBvs71ge2iTD5txOFOjbqXHgXXfiNJDCw9493gJqu9C9nEjlb3BR4bwIaIMgvFN6wAIJRwJ6uGebSB27UkVBkSELNrt2w7bM03VJzX7gJqEfZzW50P_mYguhjJyCXF9_INALLQqam7otn2ThI2xvj8cZVaXXWKqmipYmhDZh2OMKoA41YU\/s16000\/Trojanized%2520MSI%2520installer%2C%2520ManageEngine-OpManager.msi%2520%28Source%2520-%2520The%2520DFIR%2520Report%29.webp?ssl=1\")
Infection Mechanism and Privilege Escalation<\/strong><\/h2>\n
systeminfo<\/code>, nltest \/dclist:<\/code>, whoami \/groups<\/code>, and net group domain admins \/dom<\/code>, the attackers created two new domain accounts named backup_DA and backup_EA.<\/p>\nnet group \"enterprise admins\" backup_EA \/add \/dom<\/code>, granting the attackers domain-wide administrative privileges.<\/p>\nwbadmin.exe start backup -backuptarget:\\127.0.0.1C$ProgramData -include:\"C:windowsNTDSntds.dit,C:windowssystem32configSYSTEM,C:windowssystem32configSECURITY\" -quiet<\/code>.<\/p>\n