A recent and highly sophisticated search engine optimization (SEO) poisoning campaign has been identified, which exploited Bing search results to distribute the dangerous Bumblebee malware, a precursor to devastating Akira ransomware attacks. Active throughout July 2025, the campaign specifically targeted users searching for legitimate IT management software, demonstrating a growing trend where threat actors weaponize trusted search platforms to compromise enterprise networks. This attack serves as a stark reminder of the evolving tactics used by cybercriminals to bypass security measures and gain a foothold in corporate environments.
The attack was meticulously planned and began when unsuspecting users searched for “ManageEngine OpManager” on Microsoft’s Bing search engine.
Instead of being directed to the official vendor’s website, users were led to a malicious domain, opmanager[.]pro. This carefully crafted impersonation site hosted a trojanized MSI installer file named ManageEngine-OpManager.msi. This file was designed to look identical to the authentic software package, but it was embedded with malicious components intended to establish initial access to victim networks. The deceptive nature of the site and the installer made it difficult for users to distinguish the fake from the genuine software.
Upon execution, the malicious installer appeared to function normally, proceeding with the installation of the legitimate ManageEngine OpManager application to avoid raising suspicion. However, behind the scenes, a malicious dynamic link library (DLL) file named msimg32.dll was simultaneously deployed through the Windows consent.exe process. Analysts from The DFIR Report identified this as a sophisticated technique designed to bypass standard security controls by masquerading as part of a legitimate software installation process.
This stealthy method allowed the malware to gain a foothold in the system without triggering immediate alerts, a crucial step for the threat actors to maintain persistence.
Following the successful installation, the Bumblebee malware established command and control (C2) communications with two remote servers using domain generation algorithm (DGA) domains. These C2 servers, located at IP addresses 109.205.195[.]211:443 and 188.40.187[.]145:443, allowed the threat actors to maintain remote access. Approximately five hours after the initial infection, the malware deployed an AdaptixC2 beacon, AdgNsy.exe, which created an additional communication channel to 172.96.137[.]160:443. This beacon provided the attackers with persistent and robust access to the compromised environment, enabling them to move laterally and prepare for the final stages of the attack.
The success of this campaign was largely due to its strategic targeting of IT management tools, ensuring that users executing the malware possessed highly privileged administrator accounts within their Active Directory environments. This strategic approach provided threat actors with immediate elevated access, eliminating the need for complex and time-consuming privilege escalation techniques. By directly targeting high-privilege users, the attackers were able to quickly and efficiently establish control over the network, ultimately paving the way for the deployment of the devastating Akira ransomware, which encrypts critical data and demands a ransom for its decryption.
Reference:
