In a reminder that even a Google or Bing search can be the first step in a ransomware attack, The DFIR Report has unveiled a rapid and destructive intrusion campaign that begins with Bumblebee malware delivered via SEO poisoning and ends with the deployment of Akira ransomware in under 44 hours.
The campaign targets IT administrators searching for common tools, trojanizing legitimate software installers, and using them to infiltrate corporate networks with devastating efficiency.
The attack chain is very simple. A user looking for “ManageEngine OpManager” on Bing clicked on a malicious search result leading to opmanager[.]pro. They downloaded an MSI installer named ManageEngine-OpManager.msi — a seemingly authentic file.
“Upon execution, [the installer] installed the legitimate software while simultaneously loading the Bumblebee malware msimg32.dll via consent.exe,” the report explains.
This initial infection established Command and Control (C2) with two servers:
- 109.205.195[.]211:443
- 188.40.187[.]145:443
These connections used DGA (Domain Generation Algorithm) domains to obfuscate the malware’s behavior.
Within five hours, Bumblebee deployed a second-stage beacon, AdgNsy.exe (AdaptixC2), establishing another C2 at 172.96.137[.]160:443. The attacker launched an aggressive internal recon mission:
- systeminfo, nltest, whoami, and net group domain admins
- Created two new domain accounts: backup_DA and backup_EA
- Added backup_EA to Enterprise Admins
- Used RDP to access the domain controller
- Dumped NTDS.dit (Active Directory credentials) using:
The attacker installed RustDesk for persistent remote access and established a reverse SSH tunnel to 193.242.184[.]150. They also deployed:
- A renamed SoftPerfect Network Scanner (n.exe)
- Credential dumping scripts targeting Veeam backups via PostgreSQL
- FileZilla for data exfiltration to 185.174.100[.]203
- LSASS memory dumps via rundll32.exe and comsvcs.dll
Finally, they launched Akira ransomware using locker.exe, configured to encrypt:
- Local and remote shares
- Specific directories on multiple hosts
“The intrusion culminated in the deployment of Akira ransomware across the root domain… Two days later, the threat actor returned… encrypting systems within a child domain,” the report states.
From a Bing search to ransomware execution, the time-to-ransom (TTR) was just under 44 hours. In a parallel incident reported by Swisscom B2B CSIRT, the TTR was even shorter — just 9 hours.
This points to a new level of speed and coordination among attackers who combine ready-made toolchains with administrator credentials from the first moments of the intrusion.
This campaign reflects a dangerous trend where legitimate IT tools become trojanized delivery vehicles, and highly privileged users are the initial victims. The use of SEO poisoning to compromise search results adds another layer of threat sophistication.
Organizations must adopt defense-in-depth, validate software sources, and prioritize behavioral detection over static indicators.