
Bing Search for ‘ManageEngine OpManager’ Delivers Akira Ransomware


A simple Bing search for a popular IT tool turned into a full-scale ransomware attack. Threat actors abused search engine optimization (SEO) poisoning to push a fake download link into Bing search results, tricking IT administrators into installing malware disguised as legitimate software.

The campaign has raised serious concerns about how routine daily search habits can become a direct gateway to a devastating network compromise.

The attack began in July 2025 when a user searched Bing for “ManageEngine OpManager,” a widely used network monitoring tool.

Instead of landing on the real site, the user was redirected to a convincing lookalike domain that served a trojanized MSI installer. What followed was a carefully executed multi-day intrusion that ended with Akira ransomware deployed across the victim’s entire network.

Analysts from The DFIR Report documented this intrusion in a detailed technical report published on June 29, 2026, in partnership with Swisscom B2B CSIRT. 

According to the report, which The DFIR Report shared with Cyber Security News (CSN), the attack relied on two core tools, the BumbleBee loader and an AdaptixC2 beacon, to maintain persistent access and move freely through the victim environment.

The threat actors worked with patience and precision. They created fake admin accounts, installed remote access software as a Windows service, dumped the Active Directory database, and exfiltrated over 75GB of sensitive data to a server in Ukraine.

Initial Access (Source – The DFIR Report)

The entire operation from first click to ransomware deployment took roughly 44 hours.

The damage was severe. Akira ransomware, staged as locker.exe, used Windows Management Instrumentation to delete Volume Shadow Copies before encrypting systems.

The threat actor returned two days later to encrypt a child domain as well, ensuring no part of the network was left untouched.

‘ManageEngine OpManager’ Delivers Akira Ransomware

The infection chain started at opmanager[.]pro, a deceptive domain that appeared near the top of Bing search results through SEO poisoning.

The site cloned the legitimate ManageEngine download page and redirected victims to download-center[.]online, where the malicious MSI installer was ultimately delivered to the victim machine.

OpManager installer was dropped and executed by the malicious MSI (Source – The DFIR Report)

Once ManageEngine-OpManager.msi was executed, it dropped three files into a temporary folder: the real OpManager software as a decoy, a legitimate Windows binary called consent.exe, and the BumbleBee loader disguised as msimg32.dll.

The loader exploited the Windows DLL search order to run silently inside a trusted process, making detection difficult for standard security tools.

The MSI carried a revoked code-signing certificate issued to “LLC Resource+,” a signer with a documented history of BumbleBee-linked malware.

Targeting a ManageEngine installer was deliberate since IT administrators running such tools typically hold elevated system privileges, making them high-value targets for initial access.

AdaptixC2, Lateral Movement, and Data Exfiltration

About five hours after infection, BumbleBee dropped AdgNsy.exe, a renamed copy of the legitimate Windows Address Book utility, which was injected with AdaptixC2 shellcode.

This established a persistent command-and-control channel to 172.96.137[.]160, from which the attacker began mapping the internal network and identifying key assets, including domain controllers.

Two rogue domain accounts named backup_DA and backup_EA were created, with backup_EA added to the Enterprise Admins group for full forest-wide control.

RustDesk remote access software was then installed as a Windows service on multiple servers to ensure continued access if other channels were disrupted.

Veeam Credential Dump (Source – The DFIR Report)

On day two, the attacker moved to a domain controller via RDP and extracted the NTDS.dit Active Directory database using wbadmin.exe.

Veeam credentials were also pulled from a PostgreSQL database, and LSASS memory was dumped across multiple hosts. A reverse SSH tunnel then routed RDP traffic through an external server, effectively bypassing all firewall restrictions.

Organizations should monitor search results for impersonation of enterprise tools, especially those used by IT teams.

Blocking MSI execution from untrusted sources, enforcing DLL load order controls, and alerting on unexpected domain admin account creation are essential defensive steps.

Watching for remote access tools like RustDesk being registered as Windows services is equally important, as this was a pivotal persistence method used throughout this attack.
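As an added example (not code from The DFIR Report or from this article), the following Python script turns three of the detection points above into rules run over constructed sample events: a system DLL name such as msimg32.dll loaded from outside %SystemRoot% (the side-loading step described earlier), a remote access tool such as RustDesk registered as a Windows service, and a new member added to a privileged group like Enterprise Admins. The event IDs and field names are assumptions modelled on Sysmon and the Windows System/Security logs, and the sample events are constructed, not telemetry from the intrusion.

```python
# Added example, not code from the report: three detection rules over constructed
# Windows/Sysmon events. Event IDs assumed: Sysmon 7 (image load), System 7045
# (service installed), Security 4728/4756 (member added to a global/universal group).
import json
from pathlib import PureWindowsPath

# Constructed sample events as JSON lines (not telemetry from the intrusion).
SAMPLE_EVENTS = r'''
{"event_id": 7, "image": "C:\\Windows\\System32\\consent.exe", "loaded": "C:\\Users\\it-admin\\AppData\\Local\\Temp\\MSI1A2B.tmp\\msimg32.dll"}
{"event_id": 7, "image": "C:\\Windows\\System32\\consent.exe", "loaded": "C:\\Windows\\System32\\msimg32.dll"}
{"event_id": 7045, "service_name": "RustDesk Service", "image_path": "C:\\Program Files\\RustDesk\\rustdesk.exe --service"}
{"event_id": 7045, "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"}
{"event_id": 4756, "member": "backup_EA", "group": "Enterprise Admins"}
{"event_id": 4728, "member": "jdoe", "group": "Sales"}
'''

SYSTEM_DLLS = {"msimg32.dll"}             # system DLL names abused for side-loading
REMOTE_ACCESS_TOOLS = {"rustdesk"}        # remote access tools that should not appear as services
PRIVILEGED_GROUPS = {"enterprise admins", "domain admins"}
SYSTEM_ROOT = PureWindowsPath(r"C:\Windows")

def under_root(path, root):
    """True if path lies inside root (case-insensitive Windows path comparison)."""
    try:
        PureWindowsPath(path).relative_to(root)   # raises ValueError when outside root
        return True
    except ValueError:
        return False

def detect(lines):
    """Return one alert dict per suspicious event; everything else is ignored."""
    alerts = []
    for line in filter(None, (ln.strip() for ln in lines)):
        ev = json.loads(line)
        eid = ev.get("event_id")
        if eid == 7:  # a system DLL name loaded from outside %SystemRoot% = side-loading
            dll = PureWindowsPath(ev["loaded"])
            if dll.name.lower() in SYSTEM_DLLS and not under_root(dll, SYSTEM_ROOT):
                alerts.append({"rule": "dll_sideload", "image": ev["image"], "dll": str(dll)})
        elif eid == 7045:  # remote access tool registered as a service
            blob = f"{ev.get('service_name', '')} {ev.get('image_path', '')}".lower()
            if any(tool in blob for tool in REMOTE_ACCESS_TOOLS):
                alerts.append({"rule": "rat_service", "service": ev["service_name"]})
        elif eid in (4728, 4756):  # new member in a privileged group
            if ev.get("group", "").lower() in PRIVILEGED_GROUPS:
                alerts.append({"rule": "priv_group_add", "member": ev["member"], "group": ev["group"]})
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS.splitlines()), sep="\n")
```

The legitimate System32 copy of msimg32.dll and the Spooler service are deliberately included so the rules show they fire only on the out-of-place cases.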

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| Domain | opmanager[.]pro | SEO poisoning lookalike domain impersonating ManageEngine OpManager |
| Domain | download-center[.]online | Tier-2 delivery gateway serving trojanized MSI installer (Wave 2) |
| Domain | download-server[.]online | Tier-2 delivery gateway (Wave 1) |
| Domain | soft-server[.]online | Tier-2 delivery gateway (Wave 1) |
| Domain | zenmap[.]pro | SEO poisoning domain impersonating Zenmap (Wave 1) |
| Domain | ip-scanner[.]org | Impersonation domain used in Swisscom incident (Advanced IP Scanner) |
| Domain | netml[.]shop | Related campaign delivery domain (Ivanti VPN targeting) |
| Domain | shopping5[.]shop | Related campaign delivery domain (Ivanti VPN targeting) |
| Domain | ev2sirbd269o5j[.]org | BumbleBee DGA-generated C2 domain |
| Domain | 2rxyt9urhq0bgj[.]org | BumbleBee DGA-generated C2 domain |
| IP Address | 188.40.187[.]145 | BumbleBee C2 IP address (port 443) |
| IP Address | 109.205.195[.]211 | BumbleBee C2 IP address and AdaptixC2 payload delivery (port 443) |
| IP Address | 171.22.183[.]43 | BumbleBee C2 IP address |
| IP Address | 172.96.137[.]160 | AdaptixC2 C2 beacon IP (beachhead host) |
| IP Address | 170.130.55[.]223 | AdaptixC2 C2 IP (Swisscom intrusion) |
| IP Address | 84.32.84.32 | Shared Hostinger staging IP used across Wave 1 and Ivanti campaign |
| IP Address | 4.239.95[.]1 | C2 IP for Ivanti-targeting credential stealer (port 8080) |
| File Name | ManageEngine-OpManager.msi | Trojanized MSI installer (BumbleBee dropper) |
| File Name | msimg32.dll | BumbleBee first-stage loader (DLL side-loading) |
| File Name | consent.exe | Legitimate Windows binary abused for DLL side-loading |
| File Name | AdgNsy.exe | Renamed WAB.exe injected with AdaptixC2 shellcode |
| File Name | locker.exe | Akira ransomware binary staged for deployment |
| File Name | Advanced-IP-Scanner.msi | Trojanized MSI installer used in Swisscom incident |
| File Name | n.exe | SoftPerfect Network Scanner binary dropped by threat actor |
| File Name | 1.ps1 | PowerShell script used to install Cloudflare tunnel as service (Swisscom) |
| SSH C2 | 45[.]xxx[.]xxx[.]150 | Reverse SSH tunnel C2 server (port 22, internal RDP exposed on port 10400) |
| Utility | lsassy | Credential dumping tool used to extract LSASS memory across multiple hosts |
| Utility | FileZilla | Used for data exfiltration via SFTP to Ukraine-based server |
| Utility | RustDesk | Remote access tool installed as Windows service for persistence |
| Registry/Account | backup_DA / backup_EA | Rogue domain accounts created for persistence and privilege escalation |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post Bing Search for ‘ManageEngine OpManager’ Delivers Akira Ransomware appeared first on Cyber Security News.

Source: cybersecuritynews.com
