From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

    Date: 06/30/2026

    Severity: Critical

    Summary

    Threat actors used SEO poisoning to distribute a trojanized ManageEngine OpManager installer that deployed Bumblebee malware for initial access. The intrusion progressed with AdaptixC2, credential theft from the domain controller, SSH-based lateral movement, and data exfiltration via FileZilla and SFTP. It culminated in the deployment of Akira ransomware, which encrypted both the root domain and a child domain.

    Indicators of Compromise (IOC) List

    The domains, IP addresses and file hashes observed in this intrusion also appear inline in the detection queries below.


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "2rxyt8yrhq0bgj.org" or url like "2rxyt8yrhq0bgj.org" or siteurl like "2rxyt8yrhq0bgj.org"
    or domainname like "ks501oz9nm3v05.org" or url like "ks501oz9nm3v05.org" or siteurl like "ks501oz9nm3v05.org"
    or domainname like "ev2sirbd269o5j.org" or url like "ev2sirbd269o5j.org" or siteurl like "ev2sirbd269o5j.org"
    or domainname like "ewujsfb1dp5ran.org" or url like "ewujsfb1dp5ran.org" or siteurl like "ewujsfb1dp5ran.org"
    or domainname like "ky1d1p1daahe5t.org" or url like "ky1d1p1daahe5t.org" or siteurl like "ky1d1p1daahe5t.org"
    or domainname like "6cimu4mc085em8.org" or url like "6cimu4mc085em8.org" or siteurl like "6cimu4mc085em8.org"
    or domainname like "d1hmxkpwby0d4s.org" or url like "d1hmxkpwby0d4s.org" or siteurl like "d1hmxkpwby0d4s.org"
    or domainname like "v5rjsdqogstopr.org" or url like "v5rjsdqogstopr.org" or siteurl like "v5rjsdqogstopr.org"
    or domainname like "8doj8uvx604eck.org" or url like "8doj8uvx604eck.org" or siteurl like "8doj8uvx604eck.org"
    or domainname like "download-center.online" or url like "download-center.online" or siteurl like "download-center.online"
    or domainname like "kwywztxoo2xdot.org" or url like "kwywztxoo2xdot.org" or siteurl like "kwywztxoo2xdot.org"
    or domainname like "ovh1kn1tcqw5kp.org" or url like "ovh1kn1tcqw5kp.org" or siteurl like "ovh1kn1tcqw5kp.org"
    or domainname like "5ka8rxp6t6eup2.org" or url like "5ka8rxp6t6eup2.org" or siteurl like "5ka8rxp6t6eup2.org"
    or domainname like "yj6jurm5qqkye5.org" or url like "yj6jurm5qqkye5.org" or siteurl like "yj6jurm5qqkye5.org"
    or domainname like "opmanager.pro" or url like "opmanager.pro" or siteurl like "opmanager.pro"

    Detection Query 2:

    dstipaddress IN ("193.242.184.150","171.22.183.43","172.96.137.160","188.40.187.145","109.205.195.211","192.121.22.94","194.127.178.21","185.174.100.203")
    or srcipaddress IN ("193.242.184.150","171.22.183.43","172.96.137.160","188.40.187.145","109.205.195.211","192.121.22.94","194.127.178.21","185.174.100.203")

    Detection Query 3:

    md5hash IN ("124a48b78060fa851e1cc077ca35713c","8c113b3aa82c81eee7c6b4ed0ba9a90f","ca8646dfc88423bb9fffda811160cebe")

    Detection Query 4:

    sha1hash IN ("d66944e1a57daf04d3e809f22cd01946d593acaf","ab82bf27132323861810c0efcac6d5dd01600dd4","febbaf5f08a8e0782ffcce8beef1f2b4e249a52b")

    Detection Query 5:

    sha256hash IN ("de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d","a6df0b49a5ef9ffd6513bfe061fb60f6d2941a440038e2de8a7aeb1914945331","186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da")
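As an added example that is not part of the Gurucul advisory, the matching behind Queries 1 to 5 written as a standalone checker for exported events, so the same logic can be run outside the SIEM or used to validate it. The indicator sets hold only a few of the advisory's values for illustration and are meant to be filled from the full lists above; the events and field names are constructed to mirror the query fields. Domain matching is done on the hostname (exact or subdomain) rather than as a bare substring, which avoids hits on unrelated names that merely contain an IOC string.

```python
# Added example (not from the advisory): standalone IOC matcher for the
# advisory's five detection queries. Indicator sets hold a few advisory
# values for illustration; load the full lists in practice. Events are constructed.
from urllib.parse import urlparse

IOC_DOMAINS = {"opmanager.pro", "download-center.online", "2rxyt8yrhq0bgj.org"}
IOC_IPS = {"192.121.22.94", "185.174.100.203"}
IOC_HASHES = {  # md5 / sha1 / sha256 from the advisory, stored lowercase
    "124a48b78060fa851e1cc077ca35713c",
    "ab82bf27132323861810c0efcac6d5dd01600dd4",
    "de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d",
}
HASH_QUERY = {32: 3, 40: 4, 64: 5}  # hex digest length -> advisory query number

def host_of(value):
    """Return the hostname from a bare domain or a full URL, lowercased."""
    value = value.strip().lower()
    host = urlparse(value).hostname if "://" in value else value.split("/")[0]
    return (host or "").rstrip(".")

def domain_hit(value):
    """True if the host equals an IOC domain or is a subdomain of one."""
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def match_event(event):
    """Return the sorted list of advisory query numbers the event triggers."""
    hits = set()
    for field in ("domainname", "url", "siteurl"):      # Query 1
        if event.get(field) and domain_hit(event[field]):
            hits.add(1)
    if {event.get("srcipaddress"), event.get("dstipaddress")} & IOC_IPS:  # Query 2
        hits.add(2)
    for field in ("md5hash", "sha1hash", "sha256hash"):  # Queries 3-5, case-insensitive
        h = (event.get(field) or "").lower()
        if h in IOC_HASHES:
            hits.add(HASH_QUERY[len(h)])
    return sorted(hits)

SAMPLE_EVENTS = [  # constructed events
    {"url": "https://opmanager.pro/download/ManageEngine_OpManager.exe"},
    {"domainname": "cdn.download-center.online", "dstipaddress": "185.174.100.203"},
    {"sha1hash": "AB82BF27132323861810C0EFCAC6D5DD01600DD4"},
    {"url": "https://www.manageengine.com/", "srcipaddress": "10.0.0.5"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(match_event(ev), ev)
```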

    Reference:

    https://thedfirreport.com/2026/06/29/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-3/#case-summary


    Tags

    SEO Poisoning, Trojan, Bumblebee, AdaptixC2, Credential Harvesting, Exfiltration, Malware, Threat Actor, Ransomware, Akira
