From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

    Date: 08/06/2025

    Severity: High

    Summary

    Bumblebee malware has been used for initial access since 2021, with SEO poisoning reported as a delivery method in 2023. In 2025, campaigns impersonating IT tools delivered trojanized software, leading to Bumblebee infections and Akira ransomware deployment. Threat actors leveraged this access to move laterally, steal credentials, install persistent tools, and exfiltrate data. The attacks escalated to full network compromise, encrypting both root and child domains, causing major operational disruption.

    Indicators of Compromise (IOC) List

    Domains\URLs:

    ev2sirbd269o5j.org
    2rxyt9urhq0bgj.org
    opmanager.pro
    angryipscanner.org
    axiscamerastation.org
    ip-scanner.org

    IP Addresses:

    109.205.195.211
    188.40.187.145
    172.96.137.160
    170.130.55.223
    193.242.184.150
    83.229.17.60
    185.174.100.203

    Hashes (SHA-256):

    186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da
    a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2
    a6df0b49a5ef9ffd6513bfe061fb60f6d2941a440038e2de8a7aeb1914945331
    6ba5d96e52734cbb9246bcc3decf127f780d48fa11587a1a44880c1f04404d23
    de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d
    18b8e6762afd29a09becae283083c74a19fc09db1f2c3412c42f1b0178bc122a

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs:

    domainname like "opmanager.pro" or url like "opmanager.pro" or siteurl like "opmanager.pro" or domainname like "2rxyt9urhq0bgj.org" or url like "2rxyt9urhq0bgj.org" or siteurl like "2rxyt9urhq0bgj.org" or domainname like "ev2sirbd269o5j.org" or url like "ev2sirbd269o5j.org" or siteurl like "ev2sirbd269o5j.org" or domainname like "ip-scanner.org" or url like "ip-scanner.org" or siteurl like "ip-scanner.org" or domainname like "angryipscanner.org" or url like "angryipscanner.org" or siteurl like "angryipscanner.org" or domainname like "axiscamerastation.org" or url like "axiscamerastation.org" or siteurl like "axiscamerastation.org"

    IP Addresses:

    dstipaddress IN ("109.205.195.211","188.40.187.145","172.96.137.160","170.130.55.223","193.242.184.150","83.229.17.60","185.174.100.203") or srcipaddress IN ("109.205.195.211","188.40.187.145","172.96.137.160","170.130.55.223","193.242.184.150","83.229.17.60","185.174.100.203")

    Hashes (SHA-256):

    sha256hash IN ("6ba5d96e52734cbb9246bcc3decf127f780d48fa11587a1a44880c1f04404d23","a6df0b49a5ef9ffd6513bfe061fb60f6d2941a440038e2de8a7aeb1914945331","186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da","a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2","de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d","18b8e6762afd29a09becae283083c74a19fc09db1f2c3412c42f1b0178bc122a")
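    As an added example (not part of this advisory and not Gurucul's TDIR query language), the Python below applies the same three IOC sets to JSON log records using the field names the queries above reference. The log lines are constructed for the demonstration, and matching a subdomain of an IOC domain is an assumption about how the `like` clauses are intended to behave.

```python
import json
from urllib.parse import urlsplit
# IOC sets copied verbatim from the advisory above.
IOC_DOMAINS = {"ev2sirbd269o5j.org", "2rxyt9urhq0bgj.org", "opmanager.pro",
               "angryipscanner.org", "axiscamerastation.org", "ip-scanner.org"}
IOC_IPS = {"109.205.195.211", "188.40.187.145", "172.96.137.160", "170.130.55.223",
           "193.242.184.150", "83.229.17.60", "185.174.100.203"}
IOC_SHA256 = {
    "186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da",
    "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
    "a6df0b49a5ef9ffd6513bfe061fb60f6d2941a440038e2de8a7aeb1914945331",
    "6ba5d96e52734cbb9246bcc3decf127f780d48fa11587a1a44880c1f04404d23",
    "de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d",
    "18b8e6762afd29a09becae283083c74a19fc09db1f2c3412c42f1b0178bc122a",
}

def domain_hit(host):
    # Match the host itself or any subdomain of an IOC domain, on label
    # boundaries: "cdn.opmanager.pro" hits, "notopmanager.pro" does not.
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in IOC_DOMAINS:
            return ".".join(labels[i:])
    return None

def match_record(rec):
    # Return [(ioc_type, value), ...] for one parsed log record (a dict),
    # checking the same field names the TDIR queries above reference.
    hits = []
    for host in (rec.get("domainname"), rec.get("siteurl"),
                 urlsplit(rec.get("url", "")).hostname):
        if host and (d := domain_hit(host)):
            hits.append(("domain", d))
    for field in ("srcipaddress", "dstipaddress"):
        if rec.get(field) in IOC_IPS:
            hits.append(("ip", rec[field]))
    if (rec.get("sha256hash") or "").lower() in IOC_SHA256:  # case-insensitive
        hits.append(("sha256", rec["sha256hash"].lower()))
    return hits

def scan_log(lines):
    # Parse JSON log lines; map line number -> hits, for lines with any hit.
    return {n: h for n, line in enumerate(lines, 1)
            if (h := match_record(json.loads(line)))}
# Constructed sample log lines (not real telemetry): lines 1-2 hit, line 3 does not.
SAMPLE_LOG = [
    '{"url": "https://cdn.opmanager.pro/setup.msi", "dstipaddress": "203.0.113.10"}',
    '{"srcipaddress": "10.0.0.5", "dstipaddress": "193.242.184.150", "sha256hash": "DE730D969854C3697FD0E0803826B4222F3A14EFE47E4C60ED749FFF6EDCE19D"}',
    '{"domainname": "notopmanager.pro", "dstipaddress": "198.51.100.7"}',
]
```

    Running `scan_log(SAMPLE_LOG)` flags only the first two lines; the third shows why matching must stop at label boundaries rather than on a bare substring.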

    Reference:

    https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/

    Tags: Malware, Ransomware, Bumblebee, Akira
