From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira
ID: d4e210b7-fc52-5d67-a9fc-6c5833a7357e
STIX ID: report--d4e210b7-fc52-5d67-a9fc-6c5833a7357e
Feed Name: The DFIR Report
A July 2025 SEO-poisoning campaign lured IT administrators searching Bing to trojanized installers (e.g., ManageEngine-OpManager.msi) that side-loaded the Bumblebee loader as a malicious msimg32.dll. Bumblebee handed off to AdaptixC2, from which the operators moved quickly to domain compromise (NTDS.dit dump, LSASS memory theft), established persistence with RustDesk, set up SSH tunneling for proxying, exfiltrated data over SFTP, and deployed Akira ransomware across both the root and child domains. The full report provides multiple IOCs (domains, IPs, and file hashes) and defensive hunting recommendations.
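The initial-access step above hinges on DLL side-loading: a DLL carrying the name of a Windows system library (msimg32.dll) is dropped next to a trojanized installer and loaded from there instead of from System32. The following is an added hunting example, not code from The DFIR Report or from the post behind this summary: it flags image-load events where a watched DLL name is loaded from outside the Windows system directories. The event shape is a simplified Sysmon Event ID 7 (ImageLoaded) record, the sample events are constructed for this example rather than taken from the incident, and the DLL names other than msimg32.dll are assumptions added for breadth.

```python
"""Hunt for DLL side-loading: a system-DLL name loaded from a non-system path.

Added example. Events are constructed in a simplified Sysmon EventID 7
(ImageLoaded) shape; they are not telemetry from the reported intrusion.
"""
import ntpath

# msimg32.dll is the side-loaded name reported on the page; the other names are
# assumptions, added because they are commonly abused the same way.
WATCHED_DLLS = {"msimg32.dll", "version.dll", "dbghelp.dll", "wininet.dll"}

# Directories from which these DLLs are legitimately loaded (normalized form).
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Constructed sample events (not real logs). Event 4 uses a '..' segment to
# show why paths must be normalized before the system-directory check.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\admin\AppData\Local\Temp\OpManager\setup.exe",
     "ImageLoaded": r"C:\Users\admin\AppData\Local\Temp\OpManager\msimg32.dll",
     "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\admin\Downloads\ManageEngine-OpManager.msi"},
    {"EventID": 7, "Image": r"C:\Users\admin\Downloads\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\app.dll", "Signed": "true"},
]


def normalize(path: str) -> str:
    """Lower-case, unify separators and collapse '..' so that
    'C:/Windows/System32/../Temp/x.dll' cannot pass as a system path."""
    return ntpath.normcase(ntpath.normpath(path))


def is_system_dir(path: str) -> bool:
    """True when the (normalized) path sits under a Windows system directory."""
    return normalize(path).startswith(SYSTEM_DIRS)


def find_sideloads(events):
    """Return one finding per ImageLoaded event whose DLL name is watched and
    whose path is outside the system directories. Other event IDs are skipped."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        loaded = ev["ImageLoaded"]
        name = ntpath.basename(normalize(loaded))
        if name not in WATCHED_DLLS or is_system_dir(loaded):
            continue
        hits.append({
            "process": ev["Image"],
            "dll": loaded,
            "signed": ev.get("Signed", "unknown"),
            "reason": f"{name} loaded from outside the Windows system directories",
        })
    return hits


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"{hit['process']} -> {hit['dll']} (signed={hit['signed']}): {hit['reason']}")
```

In a real hunt the same check would run over exported Sysmon or EDR image-load telemetry; the Signed field is carried through so that an unsigned copy of a normally Microsoft-signed DLL can be prioritized, and the parent process (here the installer dropped from the poisoned search result) is the pivot for the rest of the chain.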
