From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira
ID: e2e6b80d-645d-5b60-af90-8c8d4ed35d60
STIX ID: report--e2e6b80d-645d-5b60-af90-8c8d4ed35d60
Feed Name: The DFIR Report
This DFIR report describes a July 2025 SEO-poisoning campaign that served trojanized IT management installers (e.g., ManageEngine OpManager) to deliver the Bumblebee loader. This allowed the actors to gain privileged admin access, perform discovery and credential dumping (NTDS/LSASS), install remote access tools (RustDesk), exfiltrate data via SFTP, and deploy Akira ransomware across domains. The report includes detailed TTPs, detection/hunting guidance, and IOCs (domains, IPs, and hashes).
