From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

  • Detect domain user creation followed by immediate privilege escalation via net utility commands:
    net user backup_EA P@ssw0rd1234 /add /dom
    net group "enterprise admins" backup_EA /add /dom
  • Hunt for backup account creation with predictable naming patterns: Monitor net user backup_* or backup_EA/backup_DA account creation followed by admin group additions

Command & Control

  • Monitor for SSH reverse tunneling to external IPs:
    ssh root@ -R *:10400 -p22
  • Hunt for Bumblebee DGA patterns: Look for multiple DNS queries to domains matching the pattern [8-14 random chars].org (e.g., ev2sirbd269o5j[.]org, ijt0l3i8brit6q[.]org) within seconds of each other.
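
The DGA hunt above as runnable detection logic, an added example that is not code from the report or from The DFIR Report: it scans constructed DNS query lines and flags any client that resolves several distinct 8-14 character .org names inside a short window. The requirement that the label contain a digit is this example's own heuristic, added so that ordinary 8-14 letter words such as angryipscanner.org are not flagged on length alone.

```python
"""Bumblebee-style DGA burst detection over DNS query logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from the incident: "<ISO time> <client> <name>".
SAMPLE_DNS_LOG = """\
2025-01-15T09:12:01 10.0.5.21 ev2sirbd269o5j.org
2025-01-15T09:12:01 10.0.5.21 ijt0l3i8brit6q.org
2025-01-15T09:12:02 10.0.5.21 2rxyt9urhq0bgj.org
2025-01-15T09:12:03 10.0.5.21 p8kd3m1qzt0w.org
2025-01-15T09:12:05 10.0.5.21 www.example.org
2025-01-15T09:30:00 10.0.5.40 angryipscanner.org
2025-01-15T09:30:09 10.0.5.40 b7c2x9.org
2025-01-15T09:31:10 10.0.5.40 m3n8q1z5k2p7.org
"""

# Single-label .org name with 8-14 lowercase alphanumerics: the report's pattern.
DGA_LABEL = re.compile(r"^[a-z0-9]{8,14}\.org$")


def is_dga_candidate(name: str) -> bool:
    """True when the name has the DGA shape and its label contains a digit
    (the digit check is this example's heuristic, not part of the report)."""
    name = name.lower().rstrip(".")
    if not DGA_LABEL.match(name):
        return False
    return any(ch.isdigit() for ch in name[:-4])


def find_dga_bursts(log_text: str, window_s: int = 10, min_domains: int = 3) -> dict:
    """Return {client: sorted candidate names} for every client that queried at
    least min_domains distinct candidates inside some window_s-second span."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, name = line.split()
        if is_dga_candidate(name):
            per_client[client].append((datetime.fromisoformat(ts), name.lower()))
    hits = {}
    window = timedelta(seconds=window_s)
    for client, events in per_client.items():
        events.sort()  # chronological; the sliding window starts at each event
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= min_domains:
                hits[client] = sorted(names)
                break
    return hits


if __name__ == "__main__":
    for client, names in find_dga_bursts(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like .org lookups: {', '.join(names)}")
```

Only 10.0.5.21 is reported: its four candidate lookups fall within two seconds, while 10.0.5.40 produces a single candidate and two names that fail the shape check.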

Lateral Movement

  • Hunt for RDP logons using newly created accounts: Monitor Type 10 logons from compromised internal systems using accounts like backup_EA
  • Detect suspicious inter-system authentication patterns: Look for authentication from initial access systems to domain controllers within hours of account creation

Data Collection & Exfiltration

  • Hunt for FileZilla installation on servers followed by large outbound transfers: Detect FileZilla_*_setup.exe execution on server systems, especially when followed by significant network traffic
  • Look for data staging in ProgramData: Monitor file writes to C:\ProgramData\shares.txt and C:\ProgramData\*.txt containing reconnaissance output

Defense Evasion

  • Detect case variation in command execution: Hunt for mixed-case command invocations like Cmd.eXE or CmD.Exe, which may indicate evasion attempts

Behavioral Correlation Rules

  • Multi-stage attack progression: Alert when a single system exhibits MSI installation → discovery commands → credential access → lateral movement within 24 hours
  • Cross-system activity correlation: Hunt for accounts created on one system and immediately used for authentication on another (<= 5 mins)
  • Tool deployment patterns: Monitor for remote access tool installation (RustDesk) followed by SSH tunneling activity from the same network segment
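
The cross-system correlation rule and the Lateral Movement hunt for Type 10 logons by new accounts, combined into one added example that is not code from the report or from The DFIR Report: it pairs a Windows account-creation event (4720) with a logon (4624) of the same account on a different host within five minutes, then scores the pairing on the other signals the hunts describe (RDP logon, a backup_XX-style name, an admin group addition on the creating host). The event records and the flat field names are constructed for the example.

```python
"""Correlate new-account creation with remote use of that account (added example)."""
import re
from datetime import datetime, timedelta

# Constructed, normalised event stream; "user" is the account the event concerns.
EVENTS = [
    {"time": "2025-01-15T10:00:00", "host": "WKS-021", "event_id": 4720, "user": "backup_EA"},
    {"time": "2025-01-15T10:00:20", "host": "WKS-021", "event_id": 4728, "user": "backup_EA"},
    {"time": "2025-01-15T10:03:45", "host": "DC01", "event_id": 4624, "user": "backup_EA", "logon_type": 10},
    {"time": "2025-01-15T11:00:00", "host": "SRV-FS1", "event_id": 4720, "user": "svc_backup"},
    {"time": "2025-01-15T11:00:30", "host": "SRV-FS1", "event_id": 4624, "user": "svc_backup", "logon_type": 2},
    {"time": "2025-01-15T12:00:00", "host": "WKS-007", "event_id": 4720, "user": "jdoe"},
    {"time": "2025-01-15T13:00:00", "host": "DC01", "event_id": 4624, "user": "jdoe", "logon_type": 10},
]

PREDICTABLE_NAME = re.compile(r"^backup_[a-z]{2}$", re.IGNORECASE)  # backup_EA, backup_DA
ADMIN_GROUP_ADD = {4728, 4732}  # member added to a security-enabled global / local group


def _when(event):
    return datetime.fromisoformat(event["time"])


def correlate_new_account_logons(events, window_s: int = 300):
    """Return (user, created_on, logged_on_to, seconds, logon_type) for every
    account created on one host and authenticated on another within window_s."""
    window = timedelta(seconds=window_s)
    creations = [e for e in events if e["event_id"] == 4720]
    logons = [e for e in events if e["event_id"] == 4624]
    findings = []
    for c in creations:
        for l in logons:
            if l["user"] != c["user"] or l["host"] == c["host"]:
                continue  # same account, different host only
            delta = _when(l) - _when(c)
            if timedelta(0) <= delta <= window:
                findings.append((c["user"], c["host"], l["host"],
                                 int(delta.total_seconds()), l.get("logon_type")))
    return findings


def risk_score(finding, events):
    """1 for the cross-host pairing itself, +1 for each corroborating signal."""
    user, created_on, _, _, logon_type = finding
    score = 1
    if logon_type == 10:
        score += 1  # RDP logon with the freshly created account
    if PREDICTABLE_NAME.match(user):
        score += 1  # backup_EA / backup_DA naming pattern
    if any(e["event_id"] in ADMIN_GROUP_ADD and e["user"] == user
           and e["host"] == created_on for e in events):
        score += 1  # admin group addition right after creation
    return score
```

Of the three created accounts only backup_EA is reported: svc_backup logs on to the same host it was created on, and jdoe's remote logon comes an hour later.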

Indicators of Compromise (IOCs)

Domains:

  ev2sirbd269o5j.org (Bumblebee DGA domain)
  2rxyt9urhq0bgj.org (Bumblebee DGA domain)

  DFIR Report:
  opmanager[.]pro (Malicious site for trojanized installer)
  angryipscanner.org (Malicious site for trojanized installer)
  axiscamerastation.org (Malicious site for trojanized installer)

  Swisscom B2B CSIRT:
  ip-scanner[.]org (Malicious site for trojanized installer)

IP Addresses:

  109.205.195[.]211 (Bumblebee C2)
  188.40.187[.]145 (Bumblebee C2)

  DFIR Report:
  172.96.137[.]160 (AdaptixC2 C2)
  193.242.184[.]150 (SSH Tunnel Host)

  Swisscom B2B CSIRT:
  170.130.55[.]223 (AdaptixC2 C2)
  83.229.17[.]60 (SSH Tunnel Host)

  185.174.100[.]203 (SFTP Exfiltration Server)

File Hashes:

  DFIR Report:
  ManageEngine-OpManager.msi
  186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da (Malicious installer)
  msimg32.dll
  a6df0b49a5ef9ffd6513bfe061fb60f6d2941a440038e2de8a7aeb1914945331 (Bumblebee)
  locker.exe
  de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d (Akira ransomware)

  Swisscom B2B CSIRT:
  Advanced-IP-Scanner.msi
  a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2 (Malicious installer)
  msimg32.dll
  6ba5d96e52734cbb9246bcc3decf127f780d48fa11587a1a44880c1f04404d23 (Bumblebee)
  win.exe
  18b8e6762afd29a09becae283083c74a19fc09db1f2c3412c42f1b0178bc122a (Akira ransomware)

#TB36726