Threat Actors Poison Bing Search Results to Distribute Bumblebee Malware via ‘ManageEngine OpManager’ Queries


Threat actors leveraged SEO poisoning techniques to manipulate Bing search results, directing users querying for “ManageEngine OpManager” to a malicious domain, opmanager[.]pro.

This site distributed a trojanized MSI installer named ManageEngine-OpManager.msi, which covertly deployed the Bumblebee malware loader while installing legitimate software.

Bumblebee, first identified in late 2021 as an initial access tool associated with actors like EXOTIC LILY and TA578, utilizes a unique user-agent string and is often delivered via ISO files containing DLLs with custom loaders.


Emergence of SEO Poisoning Campaign

In this instance, the malware was embedded in msimg32.dll and executed through consent.exe, establishing command-and-control (C2) communications with dynamically generated domains via a domain generation algorithm (DGA).

This resurgence echoes prior reports, including a May 2025 Cyjax analysis of similar Bing-based poisoning impersonating IT tools, and aligns with Bumblebee’s evolution toward modular structures akin to TrickBot, as noted in 2022 ESET research.

Because the campaign targeted privileged IT administrators searching for network management software, escalation was rapid: Bumblebee typically fetches follow-on payloads such as Cobalt Strike, and in this case the intrusion led to Akira ransomware deployment.


Confirmation from Swisscom B2B CSIRT of a parallel intrusion via a trojanized Advanced-IP-Scanner.msi further underscores the campaign’s breadth, affecting multiple organizations and resulting in swift time-to-ransomware (TTR) metrics, ranging from nine hours in the Swisscom case to 44 hours in the observed incident.

Detailed Intrusion Analysis

According to the report, upon execution, the Bumblebee payload initiated C2 with IP addresses such as 109.205.195[.]211 and 188.40.187[.]145 using DGA domains like ev2sirbd269o5j.org.

Within hours, it deployed an AdaptixC2 beacon (AdgNsy.exe) for additional C2 to 172.96.137[.]160, enabling internal reconnaissance via commands like systeminfo, nltest /dclist:, and net group domain admins /dom.

Threat actors then created privileged accounts (e.g., backup_EA) and escalated privileges, laterally moving to domain controllers via RDP to dump NTDS.dit using wbadmin.exe for credential extraction.

Persistence was achieved through RustDesk installations, while an SSH reverse tunnel to 193.242.184[.]150 proxied further activity.

Discovery involved deploying a renamed SoftPerfect network scanner (n.exe) and querying Veeam PostgreSQL databases with psql.exe for stored credentials.

Data exfiltration occurred via FileZilla SFTP to 185.174.100[.]203, preceded by LSASS dumping using rundll32.exe with comsvcs.dll across multiple hosts.

The intrusion culminated in Akira ransomware (locker.exe) deployment, encrypting root and child domains with options targeting local drives and network shares.

This sequence highlights Bumblebee’s role in pre-ransomware ecosystems, as documented in historical analyses from Proofpoint and Microsoft, where it overlaps with tools like Sliver and Conti.

For detection, organizations should hunt for anomalous MSI executions from user directories spawning consent.exe, mixed-case command invocations for evasion, and rapid enumeration sequences.

Behavioral rules correlating MSI installs with discovery, credential access, and lateral movement within 24 hours can enhance threat hunting, while monitoring DGA patterns and SSH tunneling provides proactive defense against such initial access brokers.
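The three hunts described above (MSI from a user profile spawning consent.exe, mixed-case discovery commands, and rapid enumeration sequences) as an added example in Python that is not part of the original report; the process-creation events, host names, the `Ev` record shape, the discovery-binary list and the 10-minute window are constructed assumptions for illustration.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta
# One process-creation event; parent_cmdline defaults to "" when the sensor lacks it.
Ev = namedtuple("Ev", "ts host image cmdline parent_image parent_cmdline", defaults=[""])
DISCOVERY = {"systeminfo", "nltest", "net", "whoami"}  # binaries from the intrusion, plus whoami (assumption)
USER_MSI = re.compile(r"(?i)[a-z]:\\users\\.+?\.msi")  # an .msi path under a user profile
# Constructed sample events (not telemetry from the article): WS01 mirrors the chain, SRV02 is benign.
EVENTS = [
    Ev("2025-10-01T09:00:05", "WS01", r"C:\Windows\System32\consent.exe", "consent.exe",
       r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "C:\Users\jdoe\Downloads\ManageEngine-OpManager.msi"'),
    Ev("2025-10-01T09:02:10", "WS01", r"C:\Windows\System32\systeminfo.exe", "systeminfo", r"C:\Users\jdoe\AppData\Local\Temp\AdgNsy.exe"),
    Ev("2025-10-01T09:03:40", "WS01", r"C:\Windows\System32\nltest.exe", "nLtEsT /dclist:", r"C:\Users\jdoe\AppData\Local\Temp\AdgNsy.exe"),
    Ev("2025-10-01T09:05:12", "WS01", r"C:\Windows\System32\net.exe", 'net group "domain admins" /dom', r"C:\Users\jdoe\AppData\Local\Temp\AdgNsy.exe"),
    Ev("2025-10-01T10:00:00", "SRV02", r"C:\Windows\System32\consent.exe", "consent.exe",
       r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "C:\Windows\Temp\patch.msi" /qn'),
    Ev("2025-10-01T10:01:00", "SRV02", r"C:\Windows\System32\systeminfo.exe", "systeminfo", r"C:\Windows\System32\cmd.exe"),
    Ev("2025-10-01T11:30:00", "SRV02", r"C:\Windows\System32\whoami.exe", "whoami", r"C:\Windows\System32\cmd.exe"),
]

def _cmd_name(cmdline):  # first token of a command line, .exe suffix stripped, case preserved
    token = cmdline.split()[0] if cmdline.strip() else ""
    return re.sub(r"\.exe$", "", token, flags=re.I)

def msi_spawned_consent(ev):
    """Rule 1: consent.exe (UAC prompt) launched by msiexec.exe installing an MSI from a user profile."""
    return (ev.image.lower().endswith("\\consent.exe") and ev.parent_image.lower().endswith("\\msiexec.exe")
            and USER_MSI.search(ev.parent_cmdline) is not None)

def mixed_case_discovery(ev):
    """Rule 2: a discovery binary typed in mixed case (nLtEsT), which exact-string rules miss."""
    name = _cmd_name(ev.cmdline)
    return name.lower() in DISCOVERY and name not in {name.lower(), name.upper(), name.capitalize()}

def rapid_enumeration(events, window=timedelta(minutes=10), min_distinct=3):
    """Rule 3: hosts that run >= min_distinct different discovery commands inside one window."""
    by_host = {}
    for ev in events:
        name = _cmd_name(ev.cmdline).lower()
        if name in DISCOVERY:
            by_host.setdefault(ev.host, []).append((datetime.fromisoformat(ev.ts), name))
    return {host for host, runs in by_host.items()
            if any(len({n for t, n in runs if t0 <= t <= t0 + window}) >= min_distinct
                   for t0, _ in runs)}

def hunt(events):
    """Apply all three rules; returns rule name -> sorted hosts that fired it."""
    return {"user_msi_spawned_consent": sorted({e.host for e in events if msi_spawned_consent(e)}),
            "mixed_case_discovery": sorted({e.host for e in events if mixed_case_discovery(e)}),
            "rapid_enumeration": sorted(rapid_enumeration(events))}
```

On the sample set only WS01 fires all three rules; SRV02's system-path MSI and its two discovery commands spread over 90 minutes stay below the thresholds.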

Indicators of Compromise (IOCs)

