Threat Actors Poisoned Bing Search Results to Deliver Bumblebee Malware When Users Searched for ‘ManageEngine OpManager’
Cybersecurity researchers have uncovered a search engine optimization (SEO) poisoning campaign that used Bing search results to distribute the Bumblebee malware loader, which in turn was used to deploy Akira ransomware.
The campaign, active throughout July 2025, specifically targeted users searching for legitimate IT management software, demonstrating how threat actors continue to weaponize trusted search platforms to compromise enterprise networks.
The attack began when users searched for “ManageEngine OpManager” on Microsoft’s Bing search engine and were served a result pointing to the look-alike domain opmanager[.]pro instead of the legitimate software vendor’s website.
This impersonation site hosted a trojanized MSI installer named ManageEngine-OpManager.msi. To a user comparing only the installed product, the package was indistinguishable from the authentic one, but it carried additional malicious components designed to establish initial access to the victim’s network. The download origin, not the behaviour of the installed software, was the only visible tell.
Upon execution of the malicious installer, the software appeared to function normally, installing the legitimate ManageEngine OpManager application to avoid suspicion.
However, alongside the legitimate installation, the MSI dropped a malicious dynamic link library (DLL) named msimg32.dll and loaded it into the Windows consent.exe process, a DLL sideloading technique in which a trusted, signed binary loads an attacker-supplied library from its own directory.
The DFIR Report analysts noted that running the payload inside a legitimate Windows binary helps it evade security controls while the visible installation of OpManager keeps the user from suspecting anything.
The Bumblebee malware established command and control communications with two remote servers at IP addresses 109.205.195[.]211:443 and 188.40.187[.]145:443 using domain generation algorithm (DGA) domains.
Approximately five hours after initial execution, the malware deployed an AdaptixC2 beacon identified as AdgNsy.exe, which created an additional communication channel to 172.96.137[.]160:443, providing threat actors with persistent access to the compromised environment.
Infection Mechanism and Privilege Escalation
The attack’s success owed much to the choice of lure: IT management software is almost always installed by administrators, so whoever ran the trojanized installer was very likely to be logged in with a highly privileged Active Directory account.
This gave the threat actors elevated access from the first execution and removed the need for the privilege escalation steps that most intrusions otherwise require.
Following initial reconnaissance with built-in Windows utilities (systeminfo, nltest /dclist:, whoami /groups and net group "domain admins" /dom), the attackers created two new domain accounts named backup_DA and backup_EA.
The backup_EA account was then added to the Enterprise Admins group with the command net group "enterprise admins" backup_EA /add /dom, which grants administrative control over every domain in the forest, not only the one in which the account was created.
The threat actors then connected to a domain controller over Remote Desktop Protocol and used the built-in Windows Server Backup command-line tool, wbadmin.exe, to copy the Active Directory database together with the registry hives needed to decrypt it: wbadmin.exe start backup -backuptarget:\\127.0.0.1\C$\ProgramData -include:"C:\windows\NTDS\ntds.dit,C:\windows\system32\config\SYSTEM,C:\windows\system32\config\SECURITY" -quiet
Because wbadmin reads the files from a Volume Shadow Copy snapshot, it sidesteps the exclusive lock the directory service holds on ntds.dit while the domain controller is running. The SYSTEM hive is included because it contains the boot key without which the password hashes stored in ntds.dit cannot be decrypted; with both files in hand, offline tooling recovers the NT hashes of every account in the domain.
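The reconnaissance burst, the privileged group addition and the wbadmin-based ntds.dit copy described above all leave distinctive process command lines. The following is an added example, written for this page and not code from the original article or from The DFIR Report, of simple detections for those three steps run over a handful of constructed Sysmon-style process-creation events. The event layout (time, host, user, cmd), the time window and the minimum number of distinct recon commands are assumptions; the command lines themselves mirror the ones quoted in the text, plus two benign events that should not fire.

```python
"""Command-line detections for the post-compromise steps in this report.

Added example, not the article's or The DFIR Report's code. Event shape and
thresholds are assumptions; sample events are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), loosely shaped like Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"time": "2025-07-15T10:00:00", "host": "WS01", "user": "CORP\\itadmin", "cmd": "systeminfo"},
    {"time": "2025-07-15T10:00:20", "host": "WS01", "user": "CORP\\itadmin", "cmd": "nltest /dclist:"},
    {"time": "2025-07-15T10:00:45", "host": "WS01", "user": "CORP\\itadmin", "cmd": "whoami /groups"},
    {"time": "2025-07-15T10:01:10", "host": "WS01", "user": "CORP\\itadmin",
     "cmd": 'net group "domain admins" /dom'},
    {"time": "2025-07-15T10:30:00", "host": "WS01", "user": "CORP\\itadmin",
     "cmd": 'net group "enterprise admins" backup_EA /add /dom'},
    {"time": "2025-07-15T11:00:00", "host": "DC01", "user": "CORP\\backup_EA",
     "cmd": 'wbadmin.exe start backup -backuptarget:\\\\127.0.0.1\\C$\\ProgramData '
            '-include:"C:\\windows\\NTDS\\ntds.dit,C:\\windows\\system32\\config\\SYSTEM,'
            'C:\\windows\\system32\\config\\SECURITY" -quiet'},
    # Benign activity that must not fire: a file-server backup and a lone whoami.
    {"time": "2025-07-15T12:00:00", "host": "FS01", "user": "CORP\\backupsvc",
     "cmd": "wbadmin.exe start backup -backuptarget:E: -include:D:\\Shares -quiet"},
    {"time": "2025-07-16T09:00:00", "host": "WS02", "user": "CORP\\helpdesk", "cmd": "whoami /groups"},
]

# Rule 1: several distinct recon commands from one host/user inside a short window.
RECON_PATTERNS = [
    ("systeminfo", re.compile(r"^\s*systeminfo(\.exe)?\b", re.I)),
    ("nltest_dclist", re.compile(r"\bnltest(\.exe)?\s+/dclist", re.I)),
    ("whoami_groups", re.compile(r"\bwhoami(\.exe)?\s+/groups", re.I)),
    ("net_group_da", re.compile(r'\bnet1?(\.exe)?\s+group\s+"?domain admins"?', re.I)),
]
RECON_WINDOW = timedelta(minutes=10)   # assumed threshold
RECON_MIN_DISTINCT = 3                 # assumed threshold

# Rule 2: any account added to a Tier-0 group with net group ... /add.
PRIV_GROUP_ADD = re.compile(
    r'\bnet1?(\.exe)?\s+group\s+"?(enterprise admins|domain admins|schema admins|administrators)"?'
    r"\s+(\S+)\s+/add\b", re.I)

# Rule 3: wbadmin backup whose include list names the AD database.
WBADMIN_START = re.compile(r"\bwbadmin(\.exe)?\s+start\s+backup\b", re.I)
NTDS_RE = re.compile(r"ntds\.dit", re.I)
SYSTEM_HIVE_RE = re.compile(r"config[\\/]+system\b", re.I)  # boot key lives here


def detect_recon_bursts(events, window=RECON_WINDOW, min_distinct=RECON_MIN_DISTINCT):
    """Return one finding per host/user that ran >= min_distinct distinct recon commands within window."""
    hits = defaultdict(list)
    for ev in events:
        for name, pat in RECON_PATTERNS:
            if pat.search(ev["cmd"]):
                hits[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["time"]), name))
    findings = []
    for (host, user), seen in hits.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):           # slide the window over sorted hits
            names = {n for t, n in seen[i:] if t - t0 <= window}
            if len(names) >= min_distinct:
                findings.append({"rule": "recon_burst", "host": host, "user": user,
                                 "commands": sorted(names)})
                break
    return findings


def detect_privileged_group_add(events):
    """Return a finding for every command that adds a member to a privileged AD group."""
    findings = []
    for ev in events:
        m = PRIV_GROUP_ADD.search(ev["cmd"])
        if m:
            findings.append({"rule": "privileged_group_add", "host": ev["host"], "user": ev["user"],
                             "group": m.group(2).lower(), "member": m.group(3)})
    return findings


def detect_ntds_backup(events):
    """Return a finding for wbadmin backups that include ntds.dit; note whether SYSTEM is taken too."""
    findings = []
    for ev in events:
        cmd = ev["cmd"]
        if WBADMIN_START.search(cmd) and NTDS_RE.search(cmd):
            findings.append({"rule": "ntds_dump_wbadmin", "host": ev["host"], "user": ev["user"],
                             "system_hive_included": bool(SYSTEM_HIVE_RE.search(cmd))})
    return findings


def run_all(events):
    """Run every rule and return the combined list of findings."""
    return detect_recon_bursts(events) + detect_privileged_group_add(events) + detect_ntds_backup(events)


if __name__ == "__main__":
    for f in run_all(SAMPLE_EVENTS):
        print(f)
```

Each rule is deliberately narrow: the recon rule needs several distinct commands from the same principal rather than a single whoami, the group rule keys on the /add verb rather than on any net group query, and the backup rule fires only when the include list names ntds.dit, so a routine file-server backup with wbadmin passes silently. In a real deployment the same logic would read Sysmon Event ID 1 or Security Event ID 4688 records instead of the constructed list.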
The campaign culminated in Akira ransomware deployment using the payload locker.exe, with the attackers reaching encryption just 44 hours after initial access.
The threat actors returned two days later to compromise child domains, showing a systematic, methodical approach to encrypting the whole enterprise rather than a single domain.