A technically sophisticated ransomware campaign has been documented in detail by The DFIR Report in partnership with Swisscom B2B CSIRT, revealing how a single Bing search led to a full-scale Akira ransomware attack that encrypted an entire enterprise network within 44 hours. The infection chain began with SEO poisoning — a technique that pushes malicious websites to the top of search engine results — and leveraged BumbleBee malware and the AdaptixC2 framework to maintain persistent access before deploying ransomware.
A Search Turned Trap
The attack began in July 2025 when an IT administrator searched Bing for “ManageEngine OpManager,” a widely used network monitoring tool. Rather than landing on the legitimate ManageEngine website, the user was redirected to opmanager[.]pro, a convincing lookalike domain positioned near the top of search results through SEO poisoning. This site cloned the official ManageEngine download page and routed victims to a secondary delivery server where a trojanized MSI installer awaited.
Targeting a ManageEngine installer was a deliberate strategic choice: IT administrators running such tools typically hold elevated system privileges, making them high-value targets for initial access. The malicious MSI carried a revoked code-signing certificate issued to “LLC Resource+,” a signer with a documented history of BumbleBee-linked malware distribution.
BumbleBee Loader and DLL Sideloading
Once the file ManageEngine-OpManager.msi was executed, it dropped three files into a temporary folder: the real OpManager software as a convincing decoy, a legitimate Windows binary called consent.exe, and the BumbleBee loader disguised as msimg32.dll. The loader exploited the Windows DLL search order to run silently inside a trusted process, making detection difficult for standard security tooling.
Approximately five hours after infection, BumbleBee dropped a file named AdgNsy.exe — a renamed copy of the legitimate Windows Address Book utility — which had been injected with AdaptixC2 shellcode. This established a persistent command-and-control channel to a remote server, from which the attacker began mapping the internal network and identifying key assets, including domain controllers.
Lateral Movement, Credential Theft, and Data Exfiltration
The threat actors operated with patience and precision over the following days. Two rogue domain accounts, backup_DA and backup_EA, were created, with backup_EA added to the Enterprise Admins group to achieve full forest-wide control. RustDesk remote access software was then installed as a Windows service on multiple servers to ensure continued access if other channels were disrupted.
The attackers proceeded to:
- Extract the NTDS.dit Active Directory database using wbadmin.exe
- Dump Veeam credentials from a PostgreSQL database
- Dump LSASS memory across multiple hosts using the lsassy tool
- Establish a reverse SSH tunnel to bypass firewall restrictions
- Exfiltrate over 75GB of sensitive data to a server located in Ukraine using FileZilla over SFTP
Akira Ransomware Deployed Across the Entire Network
The ransomware payload, staged as locker.exe, used Windows Management Instrumentation (WMI) to delete Volume Shadow Copies before encrypting systems across the primary domain. The threat actor returned two days later to encrypt a child domain as well, ensuring no part of the network was left untouched. The total time from initial click to full network encryption was approximately 44 hours.
Defensive Recommendations
Organizations can defend against SEO poisoning and similar campaigns by implementing the following measures:
- Block MSI execution from untrusted or unverified sources via application control policies
- Monitor Bing and Google search results for impersonation of enterprise tools used by IT teams
- Enforce DLL load order controls and audit DLL sideloading opportunities
- Alert on unexpected domain admin account creation, especially accounts named after backup or admin roles
- Flag remote access tools like RustDesk when registered as Windows services outside approved software
- Implement robust network egress monitoring to detect large SFTP or FTP transfers
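As an added illustration of the alerting recommendations above (example code, not from The DFIR Report, Swisscom or the campaign writeup), the Python rule set below runs over constructed Windows Security, System and Sysmon-style event records modelled on the activity described in this article: privileged group additions, a remote-access tool registered as a service, wbadmin used against NTDS, shadow copy deletion, and a known sideload-prone DLL loaded from outside the Windows directory. Field names, hostnames, the allowlist and all sample values are assumptions.

```python
import re

# Constructed rules; field names mirror common Windows Security/System/Sysmon
# event fields, but every record below is sample data, not real telemetry.
PRIVILEGED_GROUPS = {"Enterprise Admins", "Domain Admins"}
APPROVED_REMOTE_SERVICES = {"TeamViewer"}          # hypothetical allowlist
SIDELOAD_DLLS = {"msimg32.dll", "version.dll"}     # commonly abused DLL names

def detect(ev):
    """Return an alert string if the event matches a rule, else None."""
    eid = ev.get("EventID")
    if eid in (4728, 4756) and ev.get("TargetGroup") in PRIVILEGED_GROUPS:
        # 4728/4756: member added to a security-enabled global/universal group
        return f"{ev['Member']} added to {ev['TargetGroup']} by {ev['Subject']}"
    if eid == 7045:                      # System log: a new service was installed
        name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        if (re.search(r"rustdesk|anydesk", f"{name} {path}", re.I)
                and name not in APPROVED_REMOTE_SERVICES):
            return f"remote-access service {name!r} installed on {ev['Host']}"
    if eid == 4688:                      # Security log: process creation
        cmd = ev.get("CommandLine", "").lower()
        if "wbadmin" in cmd and "ntds" in cmd:
            return f"wbadmin targeting NTDS on {ev['Host']}"
        if ("shadowcopy" in cmd or "shadows" in cmd) and "delete" in cmd:
            return f"shadow copy deletion on {ev['Host']}"
    if eid == 7:                         # Sysmon: image (DLL) loaded
        loaded = ev.get("ImageLoaded", "")
        if (loaded.rsplit("\\", 1)[-1].lower() in SIDELOAD_DLLS
                and not loaded.lower().startswith("c:\\windows\\")):
            return f"possible DLL sideload: {ev['Image']} loaded {loaded}"
    return None

def scan(events):
    """Run every rule over a list of events; return the alerts raised in order."""
    return [a for a in (detect(e) for e in events) if a]

# Constructed sample events modelled on the activity described in the article.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Host": "DC1", "Subject": "itadmin", "Member": "backup_EA"},
    {"EventID": 4756, "Host": "DC1", "Subject": "itadmin", "Member": "backup_EA",
     "TargetGroup": "Enterprise Admins"},
    {"EventID": 7045, "Host": "SRV2", "ServiceName": "RustDesk",
     "ImagePath": "C:\\Program Files\\RustDesk\\rustdesk.exe --service"},
    {"EventID": 4688, "Host": "DC1",
     "CommandLine": "wbadmin start backup -include:C:\\Windows\\NTDS\\ntds.dit -quiet"},
    {"EventID": 7, "Host": "WS7", "Image": "C:\\Users\\itadmin\\AppData\\Local\\Temp\\consent.exe",
     "ImageLoaded": "C:\\Users\\itadmin\\AppData\\Local\\Temp\\msimg32.dll"},
    {"EventID": 7, "Host": "WS7", "Image": "C:\\Windows\\System32\\consent.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msimg32.dll"},   # benign load, no alert
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The plain account-creation event (4720) deliberately raises nothing on its own; the rule fires on the group change that grants the privilege, which is the step worth paging someone for.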
The full indicators of compromise (IoCs), including malicious domains, IP addresses, and file hashes, have been published by The DFIR Report and should be imported into SIEM and threat intelligence platforms immediately.