Bumblebee Malware SEO Poisoning Campaign Leads to Akira Ransomware Deployment

Aug. 5, 2025, 2:05 p.m.

Description

A coordinated threat campaign has been identified leveraging SEO poisoning to distribute Bumblebee malware via trojanized installers of IT management tools. The campaign targets users searching for legitimate software like ManageEngine OpManager. Upon execution, Bumblebee establishes initial access, enabling lateral movement, credential dumping, deployment of remote access tools, and data exfiltration. The intrusions often end with the deployment of Akira ransomware, resulting in severe operational disruptions. Multiple organizations have been impacted, with various security teams reporting consistent patterns of compromise.

External References

https://otx.alienvault.com/pulse/689208038d812ad250ca2759
Tags
seo poisoning
lateral movement
data exfiltration
akira
credential dumping
bumblebee
initial access
akira ransomware
trojanized installers
2025-08-05

Date

  • Created: Aug. 5, 2025, 1:32 p.m.
  • Published: Aug. 5, 2025, 1:32 p.m.
  • Modified: Aug. 5, 2025, 2:05 p.m.

Indicators

  • de730d969854c3697fd0e0803826b4222f3a14efe47e4c60ed749fff6edce19d
  • a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2
  • 6ba5d96e52734cbb9246bcc3decf127f780d48fa11587a1a44880c1f04404d23
  • a6df0b49a5ef9ffd6513bfe061fb60f6d2941a440038e2de8a7aeb1914945331
  • 18b8e6762afd29a09becae283083c74a19fc09db1f2c3412c42f1b0178bc122a
  • 186b26df63df3b7334043b47659cba4185c948629d857d47452cc1936f0aa5da
  • 83.229.17.60
  • 188.40.187.145
  • 193.242.184.150
  • 185.174.100.203
  • 170.130.55.223
  • 109.205.195.211
  • 172.96.137.160
  • opmanager.pro
  • ip-scanner.org
  • ev2sirbd269o5j.org
  • axiscamerastation.org
  • angryipscanner.org
  • 2rxyt9urhq0bgj.org
Download all indicators here!

Attack Patterns

  • Bumblebee - S1039
  • Akira