Search results on Bing have been manipulated to distribute Bumblebee malware when users search for ‘ManageEngine OpManager’.
In July 2025, a Search Engine Optimisation (SEO) poisoning campaign abused Bing search results to distribute Bumblebee malware, an intrusion that The DFIR Report traced through to Akira ransomware deployment. The campaign targeted users searching for legitimate IT management software, a reminder that threat actors continue to weaponise trusted search platforms to gain a foothold in enterprise networks.

The attack began when users searched for “ManageEngine OpManager” on Microsoft’s Bing search engine and were directed to the look-alike domain opmanager[.]pro instead of the vendor’s website. The impersonation site hosted a trojanised MSI installer named ManageEngine-OpManager.msi, which closely resembled the legitimate package but carried malicious components designed to establish initial access. When executed, the installer behaved as expected and installed the genuine ManageEngine OpManager application, so the victim ended up with a working product and little reason for suspicion.
During installation, the MSI also dropped a malicious dynamic link library (DLL) named msimg32.dll, which was loaded by the legitimate Windows consent.exe binary (the UAC consent prompt): a DLL side-loading technique that The DFIR Report identified as a way to run the payload under a trusted, signed process while keeping the appearance of a normal software install. Because the host process is a Microsoft binary, the tell-tale sign is not the process itself but where the msimg32.dll it loads comes from; the genuine copy lives in the Windows system directory. The Bumblebee malware then established command and control with two remote servers at 109.205.195[.]211:443 and 188.40.187[.]145:443, using domain generation algorithm (DGA) domains for its C2 infrastructure. Approximately five hours after initial execution, it deployed an AdaptixC2 beacon named AdgNsy.exe, which opened an additional channel to 172.96.137[.]160:443 and gave the operators persistent access to the environment.

Much of the attack’s effectiveness came from the choice of lure. Users who download and install an IT management tool such as OpManager are typically administrators, and in this case the account executing the malware held highly privileged rights in Active Directory. That gave the threat actors elevated access from the first moment and removed the need for the privilege escalation steps usually required in targeted intrusions.

After initial reconnaissance with built-in Windows utilities, the attackers created two new domain accounts, backup_DA and backup_EA, and added backup_EA to the Enterprise Admins group, granting them administrative control across the entire forest.