DEV Community

Mark0


From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

This report details a sophisticated ransomware attack involving the Bumblebee loader and the AdaptixC2 framework, culminating in the deployment of Akira ransomware. The intrusion began with an SEO poisoning campaign in July 2025, luring victims to fake software download sites that delivered a trojanized MSI installer for applications like ManageEngine OpManager. Initial access was gained via DLL side-loading, which executed the Bumblebee loader; Bumblebee then deployed AdaptixC2 for persistent command and control. The threat actors rapidly established persistence by creating new domain accounts with Enterprise Admin privileges and installing remote-access tooling such as RustDesk and Cloudflare tunnels.

Throughout the multi-day compromise, adversaries employed extensive credential harvesting techniques, including dumping the NTDS.dit database, decrypting Veeam credentials via DPAPI, and performing remote LSASS memory dumps using lsassy. Defense evasion was prominent, utilizing process injection, command-line obfuscation, and in one instance, a Bring Your Own Vulnerable Driver (BYOVD) attack to neutralize endpoint security. Lateral movement primarily occurred via RDP, often proxied through reverse SSH tunnels.

Data exfiltration, totaling over 75 GB, was facilitated by FileZilla and SFTP to a server in Ukraine, targeting file shares, credentials, and SYSVOL configurations. The attack concluded with the widespread deployment of Akira ransomware, staged as locker.exe, which deleted Volume Shadow Copies to maximize impact across the root and child domains. This comprehensive analysis highlights the intricate tactics, techniques, and procedures (TTPs) employed by this threat group.
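Three of the behaviours summarised above leave distinct traces in standard Windows telemetry: accounts being added to Enterprise Admins or Domain Admins, a process deleting Volume Shadow Copies, and a non-system process opening a handle to LSASS. The following is an added example (not code from the report or from DEV Community) showing how a defender might triage normalised Security and Sysmon events for exactly those three signals and then correlate them, flagging accounts that were newly granted privileged group membership and then appear as the actor of a destructive or credential-access finding, which is the sequence the report describes. The event records are constructed for this example; the field names mimic a simplified SIEM normalisation rather than any specific product, the `vssadmin`/`wmic` command patterns are the commonly documented shadow-copy deletion forms (the report does not state the exact command Akira used), and the LSASS source allowlist is an illustrative placeholder to be tuned per environment.

```python
import re
from dataclasses import dataclass

# Well-known RIDs of the two highest-privilege domain groups.
PRIVILEGED_RIDS = {"512": "Domain Admins", "519": "Enterprise Admins"}
# 4728: member added to a security-enabled global group (Domain Admins);
# 4756: member added to a security-enabled universal group (Enterprise Admins).
GROUP_ADD_EVENTS = {4728, 4756}
# Commonly documented shadow-copy deletion command lines (assumption: the report
# does not quote the exact command the ransomware used).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# Illustrative allowlist of processes expected to touch LSASS; tune per environment.
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample events (not taken from the report), in a simplified
# normalised form: "Security" entries carry the Windows Security log fields,
# "Sysmon" EventID 10 entries carry ProcessAccess fields.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4756, "Computer": "DC01",
     "SubjectUserName": "jsmith", "TargetUserName": "Enterprise Admins",
     "TargetSid": "S-1-5-21-1111-2222-3333-519",
     "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example"},
    {"Channel": "Security", "EventID": 4688, "Computer": "FS01",
     "SubjectUserName": "svc_backup2",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Channel": "Sysmon", "EventID": 10, "Computer": "APP02",
     "SubjectUserName": "svc_backup2",
     "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Channel": "Security", "EventID": 4688, "Computer": "WS07",
     "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"Channel": "Security", "EventID": 4728, "Computer": "DC01",
     "SubjectUserName": "jsmith", "TargetUserName": "Domain Admins",
     "TargetSid": "S-1-5-21-1111-2222-3333-512",
     "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    actor: str   # account the finding should be attributed to
    detail: str


def _rid(sid: str) -> str:
    """Return the trailing relative identifier of a SID ("...-519" -> "519")."""
    return sid.rsplit("-", 1)[-1] if sid else ""


def _cn(dn: str) -> str:
    """Extract the leading CN value from a distinguished name."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def triage(events):
    """Run the three detections over normalised events; returns findings in event order."""
    findings = []
    for ev in events:
        chan, eid = ev.get("Channel"), ev.get("EventID")
        host, actor = ev["Computer"], ev.get("SubjectUserName", "")
        if chan == "Security" and eid in GROUP_ADD_EVENTS \
                and _rid(ev.get("TargetSid", "")) in PRIVILEGED_RIDS:
            member = _cn(ev["MemberName"])
            # Attribute to the member, since that account now holds the privilege.
            findings.append(Finding("privileged_group_add", host, member,
                                    f"{actor} added {member} to {ev['TargetUserName']}"))
        elif chan == "Security" and eid == 4688:
            cmd = ev.get("CommandLine", "")
            if SHADOW_DELETE.search(cmd):
                findings.append(Finding("shadow_copy_deletion", host, actor, cmd))
        elif chan == "Sysmon" and eid == 10:
            target = ev.get("TargetImage", "").lower()
            source = ev.get("SourceImage", "").lower()
            if target.endswith("\\lsass.exe") and source not in LSASS_ALLOWED_SOURCES:
                findings.append(Finding("lsass_process_access", host, actor,
                                        f"{ev['SourceImage']} access={ev.get('GrantedAccess')}"))
    return findings


def newly_privileged_abusers(findings):
    """Accounts added to a privileged group that also appear as the actor of
    another finding; returns {account: sorted list of rule names}."""
    added = {f.actor for f in findings if f.rule == "privileged_group_add"}
    hits = {}
    for f in findings:
        if f.rule != "privileged_group_add" and f.actor in added:
            hits.setdefault(f.actor, set()).add(f.rule)
    return {acct: sorted(rules) for acct, rules in hits.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.host} {f.actor}: {f.detail}")
    print("newly privileged accounts with follow-on activity:",
          newly_privileged_abusers(found))
```

The correlation step is the part worth keeping even if the individual rules are replaced by a vendor's: a single group-membership change on a domain controller is easy to dismiss, but the same account driving shadow-copy deletion or LSASS access on member servers within the same window is the pattern the report's timeline shows.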


