A sophisticated SEO poisoning campaign exploited Bing search results to distribute Bumblebee malware, leading to Akira ransomware attacks. Users searching for ManageEngine OpManager were redirected to a malicious site hosting a trojanized installer. The malware established command and control communications, escalated privileges, and exfiltrated domain account hashes. The attack culminated in ransomware deployment, encrypting systems within 44 hours and compromising child domains, causing significant operational disruption and data loss.
TPRM report: https://www.rankiteo.com/company/manageengine
{
  "id": "man305080925",
  "linkid": "manageengine",
  "type": "Ransomware",
  "date": "8/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'IT Management',
                        'name': 'ManageEngine',
                        'type': 'Software Vendor'}],
 'attack_vector': 'SEO Poisoning, Trojanized Software Installer',
 'data_breach': {'data_encryption': 'Yes',
                 'data_exfiltration': 'Yes',
                 'file_types_exposed': 'NTDS.dit, SYSTEM, SECURITY',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Password hashes, Domain account information'},
 'date_detected': 'July 2025',
 'description': 'A sophisticated search engine optimization (SEO) poisoning campaign that exploited Bing search results to distribute Bumblebee malware, ultimately leading to devastating Akira ransomware attacks. The campaign targeted users searching for legitimate IT management software, redirecting them to a malicious domain hosting a trojanized MSI installer.',
 'impact': {'data_compromised': 'Password hashes, Domain account information',
            'identity_theft_risk': 'High',
            'operational_impact': 'Domain-wide administrative privileges obtained, Ransomware encryption',
            'systems_affected': 'Enterprise networks, Domain controllers'},
 'initial_access_broker': {'backdoors_established': 'Yes',
                           'entry_point': 'Bing search results, Trojanized MSI installer',
                           'high_value_targets': 'Domain controllers, Enterprise networks',
                           'reconnaissance_period': 'Approximately five hours'},
 'motivation': 'Financial gain, Data exfiltration',
 'post_incident_analysis': {'root_causes': 'SEO poisoning, Trojanized software, Lack of detection for malicious DLL deployment'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransomware_strain': 'Akira'},
 'references': [{'source': 'The DFIR Report'}],
 'title': 'SEO Poisoning Campaign Distributing Bumblebee Malware Leading to Akira Ransomware Attacks',
 'type': 'Malware, Ransomware'}