A poisoned Bing search result for a well-known IT management tool has led to a widespread ransomware attack built on SEO poisoning techniques. Cybercriminals manipulated search engine rankings to redirect users to a malicious download masquerading as legitimate software, thereby compromising IT administrators’ systems.
SEO Manipulation and Initial Attack
The attack was initiated in July 2025 when a Bing search for ‘ManageEngine OpManager’ redirected users to a fake domain mimicking the official software site. This deceptive page offered a trojanized MSI installer, leading to a sophisticated multi-day cyber intrusion, culminating in the deployment of Akira ransomware across the victim’s network.
According to a joint report by The DFIR Report and Swisscom B2B CSIRT, the attackers employed BumbleBee malware and an AdaptixC2 beacon to gain and maintain unauthorized access. This strategic assault involved creating false admin accounts and installing remote access software to exfiltrate over 75GB of sensitive data to a server located in Ukraine.
Technical Details and Execution
The attack was meticulously executed over approximately 44 hours. Before encrypting systems with Akira ransomware, disguised as locker.exe, the attackers used Windows Management Instrumentation to erase Volume Shadow Copies so that local recovery would be impossible. Two days later, they targeted a child domain, ensuring complete network disruption.
The compromised download originated from opmanager[.]pro, a domain placed prominently in Bing search results through SEO poisoning. This site replicated the genuine ManageEngine download page, ultimately redirecting users to download malicious software from download-center[.]online.
Advanced Techniques and Persistence
Within five hours of infection, BumbleBee deployed AdgNsy.exe, an altered version of a legitimate Windows utility injected with AdaptixC2 shellcode. This enabled a persistent command-and-control channel, facilitating network mapping and identification of crucial assets like domain controllers.
Rogue accounts named backup_DA and backup_EA were created, with the latter gaining full administrative privileges. The attackers also utilized RustDesk remote access software as a Windows service across multiple servers to ensure continued access.
On the second day, further escalation involved accessing a domain controller, extracting the Active Directory database, and siphoning off Veeam credentials. The attackers bypassed firewall protections using a reverse SSH tunnel for RDP traffic.
Preventive Measures and Recommendations
Organizations must vigilantly monitor search results for impersonations of enterprise software, particularly tools used by IT teams. Implementing strict controls on MSI execution from untrusted sources, regulating DLL load orders, and setting alerts for unexpected domain admin account creations are critical defense strategies.
Detection of unauthorized remote access tools, such as RustDesk, is vital, as these were instrumental in maintaining the attackers’ persistence throughout the incident. Strengthening security operations centers (SOCs) by integrating advanced threat detection tools is essential to mitigate such sophisticated attacks.
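The two alerting recommendations above, expressed as detection logic over Windows event records, as an added example that is not part of the joint report or of this article. It runs over constructed sample events in the flat shape a SIEM export might provide (field names simplified); the event IDs are the real Windows Security and System log IDs, while the remote-access watch-list, host names and account names are assumptions modelled on the incident narrative.

```python
"""Flag privileged-group additions (especially for freshly created accounts)
and remote-access tools installed as Windows services."""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
ACCOUNT_CREATED_EVENT = 4720   # Security: a user account was created
GROUP_ADD_EVENTS = {4728, 4756}  # Security: member added to global / universal security group
SERVICE_INSTALL_EVENT = 7045   # System: a new service was installed
RAT_MARKERS = ("rustdesk",)    # assumed watch-list of remote-access tool names (lower-case)

# Constructed sample events, in time order; hosts and users are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "DC01", "SubjectUser": "svc_backup", "TargetUser": "backup_DA"},
    {"EventID": 4720, "Computer": "DC01", "SubjectUser": "svc_backup", "TargetUser": "backup_EA"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUser": "svc_backup",
     "MemberName": "backup_EA", "TargetGroup": "Domain Admins"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUser": "helpdesk1",
     "MemberName": "jdoe", "TargetGroup": "Sales"},  # benign: non-privileged group
    {"EventID": 7045, "Computer": "FS02", "ServiceName": "RustDesk",
     "ImagePath": "C:\\Program Files\\RustDesk\\rustdesk.exe --service"},
    {"EventID": 7045, "Computer": "FS02", "ServiceName": "WinDefend",
     "ImagePath": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},  # benign
]


def detect(events):
    """Return (rule, host, detail) alerts; events must be scanned in time order."""
    created = set()  # accounts seen in a 4720 event earlier in the stream
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == ACCOUNT_CREATED_EVENT:
            created.add(ev["TargetUser"])
        elif eid in GROUP_ADD_EVENTS and ev.get("TargetGroup") in PRIVILEGED_GROUPS:
            # A brand-new account going straight into a privileged group is the
            # pattern seen with backup_EA, so it gets its own higher-priority rule.
            rule = ("new-account-to-privileged-group" if ev["MemberName"] in created
                    else "privileged-group-add")
            alerts.append((rule, ev["Computer"],
                           f"{ev['SubjectUser']} added {ev['MemberName']} to {ev['TargetGroup']}"))
        elif eid == SERVICE_INSTALL_EVENT:
            image = ev.get("ImagePath", "").lower()
            if any(marker in image for marker in RAT_MARKERS):
                alerts.append(("remote-access-service", ev["Computer"],
                               f"service {ev['ServiceName']} installed from {ev['ImagePath']}"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```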
