Concise Cyber

Akira Ransomware Attack Leverages Bing Search and Bumblebee Malware

A documented cybersecurity incident revealed a sophisticated attack chain that commenced with a Bing search and culminated in the network-wide deployment of Akira ransomware. This intrusion utilized the Bumblebee malware loader and the AdaptixC2 command-and-control framework to systematically compromise a corporate environment.

Initial Compromise Through Malvertising

The attack began when an employee used the Bing search engine to find the legitimate remote desktop application AnyDesk. The user clicked a malicious advertisement in the search results, which redirected them to a threat actor-controlled website, and then downloaded a malicious ISO file disguised as the software installer. Executing a shortcut file (.LNK) contained in the ISO used DLL side-loading to load the Bumblebee malware onto the workstation, establishing the attackers' initial foothold.
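A hunting sketch for the chain described above, added here as an example and not taken from the original report: it correlates a browser-written ISO, a process started from a non-system drive soon afterwards, and an unsigned DLL loaded from that process's own directory. The event schema, field names, file names, drive letters and the 30-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
SYSTEM_DRIVE = "C:"               # assumption: a mounted ISO gets another letter
WINDOW = timedelta(minutes=30)    # assumption: download-to-launch correlation window

# Constructed sample events in a simplified, hypothetical schema.
EVENTS = [
    {"ts": "2025-01-01T10:00:00", "host": "WS01", "type": "file_create",
     "process": "msedge.exe", "path": r"C:\Users\alice\Downloads\AnyDesk.iso"},
    {"ts": "2025-01-01T10:02:00", "host": "WS01", "type": "process_create",
     "image": r"E:\setup.exe"},
    {"ts": "2025-01-01T10:02:01", "host": "WS01", "type": "image_load",
     "image": r"E:\setup.exe", "loaded": r"E:\version.dll", "signed": False},
    {"ts": "2025-01-01T10:02:02", "host": "WS01", "type": "image_load",
     "image": r"E:\setup.exe", "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # Benign: software run from removable media with no preceding ISO download.
    {"ts": "2025-01-01T11:00:00", "host": "WS02", "type": "process_create",
     "image": r"E:\tool.exe"},
    {"ts": "2025-01-01T11:00:01", "host": "WS02", "type": "image_load",
     "image": r"E:\tool.exe", "loaded": r"E:\helper.dll", "signed": False},
]

def hunt(events, window=WINDOW):
    """Return image loads that complete the download -> launch -> side-load chain."""
    iso_seen, suspects, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["type"] == "file_create":
            if ev["process"].lower() in BROWSERS and ev["path"].lower().endswith(".iso"):
                iso_seen[host] = (ts, ev["path"])
        elif ev["type"] == "process_create":
            recent = iso_seen.get(host)
            off_system = PureWindowsPath(ev["image"]).drive.upper() != SYSTEM_DRIVE
            if recent and off_system and ts - recent[0] <= window:
                suspects[(host, ev["image"].lower())] = recent[1]
        elif ev["type"] == "image_load":
            iso = suspects.get((host, ev["image"].lower()))
            same_dir = PureWindowsPath(ev["loaded"]).parent == PureWindowsPath(ev["image"]).parent
            if iso and same_dir and not ev["signed"]:
                findings.append({"host": host, "iso": iso,
                                 "image": ev["image"], "dll": ev["loaded"]})
    return findings

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

In a real deployment the three event types would be mapped from whatever endpoint telemetry is available, and the drive-letter heuristic would need tuning for hosts with multiple fixed volumes.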

Attack Progression: Bumblebee to Ransomware Deployment

Once active on the system, the Bumblebee loader was used to conduct reconnaissance and escalate privileges. The threat actors used tools to dump credentials from memory and deployed Cobalt Strike for command and control. Following this, the attackers deployed the AdaptixC2 framework, a post-exploitation tool written in Rust, to ensure persistent access. Using the established access and stolen credentials, the actors moved laterally across the network. The final stage of the attack was the deployment of the Akira ransomware payload, which proceeded to encrypt data on critical systems, causing significant business disruption.

Source: https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/