ctipilot.ch


Bumblebee → AdaptixC2 → Akira: a full SEO-poisoning-to-ransomware kill chain with a parallel Swiss intrusion

Notable threat, discovered 2026-06-30 05:10 UTC. Single-source deep dive.

Entities: Bumblebee, AdaptixC2, Akira

Part of run 2026-06-30-9aaa1114 (intel · Claude Opus 4.8 (1M context))

The DFIR Report published (2026-06-29) its full reconstruction of an intrusion that began with SEO poisoning and ended in Akira ransomware in under three days. The case was first shared in a 2025 threat brief and flash alert produced with Swisscom B2B CSIRT, which had observed a parallel intrusion tied to the same campaign; that Swiss nexus from the 2025 collaboration is what makes the now-public reconstruction worth today's deep dive (The DFIR Report, 2026-06-29). The chain is also notable for using the open-source AdaptixC2 post-exploitation framework in the role Cobalt Strike usually fills in Akira intrusions. Akira itself was covered in the 2026-06-23 deep dive via the SonicWall vector; this is a distinct initial-access path leading to the same end-stage operator.

Initial access and loader. A poisoned Bing result for "ManageEngine OpManager" led to a trojanized MSI installer (T1608.006 SEO poisoning → T1204.002 Malicious File). The Bumblebee loader established first C2 via DLL search-order hijacking (T1574.001): a legitimate signed binary loaded a same-directory msimg32.dll through consent.exe. Within roughly five hours, AdaptixC2 shellcode was injected into a renamed copy of the legitimate Windows Address Book utility, giving persistent interactive C2.

Escalation, discovery, lateral movement. The actor created domain accounts with Enterprise Admin privileges using RSAT (T1136.002 Create Account: Domain Account), enumerated the network with SoftPerfect Network Scanner, Zenmap, and RVTools (T1046), and moved laterally over RDP (T1021.001). A legitimate RustDesk remote-access tool was installed as a redundant access channel (T1219 Remote Access Software).

Credential access and collection. Credentials were harvested by extracting NTDS.dit via wbadmin.exe (T1003.003) and by dumping the Veeam backup database — the latter a recurring Akira-affiliate move that doubles as recovery sabotage. Roughly 77 GB was staged and exfiltrated over ~44 hours via FileZilla/SFTP to an external server (T1048/T1567).

Impact. Akira ransomware (T1486) was deployed across root and child domains over WMI (T1047), with shadow copies deleted via vssadmin (T1490 Inhibit System Recovery).

Detection concepts (no IOCs). Per stage: Sysmon EID 1 for a signed binary / consent.exe side-loading msimg32.dll from a user-writable path; Sysmon EID 11 for new executables written into AppData; PowerShell EID 4104 (script block logging) carrying credential-access tradecraft; Security EID 4663 on NTDS.dit handle access; WMI-driven remote process creation (Security EID 4648 plus network logon type 3) from non-admin hosts; Security EID 4698 scheduled-task creation from unusual parents; and DLP/file-server alerts on large outbound SFTP staging. Treat any RustDesk install you did not deploy as a finding.
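As an added example, not code from The DFIR Report or from this brief, the side-loading concept above written as a rule over Sysmon image-load records (EID 7, the event that carries the loaded DLL path alongside the host process). Field names follow Sysmon's EID 7 schema; the set of user-writable path markers is an assumption about a default Windows layout, and the sample records are constructed, not indicators from the case.

```python
import ntpath

# Where the genuine msimg32.dll lives on Windows; a copy anywhere else is a
# candidate DLL search-order hijack (T1574.001).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Path fragments marking user-writable locations on a default install (assumption).
USER_WRITABLE = (r"\appdata", r"\temp", r"\downloads", r"\users\public", r"c:\programdata")
WATCHED_DLLS = {"msimg32.dll"}

def is_user_writable(path):
    p = path.lower()
    return any(marker + "\\" in p for marker in USER_WRITABLE)

def classify_image_load(evt):
    """Score one Sysmon EID 7 (Image Loaded) record; return (severity, reason) or None."""
    if evt.get("EventID") != 7:
        return None
    loaded = evt.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() not in WATCHED_DLLS:
        return None
    loaded_dir = ntpath.dirname(loaded).lower()
    if loaded_dir in SYSTEM_DIRS:
        return None  # the legitimate copy of the DLL
    reasons = [f"{ntpath.basename(loaded)} loaded from non-system path {loaded_dir}"]
    if ntpath.dirname(evt.get("Image", "")).lower() == loaded_dir:
        reasons.append("DLL sits beside the loading executable (search-order hijack pattern)")
    if evt.get("Signed", "").lower() != "true":
        reasons.append("loaded DLL is unsigned")
    severity = "high" if is_user_writable(loaded) else "medium"
    return severity, "; ".join(reasons)

def scan(events):
    """Run the rule over a batch of records; return (severity, host image, reason) alerts."""
    alerts = []
    for evt in events:
        hit = classify_image_load(evt)
        if hit:
            alerts.append((hit[0], evt.get("Image", ""), hit[1]))
    return alerts

# Constructed sample records (hypothetical paths and binaries, not case indicators).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Temp\OpMgrSetup\vendor-helper.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\OpMgrSetup\msimg32.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\SomeVendor\app.exe",
     "ImageLoaded": r"C:\Program Files\SomeVendor\msimg32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\gdi32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for severity, image, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {reason}")
```

The second sample fires at high severity (user-writable path, same-directory DLL, unsigned); the Program Files copy fires at medium, which is the tier to triage against a software inventory rather than page on.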

Hardening. Category-block software-download SEO traps at the SWG and require signed, hash-verified installers for IT-admin tooling; constrain who can create domain accounts and alert on new Enterprise Admin members; protect NTDS.dit / enable Credential Guard; restrict remote WMI to tiered admin hosts; harden Veeam service-account credentials and isolate the backup plane; and alert on unsanctioned remote-access tools (RustDesk/AnyDesk) at the proxy and EDR.

Tags: ransomware, organized-crime, infostealer, switzerland, global