Date: 2026-07-03
Source: Security Arsenal Threat Intelligence Unit
TLP: WHITE
Threat Summary
Recent OTX pulse data indicates an aggressive convergence of initial access vectors aimed at harvesting credentials and deploying ransomware. Threat actors are actively exploiting the supply chain of IT management tools—specifically via SEO poisoning (Bumblebee), RMM vulnerabilities (SimpleHelp CVE-2026-48558), and AI framework flaws (Langflow).
The primary objective across these disparate campaigns is credential theft to facilitate lateral movement. The "From Bing Search to Ransomware" campaign demonstrates how trojanized installers for tools like ManageEngine OpManager grant attackers immediate privileged access, paving the way for Akira ransomware. Simultaneously, clusters of RedLine Stealer and Ousaban banking trojans are targeting the maritime sector and Iberian Peninsula, respectively, utilizing sophisticated infrastructure pivoting and geofencing techniques.
Threat Actor / Malware Profile
1. Bumblebee Loader & AdaptixC2
- Distribution: SEO poisoning on Bing search results, trojanized installers for legitimate IT tools (e.g., ManageEngine OpManager).
- Behavior: Acts as a loader for ransomware. Utilizes AdaptixC2 for command and control. Focuses on credential dumping (LSASS memory) to move laterally across the network.
- Persistence: Scheduled tasks and service creation.
2. RedLine Stealer & Maritime Cluster
- Distribution: Spear-phishing and Business Email Compromise (BEC) targeting South Korean maritime entities.
- Behavior: Information stealer targeting browser data, crypto-wallets, and FTP credentials. Infrastructure pivoting observed via a distinctive listening port (e.g., 55615).
- C2: HTTP communication to attacker-owned infrastructure (194.156.79.122).
3. TaskWeaver & Djinn Stealer
- Distribution: Exploitation of CVE-2026-48558 in SimpleHelp RMM software.
- Behavior: TaskWeaver is a Node.js loader that delivers Djinn Stealer. Heavily obfuscated to evade detection. Targets AI development environments.
4. Ousaban Banking Trojan
- Distribution: Phishing PDFs with embedded redirects.
- Behavior: Geofenced to Spain and Portugal. Uses VBS scripts to download steganographic images hiding payloads. Targets banking credentials.
IOC Analysis
The provided indicators of compromise (IOCs) reveal a high-risk infrastructure footprint:
- IP Addresses: The pulses highlight specific C2 nodes including 172.96.137.160 (Bumblebee/Akira), 194.156.79.122 (RedLine), and 96.126.130.126 (TaskWeaver).
- Domains: Look-alike domains such as opmanager.pro and angryipscanner.org are used in SEO poisoning campaigns to trick IT admins.
- File Hashes: Multiple MD5, SHA1, and SHA256 hashes are associated with the trojanized installers and malware payloads. These should be immediately blocklisted in EDR solutions.
- CVEs: CVE-2026-48558 (SimpleHelp) and CVE-2026-33017/CVE-2026-55255 (Langflow) represent critical vulnerabilities requiring immediate patching.
Operationalization: SOC teams should feed the IPs and domains into firewall/NGFW blocklists. File hashes must be loaded into EDR blocklist engines. The CVEs should be cross-referenced with asset management systems to identify vulnerable SimpleHelp or Langflow instances.
Detection Engineering
The following detection rules and hunts are designed to identify the specific behaviors and artifacts detailed in the OTX pulses.
Sigma Rules
title: Potential Bumblebee Loader AdaptixC2 Activity
id: 5d7f4c1a-9b2e-4a3f-8c5d-6e7f8a9b0c1d
description: Detects potential network activity associated with Bumblebee loader and AdaptixC2 infrastructure based on OTX Pulse IOCs.
status: experimental
date: 2026/07/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/665c5a0b7c5c9c0f9c5b5b5b
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
detection:
    selection:
        DestinationIp:
            - '172.96.137.160'
            - '96.126.130.126'
            - '45.207.216.55'
    condition: selection
falsepositives:
    - Legitimate administrative access to these specific IPs (unlikely given nature of IOCs)
level: critical
---
title: SimpleHelp RMM Exploitation CVE-2026-48558
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects exploitation attempts against SimpleHelp RMM software or suspicious Node.js execution related to TaskWeaver.
status: experimental
date: 2026/07/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/665c5a0b7c5c9c0f9c5b5b5b
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\node.exe'
            - '\SimpleHelp.exe'
    selection_cli:
        CommandLine|contains:
            - 'CVE-2026-48558'
            - 'TaskWeaver'
            - 'Djinn'
    # '1 of selection*' fires on every node.exe or SimpleHelp.exe start, not only on the
    # command-line markers; expect noise on developer and helpdesk hosts
    condition: 1 of selection*
falsepositives:
    - Legitimate Node.js development or authorized SimpleHelp usage
level: high
---
title: Ousaban Trojan Phishing Chain
# the id below is not a valid UUID (contains 'g'/'h' and a 13-digit last group);
# replace it with a UUIDv4 before deployment or Sigma validation will reject the rule
id: e5f6g7h8-9012-34cd-efab-567890abcdef0
description: Detects the execution chain typical of Ousaban banking Trojan involving PDF readers spawning VBS scripts.
status: experimental
date: 2026/07/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/665c5a0b7c5c9c0f9c5b5b5b
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith:
            - '\AcroRd32.exe'
            - '\chrome.exe'
            - '\msedge.exe'
    selection_child:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    selection_cmd:
        CommandLine|contains:
            - '.vbs'
            - 'http'
    condition: all of selection_*
falsepositives:
    - Legitimate automated PDF form processing
level: medium
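As an added example (not part of the bulletin or its rule set), the following Python evaluates the Ousaban rule's three selections against constructed process_creation events; the paths and command lines are invented for illustration. It applies Sigma semantics: a value list under one field is OR'd, the named selections are AND'd by `all of selection_*`, and string matching is case-insensitive.

```python
# Added example, not from the bulletin: evaluator for the "Ousaban Trojan Phishing
# Chain" Sigma rule over constructed process_creation events.
PARENT_IMAGES = ("\\acrord32.exe", "\\chrome.exe", "\\msedge.exe")  # ParentImage|endswith
CHILD_IMAGES = ("\\wscript.exe", "\\cscript.exe")                    # Image|endswith
CMD_TERMS = (".vbs", "http")                                         # CommandLine|contains


def matches_ousaban_chain(event):
    """True when selection_parent, selection_child and selection_cmd all hold."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    sel_parent = parent.endswith(PARENT_IMAGES)       # list values are OR'd
    sel_child = image.endswith(CHILD_IMAGES)
    sel_cmd = any(term in cmd for term in CMD_TERMS)  # contains with a list: any value
    return sel_parent and sel_child and sel_cmd       # all of selection_*


def hunt(events):
    """Return the ids of the events that trip the rule."""
    return [e["id"] for e in events if matches_ousaban_chain(e)]


# Constructed sample telemetry (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": "C:\\Program Files\\Adobe\\AcroRd32.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\factura.vbs"},
    {"id": 2, "ParentImage": "C:\\Windows\\explorer.exe",           # logon script: parent not in list
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe \\\\fileserver\\logon\\mapdrives.vbs"},
    {"id": 3, "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\msedge.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",                  # child not a script host
     "CommandLine": "notepad.exe C:\\Users\\b\\Downloads\\readme.txt"},
    {"id": 4, "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\msedge.exe",
     "Image": "C:\\Windows\\SysWOW64\\cscript.exe",
     "CommandLine": "cscript.exe //nologo C:\\Users\\b\\Downloads\\extracto.vbs"},
]

if __name__ == "__main__":
    print("Rule hits (event ids):", hunt(SAMPLE_EVENTS))
```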
KQL (Microsoft Sentinel)
// Hunt 1: OTX Pulse IOCs in network events. Run this as its own query; Kusto accepts
// only one tabular expression per query, so the two hunts cannot be chained with ';'.
let IoC_IPs = dynamic(["172.96.137.160", "194.156.79.122", "85.17.40.98", "96.126.130.126", "45.207.216.55", "162.33.179.46"]);
let IoC_Domains = dynamic(["angryipscanner.org", "opmanager.pro"]);
DeviceNetworkEvents
| where RemoteIP in (IoC_IPs) or RemoteUrl has_any (IoC_Domains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| extend AlertInfo = "OTX Pulse Intel Match"

// Hunt 2: file hash IOCs in process events (separate query)
let IoC_Hashes = dynamic(["a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2", "d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3"]);
DeviceProcessEvents
| where SHA256 in (IoC_Hashes)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, SHA256
| extend AlertInfo = "OTX Malware Hash Match"
PowerShell Hunt Script
# OTX Pulse IOC Hunter - Checks for file artifacts and suspicious connections
# Hashes are compared by the algorithm they were published in: the MD5 value in the
# pulse can never equal a SHA256 digest, so both digests are computed for each file.
$MaliciousSha256 = @(
    "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
    "d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3"
)
$MaliciousMd5 = @(
    "a746da514c90f26a187a294fda7edc1b"
)
Write-Host "[+] Initiating sweep for OTX Pulse artifacts..." -ForegroundColor Cyan

# Check file hashes in common download directories
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:TEMP", "C:\Windows\Temp")
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "[*] Scanning $Path..." -ForegroundColor Yellow
        # -File: Get-FileHash errors on directory entries
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $Md5    = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if (($MaliciousSha256 -contains $Sha256) -or ($MaliciousMd5 -contains $Md5)) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# Check for active network connections to known C2 IPs
$C2_IPs = @("172.96.137.160", "194.156.79.122", "96.126.130.126", "45.207.216.55")
$ActiveConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($IP in $C2_IPs) {
    # $Hits rather than $Matches: $Matches is a PowerShell automatic variable
    $Hits = $ActiveConnections | Where-Object { $_.RemoteAddress -eq $IP }
    foreach ($Conn in $Hits) {
        Write-Host "[!] SUSPICIOUS CONNECTION DETECTED to $IP on PID: $($Conn.OwningProcess)" -ForegroundColor Red
    }
}
Write-Host "[+] Scan complete." -ForegroundColor Green
Response Priorities
Immediate (0-4 hours):
- Block all IOCs (IPs, domains, hashes) at the perimeter and endpoint level.
- Isolate any systems with confirmed hits on the malware hashes or C2 connections.
- Hunt specifically for angryipscanner.org and opmanager.pro in DNS logs.
Within 24 hours:
- Review SimpleHelp RMM logs for signs of exploitation of CVE-2026-48558.
- Verify credentials for IT administrators who may have downloaded trojanized tools (Bumblebee vector).
- Conduct targeted phishing awareness for maritime and Iberian Peninsula office branches regarding Ousaban PDFs.
Within 1 week:
- Patch SimpleHelp RMM instances to mitigate CVE-2026-48558.
- Update Langflow instances to address CVE-2026-55255 and CVE-2026-33017.
- Implement stricter software download policies to prevent SEO poisoning infections.
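As an added example, not part of the bulletin, this Python script performs the DNS-log hunt for the two look-alike domains named above over constructed log lines. The log layout (timestamp, client IP, query name) is an assumption; matching is label-aware (the domain itself or any subdomain) rather than a raw substring check, so a query for an unrelated host that merely contains "opmanager.pro" does not fire.

```python
# Added example, not from the bulletin: DNS-log hunt for the pulse's look-alike domains.
IOC_DOMAINS = {"opmanager.pro", "angryipscanner.org"}


def domain_matches(qname, iocs=IOC_DOMAINS):
    """Return the IOC domain that qname equals or is a subdomain of, else None."""
    name = qname.lower().rstrip(".")  # normalise case and a trailing root dot
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def hunt_dns_log(lines):
    """Parse assumed 'timestamp client qname' lines; return (ts, client, qname, ioc) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of aborting the hunt
        ts, client, qname = parts[0], parts[1], parts[2]
        ioc = domain_matches(qname)
        if ioc:
            hits.append((ts, client, qname, ioc))
    return hits


# Constructed log lines (hypothetical clients and timestamps) in the assumed layout.
SAMPLE_DNS_LOG = [
    "2026-07-03T09:12:01Z 10.0.5.23 www.opmanager.pro.",
    "2026-07-03T09:12:04Z 10.0.5.23 cdn.opmanager.pro",
    "2026-07-03T09:13:10Z 10.0.7.8 opmanager.professional-tools.example",  # substring only
    "2026-07-03T09:14:22Z 10.0.9.41 ANGRYIPSCANNER.ORG",
    "2026-07-03T09:15:00Z 10.0.9.41 angryip.org",
    "garbage line",
]

if __name__ == "__main__":
    for hit in hunt_dns_log(SAMPLE_DNS_LOG):
        print("[!] DNS IOC match:", hit)
```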