Bumblebee Loader & Akira Ransomware: SEO Poisoning and Supply Chain Attack Vector Analysis — Detection Engineering Pack

Security Arsenal Team
July 1, 2026

Threat Summary

The latest OTX pulses reveal a coordinated surge in activity in which credential theft is the primary precursor to ransomware deployment. Three distinct campaigns have been identified:

  1. SEO Poisoning to Ransomware: Threat actors are leveraging SEO poisoning to distribute trojanized installers for IT tools (e.g., ManageEngine). These installers deliver Bumblebee, which establishes AdaptixC2 communication for lateral movement and ultimate deployment of Akira ransomware.
  2. RMM Exploitation: A critical vulnerability (CVE-2026-48558) in SimpleHelp RMM is being exploited to gain unauthorized technician access. Attackers are deploying TaskWeaver, a Node.js loader, and Djinn Stealer, focusing on credential extraction from technology sectors.
  3. Event-Based Phishing (GHOST STADIUM): The GHOST STADIUM actor is aggressively targeting the 2026 FIFA World Cup with over 4,300 fraudulent domains (e.g., fifa.gold), utilizing Vidar and Lumma stealers to harvest credentials via pixel-perfect phishing sites.

Collectively, these campaigns demonstrate a shift towards abusing trusted management tools and high-traffic events to bypass perimeter defenses.

Threat Actor / Malware Profile

Bumblebee (S1039) & AdaptixC2

  • Distribution: SEO poisoning of legitimate IT software keywords (e.g., Angry IP Scanner, ManageEngine).
  • Behavior: Acts as a loader; establishes C2 via AdaptixC2. Facilitates lateral movement, often leading to ransomware (Akira).
  • Persistence: Uses scheduled tasks and service creation.

TaskWeaver & Djinn Stealer

  • Distribution: Exploitation of CVE-2026-48558 in SimpleHelp RMM.
  • Behavior: TaskWeaver is a heavily obfuscated Node.js loader that decrypts and executes payloads. Djinn Stealer targets browser data and system credentials.
  • C2: Encrypted communications with C2 infrastructure (e.g., a.dev-tunnels.com).

GHOST STADIUM

  • Distribution: Facebook ads and fraudulent domains impersonating FIFA.
  • Payloads: Vidar and Lumma Stealers.
  • Objective: Mass credential harvesting for fraud and secondary infection.

JINX-0164

  • Target: Cryptocurrency and Software Development infrastructure.
  • Malware: AUDIOFIX (Python RAT) and MINIRAT (Go backdoor) for macOS.
  • Vector: LinkedIn social engineering and npm trojan packages.

IOC Analysis

The provided indicators of compromise (IOCs) span multiple vectors and should be ingested immediately into SIEM, EDR, and firewall/DNS blocklists:

  • Domains & URLs: A significant number of typosquatted domains (e.g., fifa.gold, angryipscanner.org) and C2 domains (opmanager.pro). These should be blocked at the DNS layer.
  • IP Addresses: Key C2 IPs include 172.96.137.160 (Bumblebee) and 96.126.130.126 (TaskWeaver).
  • File Hashes: Multiple SHA256 and MD5 hashes for trojanized installers and malware loaders (e.g., a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2).
  • CVEs: CVE-2026-48558 (SimpleHelp Auth Bypass) and CVE-2026-55255 (Langflow IDOR).

Detection Engineering

Sigma Rules

YAML
---
title: Potential Bumblebee Loader Activity via AdaptixC2
id: 3487a1c9-5a2f-4b1c-9e8d-1d2f3a4b5c6d
description: Detects LOLBin execution consistent with a user-launched trojanized installer delivering Bumblebee/AdaptixC2 in recent campaigns - rundll32 or regsvr32 loading a DLL, or mshta running inline JavaScript, spawned from a browser or Explorer.
status: experimental
date: 2026-07-01
author: Security Arsenal
references:
    - https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/
tags:
    - attack.initial_access
    - attack.execution
    - attack.defense_evasion
    - attack.t1218.005
    - attack.t1218.010
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\explorer.exe'
            - '\chrome.exe'
            - '\msedge.exe'
    selection_lolbin_dll:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
        CommandLine|contains: '.dll'
    selection_lolbin_mshta:
        Image|endswith: '\mshta.exe'
        CommandLine|contains: 'javascript'
    condition: selection_parent and 1 of selection_lolbin_*
falsepositives:
    - Legitimate administrative scripts and installers invoking rundll32/regsvr32 from Explorer (e.g. Control Panel applets); tune on the DLL path, as DLLs in user-writable directories are the higher-signal subset
level: medium
---
title: RMM Software Spawning Node.js - TaskWeaver/Djinn
id: b2c3d4e5-6f70-4a8b-9c1d-2e3f4a5b6c7d
description: Detects SimpleHelp RMM or similar management tools spawning Node.js with inline code (-e/--eval) or an eval() call, consistent with TaskWeaver or Djinn Stealer deployment following exploitation of CVE-2026-48558.
status: experimental
date: 2026-07-01
author: Security Arsenal
references:
    - https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/
tags:
    - attack.execution
    - attack.t1059.007
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains:
            - 'SimpleHelp'
            - 'RemoteSupport'
    selection_child:
        Image|endswith: '\node.exe'
        CommandLine|contains:
            - ' -e '
            - ' --eval'
            - 'eval('
    condition: all of selection_*
falsepositives:
    - Administrators running ad-hoc Node.js one-liners through the RMM console
level: critical
---
title: GHOST STADIUM Phishing Domain Connection
id: d4e5f6a7-8b9c-4d1e-af2b-3c4d5e6f7a8b
description: Detects outbound network connections to known GHOST STADIUM fraudulent domains impersonating FIFA and used for World Cup 2026 credential theft.
status: experimental
date: 2026-07-01
author: Security Arsenal
references:
    - https://www.group-ib.com/blog/ghost-stadium-football-fraud/
tags:
    - attack.initial_access
    - attack.t1566.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'fifa.gold'
            - 'fifa.black'
            - 'fifa.tax'
            - 'fifaweb.com'
            - 'fifa.red'
            - 'fifa.fund'
            - 'fifa-com.shop'
            - 'fifa-com.site'
    condition: selection
falsepositives:
    - Unlikely
level: high
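To check the RMM-spawns-Node.js rule above against concrete events, here is an added Python example; it is not part of the original detection pack or any vendor code. It implements only the Sigma pieces these rules rely on (case-insensitive `endswith`/`contains`, AND inside a selection, OR across listed values, `all of selection_*`) and runs the rule over three constructed process-creation events whose image paths and command lines are assumptions, not observed telemetry. It shows why the Node.js command-line pattern has to be anchored: a bare `-e` substring also fires on `--experimental-modules`, whereas ` -e ` / `eval(` fire only on the inline-code case.

```python
"""Run the page's RMM -> Node.js Sigma logic over constructed process-creation events.

Added example; not from the original detection pack. Only the Sigma features the
page's rules use are implemented, and all events below are constructed.
"""
import fnmatch
import re


def _match_value(modifier, actual, expected):
    """One Sigma value test; Sigma string matching is case-insensitive by default."""
    actual, expected = str(actual).lower(), str(expected).lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "contains":
        return expected in actual
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def match_selection(event, selection):
    """Every field in a selection must match (AND); any one of a field's listed values suffices (OR)."""
    for field_spec, values in selection.items():
        field, _, modifier = field_spec.partition("|")
        if field not in event:
            return False
        values = values if isinstance(values, list) else [values]
        if not any(_match_value(modifier, event[field], v) for v in values):
            return False
    return True


def evaluate(rule, event):
    """Handle the two condition forms used on this page: a named selection, or `all of <glob>`."""
    detection = rule["detection"]
    condition = detection["condition"].strip()
    m = re.fullmatch(r"all of (\S+)", condition)
    if m:
        names = [n for n in detection if n != "condition" and fnmatch.fnmatch(n, m.group(1))]
        return bool(names) and all(match_selection(event, detection[n]) for n in names)
    return match_selection(event, detection[condition])


def rmm_node_rule(cmdline_patterns):
    """The page's RMM-spawns-Node.js detection, parameterised on the CommandLine patterns."""
    return {
        "title": "RMM Software Spawning Node.js",
        "detection": {
            "selection_parent": {"ParentImage|contains": ["SimpleHelp", "RemoteSupport"]},
            "selection_child": {"Image|endswith": ["\\node.exe"], "CommandLine|contains": cmdline_patterns},
            "condition": "all of selection_*",
        },
    }


# Loose patterns: a bare '-e' is a substring of many ordinary Node flags.
LOOSE_RULE = rmm_node_rule(["-e", "eval"])
# Anchored patterns: the inline-code switch with surrounding spaces, or an eval() call.
ANCHORED_RULE = rmm_node_rule([" -e ", " --eval ", "eval("])

# Constructed events (Sysmon EID 1 style field names); paths and command lines are assumed.
EV_TASKWEAVER_STYLE = {
    "ParentImage": r"C:\Program Files\SimpleHelp\Remote Access\Remote Access.exe",
    "Image": r"C:\ProgramData\nodejs\node.exe",
    "CommandLine": 'node.exe -e "eval(Buffer.from(process.argv[1],\'base64\').toString())" ZXZhbA==',
}
EV_BENIGN_BUILD = {
    "ParentImage": r"C:\Program Files\RemoteSupport\agent.exe",
    "Image": r"C:\Program Files\nodejs\node.exe",
    "CommandLine": "node.exe --experimental-modules build.mjs",
}
EV_NOT_FROM_RMM = {
    "ParentImage": r"C:\Windows\explorer.exe",
    "Image": r"C:\Program Files\nodejs\node.exe",
    "CommandLine": 'node.exe -e "eval(1)"',
}
EVENTS = {"taskweaver_style": EV_TASKWEAVER_STYLE, "benign_build": EV_BENIGN_BUILD, "not_from_rmm": EV_NOT_FROM_RMM}


def triage(rule, events):
    """Return the names of the events the rule fires on, in input order."""
    return [name for name, ev in events.items() if evaluate(rule, ev)]


if __name__ == "__main__":
    for name, rule in (("loose", LOOSE_RULE), ("anchored", ANCHORED_RULE)):
        print(f"{name:9s} -> {triage(rule, EVENTS)}")
```

The loose rule fires on both the TaskWeaver-style event and the benign build, because `--experimental-modules` contains `-e`; the anchored rule fires only on the inline-code case, and neither fires when the parent is not an RMM binary.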

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Bumblebee, TaskWeaver and GHOST STADIUM network IOCs.
// IPs are compared exactly; domains are matched with has_any, which is term-based,
// so subdomains such as www.fifa.gold also hit. Do not swap in contains().
let IOC_IPs = dynamic(["172.96.137.160", "96.126.130.126", "45.207.216.55"]);
let IOC_Domains = dynamic(["angryipscanner.org", "opmanager.pro", "a.dev-tunnels.ms", "fifa.gold", "fifa.black"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (IOC_IPs) or RemoteUrl has_any (IOC_Domains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl, ActionType
// Defender portal tables expose Timestamp; Sentinel analytics rules key on TimeGenerated.
| extend TimeGenerated = Timestamp
| order by TimeGenerated desc
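The IOC list above mixes IP addresses and domains in one array. As an added example (not from the page or any vendor tool), the following Python splits such a list automatically, then matches DNS query names on label boundaries so that `www.fifa.gold` hits but `fifa.goldsmith.example` and `notfifa.gold` do not, and separately flags resolutions to IOC IPs. The one-record-per-line log format and the log lines are constructed for the example; `a.dev-tunnels.ms` is left out because the page lists it inconsistently.

```python
"""Match the page's mixed IP/domain IOC list against constructed DNS-style log lines.

Added example; not from the original page. Domains are matched on label boundaries
(apex or subdomain), not as substrings. Log format and lines are constructed.
"""
import ipaddress

# IOCs as listed on the page; the split below is automatic, not hand-labelled.
IOC_LIST = [
    "172.96.137.160", "96.126.130.126", "45.207.216.55",
    "angryipscanner.org", "opmanager.pro", "fifa.gold", "fifa.black",
]


def split_iocs(iocs):
    """Return (set of IP addresses, set of lower-cased domains without trailing dot)."""
    ips, domains = set(), set()
    for raw in iocs:
        raw = raw.strip().lower().rstrip(".")
        try:
            ips.add(str(ipaddress.ip_address(raw)))
        except ValueError:
            domains.add(raw)
    return ips, domains


def domain_matches(query, domains):
    """True if `query` equals an IOC domain or is a subdomain of one (label-boundary match)."""
    labels = query.lower().rstrip(".").split(".")
    # Walk from the full name upward: www.fifa.gold -> fifa.gold -> gold
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def substring_matches(query, domains):
    """The naive alternative (what a contains() filter does): any IOC as a substring of the name."""
    q = query.lower()
    return any(d in q for d in domains)


def scan_dns_log(lines, iocs):
    """Parse '<ts> <client_ip> <qname> <answer_ip>' lines; return (line_no, reason) hits."""
    ips, domains = split_iocs(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the hunt
        _ts, _client, qname, answer = parts
        qname = qname.lower().rstrip(".")
        if domain_matches(qname, domains):
            hits.append((n, f"query for IOC domain {qname}"))
        elif answer in ips:
            hits.append((n, f"resolved to IOC IP {answer}"))
    return hits


# Constructed log lines (hypothetical resolver export, one record per line).
SAMPLE_LOG = [
    "2026-07-01T09:00:01Z 10.0.0.5 www.fifa.gold 203.0.113.10",
    "2026-07-01T09:00:02Z 10.0.0.5 fifa.goldsmith.example 203.0.113.11",
    "2026-07-01T09:00:03Z 10.0.0.6 notfifa.gold 203.0.113.12",
    "2026-07-01T09:00:04Z 10.0.0.7 updates.example.net 172.96.137.160",
    "2026-07-01T09:00:05Z 10.0.0.8 cdn.opmanager.pro. 203.0.113.13",
    "2026-07-01T09:00:06Z 10.0.0.9 manageengine.com 203.0.113.14",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, IOC_LIST):
        print(hit)
```

Lines 2 and 3 are the ones a substring filter would wrongly flag; `substring_matches` is kept only to make that difference visible.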

PowerShell Hunt Script

PowerShell
# Hunt for specific SHA256 hashes associated with Bumblebee, Djinn, and JINX-0164 malware.
# Hashing every file under C:\Users is I/O heavy; run off-hours or narrow $PathsToScan.
$TargetHashes = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@(
        "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
        "00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c",
        "f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc",
        "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
    ),
    [System.StringComparer]::OrdinalIgnoreCase   # Get-FileHash returns upper-case hex
)

$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp\")

Write-Host "Scanning for malware IOCs..."

$Findings = foreach ($Path in $PathsToScan) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }
    # -File skips directories (Get-FileHash cannot hash them); -Force includes hidden/system files
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($Hash -and $TargetHashes.Contains($Hash)) {
            Write-Host "[MALICIOUS] Detected: $($_.FullName) | Hash: $Hash" -ForegroundColor Red
            [PSCustomObject]@{ Path = $_.FullName; SHA256 = $Hash; LastWriteUtc = $_.LastWriteTimeUtc }
        }
    }
}
Write-Host "Scan complete. $(@($Findings).Count) match(es)."
# $Findings | Export-Csv -NoTypeInformation hash_hunt_results.csv   # hand results to IR

Response Priorities

  • Immediate: Block all listed IOCs (IPs, Domains) at the firewall and proxy. Initiate a hunt for the specific file hashes provided in the pulse data on all endpoints.
  • 24h: If credential-stealing malware (Djinn, Vidar, Lumma) is suspected, force a password reset for privileged and exposed accounts and revoke their active sessions and refresh tokens (stealers exfiltrate browser session cookies, which survive a password change); review authentication logs for sign-ins from unusual geolocations or new devices.
  • 1 Week: Patch SimpleHelp RMM instances to address CVE-2026-48558. Review and restrict administrative rights for users downloading software from the internet to mitigate SEO poisoning impact.
