
Bumblebee Loader, RedLine Stealer, and RMM Exploitation: OTX Pulse Analysis — Credential Theft & Ransomware Campaigns

Security Arsenal Team
July 2, 2026

Recent OTX pulses indicate a surge in multi-vector credential theft campaigns serving as precursors to high-impact intrusions, including ransomware deployment and Business Email Compromise (BEC). Adversaries are actively exploiting trust in legitimate IT management tools via SEO poisoning (Bing searches) to deliver the Bumblebee loader, which subsequently drops the Akira ransomware. Simultaneously, a distinct cluster of activity involves the exploitation of RMM software (SimpleHelp) to deploy novel Node.js malware (TaskWeaver/Djinn Stealer). Additionally, RedLine Stealer infrastructure has been directly linked to maritime sector BEC operations, while the Ousaban banking Trojan continues geofenced attacks against the Iberian Peninsula. The collective objective across these pulses is the acquisition of valid credentials for lateral movement, financial fraud, and initial access for ransomware operations.

Threat Actor / Malware Profile

Bumblebee Loader (S1039) & Akira Ransomware

  • Distribution: SEO poisoning targeting IT administrators searching for tools like ManageEngine OpManager. Trojanized installers deliver the payload.
  • Behavior: Acts as a loader for Akira ransomware. Facilitates lateral movement using the privileged context of the admin user executing the installer.
  • C2 & Persistence: Uses AdaptixC2 for command and control. Employs credential dumping techniques to harvest credentials for network propagation.

RedLine Stealer (S1240) & Maritime BEC Infrastructure

  • Distribution: Initial access via generic infostealer campaigns, pivoting to targeted infrastructure.
  • Behavior: Harvests browser data and system credentials. The investigation revealed shared infrastructure used for Formbook, Metamorfo, and Casbaneiro, indicating a "malware-as-a-service" ecosystem feeding into targeted BEC.
  • C2 Communication: Observed communicating over non-standard ports (e.g., TCP 55615) to IPs like 194.156.79.122.

TaskWeaver & Djinn Stealer

  • Distribution: Exploitation of CVE-2026-48558, an auth bypass in SimpleHelp RMM software.
  • Behavior: TaskWeaver is a heavily obfuscated Node.js loader that delivers Djinn Stealer. Designed to steal credentials from development environments and AI tools.
  • Persistence: Established via unauthorized technician access granted by the RMM exploit.

Ousaban Banking Trojan

  • Distribution: Phishing PDFs targeting Spain and Portugal.
  • Behavior: Performs geofencing to ensure targets are within the Iberian Peninsula. Uses VBS scripts to download steganographic images containing the payload.

IOC Analysis

The provided indicators span multiple categories:

  • IPv4: C2 servers for Bumblebee (172.96.137.160), RedLine clusters (194.156.79.122, 85.17.40.98), and Langflow exploits (45.207.216.55). These should be blocked immediately at perimeter firewalls and EDR policies.
  • Domains: Typosquatted or malicious domains like angryipscanner.org and opmanager.pro used in SEO poisoning campaigns. Sinkhole these domains internally.
  • File Hashes: SHA256 and MD5 hashes for Bumblebee loaders, Ousaban droppers, and TaskWeaver components. Use EDR solutions to hunt for these specific files on disk.
  • CVEs: CVE-2026-48558 (SimpleHelp), CVE-2026-55255, and CVE-2026-33017 (Langflow). Vulnerability management teams must prioritize patching these specific flaws.
  • Operationalization: SOCs should ingest these IOCs into SIEM correlation engines to alert on network traffic to the listed IPs and execution of the listed file hashes. The RedLine C2 IP 194.156.79.122 is a critical pivot point for the maritime cluster.

Detection Engineering

Sigma Rules

YAML
title: Potential Bumblebee Loader via Trojanized IT Tool
id: 6b7f9d1e-2a4c-4f8d-9e1b-3c5a6d7e8f9a
description: Detects execution of suspicious processes often associated with trojanized IT tools like OpManager or AngryIP, followed by PowerShell or CMD activity typical of Bumblebee loader execution.
status: experimental
author: Security Arsenal
date: 2026/07/02
references:
    - https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/
tags:
    - attack.initial_access
    - attack.t1566.001
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\opmanager.exe'
            - '\ipscan.exe'
            - '\manageengine.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\mshta.exe'
    condition: all of them
falsepositives:
    - Legitimate administrative scripts run by IT staff
level: high
---
title: RedLine Stealer C2 Network Activity
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects network connections to known RedLine Stealer infrastructure or the specific non-standard port 55615 associated with the maritime cluster.
status: experimental
author: Security Arsenal
date: 2026/07/02
references:
    - https://www.vmray.com/the-redline-thread-that-led-to-a-maritime-bec-infrastructure-cluster/
tags:
    - attack.c2
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection_ip:
        DestinationIp:
            - '194.156.79.122'
            - '85.17.40.98'
            - '185.252.24.52'
    selection_port:
        DestinationPort: 55615
    condition: 1 of selection_*
falsepositives:
    - Legitimate traffic on port 55615 (rare)
level: critical
---
title: SimpleHelp RMM Exploitation and TaskWeaver Execution
id: f1e2d3c4-b5a6-7890-1234-567890abcdef
description: Detects exploitation of CVE-2026-48558 in SimpleHelp RMM, indicated by unusual child processes (Node.js) spawned by the RMM binary or service.
status: experimental
author: Security Arsenal
date: 2026/07/02
references:
    - https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/
tags:
    - attack.initial_access
    - attack.t1190
    - attack.execution
    - attack.t1059.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: 'SimpleHelp'
    selection_child:
        Image|endswith:
            - '\node.exe'
            - '\taskweaver.exe'
    condition: all of them
falsepositives:
    - Legitimate administrative use of Node.js tools via RMM
level: high
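To show how the three rules above and the IOC operationalization point from the IOC Analysis section behave against real telemetry shapes, the following Python is an added example (not the page's code and not from any of the referenced reports). It transcribes the rules into plain dicts, implements the Sigma subset they need (endswith, contains, exact match, "all of them", "1 of selection_*"), and runs them over constructed Sysmon-style events. The event fields, file paths and the event with IP 185.17.40.98 (a superstring of a listed IoC, included to show why IP lists must be matched exactly) are assumptions built for the demonstration.

```python
from fnmatch import fnmatchcase

# The page's three Sigma detections transcribed into dicts. Supported subset:
# modifiers endswith / contains, exact match, "all of them", "1 of selection_*".
RULES = [
    {
        "title": "Potential Bumblebee Loader via Trojanized IT Tool",
        "category": "process_creation",
        "detection": {
            "selection_parent": {"ParentImage|endswith": ["\\opmanager.exe", "\\ipscan.exe", "\\manageengine.exe"]},
            "selection_child": {"Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\mshta.exe"]},
            "condition": "all of them",
        },
    },
    {
        "title": "RedLine Stealer C2 Network Activity",
        "category": "network_connection",
        "detection": {
            "selection_ip": {"DestinationIp": ["194.156.79.122", "85.17.40.98", "185.252.24.52"]},
            "selection_port": {"DestinationPort": [55615]},
            "condition": "1 of selection_*",
        },
    },
    {
        "title": "SimpleHelp RMM Exploitation and TaskWeaver Execution",
        "category": "process_creation",
        "detection": {
            "selection_parent": {"ParentImage|contains": ["SimpleHelp"]},
            "selection_child": {"Image|endswith": ["\\node.exe", "\\taskweaver.exe"]},
            "condition": "all of them",
        },
    },
]

# Constructed Sysmon-style events (not real telemetry); paths are illustrative assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "category": "process_creation",
     "ParentImage": "C:\\Users\\admin\\Downloads\\OpManager.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": 2, "category": "process_creation",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 3, "category": "network_connection",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "DestinationIp": "194.156.79.122", "DestinationPort": 443},
    # Superstring of the IoC 85.17.40.98: exact matching must NOT fire here.
    {"id": 4, "category": "network_connection",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "185.17.40.98", "DestinationPort": 443},
    {"id": 5, "category": "process_creation",
     "ParentImage": "C:\\Program Files\\SimpleHelp Technician\\SimpleHelp.exe",
     "Image": "C:\\Program Files\\nodejs\\node.exe"},
]


def _field_matches(event, key, values):
    """One 'Field|modifier' entry; listed values are ORed, compared case-insensitively."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    if modifier == "endswith":
        return any(str(actual).lower().endswith(str(v).lower()) for v in values)
    if modifier == "contains":
        return any(str(v).lower() in str(actual).lower() for v in values)
    if modifier == "":
        # Exact match, so an IP or port list is never a substring test.
        return any(actual == v or str(actual).lower() == str(v).lower() for v in values)
    raise ValueError(f"unsupported modifier: {modifier}")


def _selection_matches(event, selection):
    """Fields inside one selection are ANDed."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(rule, event):
    """Evaluate one rule's condition against one event."""
    if event.get("category") != rule["category"]:
        return False
    detection = rule["detection"]
    selections = {k: v for k, v in detection.items() if k != "condition"}
    condition = detection["condition"]
    if condition == "all of them":
        return all(_selection_matches(event, s) for s in selections.values())
    quantifier, _, pattern = condition.partition(" of ")
    chosen = [selections[n] for n in selections if fnmatchcase(n, pattern)]
    if quantifier == "1" and chosen:
        return any(_selection_matches(event, s) for s in chosen)
    raise ValueError(f"unsupported condition: {condition}")


def run_rules(rules, events):
    """Return (rule title, event id) pairs for every event that trips a rule."""
    return [(r["title"], e["id"]) for e in events for r in rules if rule_matches(r, e)]


if __name__ == "__main__":
    for title, event_id in run_rules(RULES, SAMPLE_EVENTS):
        print(f"event {event_id}: {title}")
```

Events 1, 3 and 5 trip one rule each; event 4 stays quiet because `DestinationIp` is compared exactly, which is the reason the RedLine rule lists IPs without a `|contains` modifier. The same exact-match discipline applies when the IP and hash lists are loaded into a SIEM correlation engine.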

KQL (Microsoft Sentinel)

KQL
// Hunt for RedLine C2 traffic and Bumblebee IOCs
let IoC_IPs = dynamic(["172.96.137.160", "194.156.79.122", "85.17.40.98", "185.252.24.52", "45.207.216.55"]);
let IoC_Hashes = dynamic(["a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2", "00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c"]);
// Network Connection Hunt
DeviceNetworkEvents
| where RemoteIP in (IoC_IPs) or RemotePort == 55615
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, RemoteUrl
| extend IoC_Type = "C2_Traffic"
| union (
    DeviceProcessEvents
    | where SHA256 in (IoC_Hashes) or ProcessVersionFileInfoOriginalFileName in ("opmanager.exe", "ipscan.exe")
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, SHA256, FolderPath
    | extend IoC_Type = "Malware_Execution"
)
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for Bumblebee, RedLine, and RMM Exploitation indicators.
.DESCRIPTION
    Checks active network connections for malicious C2 IPs and scans for specific file hashes associated with recent OTX pulses.
    Run from an elevated session; the hash scan hashes every file on every fixed disk and can take a long time on large volumes.
#>

$MaliciousIPs = @(
    "172.96.137.160",
    "194.156.79.122",
    "85.17.40.98",
    "185.252.24.52",
    "45.207.216.55",
    "96.126.130.126"
)

$MaliciousHashes = @(
    "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
    "00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c",
    "f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc",
    "d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3"
)

Write-Host "[*] Checking active network connections for known C2 IPs..."
$ActiveConnections = Get-NetTCPConnection -State Established
foreach ($IP in $MaliciousIPs) {
    # $Matches is a PowerShell automatic variable (regex results); use a distinct name
    $Hits = $ActiveConnections | Where-Object { $_.RemoteAddress -eq $IP }
    foreach ($Hit in $Hits) {
        Write-Host "[!] ALERT: Connection to malicious IP $IP on port $($Hit.RemotePort) (Owning PID: $($Hit.OwningProcess))" -ForegroundColor Red
        Get-Process -Id $Hit.OwningProcess -ErrorAction SilentlyContinue | Select-Object ProcessName, Path
    }
}

Write-Host "[*] Scanning fixed drives for known malware hashes..."
# DriveType 3 = local fixed disk, so mapped network shares are not traversed
$Drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 3"
foreach ($Drive in $Drives) {
    $Root = "$($Drive.DeviceID)\"
    Write-Host "Scanning $Root..."
    # Stream files through the pipeline instead of materializing the whole listing first
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        # -contains compares case-insensitively, so Get-FileHash's upper-case output matches the list
        if ($Hash -and ($MaliciousHashes -contains $Hash)) {
            Write-Host "[!] ALERT: Malware file found at $($_.FullName)" -ForegroundColor Red
        }
    }
}

Write-Host "[*] Hunt complete."

Response Priorities

  • Immediate: Block all listed IPv4 indicators and domains (e.g., opmanager.pro) at the perimeter. Initiate a hunt for the file hashes provided in the Pulse data across all endpoints. Specifically, investigate processes spawned by opmanager.exe or similar IT tools.
  • 24 Hours: If RedLine Stealer or Ousaban is suspected, force a password reset and MFA re-enrollment for accounts accessible from the affected segments. Verify the integrity of South Korean maritime-related mailboxes if relevant to the organization.
  • 1 Week: Patch SimpleHelp RMM instances to address CVE-2026-48558. Review web proxy logs for searches on SEO-poisoned keywords (e.g., "Angry IP Scanner download") and restrict the downloads they lead to. Implement strict allow-listing for RMM tools.
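The proxy-log review in the last bullet, together with the domain sinkholing from the IOC Analysis section, can be exercised with the following Python. It is an added example, not the page's own tooling: it parses constructed Squid-style access-log lines, flags requests whose host is one of the listed domains or a subdomain of it (a label-boundary check, so a look-alike that merely contains the string does not fire), and flags Bing searches whose `q=` parameter carries a poisoned phrase. The log lines, usernames, client and peer addresses, and the second keyword are assumptions built for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Domains from the pulse, plus search phrases the write-up names as SEO-poisoned
# (the second phrase is an assumed addition for the demonstration).
MALICIOUS_DOMAINS = ("opmanager.pro", "angryipscanner.org")
POISONED_KEYWORDS = ("angry ip scanner download", "opmanager download")
SEARCH_HOSTS = ("www.bing.com", "bing.com")

# Constructed Squid native access.log lines (not real traffic):
# time elapsed client code/status bytes method url user hierarchy/peer mime
SAMPLE_LOG = """\
1751414400.123    312 10.1.2.3 TCP_MISS/200 4512 GET https://www.bing.com/search?q=angry+ip+scanner+download jdoe HIER_DIRECT/203.0.113.20 text/html
1751414405.456    201 10.1.2.3 TCP_MISS/200 18234 GET https://download.opmanager.pro/OpManager_64bit.exe jdoe HIER_DIRECT/203.0.113.10 application/octet-stream
1751414410.789    150 10.1.2.7 TCP_MISS/200 6123 GET https://www.bing.com/search?q=excel+vlookup+tutorial asmith HIER_DIRECT/203.0.113.20 text/html
1751414415.001    120 10.1.2.9 TCP_MISS/200 2210 GET https://www.manageengine.com/network-monitoring/ bwu HIER_DIRECT/198.51.100.5 text/html
1751414420.333     98 10.1.2.9 TCP_MISS/200 1800 GET https://opmanager.pro.example.net/ bwu HIER_DIRECT/198.51.100.9 text/html
"""


def is_malicious_host(host):
    """True for a listed domain or any subdomain of it; never a bare substring test."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS)


def poisoned_query(url):
    """Return the normalized search phrase if this is a search for a poisoned keyword, else None."""
    parts = urlsplit(url)
    if parts.hostname not in SEARCH_HOSTS or parts.path != "/search":
        return None
    phrase = parse_qs(parts.query).get("q", [""])[0]  # parse_qs decodes '+' to spaces
    phrase = re.sub(r"\s+", " ", phrase).strip().lower()
    return phrase if any(k in phrase for k in POISONED_KEYWORDS) else None


def hunt(log_text):
    """Scan Squid-style log lines; return one finding dict per suspicious request."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 8:
            continue  # malformed or truncated line
        client, url, user = fields[2], fields[6], fields[7]
        host = urlsplit(url).hostname
        if is_malicious_host(host):
            findings.append({"line": line_no, "client": client, "user": user,
                             "kind": "malicious_domain", "detail": host})
        phrase = poisoned_query(url)
        if phrase:
            findings.append({"line": line_no, "client": client, "user": user,
                             "kind": "poisoned_search", "detail": phrase})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} by {f['user']}@{f['client']} -> {f['detail']}")
```

Two of the five lines are flagged: the poisoned search and the download from a subdomain of opmanager.pro, both by the same user, which is the pivot that sends an analyst to that user's endpoint to run the process-creation hunts above. The look-alike host opmanager.pro.example.net is left alone because the domain check honours label boundaries.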
