Recent OTX pulses indicate a converging threat landscape focused on credential theft to facilitate ransomware deployment and financial fraud. Adversaries are leveraging diverse initial access vectors, including SEO poisoning (Bumblebee), RMM exploitation (TaskWeaver/Djinn), and targeted spear-phishing (RedLine/Ousaban).
The collective objective of these campaigns is twofold: 1) harvesting high-privileged credentials for lateral movement (Bumblebee/Akira) and 2) exfiltrating banking or corporate data for immediate monetization (RedLine, Ousaban). The emergence of Node.js loaders (TaskWeaver) and the exploitation of AI development tools (Langflow) highlight a shift toward targeting emerging technology stacks.
Threat Actor / Malware Profile
Bumblebee & Akira (Pulse 1)
- Distribution: SEO poisoning of Bing search results for IT tools (e.g., ManageEngine OpManager). Users download trojanized installers.
- Behavior: Bumblebee acts as a loader, granting initial access. It dumps credentials to facilitate lateral movement.
- C2: Uses AdaptixC2 infrastructure.
- Objective: Initial access leading to Akira Ransomware deployment.
RedLine Stealer Cluster (Pulse 2)
- Distribution: Spear-phishing and Business Email Compromise (BEC) targeting the South Korean maritime sector.
- Behavior: Info-stealer focusing on browser data, credentials, and cryptocurrency wallets. Pivots to infrastructure used by other malware families (Formbook, Metamorfo).
- C2: Direct HTTP connections to specific IP infrastructure (e.g., 194.156.79.122:55615).
TaskWeaver & Djinn Stealer (Pulse 3)
- Distribution: Exploitation of CVE-2026-48558 in SimpleHelp RMM software.
- Behavior: TaskWeaver is a Node.js loader that executes encrypted code and deploys Djinn Stealer. Targets AI development environments.
- Persistence: Abuses the compromised, legitimate RMM tooling to maintain access.
Ousaban (Pulse 5)
- Distribution: Phishing PDFs with geofencing checks (Spain/Portugal).
- Behavior: VBS scripts download steganographic images hiding payloads. Banking Trojan functionality.
- Objective: Theft of banking credentials from Iberian Peninsula victims.
IOC Analysis
The provided indicators encompass C2 infrastructure, delivery mechanisms, and payload artifacts.
- IPv4 Addresses: Multiple C2 IPs (e.g., 172.96.137.160, 194.156.79.122, 96.126.130.126) should be blocked immediately at the perimeter.
- Domains: Typosquatted or attacker-owned domains (e.g., angryipscanner.org, opmanager.pro) associated with SEO poisoning campaigns.
- File Hashes: MD5, SHA1, and SHA256 hashes for trojanized installers (ManageEngine), Node.js loaders (TaskWeaver), and banking trojans (Ousaban).
- Operationalization: SOC teams should ingest these hashes into EDR solutions for immediate scanning. Network analytics tools should monitor for connections to the listed IPs on non-standard ports (e.g., 55615, 8084).
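An added example (not from the briefing) of the perimeter triage described above: constructed connection records are matched against the C2 IPs quoted in this section, comparing parsed addresses rather than substrings, and hits on the non-standard ports named in the briefing (55615, 8084) are escalated. The log format and the address 185.17.40.98 are constructed for the example.

```python
import ipaddress
import re

# C2 IPs and non-standard ports quoted in the briefing
C2_IPS = {ipaddress.ip_address(ip) for ip in (
    "172.96.137.160", "194.156.79.122", "85.17.40.98", "96.126.130.126")}
C2_PORTS = {55615, 8084}

# Constructed key=value record layout (not a real product format)
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proc=(\S+)")

def parse_line(line):
    """Parse one connection record; None if it does not fit or the IP is malformed."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, dport, proc = m.groups()
    try:
        return {"src": src, "dst": ipaddress.ip_address(dst),
                "dport": int(dport), "proc": proc}
    except ValueError:
        return None

def triage(lines):
    """Return (priority, record) for connections to listed C2 IPs.

    Parsed-address comparison means 185.17.40.98 does not match the
    listed 85.17.40.98, which a substring test would wrongly flag.
    A listed IP on a non-standard port is 'critical'; otherwise 'high'.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in C2_IPS:
            continue
        prio = "critical" if rec["dport"] in C2_PORTS else "high"
        hits.append((prio, rec))
    return hits

# Constructed sample records (not real telemetry)
SAMPLE = [
    "src=10.0.0.5 dst=194.156.79.122 dport=55615 proc=redline.exe",
    "src=10.0.0.7 dst=185.17.40.98 dport=443 proc=chrome.exe",
    "src=10.0.0.9 dst=96.126.130.126 dport=443 proc=rundll32.exe",
    "src=10.0.0.2 dst=8.8.8.8 dport=53 proc=svchost.exe",
]

if __name__ == "__main__":
    for prio, rec in triage(SAMPLE):
        print(prio, rec["dst"], rec["dport"], rec["proc"])
```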
Detection Engineering
```yaml
title: Potential Bumblebee Loader via SEO Poisoning
id: 1b9aa401-457d-4a05-8bcf-19cbf19a7028
status: experimental
description: Detects potential Bumblebee execution initiated via trojanized IT management tools often distributed via SEO poisoning.
references:
  - https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/
author: Security Arsenal
date: 2026/07/02
tags:
  - attack.initial_access
  - attack.t1189
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\ManageEngine_OpManager.exe'
      - '\opmanager.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\rundll32.exe'
  condition: selection
falsepositives:
  - Legitimate administration tasks
level: high
---
title: RedLine Stealer C2 Network Activity
id: f352cec8-9a56-e23d-ae20-cdd62df4d40b
status: experimental
description: Detects network connections to known RedLine Stealer C2 infrastructure observed in maritime targeting campaigns.
references:
  - https://www.vmray.com/the-redline-thread-that-led-to-a-maritime-bec-infrastructure-cluster/
author: Security Arsenal
date: 2026/07/02
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    # exact match; a 'contains' modifier would also hit e.g. 185.17.40.98
    DestinationIp:
      - '194.156.79.122'
      - '85.17.40.98'
      - '185.252.24.52'
    DestinationPort:
      - 55615
  condition: selection
falsepositives:
  - Unknown
level: critical
---
title: Ousaban Banking Trojan VBS Execution
id: d4eb4ff0-2df6-59fd-ee17-d36b77084627
status: experimental
description: Detects VBS scripts spawned by document readers performing network activity, indicative of Ousaban infection chains.
references:
  - https://www.fortinet.com/blog/threat-research/analysis-of-ongoing-ousaban-attacks-targeting-the-iberian-peninsula
author: Security Arsenal
date: 2026/07/02
tags:
  - attack.execution
  - attack.t1059.005
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\AcroRd32.exe'
      - '\chrome.exe'
      - '\msedge.exe'
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
    CommandLine|contains:
      - 'download'
      - 'http'
  condition: selection
falsepositives:
  - Legitimate macro usage
level: medium
```
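To sanity-check the selections above before deploying them, here is an added example (not from the briefing or any Sigma tooling) of a minimal evaluator that applies Sigma's semantics, case-insensitive matching, OR within a field's list and AND across fields, to constructed process_creation events. Note that the Ousaban selection fires on a command line containing only 'http', since the two `contains` values are OR'd.

```python
def _field_ok(value, modifier, patterns):
    """One field: OR over the list; modifier is endswith, contains or exact."""
    v = str(value or "").lower()          # Sigma string matching is case-insensitive
    for p in patterns:
        p = str(p).lower()
        if (modifier == "endswith" and v.endswith(p)) or \
           (modifier == "contains" and p in v) or \
           (modifier is None and v == p):
            return True
    return False

def match_selection(event, selection):
    """AND across the fields of one selection block."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        pats = patterns if isinstance(patterns, list) else [patterns]
        if not _field_ok(event.get(field), modifier or None, pats):
            return False
    return True

# Selections as in the rules above (parent image matched with endswith)
BUMBLEBEE = {"ParentImage|endswith": ["\\ManageEngine_OpManager.exe", "\\opmanager.exe"],
             "Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\rundll32.exe"]}
OUSABAN = {"ParentImage|endswith": ["\\AcroRd32.exe", "\\chrome.exe", "\\msedge.exe"],
           "Image|endswith": ["\\wscript.exe", "\\cscript.exe"],
           "CommandLine|contains": ["download", "http"]}

# Constructed events (not real telemetry); paths and names are illustrative
EVENTS = [
    {"ParentImage": "C:\\Temp\\OpManager.exe", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe stage.dll,Start"},
    {"ParentImage": "C:\\Program Files\\Adobe\\AcroRd32.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe invoice.vbs http://example.invalid/img.png"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

def run_rules(events):
    """Return (rule name, event index) for every selection that matches."""
    hits = []
    for i, ev in enumerate(events):
        for name, sel in (("Bumblebee", BUMBLEBEE), ("Ousaban", OUSABAN)):
            if match_selection(ev, sel):
                hits.append((name, i))
    return hits
```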
KQL (Microsoft Sentinel)
```kql
// Hunt for connections to known malicious IPs from this briefing
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("172.96.137.160", "194.156.79.122", "85.17.40.98", "185.252.24.52", "96.126.130.126", "45.207.216.55", "162.33.179.46", "91.92.240.140", "78.40.209.32")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl
| extend FullUrl = strcat(RemoteUrl, ":", RemotePort)
```
PowerShell Hunt Script
```powershell
<#
.SYNOPSIS
IOC Hunt for Bumblebee, RedLine, and Ousaban Indicators.
.DESCRIPTION
Checks active network connections and recent file creations against known IOCs.
Run from an elevated session so that every process and file is visible.
#>
# IP list aligned with the KQL query above (185.252.24.52 was missing here)
$MaliciousIPs = @(
    "172.96.137.160",
    "194.156.79.122",
    "85.17.40.98",
    "185.252.24.52",
    "96.126.130.126",
    "45.207.216.55",
    "162.33.179.46",
    "91.92.240.140",
    "78.40.209.32"
)
$MaliciousHashes = @(
    "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
    "00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c",
    "f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc",
    "d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3"
)

Write-Host "Checking for active network connections to malicious IPs..." -ForegroundColor Yellow
Get-NetTCPConnection -State Established |
    Where-Object { $MaliciousIPs -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Timestamp   = Get-Date
            RemoteIP    = $_.RemoteAddress
            RemotePort  = $_.RemotePort
            ProcessName = $proc.ProcessName
            PID         = $_.OwningProcess
        }
    }

Write-Host "Scanning for recent file creations matching malware hashes..." -ForegroundColor Yellow
# -File skips directories (which have no Length). A full-disk walk is slow;
# narrow -Path to user-writable locations (Downloads, %TEMP%, ProgramData) when hunting at scale.
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 -and $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        # -contains is case-insensitive, so Get-FileHash's uppercase hex matches the list
        if ($hash -and $MaliciousHashes -contains $hash.Hash) {
            Write-Host "MATCH FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }
```
Response Priorities
- Immediate: Block all listed IP addresses and domains at the firewall and proxy. Scan endpoints for the provided file hashes associated with Bumblebee, TaskWeaver, and Ousaban.
- 24h: Initiate credential resets for privileged IT admin accounts, specifically those who may have downloaded trojanized tools (ManageEngine, AngryIP). Review logs for access to SimpleHelp RMM (CVE-2026-48558).
- 1 week: Patch SimpleHelp RMM (CVE-2026-48558) and Langflow instances (CVE-2026-55255, CVE-2026-33017). Implement geofencing restrictions for sensitive banking tools if operating in the Iberian region.