Credential Harvesting & Ransomware Delivery: Bumblebee, RedLine, and Ousaban Campaigns — OTX Pulse Analysis

Security Arsenal Team
July 2, 2026

Recent OTX pulses indicate a converging threat landscape focused on credential theft as the precursor to ransomware deployment and financial fraud. Adversaries are leveraging diverse initial access vectors, including SEO poisoning (Bumblebee), RMM exploitation (TaskWeaver/Djinn), and targeted spear-phishing (RedLine/Ousaban).

The collective objective of these campaigns is twofold: 1) harvesting high-privileged credentials for lateral movement (Bumblebee/Akira) and 2) exfiltrating banking or corporate data for immediate monetization (RedLine, Ousaban). The emergence of Node.js loaders (TaskWeaver) and the exploitation of AI development tools (Langflow) highlight a shift toward targeting emerging technology stacks.

Threat Actor / Malware Profile

Bumblebee & Akira (Pulse 1)

  • Distribution: SEO poisoning of Bing search results for IT tools (e.g., ManageEngine OpManager). Users download trojanized installers.
  • Behavior: Bumblebee acts as a loader, granting initial access. It dumps credentials to facilitate lateral movement.
  • C2: Uses AdaptixC2 infrastructure.
  • Objective: Initial access leading to Akira Ransomware deployment.

RedLine Stealer Cluster (Pulse 2)

  • Distribution: Spear-phishing and Business Email Compromise (BEC) targeting the South Korean maritime sector.
  • Behavior: Info-stealer focusing on browser data, credentials, and cryptocurrency wallets. Pivots to infrastructure used by other malware families (Formbook, Metamorfo).
  • C2: Direct HTTP connections to specific IP infrastructure (e.g., 194.156.79.122:55615).

TaskWeaver & Djinn Stealer (Pulse 3)

  • Distribution: Exploitation of CVE-2026-48558 in SimpleHelp RMM software.
  • Behavior: TaskWeaver is a Node.js loader that executes encrypted code and deploys Djinn Stealer. Targets AI development environments.
  • Persistence: Abuses legitimate RMM tooling to maintain access.

Ousaban (Pulse 5)

  • Distribution: Phishing PDFs with geofencing checks (Spain/Portugal).
  • Behavior: VBS scripts download steganographic images that conceal the payload; the final stage is a banking trojan.
  • Objective: Theft of banking credentials from Iberian Peninsula victims.

IOC Analysis

The provided indicators encompass C2 infrastructure, delivery mechanisms, and payload artifacts.

  • IPv4 Addresses: Multiple C2 IPs (e.g., 172.96.137.160, 194.156.79.122, 96.126.130.126) should be blocked immediately at the perimeter.
  • Domains: Typosquatted or attacker-owned domains (e.g., angryipscanner.org, opmanager.pro) associated with SEO poisoning campaigns.
  • File Hashes: MD5, SHA1, and SHA256 hashes for trojanized installers (ManageEngine), Node.js loaders (TaskWeaver), and banking trojans (Ousaban).
  • Operationalization: SOC teams should ingest these hashes into EDR solutions for immediate scanning. Network analytics tools should monitor for connections to the listed IPs on non-standard ports (e.g., 55615, 8084).

Detection Engineering

```yaml
title: Potential Bumblebee Loader via SEO Poisoning
id: 1b9aa401-457d-4a05-8bcf-19cbf19a7028
status: experimental
description: Detects potential Bumblebee execution initiated via trojanized IT management tools often distributed via SEO poisoning.
references:
    - https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/
author: Security Arsenal
date: 2026/07/02
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\ManageEngine_OpManager.exe'
            - '\opmanager.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\rundll32.exe'
    condition: selection
falsepositives:
    - Legitimate administration tasks
level: high
---
title: RedLine Stealer C2 Network Activity
id: f352cec8-9a56-e23d-ae20-cdd62df4d40b
status: experimental
description: Detects network connections to known RedLine Stealer C2 infrastructure observed in maritime targeting campaigns.
references:
    - https://www.vmray.com/the-redline-thread-that-led-to-a-maritime-bec-infrastructure-cluster/
author: Security Arsenal
date: 2026/07/02
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        # Exact match on the address: a 'contains' test would also fire on any
        # longer address that merely starts with these octets.
        DestinationIp:
            - '194.156.79.122'
            - '85.17.40.98'
            - '185.252.24.52'
        DestinationPort:
            - 55615
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Ousaban Banking Trojan VBS Execution
id: d4eb4ff0-2df6-59fd-ee17-d36b77084627
status: experimental
description: Detects VBS scripts spawned by document readers performing network activity, indicative of Ousaban infection chains.
references:
    - https://www.fortinet.com/blog/threat-research/analysis-of-ongoing-ousaban-attacks-targeting-the-iberian-peninsula
author: Security Arsenal
date: 2026/07/02
tags:
    - attack.execution
    - attack.t1059.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # 'endswith' anchors on the executable name; 'contains' would also
        # match any path that merely has the name somewhere in it.
        ParentImage|endswith:
            - '\AcroRd32.exe'
            - '\chrome.exe'
            - '\msedge.exe'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        CommandLine|contains:
            - 'download'
            - 'http'
    condition: selection
falsepositives:
    - Legitimate macro usage
level: medium
```
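To see how the selections above behave against endpoint telemetry, the following is an added Python example (not part of the original briefing and not Sigma project code) that evaluates the three rules' selection maps, with Sigma's `endswith` and `contains` modifiers, over constructed Sysmon-style events. The events, file paths and shortened rule names are assumptions.

```python
# Added example, not from the briefing: minimal Sigma selection evaluator.

# Sigma string modifiers the rules use; comparisons are case-insensitive,
# which is how Sigma backends treat plain string values.
MODIFIERS = {
    "endswith": lambda v, p: v.lower().endswith(p.lower()),
    "contains": lambda v, p: p.lower() in v.lower(),
    "": lambda v, p: v.lower() == p.lower(),  # no modifier: exact match
}

def field_matches(event, key, patterns):
    """One selection entry ('Field|modifier': [values]); a list is an OR."""
    field, _, mod = key.partition("|")
    value = str(event.get(field, ""))
    return any(MODIFIERS[mod](value, str(p)) for p in patterns)

def selection_matches(event, selection):
    """Every entry of a selection map must hold (Sigma map = AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

# Selections transcribed from the three rules above (rule names shortened).
RULES = {
    "Bumblebee loader": {
        "ParentImage|endswith": ["\\ManageEngine_OpManager.exe", "\\opmanager.exe"],
        "Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\rundll32.exe"]},
    "RedLine C2": {
        # exact IP match: a substring test would also fire on 194.156.79.1220
        "DestinationIp": ["194.156.79.122", "85.17.40.98", "185.252.24.52"],
        "DestinationPort": [55615]},
    "Ousaban VBS": {
        "ParentImage|endswith": ["\\AcroRd32.exe", "\\chrome.exe", "\\msedge.exe"],
        "Image|endswith": ["\\wscript.exe", "\\cscript.exe"],
        "CommandLine|contains": ["download", "http"]},
}

def matching_rules(event):
    """Names of every rule whose selection holds for this event."""
    return [name for name, sel in RULES.items() if selection_matches(event, sel)]

# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Users\\it\\Downloads\\ManageEngine_OpManager.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"DestinationIp": "194.156.79.1220", "DestinationPort": 55615},  # near miss
    {"ParentImage": "C:\\Program Files\\Adobe\\Acrobat Reader\\AcroRd32.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\Public\\inv.vbs http://example.invalid/i.png"},
]
```

Calling `matching_rules(ev)` for each entry of `SAMPLE_EVENTS` returns the Bumblebee rule for the first event, nothing for the near-miss address, and the Ousaban rule for the third.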

KQL (Microsoft Sentinel)

```kql
// Hunt for connections to known malicious IPs from this briefing
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("172.96.137.160", "194.156.79.122", "85.17.40.98", "185.252.24.52", "96.126.130.126", "45.207.216.55", "162.33.179.46", "91.92.240.140", "78.40.209.32")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl
| extend FullUrl = strcat(RemoteUrl, ":", RemotePort)
```

PowerShell Hunt Script

```powershell
<#
.SYNOPSIS
    IOC Hunt for Bumblebee, RedLine, and Ousaban Indicators.
.DESCRIPTION
    Checks active network connections and recent file creations against known IOCs.
    Run elevated so that Get-NetTCPConnection and Get-FileHash can see every process and file.
#>

# C2 addresses from this briefing (the same set used by the KQL hunt above).
$MaliciousIPs = @(
    "172.96.137.160",
    "194.156.79.122",
    "85.17.40.98",
    "185.252.24.52",
    "96.126.130.126",
    "45.207.216.55",
    "162.33.179.46",
    "91.92.240.140",
    "78.40.209.32"
)

# SHA256 hashes from this briefing's IOC set.
$MaliciousHashes = @(
    "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
    "00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c",
    "f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc",
    "d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3"
)

Write-Host "Checking for active network connections to malicious IPs..." -ForegroundColor Yellow
Get-NetTCPConnection -State Established |
    Where-Object { $MaliciousIPs -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Timestamp   = Get-Date
            RemoteIP    = $_.RemoteAddress
            RemotePort  = $_.RemotePort
            ProcessName = $proc.ProcessName
            PID         = $_.OwningProcess
        }
    }

Write-Host "Scanning for recent file creations matching malware hashes..." -ForegroundColor Yellow
# -File skips directories, and only files written in the last 7 days are hashed,
# since hashing a whole volume is expensive. Narrow -Path to user profile and temp
# folders when a full-volume sweep is not practical.
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 -and $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        # Get-FileHash returns nothing for locked files; -contains is case-insensitive,
        # so the uppercase hex it produces still matches the lowercase list above.
        if ($hash -and $MaliciousHashes -contains $hash.Hash) {
            Write-Host "MATCH FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }
```

Response Priorities

  • Immediate: Block all listed IP addresses and domains at the firewall and proxy. Scan endpoints for the provided file hashes associated with Bumblebee, TaskWeaver, and Ousaban.
  • 24h: Initiate credential resets for privileged IT admin accounts, specifically those who may have downloaded trojanized tools (ManageEngine, AngryIP). Review logs for access to SimpleHelp RMM (CVE-2026-48558).
  • 1 week: Patch SimpleHelp RMM (CVE-2026-48558) and Langflow instances (CVE-2026-55255, CVE-2026-33017). Implement geofencing restrictions for sensitive banking tools if operating in the Iberian region.