T1003.003 NTDS
99%
“0.0.1\c$\programdata\ -include:"c:\windows\ntds\ntds.dit,c:\windows\system32\config\system,c:\windows\system32\config\security" -quiet For persistence and re-entry, the threat actor installed the RustDesk remote access tool on several h…”
T1486 Data Encrypted for Impact
99%
“same time, the threat actor installed FileZilla on a file server and exfiltrated data via SFTP to 185.174.100[.]203. They performed LSASS memory dumping on multiple workstations using rundll32.exe with comsvcs.dll using a combination of remote services and WMI. The threat …”
T1218.007 Msiexec
98%
“…ger site, we identified two additional websites that appear to be distributing trojanized installers for Axis camera tools and Angry IP Scanner. Refer to the IOC section for further details. Detection Engineering and Threat Hunting (DEATH) - Hunt for MSI installations from us…”
T1003.001 LSASS Memory
96%
“tasklist enumeration: cmd.exe /q /c for /f "tokens=1,2 delims= " %%a in ('"tasklist /fi "imagename eq lsass.exe" | find "lsass""') do rundll32.exe c:\windows\system32\comsvcs.dll, #+000024 %%b \windows\temp\*.* full - Detect LSASS dumps …”
T1486 Data Encrypted for Impact
92%
“dumped credentials, installed persistent remote access tools, and exfiltrated data using an SFTP client. The intrusion culminated in the deployment of Akira ransomware across the root domain. The threat actor returned two days later to repeat the process, encrypting systems withi…”
T1003.003 NTDS
89%
“credentials" - Monitor wbadmin abuse for ntds.dit / hive dumping: wbadmin start backup -backuptarget:\\127.0.0.1\c$\programdata\ -include:"c:\windows\ntds\ntds.dit,c:\windows\system32\config\system,c:\windows\system32\config\securi…”
T1003 OS Credential Dumping
88%
“dumped credentials, installed persistent remote access tools, and exfiltrated data using an SFTP client. The intrusion culminated in the deployment of Akira ransomware across the root domain. The threat actor returned two days later to repeat the process, encrypting systems withi…”
T1608.006 SEO Poisoning
86%
“From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira Overview Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported a…”
T1195.002 Compromise Software Supply Chain
81%
“- Private Sigma Ruleset: Features 170+ Sigma rules derived from 50+ cases, mapped to ATT&CK with test examples. - DFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactive labs are available with different difficult…”
T1003.003 NTDS
77%
“and software in both our intrusion and the one observed by Swisscom B2B CSIRT, the users executing the malware were highly privileged IT administrator accounts within Active Directory. This provided easy privileged access to the threat actors for their next actions. Approximately…”
T1080 Taint Shared Content
70%
“same time, the threat actor installed FileZilla on a file server and exfiltrated data via SFTP to 185.174.100[.]203. They performed LSASS memory dumping on multiple workstations using rundll32.exe with comsvcs.dll using a combination of remote services and WMI. The threat …”
T1572 Protocol Tunneling
67%
“followed by SSH tunneling activity from the same network segment Indicators of Compromise (IOCs) Domains: ev2sirbd269o5j.org (Bumblebee DGA domain) 2rxyt9urhq0bgj.org (Bumblebee DGA domain) DFIR Report: opmanager[.]pro (malicious site for trojanized installer) angr…”
T1482 Domain Trust Discovery
67%
“credentials" - Monitor wbadmin abuse for ntds.dit / hive dumping: wbadmin start backup -backuptarget:\\127.0.0.1\c$\programdata\ -include:"c:\windows\ntds\ntds.dit,c:\windows\system32\config\system,c:\windows\system32\config\securi…”
T1176.001 Browser Extensions
66%
“From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira Overview Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported a…”
T1136.002 Domain Account
59%
“and software in both our intrusion and the one observed by Swisscom B2B CSIRT, the users executing the malware were highly privileged IT administrator accounts within Active Directory. This provided easy privileged access to the threat actors for their next actions. Approximately…”
T1583.001 Domains
43%
“followed by SSH tunneling activity from the same network segment Indicators of Compromise (IOCs) Domains: ev2sirbd269o5j.org (Bumblebee DGA domain) 2rxyt9urhq0bgj.org (Bumblebee DGA domain) DFIR Report: opmanager[.]pro (malicious site for trojanized installer) angr…”
T1555.003 Credentials from Web Browsers
38%
“From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira Overview Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported a…”
Summary
Overview Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery mechanism. Recently in May of 2025 Cyjax reported on a campaign using this method again, impersonating various IT tools. We observed a similar campaign in […]