
4BID Hacktivist Ops, Needle Crypto-Stealer, & The Gentlemen Ransomware: OTX Pulse Analysis

Security Arsenal Team
June 14, 2026
7 min read

Excerpt: OTX pulses reveal active 4BID hacktivism via ProxyShell, Needle MaaS crypto-theft, and The Gentlemen ransomware targeting critical sectors.

Threat Summary

Recent OTX pulses indicate a convergence of politically motivated cyber-espionage, financially driven crypto-theft, and aggressive ransomware operations. The 4BID hacktivist collective is actively exploiting Microsoft Exchange vulnerabilities (ProxyShell) to deploy post-exploitation frameworks like Sliver and Havoc against critical infrastructure in Eastern Europe and the Middle East. Simultaneously, a modular Malware-as-a-Service (MaaS) platform named "Needle" is targeting cryptocurrency users via browser extension spoofers and Rust-based stealer agents. In the ransomware landscape, "The Gentlemen" operation has emerged as a high-volume threat utilizing SystemBC proxies and KillAV utilities to facilitate extortion. These campaigns highlight the commoditization of advanced tooling (Sliver, Havoc, RustyStealer) across diverse threat actor motivations.

Threat Actor / Malware Profile

4BID (Hacktivist)

  • Overview: A hacktivist group attributed to campaigns targeting Russia, Belarus, Kazakhstan, UAE, Syria, and Egypt. Affiliated with Hakerskii Kit and C.A.S.
  • Malware/Families: BlackReaperRAT, Warp RAT, Sliver, Havoc, Mythic Apollo, AdaptixC2, ValleyRAT.
  • Attack Vector: Exploits ProxyShell (Microsoft Exchange) to deploy fd.aspx web shells.
  • Behavior: Uses web shells for initial access, followed by the deployment of commercial/open-source post-exploitation frameworks (C2) for lateral movement and data exfiltration.

Needle (ThreatNeedle / RustyStealer)

  • Overview: A MaaS platform focused on cryptocurrency theft.
  • Malware/Families: ThreatNeedle (S0665), RustyStealer.
  • Attack Vector: Browser extension spoofers (MetaMask, Phantom, Trust Wallet) and fraudulent desktop applications (Impersonating Exodus, Trezor, Ledger).
  • Behavior: The Rust-based agent likely targets browser storage and clipboard data to intercept wallet credentials or replace transaction addresses. It utilizes modular C2 infrastructure.

The Gentlemen

  • Overview: A ransomware and extortion operation active since H2 2025, potentially linked to the Qilin ecosystem and Russian-speaking actor 'hastalamuerte'.
  • Malware/Families: The Gentlemen (Ransomware), SystemBC (Proxy), KillAV, PowerRun.
  • Attack Vector: Likely utilizes initial access brokers or phishing; leverages SystemBC for C2 traffic obfuscation and KillAV to disable security solutions.
  • Behavior: SystemBC acts as a SOCKS5 proxy to hide malicious traffic. KillAV terminates security processes. PowerRun is used to execute commands with elevated privileges (bypassing UAC).

IOC Analysis

The provided IOCs offer a mix of network and file-based indicators:

  • Network IOCs: The 4BID campaign provided 3 IPv4 addresses (e.g., 185.221.153.121, 45.112.194.82). These should be blocked immediately at perimeter firewalls and added to SIEM correlation rules.
  • File Hashes: A significant number of MD5, SHA1, and SHA256 hashes are provided across all three pulses (84 total for 4BID, 68 for The Gentlemen). These represent droppers, web shells, and payloads (RustyStealer, SystemBC).
  • CVEs: CVE-2023-44976 is explicitly referenced in the 4BID pulse, suggesting specific vulnerabilities in their tooling or targets.

Operational Guidance: SOC teams should ingest these hashes into EDR solutions for immediate scanning. The IP addresses should be added to threat intelligence feeds for automated blocking. The presence of fd.aspx on Exchange servers is a high-fidelity artifact for the 4BID campaign.
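The pulse hash list mixes MD5, SHA1 and SHA256 values, and feeds emit them in varying case, so they cannot be compared against a single hash column. As an added example (not code from the pulse or from Security Arsenal), the Python below buckets such a list by algorithm, rejects malformed entries, and matches the result against constructed EDR-style records; the hash and IP values are the ones quoted on this page, while the hostnames, sample events and the junk entry are constructed.

```python
import re
from ipaddress import ip_address

# Subset of the pulse hash list as quoted on this page, plus one upper-case copy
# and one junk entry (both constructed) to exercise normalisation and validation.
PULSE_HASHES = [
    "008cd423ca45134d3343f66cced1d104",                                  # MD5
    "0d681bd160db1b1df5db321a6d2dd9ae81b2609b",                          # SHA1
    "7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09",  # SHA256
    "408DD6ADE80F2EBBC2E5470A1FB506F1",                                  # MD5, upper-case variant
    "not-a-hash",                                                        # must be rejected
]
PULSE_IPS = ["185.221.153.121", "45.112.194.82", "138.226.236.52"]

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-f]+$")


def bucket_hashes(values):
    """Lower-case each value and group it by algorithm (inferred from length); drop non-hex junk."""
    buckets = {"md5": set(), "sha1": set(), "sha256": set()}
    for v in values:
        v = v.strip().lower()
        algo = ALGO_BY_LEN.get(len(v))
        if algo and HEX.match(v):
            buckets[algo].add(v)
    return buckets


def match_events(events, buckets, ips):
    """Return (host, reason) pairs for records whose file hash or remote IP is in the pulse."""
    ip_set = {str(ip_address(i)) for i in ips}  # ip_address() raises on malformed feed entries
    hits = []
    for ev in events:
        for algo, known in buckets.items():
            h = (ev.get(algo) or "").lower()
            if h in known:
                hits.append((ev["host"], f"{algo}:{h}"))
        if ev.get("remote_ip") in ip_set:
            hits.append((ev["host"], f"ip:{ev['remote_ip']}"))
    return hits


# Constructed EDR-style records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "srv01", "file": "svc.exe", "md5": "408dd6ade80f2ebbc2e5470a1fb506f1"},
    {"host": "ws07", "file": "update.exe", "sha1": "0D681BD160DB1B1DF5DB321A6D2DD9AE81B2609B"},
    {"host": "ws07", "remote_ip": "45.112.194.82", "remote_port": 443},
    {"host": "ws12", "file": "notepad.exe", "sha256": "ab" * 32},
]

if __name__ == "__main__":
    for host, reason in match_events(SAMPLE_EVENTS, bucket_hashes(PULSE_HASHES), PULSE_IPS):
        print(f"[!] {host}: {reason}")
```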

Detection Engineering

Sigma Rules

YAML
---
title: Potential Exchange ProxyShell Webshell Activity
id: 3a1b2c3d-4e5f-6789-0123-456789abcdef
description: Detects the creation of fd.aspx web shells often associated with ProxyShell exploitation and 4BID hacktivist campaigns.
status: experimental
date: 2026/06/14
author: Security Arsenal
logsource:
    # file_event maps to Sysmon Event ID 11 (FileCreate); the Windows Security log does not carry TargetFilename
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\inetpub\wwwroot\'
        TargetFilename|endswith: '\fd.aspx'
    condition: selection
falsepositives:
    - Legitimate administrative activity (rare for this specific filename)
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
    - cve.2021.34473
    - cve.2021.34523
    - cve.2021.31207
---
title: Suspicious Post-Exploitation Framework Execution
id: b4c5d6e7-f8a9-1011-1213-141516171819
description: Detects execution of known post-exploitation frameworks (Sliver, Havoc) used by 4BID and other threat actors.
status: experimental
date: 2026/06/14
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\sliver.exe'
            - '\havoc.exe'
            - '\client.exe'
            - '\implant.exe'
    selection_cli:
        CommandLine|contains:
            - 'generate http'
            - 'mtls'
            - 'smb '
            - 'http-proxy'
    condition: 1 of selection_*
falsepositives:
    - Legitimate security testing
    - Generic binary names (client.exe, implant.exe) and short command-line tokens (mtls, smb) used by unrelated software
level: high
tags:
    - attack.execution
    - attack.t1059
---
title: The Gentlemen Ransomware Support Tools
id: d8e9f0a1-2b3c-4d5e-6f7a-8b9c0d1e2f3a
description: Detects execution of SystemBC proxy and KillAV tools associated with The Gentlemen ransomware affiliates.
status: experimental
date: 2026/06/14
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_systembc:
        Image|contains: 'SystemBC'
        CommandLine|contains: '-host'
    selection_killav:
        Image|endswith:
            - '\taskkill.exe'
            - '\sc.exe'
        CommandLine|contains:
            - 'Defend'
            - 'MsMpEng'
            - 'Sophos'
            - 'MBAMService'
    condition: 1 of selection_*
falsepositives:
    - Administrator terminating AV manually (unlikely in bulk)
level: critical
tags:
    - attack.defense_evasion
    - attack.t1562.001
    - attack.command_and_control
    - attack.t1071.001
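Before deploying the second and third rules above it is worth checking exactly which events they fire on. The Python below is an added evaluator (not part of the page's rules and not a Sigma backend) that implements the endswith/contains modifiers and the '1 of selection_*' condition for those two rules and runs them over constructed process_creation events; the sample command lines, paths and the 203.0.113.10 address are constructed.

```python
# Hand-transcribed selections from the two process_creation rules on this page.
# Sigma string modifiers are case-insensitive; values within a field are OR-ed,
# fields within a selection are AND-ed.
RULES = {
    "Suspicious Post-Exploitation Framework Execution": {
        "selection_img": {"Image|endswith": ["\\sliver.exe", "\\havoc.exe", "\\client.exe", "\\implant.exe"]},
        "selection_cli": {"CommandLine|contains": ["generate http", "mtls", "smb ", "http-proxy"]},
    },
    "The Gentlemen Ransomware Support Tools": {
        "selection_systembc": {"Image|contains": ["SystemBC"], "CommandLine|contains": ["-host"]},
        "selection_killav": {
            "Image|endswith": ["\\taskkill.exe", "\\sc.exe"],
            "CommandLine|contains": ["Defend", "MsMpEng", "Sophos", "MBAMService"],
        },
    },
}


def _field_matches(event, key, values):
    """Evaluate one 'Field|modifier' entry against an event (any listed value may match)."""
    field, modifier = key.split("|")
    actual = str(event.get(field, "")).lower()
    for v in (x.lower() for x in values):
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
    return False


def selection_matches(event, selection):
    return all(_field_matches(event, k, vals) for k, vals in selection.items())


def evaluate(event):
    """Apply the '1 of selection_*' condition of each rule; return the titles that fire."""
    return [title for title, sels in RULES.items()
            if any(selection_matches(event, s) for s in sels.values())]


# Constructed process_creation events, not real telemetry.
SAMPLES = [
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc.exe stop WinDefend"},
    {"Image": r"C:\Users\a\Downloads\client.exe", "CommandLine": "client.exe --host 203.0.113.10"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc.exe query Spooler"},
    {"Image": r"C:\Tools\SystemBC.exe", "CommandLine": "SystemBC.exe -host 203.0.113.10 -port 4000"},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev["CommandLine"], "->", evaluate(ev) or "no match")
```

The second sample shows why the generic '\client.exe' suffix in selection_img is listed under false positives: any binary with that name fires the rule regardless of its command line.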

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for 4BID, Needle and The Gentlemen indicators (a sample of the pulse IPs and hashes)
let IPs = dynamic(["185.221.153.121", "45.112.194.82", "138.226.236.52"]);
let Hashes = dynamic([
    "008cd423ca45134d3343f66cced1d104", "038cab0c60c53cf12f048272014024c0", // 4BID
    "0d681bd160db1b1df5db321a6d2dd9ae81b2609b", // Needle
    "a88daa62751c212b7579a57f1f4ae8f8", "408dd6ade80f2ebbc2e5470a1fb506f1", "4200b46a93c6ab059e2b34ce200c4a5b" // The Gentlemen
]);
// Network connections to the listed C2 addresses
DeviceNetworkEvents
| where RemoteIP in (IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort
| union (
    // Executed binaries matching a listed hash (in~ compares case-insensitively, the list mixes MD5/SHA1/SHA256)
    DeviceProcessEvents
    | where SHA256 in~ (Hashes) or MD5 in~ (Hashes) or SHA1 in~ (Hashes)
    | project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
), (
    // Files written to disk matching a listed hash (droppers and web shells that never executed as a process)
    DeviceFileEvents
    | where SHA256 in~ (Hashes) or MD5 in~ (Hashes) or SHA1 in~ (Hashes)
    | project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
)

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunt for 4BID, Needle, and The Gentlemen campaigns.
.DESCRIPTION
    Scans the file system for the pulse's malware hashes and checks for webshell artifacts.
    The hash list mixes MD5, SHA1 and SHA256 values, so each candidate file is hashed with
    all three algorithms; Get-FileHash returns upper-case hex and -contains compares
    case-insensitively, so the lower-case list needs no normalisation.
#>

$TargetHashes = @(
    "008cd423ca45134d3343f66cced1d104", "038cab0c60c53cf12f048272014024c0", "06bed0a0906e52c764b3b7016d6a4428",
    "08c069f133ac27cbc02a0ed79e4e87ba", "0d681bd160db1b1df5db321a6d2dd9ae81b2609b",
    "a88daa62751c212b7579a57f1f4ae8f8", "c0979ec20b87084317d1bfa50405f7149c3b5c5f",
    "7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09", "408dd6ade80f2ebbc2e5470a1fb506f1",
    "e00293ce0eb534874efd615ae590cf6aa3858ba4", "4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71",
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235", "4200b46a93c6ab059e2b34ce200c4a5b"
)
$Algorithms = @("MD5", "SHA1", "SHA256")

Write-Host "[+] Starting IOC Scan..." -ForegroundColor Cyan

# Check for Webshell artifacts in IIS directories
$IISPaths = @("C:\inetpub\wwwroot", "C:\inetpub\temp\appPool")
foreach ($Path in $IISPaths) {
    if (Test-Path $Path) {
        Write-Host "[+] Scanning $Path for fd.aspx webshells..." -ForegroundColor Yellow
        Get-ChildItem -Path $Path -Recurse -Filter "fd.aspx" -ErrorAction SilentlyContinue |
            Select-Object FullName, CreationTime, LastWriteTime
    }
}

# Scan common malware drop locations for hashes
$Drives = @("C:\", "D:\")
$Extensions = @("*.exe", "*.dll", "*.aspx", "*.ps1")

Write-Host "[+] Scanning for file hashes (this may take time)..." -ForegroundColor Yellow

foreach ($Drive in $Drives) {
    if (-not (Test-Path $Drive)) { continue }
    # -Include with -Recurse walks the drive once for all extensions instead of once per extension
    Get-ChildItem -Path $Drive -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($Algo in $Algorithms) {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm $Algo -ErrorAction SilentlyContinue).Hash
            if ($Hash -and ($TargetHashes -contains $Hash)) {
                Write-Host "[!] MALWARE FOUND: $($_.FullName) ($($Algo): $Hash)" -ForegroundColor Red
            }
        }
    }
}

# Check for SystemBC/KillAV related processes (The Gentlemen)
Write-Host "[+] Checking for active malicious processes..." -ForegroundColor Yellow
$MaliciousProcesses = @("SystemBC", "KillAV", "PowerRun")
Get-Process | Where-Object { $MaliciousProcesses -contains $_.ProcessName } | Select-Object ProcessName, Id, Path

Write-Host "[+] Scan Complete." -ForegroundColor Green

Response Priorities

  • Immediate:
    • Block the 4BID C2 IP addresses (185.221.153.121, 45.112.194.82, 138.226.236.52) at the perimeter.
    • Scan all Exchange servers for fd.aspx files and signs of ProxyShell exploitation.
    • Isolate endpoints matching the provided file hashes (Needle/RustyStealer, SystemBC, The Gentlemen).
  • 24 Hours:
    • Conduct credential resets for accounts with access to the identified Exchange servers or systems where crypto-stealers (Needle) were detected.
    • Verify the integrity of cryptocurrency wallets and browser extensions on impacted user machines.
    • Hunt for persistence mechanisms associated with Sliver/Havoc (Scheduled Tasks, Services) and SystemBC.
  • 1 Week:
    • Patch Microsoft Exchange servers against all ProxyShell related CVEs if not already completed.
    • Review RDP and external access logs to identify potential initial access vectors for The Gentlemen ransomware.
    • Implement application control (AppLocker) to block unsigned binaries and common ransomware tool paths.
