
Bumblebee Loader, The Gentlemen RaaS, and JINX-0164: OTX Pulse Analysis — Supply Chain & SEO Poisoning Wave

Security Arsenal Team
July 1, 2026
6 min read

Recent OTX Pulse data indicates a convergence of sophisticated initial access vectors targeting enterprise and cryptocurrency sectors. Three distinct campaigns are active as of early July 2026:

  1. SEO Poisoning & Ransomware (Bumblebee/Akira): Threat actors are exploiting search engine optimization (SEO) to distribute trojanized installers for legitimate IT tools (e.g., ManageEngine OpManager). This leads to Bumblebee loader infections, followed by AdaptixC2 deployment and ultimately Akira ransomware.

  2. The Gentlemen RaaS: A top-10 ransomware-as-a-service actor is utilizing vulnerabilities in internet-facing infrastructure (VPNs/Firewalls) to gain access. They employ extensive reconnaissance tools like SharpADWS and Advanced IP Scanner before deploying custom backdoors (AppleSeed, CoolClient) and utilizing GPOs for lateral movement.

  3. Dev Infrastructure Targeting (JINX-0164): A financially motivated actor is actively targeting cryptocurrency developers via LinkedIn social engineering and supply chain compromises (NPM trojans). They deliver custom macOS malware (AUDIOFIX, MINIRAT) to steal credentials and maintain persistence.

Collectively, these campaigns highlight a shift toward "trusted" vector abuse—poisoning search results for IT admin tools and recruiting platforms—to bypass standard email security filters.

Threat Actor / Malware Profile

| Actor / Malware | Distribution Method | Payload Behavior | C2 / Persistence | Anti-Analysis |
|---|---|---|---|---|
| Bumblebee (S1039) | SEO poisoning; trojanized IT installers (OpManager) | Loads subsequent payloads; credential dumping (LSASS); lateral movement | AdaptixC2 framework; scheduled tasks / Registry Run keys | Heavy obfuscation; process hollowing |
| Akira | Delivered via Bumblebee | Encrypts data; exfiltration; deletes shadow copies | HTTP/HTTPS C2 communication | Not stated in the pulse |
| The Gentlemen | Exploits vulns (VPN/firewall); initial access brokers | Reconnaissance (SharpADWS); GPO deployment; ransomware encryption | Custom C2 domains; MgBot; Cobalt Strike Beacons | Vulnerable drivers to disable EDR; netsh traffic capture |
| JINX-0164 | LinkedIn phishing; NPM supply chain; CI/CD hijacking | AUDIOFIX (Python infostealer); MINIRAT (Go backdoor) | C2 over non-standard ports; LaunchAgents (macOS) | Python bytecode compilation; memory-only execution where possible |

IOC Analysis

The Indicators of Compromise (IOCs) in the pulses span several infrastructure types and need a layered response:

  • Domains & Hostnames: Several indicators are typosquats or credible-sounding names built to fool users (e.g., opmanager.pro, login.teamicrosoft.com). SOC teams should prioritise these in DNS sinkholes and web-proxy block lists, matching the domain and its subdomains rather than a bare substring so that unrelated names that merely share the characters are not blocked.
    • Action: Block angryipscanner.org, opmanager.pro, driver-updater.net, live.ong, login.teamicrosoft.com, teams.live.us.org, rsat.activedirectory.ds-lds.tools.
  • IPv4 Addresses: 172.96.137.160 is associated with the Bumblebee C2 infrastructure and should be blocked at the perimeter. Match it exactly; a substring match also catches 172.96.137.16.
  • File Hashes: The pulses provide a mix of MD5, SHA1, and SHA256 hashes for the loaders and payloads (e.g., Bumblebee, SharkLoader).
    • Action: Load all hashes into EDR detection rules and run a retrospective hunt for execution history on endpoints. Because the list mixes algorithms, the hunt must hash each file with every algorithm present; a SHA256-only sweep silently ignores the MD5 and SHA1 entries.
  • URLs: Specific script URLs (e.g., /troubleshoot/mac/install.sh) indicate automated post-exploitation setup on macOS hosts.
    • Tooling: Pull the pulses through the OTX API (curl) or a threat intelligence platform (MISP, Anomali) so the IOCs flow into SIEM watchlists automatically instead of being transcribed by hand.

Detection Engineering

Sigma Rules

YAML
title: Potential Bumblebee C2 Infrastructure Connection
id: 4e8a9c1f-5a2b-4c8d-9e1f-1a2b3c4d5e6f
description: Detects network connections to the Bumblebee and AdaptixC2 infrastructure identified in the OTX pulses. The C2 IP is matched exactly and the delivery domains are matched on label boundaries (the domain itself or a subdomain of it).
status: experimental
date: 2026/07/02
author: Security Arsenal
logsource:
    category: network_connection
    product: windows
detection:
    selection_ip:
        # Exact match: '|contains' on an IP also fires on 172.96.137.16 and 1172.96.137.160
        DestinationIp: '172.96.137.160'
    selection_domain_exact:
        DestinationHostname:
            - 'angryipscanner.org'
            - 'opmanager.pro'
    selection_domain_sub:
        DestinationHostname|endswith:
            - '.angryipscanner.org'
            - '.opmanager.pro'
    condition: 1 of selection_*
falsepositives:
    - Unlikely; the IP is attributed to C2 and both domains are typosquats of legitimate tools
    - DestinationHostname is only populated when Sysmon DNS lookup is enabled, so the IP selection carries the rule on hosts without it
level: high

---

title: The Gentlemen Reconnaissance Tool Execution
id: 5f9b0d2e-6b3c-4d9e-0f2a-2b3c4d5e6f70
description: Detects execution of reconnaissance tooling associated with The Gentlemen ransomware group. Each tool has its own selection, so Advanced IP Scanner fires on its own and netsh fires only when it starts a packet capture.
status: experimental
date: 2026/07/02
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_ipscanner:
        Image|endswith:
            - '\AdvancedIPScanner.exe'
            - '\advanced_ip_scanner.exe'
    selection_netsh_capture:
        # 'netsh trace start capture=yes'; requiring all three terms keeps 'netsh wlan show profiles' out
        Image|endswith: '\netsh.exe'
        CommandLine|contains|all:
            - 'trace'
            - 'start'
            - 'capture'
    selection_script:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'SharpADWS'
            - 'NetScan'
    condition: 1 of selection_*
falsepositives:
    - Legitimate network administration by IT staff; baseline the accounts and hosts that run these tools
level: medium

---

title: JINX-0164 Typosquatting Domain Access
id: 6a0c1e3f-7c4d-5e0f-1a3b-3c4d5e6f7081
description: Detects DNS queries for the typosquatting domains used by JINX-0164 against cryptocurrency developers, matching the domain itself and any of its subdomains.
status: experimental
date: 2026/07/02
author: Security Arsenal
logsource:
    category: dns_query
    product: windows
detection:
    selection_exact:
        QueryName:
            - 'login.teamicrosoft.com'
            - 'teams.live.us.org'
            - 'driver-updater.net'
            - 'live.ong'
    selection_subdomain:
        # Leading dot so that 'alive.ong' does not match 'live.ong'
        QueryName|endswith:
            - '.login.teamicrosoft.com'
            - '.teams.live.us.org'
            - '.driver-updater.net'
            - '.live.ong'
    condition: 1 of selection_*
falsepositives:
    - Unlikely; the listed names are typosquats with no legitimate use
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for network connections to Bumblebee, The Gentlemen and JINX-0164 infrastructure (last 7 days)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP == "172.96.137.160"
    or RemoteUrl has_any (
        "angryipscanner.org", "opmanager.pro",
        "login.teamicrosoft.com", "teams.live.us.org",
        "driver-updater.net", "live.ong",
        "rsat.activedirectory.ds-lds.tools"
    )
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| extend AlertContext = pack_all()
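
The matching logic behind the Sigma and KQL rules above, run over constructed Sysmon-style events so the edge cases can be checked offline. This is an added example, not code from the original post: the indicators are the ones the post lists, but the event records are invented for the demonstration. It shows why the IP is matched exactly, why domains are matched on label boundaries rather than as substrings, and why the netsh selection needs all of its terms.

```python
"""Rule logic from the Sigma and KQL queries above, applied to constructed Sysmon-style events.

Added example, not code from the original post. The indicators are the ones the post lists;
the event records below are invented to exercise the matching rules and their edge cases.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

BUMBLEBEE_C2_IPS = {"172.96.137.160"}
BUMBLEBEE_DOMAINS = {"angryipscanner.org", "opmanager.pro"}
JINX_DOMAINS = {"login.teamicrosoft.com", "teams.live.us.org", "driver-updater.net", "live.ong"}
RECON_IMAGES = {"advancedipscanner.exe", "advanced_ip_scanner.exe"}
RECON_CMDLINE_TERMS = ("sharpadws", "netscan")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def domain_matches(hostname: str, iocs: Iterable[str]) -> str | None:
    """Return the matching IOC when hostname is that domain or one of its subdomains.

    Matching on label boundaries is what '|endswith' with a leading dot achieves in Sigma and
    what a bare substring test ('|contains') does not: 'cdn.live.ong' is a hit, while
    'alive.ong' and 'live.ong.example.net' are not.
    """
    host = hostname.rstrip(".").lower()
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


@dataclass
class Event:
    kind: str                         # 'network_connection' | 'dns_query' | 'process_creation'
    fields: dict[str, str] = field(default_factory=dict)


def classify(event: Event) -> list[str]:
    """Apply the rule logic to one event and return the titles of the rules that fire."""
    hits: list[str] = []
    f = event.fields
    if event.kind == "network_connection":
        # Exact match on the IP: a substring test would also flag 172.96.137.16 and 1172.96.137.160.
        ip_hit = f.get("DestinationIp") in BUMBLEBEE_C2_IPS
        host_hit = domain_matches(f.get("DestinationHostname", ""), BUMBLEBEE_DOMAINS)
        if ip_hit or host_hit:
            hits.append("Potential Bumblebee C2 Infrastructure Connection")
    elif event.kind == "dns_query":
        if domain_matches(f.get("QueryName", ""), JINX_DOMAINS):
            hits.append("JINX-0164 Typosquatting Domain Access")
    elif event.kind == "process_creation":
        image = f.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmd = f.get("CommandLine", "").lower()
        ip_scanner = image in RECON_IMAGES
        # netsh counts only when it starts a packet capture; 'netsh wlan show profiles' must not fire.
        netsh_capture = image == "netsh.exe" and all(t in cmd for t in ("trace", "start", "capture"))
        script = image in SHELLS and any(t in cmd for t in RECON_CMDLINE_TERMS)
        if ip_scanner or netsh_capture or script:
            hits.append("The Gentlemen Reconnaissance Tool Execution")
    return hits


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    Event("network_connection", {"DestinationIp": "172.96.137.160"}),              # 0: C2 IP, fires
    Event("network_connection", {"DestinationIp": "172.96.137.16"}),               # 1: near miss, silent
    Event("dns_query", {"QueryName": "cdn.driver-updater.net"}),                   # 2: subdomain, fires
    Event("dns_query", {"QueryName": "alive.ong"}),                                # 3: shares a suffix only, silent
    Event("process_creation", {"Image": "C:\\Tools\\advanced_ip_scanner.exe",
                               "CommandLine": "advanced_ip_scanner.exe"}),         # 4: fires
    Event("process_creation", {"Image": "C:\\Windows\\System32\\netsh.exe",
                               "CommandLine": "netsh trace start capture=yes"}),    # 5: fires
    Event("process_creation", {"Image": "C:\\Windows\\System32\\netsh.exe",
                               "CommandLine": "netsh wlan show profiles"}),        # 6: benign, silent
    Event("process_creation", {"Image": "C:\\Windows\\System32\\cmd.exe",
                               "CommandLine": "cmd /c SharpADWS.exe"}),            # 7: fires
]


def run(events: Iterable[Event] = SAMPLE_EVENTS) -> list[tuple[int, list[str]]]:
    """Return (event index, rules fired) for every event that triggered at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]


if __name__ == "__main__":
    for idx, rules in run():
        print(f"event {idx}: {', '.join(rules)}")
```

Events 0, 2, 4, 5 and 7 fire; 1, 3 and 6 stay silent. The same three decisions (exact IP, label-boundary domain, all-terms netsh) are what keep the Sigma rules from paging on a neighbouring address, an unrelated domain that shares a suffix, or routine netsh usage.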

PowerShell Hunt Script

PowerShell
# IOC Hunt for Bumblebee, The Gentlemen, and JINX-0164 Artifacts
# Run from an elevated PowerShell session so that ProgramData and the hosts file are readable.

# Hashes as published in the pulses. The list mixes MD5 (32 hex chars), SHA1 (40) and SHA256 (64),
# so each file must be hashed with every algorithm that appears in the list, not with SHA256 only.
$MaliciousHashes = @(
    "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
    "a746da514c90f26a187a294fda7edc1b",
    "bcee0ab10b23f5999bcdb56c0b4a631a",
    "9321a61a25c7961d9f36852ecaa86f55",
    "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b",
    "5af1dae21425dda8311a2044209c308525135e1733eeff5dd20649946c6e054c"
) | ForEach-Object { $_.ToLowerInvariant() }

# Group the hashes by the algorithm their length implies.
$AlgorithmByLength = @{ 32 = 'MD5'; 40 = 'SHA1'; 64 = 'SHA256' }
$HashesByAlgorithm = @{}
foreach ($h in $MaliciousHashes) {
    $algorithm = $AlgorithmByLength[$h.Length]
    if (-not $algorithm) { Write-Warning "Skipping hash of unexpected length: $h"; continue }
    if (-not $HashesByAlgorithm.ContainsKey($algorithm)) { $HashesByAlgorithm[$algorithm] = @() }
    $HashesByAlgorithm[$algorithm] += $h
}

$MaliciousDomains = @(
    "opmanager.pro",
    "angryipscanner.org",
    "login.teamicrosoft.com",
    "teams.live.us.org",
    "live.ong",
    "driver-updater.net",
    "rsat.activedirectory.ds-lds.tools"
)

Write-Host "[+] Checking DNS client cache for malicious domains..." -ForegroundColor Cyan
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $MaliciousDomains) {
    # Match the domain itself or a subdomain of it; "*$domain*" would also hit unrelated names such as alive.ong
    $hits = $DnsCache | Where-Object { $_.Entry -eq $domain -or $_.Entry -like "*.$domain" }
    foreach ($hit in $hits) {
        Write-Host "[!] Suspicious DNS cache entry: $($hit.Entry) -> $($hit.Data)" -ForegroundColor Red
    }
}

Write-Host "[+] Scanning common download directories for malicious file hashes..." -ForegroundColor Cyan
$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "C:\ProgramData", "C:\Users\Public")

foreach ($path in $Paths) {
    if (-not (Test-Path $path)) { continue }
    # -File keeps directories out of Get-FileHash, which cannot hash them
    Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        foreach ($algorithm in $HashesByAlgorithm.Keys) {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm $algorithm -ErrorAction SilentlyContinue).Hash
            if ($hash -and ($HashesByAlgorithm[$algorithm] -contains $hash.ToLowerInvariant())) {
                Write-Host "[!] Malicious file detected ($algorithm match): $($file.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking hosts file for hijacked domains..." -ForegroundColor Cyan
$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsFile) {
    # Escape the dots so the pattern matches the literal domain rather than any character in that position
    $pattern = ($MaliciousDomains | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Select-String -Path $HostsFile -Pattern $pattern | ForEach-Object {
        Write-Host "[!] Suspicious entry in hosts file: $($_.Line.Trim())" -ForegroundColor Red
    }
}


Response Priorities

  • Immediate:
    • Block all identified domains and IPs (172.96.137.160, opmanager.pro, login.teamicrosoft.com, etc.) at the firewall, DNS resolver and proxy.
    • Hunt for the file hashes in the IOC list across all endpoints, hashing with each algorithm the list contains (MD5, SHA1 and SHA256); an EDR lookup keyed on a single algorithm misses the rest.
  • 24 Hours:
    • Audit privileged accounts that may have been exposed on hosts where Bumblebee ran or where The Gentlemen's credential-dumping tooling was observed, and rotate credentials where exposure cannot be ruled out.
    • Verify the integrity of software downloads, specifically ManageEngine OpManager installers and NPM packages, by checking the vendor's code signature and comparing the file hash with the value the vendor publishes, not with the hash shown on the site that served the download.
  • 1 Week:
    • Patch internet-facing VPN and firewall appliances to close The Gentlemen's initial access vector, and review their logs for exploitation attempts that predate the patch.
    • Enforce allow-listing for IT management software installation and code-signing requirements for developer tools, so that an SEO-poisoned installer cannot execute even when it reaches a workstation.
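
The hash comparison in the 24-hour priorities, as an added example that is not the post's own code: Python checks for an installer against a vendor-published SHA256 and for an npm tarball against the Subresource Integrity string that package-lock.json records in its "integrity" field ("sha512-<base64 digest>"). The artifact bytes and the "vendor" digests are constructed for the demonstration; the SRI encoding is the only real-world format assumed. Both checks fail closed on malformed input and refuse an integrity string that names an algorithm weaker than the ones npm emits.

```python
"""Integrity checks for downloaded artifacts. Added example, not code from the original post.

The artifact bytes and the 'vendor' digests are constructed for the demonstration; the
SRI format ("sha512-<base64>") is what npm writes into package-lock.json.
"""
import base64
import binascii
import hashlib
import hmac

SRI_ALGORITHMS = {"sha256", "sha384", "sha512"}   # the algorithms SRI permits; md5/sha1 are rejected


def sri_for(data: bytes, algorithm: str = "sha512") -> str:
    """Build the SRI string for data, in the form npm stores in package-lock.json."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Return True when data matches the SRI string. Malformed or downgraded strings fail closed."""
    algorithm, sep, expected_b64 = integrity.partition("-")
    if not sep or algorithm not in SRI_ALGORITHMS:
        return False
    try:
        expected = base64.b64decode(expected_b64, validate=True)
    except (ValueError, binascii.Error):
        return False
    actual = hashlib.new(algorithm, data).digest()
    return hmac.compare_digest(actual, expected)       # constant-time; False on length mismatch


def verify_sha256(data: bytes, vendor_hex: str) -> bool:
    """Compare an installer with the hex SHA256 a vendor publishes for it."""
    vendor_hex = vendor_hex.strip().lower()
    if len(vendor_hex) != 64 or any(c not in "0123456789abcdef" for c in vendor_hex):
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), vendor_hex)


# Constructed artifacts: a 'genuine' installer, a tampered copy, and a package tarball.
GENUINE_INSTALLER = b"MZ...ManageEngine_OpManager_64bit.exe (constructed sample bytes)"
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x00trojanised-stub"
VENDOR_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()   # stands in for the vendor-published value

PACKAGE_TARBALL = b"\x1f\x8b constructed npm tarball bytes"
LOCKFILE_INTEGRITY = sri_for(PACKAGE_TARBALL)                   # what package-lock.json would record


def audit() -> dict[str, bool]:
    """Run every check and report which artifacts pass; only the untouched ones should."""
    downgraded = "md5-" + base64.b64encode(hashlib.md5(PACKAGE_TARBALL).digest()).decode("ascii")
    return {
        "genuine installer": verify_sha256(GENUINE_INSTALLER, VENDOR_SHA256),
        "tampered installer": verify_sha256(TAMPERED_INSTALLER, VENDOR_SHA256),
        "package matches lockfile": verify_sri(PACKAGE_TARBALL, LOCKFILE_INTEGRITY),
        "package swapped": verify_sri(PACKAGE_TARBALL + b"!", LOCKFILE_INTEGRITY),
        "lockfile downgraded to md5": verify_sri(PACKAGE_TARBALL, downgraded),
    }


if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The comparison only has value when the reference digest comes from somewhere the attacker does not control: the vendor's own site or a lockfile committed before the suspect package arrived. A hash copied from the SEO-poisoned download page will of course match the trojanised file it sits next to.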
