Recent OTX Pulse data indicates a convergence of sophisticated initial access vectors targeting enterprise and cryptocurrency sectors. Three distinct campaigns are active as of early July 2026:
- SEO Poisoning & Ransomware (Bumblebee/Akira): Threat actors are exploiting search engine optimization (SEO) to distribute trojanized installers for legitimate IT tools (e.g., ManageEngine OpManager). This leads to Bumblebee loader infections, followed by AdaptixC2 deployment and ultimately Akira ransomware.
- The Gentlemen RaaS: A top-10 ransomware-as-a-service actor is utilizing vulnerabilities in internet-facing infrastructure (VPNs/Firewalls) to gain access. They employ extensive reconnaissance tools like SharpADWS and Advanced IP Scanner before deploying custom backdoors (AppleSeed, CoolClient) and utilizing GPOs for lateral movement.
- Dev Infrastructure Targeting (JINX-0164): A financially motivated actor is actively targeting cryptocurrency developers via LinkedIn social engineering and supply chain compromises (NPM trojans). They deliver custom macOS malware (AUDIOFIX, MINIRAT) to steal credentials and maintain persistence.
Collectively, these campaigns highlight a shift toward "trusted" vector abuse—poisoning search results for IT admin tools and recruiting platforms—to bypass standard email security filters.
Threat Actor / Malware Profile
| Actor / Malware | Distribution Method | Payload Behavior | C2 / Persistence | Anti-Analysis |
|---|---|---|---|---|
| Bumblebee (S1039) | SEO Poisoning; Trojanized IT installers (OpManager) | Loads subsequent payloads; credential dumping (LSASS); lateral movement | AdaptixC2 framework; Scheduled Tasks/Registry Run keys | Heavy obfuscation; process hollowing |
| Akira | Delivered via Bumblebee | Encrypts data; exfiltration; deletes shadow copies | HTTP/HTTPS C2 communication | |
| The Gentlemen | Exploits vulns (VPN/Firewall); Initial Access Brokers | Reconnaissance (SharpADWS); GPO deployment; Ransomware encryption | Custom C2 domains; MgBot; Cobalt Strike Beacons | Uses vulnerable drivers to disable EDR; Netsh traffic capture |
| JINX-0164 | LinkedIn Phishing; NPM Supply Chain; CI/CD Hijacking | AUDIOFIX (Python Infostealer); MINIRAT (Go Backdoor) | C2 over non-standard ports; LaunchAgents (macOS) | Python bytecode compilation; memory-only execution where possible |
IOC Analysis
The provided Indicators of Compromise (IOCs) span multiple infrastructure types, requiring a layered defensive approach:
- Domains & Hostnames: Several indicators utilize typosquatting or highly credible-sounding names to trick users (e.g., `opmanager.pro`, `login.teamicrosoft.com`). SOC teams must prioritize these in DNS sinkholes and web proxy block lists.
  - Action: Block `angryipscanner.org`, `opmanager.pro`, `driver-updater.net`, `live.ong`, `login.teamicrosoft.com`, `rsat.activedirectory.ds-lds.tools`.
- IPv4 Addresses: `172.96.137.160` is associated with the Bumblebee C2 infrastructure. These should be blocked at the perimeter.
- File Hashes: A mix of MD5, SHA1, and SHA256 hashes are provided for the loaders and payloads (e.g., Bumblebee, SharkLoader).
  - Action: Upload all hashes to EDR detection rules and initiate a retrospective hunt for execution history on endpoints.
- URLs: Specific script URLs (e.g., `/troubleshoot/mac/install.sh`) indicate automated post-exploitation setup.
  - Tooling: Use `curl` or specific threat intelligence platforms (MISP, Anomali) to automate the ingestion of these IOCs into SIEM alerts.
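The indicators above are only as good as the matching logic that consumes them: a bare substring test on `live.ong` also fires on hostnames such as `alive.ongoing-updates.net`, and a hash list that mixes MD5 and SHA256 values has to be compared with the right algorithm per value. The following Python is an added example, not part of the original post: it matches the page's domain and IP indicators on label boundaries against constructed sample connection records (the record format and sample lines are assumptions) and classifies hash indicators by length.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Domain and IP indicators quoted in the IOC Analysis section above.
MALICIOUS_DOMAINS = {
    "angryipscanner.org", "opmanager.pro", "driver-updater.net",
    "live.ong", "login.teamicrosoft.com", "rsat.activedirectory.ds-lds.tools",
}
MALICIOUS_IPS = {ipaddress.ip_address("172.96.137.160")}
HASH_ALGORITHM_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

def classify_hash(value: str) -> Optional[str]:
    """Infer the algorithm from a hex digest's length so each IOC is compared to the right hash."""
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return None
    return HASH_ALGORITHM_BY_LENGTH.get(len(digest))

def domain_matches(observed: str, indicator: str) -> bool:
    """Exact or subdomain match on label boundaries; a bare substring test would over-match."""
    host = observed.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)

# Constructed sample records (not real telemetry): "timestamp device dest_host dest_ip".
SAMPLE_LOG = """\
2026-07-02T09:14:01Z ws-017 teams.live.ong 203.0.113.10
2026-07-02T09:14:05Z ws-017 alive.ongoing-updates.net 203.0.113.11
2026-07-02T09:15:22Z ws-042 opmanager.prod.example.com 203.0.113.12
2026-07-02T09:16:40Z ws-042 cdn.example.net 172.96.137.160
2026-07-02T09:17:03Z ws-009 login.teamicrosoft.com 203.0.113.13
"""

def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, indicator, field) for every indicator matched, in log order."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        _ts, _device, dest_host, dest_ip = line.split()
        for indicator in sorted(MALICIOUS_DOMAINS):
            if domain_matches(dest_host, indicator):
                hits.append((line_no, indicator, "dest_host"))
        try:
            if ipaddress.ip_address(dest_ip) in MALICIOUS_IPS:
                hits.append((line_no, dest_ip, "dest_ip"))
        except ValueError:
            pass  # field was not an IP literal; nothing to compare
    return hits
```

Records 2 and 3 are deliberately near-misses (`alive.ongoing-updates.net`, `opmanager.prod.example.com`) and produce no hit, which is the behaviour a `contains`-style rule would get wrong.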
Detection Engineering
Sigma Rules
```yaml
title: Potential Bumblebee C2 Infrastructure Connection
id: 4e8a9c1f-5a2b-4c8d-9e1f-1a2b3c4d5e6f
description: Detects network connections to known Bumblebee and AdaptixC2 infrastructure identified in OTX pulses.
status: experimental
date: 2026/07/02
author: Security Arsenal
logsource:
    category: network_connection
    product: windows
detection:
    selection_ip:
        # Exact match: a substring test on an IP would also match longer addresses
        DestinationIp: '172.96.137.160'
    selection_domain:
        # endswith matches the domain and its subdomains without matching unrelated hostnames
        DestinationHostname|endswith:
            - 'angryipscanner.org'
            - 'opmanager.pro'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
---
title: The Gentlemen Reconnaissance Tool Execution
id: 5f9b0d2e-6b3c-4d9e-0f2a-2b3c4d5e6f70
description: Detects execution of reconnaissance tools associated with The Gentlemen ransomware group.
status: experimental
date: 2026/07/02
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    # Advanced IP Scanner is suspicious on its own; netsh only together with trace/capture arguments,
    # so the two are separate selections rather than one selection that would AND the conditions.
    selection_ipscanner:
        Image|endswith:
            - '\AdvancedIPScanner.exe'
            - '\advanced_ip_scanner.exe'
    selection_netsh:
        Image|endswith: '\netsh.exe'
        CommandLine|contains:
            - 'trace start'
            - 'capture'
    selection_script:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'SharpADWS'
            - 'NetScan'
    condition: 1 of selection*
falsepositives:
    - Legitimate network administration by IT staff
level: medium
---
title: JINX-0164 Typosquatting Domain Access
id: 6g0c1e3f-7c4d-5e0f-1g3b-3c4d5e6f7081
description: Detects DNS queries for typosquatting domains used by JINX-0164 targeting crypto devs.
status: experimental
date: 2026/07/02
author: Security Arsenal
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith:
            - 'login.teamicrosoft.com'
            - 'teams.live.us.org'
            - 'driver-updater.net'
            - 'live.ong'
    condition: selection
falsepositives:
    - Unlikely
level: critical
```
KQL (Microsoft Sentinel)
```kusto
// Hunt for network connections to The Gentlemen and JINX-0164 infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
        "angryipscanner.org", "opmanager.pro",
        "login.teamicrosoft.com", "teams.live.us.org",
        "driver-updater.net", "live.ong",
        "rsat.activedirectory.ds-lds.tools"
    )
    or RemoteIP == "172.96.137.160"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend AlertContext = pack_all()
```
PowerShell Hunt Script
```powershell
# IOC Hunt for Bumblebee, The Gentlemen, and JINX-0164 Artifacts
# Requires Administrative Privileges

# The IOC list mixes MD5 (32 hex chars) and SHA256 (64 hex chars) values, so each file
# is hashed with every algorithm present in the list; hashing only with SHA256 would
# silently miss the MD5 indicators.
$MaliciousHashes = @(
    "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
    "a746da514c90f26a187a294fda7edc1b",
    "bcee0ab10b23f5999bcdb56c0b4a631a",
    "9321a61a25c7961d9f36852ecaa86f55",
    "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b",
    "5af1dae21425dda8311a2044209c308525135e1733eeff5dd20649946c6e054c"
) | ForEach-Object { $_.ToLowerInvariant() }

$HashAlgorithmByLength = @{ 32 = 'MD5'; 40 = 'SHA1'; 64 = 'SHA256' }
$AlgorithmsNeeded = $MaliciousHashes |
    ForEach-Object { $HashAlgorithmByLength[$_.Length] } |
    Sort-Object -Unique

$MaliciousDomains = @(
    "opmanager.pro",
    "angryipscanner.org",
    "login.teamicrosoft.com",
    "live.ong",
    "driver-updater.net"
)

Write-Host "[+] Checking DNS Cache for malicious domains..." -ForegroundColor Cyan
$DnsCache = Get-DnsClientCache
foreach ($domain in $MaliciousDomains) {
    # Report the cached entry itself so subdomains of the indicator are visible to the analyst
    $DnsCache | Where-Object { $_.Entry -like "*$domain*" } | ForEach-Object {
        Write-Host "[!] Suspicious DNS Entry found: $($_.Entry) -> $($_.Data)" -ForegroundColor Red
    }
}

Write-Host "[+] Scanning common download directories for malicious file hashes..." -ForegroundColor Cyan
$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "C:\ProgramData")
foreach ($path in $Paths) {
    if (-not (Test-Path $path)) { continue }
    # -File skips directories, which Get-FileHash cannot hash
    Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        foreach ($algorithm in $AlgorithmsNeeded) {
            $hash = (Get-FileHash -Path $file.FullName -Algorithm $algorithm -ErrorAction SilentlyContinue).Hash
            if ($hash -and ($MaliciousHashes -contains $hash.ToLowerInvariant())) {
                Write-Host "[!] Malicious file detected ($algorithm): $($file.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking Hosts file for hijacked domains..." -ForegroundColor Cyan
$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsFile) {
    # Escape the domains so their dots are matched literally rather than as regex wildcards
    $Pattern = ($MaliciousDomains | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Select-String -Path $HostsFile -Pattern $Pattern | ForEach-Object {
        Write-Host "[!] Suspicious entry in Hosts file: $($_.Line.Trim())" -ForegroundColor Red
    }
}
```
# Response Priorities
* **Immediate:**
  * Block all identified domains and IPs (`172.96.137.160`, `opmanager.pro`, `login.teamicrosoft.com`, etc.) at the firewall and proxy level.
  * Initiate a hunt for the specific file hashes provided in the IOC list across all endpoints.
* **24 Hours:**
  * Conduct credential audits for privileged accounts that may have been exposed to the Bumblebee loader or The Gentlemen credential dumping tools.
  * Verify the integrity of software downloads, specifically ManageEngine OpManager and NPM packages, by comparing hashes against vendor signatures.
* **1 Week:**
  * Review and patch internet-facing VPN and firewall vulnerabilities to mitigate The Gentlemen's initial access vector.
  * Implement strict allow-listing for IT management software installation and enforce code-signing requirements for developer tools.