Threat Summary
Recent OTX pulses indicate a surge in diverse delivery vectors targeting enterprise credentials and infrastructure. A sophisticated SEO poisoning campaign is trojanizing legitimate IT tools (e.g., ManageEngine OpManager) to deliver the Bumblebee loader, which facilitates AdaptixC2 communication and ultimately deploys Akira ransomware. Simultaneously, "The Gentlemen," a rising RaaS group, is exploiting internet-facing VPN and firewall vulnerabilities to deploy custom backdoors (SharkLoader, MgBot) alongside Cobalt Strike for widespread ransomware operations. Separately, the Ousaban banking trojan has re-emerged with geofencing capabilities, specifically targeting financial sectors in Spain and Portugal via phishing PDFs that drop VBS payloads and steganographic images.
Threat Actor / Malware Profile
Bumblebee & Akira (Pulse 1)
- Distribution: SEO poisoning of IT management keywords; trojanized installers of legitimate tools (e.g., OpManager).
- Behavior: Bumblebee acts as an initial access loader, utilizing AdaptixC2 for command and control. It performs credential dumping (likely via Mimikatz integration) to facilitate lateral movement.
- Objective: Deploy Akira ransomware to encrypt systems and extort payments.
The Gentlemen (Pulse 2)
- Distribution: Exploitation of vulnerabilities in VPNs and firewalls; collaboration with Initial Access Brokers (IABs).
- Behavior: Uses a "murder panoply" of tools including SharkLoader, ZiChatBot, and AppleSeed. Heavy reliance on reconnaissance tools like SharpADWS and Advanced IP Scanner. Employs vulnerable drivers to bypass security.
- Objective: Ransomware-as-a-Service operations targeting high-value industries (Manufacturing, Finance, Healthcare).
Ousaban (Pulse 3)
- Distribution: Phishing emails containing PDF attachments with embedded links; geofencing checks ensure targets are in Portugal or Spain.
- Behavior: Downloads VBS scripts that fetch steganographic images hiding malicious payloads. Focuses on banking credential theft and overlays.
- Objective: Financial theft via banking trojan (Metamorfo/Casbaneiro variants).
IOC Analysis
The provided IOCs span multiple critical infrastructure points:
- Network Infrastructure: IPv4 addresses (e.g.,
172.96.137.160,162.33.179.46) acting as C2 servers or distribution nodes. Domains likeopmanager.proare clear indicators of typo-squatting or fake technical support sites used in SEO poisoning. - File Artifacts: Numerous MD5, SHA1, and SHA256 hashes corresponding to malicious loaders (Bumblebee), tools (Cobalt Strike components), and phishing documents.
- Operationalization: SOC teams should immediately block the listed IPs and domains at perimeter firewalls and proxies. File hashes should be loaded into EDR detection rules to prevent execution. The domains
angryipscanner.organdopmanager.proshould be treated as high-fidelity alerts for administrative workstations.
Detection Engineering
Sigma Rules
---
title: Potential Trojanized Installer Execution - SEO Poisoning
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects execution of processes often spawned by trojanized installers mimicking IT tools, indicative of Bumblebee or similar loaders.
status: experimental
date: 2026/07/02
author: Security Arsenal
tags:
- attack.initial_access
- attack.t1189
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\setup.exe'
- '\install.exe'
- '\msiexec.exe'
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\regsvr32.exe'
CommandLine|contains:
- 'download'
- 'http://'
condition: selection
falsepositives:
- Legitimate software installations
level: high
---
title: Reconnaissance Tool Usage - The Gentlemen Tactics
id: b2c3d4e5-6789-01bc-def2-345678901234
description: Detects reconnaissance activity associated with The Gentlemen group using network scanners or AD enumeration tools.
status: experimental
date: 2026/07/02
author: Security Arsenal
tags:
- attack.discovery
- attack.t1018
logsource:
category: process_creation
product: windows
detection:
selection_tools:
Image|endswith:
- '\Advanced_IP_Scanner.exe'
- '\netsh.exe'
- '\nslookup.exe'
selection_netsh:
Image|endswith: '\netsh.exe'
CommandLine|contains: 'trace'
selection_sharpadws:
Image|contains: 'SharpADWS'
condition: 1 of selection*
falsepositives:
- System administration
level: medium
---
title: VBS Execution via PDF or Office - Ousaban Pattern
id: c3d4e5f6-7890-12cd-ef34-567890123456
description: Detects VBS scripts spawned by PDF readers or Office applications, a common pattern in Ousaban phishing campaigns.
status: experimental
date: 2026/07/02
author: Security Arsenal
tags:
- attack.initial_access
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\AcroRd32.exe'
- '\winword.exe'
- '\excel.exe'
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
condition: selection
falsepositives:
- Legitimate macro usage
level: high
KQL (Microsoft Sentinel)
// Hunt for network connections to known C2 IPs and suspicious domains
let IoC_IPs = pack_array("172.96.137.160", "162.33.179.46", "91.92.240.140", "78.40.209.32");
let IoC_Domains = pack_array("angryipscanner.org", "opmanager.pro", "rsat.activedirectory.ds-lds.tools");
DeviceNetworkEvents
| where RemoteIP in (IoC_IPs) or RemoteUrl has_any (IoC_Domains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| extend IoC_Type = iff(RemoteIP in (IoC_IPs), "IP_Address", "Domain")
PowerShell Hunt Script
# IOC Hunt Script for Bumblebee and Ousaban Activity
# Checks for network connections and file presence
$MaliciousIPs = @("172.96.137.160", "162.33.179.46", "91.92.240.140", "78.40.209.32")
$MaliciousHashes = @(
"a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
"d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3"
)
# Check Active Network Connections
Write-Host "Checking for active connections to malicious IPs..."
Get-NetTCPConnection -State Established | ForEach-Object {
$ip = $_.RemoteAddress
if ($MaliciousIPs -contains $ip) {
Write-Host "WARNING: Suspicious connection found to $ip (PID: $($_.OwningProcess))" -ForegroundColor Red
Get-Process -Id $_.OwningProcess | Select-Object ProcessName, Path
}
}
# Check Common Download Directories for Malicious Files
Write-Host "Scanning user downloads for malicious hashes..."
$Paths = @("C:\Users\*\Downloads", "C:\Windows\Temp")
foreach ($path in $Paths) {
if (Test-Path $path) {
Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
$hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
if ($MaliciousHashes -contains $hash) {
Write-Host "WARNING: Malicious file found at $($_.FullName)" -ForegroundColor Red
}
}
}
}
Response Priorities
- Immediate: Block all listed IP addresses and domains at the perimeter. Isolate any endpoints with confirmed matches on the file hashes.
- 24h: Conduct credential audits and force password resets for privileged accounts, particularly those with access to IT management tools (Bumblebee targets) and banking systems (Ousaban targets).
- 1 Week: Patch internet-facing VPNs and firewalls to mitigate "The Gentlemen" exploitation vectors. Implement application allowlisting for administrative tools to prevent trojanized installer execution.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.