Recent OTX pulses indicate a convergence of high-impact threat campaigns targeting enterprise infrastructure and financial sectors. The intelligence highlights three distinct operations:
- SEO Poisoning to Ransomware (Bumblebee/Akira): Threat actors are weaponizing search engine optimization (SEO) to distribute trojanized installers for legitimate IT management tools (e.g., ManageEngine OpManager). By compromising privileged administrators searching for these tools, actors facilitate rapid lateral movement and ransomware deployment via the Bumblebee loader and AdaptixC2.
- The Gentlemen RaaS Expansion: A top-10 RaaS actor, "The Gentlemen," is actively exploiting internet-facing devices (VPNs/Firewalls). Their TTPs involve extensive reconnaissance using tools like SharpADWS and Advanced IP Scanner, followed by deployment of custom loaders (SharkLoader) and backdoors (MgBot, AppleSeed) via Group Policy Objects (GPO).
- Regional Banking Theft (Ousaban): A resurgence of the Ousaban banking Trojan targets the Iberian Peninsula (Spain/Portugal) using geo-fencing. Attack chains utilize phishing PDFs that drop VBS scripts, which subsequently download steganographic payloads (malware hidden in images) to evade detection.
Threat Actor / Malware Profile
Bumblebee & Akira Ransomware
- Distribution Method: SEO Poisoning (Bing Search), Trojanized Installers (IT Admin Tools).
- Payload Behavior: Bumblebee loader grants initial access, performing credential dumping and facilitating lateral movement. It eventually delivers Akira ransomware.
- Persistence Mechanism: Exploits privileged context of IT admin tools; uses AdaptixC2 for command and control.
- C2 Communication: Utilizes AdaptixC2 infrastructure; known domains include opmanager.pro and angryipscanner.org.
The Gentlemen
- Distribution Method: Exploitation of vulnerabilities in internet-facing VPNs/Firewalls; Initial Access Broker (IAB) collaboration.
- Payload Behavior: Uses SharkLoader to drop diverse payloads including Cobalt Strike, ZiChatBot, MgBot, and CoolClient. Employs encryption tactics unique to their RaaS model.
- Persistence Mechanism: GPO deployment, vulnerable drivers to bypass security controls.
- C2 Communication: Custom protocols via MgBot and AppleSeed; extensive network traffic capture using netsh.
Ousaban (Metamorfo Variant)
- Distribution Method: Phishing emails with PDF attachments.
- Payload Behavior: VBS scripts perform environment checks (geo-fencing for ES/PT) and download steganographic images containing the malicious payload.
- Persistence Mechanism: Registry modifications (common in Metamorfo variants) and scheduled tasks.
- C2 Communication: Connects to specific IPv4 ranges (e.g., 162.33.179.46) to exfiltrate banking credentials.
IOC Analysis
The provided IOCs include a mix of network infrastructure and file artifacts:
- Domains (C2 & Fake Sites): opmanager.pro, angryipscanner.org. SOC teams should immediately block these domains at the proxy/DNS level and investigate any historical DNS resolution logs.
- IPv4 Addresses: 172.96.137.160, 162.33.179.46, 91.92.240.140. These represent C2 servers. Firewall logs should be queried for outbound connections to these IPs.
- File Hashes: A significant volume of MD5, SHA1, and SHA256 hashes are provided for the trojanized installers and malware payloads. EDR solutions should be configured to quarantine or alert on these specific hashes.
Operationalizing IOCs:
- Tooling: Use SIEM (e.g., Splunk, Sentinel) to correlate firewall logs (IPs) with endpoint process creation (Hashes).
- Decoding: VBS scripts identified in the Ousaban campaign should be extracted from sandbox environments and analyzed for embedded URLs or steganography logic.
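The correlation step described under "Operationalizing IOCs" (firewall and DNS hits joined with endpoint hash hits per host) can be sketched outside a SIEM. The script below is an added example, not part of the original brief or any vendor tooling: it parses constructed key=value log lines (the log format, hostnames and timestamps are assumptions made up for this example), matches them against the C2 IPs, fake-site domains and the two SHA256 hashes the brief lists, and escalates a host to "critical" when a known-bad binary and C2/fake-site contact are both seen on it, which is the isolate-now case from the response priorities.

```python
"""Added example: correlate firewall, DNS and process-creation log lines against
the brief's IOCs. Log format and sample hosts are constructed for this example."""
import re
from collections import defaultdict

# IOCs taken from the brief
C2_IPS = {"172.96.137.160", "162.33.179.46", "91.92.240.140"}
FAKE_DOMAINS = {"opmanager.pro", "angryipscanner.org"}
MALICIOUS_SHA256 = {
    "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
    "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b",
}

# Constructed sample lines in an assumed "<timestamp> key=value ..." format
SAMPLE_LOGS = [
    "2025-08-05T09:58:44Z host=ws-042 source=dns query=opmanager.pro type=A",
    r"2025-08-05T10:00:30Z host=ws-042 source=edr image=C:\Users\itadmin\Downloads\OpManager.exe "
    "sha256=a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
    "2025-08-05T10:01:02Z host=ws-042 source=fw src=10.0.5.21 dst=172.96.137.160 dport=443 action=allow",
    "2025-08-05T10:03:17Z host=ws-017 source=fw src=10.0.5.40 dst=162.33.179.46 dport=443 action=allow",
    "2025-08-05T10:04:00Z host=srv-db01 source=fw src=10.0.1.5 dst=10.0.0.5 dport=1433 action=allow",
    "2025-08-05T10:05:55Z host=ws-099 source=dns query=angryipscanner.org type=A",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split '<ts> k=v k=v' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def match_ioc(event):
    """Return (ioc_type, value) if the event touches a listed indicator, else None."""
    dst = event.get("dst")
    if dst in C2_IPS:
        return ("c2_ip", dst)
    query = event.get("query", "").lower().rstrip(".")
    if query in FAKE_DOMAINS or any(query.endswith("." + d) for d in FAKE_DOMAINS):
        return ("fake_domain", query)
    digest = event.get("sha256", "").lower()
    if digest in MALICIOUS_SHA256:
        return ("hash", digest)
    return None


def correlate(lines):
    """Group IOC hits per host and assign a severity for triage."""
    hits = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        matched = match_ioc(event)
        if matched:
            hits[event["host"]].append((event["ts"], *matched))

    findings = {}
    for host, events in hits.items():
        kinds = {kind for _, kind, _ in events}
        if "hash" in kinds and kinds & {"c2_ip", "fake_domain"}:
            severity = "critical"  # trojanized binary on disk plus network contact: isolate
        elif "c2_ip" in kinds:
            severity = "high"      # outbound contact with a C2 server
        else:
            severity = "medium"    # fake-site lookup only: check downloads folder
        findings[host] = {"severity": severity, "events": sorted(events)}
    return findings


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_LOGS).items():
        print(f"{host}: {finding['severity']}")
        for ts, kind, value in finding["events"]:
            print(f"    {ts} {kind}={value}")
```

The per-host grouping is the point: a single firewall hit on 172.96.137.160 is worth a ticket, but the same host having also run a file with a listed hash and resolved the fake vendor domain is the full SEO-poisoning chain and should go straight to isolation.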
Detection Engineering
Sigma Rules
---
title: Potential Bumblebee Loader via Trojanized IT Tool
id: 2e88f8c6-1b5d-4c9e-9b3a-1c4d5e6f7a8b
description: Detects execution of processes resembling known IT management tools spawning suspicious shells or scripts, a behavior observed in the Bumblebee SEO poisoning campaign.
status: experimental
date: 2026/07/02
author: Security Arsenal
references:
  - https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  # The parent must be matched on ParentImage; matching Image in both selections can never be true at once.
  selection_parent:
    ParentImage|endswith:
      - '\OpManager.exe'
      - '\ManageEngine.exe'
      - '\AngryIPScanner.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate administration tasks by IT staff
level: high
---
title: The Gentlemen Reconnaissance Activity
date: 2026/07/02
id: f7a8b6c5-4d3e-2a1b-9c8d-0e1f2a3b4c5d
description: Detects reconnaissance tools utilized by The Gentlemen group, including SharpADWS and Advanced IP Scanner.
status: experimental
author: Security Arsenal
references:
  - https://securelist.com/the-gentlemen-raas/120447/
tags:
  - attack.discovery
  - attack.t1018
  - attack.t1016
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|contains:
      - 'Advanced_IP_Scanner'
      - 'sharpadws'
      - 'netscan'
  selection_cli:
    CommandLine|contains:
      - 'netsh trace'
      - 'ldapsearch'
  condition: 1 of selection_*
falsepositives:
  - Authorized network administration
level: medium
---
title: Ousaban Banking Trojan Steganography Loader
date: 2026/07/02
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects wscript.exe or cscript.exe spawning PowerShell to download image files, a technique used by Ousaban to fetch steganographic payloads.
status: experimental
author: Security Arsenal
references:
  - https://www.fortinet.com/blog/threat-research/analysis-of-ongoing-ousaban-attacks-targeting-the-iberian-peninsula
tags:
  - attack.initial_access
  - attack.t1204.002
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  # Parent script host is matched on ParentImage so the AND condition is satisfiable on one event.
  selection_parent:
    ParentImage|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\curl.exe'
  selection_cmd:
    CommandLine|contains:
      - '.jpg'
      - '.png'
      - '.bmp'
      - 'Invoke-WebRequest'
      - 'DownloadFile'
  condition: selection_parent and selection_child and selection_cmd
falsepositives:
  - Rare legitimate script downloading images
level: high
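To check that the three rules above actually fire on the behaviour they describe before shipping them, the evaluator below replays their logic over constructed Sysmon-style process-creation events. It is an added example, not code from the original brief or from the Sigma project: it implements only the pieces these rules use (the endswith and contains modifiers, case-insensitive as in Sigma, "a and b" conditions and "1 of selection_*"), and the parent-process selections are expressed against the ParentImage field, which is what the rules need for a parent/child AND condition to be satisfiable on a single event. The sample events, paths and command lines are assumptions made up for the test; a real deployment would compile the rules with sigma-cli for the target backend instead.

```python
"""Added example: minimal evaluator for the page's three Sigma rules over
constructed process-creation events (Sysmon-style field names)."""

RULES = [
    {
        "title": "Potential Bumblebee Loader via Trojanized IT Tool",
        "level": "high",
        "detection": {
            "selection_parent": {"ParentImage|endswith": ["\\OpManager.exe", "\\ManageEngine.exe", "\\AngryIPScanner.exe"]},
            "selection_child": {"Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\wscript.exe", "\\cscript.exe"]},
            "condition": "selection_parent and selection_child",
        },
    },
    {
        "title": "The Gentlemen Reconnaissance Activity",
        "level": "medium",
        "detection": {
            "selection_img": {"Image|contains": ["Advanced_IP_Scanner", "sharpadws", "netscan"]},
            "selection_cli": {"CommandLine|contains": ["netsh trace", "ldapsearch"]},
            "condition": "1 of selection_*",
        },
    },
    {
        "title": "Ousaban Banking Trojan Steganography Loader",
        "level": "high",
        "detection": {
            "selection_parent": {"ParentImage|endswith": ["\\wscript.exe", "\\cscript.exe"]},
            "selection_child": {"Image|endswith": ["\\powershell.exe", "\\curl.exe"]},
            "selection_cmd": {"CommandLine|contains": [".jpg", ".png", ".bmp", "Invoke-WebRequest", "DownloadFile"]},
            "condition": "selection_parent and selection_child and selection_cmd",
        },
    },
]

# Constructed sample events; paths and command lines are assumptions for this example
SAMPLE_EVENTS = [
    {   # trojanized installer launching a shell (Bumblebee rule)
        "ParentImage": r"C:\Users\itadmin\Downloads\OpManager.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c set",
    },
    {   # recon tool matched on the image path alone (Gentlemen rule)
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Tools\Advanced_IP_Scanner\advanced_ip_scanner.exe",
        "CommandLine": "advanced_ip_scanner.exe",
    },
    {   # script host pulling an image file via PowerShell (Ousaban rule)
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -c Invoke-WebRequest http://example.invalid/a.png -OutFile C:\\Temp\\a.png",
    },
    {   # benign: PowerShell from Explorer with no recon or download strings
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell Get-Date",
    },
]


def field_matches(event, spec, values):
    """Apply one 'Field|modifier' spec; values under a key are OR-ed, compared case-insensitively."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        v = value.lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False


def selection_matches(event, selection):
    """All field specs inside one selection map are AND-ed (Sigma map semantics)."""
    return all(field_matches(event, spec, values) for spec, values in selection.items())


def rule_matches(event, rule):
    """Evaluate the rule's condition; supports 'a and b [and c]' and '1 of prefix*'."""
    detection = rule["detection"]
    results = {name: selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    condition = detection["condition"]
    if condition.startswith("1 of "):
        prefix = condition[len("1 of "):].rstrip("*")
        return any(hit for name, hit in results.items() if name.startswith(prefix))
    return all(results[name.strip()] for name in condition.split(" and "))


def evaluate(events, rules=RULES):
    """Return, per event, the titles of the rules it triggers."""
    return [[r["title"] for r in rules if rule_matches(ev, r)] for ev in events]


if __name__ == "__main__":
    for event, titles in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(event["Image"], "->", titles or "no match")
```

Running the benign fourth event through the evaluator is the useful part: it confirms the Ousaban rule needs all three selections, so ordinary PowerShell launched from Explorer does not page anyone, while the first three events each trip exactly one rule.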
KQL (Microsoft Sentinel)
// Hunt for The Gentlemen Recon and C2 IPs
let C2_IPs = dynamic(["172.96.137.160", "162.33.179.46", "91.92.240.140", "78.40.209.32"]);
let SuspiciousHashes = dynamic(["a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2", "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b"]);
// Network Connections to C2
DeviceNetworkEvents
| where RemoteIP in (C2_IPs)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| union (
    DeviceProcessEvents
    | where SHA256 in (SuspiciousHashes) or MD5 in (SuspiciousHashes)
    | project Timestamp, DeviceName, FileName, SHA256, ProcessCommandLine
)
| union (
    // Hunt for SharpADWS recon activity
    DeviceProcessEvents
    | where ProcessCommandLine contains "SharpADWS" or FileName contains "Advanced_IP_Scanner"
    | project Timestamp, DeviceName, FileName, ProcessCommandLine
)
PowerShell
<#
.SYNOPSIS
IOC Hunt Script for Bumblebee, The Gentlemen, and Ousaban Campaigns
.DESCRIPTION
Checks for file hashes, processes, network connections and DNS cache entries associated with the OTX pulses.
#>
$IOCs = @{
    Hashes = @(
        "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
        "a746da514c90f26a187a294fda7edc1b",
        "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b",
        "9321a61a25c7961d9f36852ecaa86f55",
        "d4eb4ff02df659fdeec17d36b77084627469623bb3c7d16383d257404b52d1c3"
    )
    IPs = @(
        "172.96.137.160",
        "162.33.179.46",
        "91.92.240.140",
        "78.40.209.32"
    )
    Domains = @(
        "opmanager.pro",
        "angryipscanner.org"
    )
}

Write-Host "[*] Scanning for malicious file hashes..."
$paths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")
foreach ($path in $paths) {
    # -File skips directories; the IOC list mixes MD5 and SHA256, so both are computed
    Get-ChildItem -Path $path -File -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Length -gt 0 } | ForEach-Object {
        foreach ($algo in @("SHA256", "MD5")) {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
            if ($hash -and ($IOCs.Hashes -contains $hash)) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) ($($algo): $hash)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[*] Checking active network connections for C2 IPs..."
# Escape the IPs so the dots are matched literally rather than as regex wildcards
$pattern = ($IOCs.IPs | ForEach-Object { [regex]::Escape($_) }) -join '|'
$netstat = netstat -ano | Select-String -Pattern $pattern
if ($netstat) {
    Write-Host "[!] SUSPICIOUS CONNECTION DETECTED:`n$netstat" -ForegroundColor Yellow
} else {
    Write-Host "[-] No active connections to known C2 IPs found."
}

Write-Host "[*] Checking DNS client cache for fake-site domains..."
$dnsHits = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $entry = $_.Entry
    ($IOCs.Domains | Where-Object { $entry -eq $_ -or $entry -like "*.$_" }).Count -gt 0
}
if ($dnsHits) {
    Write-Host "[!] FAKE-SITE DOMAIN RESOLVED ON THIS HOST:`n$($dnsHits.Entry -join "`n")" -ForegroundColor Yellow
}

Write-Host "[*] Checking for suspicious process execution (SharpADWS, Advanced IP Scanner)..."
$processes = @("SharpADWS", "Advanced_IP_Scanner", "mgbot", "appleseed")
foreach ($proc in $processes) {
    if (Get-Process -Name $proc -ErrorAction SilentlyContinue) {
        Write-Host "[!] SUSPICIOUS PROCESS RUNNING: $proc" -ForegroundColor Red
    }
}
Response Priorities
- Immediate:
  - Block all listed IOCs (IPs, Domains, Hashes) at perimeter defenses (Firewall, Proxy, EDR).
  - Isolate any endpoints identified as communicating with 172.96.137.160 (Bumblebee C2) or 162.33.179.46 (Ousaban C2).
  - Scan user downloads folders for the identified file hashes associated with trojanized installers.
- 24 Hours:
  - Initiate credential resets for privileged users who may have executed the trojanized IT management tools (Bumblebee/Akira vector).
  - Review logs for evidence of GPO modifications or mass reconnaissance activity indicative of "The Gentlemen".
  - Analyze email gateways for PDF attachments matching the Ousaban campaign patterns.
- 1 Week:
  - Patch and harden internet-facing VPN and Firewall appliances to prevent "The Gentlemen" initial access.
  - Conduct security awareness training focused on SEO poisoning and the risks of downloading administrative tools from non-vendor sources.
  - Implement application signing policies to prevent execution of unsigned trojanized software.