
Cisco Edge Exploitation & SystemBC C2: UAT-8616, Interlock, and The Gentlemen Campaign Analysis

Security Arsenal Team
May 18, 2026

Recent OTX pulses indicate a surge in exploitation targeting edge infrastructure, specifically Cisco Catalyst SD-WAN, Firepower Management Center (FMC), and Fortinet appliances. Three distinct threat clusters are leveraging these vulnerabilities: UAT-8616, the Interlock Ransomware Group, and The Gentlemen RaaS operation.

  • UAT-8616 is actively exploiting CVE-2026-20128 (authentication bypass) to deploy webshells (XenShell, Godzilla, Behinder) and crypto-miners (XMRig). Their objective appears to be immediate resource monetization and persistence.
  • Interlock Ransomware Group has weaponized a zero-day (CVE-2026-20131) in Cisco FMC, deploying custom toolkits like GHOSTSABER and PlasmaLoader to facilitate encryption and lateral movement.
  • The Gentlemen are utilizing initial access vectors involving Fortinet (CVE-2024-55591) and Cisco flaws, employing SystemBC for proxying/C2 and NTLM relay attacks for credential theft following a recent database leak.

Collectively, these campaigns highlight a critical shift toward bypassing edge perimeter controls to establish C2 channels directly within network cores.

Threat Actor / Malware Profile

Adversary: UAT-8616

  • Malware/Families: XenShell, Godzilla, Behinder (Webshells); XMRig (Cryptominer); Sliver (C2 Framework).
  • Distribution: Exploits CVE-2026-20128 on Cisco Catalyst SD-WAN Manager to gain admin privileges.
  • Payload Behavior: Drops JSP/ASPX webshells for persistent web access. Deploys XMRig to hijack CPU resources.
  • C2 Communication: Uses Sliver and AdaptixC2; gsocket for tunneling.

Adversary: Interlock Ransomware Group

  • Malware/Families: GHOSTKNIFE, GHOSTSABER, GHOSTBLADE, PlasmaLoader, PLASMAGRID.
  • Distribution: Exploits CVE-2026-20131 (Zero-day deserialization) in Cisco FMC.
  • Payload Behavior: PlasmaLoader acts as an initial dropper, executing the Ghost* suite for disabling defenses and encrypting files.
  • Persistence: Service creation and scheduled tasks.

Adversary: The Gentlemen

  • Malware/Families: The Gentlemen RaaS, SystemBC (Proxy/C2).
  • Distribution: Leverages CVE-2024-55591 (Fortinet) and CVE-2025-32433 (Cisco). Initial access confirmed via leaked internal databases.
  • Payload Behavior: SystemBC creates a SOCKS5 proxy for traffic tunneling, obscuring the attacker's origin. NTLM relay is then used to escalate to domain-wide control.
  • C2 Communication: SystemBC uses HTTP/S for C2 check-in, often blending in with legitimate traffic.

IOC Analysis

The provided IOCs include:

  • File Hashes: SHA256, MD5, and SHA1 hashes for webshells (Godzilla/XenShell), loaders (SystemBC), and ransomware components.
  • CVE Identifiers: Critical focus on CVE-2026-20128, CVE-2026-20131, CVE-2024-55591, and CVE-2025-32433.
  • Network IP: 176.65.139.31 observed in UAT-8616 operations.

Operationalization:

  • SOC Teams: Immediately block IP 176.65.139.31 on perimeter firewalls.
  • EDR: Add the listed file hashes (e.g., d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa) to custom indicator blocklists.
  • Vulnerability Management: Prioritize patching for the CVEs listed, with the Cisco SD-WAN and FMC flaws first.

Detection Engineering

The following Sigma rules target the specific behaviors of webshell creation (Godzilla/XenShell), SystemBC proxy activity, and crypto-mining execution associated with these campaigns.

```yaml
title: Potential Webshell Creation - Godzilla and XenShell
id: 55c8c44c-3b4f-4e5d-9f1a-4a3b7c1d2e3f
description: Detects the creation of files with names or extensions associated with Godzilla and XenShell webshells, often dropped after exploitation.
status: experimental
date: 2026/05/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_create
detection:
    selection:
        # Any one of the listed substrings is enough (OR within the list)
        TargetFilename|contains:
            - 'shell.aspx'
            - 'xen.jsp'
            - 'behinder.jsp'
            - 'godzilla.jsp'
            - 'debug.aspx'
    condition: selection
falsepositives:
    - Legitimate admin uploads (rare)
level: high
---
title: SystemBC Proxy Execution
id: 88a9d55e-5c6a-4f8b-b2c5-7d8e9f0a1b2c
description: Detects execution patterns associated with SystemBC proxy malware, often used by The Gentlemen group.
status: experimental
date: 2026/05/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\systembc.exe'
            - '\svchost.exe'
    selection_cli:
        CommandLine|contains:
            - '-connect'
            - '-proxy'
            - 'socks5'
    # Both groups must match: an image hit alone (e.g. a normal svchost.exe) does not fire
    condition: all of selection_*
falsepositives:
    - Legitimate proxy tools
level: high
---
title: UAT-8616 XMRig Cryptominer Execution
id: 11223344-5566-7788-99aa-bbccddeeff00
description: Detects the execution of XMRig or generic high-CPU mining processes often deployed by UAT-8616 after webshell access.
status: experimental
date: 2026/05/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.impact
    - attack.t1496
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Two fields in one selection map are ANDed: image name AND miner-style arguments
        Image|endswith:
            - '\xmrig.exe'
            - '\core.exe'
        CommandLine|contains:
            - '--donate-level'
            - '--url'
    condition: selection
falsepositives:
    - Authorized mining operations
level: critical
```
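To make the condition semantics of the three rules above concrete (values in a list are ORed, fields within one selection are ANDed, and `all of selection_*` ANDs the groups), here is an added Python evaluator that applies the same logic to constructed events. It is not the post's code; the events and the 203.0.113.10 address are constructed, and the field names are the Sysmon/Sigma ones the rules use.

```python
# Minimal evaluator for the three Sigma rules above (added example; events are constructed).

def _match_field(event, spec, values):
    """One 'Field|modifier: [values]' line: OR across the listed values."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in (x.lower() for x in values):
        if modifier == "contains" and v in actual:
            return True
        if modifier == "endswith" and actual.endswith(v):
            return True
    return False

def _match_selection(event, selection):
    """A selection map ANDs its field lines together."""
    return all(_match_field(event, spec, vals) for spec, vals in selection.items())

WEBSHELL = {"TargetFilename|contains": ["shell.aspx", "xen.jsp", "behinder.jsp",
                                        "godzilla.jsp", "debug.aspx"]}
SYSTEMBC = {  # two selections joined by 'all of selection_*'
    "selection_img": {"Image|endswith": ["\\systembc.exe", "\\svchost.exe"]},
    "selection_cli": {"CommandLine|contains": ["-connect", "-proxy", "socks5"]},
}
XMRIG = {"Image|endswith": ["\\xmrig.exe", "\\core.exe"],     # single selection,
         "CommandLine|contains": ["--donate-level", "--url"]}  # two fields => AND

RULES = {
    "webshell": lambda ev: _match_selection(ev, WEBSHELL),
    "systembc": lambda ev: all(_match_selection(ev, s) for s in SYSTEMBC.values()),
    "xmrig": lambda ev: _match_selection(ev, XMRIG),
}

def evaluate(events):
    """Return (event id, [rule names that fired]) for every event that fires a rule."""
    hits = []
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits.append((ev["id"], fired))
    return hits

# Constructed sample telemetry (not real data): 1, 3 and 4 fire; 2 and 5 do not.
SAMPLE_EVENTS = [
    {"id": 1, "TargetFilename": "C:\\inetpub\\wwwroot\\debug.aspx"},
    {"id": 2, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p"},
    {"id": 3, "Image": "C:\\Users\\Public\\svchost.exe", "CommandLine": "svchost.exe -connect 203.0.113.10 socks5"},
    {"id": 4, "Image": "C:\\ProgramData\\core.exe", "CommandLine": "core.exe --url pool.example:3333"},
    {"id": 5, "Image": "C:\\ProgramData\\core.exe", "CommandLine": "core.exe --help"},
]
```

Events 2 and 5 show why the AND semantics matter: a legitimate svchost.exe and a core.exe without miner arguments match only one half of their rule and stay silent.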


**KQL (Microsoft Sentinel)**
Hunt for network connections to the known IOCs and process creation events linked to the specific malware hashes.

```kql
// Each block below is a separate query; run them individually in Sentinel or Defender Advanced Hunting.

// Hunt for connections to the malicious IP 176.65.139.31
DeviceNetworkEvents
| where RemoteIP == "176.65.139.31"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, RemoteUrl

// Hunt for SystemBC or XMRig process execution (case-insensitive match on either name field)
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName in~ ("xmrig.exe", "SystemBC.exe") or
  FileName in~ ("xmrig.exe", "SystemBC.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, SHA256

// Correlate file hashes from Pulse 1 & 3
DeviceFileEvents
| where SHA256 in ("d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
                   "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
                   "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2") or
  MD5 in ("adf675ffc1acb357f2d9f1a94e016f52", "4200b46a93c6ab059e2b34ce200c4a5b")
| project Timestamp, DeviceName, FolderPath, SHA256, MD5
```


**PowerShell Hunt Script**
A script to scan the filesystem for the specific file hashes associated with XenShell, SystemBC, and The Gentlemen payloads.

```powershell
# IOC Hunter for UAT-8616 and The Gentlemen Campaigns
# Scans the C:\ drive for the SHA256 and MD5 hashes found in the OTX pulses.
# -contains is case-insensitive, so Get-FileHash's uppercase output matches the lowercase IOCs.

$TargetHashes = @(
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa", # Pulse 1 SHA256
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235", # Pulse 3 SHA256
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"  # Pulse 3 SHA256
)

$TargetMD5s = @(
    "adf675ffc1acb357f2d9f1a94e016f52", # Pulse 3 MD5
    "4200b46a93c6ab059e2b34ce200c4a5b"   # Pulse 3 MD5
)

Write-Host "[+] Starting IOC Scan for UAT-8616 / The Gentlemen..." -ForegroundColor Cyan

$DrivesToScan = @("C:\")
$Findings = @()

foreach ($Drive in $DrivesToScan) {
    Write-Host "[+] Scanning $Drive..." -ForegroundColor Yellow

    # -File enumerates files only (replaces the PSIsContainer filter); access-denied
    # errors on protected directories are suppressed instead of aborting the scan.
    # Both hashes are computed in one pass so the directory tree is walked once.
    Get-ChildItem -Path $Drive -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_

        # SHA256 check
        $Sha256 = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($Sha256 -and $TargetHashes -contains $Sha256) {
            Write-Host "[!] ALERT: Malicious SHA256 found: $($File.FullName)" -ForegroundColor Red
            $Findings += [pscustomobject]@{ Path = $File.FullName; Algorithm = 'SHA256'; Hash = $Sha256 }
        }

        # MD5 check
        $Md5 = (Get-FileHash -Path $File.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($Md5 -and $TargetMD5s -contains $Md5) {
            Write-Host "[!] ALERT: Malicious MD5 found: $($File.FullName)" -ForegroundColor Red
            $Findings += [pscustomobject]@{ Path = $File.FullName; Algorithm = 'MD5'; Hash = $Md5 }
        }
    }
}

Write-Host "[+] Scan Complete. $($Findings.Count) indicator match(es)." -ForegroundColor Green
$Findings   # emitted as objects so results can be piped, e.g. to Export-Csv
```

Response Priorities

  • Immediate:

    • Block IP 176.65.139.31 at the perimeter.
    • Isolate systems on which any of the file hashes listed above is found.
    • Apply vendor patches for CVE-2026-20128 (Cisco SD-WAN) and CVE-2026-20131 (Cisco FMC) immediately.
  • 24h:

    • Conduct credential resets for accounts accessible via the compromised edge appliances (Cisco/Fortinet).
    • Review logs for NTLM relay attacks and suspicious PowerShell execution (SystemBC indicators).
  • 1 Week:

    • Audit external-facing management interfaces (SD-WAN/FMC) and enforce MFA/ZTNA access.
    • Implement network segmentation to limit lateral movement from edge devices to the internal core.
