Cisco Edge Exploitation: UAT-8616, Interlock & The Gentlemen — Webshell & RaaS Tactics

Security Arsenal Team
May 20, 2026

Threat Summary

Recent OTX Pulse data indicates a converging wave of attacks targeting network edge infrastructure, specifically Cisco Catalyst SD-WAN and Fortinet appliances. Three distinct clusters—UAT-8616, the Interlock Ransomware Group, and The Gentlemen—are actively exploiting recent zero-days and high-severity CVEs (e.g., CVE-2026-20182, CVE-2026-20131, CVE-2024-55591) to gain initial access.

The collective attack chain involves bypassing authentication on edge devices to deploy webshells (Godzilla, Behinder, XenShell) and C2 frameworks (Sliver, AdaptixC2). UAT-8616 focuses on cryptojacking (XMRig) and persistence, while Interlock and The Gentlemen leverage the same access points for ransomware deployment (GhostSaber, staged via PlasmaLoader) and data exfiltration through SystemBC proxies.

Threat Actor / Malware Profile

Adversaries

  • UAT-8616: A sophisticated cluster exploiting CVE-2026-20182 (Auth Bypass) to drop webshells and Sliver implants. Objective appears to be infrastructure hijacking for crypto-mining.
  • Interlock Ransomware Group: Exploiting Cisco FMC zero-day CVE-2026-20131. Deploys GHOSTKNIFE/GHOSTSABER ransomware via PlasmaLoader.
  • The Gentlemen: A RaaS operator utilizing leaked credentials and NTLM relay attacks on edge appliances. Uses SystemBC for C2 traffic obfuscation.

Malware Families

  • Webshells (XenShell, Godzilla, Behinder): Java-based or JSP shells uploaded to compromised management interfaces. They allow remote code execution (RCE) directly on the device.
  • Sliver / AdaptixC2: Cross-platform implant frameworks used for post-exploitation, generating beaconing traffic to C2 servers (e.g., 176.65.139.31).
  • SystemBC: A proxy malware used by The Gentlemen to route malicious traffic through infected hosts, masking the destination C2 servers and facilitating data exfiltration.
  • XMRig: Coinminer deployed by UAT-8616 to hijack system resources for Monero mining.

IOC Analysis

The provided pulses contain 185 total indicators, primarily File Hashes (SHA256, MD5, SHA1) and CVE identifiers.

  • Network Indicators: The IP 176.65.139.31 is explicitly linked to UAT-8616's SD-WAN exploitation. SOC teams should treat connections to this IP as critical alerts.
  • File Hashes: High-confidence hashes are available for the webshell droppers and SystemBC binaries.
    • d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa (SHA256)
    • 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235 (SHA256)
  • Operationalization: Load the IP and CVE lists into SIEM correlation rules. Use YARA rules matching the provided file hashes to scan perimeter management servers and user workstations for SystemBC.

Detection Engineering

Sigma Rules

title: Potential Cisco SD-WAN CVE-2026-20182 Exploitation Webshell Activity
id: 4628c8a0-1b92-4c2a-8e4e-3d9f1a5b6c7d
description: Detects potential webshell activity or exploitation attempts associated with UAT-8616 targeting Cisco Catalyst SD-WAN via specific process execution patterns.
status: experimental
date: 2026/05/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6655a3c82a23c2d56a0b4f56
logsource:
    category: webserver
detection:
    selection_uri:
        c-uri|contains:
            - '/vpn/'
            - '/api/'
    selection_keywords:
        c-uri|contains:
            - 'exec'
            - 'cmd.exe'
            - 'bash'
            - 'jmxremote'
    condition: selection_uri and selection_keywords
falsepositives:
    - Legitimate administrative API usage
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.20182
    - apt.uat-8616
---
title: SystemBC Proxy C2 Traffic Detection
description: Detects network connections characteristic of SystemBC malware usage, often associated with The Gentlemen RaaS.
id: 8a7b6c5d-4e3f-2a1b-9c8d-0e1f2a3b4c5d
status: experimental
date: 2026/05/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6655a3c82a23c2d56a0b4f58
logsource:
    category: network_connection
    product: windows
detection:
    selection_process:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\svchost.exe'
    selection_connection:
        DestinationPort:
            - 80
            - 443
            - 8080
        Initiated: 'true'
    filter:
        # CIDR ranges need the cidr modifier; a plain string compare never matches an address
        DestinationIp|cidr:
            - '10.0.0.0/8'
            - '192.168.0.0/16'
            - '172.16.0.0/12'
    condition: selection_process and selection_connection and not filter
falsepositives:
    - Legitimate Windows Update traffic
    - Corporate proxy usage
level: high
tags:
    - attack.command_and_control
    - attack.t1071
    - malware.systembc
---
title: Sliver C2 Implant Execution - Linux
description: Detects execution of Sliver C2 implant often dropped by UAT-8616 on compromised edge appliances like Cisco SD-WAN.
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
date: 2026/05/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6655a3c82a23c2d56a0b4f56
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith:
            - '/java'
            - '/bash'
        Image|endswith:
            - '/tmp/sliver'
            - '/var/tmp/.s'
        CommandLine|contains:
            - '-connect'
            - '-http'
    condition: selection
falsepositives:
    - Rare (unlikely legitimate use of /tmp/sliver)
level: critical
tags:
    - attack.execution
    - attack.t1059
    - malware.sliver
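As an added example that is not part of the page's rule set, the following Python mirrors the logic of the SystemBC proxy rule above over constructed network_connection events. It uses the standard library's ipaddress module for the private-range filter, because the exclusion has to be an address-in-range test rather than a string compare against the CIDR text; the sample events and documentation-range addresses are constructed, not indicators from the pulses.

```python
import ipaddress

# Field values from the SystemBC rule above; Sigma string matching is case-insensitive,
# so images are compared in lower case.
SUSPECT_IMAGES = ("\\rundll32.exe", "\\regsvr32.exe", "\\svchost.exe")
PROXY_PORTS = {80, 443, 8080}
# The rule's filter lists RFC 1918 ranges; a literal compare of an address against the
# text "10.0.0.0/8" never matches, so the exclusion must be an address-in-network test.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def matches_systembc_rule(event: dict) -> bool:
    """selection_process and selection_connection and not filter."""
    process_hit = str(event.get("Image", "")).lower().endswith(SUSPECT_IMAGES)
    connection_hit = (event.get("DestinationPort") in PROXY_PORTS
                      and str(event.get("Initiated", "")).lower() == "true")
    return process_hit and connection_hit and not is_private(event["DestinationIp"])


def alerts(events):
    """Return the remote addresses of events the rule would flag, in input order."""
    return [e["DestinationIp"] for e in events if matches_systembc_rule(e)]


# Constructed sample telemetry (documentation-range addresses, not indicators from the pulses).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "203.0.113.10",
     "DestinationPort": 443, "Initiated": "true"},                      # fires
    {"Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "10.20.30.40",
     "DestinationPort": 443, "Initiated": "true"},                      # internal: filtered out
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "198.51.100.5",
     "DestinationPort": 445, "Initiated": "true"},                      # SMB port: not in list
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "198.51.100.5",
     "DestinationPort": 443, "Initiated": "true"},                      # browser: not a suspect image
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "198.51.100.5",
     "DestinationPort": 80, "Initiated": "false"},                      # inbound: Initiated is false
]

if __name__ == "__main__":
    for ip in alerts(SAMPLE_EVENTS):
        print(f"[!] SystemBC-like proxy traffic to {ip}")
```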

KQL (Microsoft Sentinel)

// Hunt for UAT-8616 and The Gentlemen IOCs
// 1. Network Connections to known malicious IP
DeviceNetworkEvents
| where RemoteIP == "176.65.139.31"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort
| extend RiskLevel = "Critical"

// 2. Process Creation with known Malicious Hashes
DeviceProcessEvents
| where SHA256 in (
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"
)
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, AccountName
| extend RiskLevel = "Critical"

// 3. Signs of SystemBC (Suspicious Rundll32 network activity)
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "rundll32.exe"
| where RemotePort in (80, 443, 8080)
| summarize Count = count() by DeviceName, InitiatingProcessCommandLine, RemoteIP
| where Count > 5

PowerShell Hunt Script

<#
.SYNOPSIS
    IOC Hunter for UAT-8616 and The Gentlemen Campaigns.
.DESCRIPTION
    Checks for the presence of specific file hashes and network connections.
#>

$MaliciousHashes = @(
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2",
    "ad2675ffc1acb357f2d9f1a94e016f52" # MD5 from Pulse 3
)

# Split the IOC list by algorithm: a 32-character MD5 can never equal a SHA256 digest,
# so comparing it against SHA256 output would silently never fire.
# Get-FileHash returns upper-case hex, hence the case-insensitive sets.
$Sha256Set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$Md5Set    = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($hash in $MaliciousHashes) {
    switch ($hash.Length) {
        64      { [void]$Sha256Set.Add($hash) }
        32      { [void]$Md5Set.Add($hash) }
        default { Write-Warning "Skipping IOC with unexpected length: $hash" }
    }
}

Write-Host "[+] Checking for malicious file hashes..."
# A recursive scan of C:\ is resource intensive: walk the tree once and hash each file once
# instead of re-scanning the disk for every IOC in the list.
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    ForEach-Object {
        $sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($sha256 -and $Sha256Set.Contains($sha256)) {
            Write-Host "[!] ALERT: Malicious file found (SHA256 match): $($_.FullName)" -ForegroundColor Red
        }
        if ($Md5Set.Count -gt 0) {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($md5 -and $Md5Set.Contains($md5)) {
                Write-Host "[!] ALERT: Malicious file found (MD5 match): $($_.FullName)" -ForegroundColor Red
            }
        }
    }

Write-Host "[+] Checking for active connections to C2 IP 176.65.139.31..."
# -SimpleMatch: without it the dots in the address are regex wildcards
$netStat = netstat -ano | Select-String -SimpleMatch "176.65.139.31"
if ($netStat) {
    Write-Host "[!] ALERT: Active connection to UAT-8616 infrastructure found:" -ForegroundColor Red
    $netStat | ForEach-Object { Write-Host $_.Line }
} else {
    Write-Host "[-] No connections to detected C2 IP."
}

Write-Host "[+] Checking for SystemBC proxy registry persistence..."
# Check both the per-user and the machine-wide Run keys
$regPaths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($regPath in $regPaths) {
    $regItems = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if (-not $regItems) { continue }
    # Skip the PSPath/PSParentPath/... metadata properties that Get-ItemProperty adds
    foreach ($prop in ($regItems.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        # Escape the dots: an unescaped ".dll" would match any character followed by "dll"
        if ($prop.Value -match 'rundll32\.exe' -and $prop.Value -match '\.dll') {
            Write-Host "[!] SUSPICIOUS: Potential SystemBC persistence in Run key: $regPath\$($prop.Name) = $($prop.Value)" -ForegroundColor Yellow
        }
    }
}

Response Priorities

Immediate

  1. Block Network IOCs: Block IP 176.65.139.31 at the perimeter firewall.
  2. Patch Critical CVEs: Immediately apply patches for CVE-2026-20182 (Cisco SD-WAN), CVE-2026-20131 (Cisco FMC), and CVE-2024-55591 (Fortinet). If patches are unavailable, shut down external management interfaces or enforce strict VPN access.

24 Hours

  1. Credential Audit: Verify identity security; "The Gentlemen" used leaked credentials and NTLM relay attacks. Force a reset of administrative accounts on edge devices.
  2. IOC Hunt: Run the provided PowerShell script and KQL queries across the enterprise to identify webshells or SystemBC implants.

1 Week

  1. Architecture Hardening: Segment management planes of network devices. Disable NTLM authentication where possible in favor of Kerberos or certificate-based auth to mitigate relay attacks.
  2. Egress Filtering: Implement strict egress filtering to prevent C2 beacons (Sliver/SystemBC) from reaching the internet.
