Back to Intelligence

DinDoor Backdoor, AdaptixC2 & The Gentlemen RaaS: Multi-Vector OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
May 24, 2026
5 min read

Recent OTX pulses indicate a surge in diverse threat activity ranging from state-aligned espionage to financially motivated ransomware. Security teams must contend with MuddyWater leveraging the DinDoor backdoor via Deno runtime abuse, Tropic Trooper deploying AdaptixC2 beacons through trojanized SumatraPDF installers, and the aggressive The Gentlemen RaaS operation utilizing sophisticated defense evasion.

Collectively, these campaigns highlight a trend toward "living-off-the-land" binaries (LOLBins) and abusing niche runtimes (Deno) to bypass detection. The objectives range from intelligence gathering (fingerprinting in DinDoor) to system enslavement (AdaptixC2) and extortion via file encryption (The Gentlemen). Financial and Transportation sectors are currently in the crosshairs.

Threat Actor / Malware Profile

MuddyWater (DinDoor)

  • Distribution: Malicious MSI files containing obfuscated JavaScript.
  • Payload Behavior: Exploits the Deno runtime (JavaScript/TypeScript) to execute backdoor logic. Variants either write JS to disk or run entirely in-memory.
  • C2 Communication: Connects to active domains such as ineracaspsl.site and justtalken.com for command execution.
  • Persistence: MSI installation logic ensures execution; unique victim IDs are generated via fingerprinting.

Tropic Trooper (AdaptixC2 Beacon)

  • Distribution: Trojanized SumatraPDF binaries distributed via ZIP archives with military-themed lures.
  • Payload Behavior: Shellcode loader deploys AdaptixC2 Beacon and installs a full instance of Visual Studio Code as a tool for lateral movement or staging.
  • C2 Communication: Beacons establish C2 channels; associated with Cobalt Strike beacons in some iterations.
  • Anti-Analysis: Uses shellcode obfuscation and loaders similar to known Tropic Trooper tooling (TOSHIS).

The Gentlemen (RaaS)

  • Distribution: Likely initial access via exploits (references CVE-2024-55591).
  • Payload Behavior: Ransomware-as-a-service; claims 400+ victims. Uses PowerShell for execution.
  • Persistence: Scheduled Tasks.
  • Defense Evasion: Aggressively clears Security, System, and Application Event Logs. Disables Microsoft Defender.

IOC Analysis

The provided indicators cover a broad spectrum of the attack chain:

  • Network IOCs: Domains (ineracaspsl.site, serialmenot.com) and IPv4 addresses (193.233.202.17, 77.110.122.137) should be blocked immediately on firewalls and proxies. DNS sinkholing is recommended for the DinDoor domains.
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes are provided for the MSI payloads, trojanized PDFs, and ransomware binaries.
    • Action: Add these to EDR "block" lists and initiate a retrospective hunt for execution history.
  • CVE: CVE-2024-55591 is referenced in the Gentlemen pulse; patching associated infrastructure is critical.

Operationalization: SOC teams should import these STIX/JSON indicators into their SIEM (e.g., Splunk, Sentinel) to correlate against DeviceNetworkEvents and DeviceProcessEvents. Use threat intelligence platforms (TIPs) to automate the blocking of the Deno C2 domains.

Detection Engineering

YAML
title: Suspicious Deno Runtime Execution - DinDoor Indicator
description: Detects the execution of Deno runtime, often abused by the DinDoor backdoor, specifically when launched by MSI installers or suspicious parent processes.
status: experimental
date: 2026/05/25
references:
    - https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\deno.exe'
    condition: selection
falsepositives:
    - Legitimate developer usage of Deno runtime
level: high
tags:
    - attack.execution
    - attack.t1059.007
---
title: SumatraPDF Spawning VS Code or Shell - Tropic Trooper
description: Detects SumatraPDF spawning Visual Studio Code or command shells, indicative of the trojanized SumatraPDF campaign deploying AdaptixC2.
status: experimental
date: 2026/05/25
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        Image|endswith: '\SumatraPDF.exe'
    selection_child:
        - Image|endswith: '\Code.exe'
        - Image|endswith: '\powershell.exe'
        - Image|endswith: '\cmd.exe'
    condition: all of selection_*
falsepositives:
    - Unlikely, SumatraPDF is a reader and should not spawn development tools.
level: critical
tags:
    - attack.initial_access
    - attack.t1204
---
title: Windows Event Log Clearing - Gentlemen Ransomware TTP
description: Detects attempts to clear Windows Event Logs, a defense evasion technique heavily utilized by The Gentlemen ransomware actors.
status: experimental
date: 2026/05/25
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 517
    condition: selection
falsepositives:
    - Administrative scripts or scheduled maintenance tasks (rare).
level: high
tags:
    - attack.defense_evasion
    - attack.t1070.001


kql
// Hunt for DinDoor C2 Domains and The Gentlemen IPs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("ineracaspsl.site", "serialmenot.com", "justtalken.com", "hngfbgfbfb.cyou", "agilemast3r.duckdns.org") 
   or RemoteIP in ("193.233.202.17", "77.110.122.137")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend IOCMatch = "OTX_DarkWeb_Intel"


powershell
# IOC Hunt Script for DinDoor and Gentlemen Artifacts
$TargetHashes = @(
    "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5", 
    "f918535f974591ef031bd0f30a8171e3da27a6754e6426a8ba095f83195661c8"
)

$TargetDomains = @(
    "ineracaspsl.site", "serialmenot.com", "justtalken.com"
)

Write-Host "Checking for malicious file hashes..."
foreach ($hash in $TargetHashes) {
    Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { (Get-FileHash $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash -eq $hash } | 
    Select-Object FullName, Length, LastWriteTime
}

Write-Host "Checking for active network connections to malicious domains..."
Get-NetTCPConnection | Where-Object {
    $OwningProcess = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $OwningProcess.ProcessName -match "deno|code|sumatra" -or $_.RemoteAddress -in $TargetDomains
} | Select-Object LocalAddress, RemoteAddress, State, OwningProcess

Write-Host "Checking for Scheduled Tasks associated with The Gentlemen..."
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match "powershell" -and $_.Actions.Arguments -match "-EncodedCommand" } | 
Select-Object TaskName, TaskPath, State


# Response Priorities

*   **Immediate**: Block all identified Domains and IPs at the perimeter. Hunt for processes named `deno.exe` or `SumatraPDF.exe` spawning child processes on endpoints.
*   **24h**: Validate the integrity of systems running SumatraPDF or with recent MSI installations. If credential theft is suspected (fingerprinting activity by DinDoor), force reset of privileged passwords.
*   **1 week**: Review and restrict the use of niche runtimes like Deno in production environments. Implement application signing policies to prevent the execution of trojanized binaries like SumatraPDF. Patch systems against CVE-2024-55591.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwaredindoor-backdooradaptixc2-beacongentlemen-ransomwaremuddywaterdeno-runtime

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action