
Gh0st RAT Adware Bundles, The Gentlemen RaaS & LightBasin APT: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
April 21, 2026
5 min read

Recent OTX pulses describe three distinct, currently active campaigns against enterprise infrastructure:

  1. Commodity to RAT: adware bundles sold as "CloverPlus" are being used as a delivery vector for Gh0st RAT. The bundles carry obfuscated loaders that drop encrypted payloads and execute them through rundll32.exe, then set up persistence and keylogging.
  2. RaaS expansion: The Gentlemen ransomware-as-a-service operation has scaled quickly, using the SystemBC proxy malware to tunnel C2 traffic and to support lateral movement. Affiliates deploy lockers for Windows, Linux and ESXi.
  3. APT supply chain: LightBasin (UNC1945) continues to reach financial-sector targets by compromising Managed Service Providers (MSPs). The group brings its own tooling, including SLAPSTICK (a PAM backdoor) and EVILSUN (an exploitation tool), often staged from a custom virtual machine it introduces into the victim environment, and exploits CVE-2020-14871, a stack-based buffer overflow in Oracle Solaris PAM that is reachable through SSH keyboard-interactive authentication. Its Linux footholds use separate custom implants; the CVE itself affects Solaris only.

Threat Actor / Malware Profile

Gh0st RAT (via CloverPlus)

  • Distribution: Malicious adware bundles masquerading as legitimate software installers.
  • Behavior: Drops encrypted payloads carried in PE resource sections and executes them via rundll32.exe. Implements DNS hijacking and keylogging.
  • Persistence: Registry Run keys, Windows services.
  • Targeting: Broad; the adware's nuisance behavior provides cover for the far more dangerous RAT payload, which tends to be dismissed as "just adware" at triage.
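The profile above says the loader carries an encrypted payload in the PE resource section. One cheap triage check for a suspected CloverPlus dropper is section entropy: an encrypted blob in .rsrc stands out against ordinary code and resource data. The script below is an added example, not tooling from the original write-up or from the pulse authors. It parses the PE section table with the Python standard library only, uses an assumed triage threshold of 7.2 bits per byte, and builds a synthetic PE image inline (not a real sample) so it runs offline.

```python
"""Section-entropy triage for a suspected Gh0st/CloverPlus dropper (added example)."""
import math
import random
import struct
import sys
from collections import Counter

ENTROPY_THRESHOLD = 7.2  # assumed triage cut-off in bits/byte; code sits near 6, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Yield (name, raw_offset, raw_size, entropy) for every section in a PE image.

    Only what is needed to reach the section table is decoded: e_lfanew from the
    DOS header, NumberOfSections and SizeOfOptionalHeader from the COFF header.
    """
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", blob, coff + 2)
    (size_opt,) = struct.unpack_from("<H", blob, coff + 16)
    table = coff + 20 + size_opt
    for i in range(num_sections):
        entry = blob[table + 40 * i: table + 40 * i + 40]
        name = entry[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", entry, 16)  # SizeOfRawData, PointerToRawData
        yield name, raw_ptr, raw_size, shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])


def suspicious_sections(blob: bytes, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Names of sections (at least 256 bytes) whose entropy reaches the threshold."""
    return [name for name, _, size, ent in pe_sections(blob) if size >= 256 and ent >= threshold]


def build_sample_pe(encrypted_rsrc: bool) -> bytes:
    """Construct a minimal, synthetic PE32 image with .text and .rsrc sections.

    Not a real sample: headers fill the first 0x200 bytes, then two 0x400-byte
    sections. With encrypted_rsrc=True the resource section is pseudo-random,
    standing in for an encrypted Gh0st payload; otherwise it is plain strings.
    """
    rng = random.Random(1337)  # fixed seed keeps the sample reproducible
    text = bytes(rng.choice(b"\x55\x8b\xec\x83\xc4\x90\xc3\x00") for _ in range(0x400))
    if encrypted_rsrc:
        rsrc = bytes(rng.getrandbits(8) for _ in range(0x400))
    else:
        rsrc = (b"CloverPlus setup strings\0" * 41)[:0x400]
    sections = [(b".text", text), (b".rsrc", rsrc)]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = b"\x0b\x01" + b"\0" * (size_opt - 2)  # PE32 magic, remaining fields zeroed
    table, raw_ptr = b"", 0x200
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), raw_ptr, len(data), raw_ptr, 0, 0, 0, 0, 0x40000040)
        raw_ptr += len(data)
    image = (dos + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0")
    return image + b"".join(data for _, data in sections)


if __name__ == "__main__":
    blobs = ([open(sys.argv[1], "rb").read()] if len(sys.argv) > 1
             else [build_sample_pe(True), build_sample_pe(False)])
    for blob in blobs:
        for name, off, size, ent in pe_sections(blob):
            flag = " <-- high entropy" if ent >= ENTROPY_THRESHOLD else ""
            print(f"{name:<8} off=0x{off:06x} size=0x{size:06x} entropy={ent:.2f}{flag}")
        print("suspicious:", suspicious_sections(blob))
```

Run it with a file path to score a real dropper; without arguments it scores the two constructed samples. Entropy alone is not evidence of malice (signed installers with compressed resources also score high), so treat a hit as a reason to pull the file for detonation, not as a verdict.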

The Gentlemen & SystemBC

  • Actor: The Gentlemen (RaaS affiliate program).
  • Behavior: SystemBC acts as a SOCKS5 proxy that tunnels C2 traffic for Cobalt Strike beacons and the ransomware payload. Lateral movement via PsExec; hands-on remote access via AnyDesk.
  • Impact: Encrypts ESXi, NAS and BSD systems alongside Windows file servers, so a single affiliate intrusion can take virtualization and storage down together.

LightBasin (UNC1945)

  • Actor: State-aligned threat group targeting telecommunications and finance.
  • Behavior: Leverages third-party access (MSP compromise). Uses custom Linux/Solaris implants (e.g., EVILSUN, SLAPSTICK).
  • Exploits: CVE-2020-14871, a stack-based buffer overflow in Oracle Solaris PAM reachable through SSH keyboard-interactive authentication, delivered with the EVILSUN tool. CVE-2019-0708 (BlueKeep, Windows RDP) also appears in the associated pulses. Neither CVE concerns Oracle WebLogic.

IOC Analysis

The provided pulses contain:

  • File hashes (MD5, SHA1, SHA256): block on endpoints (EDR) and sweep file shares and staging directories.
  • CVEs: CVE-2023-27350 (PaperCut NG/MF authentication bypass), CVE-2019-0708 (BlueKeep, Windows RDP) and CVE-2020-14871 (Oracle Solaris PAM, reached over SSH). Feed these into vulnerability management and patch prioritization.
  • Operationalization: load the SHA256 hashes into the EDR blocklist (never an allowlist); treat the MD5 values as hunt-only, since MD5 is collision-prone and weak for blocking. Validate patch status for the three CVEs on the asset classes they actually affect. The Gh0st delivery chain needs no exploit, it relies on the user running the bundle, so there is nothing to patch on that side; the controls there are PUA blocking and the rundll32 detections below.
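Loading a pulse into an EDR is mostly a normalization problem: hash types must be separated, case and whitespace cleaned, duplicates collapsed, and anything that is not a well-formed hash or CVE identifier kept out of the blocklist. The script below is an added example, not AlienVault tooling or code from the original write-up. It assumes the pulse export shape {"name": ..., "indicators": [{"type": ..., "indicator": ...}]} with OTX's indicator type names (FileHash-MD5, FileHash-SHA1, FileHash-SHA256, CVE); the sample pulse is constructed from the hashes and CVEs quoted in this write-up plus two deliberately malformed entries, and the CSV layout is a neutral type,value,source format rather than any vendor's import schema.

```python
"""Normalise OTX pulse indicators into EDR-ready blocklists (added example)."""
import csv
import io
import re
from collections import defaultdict

# OTX hash indicator type names and the hex length each value must have.
HEX_LEN = {"FileHash-MD5": 32, "FileHash-SHA1": 40, "FileHash-SHA256": 64}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed pulse in the assumed export shape. Hashes and CVEs are those quoted
# in the write-up; the last two entries are malformed on purpose.
SAMPLE_PULSE = {
    "name": "Gh0st RAT via CloverPlus / The Gentlemen / LightBasin",
    "indicators": [
        {"type": "FileHash-SHA256", "indicator": "ebba8f4342b65faccdd2a48be9f2654d3fa523360f17ff68d5498a453f76c205"},
        {"type": "FileHash-SHA256", "indicator": "fda9864b1aa230b60d0c736559415ac9c79e240cce411daed5da2facb9ced87c"},
        {"type": "FileHash-SHA256", "indicator": "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e"},
        {"type": "FileHash-SHA256", "indicator": "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235"},
        {"type": "FileHash-SHA256", "indicator": "632be2363c7a13be6d5ce0dca11e387bd0a072cc962b004f0dcf3c1f78982a5a"},
        {"type": "FileHash-MD5", "indicator": "04c3c443f6ad7582b6e61d0480594d83"},
        {"type": "FileHash-MD5", "indicator": " 44118D8FB41634B3D8D8B1C6FDF9C421 "},  # mixed case, padded
        {"type": "FileHash-MD5", "indicator": "04c3c443f6ad7582b6e61d0480594d83"},    # duplicate
        {"type": "CVE", "indicator": "CVE-2023-27350"},
        {"type": "CVE", "indicator": "cve-2019-0708"},
        {"type": "CVE", "indicator": "CVE-2020-14871"},
        {"type": "FileHash-SHA256", "indicator": "ebba8f4342b65faccdd2a48be9f2654d"},  # truncated: reject
        {"type": "CVE", "indicator": "CVE-20-14871"},                                   # malformed: reject
    ],
}


def normalise(pulse: dict):
    """Split indicators into validated buckets.

    Returns (buckets, rejected): buckets maps 'md5'/'sha1'/'sha256'/'cve'/'other'
    to sets of normalised values; rejected lists (type, value, reason) for anything
    that fails validation, so a truncated or typo'd hash never enters a blocklist silently.
    """
    buckets = defaultdict(set)
    rejected = []
    for ind in pulse.get("indicators", []):
        itype = ind.get("type", "")
        value = str(ind.get("indicator", "")).strip()
        if itype in HEX_LEN:
            value = value.lower()
            if re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[itype], value):
                buckets[itype.split("-", 1)[1].lower()].add(value)
            else:
                rejected.append((itype, value, "not %d hex chars" % HEX_LEN[itype]))
        elif itype == "CVE":
            value = value.upper()
            if CVE_RE.match(value):
                buckets["cve"].add(value)
            else:
                rejected.append((itype, value, "malformed CVE id"))
        else:
            buckets["other"].add((itype, value))  # domains, IPs, URLs: handled by other pipelines
    return buckets, rejected


def blocklist_csv(buckets: dict, source: str) -> str:
    """Render the hash buckets as type,value,source rows (SHA256 first, MD5 last)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["type", "value", "source"])
    for algo in ("sha256", "sha1", "md5"):
        for value in sorted(buckets.get(algo, ())):
            writer.writerow([algo, value, source])
    return out.getvalue()


if __name__ == "__main__":
    b, rej = normalise(SAMPLE_PULSE)
    print(blocklist_csv(b, "OTX: " + SAMPLE_PULSE["name"]))
    print("CVEs for patch validation:", ", ".join(sorted(b["cve"])))
    for itype, value, reason in rej:
        print(f"rejected {itype} {value!r}: {reason}")
```

Map the three CSV columns onto your EDR's indicator import before loading, and keep the rejected list in the ticket: a pulse entry that fails validation is usually a copy-paste error upstream and is worth reporting back rather than dropping.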

Detection Engineering

```yaml
title: Potential Gh0st RAT Execution via Rundll32
id: 0e8b3c1a-1a2b-3c4d-5e6f-7a8b9c0d1e2f
description: Detects rundll32.exe loading a DLL from a user-writable profile directory, the execution pattern used by the CloverPlus adware bundles that deliver Gh0st RAT.
status: experimental
date: 2026-04-21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/618b4567-1234-5678-9abc-def123456789
tags:
    - attack.defense-evasion
    - attack.t1218.011
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: '.dll'
    selection_paths:
        CommandLine|contains:
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    condition: selection and selection_paths
falsepositives:
    - Legitimate software installers that stage a DLL in the user profile; baseline by parent process and DLL name before alerting
level: high
---
title: Suspicious Outbound Connection from User-Writable Path (SystemBC Proxy)
id: 1f9c4d2b-2c3d-4e5f-6a7b-8c9d0e1f2a3b
description: Detects a process running from a user-writable directory initiating a connection to a public address on a non-web port, the beaconing pattern of the SystemBC proxy used by The Gentlemen affiliates. SystemBC does not ship under a fixed file name, and svchost.exe cannot be used as a selector without drowning the rule in noise, so the rule keys on the image path. SystemBC can also be configured to use 443; pair this rule with the KQL beaconing hunt below.
status: experimental
date: 2026-04-21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/628c5678-2345-6789-bcdf-0123456789ab
tags:
    - attack.command-and-control
    - attack.t1090
    - attack.t1095
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|contains:
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\ProgramData\'
            - '\Users\Public\'
    filter_web:
        DestinationPort:
            - 80
            - 443
            - 8080
    filter_private:
        DestinationIp|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '127.0.0.0/8'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate proxy or VPN clients installed per-user
    - Update agents and launchers that run from the user profile and talk to their own servers on non-standard ports
level: medium
---
title: PaperCut NG/MF Authentication Bypass Attempt (CVE-2023-27350)
id: 2a0d5e3c-3d4e-5f6a-7b8c-9d0e1f2a3b4c
description: Detects requests for the PaperCut SetupCompleted page, which CVE-2023-27350 abuses to bypass authentication to the admin interface; this is the web-exploitable CVE in the pulses. CVE-2020-14871 (LightBasin/UNC1945) is a stack overflow in Oracle Solaris PAM reached through SSH keyboard-interactive authentication, not an Oracle WebLogic bug, and it leaves no web server log trail; cover it with Solaris authentication logging and patch validation rather than a web rule.
status: experimental
date: 2026-04-21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/639d6789-3456-7890-cdef-123456789abc
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: 'service=page/SetupCompleted'
    condition: selection
falsepositives:
    - The page is legitimately requested only during first-time setup of a PaperCut server
level: high
```
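Before shipping endpoint rules like the two Windows rules in this pack, check their selection and filter logic against events you can reason about. The script below is an added example, not code from the pulse authors or from the Sigma project. It is a minimal evaluator for the subset of Sigma the pack uses (the endswith, contains and cidr modifiers, lists as OR, fields within a selection as AND, and conditions built from and/or/not), run against constructed Sysmon-style process_creation and network_connection events. The rules are embedded as Python dicts mirroring the YAML; the network rule keys on user-writable image paths and public destinations rather than a SystemBC file name, which is an editorial choice, and field names follow Sigma's Windows taxonomy.

```python
"""Dry-run the endpoint Sigma logic against constructed Sysmon-style events (added example)."""
import ipaddress
import re


def _match_value(value, op: str, pattern) -> bool:
    """Apply one Sigma modifier (endswith / contains / cidr / exact) to a field value."""
    if value is None:
        return False
    if op == "cidr":
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    v, p = str(value).lower(), str(pattern).lower()  # Sigma string matching is case-insensitive
    if op == "endswith":
        return v.endswith(p)
    if op == "contains":
        return p in v
    return v == p


def selection_matches(selection: dict, event: dict) -> bool:
    """Every field in a selection must match (AND); a list of patterns is an OR."""
    for key, patterns in selection.items():
        field, _, op = key.partition("|")
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(event.get(field), op, p) for p in patterns):
            return False
    return True


def rule_matches(rule: dict, event: dict) -> bool:
    """Evaluate a condition made of selection names, and/or/not and parentheses.

    Each selection name is replaced by its boolean result; the remaining token
    stream contains only True/False/and/or/not and parentheses, which is then
    evaluated with no builtins. The 'N of' condition forms are not supported.
    """
    detection = rule["detection"]
    expr = []
    for tok in re.findall(r"\w+|[()]", detection["condition"]):
        if tok in ("and", "or", "not", "(", ")"):
            expr.append(tok)
        else:
            expr.append(str(selection_matches(detection[tok], event)))
    return bool(eval(" ".join(expr), {"__builtins__": {}}, {}))


def run_pack(rules, events):
    """Return [(event id, rule title)] for every rule/event pair that fires."""
    return [(ev["id"], r["title"]) for ev in events for r in rules if rule_matches(r, ev)]


RULES = [
    {"title": "Potential Gh0st RAT Execution via Rundll32",
     "detection": {
         "selection": {"Image|endswith": "\\rundll32.exe", "CommandLine|contains": ".dll"},
         "selection_paths": {"CommandLine|contains": ["\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\"]},
         "condition": "selection and selection_paths"}},
    {"title": "Suspicious Outbound Connection from User-Writable Path",
     "detection": {
         "selection": {"Initiated": "true",
                       "Image|contains": ["\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\",
                                          "\\ProgramData\\", "\\Users\\Public\\"]},
         "filter_web": {"DestinationPort": [80, 443, 8080]},
         "filter_private": {"DestinationIp|cidr": ["10.0.0.0/8", "172.16.0.0/12",
                                                   "192.168.0.0/16", "127.0.0.0/8"]},
         "condition": "selection and not filter_web and not filter_private"}},
]

# Constructed events (203.0.113.0/24 is a documentation range, not a real C2).
EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\clv\\upd.dll,Start"},
    {"id": 2, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"id": 3, "Initiated": "true", "Image": "C:\\Users\\bob\\AppData\\Roaming\\svc.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 4001},
    {"id": 4, "Initiated": "true", "Image": "C:\\Users\\bob\\AppData\\Roaming\\svc.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},   # web port: filtered
    {"id": 5, "Initiated": "true", "Image": "C:\\Users\\bob\\AppData\\Roaming\\svc.exe",
     "DestinationIp": "10.20.30.40", "DestinationPort": 4001},  # private destination: filtered
]

if __name__ == "__main__":
    for event_id, title in run_pack(RULES, EVENTS):
        print(f"event {event_id}: {title}")
```

Only events 1 and 3 fire. Event 4 shows the cost of the web-port filter: a SystemBC build configured for 443 walks straight through it, which is why the rule is rated medium and backed by a beaconing hunt rather than treated as a standalone alert.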


```kql
// Hunt 1: process executions or file writes matching the SHA256 hashes from the pulses.
let PulseHashes = dynamic([
    "ebba8f4342b65faccdd2a48be9f2654d3fa523360f17ff68d5498a453f76c205",
    "fda9864b1aa230b60d0c736559415ac9c79e240cce411daed5da2facb9ced87c",
    "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e",
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "632be2363c7a13be6d5ce0dca11e387bd0a072cc962b004f0dcf3c1f78982a5a"
]);
union
    (DeviceProcessEvents
     | where Timestamp >= ago(7d) and SHA256 in (PulseHashes)
     | project Timestamp, DeviceName, Source = "ProcessCreate", FileName, FolderPath, SHA256,
               Detail = ProcessCommandLine, Parent = InitiatingProcessFileName),
    (DeviceFileEvents
     | where Timestamp >= ago(7d) and SHA256 in (PulseHashes)
     | project Timestamp, DeviceName, Source = "FileEvent", FileName, FolderPath, SHA256,
               Detail = ActionType, Parent = InitiatingProcessFileName)
| extend AlertMessage = "File matches OTX pulse hash IOC"
| order by Timestamp desc

// Hunt 2 (run as a separate query; advanced hunting accepts one tabular expression per run):
// SystemBC-style beaconing. SystemBC does not favour 80/443/8080, so the hunt does not
// filter on port; it looks for repeated successful connections from user-writable paths,
// or from cmd/powershell outside an interactive session, to the same public IP.
DeviceNetworkEvents
| where Timestamp >= ago(7d)
| where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
| where InitiatingProcessFolderPath has_any (@"\AppData\Local\Temp\", @"\AppData\Roaming\", @"\ProgramData\", @"\Users\Public\")
    or (InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe")
        and InitiatingProcessParentFileName !in~ ("explorer.exe", "services.exe"))
| summarize Connections = count(), Ports = make_set(RemotePort, 10),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessParentFileName, RemoteIP
| where Connections >= 5   // repeated contact with one host is the beaconing signal
| order by Connections desc
```


```powershell
# Gh0st RAT & The Gentlemen persistence and IOC hunt (run elevated on the endpoint)

$RunKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

# Literal substrings, regex-escaped and joined with '|' so -match tests all of them
# (an array on the right of -match would be flattened into one useless pattern).
$SuspiciousPatterns = @("rundll32", ".dll", "\Temp\", "\AppData\")
$SuspiciousRegex = ($SuspiciousPatterns | ForEach-Object { [regex]::Escape($_) }) -join "|"

foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Values = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $Values) { continue }
    # PSObject.Properties yields name/value pairs; PS* entries are provider metadata, not Run values
    foreach ($Prop in $Values.PSObject.Properties) {
        if ($Prop.Name -like "PS*") { continue }
        if ("$($Prop.Value)" -match $SuspiciousRegex) {
            Write-Host "[!] Suspicious persistence entry in $Key" -ForegroundColor Red
            Write-Host "    Name:  $($Prop.Name)"
            Write-Host "    Value: $($Prop.Value)"
        }
    }
}

# File IOC sweep over the usual staging directories, using the hashes quoted in the pulses.
# MD5 matches are hunt leads only; SHA256 matches are the ones to block on.
$IOCPaths = @("C:\Windows\Temp", "$env:APPDATA", "$env:LOCALAPPDATA\Temp", "C:\ProgramData", "C:\Users\Public")
$IOCHashes = @{
    MD5 = @(
        "04c3c443f6ad7582b6e61d0480594d83",  # Gh0st
        "44118d8fb41634b3d8d8b1c6fdf9c421"   # SystemBC
    )
    SHA256 = @(
        "ebba8f4342b65faccdd2a48be9f2654d3fa523360f17ff68d5498a453f76c205",
        "fda9864b1aa230b60d0c736559415ac9c79e240cce411daed5da2facb9ced87c",
        "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e",
        "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
        "632be2363c7a13be6d5ce0dca11e387bd0a072cc962b004f0dcf3c1f78982a5a"
    )
}

foreach ($Path in $IOCPaths) {
    if (-not (Test-Path $Path)) { continue }
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 -and $_.Length -lt 200MB } |   # skip empty and very large files
    ForEach-Object {
        $File = $_
        foreach ($Algo in $IOCHashes.Keys) {
            $Hash = (Get-FileHash -LiteralPath $File.FullName -Algorithm $Algo -ErrorAction SilentlyContinue).Hash
            if ($Hash -and ($IOCHashes[$Algo] -contains $Hash.ToLower())) {
                Write-Host "[!] IOC match ($Algo): $($File.FullName)" -ForegroundColor Yellow
            }
        }
    }
}
```


Response Priorities

  • Immediate: Block the pulse SHA256 hashes on endpoints. Hunt for rundll32.exe loading DLLs from user profile directories. Isolate hosts showing SystemBC-style beaconing or any sign of ESXi encryption.
  • 24h: Validate patch status for CVE-2023-27350 (PaperCut NG/MF), CVE-2019-0708 (Windows RDP) and CVE-2020-14871 (Oracle Solaris PAM, exposed through SSH) across all internet-facing assets, checking each CVE against the asset class it actually affects. If you are in the financial sector, audit the credentials and access paths your MSPs hold.
  • 1 week: Review MSP access controls and enforce segmentation so that a compromised provider cannot hop from its management network into your estate ("island hopping"). Add CloverPlus variants to adware and PUA blocklists.
