Threat Summary
Recent OTX pulse data indicates a convergence of high-impact attack vectors targeting enterprise environments. Three distinct clusters of activity have been identified:
-
SEO Poisoning & Ransomware Delivery: Threat actors are leveraging SEO poisoning to distribute trojanized installers for legitimate IT tools (e.g., ManageEngine OpManager). These installers deliver Bumblebee loaders, which facilitate lateral movement and credential dumping before deploying Akira ransomware via AdaptixC2.
-
RaaS Expansion: The Gentlemen ransomware-as-a-service (RaaS) group has rapidly escalated operations, targeting multiple sectors (Manufacturing, Finance, Healthcare). They exploit internet-facing vulnerabilities in VPNs and firewalls to gain initial access, deploying SharkLoader and a suite of reconnaissance tools (SharpADWS, NetScan).
-
Software Supply Chain Compromise: A new actor, JINX-0164, is aggressively targeting the cryptocurrency and technology sectors. Through LinkedIn social engineering and trojanized NPM packages, they deliver macOS-native malware (AUDIOFIX, MINIRAT) designed to hijack CI/CD pipelines and steal developer credentials.
Collectively, these campaigns demonstrate a shift towards abusing trusted administrative tools, exploiting vulnerable perimeter infrastructure, and compromising software development supply chains for financial gain.
Threat Actor / Malware Profile
Bumblebee & AdaptixC2 (Akira Delivery)
- Distribution: SEO poisoning (Bing Search) leading to trojanized IT management software installers.
- Behavior: Bumblebee acts as a loader, establishing initial access on privileged hosts. It facilitates lateral movement and credential dumping.
- C2: Uses AdaptixC2 for command and control, allowing stealthy communication and payload staging.
- Objective: Initial access to facilitate double-extortion ransomware deployment (Akira).
The Gentlemen (RaaS)
- Distribution: Exploitation of vulnerabilities in internet-facing devices (VPNs, Firewalls) and collaboration with Initial Access Brokers (IABs).
- Payloads: SharkLoader (initial download), Cobalt Strike (post-exploitation), ZiChatBot, MgBot, ReverseSocks.
- Tactics: Heavy use of GPO deployment for encryption, traffic capture via
netsh, and network reconnaissance using SharpADWS and Advanced IP Scanner. - Persistence: Uses vulnerable drivers to bypass security controls and maintain persistence.
JINX-0164
- Distribution: LinkedIn social engineering (recruiting/business partner persona) and supply chain compromise (NPM trojan).
- Malware:
- AUDIOFIX: Python-based infostealer and RAT targeting macOS.
- MINIRAT: Lightweight Go backdoor for remote control.
- Targeting: Specifically focuses on cryptocurrency organizations and software developers to hijack CI/CD infrastructure.
IOC Analysis
The provided IOCs span multiple categories, requiring a layered defensive approach:
-
Network Indicators (IPv4/Domains):
172.96.137.160,angryipscanner.org,opmanager.pro(Bumblebee/C2).login.teamicrosoft.com,driver-updater.net,live.ong(JINX-0164 Phishing/Infrastructure).- Operationalization: Block these domains and IPs at the perimeter (Firewall/DNS Proxy). Configure SIEM to alert on outbound connections to these endpoints.
-
File Hashes (MD5, SHA1, SHA256):
- Hashes provided for Bumblebee loaders, SharkLoader payloads, and macOS malware (AUDIOFIX/MINIRAT).
- Operationalization: Upload to EDR solutions for immediate detection/quarantine. Use forensic tools (Velociraptor, KAPE) to scan historical file systems for these artifacts.
-
URLs & Hostnames:
- URLs pointing to trojanized install scripts (
http://89.36.224.5/troubleshoot/mac/install.sh). - Operationalization: Block the specific IPs and scan proxy logs for any GET requests to these paths.
- URLs pointing to trojanized install scripts (
Detection Engineering
Sigma Rules
---
title: Potential Bumblebee Loader via Trojanized Admin Tools
id: 8a9b2c1d-4e5f-6789-0123-456789abcdef
description: Detects potential Bumblebee execution initiated via trojanized installers distributed via SEO poisoning targeting IT admin tools.
status: stable
author: Security Arsenal
date: 2026/07/01
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|contains:
- 'OpManager'
- 'ManageEngine'
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\rundll32.exe'
- '\regsvr32.exe'
condition: selection
falsepositives:
- Legitimate administrative scripting
level: high
---
title: The Gentlemen Reconnaissance Activity
description: Detects reconnaissance tools utilized by The Gentlemen group such as SharpADWS or Advanced IP Scanner.
status: stable
author: Security Arsenal
date: 2026/07/01
logsource:
category: process_creation
product: windows
detection:
selection_tools:
Image|endswith:
- '\Advanced_IP_Scanner.exe'
- '\netsh.exe'
selection_recon:
Image|endswith: '\SharpADWS.exe'
condition: 1 of selection*
falsepositives:
- Authorized network scanning
level: medium
---
title: JINX-0164 macOS Python C2 Activity
description: Detects Python processes on macOS establishing network connections associated with JINX-0164 tools like AUDIOFIX.
status: stable
author: Security Arsenal
date: 2026/07/01
logsource:
category: network_connection
product: macos
detection:
selection:
Image|endswith: '/python'
Initiated: 'true'
filter_legit_ports:
DestinationPort:
- 80
- 443
- 22
filter_legit_domains:
DestinationHostname|endswith:
- 'apple.com'
- 'github.com'
- 'microsoft.com'
condition: selection and not filter_legit_ports and not filter_legit_domains
falsepositives:
- Legitimate python development
level: high
KQL (Microsoft Sentinel)
// Hunt for IOCs from OTX Pulses (The Gentlemen, Bumblebee, JINX-0164)
let IoC_Domains = dynamic(["angryipscanner.org", "opmanager.pro", "driver-updater.net", "live.ong", "login.teamicrosoft.com"]);
let IoC_IPs = dynamic(["172.96.137.160", "89.36.224.5"]);
let IoC_Hashes = dynamic(["a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2", "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b", "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"]);
// Network Connection Hunt
DeviceNetworkEvents
| where RemoteUrl in (IoC_Domains) or RemoteIP in (IoC_IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend ThreatContext = case(
RemoteUrl has "opmanager", "Bumblebee SEO Poisoning",
RemoteIP == "172.96.137.160", "Bumblebee/Akira C2",
RemoteUrl has "driver-updater", "JINX-0164 Infrastructure",
"Unknown Match"
)
// File Hash Hunt
| union (
DeviceProcessEvents
| where SHA256 in (IoC_Hashes) or MD5 in (IoC_Hashes) or SHA1 in (IoC_Hashes)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, SHA256, MD5
)
PowerShell Hunt Script
# Security Arsenal - IOC Hunt Script for OTX Pulses (Bumblebee, The Gentlemen, JINX-0164)
$TargetHashes = @(
"a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2", # Bumblebee/Akira
"a746da514c90f26a187a294fda7edc1b", # Bumblebee/Akira
"bcee0ab10b23f5999bcdb56c0b4a631a", # The Gentlemen
"9321a61a25c7961d9f36852ecaa86f55", # The Gentlemen
"b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17" # JINX-0164
)
$TargetDomains = @(
"angryipscanner.org",
"opmanager.pro",
"driver-updater.net",
"live.ong",
"login.teamicrosoft.com"
)
Write-Host "[+] Starting IOC Hunt for OTX Pulse Data..." -ForegroundColor Cyan
# 1. Check Processes for Malicious Hashes
Write-Host "[*] Scanning running processes..." -ForegroundColor Yellow
Get-Process | Where-Object { $_.Path -ne $null } | ForEach-Object {
try {
$hash = (Get-FileHash -Path $_.Path -Algorithm SHA256 -ErrorAction Stop).Hash
if ($TargetHashes -contains $hash) {
Write-Host "[!] ALERT: Malicious process detected - $($_.ProcessName) (PID: $($_.Id))" -ForegroundColor Red
}
} catch {}
}
# 2. Scan User Download Directories for Malicious Files
Write-Host "[*] Scanning user directories for malicious files..." -ForegroundColor Yellow
$Paths = @("C:\Users\Public", "$env:USERPROFILE\Downloads")
foreach ($Path in $Paths) {
if (Test-Path $Path) {
Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
try {
$hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
if ($TargetHashes -contains $hash) {
Write-Host "[!] ALERT: Malicious file found at $($_.FullName)" -ForegroundColor Red
}
} catch {}
}
}
}
# 3. Check DNS Cache for Indicator Domains
Write-Host "[*] Checking DNS Cache for malicious domains..." -ForegroundColor Yellow
Get-DnsClientCache | Where-Object { $TargetDomains -contains $_.Entry } | ForEach-Object {
Write-Host "[!] ALERT: Suspicious DNS entry resolved: $($_.Entry) -> $($_.Data)" -ForegroundColor Red
}
# 4. Check for established connections to Bumblebee C2 IP
Write-Host "[*] Checking network connections to 172.96.137.160..." -ForegroundColor Yellow
$connection = netstat -ano | Select-String "172.96.137.160"
if ($connection) {
Write-Host "[!] ALERT: Active connection to Bumblebee C2 detected." -ForegroundColor Red
Write-Host $connection
}
Write-Host "[+] Hunt Complete." -ForegroundColor Green
Response Priorities
-
Immediate (0-4h):
- Block all listed IP addresses and domains at the firewall and proxy level.
- Initiate a hunt for the specific file hashes provided across all endpoints using EDR.
- Isolate any systems showing signs of connectivity to
172.96.137.160orangryipscanner.org.
-
24 Hours:
- Conduct identity verification for users who may have interacted with LinkedIn recruitment messages (JINX-0164 context) and rotate credentials for developer accounts.
- Review VPN and firewall logs for signs of exploitation related to "The Gentlemen" (vulnerable driver loading).
- Audit software downloads from "ManageEngine" or "OpManager" sources to ensure they were not downloaded via SEO poisoning links.
-
1 Week:
- Implement stricter code signing policies and verification for downloaded software binaries.
- Enhance perimeter monitoring to detect SEO poisoning trends (monitoring DNS queries for newly registered domains similar to legitimate vendors).
- Review and restrict the use of high-privileged admin accounts for general web browsing to mitigate the impact of trojanized installers.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.