
The Gentlemen & notnullOSX Stealers: Multi-Vector Infostealer Campaign Analysis — Enterprise Detection Pack

Security Arsenal Team
April 18, 2026
7 min read

Threat Summary

OTX Pulse data reveals a concerning convergence of credential theft and ransomware operations, with multiple threat actors targeting enterprise assets through sophisticated supply chain attacks and infrastructure exploitation. The Gentlemen ransomware group is leveraging CVE-2024-37085 (VMware ESXi) and CVE-2025-32463 (FortiOS) for initial access before deploying LockBit 5.0, Medusa, and Qilin ransomware families. Simultaneously, notnullOSX and NWHStealer campaigns are targeting high-value cryptocurrency wallets through fake software distribution and social engineering.

The collective attack chain demonstrates a clear pivot toward credential harvesting as a precursor to ransomware deployment. Attackers are exploiting legitimate security software (Cobra DocGuard), popular VPN services (Proton VPN), and developer platforms (HuggingFace) to establish initial footholds before pivoting to credential theft and lateral movement.

Threat Actor / Malware Profile

The Gentlemen

Distribution Method: Exploitation of FortiOS/FortiProxy vulnerabilities (CVE-2024-55591, CVE-2025-32463) and public-facing applications

Payload Behavior: Ransomware-as-a-Service (RaaS) model with data exfiltration prior to encryption. Targets Babuk, Babyk, Vasa Locker, Qilin, LockBit 5.0, and Medusa variants

C2 Communication: Maintains a database of compromised devices; uses encrypted HTTPS channels with randomized domains

Persistence Mechanism: Scheduled tasks, registry run keys, and WMI event consumers for defense evasion

Anti-Analysis Techniques: Process hollowing, API hooking, and AMSI bypass techniques

notnullOSX

Threat Actor: alh1mik (formerly 0xFFF)

Distribution Method: ClickFix social engineering, malicious DMG files disguised as legitimate applications

Payload Behavior: Modular stealer written in Go, targeting macOS users with $10K+ cryptocurrency holdings. Collects browser data, wallet credentials, and 2FA codes

C2 Communication: HTTPS with domain coockie[.]pro and IP 83.217.209.88

Persistence Mechanism: LaunchAgents and LaunchDaemons persistence via plist files

Anti-Analysis Techniques: Anti-VM detection and anti-debugging techniques

NWHStealer

Distribution Method: Fake Proton VPN download sites, hardware utilities, gaming mods on GitHub/GitLab

Payload Behavior: Collects browser data, saved passwords, and cryptocurrency wallet information

C2 Communication: HTTP to domains get-proton-vpn[.]com, vpn-proton-setup[.]com, and newworld-helloworld[.]icu

Persistence Mechanism: Registry startup keys and scheduled tasks

Infostealer.Speagle

Threat Actor: Runningcrab

Distribution Method: Hijacks Cobra DocGuard security software functionality

Payload Behavior: Collects sensitive information and transmits to compromised Cobra DocGuard server

C2 Communication: Data exfiltration masked as legitimate communications to CDGServer endpoints

IOC Analysis

The intelligence collection includes multiple indicator types requiring different operational approaches:

  • FileHash-SHA256: 24 unique hashes across all campaigns. SOC teams should block these at the perimeter and scan endpoints using EDR threat intelligence feeds. Hash-based detection requires EDR integration with YARA rules for proactive hunting.

  • Domains: 5 distinct domains including coockie[.]pro (notnullOSX C2), get-proton-vpn[.]com (NWHStealer distribution), and HuggingFace-related infrastructure. Implement DNS sinkholing and blocklist these at recursive resolvers.

  • IPv4 Addresses: 5 IPs including 83.217.209.88 (notnullOSX C2) and infrastructure used in the marimo/HuggingFace campaign. Network devices should block inbound/outbound connections to these IPs.

  • CVEs: 8 CVEs including CVE-2024-37085 (VMware ESXi), CVE-2024-55591 (FortiOS), and CVE-2026-39987 (marimo). Prioritize patching based on CVSS scores and asset exposure.

  • URLs: Specific endpoints including CDGClientDiagnostics endpoints used by Infostealer.Speagle. Block at proxy and CASB layers.
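As an added illustration (not part of the original pulse or of Security Arsenal's tooling), the Python script below performs the first operational step the indicator list implies: it refangs values as feeds publish them (coockie[.]pro, hxxp://), sorts them by shape into the indicator types named above, and refuses to assign a hash type to a hex string whose length matches no digest. The sample list is constructed here from values quoted on this page; the last entry is the 63-character hash that appears in the PowerShell section, included to show the length check rejecting it instead of silently loading it into a blocklist.

```python
import re
from typing import Dict, List

# Constructed sample: indicator values quoted on this page, in the defanged form feeds usually publish.
# The final entry is the 63-character hash from the PowerShell section; its length matches no digest.
SAMPLE_IOCS = [
    "coockie[.]pro",
    "get-proton-vpn[.]com",
    "83.217.209.88",
    "CVE-2024-37085",
    "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3",
    "5cb3b902ae5993ae4e502f1c29cfb4e0",
    "hxxp://newworld-helloworld[.]icu/update",
    "fad8d0307db532c8b9f283a2cc6f7e4f4333001623fef5bd5c32a1c094bf890",
]

# Digest length decides the hash type, mirroring the FileHash-* indicator types used by OTX
HEX_LENGTH_TO_TYPE = {32: "FileHash-MD5", 40: "FileHash-SHA1", 64: "FileHash-SHA256"}
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Reverse the usual defanging conventions ([.] (.) [:] hxxp) so the value can be loaded into a blocklist."""
    s = ioc.strip()
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(ioc: str) -> str:
    """Return the indicator type of a refanged value, or 'unknown' when it fits none of the shapes."""
    if ioc.lower().startswith(("http://", "https://")):
        return "URL"
    if CVE_RE.match(ioc):
        return "CVE"
    if IPV4_RE.match(ioc):
        return "IPv4"
    if HEX_RE.match(ioc):
        # A hex string of any other length is a malformed hash; do not guess a type for it
        return HEX_LENGTH_TO_TYPE.get(len(ioc), "unknown")
    if DOMAIN_RE.match(ioc):
        return "domain"
    return "unknown"


def build_blocklists(iocs: List[str]) -> Dict[str, List[str]]:
    """Group refanged indicators by type; hashes are lower-cased so they compare cleanly against EDR output."""
    lists: Dict[str, List[str]] = {}
    for raw in iocs:
        value = refang(raw)
        kind = classify(value)
        if kind.startswith("FileHash-"):
            value = value.lower()
        lists.setdefault(kind, []).append(value)
    return lists


if __name__ == "__main__":
    for kind, values in build_blocklists(SAMPLE_IOCS).items():
        print(f"{kind}: {values}")
```

The "unknown" bucket is the part worth keeping in a real pipeline: an indicator that lands there should go back to the analyst who exported the feed, because a truncated hash pushed into an EDR blocklist matches nothing and gives a false sense of coverage.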

Detection Engineering

YAML
---
title: Potential The Gentlemen Ransomware Initial Access via FortiOS Exploitation
id: 5b7a8d9e-1c3f-4a2b-9e8d-1f3c4a2b9e8d
description: Detects potential exploitation of FortiOS vulnerabilities associated with The Gentlemen ransomware group
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6651a7d8c72d0d2c5b6e7f9a
date: 2026/04/19
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: firewall
    # definition belongs inside logsource; the cve field assumes an IPS/IDS signature log that names the CVE
    definition: 'TODO: Set field to appropriate log source'
detection:
    selection:
        cve:
            - 'CVE-2024-37085'
            - 'CVE-2024-55591'
            - 'CVE-2025-32463'
        # Sigma firewall taxonomy field; an exact port match, since startswith on '443' would also match 4430-4439
        dst_port: 443
    filter:
        user_agent|contains:
            - 'fortiOS'
            - 'fortiproxy'
    condition: selection and not filter
falsepositives:
    - Legitimate FortiOS management traffic
level: high

---
title: Suspicious macOS Persistence via LaunchAgents - notnullOSX Detection
id: 7c8b9e0f-2d4e-5b3f-0f9e-2d4e5b3f0f9e
description: Detects potential persistence mechanisms used by notnullOSX stealer on macOS systems
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6651a7d8c72d0d2c5b6e7f9b
date: 2026/04/19
tags:
    - attack.persistence
    - attack.t1543.001
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/launchctl'
            - '/open'
        CommandLine|contains:
            - 'Library/LaunchAgents/'
            - 'Library/LaunchDaemons/'
    selection_file:
        CommandLine|contains:
            - '.plist'
            - '.app/Contents/MacOS/'
    condition: selection and selection_file
falsepositives:
    - Legitimate software installations
level: high

---
title: NWHStealer Fake Proton VPN Download Detection
id: 8d9c0f1e-3e5f-6c4g-1g0f-3e5f6c4g1g0f
description: Detects potential connection to NWHStealer distribution sites impersonating Proton VPN
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6651a7d8c72d0d2c5b6e7f9c
date: 2026/04/19
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: proxy
    definition: 'TODO: Set field to appropriate log source'
detection:
    # A bare c-uri value would require the whole URI to equal the domain, so both
    # selections use modifiers and are combined explicitly in the condition
    selection_domain:
        c-uri|contains:
            - 'get-proton-vpn.com'
            - 'vpn-proton-setup.com'
    selection_payload:
        c-uri|endswith:
            - '.exe'
            - '.msi'
            - '.dmg'
    condition: selection_domain and selection_payload
falsepositives:
    - Legitimate Proton VPN downloads (verify official domain)
level: high


kql
// Hunt for potential Cobra DocGuard compromise - Infostealer.Speagle indicators
// Connections made directly to an IP carry an empty RemoteUrl, so the IP list is matched on RemoteIP
// and the CDGClientDiagnostics endpoint is surfaced as a flag rather than used to drop rows
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("222.222.254.165", "60.30.147.18")
    or RemoteUrl has_any ("222.222.254.165", "60.30.147.18")
| extend SpeagleEndpoint = RemoteUrl contains "CDGClientDiagnostics"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort, SpeagleEndpoint
| order by Timestamp desc

// Hunt for macOS connections to notnullOSX C2 infrastructure
// DeviceNetworkEvents has no platform column; restrict to macOS by joining DeviceInfo on DeviceId
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains "coockie.pro" or RemoteIP == "83.217.209.88"
| join kind=inner (
    DeviceInfo
    | where Timestamp > ago(7d)
    | where OSPlatform == "macOS"
    | distinct DeviceId
) on DeviceId
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

// Hunt for FortiOS exploitation indicators
// Low-fidelity sweep: surfaces processes whose command line names one of the CVEs (scanner or proof-of-concept tooling)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (
    "CVE-2024-37085",
    "CVE-2024-55591",
    "CVE-2025-32463"
)
| project Timestamp, DeviceName, AccountName, ProcessName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc


powershell
# PowerShell IOC Hunt Script for NWHStealer and Infostealer.Speagle
# Requires Administrator privileges

# NWHStealer IOC Hunt. The published hashes are of mixed type (MD5, SHA1, SHA256),
# so the scan below picks the algorithm from the digest length instead of assuming MD5.
$NWHHashes = @(
    "5cb3b902ae5993ae4e502f1c29cfb4e0",                                  # MD5
    "8ef6bcde887786d1a96497fa9aa04fd4e1eb02b0",                          # SHA1
    "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3",  # SHA256
    "e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3"   # SHA256
)

$InfostealerSpeagleHashes = @(
    "03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b",
    "d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877",
    "dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d",
    "fad8d0307db532c8b9f283a2cc6f7e4f4333001623fef5bd5c32a1c094bf890"
)

# Digest length -> Get-FileHash algorithm; an indicator of any other length is reported and skipped
$AlgoByLength = @{ 32 = 'MD5'; 40 = 'SHA1'; 64 = 'SHA256' }
$Algorithms = @()
foreach ($h in ($NWHHashes + $InfostealerSpeagleHashes)) {
    if ($AlgoByLength.ContainsKey($h.Length)) { $Algorithms += $AlgoByLength[$h.Length] }
    else { Write-Warning "Indicator '$h' has an unexpected digest length ($($h.Length)) and will not be matched" }
}
$Algorithms = $Algorithms | Sort-Object -Unique

# Check file system for known malicious hashes. Get-FileHash returns upper-case hex and
# -contains compares case-insensitively, so the lower-case indicators above match as written.
Write-Host "[+] Scanning for NWHStealer and Infostealer.Speagle file hashes..." -ForegroundColor Yellow
Get-ChildItem -Path C:\ -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    foreach ($algo in $Algorithms) {
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
        if (-not $hash) { continue }
        if ($NWHHashes -contains $hash) {
            Write-Host "[!] Found NWHStealer file ($algo): $($file.FullName)" -ForegroundColor Red
        }
        if ($InfostealerSpeagleHashes -contains $hash) {
            Write-Host "[!] Found Infostealer.Speagle file ($algo): $($file.FullName)" -ForegroundColor Red
        }
    }
}

# Check for Cobra DocGuard connections. Cached A records hold the resolved address in Data,
# while Entry is the queried name, so the C2 addresses are matched against Data.
Write-Host "[+] Checking DNS cache for Infostealer.Speagle C2 addresses..." -ForegroundColor Yellow
$SpeagleIPs = @("222.222.254.165", "60.30.147.18")
$DNSCache = Get-DnsClientCache -ErrorAction SilentlyContinue
$maliciousDNS = $DNSCache | Where-Object { $SpeagleIPs -contains $_.Data }
if ($maliciousDNS) {
    Write-Host "[!] Found potentially malicious DNS entries:" -ForegroundColor Red
    $maliciousDNS | Format-Table Entry, Data, Type
}

# Check for scheduled tasks persistence: PowerShell actions whose arguments pull from a URL
Write-Host "[+] Checking scheduled tasks for suspicious persistence..." -ForegroundColor Yellow
$SuspiciousTasks = Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*powershell*" -and $_.Actions.Arguments -like "*http*" }
if ($SuspiciousTasks) {
    Write-Host "[!] Found suspicious scheduled tasks:" -ForegroundColor Red
    $SuspiciousTasks | Format-List TaskName, Actions
}

Response Priorities

Immediate Actions

  • Block all domains and IPs listed in the IOC section at network perimeter and DNS resolvers
  • Deploy EDR signatures for all 24 file hashes across the endpoint fleet
  • Isolate any systems with confirmed malware presence
  • Block access to non-approved HuggingFace Spaces from corporate networks
  • Implement network segmentation to contain potential lateral movement

Within 24 Hours

  • Verify identity of all users who may have accessed fake VPN download sites
  • Reset credentials for any accounts associated with compromised endpoints
  • Review VPN authentication logs for anomalous activity
  • Conduct vulnerability scan for CVE-2024-37085, CVE-2024-55591, and CVE-2025-32463 exposure
  • Analyze network traffic logs for connections to known C2 infrastructure

Within 1 Week

  • Patch all FortiOS/FortiProxy appliances for CVE-2024-55591 and CVE-2025-32463
  • Implement application control policies blocking execution of unsigned binaries
  • Deploy browser extensions to detect credential theft attempts
  • Conduct security awareness training focused on social engineering and fake software distribution
  • Review and harden web-facing applications against initial access vectors

Tags: darkweb, otx-pulse, darkweb-credentials, infostealer, ransomware, fortios-exploits, macos-stealer, the-gentlemen