The latest OTX pulses reveal a converging threat landscape in which credential theft, ransomware-as-a-service (RaaS) and advanced post-exploitation frameworks increasingly rely on supply chain vectors and known vulnerabilities in edge devices.
Key Findings:
- The Gentlemen (RaaS): A sophisticated ransomware group actively exploiting FortiOS/FortiProxy vulnerabilities (CVE-2024-37085, CVE-2024-55591) for initial access. The group employs defense evasion techniques and draws on a database of compromised devices to deploy payloads such as LockBit 5.0, Medusa, and Babuk.
- AdaptixC2 Framework: An emerging open-source post-exploitation framework written in Go and C++ that APT groups are adopting. It supports multi-platform C2 (HTTP/S, DNS, DoH, SMB) with RC4 encryption, which makes detection difficult.
- Infostealer.Speagle: A novel infostealer targeting the Defense and Technology sectors in China and Hong Kong. It hijacks legitimate "Cobra DocGuard" software to exfiltrate sensitive data to attacker-controlled infrastructure, masquerading as standard policy synchronization traffic.
- UNC1945 (LightBasin): A threat actor compromising MSPs to attack the financial sector, leveraging custom VMs and exploiting CVE-2020-14871 (Oracle Solaris) and CVE-2019-0708 (BlueKeep).
- Nexcorium (Mirai Variant): A vulnerability-driven IoT botnet exploiting TBK DVR devices (CVE-2024-3721) to build DDoS botnets across ARM, MIPS, and x86 architectures.
Collectively, these campaigns indicate a shift toward "Living off the Land" (LotL) techniques blended with zero-day exploitation of edge devices and supply chain software to harvest credentials and maintain persistence.
Threat Actor / Malware Profile
The Gentlemen
- Type: Ransomware-as-a-Service (RaaS)
- Distribution: Exploitation of public-facing applications (FortiOS), compromised device databases.
- Payloads: LockBit 5.0, Medusa, Babuk, Vasa Locker.
- C2/Tactics: Data exfiltration prior to encryption; heavy focus on defense evasion.
Infostealer.Speagle
- Type: Supply Chain Infostealer
- Target: Users of Cobra DocGuard software (Defense/Tech sectors).
- Mechanism: Hijacks DocGuard functionality to send harvested data to C2.
- C2 Communication: HTTP traffic to compromised servers mimicking syn_user_policy requests.
AdaptixC2
- Type: Post-Exploitation Framework
- Language: Go and C++.
- Capabilities: BOF (Beacon Object Files) execution, process injection.
- C2 Channels: HTTP/S, TCP, mTLS, DNS, DoH, SMB.
UNC1945 (LightBasin)
- Type: APT / Financial Targeting
- Vector: MSP compromise, custom VM tools.
- Exploits: CVE-2019-0708 (RDP), CVE-2020-14871 (Oracle Solaris).
IOC Analysis
The provided pulses offer a mix of vulnerability indicators and forensic artifacts:
- CVEs: High-priority vulnerabilities in FortiOS (CVE-2024-37085), Oracle Solaris (CVE-2020-14871), and TBK DVRs (CVE-2024-3721). These require immediate patching or network segmentation.
- File Hashes (MD5/SHA1/SHA256): Specific signatures for AdaptixC2 agents, Nexcorium binaries, and Speagle components. These should be loaded into EDR solutions for immediate blocking.
- IPs & URLs: Specific infrastructure used by the Nexcorium botnet (176.65.148.186) and Speagle infostealer (http://222.222.254.165, http://60.30.147.18). These must be blocked at the perimeter.
Operationalization: SOC teams should prioritize the CVEs for vulnerability management and feed the file hashes into EDR quarantine rules. The URLs associated with Speagle are critical detection signatures for supply chain attacks.
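To make the Speagle indicators from this section actionable outside Sentinel or Sysmon, the following Python example (added here; not from the pulses or from Security Arsenal) runs the same logic over a few constructed proxy log lines: it separates hits on the listed C2 addresses from hits on the DocGuard policy-sync URI alone, which legitimate Cobra DocGuard clients also send. The log layout and the sample hostnames are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Speagle indicators quoted in the pulses above.
SPEAGLE_C2_IPS = {"222.222.254.165", "60.30.147.18"}
SPEAGLE_C2_PORTS = {8090, 8091}
SPEAGLE_URI_MARKER = "CDGClientDiagnostics?flag=syn_user_policy"

# Assumed proxy log layout: "<timestamp> <client_ip> <dest_host>:<dest_port> <method> <uri>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<method>\S+) (?P<uri>\S+)$")

# Constructed sample lines (not real traffic): a listed C2 address on a listed port, a sync to an
# internal DocGuard host, a listed C2 address on an unlisted port, and benign noise.
SAMPLE_LOG = """\
2026-04-20T10:01:02Z 10.0.0.15 222.222.254.165:8090 POST /CDGClientDiagnostics?flag=syn_user_policy
2026-04-20T10:02:10Z 10.0.0.22 docguard.corp.example:8090 POST /CDGClientDiagnostics?flag=syn_user_policy
2026-04-20T10:03:44Z 10.0.0.15 60.30.147.18:443 GET /update.bin
2026-04-20T10:04:00Z 10.0.0.31 cdn.example:443 GET /index.html
"""

@dataclass
class Hit:
    ts: str
    src: str
    host: str
    port: int
    verdict: str  # "critical" = known C2 address, "review" = sync URI to an unlisted host
    reason: str

def classify(line: str) -> Optional[Hit]:
    """Return a Hit for a log line matching a Speagle indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, port, uri = m["host"], int(m["port"]), m["uri"]
    if host in SPEAGLE_C2_IPS:
        # A listed C2 address is a block-and-investigate finding on any port; record whether the
        # port also matches the pulse so the analyst sees how much of the pattern lined up.
        note = "listed port" if port in SPEAGLE_C2_PORTS else "unlisted port"
        return Hit(m["ts"], m["src"], host, port, "critical", f"known Speagle C2, {note}")
    if SPEAGLE_URI_MARKER in uri:
        # The stealer hides behind DocGuard's genuine policy-sync request, so the URI alone only
        # justifies verifying who owns the destination, not an automatic block.
        return Hit(m["ts"], m["src"], host, port, "review", "DocGuard sync URI to unlisted host")
    return None

def hunt(log_text: str) -> List[Hit]:
    # Unparseable and benign lines are dropped; only indicator matches are returned.
    return [h for h in map(classify, log_text.splitlines()) if h]
```

Feed real proxy or web-gateway exports through `hunt()` after adjusting `LOG_RE` to the exporter's column order.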
Detection Engineering
Sigma Rules
title: Potential AdaptixC2 Agent Execution
id: 4e8f3a21-1b6c-4d6e-9c5f-3a2b1c9d8e7f
description: Detects potential execution of an AdaptixC2 agent based on characteristics described in the threat intel (Go binaries started with C2 connection arguments).
status: experimental
date: 2026/04/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6604a9e8f2e6f4542345f234
logsource:
    category: process_creation
    product: windows
detection:
    selection_go:
        Image|endswith: '.exe'
        Company|contains: 'Go'
    selection_network:
        CommandLine|contains:
            - '-connect'
            - '-server'
    condition: all of selection_*
falsepositives:
    - Legitimate Go applications accessing network resources
level: high
tags:
    - attack.execution
    - attack.command_and_control
    - adaptixc2
---
title: Speagle Infostealer C2 Communication
id: 5b9g4b32-2c7d-5e7f-0d6g-4b3c2d0e9f8a
description: Detects network connections to known Speagle Infostealer C2 infrastructure, or to the Cobra DocGuard policy-sync URI the stealer masquerades behind.
status: experimental
date: 2026/04/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6604a9e8f2e6f4542345f999
logsource:
    category: network_connection
    product: windows
detection:
    selection_c2:
        # The indicators are IP addresses, so match DestinationIp rather than DestinationHostname
        DestinationIp:
            - '222.222.254.165'
            - '60.30.147.18'
        DestinationPort:
            - 8090
            - 8091
    selection_uri:
        # Only populated by sources that log HTTP request URIs (proxy/EDR); Sysmon EID 3 does not carry it,
        # which is why the two selections are OR'ed instead of AND'ed
        RequestUri|contains: 'CDGClientDiagnostics?flag=syn_user_policy'
    condition: 1 of selection_*
falsepositives:
    - Legitimate Cobra DocGuard policy synchronization (verify IP ownership before blocking)
level: critical
tags:
    - attack.exfiltration
    - attack.command_and_control
    - speagle
---
title: Nexcorium Mirai Variant Botnet Exploitation Attempt
id: 6c0h5c43-3d8e-6f0g-1e7h-5c4d3e0f0a9b
description: Detects exploitation attempts against TBK DVR devices (CVE-2024-3721) associated with the Nexcorium Mirai botnet.
status: experimental
date: 2026/04/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6604a9e8f2e6f4542345f888
logsource:
    category: webserver
    product: apache
detection:
    selection_uri:
        cs-uri-query|contains:
            - '/DVR/config'
            - '/live/channels'
    selection_header:
        cs-user-agent|contains: 'Nexcorium'
    condition: 1 of selection_*
falsepositives:
    - Uncommon
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - nexcorium
    - mirai
KQL (Microsoft Sentinel)
// Query 1: hunt for Speagle Infostealer C2 traffic hiding behind the DocGuard policy-sync URI
DeviceNetworkEvents
| where RemoteUrl has "CDGClientDiagnostics" and RemoteUrl has "flag=syn_user_policy"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessSHA256, RemoteUrl, RemoteIP, RemotePort
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
    by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
// Query 2 (run separately): hunt for the Speagle component hashes from the pulse.
// These are file hashes, so they are matched against SHA256 of files and processes directly,
// not joined against a hash of the URL.
let SpeagleHashes = dynamic([
    "03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b",
    "d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877"
]);
union DeviceFileEvents, DeviceProcessEvents
| where SHA256 in (SpeagleHashes)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256
PowerShell Hunt Script
# IOC Hunter for Gentlemen, Speagle, and AdaptixC2
# Requires Admin Privileges
$TargetHashes = @(
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235", # Gentlemen (SHA256)
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2", # Gentlemen (SHA256)
    "f212fd00d9ffc0f3d868845f7f4215cb",                                 # AdaptixC2 (MD5)
    "89dae116c77b0035277d39dfe01043624427c119ddee8883a3ba54a42a6ae400"  # Nexcorium (SHA256)
)
# Split the list by digest length so each file is compared with the matching algorithm
# (the AdaptixC2 indicator is an MD5 and would never match a SHA256 digest)
$Sha256Targets = $TargetHashes | Where-Object { $_.Length -eq 64 }
$Md5Targets    = $TargetHashes | Where-Object { $_.Length -eq 32 }
Write-Host "[+] Scanning for known malicious file hashes..." -ForegroundColor Cyan
# Scan C:\ drive (adjust as needed); -File skips directories, which Get-FileHash cannot hash
Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0KB -and $_.Length -lt 100MB } |
    ForEach-Object {
        $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $md5    = (Get-FileHash -Path $_.FullName -Algorithm MD5    -ErrorAction SilentlyContinue).Hash
        # -contains is case-insensitive, so the upper-case digests from Get-FileHash match the lower-case IOCs
        if ($Sha256Targets -contains $sha256 -or $Md5Targets -contains $md5) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            Write-Host "    SHA256: $sha256  MD5: $md5" -ForegroundColor Red
        }
    }
# Network Connection Check for Speagle
Write-Host "[+] Checking for active Speagle C2 connections..." -ForegroundColor Cyan
$SpeagleIPs = @("222.222.254.165", "60.30.147.18")
$connections = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $SpeagleIPs -contains $_.RemoteAddress }
if ($connections) {
    foreach ($conn in $connections) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] Suspicious connection detected to $($conn.RemoteAddress):$($conn.RemotePort)" -ForegroundColor Red
        # Use the PID from the connection so the line is still useful if the process has already exited
        Write-Host "    Process: $($proc.ProcessName) (PID: $($conn.OwningProcess))" -ForegroundColor Red
    }
} else {
    Write-Host "[-] No active Speagle C2 connections found." -ForegroundColor Green
}
---
Response Priorities
- Immediate: Block the IOCs listed above, specifically the Speagle C2 IPs (222.222.254.165, 60.30.147.18) and the Nexcorium C2 (176.65.148.186). Initiate hunts for the SHA256 hashes provided in the pulses.
- 24 Hours: Verify identity and session integrity for users in the Defense and Technology sectors who utilize Cobra DocGuard software, as credentials may be compromised via Speagle.
- 1 Week: Conduct a thorough architecture review of all FortiOS/FortiProxy devices to patch CVE-2024-37085 and CVE-2024-55591. Isolate TBK DVR devices and patch CVE-2024-3721 to mitigate the Nexcorium botnet.