
The Gentlemen RaaS, AdaptixC2 Framework & UNC1945 Solaris Attacks: OTX Pulse Analysis

Security Arsenal Team
April 20, 2026
6 min read

OTX Pulse analysis reveals active exploitation of Fortinet by The Gentlemen, AdaptixC2 framework adoption, and UNC1945 targeting finance via MSPs. Urgent patching required.

Threat Summary

Recent intelligence from AlienVault OTX highlights a convergence of sophisticated threat activities targeting enterprise infrastructure. The primary threats include The Gentlemen, a RaaS operation aggressively exploiting FortiOS/FortiProxy vulnerabilities for initial access; the widespread adoption of the AdaptixC2 post-exploitation framework by APT groups due to its cross-platform support and stealthy C2 channels; and UNC1945 (LightBasin), which continues to leverage compromised Managed Service Providers (MSPs) to infiltrate the financial sector. Collectively, these pulses indicate a trend toward exploiting edge devices (Fortinet), leveraging legitimate-but-compromised third-party access (MSPs), and utilizing highly modular, open-source C2 frameworks to evade detection.

Threat Actor / Malware Profile

The Gentlemen (RaaS)

  • Profile: A sophisticated ransomware group operating as a Ransomware-as-a-Service model. They maintain a database of compromised devices to facilitate rapid deployment.
  • Malware Families: Babuk, Babyk, Vasa Locker, Qilin, LockBit 5.0, Medusa.
  • Distribution/TTPs: Exploits public-facing applications, specifically targeting FortiOS and FortiProxy vulnerabilities (e.g., CVE-2024-37085, CVE-2025-32463). They utilize advanced defense evasion techniques and employ a "double-extortion" model involving data exfiltration.

AdaptixC2 (Framework)

  • Profile: An emerging open-source post-exploitation framework written in Go and C++. It is rapidly being adopted by various threat actors for its flexibility.
  • Associated Malware: MgBot, CoolClient, ToneShell, VBShower, VBCloud, PowerShower, CloudAtlas.
  • C2 & Capabilities: Supports extensive modularity via Beacon Object Files (BOFs). C2 channels include HTTP/S, TCP, mTLS, DNS, DoH, and SMB, all utilizing RC4 encryption. It supports Windows, macOS, and Linux.

UNC1945 / LightBasin

  • Profile: A threat actor focused on the telecommunications and financial sectors. They specialize in compromising MSPs to gain third-party access to high-value targets.
  • Malware Families: SLAPSTICK, EVILSUN, LEMONSTICK, STEELCORGI, LOGBLEACH, PUPYRAT, TINYSHELL, OKSOLO, OPENSHACKLE, ROLLCOAST.
  • TTPs: Uses custom virtual machines pre-loaded with post-exploitation tools. Demonstrates advanced capabilities across Oracle Solaris, Windows, and Linux, exploiting zero-days like CVE-2020-14871.

IOC Analysis

The provided pulses consist primarily of file hashes (MD5, SHA1, SHA256) and CVEs.

  • Operationalizing Hashes: SOC teams should immediately load the provided hashes into EDR alerting rules and SIEM correlation engines. The SHA256 hashes are critical for identifying payloads on disk and in memory.
  • CVE Management: The presence of CVE-2024-37085 (ESXi), CVE-2025-32463 (Fortinet - Future/Zero-day context), CVE-2024-55591, and CVE-2020-14871 (Solaris) suggests a focus on infrastructure and virtualization layers. Vulnerability scanners must be configured to flag these specific CVEs for immediate patching.
  • Tooling: Use tools like VirusTotal, HashMyFiles, or native EDR capabilities to hunt for these specific hashes on endpoints.
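Operationalizing the pulse indicators starts with normalizing them: OTX emits hashes in whatever case the submitter used, EDR telemetry may emit either case, and a single malformed entry in a feed turns into a rule that silently never fires. The script below is an added example (not code from the original post or from the OTX SDK) that parses a pulse in the shape of the OTX API's indicators list (type/indicator fields), lower-cases and length-checks each hash by type, deduplicates, separates CVEs for the vulnerability-management queue, and renders a Defender/Sentinel KQL hunt in the same form as the query later in this post. The sample pulse is constructed from hashes and CVEs quoted in the post; the duplicate and the malformed entry are added to exercise the checks.

```python
"""Normalize OTX pulse indicators into per-type lookup sets and a KQL hunt.

Added example, not part of the original post or the OTX SDK. The pulse
structure mirrors the OTX API's ``indicators`` list (``type``/``indicator``);
the sample pulse itself is constructed from values quoted in the post.
"""
import re
from collections import defaultdict

# OTX indicator type names for hashes, mapped to the hex length each must have.
HASH_TYPES = {"FileHash-MD5": 32, "FileHash-SHA1": 40, "FileHash-SHA256": 64}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample pulse: the hashes and CVEs are the ones the post lists;
# the upper-case copy, the duplicate and the malformed entry are deliberate.
SAMPLE_PULSE = {
    "name": "The Gentlemen / AdaptixC2 / UNC1945 (constructed sample)",
    "indicators": [
        {"type": "FileHash-SHA256",
         "indicator": "3AB9575225E00A83A4AC2B534DA5A710BDCF6EB72884944C437B5FBE5C5C9235"},
        {"type": "FileHash-SHA256",
         "indicator": "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"},
        {"type": "FileHash-SHA256",  # duplicate of the entry above
         "indicator": "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"},
        {"type": "FileHash-MD5", "indicator": "adf675ffc1acb357f2d9f1a94e016f52"},
        {"type": "FileHash-MD5", "indicator": "f212fd00d9ffc0f3d868845f7f4215cb"},
        {"type": "FileHash-MD5", "indicator": "not-a-hash"},  # malformed feed entry
        {"type": "CVE", "indicator": "CVE-2024-37085"},
        {"type": "CVE", "indicator": "CVE-2020-14871"},
    ],
}


def normalize_indicators(pulse):
    """Return {'FileHash-SHA256': set, ..., 'CVE': set, 'rejected': list}.

    Hashes are lower-cased and length-checked so a lookup against telemetry
    cannot miss on case, and a typo in the feed is reported, not loaded.
    """
    out = defaultdict(set)
    rejected = []
    for entry in pulse.get("indicators", []):
        itype = entry.get("type")
        value = str(entry.get("indicator", "")).strip()
        if itype in HASH_TYPES:
            value = value.lower()
            if re.fullmatch(r"[0-9a-f]{%d}" % HASH_TYPES[itype], value):
                out[itype].add(value)
            else:
                rejected.append((itype, value))
        elif itype == "CVE" and CVE_RE.match(value.upper()):
            out["CVE"].add(value.upper())
        else:
            rejected.append((itype, value))
    result = dict(out)
    result["rejected"] = rejected
    return result


def build_kql_hash_filter(indicators, table="DeviceProcessEvents", lookback="7d"):
    """Render a Defender/Sentinel KQL hunt in the same shape as the post's query.

    Returns None when the pulse carries no usable hashes, so a caller never
    deploys an empty ``in ()`` clause.
    """
    clauses = []
    for itype, column in (("FileHash-SHA256", "SHA256"),
                          ("FileHash-MD5", "MD5"),
                          ("FileHash-SHA1", "SHA1")):
        values = sorted(indicators.get(itype, ()))
        if values:
            joined = ",\n    ".join('"%s"' % v for v in values)
            clauses.append("%s in (\n    %s\n    )" % (column, joined))
    if not clauses:
        return None
    return ("%s\n| where Timestamp > ago(%s)\n| where %s\n"
            "| project DeviceName, AccountName, FolderPath, ProcessCommandLine, SHA256, MD5"
            % (table, lookback, " or ".join(clauses)))


if __name__ == "__main__":
    norm = normalize_indicators(SAMPLE_PULSE)
    for itype, values in norm.items():
        print(itype, values if itype == "rejected" else len(values))
    print(build_kql_hash_filter(norm))
```

The rejected list is the part worth wiring into a ticket: an indicator that fails validation should be visible to the analyst who loads the feed, because an EDR rule built from a bad hash produces no error, only silence.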

Detection Engineering

Sigma Rules

YAML
---
title: Potential The Gentlemen RaaS Fortinet Exploitation
id: 4b2e1a2f-8c9d-4e5f-9a1b-2c3d4e5f6a7b
description: Detects potential exploitation attempts of FortiOS vulnerabilities associated with The Gentlemen activity, focusing on critical CVEs and administrative access anomalies.
status: experimental
date: 2026/04/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6624e1f2a3b1c4d5e6f7a8b9
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2024.37085
    - cve.2025.32463
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/remote/login'
            - '/api/v2/cmdb/system/admin'
    filter:
        sc-status: 200
    # the filter excludes successful responses, so only failed login/admin attempts are counted
    condition: selection and not filter | count() > 10
falsepositives:
    - Legitimate administrative access from internal network ranges
level: high
---
title: AdaptixC2 Framework Process Execution
id: 5c3f2b3a-9d0e-5f6a-0b2c-3d4e5f6a7b8c
description: Detects execution of known AdaptixC2 associated malware families and suspicious Go binaries behaving like post-exploitation frameworks.
status: experimental
date: 2026/04/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6624e1f2a3b1c4d5e6f7a8c0
tags:
    - attack.execution
    - attack.t1059
    - malware.adaptixc2
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\mgbot.exe'
            - '\coolclient.exe'
            - '\toneshell.exe'
            - '\vbcloud.exe'
    selection_go:
        Image|endswith: '.exe'
        Company|contains: 'Go'
        CommandLine|contains:
            - '-enc'
            - 'rc4'
    condition: 1 of selection*
falsepositives:
    - Legitimate Go applications
level: critical
---
title: UNC1945 LightBasin Custom Tooling
id: 6d4g3h4j-5k6l-7m8n-9o0p-1q2r3s4t5u6v  # not a valid UUID (contains non-hex characters); generate a UUIDv4 before importing into a Sigma toolchain
description: Detects the execution of custom malware tools associated with UNC1945 (LightBasin) targeting Solaris, Windows, and Linux systems within financial sectors.
status: experimental
date: 2026/04/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6624e1f2a3b1c4d5e6f7a8c1
tags:
    - attack.persistence
    - attack.t1543
    - apt.unc1945
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - 'slapstick'
            - 'evilsun'
            - 'lemonstick'
            - 'steelcorgi'
            - 'logbleach'
            - 'pupyrat'
            - 'oksh' # OKSOLO reference
    condition: selection
falsepositives:
    - Unknown
level: critical
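The first rule is the only one of the three with aggregation, and that is where deployment usually goes wrong: the threshold, the filter and the grouping key all change what fires. The script below is an added example (not code from the original post or from the Sigma project) that evaluates that rule's selection, filter and count over constructed web server log lines. It assumes W3C extended log format, maps cs-uri-stem to Sigma's c-uri field, reads the rule's filter as an exclusion (selection and not filter), and adds per-client grouping, which the rule as written does not state; the group_by=None path reproduces the rule's literal ungrouped count.

```python
"""Evaluate the post's first Sigma rule (Fortinet login/admin URI burst) over
constructed web server log lines.

Added example; not code from the original post or from the Sigma project.
Assumptions: W3C extended log format, cs-uri-stem mapped to Sigma's c-uri,
the rule's filter read as an exclusion, and grouping per client IP (the
rule itself does not group).
"""
from collections import Counter

# The rule's selection, filter and threshold, expressed as data.
SELECTION_URI_CONTAINS = ("/remote/login", "/api/v2/cmdb/system/admin")
FILTER_STATUS = "200"
THRESHOLD = 10


def constructed_log():
    """Constructed sample log: one noisy client, one quiet probe, benign traffic."""
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    for i in range(12):  # 12 failed logins from a single client
        lines.append("2026-04-20 10:00:%02d 203.0.113.7 POST /remote/login 403" % i)
    lines.append("2026-04-20 10:00:13 203.0.113.7 POST /remote/login 200")  # then a success
    for i in range(3):   # three admin-API probes, below threshold on their own
        lines.append("2026-04-20 10:01:%02d 198.51.100.4 GET /api/v2/cmdb/system/admin 401" % i)
    for i in range(20):  # benign traffic on a URI the rule does not select
        lines.append("2026-04-20 10:02:%02d 192.0.2.9 GET /remote/info 200" % i)
    return lines


def parse_w3c(lines):
    """Yield one dict per record, keyed by the #Fields header names plus c-uri."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip it rather than abort the hunt
        rec = dict(zip(fields, parts))
        rec["c-uri"] = rec.get("cs-uri-stem", "")  # Sigma's webserver field name
        yield rec


def evaluate_rule(records, group_by="c-ip"):
    """Return {group: count} for every group whose matching events exceed THRESHOLD.

    group_by=None reproduces the rule's literal, ungrouped count() > 10.
    """
    counts = Counter()
    for rec in records:
        selected = any(s in rec["c-uri"] for s in SELECTION_URI_CONTAINS)
        filtered = rec.get("sc-status") == FILTER_STATUS
        if selected and not filtered:
            counts[rec[group_by] if group_by else "*"] += 1
    return {k: v for k, v in counts.items() if v > THRESHOLD}


if __name__ == "__main__":
    print(evaluate_rule(parse_w3c(constructed_log())))        # {'203.0.113.7': 12}
    print(evaluate_rule(parse_w3c(constructed_log()), None))  # {'*': 15}
```

The two outputs show the point: the ungrouped count sums the noisy client and the quiet one to 15 and fires on aggregate traffic, while grouping per client fires only on the host that actually produced the burst. Whichever reading you want, state it explicitly (count() by c-ip in the Sigma aggregation, or the equivalent summarize clause after conversion) rather than leaving it to the backend.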

KQL Hunt Query

KQL — Microsoft Sentinel / Defender
// Hunt for The Gentlemen and UNC1945 File Hashes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2",
    "632be2363c7a13be6d5ce0dca11e387bd0a072cc962b004f0dcf3c1f78982a5a"
    ) or MD5 in (
    "adf675ffc1acb357f2d9f1a94e016f52",
    "f212fd00d9ffc0f3d868845f7f4215cb",
    "6983f7001de10f4d19fc2d794c3eb534",
    "d505533ae75f89f98554765aaf2a330a",
    "2eff2273d423a7ae6c68e3ddd96604bc",
    "0845835e18a3ed4057498250d30a11b1",
    "abaf1d04982449e0f7ee8a34577fe8af"
    )
| project DeviceName, AccountName, FolderPath, ProcessCommandLine, SHA256, MD5

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunt Script for The Gentlemen, AdaptixC2, and UNC1945 Malware Hashes.
.DESCRIPTION
    Scans specific directories for known malicious file hashes associated with recent OTX pulses.
    Computes both SHA256 and MD5 for each file, because the indicator list mixes both algorithms.
#>

$TargetPaths = @("C:\Windows\Temp\", "C:\Users\Public\", "C:\ProgramData\", "$env:USERPROFILE\Downloads\")

# Keys are lowercase hex. Get-FileHash returns uppercase hex, so the lookup below normalises case;
# without that, no file would ever match.
$KnownHashes = @{
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235" = "The Gentlemen Payload"
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2" = "Babuk Variant"
    "f212fd00d9ffc0f3d868845f7f4215cb" = "AdaptixC2 Agent"
    "6983f7001de10f4d19fc2d794c3eb534" = "UNC1945 SLAPSTICK"
    "632be2363c7a13be6d5ce0dca11e387bd0a072cc962b004f0dcf3c1f78982a5a" = "UNC1945 EVILSUN"
}

foreach ($Path in $TargetPaths) {
    if (Test-Path $Path) {
        Write-Host "Scanning $Path..." -ForegroundColor Cyan
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $File = $_
            foreach ($Algorithm in @("SHA256", "MD5")) {
                $Result = Get-FileHash -Path $File.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue
                if ($null -eq $Result) { continue }   # locked or unreadable file: skip, do not abort
                $FileHash = $Result.Hash.ToLowerInvariant()
                if ($KnownHashes.ContainsKey($FileHash)) {
                    Write-Host "[MATCH] Malicious file found: $($File.FullName)" -ForegroundColor Red
                    Write-Host "  Identity: $($KnownHashes[$FileHash]) ($Algorithm)" -ForegroundColor Red
                }
            }
        }
    }
}
Write-Host "Scan Complete."
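The PowerShell script only reaches Windows endpoints, but the UNC1945 tooling in the pulses is built for Oracle Solaris and Linux as well, and those hosts rarely have PowerShell. The script below is an added example (not the original post's script) of the same hunt in Python, which runs on Linux, Solaris and macOS: it reads each file once and derives both MD5 and SHA256 from that single pass, lower-cases feed keys before lookup, skips symlinks and unreadable files instead of aborting, and reports which algorithm matched. The indicator hashes are the ones quoted in the post; the scan roots and the files the demo writes into a temporary directory are constructed for the demonstration.

```python
"""Single-pass MD5/SHA256 file hunt for hosts without PowerShell.

Added example, not the original post's script. KNOWN_HASHES holds the hashes
quoted in the post; demo() writes constructed files to a temp directory and
registers one of them so the hunt has something to find offline.
"""
import hashlib
import os
import tempfile

KNOWN_HASHES = {
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235": "The Gentlemen Payload",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2": "Babuk Variant",
    "f212fd00d9ffc0f3d868845f7f4215cb": "AdaptixC2 Agent",
    "6983f7001de10f4d19fc2d794c3eb534": "UNC1945 SLAPSTICK",
    "632be2363c7a13be6d5ce0dca11e387bd0a072cc962b004f0dcf3c1f78982a5a": "UNC1945 EVILSUN",
}


def hash_file(path, chunk=1 << 20):
    """Return (md5, sha256) as lowercase hex, reading the file exactly once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def hunt(roots, known=KNOWN_HASHES):
    """Walk roots and return [(path, algorithm, label)] for files whose hash is known.

    Feed keys are lower-cased here so an upper-case entry in a feed still matches.
    """
    known = {k.lower(): v for k, v in known.items()}
    matches = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root, onerror=lambda err: None):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path):  # do not follow symlinks out of the scan root
                    continue
                try:
                    md5, sha256 = hash_file(path)
                except OSError:
                    continue  # unreadable or vanished file: skip, do not abort the hunt
                for algorithm, digest in (("SHA256", sha256), ("MD5", md5)):
                    label = known.get(digest)
                    if label:
                        matches.append((path, algorithm, label))
    return matches


def demo():
    """Constructed scenario: two harmless files, one registered under both hashes."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample content, not malware")
        with open(os.path.join(tmp, "other.txt"), "wb") as fh:
            fh.write(b"unrelated constructed file")
        md5, sha256 = hash_file(sample)
        known = dict(KNOWN_HASHES)
        known[sha256.upper()] = "Constructed test indicator"  # upper case on purpose
        known[md5] = "Constructed test indicator"
        return hunt([tmp], known)


if __name__ == "__main__":
    for path, algorithm, label in demo():
        print("[MATCH] %s  %s  %s" % (path, algorithm, label))
```

On a live host, point hunt() at the same kinds of locations the PowerShell script uses (temp, shared and download directories) and feed the normalized hash sets straight in as the known map; hashing every file under / is rarely worth the I/O when the pulse tells you where the payloads land.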

Response Priorities

Immediate (0-24h):

  • Block all IOCs at the perimeter (firewalls, proxies) and endpoints (EDR).
  • Initiate a hunt for the specific file hashes provided in the pulses across all endpoints, focusing on C:\Windows\Temp and user download directories.
  • Isolate any systems returning positive matches for AdaptixC2 or UNC1945 malware signatures.

24h - 48h:

  • Verify identity and access logs for all MSP accounts connected to the network (UNC1945 vector).
  • Audit FortiOS/FortiProxy and VMware ESXi logs for signs of exploitation related to CVE-2024-37085 and CVE-2025-32463.

1 Week:

  • Apply patches for CVE-2024-37085, CVE-2024-55591, and CVE-2020-14871 immediately upon vendor release.
  • Implement network segmentation to restrict lateral movement from internet-facing edge devices (Fortinet) to the internal core.
  • Review and update MSP access controls, enforcing Zero Trust principles for third-party remote access.
