Back to Intelligence

The Gentlemen RaaS & AdaptixC2 Framework: Multi-Platform Extortion — OTX Pulse Analysis

SA
Security Arsenal Team
April 20, 2026
5 min read

Date: 2026-04-21 Intel Source: AlienVault OTX Pulse Aggregation TLP: White

Threat Summary

Recent OTX pulses reveal a convergence between the aggressive The Gentlemen RaaS operation and the emerging AdaptixC2 post-exploitation framework. The Gentlemen actor has rapidly expanded victimology (320+ victims) by exploiting critical vulnerabilities in FortiOS (CVE-2024-55591, CVE-2025-32463) and VMware ESXi (CVE-2024-37085).

The attack chain involves weaponizing public-facing appliances for initial access, deploying SystemBC for covert tunneling, and utilizing AdaptixC2 (specifically modules like MgBot and CoolClient) for modular command-and-control. The ultimate objective is multi-platform data exfiltration and encryption (Windows, Linux, NAS, ESXi) using derivatives of LockBit 5.0, Medusa, and Babuk.

Threat Actor / Malware Profile

The Gentlemen (RaaS)

  • Distribution: Exploitation of CVE-2024-37085 (ESXi), CVE-2024-55591 & CVE-2025-32463 (FortiOS), and compromised credentials.
  • Payload Behavior: Deploy multi-platform lockers. Utilizes SystemBC as a proxy to hide malicious traffic and Cobalt Strike for lateral movement.
  • C2 Communication: SystemBC establishes a SOCKS5 proxy tunnel; traffic often routed through compromised infrastructure.
  • Persistence: Scheduled tasks, service installation, and ESXi persistence mechanisms.
  • Anti-Analysis: Employs defense evasion techniques common to Babuk and LockBit families, including process hollowing and API masquerading.

AdaptixC2 Framework

  • Description: An open-source, modular C2 framework written in Go and C++, increasingly adopted by APT groups.
  • Modules: MgBot, CoolClient, ToneShell, VBShower.
  • C2 Channels: Supports HTTP/S, TCP, mTLS, DNS, DoH, and SMB. Traffic is encrypted using RC4.
  • Capabilities: Process injection, Beacon Object Files (BOFs) execution, and lateral movement.

IOC Analysis

The provided IOCs include File Hashes (MD5, SHA1, SHA256) and CVE Identifiers.

  • File Hashes: Payloads for SystemBC, AdaptixC2 agents, and ransomware encryptors (e.g., 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235).
    • Action: Block execution on endpoints; scan EDR logs for process creation events matching these hashes.
  • CVEs:
    • CVE-2024-37085 (VMware ESXi authentication bypass)
    • CVE-2024-55591 & CVE-2025-32463 (FortiOS SSL-VPN/Proxy vulnerabilities)
    • Action: Immediate patching or vulnerability scanning is required on the perimeter.

Detection Engineering

YAML
---
title: Potential SystemBC Proxy Execution
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects execution patterns associated with SystemBC proxy malware often used by The Gentlemen. Looks for processes establishing proxy connections or specific command line arguments.
status: experimental
date: 2026/04/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6624a5a5e9f0861e3c8b4567
tags:
    - attack.command_and_control
    - attack.proxy
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\systembc.exe'
            - '\sbclient.exe'
    selection_cli:
        CommandLine|contains:
            - '-proxy'
            - '-connect'
            - 'socks'
    condition: 1 of selection
falsepositives:
    - Legitimate proxy software usage
level: high
---
title: AdaptixC2 Framework Module Execution
id: b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e
description: Detects the execution of known AdaptixC2 modules (MgBot, CoolClient) or the main agent process characteristics mentioned in OTX Pulse analysis.
status: experimental
date: 2026/04/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6624a5a5e9f0861e3c8b4568
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|contains:
            - 'mgbot'
            - 'coolclient'
            - 'toneshell'
    selection_cli:
        CommandLine|contains:
            - 'beacon'
            - 'rc4'
            - 'bof'
    condition: 1 of selection
falsepositives:
    - Rare, potential development tools
level: critical
---
title: The Gentlemen Lateral Movement Tools
id: c3d4e5f6-a7b8-6c7d-0e1f-2a3b4c5d6e7f
description: Detects the use of PsExec and AnyDesk, which are frequently used by The Gentlemen affiliates for lateral movement and remote control during ransomware operations.
status: experimental
date: 2026/04/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6624a5a5e9f0861e3c8b4569
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_psexec:
        Image|endswith: '\psexec.exe'
        CommandLine|contains: '\\'
    selection_anydesk:
        Image|endswith: '\anydesk.exe'
        CommandLine|contains: 
            - 'start'
            - 'close'
    condition: 1 of selection
falsepositives:
    - Administrative activity
level: medium


kql
// Hunt for specific SHA256 hashes associated with The Gentlemen and AdaptixC2
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where SHA256 in (
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2",
    "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e"
)
| project Timestamp, DeviceName, FileName, ProcessCommandLine, SHA256, InitiatingProcessFileName
| extend ThreatContext = case(
    SHA256 == "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235", "The Gentlemen/SystemBC Payload",
    SHA256 == "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e", "The Gentlemen/SystemBC Variant",
    "Unknown Threat Hash"
);


powershell
# IOC Hunt Script: The Gentlemen & AdaptixC2
# Checks for the presence of specific file hashes and registry keys associated with SystemBC

function Test-FileHashMatch {
    param (
        [string]$Path,
        [string]$ExpectedHash
    )
    if (-not (Test-Path $Path)) { return $false }
    
    $fileHash = Get-FileHash -Path $Path -Algorithm SHA256 -ErrorAction SilentlyContinue
    return ($fileHash.Hash -eq $ExpectedHash)
}

# Known IOCs from Pulse Data
$targetHashes = @(
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"
)

# Search common execution paths
$pathsToScan = @(
    "$env:TEMP",
    "$env:APPDATA",
    "C:\Windows\Temp",
    "C:\ProgramData"
)

Write-Host "[+] Scanning for The Gentlemen / AdaptixC2 IOCs..."

foreach ($path in $pathsToScan) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($targetHashes -contains $hash) {
                Write-Host "[!] MATCH FOUND: $($_.FullName) | Hash: $hash" -ForegroundColor Red
            }
        }
    }
}

# Check for SystemBC Registry Persistence
$regPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
if (Test-Path $regPath) {
    Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.PSObject.Properties -match "SystemBC" -or $_.PSObject.Properties.Value -match "systembc") {
            Write-Host "[!] SUSPICIOUS PERSISTENCE FOUND IN RUN KEY: $($_.PSObject.Properties)" -ForegroundColor Yellow
        }
    }
}

Response Priorities

  • Immediate:

    • Patch Critical Vulnerabilities: Immediately address CVE-2024-37085 (ESXi), CVE-2024-55591, and CVE-2025-32463 (FortiOS) on all internet-facing assets.
    • Block IOCs: Load the provided SHA256 hashes into EDR blocklists and firewall deny lists.
    • Hunt for SystemBC: Execute the provided PowerShell script across endpoints to identify SystemBC installations or artifacts.

  • 24 Hours:

    • Credential Audit: Since Mimikatz and AnyDesk are used in the attack chain, force a password reset for privileged accounts and review remote access logs for unauthorized AnyDesk sessions.
    • Network Segmentation: Isolate ESXi hosts from the general network to prevent the spread of ransomware via SystemBC tunneling.

  • 1 Week:

    • Architecture Hardening: Implement strict Zero Trust access controls for FortiGate and vCenter/ESXi management interfaces.
    • ESXi Hardening: Disable the SLCP (Service Location Protocol) on ESXi hosts if not required, and review ESXi firewall rules.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptthe-gentlemenransomware-as-a-serviceadaptixc2systembcc2-framework

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action