
The Gentlemen RaaS & AI-Powered Infostealers: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 14, 2026

Recent OTX pulses indicate a convergence of credential theft and ransomware-as-a-service (RaaS) operations heavily leveraging software supply chain compromises. Threat actors are exploiting the trust in developer ecosystems (GitHub, npm) to distribute complex infostealers like LummaStealer, Vidar, and OtterCookie. These initial access vectors often serve as precursors to more severe intrusions, including the deployment of The Gentlemen ransomware via the EtherRAT and TukTuk frameworks. Notably, actors are utilizing AI-generated lure content to enhance social engineering effectiveness and are employing novel techniques such as EtherHiding (using the Ethereum blockchain for C2 configuration). The data reveals a specific focus on technology sectors, developers, and gamers, with initial access frequently achieved through trojanized repositories or malicious package dependencies.

Threat Actor / Malware Profile

1. TroyDen (Lure Factory)

  • Malware: LuaJIT-based infostealers (Redline, LummaStealer).
  • Distribution: GitHub repositories hosting over 300 delivery packages.
  • Lures: AI-generated biological taxonomy and medical terminology targeting developers, Roblox players, and crypto users.
  • Behavior: Two-component payload design; credential theft from browsers and crypto wallets.

2. FAMOUS CHOLLIMA (North Korean)

  • Malware: OtterCookie, BeaverTail, InvisibleFerret.
  • Distribution: Malicious npm packages employing a "two-layer" strategy (benign wrapper pulling malicious dependencies).
  • Behavior: Clones legitimate libraries (e.g., big.js); establishes SSH backdoors; exfiltrates data via Vercel C2.

3. The Gentlemen RaaS

  • Malware: SystemBC, The Gentlemen Ransomware, EtherRAT, TukTuk.
  • Distribution: Initial access via exploits on edge appliances (Fortinet CVE-2024-55591, Cisco CVE-2025-32433) and trojanized Sysinternals tools (MSI installers).
  • Behavior: Uses NTLM relay for credential theft; utilizes Ethereum blockchain for dynamic C2 config (EtherHiding); performs DLL sideloading for persistence.

4. Opportunistic Campaigns (Claude Code Leak)

  • Malware: Vidar, GhostSocks, TradeDownloader.
  • Distribution: Trojanized GitHub repositories posing as leaked Anthropic Claude source code.
  • Behavior: Standard infostealer capabilities (cookies, passwords, wallet data).

IOC Analysis

The provided pulses yield a mix of network and file-based indicators:

  • IPv4 Addresses (TroyDen, GhostSocks): Key C2 infrastructure IPs (e.g., 89.169.12.241, 94.228.161.88). SOC teams should immediately block these at the perimeter and firewall level and retroactively hunt for logs showing connections to these endpoints.
  • File Hashes (MD5, SHA1, SHA256): Prevalent across all pulses, specifically for malicious MSI installers (EtherRAT) and stealers (Vidar, Lumma). These should be integrated into EDR blocking rules and used to scan developer workstations and build servers.
  • CVEs: Critical vulnerabilities in Fortinet (CVE-2024-55591) and Cisco (CVE-2025-32433) edge devices serve as entry points for The Gentlemen. Patch management is the primary mitigation.
  • Domains/URLs: trycloudflare.com tunnels (TukTuk C2) and hardcoded IP URLs in Vidar payloads.

Operationalization: Turning these indicators into detections requires an EDR capable of correlating process execution with network connections (e.g., msiexec.exe reaching out to non-Microsoft IPs). SIEM correlation is needed to link CVE exploitation attempts on edge appliances to the subsequent commodity malware execution.
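The process-to-network correlation described above, as an added example (not the page's or any vendor's tooling): each network event is attributed to the most recent process start with the same PID inside a time window, which also copes with PID reuse, and the pair is then checked against the pulse C2 IPs listed on this page and against a placeholder allow-list of expected destinations. Sample telemetry, the allow-listed ranges (RFC1918 and TEST-NET) and the watched image names are constructed assumptions.

```python
"""Correlate process-creation and network events so that installer/runtime
processes reaching unexpected destinations stand out (the msiexec.exe case in
the text). Added example with constructed sample events; not the page's own
tooling. Expected ranges are placeholders (TEST-NET / RFC1918)."""
from datetime import datetime, timedelta
from typing import Optional
import ipaddress
import ntpath

# Assumption: processes that normally have no business talking to arbitrary Internet hosts
WATCHED_IMAGES = {"msiexec.exe", "node.exe", "powershell.exe"}

# Assumption: destinations the organisation treats as expected for these processes
# (internal mirrors, vendor update CDN). Placeholder values only.
EXPECTED_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]

# C2 addresses taken from the TroyDen / GhostSocks indicator list on this page
IOC_IPS = {"89.169.12.241", "94.228.161.88"}

# A network event is attributed to the newest process start with the same PID inside
# this window; an older process that happened to use the same PID is ignored.
WINDOW = timedelta(minutes=10)

# Constructed sample telemetry (timestamps, PIDs and paths are made up)
PROCESS_EVENTS = [
    {"ts": "2026-05-14T08:00:00", "pid": 5300, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c build"},
    {"ts": "2026-05-14T10:00:00", "pid": 4120, "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec.exe /i SysinternalsSuite.msi /qn"},
    {"ts": "2026-05-14T10:01:00", "pid": 5300, "image": r"C:\Program Files\nodejs\node.exe", "cmd": "node postinstall.js"},
    {"ts": "2026-05-14T10:02:00", "pid": 6000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmd": "chrome.exe"},
]
NETWORK_EVENTS = [
    {"ts": "2026-05-14T10:00:05", "pid": 4120, "remote_ip": "89.169.12.241", "remote_port": 443},
    {"ts": "2026-05-14T10:00:07", "pid": 4120, "remote_ip": "10.5.5.20", "remote_port": 445},
    {"ts": "2026-05-14T10:01:30", "pid": 5300, "remote_ip": "198.51.100.7", "remote_port": 443},
    {"ts": "2026-05-14T10:02:10", "pid": 6000, "remote_ip": "198.51.100.9", "remote_port": 443},
    {"ts": "2026-05-14T10:03:00", "pid": 7000, "remote_ip": "198.51.100.9", "remote_port": 443},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def attribute_process(net_event: dict, process_events: list) -> Optional[dict]:
    """Newest process-creation event with the same PID that started before the
    connection and within WINDOW; None when no process context exists."""
    t = _parse(net_event["ts"])
    candidates = [
        p for p in process_events
        if p["pid"] == net_event["pid"] and t - WINDOW <= _parse(p["ts"]) <= t
    ]
    return max(candidates, key=lambda p: _parse(p["ts"])) if candidates else None


def classify(image: str, remote_ip: str) -> Optional[str]:
    """Alert reason, or None when the connection is unremarkable.
    Known C2 addresses alert regardless of the process; otherwise only watched
    images reaching outside the expected ranges are flagged."""
    if remote_ip in IOC_IPS:
        return "ioc_c2"
    if ntpath.basename(image).lower() not in WATCHED_IMAGES:
        return None
    addr = ipaddress.ip_address(remote_ip)
    if any(addr in net for net in EXPECTED_RANGES):
        return None
    return "unexpected_destination"


def correlate(process_events: list = PROCESS_EVENTS, network_events: list = NETWORK_EVENTS) -> list:
    alerts = []
    for n in network_events:
        proc = attribute_process(n, process_events)
        if proc is None:
            continue  # no process context: leave for a separate orphan-connection hunt
        reason = classify(proc["image"], n["remote_ip"])
        if reason:
            alerts.append({"ts": n["ts"], "pid": n["pid"], "image": proc["image"],
                           "cmd": proc["cmd"], "remote": f"{n['remote_ip']}:{n['remote_port']}",
                           "reason": reason})
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

On the sample data this yields two alerts: msiexec.exe reaching a pulse C2 IP, and node.exe reaching an address outside the expected ranges; the cmd.exe that used PID 5300 two hours earlier is correctly not blamed for node.exe's connection, and the connection from PID 7000 is skipped because no process start is known for it.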

Detection Engineering

```yaml
title: Suspicious PowerShell GitHub Download - AI Lure Factory
description: Detects PowerShell scripts downloading potentially malicious files from GitHub, often associated with AI-generated lure campaigns like TroyDen or Claude Code leaks.
status: experimental
date: 2026/05/14
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6641e5a50d983e42b23d87f8/
tags:
    - attack.initial_access
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_pwsh:
        Image|endswith: '\powershell.exe'
    selection_cmd:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IWR'
            - 'DownloadString'
    selection_github:
        CommandLine|contains:
            - 'github.com'
            - 'raw.githubusercontent.com'
    selection_params:
        CommandLine|contains:
            - 'OutFile'
            - ' -o '   # short form of -OutFile (and curl -o); a bare 'o ' would match almost every command line
            - 'move'
    condition: all of selection_*
falsepositives:
    - Legitimate developer scripts
level: high
---
title: Trojanized Sysinternals or MSI Installer Execution
status: experimental
description: Detects execution of MSI installers with names or behaviors resembling Sysinternals tools, a tactic used by EtherRAT operators to deploy TukTuk and The Gentlemen ransomware.
date: 2026/05/14
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66420bf00d983e42b23d8a78/
tags:
    - attack.defense_evasion
    - attack.initial_access
logsource:
    product: windows
    category: process_creation
detection:
    selection_msi:
        Image|endswith: '\msiexec.exe'
    selection_suspicious:
        CommandLine|contains:
            - '/i'
            - '/package'
    selection_keywords:
        CommandLine|contains:
            - 'Sysinternals'
            - 'psexec'
            - 'autoruns'
    condition: all of selection_*
falsepositives:
    - Legitimate installation of Sysinternals Suite (rarely via MSI)
level: critical
---
title: Npm Process Spawning Shell or Network Tools - OtterCookie
status: experimental
description: Detects npm or node.exe processes spawning cmd, powershell, or making network connections, indicative of malicious npm packages like OtterCookie executing payloads.
date: 2026/05/14
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6643b39c0d983e42b23d8f49/
tags:
    - attack.execution
    - attack.persistence
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith:
            - '\node.exe'
            - '\npm.cmd'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\bash.exe'
            - '\curl.exe'
            - '\wget.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate build scripts
level: medium
```
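A unit-test harness for the three rules above, added here as an example and not part of the page or of any Sigma project tooling. It implements only the subset of Sigma semantics the rules use (`|contains` and `|endswith` modifiers, list values as OR within a selection, `condition: all of selection_*` as AND across selections, case-insensitive string matching) and runs the detection sections against constructed process-creation events. The `-OutFile` short form is written as `' -o '` (a bare `'o '` would match almost every command line). Event paths and command lines are made up.

```python
"""Minimal Sigma-style matcher used to regression-test the three process_creation
rules. Added teaching example; not pySigma or any official Sigma tooling.
Supported: |contains, |endswith, plain equality, list values (OR), and
'all of selection_*' (AND). Matching is case-insensitive, as in Sigma."""
from typing import Any, Dict, List

# Detection sections of the rules above, transcribed as Python dicts.
RULES: Dict[str, dict] = {
    "Suspicious PowerShell GitHub Download - AI Lure Factory": {
        "selection_pwsh": {"Image|endswith": "\\powershell.exe"},
        "selection_cmd": {"CommandLine|contains": ["Invoke-WebRequest", "IWR", "DownloadString"]},
        "selection_github": {"CommandLine|contains": ["github.com", "raw.githubusercontent.com"]},
        "selection_params": {"CommandLine|contains": ["OutFile", " -o ", "move"]},
        "condition": "all of selection_*",
    },
    "Trojanized Sysinternals or MSI Installer Execution": {
        "selection_msi": {"Image|endswith": "\\msiexec.exe"},
        "selection_suspicious": {"CommandLine|contains": ["/i", "/package"]},
        "selection_keywords": {"CommandLine|contains": ["Sysinternals", "psexec", "autoruns"]},
        "condition": "all of selection_*",
    },
    "Npm Process Spawning Shell or Network Tools - OtterCookie": {
        "selection_parent": {"ParentImage|endswith": ["\\node.exe", "\\npm.cmd"]},
        "selection_child": {"Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\bash.exe", "\\curl.exe", "\\wget.exe"]},
        "condition": "all of selection_*",
    },
}

# Constructed sample events: two true positives per rule family, plus benign look-alikes.
SAMPLE_EVENTS: Dict[str, dict] = {
    "e1": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "ParentImage": r"C:\Windows\explorer.exe",
           "CommandLine": r'powershell.exe -NoP -c "Invoke-WebRequest https://raw.githubusercontent.com/org/repo/main/setup.ps1 -OutFile C:\Users\dev\setup.ps1"'},
    "e2": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # fetches from GitHub but writes nothing to disk
           "ParentImage": r"C:\Windows\explorer.exe",
           "CommandLine": 'powershell.exe -c "iwr https://github.com/org/tool/releases/latest"'},
    "e3": {"Image": r"C:\Windows\System32\msiexec.exe",
           "ParentImage": r"C:\Windows\explorer.exe",
           "CommandLine": r"msiexec.exe /i C:\Users\dev\Downloads\SysinternalsSuite.msi /qn"},
    "e4": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "ParentImage": r"C:\Program Files\nodejs\node.exe",
           "CommandLine": "powershell.exe -enc AAAA"},
    "e5": {"Image": r"C:\Program Files\nodejs\node.exe",                            # ordinary build step
           "ParentImage": r"C:\Windows\System32\cmd.exe",
           "CommandLine": "node build.js"},
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _field_matches(event: dict, key: str, value: Any) -> bool:
    """One 'Field|modifier: value(s)' line; any listed value may match (OR)."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for candidate in _as_list(value):
        c = str(candidate).lower()
        if modifier == "endswith" and actual.endswith(c):
            return True
        if modifier == "contains" and c in actual:
            return True
        if modifier == "" and actual == c:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """All fields inside a selection must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event: dict, detection: dict) -> bool:
    """Only 'all of selection_*' is implemented, which is what every rule above uses."""
    if detection.get("condition") != "all of selection_*":
        raise NotImplementedError(detection.get("condition"))
    return all(selection_matches(event, sel)
               for name, sel in detection.items() if name.startswith("selection_"))


def evaluate(events: Dict[str, dict], rules: Dict[str, dict] = RULES) -> Dict[str, List[str]]:
    """Map each event id to the titles of the rules it triggers."""
    return {eid: [title for title, det in rules.items() if rule_matches(ev, det)]
            for eid, ev in events.items()}


if __name__ == "__main__":
    for eid, hits in evaluate(SAMPLE_EVENTS).items():
        print(eid, hits or "-")
```

Keeping such a harness next to the rules lets a tuning change (for example narrowing `'move'` to `'Move-Item'`) be checked against the known-good and known-bad command lines before the rule ships.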


```kql
// Hunt for connections to known TroyDen C2 IPs and GhostSocks infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121", "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118", "147.45.197.92", "94.228.161.88")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemotePort
| extend IOCPulse = "TroyDen / GhostSocks"
```


```powershell
# IOC Hunt Script for The Gentlemen / EtherRAT related hashes
# The indicator list mixes MD5 and SHA256 values, so both digests are computed per file
# (the original MD5-only comparison could never match the SHA256 entries).
$TargetHashes = @(
    "adf675ffc1acb357f2d9f1a94e016f52", # MD5
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235", # SHA256
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2", # SHA256
    "73ce2438d4ed475e03727b7b000d2794", # MD5 (EtherRAT MSI)
    "77fbe265fd65c7f7b6d323fb6de6a4fd", # MD5
    "b188fbc6ff5557767e73e4c883a553a3"  # MD5
) | ForEach-Object { $_.ToLower() }

Write-Host "Scanning for malicious IOCs related to The Gentlemen and Infostealers..."

# Check C:
$Drives = @("C:\")
foreach ($Drive in $Drives) {
    Write-Host "Scanning $Drive - this may take time..."
    Get-ChildItem -Path $Drive -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($Algorithm in @("MD5", "SHA256")) {
            # Get-FileHash returns nothing for locked or unreadable files; guard before touching .Hash
            $Result = Get-FileHash -Path $_.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue
            if ($Result -and ($TargetHashes -contains $Result.Hash.ToLower())) {
                Write-Host "[MATCH] Malicious file found ($Algorithm): $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# Check for Scheduled Tasks related to SystemBC (Common persistence for The Gentlemen)
Write-Host "Checking for Suspicious Scheduled Tasks..."
Get-ScheduledTask |
    Where-Object { $_.Actions.Execute -like "*powershell*" -or $_.Actions.Execute -like "*cmd*" } |
    Select-Object TaskName, TaskPath, @{ Name = "Execute"; Expression = { $_.Actions.Execute } }, @{ Name = "Arguments"; Expression = { $_.Actions.Arguments } } |
    Format-Table -AutoSize
```


Response Priorities

  • Immediate:
      • Block all identified IPv4 C2 indicators at the firewall.
      • Apply patches for CVE-2024-55591 (Fortinet) and CVE-2025-32433 (Cisco) on all edge appliances immediately.
      • Hunt for MSI installers executing in the last 48 hours that do not have valid digital signatures.
  • 24 Hours:
      • Initiate credential resets for developer and service accounts if credential theft (Redline, Vidar, OtterCookie) is suspected.
      • Audit GitHub and npm repositories used by the organization for typosquatting or unauthorized forks (specifically looking for "big.js" variants or AI-lure repositories).
  • 1 Week:
      • Implement strict allow-listing for script execution on build environments and developer workstations.
      • Harden software supply chain pipelines to require package signing and dependency verification.
      • Review perimeter logs for NTLM relay attempts associated with The Gentlemen activity.
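The npm audit item above and the "two-layer" packaging described in the FAMOUS CHOLLIMA profile (a benign-looking wrapper that pulls the malicious dependency) can both be covered by one lockfile check. The following is an added example, not the page's tooling and not npm's own audit: it walks a package-lock.json, flags names within edit distance 1 of a watched library such as big.js, dependencies resolved from outside the public registry, and packages that register install-time scripts, and reports which package pulled each finding in so the wrapper is exposed. The lockfile, the WATCHED list and the single-approved-registry policy are constructed assumptions; `hasInstallScript` and `resolved` are real lockfile v2/v3 fields.

```python
"""Audit a package-lock.json for look-alikes of watched libraries, non-registry
sources and install-time scripts, attributing each finding to the package that
declared it. Added example with a constructed lockfile; not npm's audit."""
import json
from typing import Dict, List

WATCHED = ["big.js", "lodash", "express"]          # assumption: dependencies worth protecting from look-alikes
APPROVED_REGISTRY = "https://registry.npmjs.org/"  # assumption: the only approved package source

# Constructed lockfile (v3 layout): a clean-looking wrapper "helper-utils" pulls in
# "bigjs", a one-character look-alike of big.js fetched from git with an install script.
LOCKFILE_JSON = r"""
{
  "name": "my-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "my-app", "dependencies": {"big.js": "^6.2.1", "helper-utils": "^1.0.0"}},
    "node_modules/big.js": {"version": "6.2.1",
                            "resolved": "https://registry.npmjs.org/big.js/-/big.js-6.2.1.tgz"},
    "node_modules/helper-utils": {"version": "1.0.0",
                                  "resolved": "https://registry.npmjs.org/helper-utils/-/helper-utils-1.0.0.tgz",
                                  "dependencies": {"bigjs": "^1.0.0"}},
    "node_modules/bigjs": {"version": "1.0.0",
                           "resolved": "git+https://example.invalid/attacker/bigjs.git",
                           "hasInstallScript": true}
  }
}
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_name(key: str) -> str:
    # lockfile keys look like "node_modules/foo" or "node_modules/a/node_modules/foo"
    return key.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_json: str = LOCKFILE_JSON) -> List[dict]:
    packages = json.loads(lock_json)["packages"]

    # Reverse map: which packages declare each dependency, so a wrapper that only
    # pulls in a bad package is named alongside the package itself.
    pulled_by: Dict[str, List[str]] = {}
    for key, meta in packages.items():
        parent = package_name(key) if key else "<root>"
        for dep in meta.get("dependencies", {}):
            pulled_by.setdefault(dep, []).append(parent)

    findings = []
    for key, meta in packages.items():
        if not key:
            continue  # the "" entry is the project itself
        name = package_name(key)
        issues = []
        for watched in WATCHED:
            if name != watched and edit_distance(name, watched) <= 1:
                issues.append(f"look-alike of {watched}")
        if not meta.get("resolved", "").startswith(APPROVED_REGISTRY):
            issues.append("non-registry source")
        if meta.get("hasInstallScript"):
            issues.append("install-time script")
        if issues:
            findings.append({"package": name, "version": meta.get("version"),
                             "issues": issues, "pulled_by": pulled_by.get(name, [])})
    return findings


if __name__ == "__main__":
    for f in audit_lockfile():
        print(f"{f['package']}@{f['version']}: {', '.join(f['issues'])} (pulled by {f['pulled_by']})")
```

Run against a real lockfile by passing its contents to `audit_lockfile`; in a CI pipeline a non-empty result is the natural place to fail the build until the dependency is reviewed. Edit distance 1 deliberately ignores scoped or clearly different names, so the WATCHED list rather than a global popularity list keeps the noise manageable.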
