
The Gentlemen RaaS & AI Supply Chain Poisoning: SystemBC, AMOS Stealer, and CVE-2024-55591 Exploitation

Security Arsenal Team
June 12, 2026

Recent OTX pulse data reveals a dual-front threat landscape dominated by the aggressive "The Gentlemen" Ransomware-as-a-Service (RaaS) operation (tracked as Storm-2697) and a rising wave of AI supply chain attacks. The Gentlemen group, having split from the Qilin ecosystem, has rapidly escalated operations using high-speed Go-based ransomware binaries and established tooling like SystemBC for C2 communications and Cobalt Strike for lateral movement. They are actively exploiting CVE-2024-55591 to gain initial access. Simultaneously, threat actors are weaponizing AI development platforms (Hugging Face, OpenClaw), embedding AMOS Stealer and cryptominers within trojanized models and datasets to compromise enterprise environments. This convergence of RaaS agility and supply chain subversion requires immediate defensive pivots.

Threat Actor / Malware Profile

The Gentlemen (Storm-2697)

  • Type: Ransomware-as-a-Service (RaaS) / Extortion.
  • Origins: Emerged mid-2025 following a split from Qilin; linked to Russian-speaking actor 'hastalamuerte'.
  • Tooling: Custom Go-language ransomware binaries (fast encryption), SystemBC (C2/Proxy), Cobalt Strike, AnyDesk (Lateral Movement), PowerRun (UAC Bypass).
  • Modus Operandi: The group utilizes a double-extortion model. Initial access is frequently gained via vulnerabilities (e.g., CVE-2024-55591) followed by disabling AV (KillAV) and establishing persistence through legitimate remote administration tools (AnyDesk) to blend in with normal traffic before deploying the ransomware payload.

AMOS Stealer (AI Supply Chain Vector)

  • Type: Info-stealer / Trojan.
  • Vector: "Poisoning the well" via trojanized AI skills and models on Hugging Face and OpenClaw.
  • Behavior: Once executed via a compromised AI model download, it steals credentials, wallet data, and system information, sending it to C2 servers (e.g., 91.92.242.30).

IOC Analysis

The provided indicators paint a clear picture of the infrastructure supporting these campaigns:

  • File Hashes: A distinct cluster of MD5 and SHA256 hashes corresponds to the Gentlemen ransomware binaries (Go compiled) and associated loaders (e.g., 7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09). Other hashes link to AMOS Stealer payloads (f0a54f2b44e557854b0a5001c4e10185884af945814786f78b86539014f78a16). SOC teams should immediately check these hashes against application allowlists and endpoint logs.
  • Network Infrastructure: The Onion domain tezwsse5czllksjb7cwp65rvnk4oobmzti2nn42i43bjdfd2prqqkad.onion serves as the leak site for The Gentlemen. The IP 91.92.242.30 and domain install.app-distribution.net are delivery nodes for the AI supply chain malware. These must be blocked at the perimeter and proxy level.
  • CVE: The active exploitation of CVE-2024-55591 suggests unpatched Veeam instances are primary entry points. While not a file hash, this vulnerability ID acts as a critical behavioral hunt trigger.

Detection Engineering

Sigma Rules

title: Potential The Gentlemen Ransomware Activity - PowerRun Execution
id: c9a4b5c6-7d8e-4f9a-a1b2-c3d4e5f6a7b8
description: Detects the execution of PowerRun, a tool frequently used by The Gentlemen affiliates to bypass UAC and execute code with SYSTEM privileges.
status: experimental
date: 2026/06/13
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/LBIOC-20260071
tags:
    - attack.privilege_escalation
    - attack.t1548.002
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\PowerRun.exe'
            - '\powerrun.exe'
    condition: selection
falsepositives:
    - Legitimate administration usage
level: high
---
title: SystemBC Proxy/C2 Traffic Pattern
id: b1c2d3e4-f5a6-4b7c-8d9e-0f1a2b3c4d5e
description: Detects potential network traffic patterns associated with SystemBC, a C2/proxy tool used by The Gentlemen and Qilin ransomware actors. SystemBC often uses specific SSL configurations or non-standard ports.
status: experimental
date: 2026/06/13
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/LBIOC-20260071
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 80
            - 443
            - 8080
    filter_legit:
        DestinationHostname|contains:
            - 'microsoft.com'
            - 'windowsupdate.com'
            - 'google.com'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate web browsing
level: medium
---
title: AI Supply Chain Malware Delivery - Suspicious Installer
id: e5f6a7b8-c9d0-4e1f-8a2b-3c4d5e6f7a8b
description: Detects execution of payloads from 'install.app-distribution.net', a domain observed in trojanized AI model attacks delivering AMOS Stealer.
status: experimental
date: 2026/06/13
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66327a73b2e07b76b99054b5
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'install.app-distribution.net'
    condition: selection
falsepositives:
    - Unknown
level: critical

KQL (Microsoft Sentinel)

// Hunt for The Gentlemen IOCs - File Hashes and Network Indicators
let FileHashes = dynamic(["a88daa62751c212b7579a57f1f4ae8f8", "7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09", "4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71", "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944437b5fbe5c5c9235", "f0a54f2b44e557854b0a5001c4e10185884af945814786f78b86539014f78a16"]);
let MaliciousDomains = dynamic(["tezwsse5czllksjb7cwp65rvnk4oobmzti2nn42i43bjdfd2prqqkad.onion", "install.app-distribution.net", "velvet-parrot.com"]);
let MaliciousIPs = dynamic(["91.92.242.30"]);
// 1. Match either the SHA256 or the MD5 column, since the IOC list mixes both hash types
DeviceProcessEvents
| where SHA256 in~ FileHashes or MD5 in~ FileHashes
| project Timestamp, DeviceName, FileName, ProcessCommandLine, FolderPath, SHA256, InitiatingProcessFileName
| union (
    DeviceNetworkEvents
    | where RemoteUrl in~ MaliciousDomains or RemoteIP in~ MaliciousIPs
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
)
| union (
    // Hunt for CVE-2024-55591 exploitation attempts in web logs or proxy logs
    DeviceNetworkEvents
    | where RemotePort == 9398 and ActionType == "NetworkConnectionAccepted" // Veeam default port, broad hunt
    | summarize count() by DeviceName, RemoteIP, InitiatingProcessFileName
)

PowerShell Hunt Script

# The Gentlemen & AMOS Stealer IOC Hunter
# Checks for specific file hashes and malicious network connections

$TargetHashes = @(
    "7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09",
    "4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71",
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944437b5fbe5c5c9235",
    "f0a54f2b44e557854b0a5001c4e10185884af945814786f78b86539014f78a16"
)

$MaliciousDomains = @(
    "tezwsse5czllksjb7cwp65rvnk4oobmzti2nn42i43bjdfd2prqqkad.onion",
    "install.app-distribution.net",
    "velvet-parrot.com"
)

Write-Host "[+] Initiating Hunt for The Gentlemen and AI Supply Chain IOCs..." -ForegroundColor Cyan

# 1. Scan running processes for known malicious hashes
Write-Host "[*] Checking running processes..." -ForegroundColor Yellow
$Processes = Get-Process -IncludeUserName | Select-Object Id, ProcessName, Path, UserName
foreach ($Proc in $Processes) {
    if ($Proc.Path -and (Test-Path $Proc.Path)) {
        $Hash = (Get-FileHash -Path $Proc.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($Hash -in $TargetHashes) {
            Write-Host "[!] ALERT: Malicious process detected! PID: $($Proc.Id) Name: $($Proc.ProcessName) User: $($Proc.UserName)" -ForegroundColor Red
        }
    }
}

# 2. Check for established network connections to malicious domains
Write-Host "[*] Checking active network connections..." -ForegroundColor Yellow
$TCPConnections = Get-NetTCPConnection -State Established | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
foreach ($Conn in $TCPConnections) {
    try {
        $RemoteHostName = [System.Net.Dns]::GetHostEntry($Conn.RemoteAddress).HostName
        foreach ($Domain in $MaliciousDomains) {
            if ($RemoteHostName -like "*$Domain*") {
                $ProcName = (Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue).ProcessName
                Write-Host "[!] ALERT: C2 Traffic Detected to $Domain on PID $($Conn.OwningProcess) ($ProcName)" -ForegroundColor Red
            }
        }
    } catch {
        # DNS resolution failed, ignore
    }
}

Write-Host "[+] Hunt complete." -ForegroundColor Green

Response Priorities

  • Immediate:
    • Block all listed IOCs at the firewall, proxy, and EDR levels.
    • Patch CVE-2024-55591 (Veeam Backup & Replication) immediately across the environment.
    • Isolate any endpoints where The Gentlemen file hashes are detected.
  • 24 Hours:
    • Conduct credential resets for accounts utilized on endpoints flagged for AI model downloads or potential AMOS Stealer infections.
    • Hunt for unsigned Go binaries executed in the last 7 days, particularly those invoking PowerShell or LolBins (Living off the Land Binaries).
    • Review Veeam logs for exploitation attempts of CVE-2024-55591.
  • 1 Week:
    • Implement strict controls on AI model repositories (Hugging Face, OpenClaw). Sandbox all model downloads before execution in dev environments.
    • Review and restrict the use of remote administration tools (AnyDesk, PowerRun) to only approved change management tickets.
    • Enhance EDR policies to detect and block high-frequency file encryption patterns typical of Go-based ransomware.
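The 24-hour hunt for unsigned Go binaries that spawn PowerShell or LolBins can be scripted against Windows Security event 4688. The following is an added example written for this post, not part of the original hunt script; it assumes process-creation auditing is enabled, that the Creator Process Name field is populated (Windows 10 / Server 2016 and later), that the script runs elevated, and that the parent binary still exists on disk. The Go marker strings it searches for are the `Go buildinf:` and `Go build ID:` tags that the Go linker embeds in compiled executables.

```powershell
# Added example: find unsigned Go-compiled parents of LolBin/PowerShell launches in the last N days.
# Source: Security event 4688 (NewProcessName = child, ParentProcessName = creator).
$LolBins = @('powershell.exe','pwsh.exe','cmd.exe','rundll32.exe','regsvr32.exe',
             'mshta.exe','certutil.exe','wscript.exe','cscript.exe','bitsadmin.exe')

# Go executables carry a "Go buildinf:" (Go 1.13+) or "Go build ID:" marker; scan the raw bytes for it.
function Test-GoBinary {
    param([string]$Path)
    try {
        if ((Get-Item $Path).Length -gt 200MB) { return $false }   # skip huge files, assumption: Go droppers are small
        $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
        return ($text.Contains('Go buildinf:') -or $text.Contains('Go build ID:'))
    } catch { return $false }
}

function Find-UnsignedGoLolBinParents {
    param([int]$Days = 7)
    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue
    $seen   = @{}   # cache: parent path -> $true if unsigned Go binary, $false otherwise
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $child  = $d['NewProcessName']
        $parent = $d['ParentProcessName']
        if (-not $child -or -not $parent) { continue }
        if ([System.IO.Path]::GetFileName($child).ToLower() -notin $LolBins) { continue }
        if (-not $seen.ContainsKey($parent)) {
            $seen[$parent] = (Test-Path $parent) -and
                             ((Get-AuthenticodeSignature -FilePath $parent).Status -ne 'Valid') -and
                             (Test-GoBinary $parent)
        }
        if ($seen[$parent]) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                GoParent    = $parent
                Child       = $child
                CommandLine = $d['CommandLine']   # empty unless command-line auditing is enabled
            }
        }
    }
}

# Usage: list every LolBin launch whose parent is an unsigned Go binary, most recent first.
Find-UnsignedGoLolBinParents -Days 7 | Format-Table -AutoSize
```

Signed but revoked or untrusted binaries are also reported, since any signature status other than Valid is treated as unsigned; whitelist known internal Go tooling by path before acting on the output.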
