Threat Summary
Current OTX Pulse data highlights three distinct, high-severity campaigns targeting enterprise infrastructure. The Gentlemen ransomware group is actively exploiting vulnerabilities in FortiOS and FortiProxy (CVE-2023-27532, CVE-2024-37085, CVE-2024-55591, CVE-2025-32463) to gain initial access, and maintains a database of compromised devices to drive deployment. Separately, the Runningcrab threat actor is conducting a sophisticated supply chain attack targeting users of the legitimate security software Cobra DocGuard; its malware, Infostealer.Speagle, hijacks the software's process and exfiltrates data to a compromised command-and-control (C2) server. Finally, LeakNet, a ransomware operator, has pivoted from buying access from initial access brokers to running operations directly: ClickFix social engineering lures deliver a new Deno-based in-memory loader, followed by `jli.dll` side-loading and lateral movement via PsExec.
Threat Actor / Malware Profile
The Gentlemen (RaaS)
- Malware Families: Babuk, Babyk, Vasa Locker, Qilin, LockBit 5.0, Medusa.
- Distribution: Exploitation of public-facing applications (specifically Fortinet gear).
- Behavior: Advanced defense evasion, maintenance of compromised device databases, data exfiltration prior to encryption.
- Persistence: Standard ransomware persistence mechanisms (scheduled tasks, registry run keys).
Infostealer.Speagle (Runningcrab)
- Malware Families: Infostealer.Speagle (associated with PlugX/Korplug variants).
- Distribution: Supply chain compromise via hijacked Cobra DocGuard software updates/installers.
- Behavior: Hijacks legitimate functionality to mask traffic; collects sensitive system information.
- C2 Communication: Transmits stolen data to compromised legitimate servers via a specific URI parameter (`flag=syn_user_policy`).
LeakNet
- Malware Families: Ransomware (payload varies).
- Distribution: "ClickFix" fake browser update campaigns on compromised websites.
- Behavior: Utilizes a Deno-based runtime for in-memory payload execution to avoid disk-based detection.
- Persistence/Lateral Movement: `jli.dll` side-loading and PsExec deployment.
IOC Analysis
The provided IOCs offer a mix of vulnerability identifiers, file hashes, and network infrastructure:
- CVEs (The Gentlemen): CVE-2023-27532, CVE-2024-37085, CVE-2024-55591, CVE-2025-32463.
  - Actionable Intel: These should be immediately cross-referenced with vulnerability scanner data (e.g., Tenable, Qualys) and asset inventory to identify unpatched Fortinet devices.
- File Hashes (The Gentlemen & Speagle): Multiple SHA256 hashes provided for Speagle and Gentlemen payloads.
  - Actionable Intel: Upload to EDR threat feeds to create block-lists. The Speagle hashes (e.g., `03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b`) should be prioritized for scanning on endpoints with Cobra DocGuard installed.
- Network Indicators (Speagle & LeakNet):
  - Speagle: Specific URLs `http://222.222.254.165:8090/...` and `http://60.30.147.18:8091/...`. Note the specific path `/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy`.
  - LeakNet: High-entropy domains (e.g., `okobojirent.com`, `crahdhduf.com`).
  - Actionable Intel: Block these domains and IPs at the perimeter. Use SIEM correlation to hunt for the specific Speagle URL path in proxy logs, as standard domain blocking may miss traffic if the IP changes but the path remains consistent.
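The path-based hunt described above, as an added example that is not part of the original report: it parses Squid-style proxy access-log lines (the log layout is assumed), flags the Speagle beacon path regardless of which host or IP it was sent to, and matches the listed LeakNet domains including their subdomains. The sample log lines are constructed; `203.0.113.7` is a documentation-range placeholder standing in for a C2 IP the report does not list.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the report: the Speagle beacon path and query flag,
# and two of the LeakNet domains.
SPEAGLE_PATH = "/CDGServer3/CDGClientDiagnostics"
SPEAGLE_FLAG = "syn_user_policy"
LEAKNET_DOMAINS = {"okobojirent.com", "crahdhduf.com"}

# Assumed Squid native access-log layout: time elapsed client code/status bytes method url ...
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def classify(url):
    """Return a verdict for one request URL, or None if it matches no indicator."""
    if "://" not in url:            # CONNECT host:port entries carry no scheme
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path == SPEAGLE_PATH:
        flags = parse_qs(parts.query).get("flag", [])
        # Path plus flag is the reported beacon; the path alone is still worth a look,
        # because the host/IP can change while the path stays fixed.
        return "speagle_c2" if SPEAGLE_FLAG in flags else "speagle_path"
    if any(host == d or host.endswith("." + d) for d in LEAKNET_DOMAINS):
        return "leaknet_domain"
    return None

def hunt(lines):
    """Parse proxy log lines and return (timestamp, client, verdict, url) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group("url"))
        if verdict:
            hits.append((m.group("ts"), m.group("client"), verdict, m.group("url")))
    return hits

# Constructed sample log (not real traffic); the second line beacons to an unlisted IP.
SAMPLE_LOG = [
    "1745000001.001 45 10.0.0.5 TCP_MISS/200 512 GET http://222.222.254.165:8090/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy - HIER_DIRECT/222.222.254.165 text/html",
    "1745000002.002 40 10.0.0.5 TCP_MISS/200 498 GET http://203.0.113.7:8090/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy - HIER_DIRECT/203.0.113.7 text/html",
    "1745000003.003 12 10.0.0.9 TCP_TUNNEL/200 3210 CONNECT cdn.okobojirent.com:443 - HIER_DIRECT/198.51.100.4 -",
    "1745000004.004 30 10.0.0.9 TCP_MISS/200 2048 GET http://www.example.com/index.html - HIER_DIRECT/198.51.100.20 text/html",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Feed it a real access log (one line per element) and the second verdict, `speagle_path`, surfaces beacons whose query string was altered but whose path was not.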
Detection Engineering
```yaml
---
title: Potential Deno In-Memory Loader Execution
description: Detects execution of the Deno runtime, used by LeakNet for in-memory payloads.
status: experimental
date: 2026/04/19
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\deno.exe'
    CommandLine|contains:
      - 'eval'
      - 'compile'
  condition: selection
falsepositives:
  - Legitimate developer usage of Deno
level: high
tags:
  - attack.execution
  - attack.t1059.007
---
title: Suspicious Cobra DocGuard C2 Communication
description: Detects network connections to the specific URL pattern used by Infostealer.Speagle.
status: experimental
date: 2026/04/19
author: Security Arsenal
logsource:
  category: proxy
  product: suricata
detection:
  selection:
    # both substrings must be present in the request URI
    request_uri|contains|all:
      - 'CDGClientDiagnostics'
      - 'flag=syn_user_policy'
  condition: selection
falsepositives:
  - Legitimate Cobra DocGuard traffic (verify destination IP)
level: critical
tags:
  - attack.exfiltration
  - attack.command-and-control
---
title: Potential DLL Side-loading via jli.dll
description: Detects processes loading jli.dll from suspicious locations, associated with LeakNet activity.
status: experimental
date: 2026/04/19
author: Security Arsenal
logsource:
  category: image_load
  product: windows
detection:
  selection:
    ImageLoaded|endswith: '\jli.dll'
  filter_legit_java:
    Image|contains:
      - '\Program Files\Java\'
      - '\Program Files (x86)\Java\'
  condition: selection and not filter_legit_java
level: medium
tags:
  - attack.defense_evasion
  - attack.t1574.002
```
```kql
// Hunt for Speagle C2 traffic and Deno execution
// Union of network and process events to correlate potential LeakNet and Speagle activity
let SuspiciousDomains = dynamic(['okobojirent.com', 'mshealthmetrics.com', 'serialmenot.com', 'neremedysoft.com', 'cnoocim.com', 'apiclofront.com', 'crahdhduf.com', 'delhedghogeggs.com']);
DeviceNetworkEvents
// has_any rather than in(): RemoteUrl may carry a subdomain or path, so an exact match would miss it
| where RemoteUrl has 'CDGClientDiagnostics' or RemoteUrl has_any (SuspiciousDomains)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| union (
    DeviceProcessEvents
    | where ProcessVersionInfoCompanyName == 'Deno Land Inc' or FileName =~ 'deno.exe'
    | project Timestamp, DeviceName, FileName, ProcessCommandLine
)
| order by Timestamp desc
```
```powershell
# IOC Hunt Script: Speagle and Gentlemen file hashes plus LeakNet DNS cache entries
$SpeagleHashes = @(
    '03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b',
    'd7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877',
    'dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d',
    'fad8d0307db5328c8b9f283a2cc6f7e4f4333001623fef5bd5c32a1c094bf890'
)
$GentlemenHashes = @(
    '3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235',
    '51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2'
)

# One lookup table so every file is hashed once, not once per indicator
$HashLookup = @{}
$SpeagleHashes   | ForEach-Object { $HashLookup[$_] = 'Speagle' }
$GentlemenHashes | ForEach-Object { $HashLookup[$_] = 'The Gentlemen' }

Write-Host 'Scanning for Speagle and Gentlemen IOC Hashes...'
# Hashing a whole drive is CPU and I/O intensive; restrict $TargetPath to specific paths in production
$TargetPath = 'C:\'
Get-ChildItem -Path $TargetPath -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-FileHash returns uppercase hex; normalise before the lookup
        $fileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($fileHash -and $HashLookup.ContainsKey($fileHash.ToLower())) {
            Write-Host "[ALERT] $($HashLookup[$fileHash.ToLower()]) Malware Found: $($_.FullName)" -ForegroundColor Red
        }
    }

Write-Host 'Checking DNS Cache for LeakNet Domains...'
$LeakNetDomains = @(
    'okobojirent.com', 'mshealthmetrics.com', 'serialmenot.com', 'neremedysoft.com',
    'cnoocim.com', 'apiclofront.com', 'crahdhduf.com', 'delhedghogeggs.com'
)
Get-DnsClientCache | Where-Object {
    # match the domain itself or any subdomain of it
    $entry = $_.Entry.ToLower()
    $LeakNetDomains | Where-Object { $entry -eq $_ -or $entry.EndsWith(".$_") }
} | ForEach-Object {
    Write-Host "[ALERT] Suspicious DNS Entry Found: $($_.Entry) - IP: $($_.Data)" -ForegroundColor Yellow
}
```
Response Priorities
- Immediate:
  - Block all listed IP addresses and domains at the firewall and proxy level.
  - Patch FortiOS/FortiProxy devices against CVE-2024-37085 and CVE-2024-55591 immediately.
  - Scan endpoints for the specific SHA256 hashes associated with Infostealer.Speagle and The Gentlemen payloads.
- 24 Hours:
  - Investigate systems running Cobra DocGuard software for signs of supply chain compromise (process trees, network connections to non-standard IPs).
  - Review web proxy logs for the specific `CDGClientDiagnostics` URI path to identify potential Speagle C2 beaconing.
  - Verify identity and session integrity for users in the Defense and Technology sectors (targets of Runningcrab) to ensure no credentials were stolen.
- 1 Week:
  - Conduct architecture reviews for Fortinet edge devices to ensure strict segmentation and logging are enabled.
  - Implement application control policies to block `deno.exe` execution in user environments unless explicitly approved.
  - Review software supply chain security and update verification processes for third-party security tools.