Executive Summary
Recent OTX pulses reveal a convergence of high-impact threat activities targeting enterprise infrastructure and software supply chains. We are observing the "Gentlemen" ransomware-as-a-service (RaaS) group actively exploiting FortiOS vulnerabilities (CVE-2024-37085, CVE-2025-32463) for initial access and data exfiltration. Simultaneously, the North Korean-aligned "Void Dokkaebi" (WageMole) has evolved into a self-propagating supply chain threat, using fake job interviews to distribute the DEV#POPPER RAT and BeaverTail via poisoned Git repositories.
Parallel to these targeted attacks is a broad "ClickFix" campaign deploying AppleScript-based stealers on macOS to harvest browser sessions and cryptocurrency wallets, alongside the emergence of the AdaptixC2 framework being utilized for post-exploitation. The collective objective across these campaigns is credential theft, financial extortion via ransomware, and the theft of digital assets.
Threat Actor / Malware Profile
The Gentlemen (RaaS)
- Malware Families: Babuk (S0638), Babyk, Vasa Locker, Qilin, LockBit 5.0, Medusa.
- TTPs: Exploits public-facing applications (specifically FortiOS/FortiProxy), maintains a database of compromised devices, and employs advanced defense evasion.
- Objective: Data exfiltration followed by double-extortion ransomware.
Void Dokkaebi (WageMole)
- Malware Families: DEV#POPPER RAT, InvisibleFerret, OtterCookie, OmniStealer, BeaverTail.
- Distribution: Supply chain attack via malicious Git repositories and fake job interviews targeting software developers.
- Mechanism: Uses malicious VS Code task configurations (tasks.json) to execute payloads automatically when a project is opened. Also employs Git history tampering and worm-style propagation.
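As an added example that is not part of this report or its PowerShell hunt script, the Python scanner below parses a workspace tasks.json, including the comments and trailing commas that VS Code tolerates but a plain JSON loader rejects, and flags tasks that either match the same suspicious command patterns the hunt script greps for or are set to run automatically on folder open via runOptions.runOn: "folderOpen" (the VS Code setting behind the auto-execution described above; the report names the behaviour, not the key). The sample tasks file is constructed.

```python
import json
import re

# Constructed sample tasks.json (JSONC, as VS Code accepts it): one normal build task and one wired to fire on folder open.
SAMPLE_TASKS_JSON = r'''{
  // "version" is required by VS Code
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm", "args": ["run", "build"] },
    { "label": "prepare", "type": "shell",
      "command": "powershell -w hidden -e BASE64_PLACEHOLDER",
      "runOptions": { "runOn": "folderOpen" } /* fires when the workspace is opened */ },
  ]
}'''
# Same command patterns the hunt script checks for, plus common downloaders.
SUSPICIOUS = re.compile(r"certutil|powershell.*\s-e(nc|ncodedcommand)?\b|\bIEX\b|\bcurl\b|\bwget\b|bitsadmin", re.I)

def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside strings plus trailing commas so json.loads accepts JSONC."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:            # copy the escaped char so \" does not end the string
                out.append(text[i + 1]); i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True; out.append(c)
        elif text.startswith("//", i):             # line comment: skip to end of line
            j = text.find("\n", i); i = n if j < 0 else j; continue
        elif text.startswith("/*", i):             # block comment: skip past the closing */
            j = text.find("*/", i + 2); i = n if j < 0 else j + 2; continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[\]}])", r"\1", "".join(out))

def audit_tasks(text: str) -> list[dict]:
    """One finding per task that auto-runs on folder open (runOptions.runOn) or matches SUSPICIOUS."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        auto = task.get("runOptions", {}).get("runOn") == "folderOpen"
        hit = bool(SUSPICIOUS.search(cmd))
        if auto or hit:
            findings.append({"label": task.get("label"), "auto_run": auto, "suspicious": hit, "command": cmd})
    return findings
```

Point audit_tasks at the contents of each .vscode/tasks.json found under a user profile; a task that is auto-run but not flagged as suspicious is still worth a manual look, since any command can be placed there.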
ClickFix (macOS Infostealer)
- Platform: macOS (and Windows).
- Distribution: Social engineering via fake CAPTCHA pages.
- Payload: AppleScript-based infostealer targeting 12+ browsers, 200+ extensions, and 16 crypto wallets. Keychains and session cookies are primary targets.
AdaptixC2
- Type: Post-exploitation framework (Open Source).
- Capabilities: Modular BOFs (Beacon Object Files), supports Windows/macOS/Linux. C2 channels include HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption.
IOC Analysis
The provided pulses offer a mix of infrastructure and file-based indicators:
- CVE Identifiers: CVE-2023-27532, CVE-2024-37085, CVE-2024-55591, CVE-2025-32463. These should be prioritized for patch management, specifically for Fortinet and VMware products.
- File Hashes: Multiple MD5, SHA1, and SHA256 hashes associated with The Gentlemen ransomware payloads and the AdaptixC2 agents.
- Network Infrastructure: Void Dokkaebi operates a vast IP infrastructure (e.g., 166.88.4.2, 85.239.62.36) used for C2 and payload delivery. The ClickFix campaign uses specific domains like bull-run.fun and spot-wave.fun.
- Domains: StepDrainer infrastructure (moonscan.live, scanclaw.live) and crypto-draining endpoints.
Operational Guidance: SOC teams should immediately block the listed Void Dokkaebi IPs and ClickFix domains at the perimeter. File hashes should be uploaded to EDR solutions for memory scanning and hunt operations. Vulnerability management must validate patches for CVE-2024-37085 and CVE-2025-32463 on all FortiGate appliances.
Detection Engineering
---
title: Potential VS Code Supply Chain Compromise - Void Dokkaebi
id: 4e8f9a2b-1c3d-4f5e-8b7a-0d9e1f2a3b4c
description: Detects a shell spawned by VS Code whose command line references a workspace tasks.json, a pattern used by Void Dokkaebi to execute malware via poisoned repository task configurations.
status: experimental
date: 2026/04/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6624b1c5f4b3e8d1b1e1e1e1/
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Code.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - '.vscode\tasks.json'
            - '.vscode/tasks.json'
    condition: selection
falsepositives:
    - Legitimate developer build tasks using npm scripts or similar.
level: high
---
title: macOS ClickFix AppleScript Network Connection
id: 5f9g0b3c-2d4e-5g6f-9c8b-1e0f2g3h4i5j
description: Detects the osascript utility establishing network connections, a common behavior in the ClickFix campaign to download stealers or exfiltrate data.
status: experimental
date: 2026/04/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6624b1c5f4b3e8d1b1e1e1e2/
tags:
    - attack.execution
    - attack.collection
    - macos
logsource:
    category: network_connection
    product: macos
detection:
    selection:
        Image|endswith: '/usr/bin/osascript'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate automation scripts requiring network access.
level: medium
---
title: AdaptixC2 Framework Suspicious Process Patterns
id: 6a0h1c4d-3e5f-6h7i-0d9c-2f1g3h4i5j6k
description: Detects potential AdaptixC2 agent activity based on typical process execution patterns involving Go or C++ binaries with network and child process anomalies.
status: experimental
date: 2026/04/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6624b1c5f4b3e8d1b1e1e1e3/
tags:
    - attack.command_and_control
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_go:
        Image|endswith: '.exe'
        Company: ''                      # unsigned / no vendor metadata, typical of Go or C++ agent builds
        CommandLine|contains: '-c2'      # typical flag usage for C2 frameworks
    selection_net:
        CommandLine|contains:
            - 'https://'
            - 'dns://'
    condition: all of selection_*
falsepositives:
    - Unsigned legitimate network tools.
level: high
KQL Hunt Query (Microsoft Sentinel)
// Hunt for Void Dokkaebi C2 IPs and ClickFix/StepDrainer domains in endpoint network telemetry
let IoC_IPs = dynamic(["166.88.4.2", "85.239.62.36", "23.27.20.143", "23.27.202.27", "23.27.120.142", "154.91.0.196", "198.105.127.210", "83.168.68.219", "172.94.9.250"]);
let IoC_Domains = dynamic(["bull-run.fun", "spot-wave.fun", "moonscan.live", "scanclaw.live"]);
DeviceNetworkEvents
| where RemoteIP in (IoC_IPs) or RemoteUrl has_any (IoC_Domains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc
| extend Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')
PowerShell Hunt Script
<#
.SYNOPSIS
    Hunt for Void Dokkaebi artifacts and malicious VS Code tasks.
.DESCRIPTION
    Scans user profiles for .vscode\tasks.json files, flags suspicious command patterns
    inside them, and checks established TCP connections against known C2 IPs.
#>
# Define Void Dokkaebi IP patterns (simplified for script; the KQL query above carries the full list)
$MaliciousIPs = @("166.88.4.2", "85.239.62.36", "23.27.20.143")

# Workspace task files live in <project>\.vscode\tasks.json, so each profile is searched recursively
Write-Host "[+] Scanning for VS Code task configurations..."
$Users = Get-ChildItem -Path "C:\Users\" -Directory
foreach ($User in $Users) {
    $TaskFiles = Get-ChildItem -Path $User.FullName -Recurse -Force -Filter "tasks.json" -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Directory.Name -eq ".vscode" }
    foreach ($TaskFile in $TaskFiles) {
        Write-Host "[!] Found tasks.json at: $($TaskFile.FullName)" -ForegroundColor Yellow
        # Basic keyword check for suspicious commands (e.g., certutil, encoded PowerShell, IEX)
        $Content = Get-Content $TaskFile.FullName -Raw -ErrorAction SilentlyContinue
        if ($Content -match "certutil|powershell.*-e|IEX") {
            Write-Host "[ALERT] Suspicious command pattern detected in $($TaskFile.FullName)" -ForegroundColor Red
        }
    }
}

# Check active network connections for C2 IPs
Write-Host "[+] Checking active network connections..."
$ActiveConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($Conn in $ActiveConnections) {
    $RemoteIP = $Conn.RemoteAddress
    if ($MaliciousIPs -contains $RemoteIP) {
        $Process = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[ALERT] Connection to malicious IP $RemoteIP found via process: $($Process.ProcessName) (PID: $($Process.Id))" -ForegroundColor Red
    }
}
Write-Host "[*] Hunt complete."
Response Priorities
Immediate
- Block IOCs: Implement blocks on perimeter firewalls and proxies for all Void Dokkaebi C2 IPs and ClickFix/StepDrainer domains.
- Hunt for Artifacts: Execute the provided PowerShell script across endpoints to identify compromised VS Code environments and active C2 connections.
24 Hours
- Identity Verification: If credential-stealing malware (BeaverTail/OmniStealer/ClickFix) is suspected, force-reset passwords for developers and privileged users who may have interacted with untrusted repositories.
- FortiOS Audit: Review Fortinet logs for exploitation attempts on CVE-2024-37085 and CVE-2025-32463.
1 Week
- Architecture Hardening: Enforce strict policies for VS Code workspace trust to prevent automatic task execution. Update FortiOS firmware to the latest available version to mitigate RaaS access vectors.