
The Gentlemen RaaS, LeakNet ClickFix, and Runningcrab Supply Chain: OTX Pulse Analysis

Security Arsenal Team
April 19, 2026

Recent OTX pulses indicate a surge in sophisticated adversary activity ranging from Ransomware-as-a-Service (RaaS) operations to targeted supply chain compromises. Three distinct clusters have been identified:

  1. The Gentlemen (RaaS): Active exploitation of FortiOS/FortiProxy and VMware ESXi vulnerabilities (CVE-2024-37085, CVE-2025-32463) to deploy payloads including LockBit 5.0, Babuk, and Medusa. The actor maintains a database of compromised devices to facilitate re-entry and defense evasion.
  2. Runningcrab (APT/Supply Chain): A stealthy campaign utilizing "Infostealer.Speagle" to hijack legitimate security software "Cobra DocGuard". The malware exfiltrates data via compromised infrastructure, masking traffic as legitimate diagnostics. Tooling overlaps with known APT families (PlugX, Sogu, Korplug).
  3. LeakNet (Ransomware): A shift toward "ClickFix" social engineering lures and a novel "Deno"-based in-memory loader for initial access, followed by traditional lateral movement via PsExec and side-loading of jli.dll.

Collectively, these actors demonstrate a trend toward diversifying initial access vectors—moving from pure exploits to supply chain hijacking and social engineering—while standardizing post-exploitation tooling for data theft and encryption.

Threat Actor / Malware Profile

The Gentlemen

  • Type: Ransomware-as-a-Service (RaaS)
  • Malware: Babuk, Babyk, Vasa Locker, Qilin, LockBit 5.0, Medusa.
  • Distribution: Exploitation of public-facing applications, specifically FortiOS/FortiProxy edge devices.
  • TTPs: Maintains a database of compromised devices to facilitate re-entry (persistence) and defense evasion. Exploits CVE-2024-37085 (VMware ESXi) and CVE-2025-32463 (FortiOS).

Runningcrab / Speagle

  • Type: Targeted Infostealer / Supply Chain Attack
  • Malware: Infostealer.Speagle (Primary), PlugX, Sogu, Korplug (Associated).
  • Distribution: Supply chain compromise of Cobra DocGuard software.
  • Behavior: Hijacks the legitimate functionality of Cobra DocGuard to collect sensitive info. Exfiltration occurs over HTTP to IPs hardcoded in the malware, disguised as software diagnostics (flag=syn_user_policy).

LeakNet

  • Type: Ransomware Operator
  • Malware: Custom Deno-based in-memory loader.
  • Distribution: "ClickFix" lures (fake browser update prompts) on compromised websites.
  • TTPs: In-memory execution to avoid disk signatures; jli.dll side-loading; lateral movement using PsExec; data exfiltration via S3 buckets.
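An added host-side check for the jli.dll side-loading TTP listed above (example code, not from the original post or any vendor tooling). It assumes a genuine Java runtime keeps jli.dll in a bin directory beside java.exe or javaw.exe, so a jli.dll sitting next to some other executable is the on-disk layout a side-loading host leaves behind; the directory tree built by demo() is constructed for illustration.

```python
import os
import tempfile

# Launchers a genuine Java runtime keeps beside jli.dll in its bin directory
# (assumption for this check, not a fact taken from the post).
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}

def find_sideload_candidates(root):
    """Walk root and return (path, [exe names]) for every jli.dll not beside a Java launcher.

    A jli.dll dropped next to some other executable, in a directory with no
    java.exe/javaw.exe, is the on-disk layout a side-loading host leaves behind.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        if "jli.dll" not in by_lower:
            continue
        if JAVA_LAUNCHERS & by_lower.keys():
            continue  # expected runtime layout, nothing to report
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        findings.append((os.path.join(dirpath, by_lower["jli.dll"]), exes))
    return findings

def demo():
    """Constructed tree: a normal-looking JDK bin plus a user-profile drop; returns (findings, drop_dir)."""
    base = tempfile.mkdtemp()
    jdk_bin = os.path.join(base, "Java", "jdk-21", "bin")
    drop = os.path.join(base, "AppData", "Roaming", "Updater")
    for d, host_exe in ((jdk_bin, "java.exe"), (drop, "UpdateCheck.exe")):
        os.makedirs(d)
        for name in ("jli.dll", host_exe):
            open(os.path.join(d, name), "wb").close()  # empty placeholder files
    return find_sideload_candidates(base), drop
```

Run it against user-writable roots (profile directories, ProgramData, temp) rather than the whole disk, and review each hit's neighbouring executable and its signer before acting.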

IOC Analysis

The provided intelligence encompasses a variety of indicator types requiring different operational postures:

  • CVEs (CVE-2024-37085, CVE-2025-32463, etc.): These are vulnerability indicators. SOC teams must prioritize patch management and vulnerability scanning of edge infrastructure (FortiGate, ESXi). Tooling: Tenable, Qualys, or FortiScanner.
  • File Hashes (SHA256/MD5/SHA1): Specific payloads for Speagle and The Gentlemen variants. These should be blocked in EDR solutions and used to scan historical file systems. Tooling: CrowdStrike Falcon, Microsoft Defender for Endpoint, Velociraptor.
  • Network Domains: 8 domains associated with LeakNet’s ClickFix infrastructure. These should be added to DNS Sinkholes and Firewall blocklists immediately. Tooling: Palo Alto Firewalls, Cisco Umbrella.
  • URLs/IPs: Specific IP addresses (222.222.254.165, 60.30.147.18) and URI paths (/CDGServer3/CDGClientDiagnostics) used by the Runningcrab Speagle malware. These are critical for Snort/Suricata signatures. Tooling: Zeek, Wireshark.
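As an added example (not code from the original post) of the network hunt these indicators and the 24h network-analysis step call for, the script below scores Zeek-style http.log records in JSON-lines form against the Runningcrab IPs, the /CDGServer3/CDGClientDiagnostics path, the flag=syn_user_policy parameter and the eight LeakNet domains. The sample records, the severity labels and the rule names are constructed here; the page itself describes the diagnostics path as disguise for exfiltration, so a bare path match is scored for review rather than as a confident hit.

```python
import json
from urllib.parse import parse_qs
# Network indicators as written up on this page (Runningcrab/Speagle and LeakNet ClickFix).
RUNNINGCRAB_IPS = {"222.222.254.165", "60.30.147.18"}
RUNNINGCRAB_URI = "/CDGServer3/CDGClientDiagnostics"
LEAKNET_DOMAINS = {"okobojirent.com", "mshealthmetrics.com", "serialmenot.com", "neremedysoft.com",
                   "cnoocim.com", "apiclofront.com", "crahdhduf.com", "delhedghogeggs.com"}

def domain_match(host, domains):
    """True when host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(rec):
    """Score one Zeek-style http.log record (dict); returns (severity, reasons) or None."""
    path, _, query = (rec.get("uri") or "").partition("?")
    reasons = []
    if rec.get("id.resp_h") in RUNNINGCRAB_IPS:
        reasons.append("runningcrab_c2_ip")
    if path.startswith(RUNNINGCRAB_URI):
        reasons.append("speagle_diag_uri")
    if "syn_user_policy" in parse_qs(query).get("flag", []):
        reasons.append("speagle_flag_param")
    if domain_match(rec.get("host"), LEAKNET_DOMAINS):
        reasons.append("leaknet_clickfix_domain")
    if not reasons:
        return None
    # A hardcoded C2 IP, a ClickFix domain, or the full diagnostics-disguised exfil pattern is a
    # confident hit; the bare URI path can be genuine DocGuard traffic and needs scoping first.
    confident = ("runningcrab_c2_ip" in reasons or "leaknet_clickfix_domain" in reasons
                 or {"speagle_diag_uri", "speagle_flag_param"} <= set(reasons))
    return ("high" if confident else "review", reasons)

def hunt(json_lines):
    """Run classify over JSON-lines http log text; returns [(line_no, severity, reasons)]."""
    hits = []
    for n, line in enumerate(json_lines.splitlines(), 1):
        verdict = classify(json.loads(line)) if line.strip() else None
        if verdict:
            hits.append((n, *verdict))
    return hits

# Constructed sample records (not real telemetry): exfil to a hardcoded IP, benign browsing,
# a ClickFix landing page, and an internal DocGuard server that uses the same diagnostics path.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"id.resp_h": "222.222.254.165", "host": "222.222.254.165", "uri": RUNNINGCRAB_URI + "?flag=syn_user_policy&u=ws01"},
    {"id.resp_h": "93.184.216.34", "host": "example.com", "uri": "/index.html"},
    {"id.resp_h": "203.0.113.7", "host": "cdn.okobojirent.com", "uri": "/update/chrome.js"},
    {"id.resp_h": "10.0.0.20", "host": "docguard.corp", "uri": RUNNINGCRAB_URI}])
```

Feed real Zeek JSON output through hunt() (or adapt the field names for a proxy log) and triage the "review" hits by checking which process and which destination the DocGuard client actually talked to.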

Detection Engineering

Sigma Rules

title: Potential Deno Runtime Execution - LeakNet Loader
id: 88c9b1c0-7a9e-4e1a-9f0d-3b1c5d4e6f7a
description: Detects the execution of Deno runtime, which is utilized by LeakNet for in-memory loading of payloads, a deviation from standard enterprise admin tooling.
status: experimental
date: 2026/04/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6624b8d75d7a5c0d0e5f6c7a
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\deno.exe'
            - '\deno'
        CommandLine|contains:
            - 'eval'
            - 'fetch'
    condition: selection
falsepositives:
    - Legitimate developer usage of Deno runtime
level: high
---
title: Suspicious Cobra DocGuard Network Connection - Speagle Infostealer
id: 99d0c2d1-8b0f-5f2b-0e1e-4c2d6e7f0a8b
description: Detects Cobra DocGuard process initiating network connections to non-standard ports or external IPs associated with the Speagle infostealer campaign.
status: experimental
date: 2026/04/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6624b8d75d7a5c0d0e5f6c7b
tags:
    - attack.exfiltration
    - attack.t1041
logsource:
    category: network_connection
    product: windows
detection:
    selection_img:
        Image|contains:
            - 'DocGuard'
            - 'CDGClient'
    selection_port:
        DestinationPort:
            - 8090
            - 8091
    selection_uri:
        DestinationUrl|contains:
            - 'CDGClientDiagnostics'
            - 'flag=syn_user_policy'
    condition: selection_img and (selection_port or selection_uri)
falsepositives:
    - Legitimate updates to Cobra DocGuard software
level: critical
---
title: PsExec Lateral Movement - LeakNet Post-Exploitation
id: 00e1d3e2-9c1g-6g3c-1f2f-5d3e7f0g1b9c
description: Detects the use of PsExec for lateral movement, a consistent post-exploitation technique observed in the LeakNet campaign following initial access via ClickFix.
status: experimental
date: 2026/04/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6624b8d75d7a5c0d0e5f6c7c
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
        CommandLine|contains:
            - '\\\\'   # two literal backslashes (UNC target); '\\' in Sigma is a single escaped backslash
    condition: selection
falsepositives:
    - Administrative IT maintenance tasks
level: medium

KQL (Microsoft Sentinel)

// Hunt for LeakNet Deno Loader Execution
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName has "deno.exe" or ProcessVersionInfoOriginalFileName has "deno"
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine, InitiatingProcessFileName

// Hunt for Runningcrab Speagle C2 Communication
DeviceNetworkEvents
| where Timestamp >= ago(7d)
| where RemotePort in (8090, 8091)
| where RemoteUrl contains "CDGClientDiagnostics" or InitiatingProcessFileName contains "DocGuard"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort

// Hunt for LeakNet ClickFix Domains
DeviceNetworkEvents
| where Timestamp >= ago(7d)
| where RemoteUrl has_any ("okobojirent.com", "mshealthmetrics.com", "serialmenot.com", "neremedysoft.com", "cnoocim.com", "apiclofront.com", "crahdhduf.com", "delhedghogeggs.com")
| summarize count() by DeviceName, RemoteUrl

PowerShell Hunt Script

<#
.SYNOPSIS
    Hunt script for Speagle File Hashes and Runningcrab Network Artifacts.
    Checks for presence of IOCs from the Runningcrab and LeakNet pulses.
#>

$TargetHashes = @(
    "03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b",
    "d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877",
    "dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d",
    "fad8d0307db5328c8b9f283a2cc6f7e4f4333001623fef5bd5c32a1c094bf890",
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"
)

$MaliciousIPs = @(
    "222.222.254.165",
    "60.30.147.18"
)

Write-Host "[*] Scanning for Speagle/Runningcrab File Hashes..." -ForegroundColor Cyan
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $Drives) {
    Get-ChildItem -Path $Drive -Recurse -ErrorAction SilentlyContinue | Where-Object { 
        !$_.PSIsContainer -and $_.Length -gt 0kb -and $_.Length -lt 50mb 
    } | ForEach-Object {
        $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($TargetHashes -contains $Hash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (Hash: $Hash)" -ForegroundColor Red
        }
    }
}

Write-Host "[*] Checking active network connections for Runningcrab C2 IPs..." -ForegroundColor Cyan
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($IP in $MaliciousIPs) {
    $Found = $Connections | Where-Object { $_.RemoteAddress -eq $IP }
    if ($Found) {
        Write-Host "[!] SUSPICIOUS CONNECTION to $IP detected on PID: $($Found.OwningProcess)" -ForegroundColor Red
        Get-Process -Id $Found.OwningProcess | Select-Object ProcessName, Path
    }
}

Write-Host "[*] Hunt Complete."

Response Priorities

Immediate

  • Block IOCs: Add all LeakNet domains and Runningcrab IP addresses to firewall blocklists and secure web gateways.
  • Patch FortiOS: Immediately apply patches for CVE-2024-37085 and CVE-2025-32463 to all FortiGate/FortiProxy devices.
  • Scan for Hashes: Run EDR scans for the SHA256 hashes associated with Infostealer.Speagle and The Gentlemen.

24h

  • Identity Verification: Given the infostealer nature of Speagle and the credential theft capabilities of PlugX/Sogu, conduct a review of privileged account usage and consider forced password resets for accounts on compromised segments.
  • Network Analysis: Hunt for historical connections to the /CDGServer3/CDGClientDiagnostics URI path to identify potential scope of the Runningcrab supply chain compromise.

1 Week

  • Architecture Hardening: Review the necessity of Cobra DocGuard software and restrict its outbound network access to known vendor endpoints only.
  • ClickFix Awareness: Conduct security awareness training specifically regarding "Fake Browser Update" (ClickFix) social engineering lures.
  • Proxy/Edge Security: Implement stricter SSL inspection and anomaly detection on edge proxy devices to detect Deno-based loaders or obfuscated script execution.
