Recent OTX pulses highlight a convergence of sophisticated Ransomware-as-a-Service (RaaS) operations, broad-spectrum infostealing campaigns, and the adoption of advanced post-exploitation frameworks by APT groups.
Key intelligence identifies The Gentlemen ransomware group actively exploiting FortiOS vulnerabilities (CVE-2024-37085, CVE-2025-32463) to deploy payloads including Babuk and LockBit 5.0. Simultaneously, a macOS ClickFix campaign is utilizing fake CAPTCHA pages to distribute AppleScript-based stealers targeting cryptocurrency wallets and browser data. Finally, the AdaptixC2 framework—associated with threat actors like CloudAtlas—is seeing increased adoption for its modular capabilities and encrypted C2 channels (DNS, DoH, SMB).
The collective objective spans financial extortion (The Gentlemen), credential and asset theft (ClickFix), and persistent stealthy access (AdaptixC2).
Threat Actor / Malware Profile
The Gentlemen (RaaS)
- Distribution: Primarily exploits vulnerabilities in public-facing applications, specifically FortiOS and FortiProxy devices. The group maintains a database of compromised devices to facilitate re-entry.
- Payload Behavior: Utilizes a suite of ransomware families including Babuk (Babyk), Vasa Locker, Qilin, LockBit 5.0, and Medusa.
- TTPs: Employs advanced defense evasion techniques. Initial access is often gained through unpatched CVEs (CVE-2024-37085, CVE-2023-27532).
macOS ClickFix (Infostealer)
- Distribution: Social engineering via "ClickFix" fake CAPTCHA pages, tricking users into running terminal commands.
- Payload Behavior: AppleScript-based infostealer capable of harvesting keychain databases, credentials, and session cookies.
- Scope: Targets 12 specific browsers, over 200 browser extensions, and 16 cryptocurrency wallets.
AdaptixC2 (Post-Exploitation Framework)
- Actors: Linked to campaigns involving MgBot, CoolClient, ToneShell, and CloudAtlas.
- Capabilities: Written in Go and C++; supports Windows, macOS, and Linux. Uses Beacon Object Files (BOFs) for modularity.
- C2 Communication: Supports HTTP/S, TCP, mTLS, DNS, DoH, and SMB pipes with RC4 encryption.
IOC Analysis
The provided indicators offer immediate value for network defense and host hunting:
- Network Infrastructure:
  - IP: 172.94.9.250 (Voxility LLP, DE), identified as C2 for the ClickFix campaign.
  - Domains: bull-run.fun, spot-wave.fun, used for payload delivery and C2.
- File Hashes: Multiple MD5, SHA1, and SHA256 hashes provided for the Gentlemen payloads, ClickFix stealers, and AdaptixC2 agents. These should be blocked in EDR solutions and used to scan historical logs.
- CVEs:
- CVE-2024-37085: VMware ESXi authentication bypass (often used in conjunction with ransomware).
- CVE-2025-32463: Fortinet vulnerability.
- CVE-2024-55591: Fortinet vulnerability.
Operational Guidance: SOC teams should immediately ingest the domains and IPs into firewall blocklists. The file hashes should be used to run retrospective hunts in EDR (Endpoint Detection and Response) to identify potential dormant infections or "patient zero" events from the last 30 days.
Detection Engineering
Detection strategies focus on the specific execution patterns of the AppleScript stealer, the process names associated with AdaptixC2, and the ransomware payloads.
```yaml
title: Potential macOS ClickFix AppleScript Execution
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
description: Detects execution of osascript often used in ClickFix campaigns to steal browser data and keychains.
status: experimental
references:
  - https://www.netskope.com/blog/macos-clickfix-campaign-applescript-stealers-new-terminal-protections
author: Security Arsenal
date: 2026/04/21
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    Image|endswith: '/osascript'
    CommandLine|contains:
      - 'AppleScript'
      - 'keystore'
      - 'chrome'
  condition: selection
falsepositives:
  - Legitimate administration tasks
level: high
---
title: AdaptixC2 / MgBot Process Execution
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
description: Detects execution of processes associated with the AdaptixC2 framework or related malware like MgBot and VBShower.
status: experimental
references:
  - https://securelist.com/tr/adaptixc2-network-and-host-detection/119424/
author: Security Arsenal
date: 2026/04/21
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\MgBot.exe'
      - '\CoolClient.exe'
      - '\ToneShell.exe'
      - '\VBShower.exe'
      - '\VBCloud.exe'
  condition: selection
falsepositives:
  - Unknown
level: critical
---
title: The Gentlemen Ransomware Activity
id: c3d4e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
description: Detects potential activity of The Gentlemen ransomware group via known process names or specific payload hashes.
status: experimental
references:
  - https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/
author: Security Arsenal
date: 2026/04/21
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\vasa.exe'
      - '\medusa.exe'
      - '\babyk.exe'
  selection_hash:
    sha256|contains:
      - '3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235'
      - '51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2'
  condition: 1 of selection*
falsepositives:
  - Unknown
level: critical
```
```kql
// Hunt for ClickFix and AdaptixC2 Network Indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("bull-run.fun", "spot-wave.fun")
    or RemoteIP == "172.94.9.250"
| extend Info = pack("RemoteUrl", RemoteUrl, "RemoteIP", RemoteIP, "InitiatingProcess", InitiatingProcessFileName)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, Info
```
```powershell
# IOC Hunt Script for AdaptixC2 and Gentlemen Hashes
# The list mixes SHA256 and MD5 values from the IOC section, so both algorithms are computed per file;
# hashing only SHA256 would never match the MD5 entry.
$TargetHashes = @(
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2",
    "f212fd00d9ffc0f3d868845f7f4215cb"
)
# -IncludeUserName requires an elevated session
$Processes = Get-Process -IncludeUserName -ErrorAction SilentlyContinue
foreach ($Proc in $Processes) {
    $FilePath = $Proc.Path
    if ($FilePath -and (Test-Path $FilePath)) {
        foreach ($Algorithm in @('SHA256', 'MD5')) {
            $FileHash = (Get-FileHash -Path $FilePath -Algorithm $Algorithm -ErrorAction SilentlyContinue).Hash
            # -contains compares case-insensitively, so the upper-case hex from Get-FileHash matches the list
            if ($FileHash -and ($TargetHashes -contains $FileHash)) {
                Write-Host "[MATCH] Malicious Process Found: $($Proc.ProcessName) (Path: $FilePath) User: $($Proc.UserName) [$Algorithm]" -ForegroundColor Red
            }
        }
    }
}
# Check for network connections to known bad IPs (Requires Admin)
$TargetIPs = @("172.94.9.250")
$TCPConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($Conn in $TCPConnections) {
    $RemoteIP = ($Conn.RemoteAddress).ToString()
    if ($TargetIPs -contains $RemoteIP) {
        $OwningProcess = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[MATCH] C2 Connection Detected to $RemoteIP owned by process: $($OwningProcess.ProcessName) PID: $($Conn.OwningProcess)" -ForegroundColor Yellow
    }
}
```
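To make the matching semantics of the Sigma rules above concrete (fields inside one selection are ANDed, a list value is any-of, and the Gentlemen rule's `1 of selection*` fires when either named selection matches), here is a small evaluator run over constructed process-creation events. This is an added example, not code from the page or from Security Arsenal; the event records are constructed, and the evaluator only implements the `endswith` and `contains` modifiers that these rules use.

```python
from fnmatch import fnmatch
# Detection sections transcribed from the ClickFix and Gentlemen rules above.
RULES = {
    "clickfix": {
        "selection": {"Image|endswith": "/osascript",
                      "CommandLine|contains": ["AppleScript", "keystore", "chrome"]},
        "condition": "selection"},
    "gentlemen": {
        "selection_img": {"Image|endswith": ["\\vasa.exe", "\\medusa.exe", "\\babyk.exe"]},
        "selection_hash": {"sha256|contains": [
            "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
            "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"]},
        "condition": "1 of selection*"},
}

def field_matches(event, key, wanted):
    """One field test: Sigma strings match case-insensitively; a list value is any-of."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for w in ([wanted] if isinstance(wanted, str) else wanted):
        w = w.lower()
        if (modifier == "endswith" and value.endswith(w)) or \
           (modifier == "contains" and w in value) or (modifier == "" and value == w):
            return True
    return False

def selection_matches(event, selection):
    # Fields inside one selection are ANDed together.
    return all(field_matches(event, k, v) for k, v in selection.items())

def evaluate(detection, event):
    cond = detection["condition"]
    sels = {k: v for k, v in detection.items() if k != "condition"}
    if cond.startswith("1 of "):  # any selection whose name fits the glob after "1 of "
        return any(selection_matches(event, s) for n, s in sels.items() if fnmatch(n, cond[5:]))
    return selection_matches(event, sels[cond])

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/osascript", "CommandLine": "osascript -e 'tell application \"Google Chrome\" to ...'"},
    {"Image": "/usr/bin/osascript", "CommandLine": "osascript -e 'display dialog \"Hello\"'"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\babyk.exe", "sha256": "0000"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "sha256": "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235"},
]

def hunt(events=SAMPLE_EVENTS):
    """Return (event index, rule name) for every event that triggers a rule."""
    return [(i, name) for i, e in enumerate(events)
            for name, det in RULES.items() if evaluate(det, e)]
```

The second osascript event shows the benign case the rule's false-positive note refers to: osascript alone does not fire, only osascript with one of the listed keywords on its command line.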
Response Priorities
- Immediate:
  - Block network indicators 172.94.9.250, bull-run.fun, spot-wave.fun on firewalls and proxies.
  - Initiate a hunt for the SHA256 file hashes provided in the IOC Analysis section across all endpoints.
- 24 Hours:
  - If macOS ClickFix infection is suspected, force-reset passwords for sensitive accounts (crypto wallets, email) and audit browser extension logs on macOS devices.
  - Review VPN and remote access logs for signs of FortiOS exploitation (The Gentlemen vector).
- 1 Week:
  - Patch Management: Prioritize patching for CVE-2024-37085, CVE-2025-32463, and CVE-2024-55591 on all Fortinet and VMware infrastructure.
  - Implement stricter application allowlisting for osascript on macOS endpoints to prevent ClickFix execution.