Recent OTX pulses indicate a convergence of credential theft and ransomware operations exploiting supply chain vectors and AI-generated lures. Key adversaries include TroyDen, FAMOUS CHOLLIMA (North Korean-linked), and the The Gentlemen RaaS group.
The attack landscape is defined by:
- Supply Chain Compromise: Malicious packages on npm (OtterCookie) and GitHub repositories (LuaJIT-based loaders) targeting developers and crypto users.
- AI-Enhanced Social Engineering: The use of AI-generated biological taxonomy to lure victims in the TroyDen campaign.
- RaaS Evolution: The Gentlemen group leveraging leaked internal data and NTLM relay attacks on edge appliances (Fortinet/Cisco) to deploy SystemBC and ransomware.
- Opportunistic Exploitation: Abuse of the "Claude Code" leak to distribute Vidar and GhostSocks via trojanized repositories.
Collectively, these campaigns aim to harvest credentials for initial access, facilitate lateral movement via tools like NetExec and TukTuk, and ultimately exfiltrate data or encrypt endpoints for extortion.
Threat Actor / Malware Profile
| Actor / Malware | Description & Behavior |
|---|---|
| TroyDen | Distribution: GitHub repositories with AI-generated lure names. Payload: LuaJIT-based loaders delivering Redline and LummaStealer. Technique: Two-component payload design using Prometheus obfuscator. |
| FAMOUS CHOLLIMA | Distribution: Malicious npm packages (e.g., variants of OtterCookie) using benign wrappers to hide malicious dependencies. Payload: OtterCookie, BeaverTail, InvisibleFerret. Objective: Credential theft and SSH backdoor establishment. |
| The Gentlemen | Distribution: Exploits CVE-2024-55591 & CVE-2025-32433 on Fortinet/Cisco; Malicious MSI installers. Payload: SystemBC (C2/Proxy), The Gentlemen Ransomware. Technique: NTLM relay, Kerberoasting, and credential logging from leaked DBs. |
| EtherRAT / TukTuk | Vector: Disguised as Sysinternals tools via MSI. C2: Uses EtherHiding (Ethereum blockchain) for dynamic configuration updates. Behavior: Reconnaissance followed by DLL sideloading. |
IOC Analysis
The provided indicators reveal a multi-faceted infrastructure:
- IPv4 Addresses: A cluster of IPs (e.g.,
89.169.12.241,213.176.73.80) serve as C2 nodes for TroyDen operations. Immediate blocking is required. - CVEs:
CVE-2024-55591,CVE-2025-32433, andCVE-2025-55182are critical for perimeter hardening against The Gentlemen and TukTuk initial access. - File Hashes: Numerous MD5 and SHA256 hashes correspond to malicious MSI installers (disguised Sysinternals tools) and payloads (Vidar, GhostSocks).
- Operationalization: SOC teams should ingest hashes into EDR. The CVEs require immediate patch management verification. Network traffic to the listed IPs and domains (
g8way.io) must be blocked.
Detection Engineering
YAML
title: Suspicious Sysinternals MSI Installer Execution
id: 8a1c2b3c-4d5e-6f7g-8h9i-0j1k2l3m4n5o
status: experimental
description: Detects execution of MSI installers that drop Sysinternals tools or binaries in temp folders, indicative of EtherRAT or TukTuk campaigns disguising malware as legitimate utilities.
references:
- https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/
author: Security Arsenal
date: 2026/05/15
tags:
- attack.defense_evasion
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection_msi:
Image|endswith: '\msiexec.exe'
selection_suspicious_child:
Image|contains:
- '\Temp\'
- '\AppData\Local\Temp\'
Image|endswith:
- '.exe'
- '.dll'
condition: selection_msi and selection_suspicious_child
falsepositives:
- Legitimate software installers updating in temp directories
level: high
---
title: LuaJIT Interpreter Execution via GitHub Delivery
id: 9b2c3d4e-5f6g-7h8i-9j0k-1l2m3n4o5p6q
status: experimental
description: Detects execution of LuaJIT interpreters often used by Redline and Lumma stealers distributed via GitHub AI-generated lures.
references:
- https://www.netskope.com/blog/openclaw-trap-ai-assisted-lure-factory-targets-developers-gamers
author: Security Arsenal
date: 2026/05/15
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\luajit.exe'
- '\wluajit.exe'
- '\lua51.dll'
selection_context:
CommandLine|contains:
- 'github'
- 'C:\Users\Public\'
- '\Downloads\'
condition: selection_img and selection_context
falsepositives:
- Legitimate developer usage of Lua
level: medium
---
title: SystemBC Proxy C2 Pattern
id: 0c3d4e5f-6g7h-8i9j-0k1l-2m3n4o5p6q7r
status: experimental
description: Detects command line patterns associated with SystemBC malware often used by The Gentlemen group for C2 communication.
references:
- https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
author: Security Arsenal
date: 2026/05/15
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- 'proxy'
- 'socks'
- '-enc' # Base64 encoded commands often used for C2 setup
condition: selection
falsepositives:
- Legitimate admin proxy configuration
level: medium
kql
// Hunt for The Gentlemen C2 Infrastructure and Malicious Installers
let IOCIps = dynamic(["89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121", "94.156.154.6"]);
let IOCDomains = dynamic(["g8way.io", "rti.cargomanbd.com"]);
let IOCHashes = dynamic(["73ce2438d4ed475e03727b7b000d2794", "77fbe265fd65c7f7b6d323fb6de6a4fd", "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf"]);
// Network Connections to C2
DeviceNetworkEvents
| where RemoteIP in (IOCIps) or RemoteUrl in (IOCDomains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, InitiatingProcessCommandLine
| union (
// File Execution of Known Malicious Hashes
DeviceProcessEvents
| where SHA256 in (IOCHashes) or MD5 in (IOCHashes)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, SHA256
)
powershell
# Hunt Script for The Gentlemen and TroyDen Artifacts
# Checks for file hashes and suspicious process relationships
$MaliciousHashes = @(
"73ce2438d4ed475e03727b7b000d2794", "77fbe265fd65c7f7b6d323fb6de6a4fd",
"b188fbc6ff5557767e73e4c883a553a3", "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf"
)
Write-Host "[+] Hunting for The Gentlemen/TroyDen Artifacts..." -ForegroundColor Cyan
# Check Processes
Get-Process | Where-Object { $_.Path -ne $null } | ForEach-Object {
$filePath = $_.Path
if (Test-Path $filePath) {
$fileHash = (Get-FileHash -Path $filePath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
if ($MaliciousHashes -contains $fileHash) {
Write-Host "[!] ALERT: Malicious process running: $filePath (Hash: $fileHash)" -ForegroundColor Red
}
}
}
# Check for LuaJIT in User Directories
$userDirs = @("C:\Users\Public", "C:\Users")
Get-ChildItem -Path $userDirs -Filter "luajit.exe" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
Write-Host "[!] SUSPICIOUS: LuaJIT found in user dir: $($_.FullName)" -ForegroundColor Yellow
}
Write-Host "[+] Hunt complete."
# Response Priorities
* **Immediate**:
* Block all listed IPv4 addresses and domains (`g8way.io`, etc.) at the firewall/proxy.
* Scan endpoints for the provided file hashes (MD5/SHA256).
* Isolate any systems exhibiting signs of NTLM relay attacks or suspicious MSI activity.
* **24 Hours**:
* Audit credentials for accounts with access to Fortinet and Cisco appliances (check for exposure in The Gentlemen leaks).
* Review GitHub and npm repositories used by development teams for unauthorized or "AI-named" packages.
* Hunt for `msiexec.exe` spawning processes from Temp directories.
* **1 Week**:
* Apply patches for CVE-2024-55591, CVE-2025-32433, and CVE-2025-55182.
* Implement strict allow-listing for npm packages and GitHub repository access.
* Update EDR policies to flag unsigned executables posing as Sysinternals tools.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-credentialsinfostealerransomware-as-a-servicesupply-chain-attackai-generated-lurescve-exploitation
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.