Back to Intelligence

The Gentlemen RaaS, Webworm APT, & AI Impersonation Infostealers: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
May 22, 2026
5 min read

Recent OTX Pulse data highlights a convergence of high-threat activity spanning financially motivated ransomware, state-sponsored espionage, and developer-focused supply chain attacks. The Gentlemen RaaS operation has accelerated, claiming over 400 victims through aggressive defense evasion tactics. Simultaneously, the China-aligned Webworm APT has shifted focus to European government and education sectors, utilizing novel "living-off-the-land" cloud services like Discord and Microsoft Graph API for C2. Separately, a massive SEO poisoning campaign is targeting developers in the US and UK by impersonating legitimate AI tools (Gemini, Claude) to deliver infostealers. These disparate campaigns share a reliance on PowerShell, scheduled tasks, and trusted cloud infrastructure to bypass traditional perimeter defenses.

Threat Actor / Malware Profile

The Gentlemen (RaaS)

  • Type: Ransomware-as-a-Service (Qilin/BabyMeteoric variant).
  • Distribution: Phishing, initial access brokers.
  • Payload Behavior: Encrypts files, utilizes tools like MpTamperBulkExcl to bypass AV.
  • Persistence: Creates Scheduled Tasks to maintain access.
  • Defense Evasion: Explicitly clears Security, System, and Application Event Logs (wevtutil cl) to hinder forensics. Disables Microsoft Defender.

Webworm (China-aligned APT)

  • Type: State-sponsored Espionage.
  • Malware: EchoCreep, GraphWorm.
  • C2 Communication: EchoCreep uses Discord for command and control; GraphWorm leverages Microsoft Graph API.
  • Targeting: Government and Education sectors in Europe (Belgium, Czechia, Hungary, Italy, etc.).
  • Techniques: GitHub staging, proxy tools (WormFrp), WormSockets.

SEO Poisoning Actors (Unknown)

  • Type: eCrime / Credential Theft.
  • Targeting: Software Developers / Technology sector.
  • Method: Typosquatting and SEO poisoning to fake domains for "Gemini CLI", "Claude Code", "Node.js".
  • Payload: Fileless PowerShell scripts delivering infostealers.

IOC Analysis

The provided indicators cover multiple vectors of compromise:

  • IPv4 (193.233.202.17, 77.110.122.137): Hard C2 infrastructure associated with The Gentlemen ransomware. These should be blocked immediately at the firewall and proxy level.
  • Domains (gemini-setup.com, claude-setup.com): Typosquatted domains used in the developer-targeted campaign. While chocolatey.net is listed as a sample, it is likely a legitimate domain referenced in context or spoofed; SOC teams should verify DNS traffic for these specific fraudulent lookalikes.
  • File Hashes (SHA1/SHA256): Samples of EchoCreep, GraphWorm, and the AI-themed infostealers. These can be loaded into EDR solutions for memory scanning and disk hunts.
  • CVEs (CVE-2024-55591, CVE-2017-7692): Vulnerabilities exploited for initial access or privilege escalation.

Operational Guidance: SOC teams should import these IOCs into their SIEM for correlation. Focus heavily on network egress logs connecting to Discord IP ranges from non-workstation devices (servers) and DNS queries for the fake AI domains.

Detection Engineering

Sigma Rules

YAML
---
title: Potential The Gentlemen Ransomware Defense Evasion - Log Clearing
id: 4c8b6d12-1c5a-4a5f-9b8c-1d2e3f4a5b6c
description: Detects attempts to clear Security, System, or Application event logs, a tactic observed in The Gentlemen RaaS incidents.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66522a13f2b9e7d6e3a8b9c7
tags:
    - attack.defense_evasion
    - attack.t1070.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\wevtutil.exe'
        CommandLine|contains:
            - 'cl Security'
            - 'cl System'
            - 'cl Application'
    condition: selection
falsepositives:
    - Administrator maintenance
level: high
---
title: Webworm APT - Discord C2 Traffic via PowerShell
date: 2026/05/22
id: 5d9c7e23-2d6b-5b6g-0c9d-2e3f4a5b6c7d
description: Detects PowerShell processes initiating network connections to Discord endpoints, indicative of EchoCreep malware C2.
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66522b24f3c0e8d7f4b9c0d8
tags:
    - attack.command_and_control
    - attack.t1102.001
logsource:
    product: windows
    category: network_connection
detection:
    selection_img:
        Initiated: 'true'
        Image|endswith: '\powershell.exe'
    selection_dest:
        DestinationHostname|contains: 'discord.com'
    condition: all of selection_*
falsepositives:
    - Legitimate developer use of Discord APIs
level: medium
---
title: AI Impersonation - PowerShell Download from Typosquatted Domains
id: 6e0d8f34-3e7c-6c7h-1d0e-3f4a5b6c7d8e
date: 2026/05/22
description: Detects PowerShell downloading payloads from domains mimicking legitimate AI tools (Gemini, Claude).
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66522c35g4d1f9e8g5c0d1e9
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_pwsh:
        Image|endswith: '\powershell.exe'
    selection_flags:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IEX'
            - 'DownloadString'
    selection_domains:
        CommandLine|contains:
            - 'gemini-setup.com'
            - 'claude-setup.com'
    condition: all of selection_*
falsepositives:
    - Unknown
level: critical

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Webworm Discord C2 and SEO Poisoning domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("discord.com", "gemini-setup.com", "claude-setup.com") 
       or RemoteIP in ("193.233.202.17", "77.110.122.137")
| extend FullProcess = InitiatingProcessFileName, CommandLine = InitiatingProcessCommandLine
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, FullProcess, CommandLine
| where not(FullProcess in ~("chrome.exe", "msedge.exe", "firefox.exe")) and RemoteUrl has "discord"
| summarize count() by DeviceName, RemoteUrl, FullProcess

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt for The Gentlemen persistence and Webworm artifacts.
.DESCRIPTION
    Checks for Scheduled Tasks created by attackers and suspicious network connections.
#>

# Check for Scheduled Tasks created recently (last 7 days) that run PowerShell or Cmd
$schtasks =schtasks /query /fo LIST /v
Write-Host "Checking for recently created suspicious Scheduled Tasks..."

Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | 
ForEach-Object {
    $task = $_
    $action = $task.Actions.Execute
    if ($action -match "powershell" -or $action -match "cmd") {
        Write-Host "[!] Suspicious Task Found: $($task.TaskName)" -ForegroundColor Yellow
        Write-Host "    Action: $action"
        Write-Host "    Args: $($task.Actions.Arguments)"
    }
}

# Check for the specific file hashes (The Gentlemen)
$targetHashes = @(
    "f918535f974591ef031bd0f30a8171e3da27a6754e6426a8ba095f83195661c8",
    "9c87e8162b39fbb773c416006b16f8e34aca53372d1b2d4a584df0ffc69ad333"
)

Write-Host "\nScanning for malware hashes..."
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($targetHashes -contains $hash) {
        Write-Host "[!] MALWARE DETECTED: $($_.FullName)" -ForegroundColor Red
    }
}

Response Priorities

  • Immediate: Block the IP addresses 193.233.202.17 and 77.110.122.137 at the perimeter. Block DNS resolution for gemini-setup.com and claude-setup.com. Search endpoints for the SHA256 hashes provided in the IOC list.
  • 24h: Initiate credential reset for developer accounts who may have been targeted by the SEO poisoning campaign. Review authentication logs for anomalous access linked to the Webworm targeting set (Gov/Edu).
  • 1 week: Harden the environment against PowerShell-based attacks by enforcing constrained language mode or strict script signing policies. Review allow-lists for AI developer tools to prevent typosquatting success. Audit logs for evidence of event log clearing (wevtutil) to identify potential dormant RaaS activity.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwaregentlemen-ransomwarewebworm-aptseo-poisoningdiscord-c2infostealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action