
UAT-8616, Interlock & The Gentlemen: Cisco Edge Exploitation, Sliver C2, and PlasmaLoader OTX Pulse Analysis

Security Arsenal Team
May 19, 2026
6 min read

Excerpt

Active exploitation of Cisco SD-WAN & FMC zero-days by UAT-8616 & Interlock; Sliver C2, Godzilla webshells, and SystemBC detected. Urgent patching required.

Threat Summary

Recent OTX pulses indicate a coordinated surge in attacks targeting network edge infrastructure, specifically Cisco appliances. The threat landscape is dominated by three distinct but operationally similar clusters: the APT-style actor UAT-8616, the Interlock Ransomware Group, and the RaaS operation The Gentlemen.

Collectively, these actors are exploiting critical authentication bypass and deserialization vulnerabilities (CVE-2026-20128, CVE-2026-20133, CVE-2026-20131, CVE-2024-55591) to gain initial access. The attack chain consistently moves from exploitation to webshell deployment (Godzilla, Behinder, XenShell), followed by the loading of sophisticated C2 frameworks (Sliver, AdaptixC2) or proxy tools (SystemBC). Objectives range from cryptocurrency mining (XMRig) and credential harvesting to full-scale ransomware deployment via PlasmaLoader.

Threat Actor / Malware Profile

UAT-8616

  • Profile: Sophisticated threat actor focusing on network infrastructure compromise.
  • Distribution: Exploits CVE-2026-20128 and CVE-2026-20133 in Cisco Catalyst SD-WAN Manager/Controller.
  • Payloads: Deploys webshells (Godzilla, Behinder, XenShell) for persistence, followed by Sliver and AdaptixC2 implants.
  • Objectives: Establish long-term C2, lateral movement, and deployment of XMRig for resource monetization.

Interlock Ransomware Group

  • Profile: Ransomware-as-a-Service (RaaS) operator utilizing the "Ghost" series malware.
  • Distribution: Exploits zero-day CVE-2026-20131 in Cisco Firepower Management Center (FMC).
  • Payloads: GHOSTKNIFE, GHOSTSABER, GHOSTBLADE, and PlasmaLoader.
  • Objectives: Data exfiltration and encryption for extortion.

The Gentlemen

  • Profile: RaaS administrator whose internal database was leaked, revealing operational TTPs.
  • Distribution: Initial access via Fortinet and Cisco edge appliance exploits (CVE-2024-55591, CVE-2025-32433) and NTLM relay attacks.
  • Payloads: SystemBC (a proxy/socks5 tool) for traffic tunneling.
  • Objectives: Credential theft (NTLM relay) and facilitating access for affiliate operators.

IOC Analysis

The provided indicators consist of File Hashes (MD5, SHA1, SHA256), CVEs, and IPv4 addresses.

  • File Hashes: Multiple payloads associated with Sliver, XMRig, and SystemBC were identified. The list mixes MD5, SHA1, and SHA256 values, so any hunt must compute the algorithm that matches each indicator rather than comparing SHA256 alone. SOC teams should immediately scan endpoints for these hashes, bearing in mind that a rebuilt or repacked sample will not match.
  • IPv4: Indicator 176.65.139.31 is a confirmed C2 node associated with UAT-8616 and should be blocked at the perimeter.
  • CVEs: The critical CVEs (2026-20128, 2026-20133, 2026-20131, 2024-55591) represent the primary attack vector. While CVEs are not "indicators" in the traditional sense, they are critical signatures for vulnerability scanners.
  • Operationalization: Load hashes into EDR custom-indicator or watchlist features. Block IP 176.65.139.31 on firewalls and secure web gateways, and search historical proxy and firewall logs for earlier connections to it, since the block only stops future traffic.
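
Before the indicators go into blocklists and watchlists they should be typed and validated, because a feed that mixes MD5, SHA1, SHA256, IPv4 and CVE strings is easy to load wrongly (a SHA256-only hash search silently ignores the MD5 and SHA1 entries, and a private address copied into a perimeter blocklist breaks the network rather than the attacker). The following is an added example, not code from the original page: it classifies each indicator by shape, lower-cases hashes, rejects non-global addresses, and deduplicates. The hash, IP and CVE values are the ones listed in this report; the private address and the truncated hash are constructed bad input.

```python
"""Classify and validate pulse indicators before loading them into perimeter
blocklists and EDR hash watchlists.  Added example, not code from the original
page.  The hash, IP and CVE values are the ones listed in this report; the two
entries marked constructed are deliberately bad input."""
import ipaddress
import re
from collections import defaultdict

# Hash family is determined by hex length: 32 = MD5, 40 = SHA1, 64 = SHA256.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def classify(raw):
    """Return (kind, normalized value); kind is None for junk input."""
    value = raw.strip()
    if CVE_RE.match(value):
        return "cve", value.upper()
    lowered = value.lower()
    if len(lowered) in HASH_LENGTHS and HEX_RE.match(lowered):
        return HASH_LENGTHS[len(lowered)], lowered
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None, raw
    if not ip.is_global:
        # Private, loopback or reserved space in a feed is a copy error,
        # never a C2 node; blocking it would break the network, not the attacker.
        return None, raw
    return f"ipv{ip.version}", str(ip)


def normalize(indicators):
    """Group indicators by kind, deduplicated and sorted; collect rejects."""
    grouped = defaultdict(set)
    rejected = []
    for raw in indicators:
        kind, value = classify(raw)
        if kind is None:
            rejected.append(raw)
        else:
            grouped[kind].add(value)
    return {kind: sorted(values) for kind, values in grouped.items()}, rejected


PULSE_IOCS = [
    "176.65.139.31",
    "CVE-2026-20128", "CVE-2026-20133", "CVE-2026-20131", "CVE-2024-55591",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "D75CB9920D1D3D280518DDCCFE4789D2",           # MD5 from the report, upper-cased to show normalization
    "18821dbb53892d6faa14b1f063517a0302057290",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",  # duplicate, collapsed
    "10.0.0.5",                                   # constructed: private address, rejected
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c923",   # constructed: truncated hash, rejected
]

if __name__ == "__main__":
    grouped, rejected = normalize(PULSE_IOCS)
    for kind, values in grouped.items():
        print(f"{kind:7} {len(values)} -> {', '.join(values)}")
    print("rejected:", rejected)
```

Each output bucket maps to one control: the md5/sha1/sha256 lists go to the EDR with their algorithm, the ipv4 list to the firewall and proxy, and the cve list to the vulnerability scanner; anything in the rejected list is reviewed by hand rather than pushed anywhere.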

Detection Engineering

Sigma Rules

YAML
title: Potential UAT-8616 Sliver C2 Implant Activity
id: 4c2f7b3d-1a9e-4b5c-9e8d-1f2a3b4c5d6e
description: Detects execution of Sliver C2 tooling by its default binary names and by server-side implant generation flags, as used by UAT-8616 after webshell deployment. Implants are generated with operator-chosen file names, so the image-name selection only catches unrenamed tooling; treat this rule as a tripwire and pair it with network detections for the beacon traffic itself.
status: experimental
date: 2026/05/20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/...
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - \sliver.exe
            - \sliver-client.exe
    selection_cli:
        CommandLine|contains:
            - 'generate --mtls'
            - 'http-profile'
    condition: selection_img or selection_cli
falsepositives:
    - Legitimate security testing or administrator usage of Sliver
level: high

---
title: Godzilla or Behinder Webshell File Creation
id: 5d3e8c4e-2b0f-5c6d-0f9e-2a3b4c5d6e7f
description: Detects the creation of JSP/ASPX files whose names are associated with Godzilla or Behinder webshells observed in UAT-8616 campaigns. Cisco SD-WAN Manager and FMC are Linux-based appliances, so this Windows file_event rule covers follow-on webshell drops on Windows web servers inside the environment, not the edge appliance itself; adapt the logsource for Linux hosts.
status: experimental
date: 2026/05/20
author: Security Arsenal
references:
    - https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: file_event
    product: windows
detection:
    selection_extension:
        TargetFilename|endswith:
            - '.jsp'
            - '.jspx'
            - '.asp'
            - '.aspx'
    selection_keywords:
        TargetFilename|contains:
            - 'shell.jsp'
            - 'behinder'
            - 'godzilla'
    condition: all of selection_*
falsepositives:
    - Legitimate application deployment (rarely uses these specific file names)
level: critical

---
title: SystemBC Proxy Installation - The Gentlemen
id: 6e4f9d5f-3c1a-6d7e-1a0f-3b4c5d6e7f8a
description: Detects execution of SystemBC, the SOCKS5 proxy tool used by The Gentlemen to tunnel traffic after credential theft. SystemBC samples typically carry their C2 configuration embedded in the binary rather than on the command line, so selection_cli is a heuristic for hands-on proxy usage and the image names only catch unrenamed samples.
status: experimental
date: 2026/05/20
author: Security Arsenal
references:
    - https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
tags:
    - attack.command_and_control
    - attack.t1090.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - \systembc.exe
            - \sbclient.exe
    selection_cli:
        CommandLine|contains:
            - '-socks'
            - '-proxy'
            - '127.0.0.1:1080'
    condition: 1 of selection_*
falsepositives:
    - Legitimate SOCKS or proxy clients (ssh -D, curl --socks5, proxy-aware package managers) pass similar flags or use the default 127.0.0.1:1080 listener; tune selection_cli to the environment
level: high
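
A "1 of selection_*" condition fires on any single keyword, so the CommandLine keyword lists alone decide how noisy a rule is. The added example below (not code from the original page, nor from the Sigma project or any vendor) implements the image-name and command-line selections of the Sliver and SystemBC rules, adds a bare 'connect' keyword selection to show why such generic terms must not stand alone, and scores the any-selection condition against tighter ones over constructed process events. Every path, command line and the 203.0.113.5 address are made up for illustration; the one renamed implant shows the coverage gap that name-based matching leaves regardless of condition.

```python
"""Evaluate Sigma-style selections from the Sliver and SystemBC rules over
constructed process_creation events and score candidate conditions.
Added example, not code from the original page; all events are constructed."""
from collections import Counter

# Selections as name -> (field, modifier, values).  selection_network is the
# kind of generic keyword list that must never be allowed to fire on its own.
SLIVER_RULE = {
    "selection_img": ("Image", "endswith", ["\\sliver.exe", "\\sliver-client.exe"]),
    "selection_cli": ("CommandLine", "contains", ["generate --mtls", "http-profile"]),
    "selection_network": ("CommandLine", "contains", ["connect", " beacon"]),
}
SYSTEMBC_RULE = {
    "selection_img": ("Image", "endswith", ["\\systembc.exe", "\\sbclient.exe"]),
    "selection_cli": ("CommandLine", "contains", ["-socks", "-proxy", "127.0.0.1:1080"]),
}


def matched_selections(rule, event):
    """Names of the selections that match the event.  Sigma string matching
    is case-insensitive, so both sides are lower-cased first."""
    hits = set()
    for name, (field, modifier, values) in rule.items():
        actual = str(event.get(field, "")).lower()
        for value in values:
            value = value.lower()
            if (modifier == "endswith" and actual.endswith(value)) or (
                modifier == "contains" and value in actual
            ):
                hits.add(name)
                break
    return hits


# Candidate conditions, expressed over the set of matched selection names.
def any_selection(hits):            # 1 of selection_*
    return bool(hits)


def image_or_cli(hits):             # Sliver: image name or the generate flags
    return "selection_img" in hits or "selection_cli" in hits


def image_only(hits):               # SystemBC: proxy flags are too generic alone
    return "selection_img" in hits


def score(rule, family, condition, events):
    """tp/fp/fn Counter for one rule and condition over labelled events."""
    tally = Counter()
    for event in events:
        fired = condition(matched_selections(rule, event))
        truth = event["family"] == family
        if fired and truth:
            tally["tp"] += 1
        elif fired:
            tally["fp"] += 1
        elif truth:
            tally["fn"] += 1
    return tally


# Constructed events; "family" is the ground truth, None means benign.
EVENTS = [
    {"Image": "C:\\Users\\Public\\sliver.exe", "CommandLine": "sliver.exe", "family": "sliver"},
    {"Image": "C:\\Tools\\sliver-server.exe",
     "CommandLine": "sliver-server generate --mtls 203.0.113.5 --os windows", "family": "sliver"},
    {"Image": "C:\\ProgramData\\svchost32.exe", "CommandLine": "svchost32.exe", "family": "sliver"},  # renamed implant
    {"Image": "C:\\ProgramData\\sbclient.exe", "CommandLine": "sbclient.exe -socks", "family": "systembc"},
    {"Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh wlan connect name=CorpWiFi", "family": None},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Command Connect-ExchangeOnline", "family": None},
    {"Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl --socks5 127.0.0.1:1080 https://intranet.example", "family": None},
    {"Image": "C:\\Program Files\\nodejs\\npm.cmd",
     "CommandLine": "npm config set https-proxy http://proxy.corp:8080", "family": None},
]

if __name__ == "__main__":
    for label, rule, family, conds in (
        ("Sliver", SLIVER_RULE, "sliver", (any_selection, image_or_cli)),
        ("SystemBC", SYSTEMBC_RULE, "systembc", (any_selection, image_only)),
    ):
        for cond in conds:
            t = score(rule, family, cond, EVENTS)
            print(f"{label:9} {cond.__name__:14} tp={t['tp']} fp={t['fp']} fn={t['fn']}")
```

The tighter conditions remove every false positive in this set without losing a true positive, but the renamed implant is missed by all of them: name and flag matching on process creation is cheap, not complete, which is why the rules above sit alongside network and file-based detections rather than replacing them.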

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Sliver C2 and SystemBC process execution.
// DeviceProcessEvents carries the executable name in FileName (there is no
// ProcessName column); 'has' is term-based, so "mtls" also matches "--mtls".
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName has_any ("sliver", "systembc", "sbclient")
    or ProcessCommandLine has_any ("mtls", "socks")
    or ProcessCommandLine contains "127.0.0.1:1080"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

// Hunt for file hashes associated with The Gentlemen and UAT-8616
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256

PowerShell Hunt Script

PowerShell
# IOC Hunter for UAT-8616 and The Gentlemen Campaigns
# Scans file system for specific hashes and process anomalies.
# The indicator list mixes MD5 (32 hex), SHA1 (40 hex) and SHA256 (64 hex)
# values, so each file is hashed with every algorithm that has indicators;
# hashing with SHA256 alone would silently miss the MD5 and SHA1 entries.

$TargetHashes = @(
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa", # UAT-8616 Payload
    "d75cb9920d1d3d280518ddccfe4789d2",
    "18821dbb53892d6faa14b1f063517a0302057290",
    "adf675ffc1acb357f2d9f1a94e016f52", # The Gentlemen Payloads
    "2cd15d5d4cc58d06cfb6be5eabc681925d0ce5ce",
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2",
    "4200b46a93c6ab059e2b34ce200c4a5b"
)

# Group indicators by algorithm, keyed on hex length.
$HashesByAlgo = @{}
foreach ($Indicator in $TargetHashes) {
    $Algo = switch ($Indicator.Length) { 32 { 'MD5' } 40 { 'SHA1' } 64 { 'SHA256' } }
    if (-not $Algo) { Write-Warning "Skipping indicator of unexpected length: $Indicator"; continue }
    $HashesByAlgo[$Algo] += @($Indicator.ToLower())
}

Write-Host "[+] Hunting for specific file hashes associated with OTX Pulse activity..." -ForegroundColor Cyan

# A full recursive walk of a system drive is slow; narrow -Path to web roots,
# user profiles and temp locations where an EDR fleet-wide hash search is not available.
$DrivesToScan = @("C:\", "D:\")

foreach ($Drive in $DrivesToScan) {
    if (-not (Test-Path $Drive)) { continue }
    Write-Host "Scanning $Drive..."
    Get-ChildItem -Path $Drive -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 } |
        ForEach-Object {
            $File = $_
            foreach ($Algo in $HashesByAlgo.Keys) {
                $Hash = (Get-FileHash -LiteralPath $File.FullName -Algorithm $Algo -ErrorAction SilentlyContinue).Hash
                if ($Hash -and $HashesByAlgo[$Algo] -contains $Hash.ToLower()) {
                    Write-Host "[!] ALERT: Malicious file found: $($File.FullName)" -ForegroundColor Red
                    Write-Host "    $($Algo): $Hash"
                }
            }
        }
}

Write-Host "[+] Checking for active processes associated with Sliver or SystemBC..." -ForegroundColor Cyan
$MaliciousProcesses = @("sliver", "systembc", "sbclient", "xmrig", "kscan")
Get-Process | Where-Object { $MaliciousProcesses -contains $_.ProcessName.ToLower() } | ForEach-Object {
    Write-Host "[!] ALERT: Suspicious process running: $($_.ProcessName) (PID: $($_.Id))" -ForegroundColor Red
}

Write-Host "Scan complete."

Response Priorities

Immediate (0-4 hours)

  • Block Indicators: Immediately block IP 176.65.139.31 on all perimeter firewalls and proxies.
  • Vulnerability Scanning: Initiate emergency scans for CVE-2026-20128, CVE-2026-20133, CVE-2026-20131, and CVE-2024-55591 on all Cisco Catalyst SD-WAN, Cisco FMC, and Fortinet edge appliances.
  • IOC Sweep: Deploy the provided PowerShell script to endpoints to hunt for the specific file hashes. Where the EDR supports a fleet-wide hash search, use that first; a recursive hash of every file on a system drive is slow and should be scoped to web roots, user profiles, and temp directories.

24 Hours

  • Credential Audit: Given The Gentlemen's reliance on NTLM relay for credential theft, force a password reset for all administrative accounts with privileged access to network edge devices, and enforce SMB signing and LDAP signing/channel binding so that relayed NTLM authentication cannot be replayed against those services.
  • Log Review: Correlate web server logs (IIS/Tomcat) for suspicious POST requests to .jsp or .aspx files, indicative of Godzilla/Behinder webshell activity.
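
The log review step above, as an added example that is not code from the original page: a small analyzer over access log lines that flags script paths with webshell-style traffic. It parses NCSA combined-format lines (the Tomcat access log default; IIS logs in W3C extended format by default and would need a different parser), keeps only requests to .jsp/.jspx/.asp/.aspx targets, and flags a script when its file name matches the Godzilla/Behinder naming used in the file-creation rule above, or when it receives POSTs but no GETs from one or two sources, which is how an operator drives a webshell and how no legitimate form behaves. The log lines are constructed, the client addresses are from the 203.0.113.0/24 documentation range, and the thresholds (five POSTs, two sources) are assumptions to tune.

```python
"""Flag webshell-style request patterns in web server access logs.
Added example, not code from the original page; the log lines are constructed
in NCSA combined format and the client addresses are documentation-range."""
import re
from collections import defaultdict

SCRIPT_EXT = (".jsp", ".jspx", ".asp", ".aspx")
NAME_KEYWORDS = ("shell", "behinder", "godzilla")  # same names as the file-creation rule
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format access log line; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec.pop("target").split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def suspicious_scripts(lines, min_posts=5, max_sources=2):
    """Return {path: [reasons]} for script paths that look like webshells."""
    stats = defaultdict(lambda: {"GET": 0, "POST": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(SCRIPT_EXT):
            continue
        s = stats[rec["path"]]
        s[rec["method"]] = s.get(rec["method"], 0) + 1
        s["sources"].add(rec["ip"])

    findings = {}
    for path, s in stats.items():
        reasons = []
        name = path.rsplit("/", 1)[-1].lower()
        if any(k in name for k in NAME_KEYWORDS):
            reasons.append("file name matches known webshell naming")
        if s["POST"] >= min_posts and s["GET"] == 0 and len(s["sources"]) <= max_sources:
            reasons.append(
                f"{s['POST']} POSTs and no GETs from {len(s['sources'])} source(s)"
            )
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample: a normal login page used by two clients, a dropped
# shell.jsp, and a renamed shell under /static/ driven by a single client.
SAMPLE_LOG = [
    '203.0.113.40 - - [19/May/2026:09:58:01 +0000] "GET /login.jsp HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.40 - - [19/May/2026:09:58:09 +0000] "POST /login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.41 - - [19/May/2026:10:01:40 +0000] "GET /login.jsp?next=/home HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.41 - - [19/May/2026:10:01:52 +0000] "POST /login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.17 - - [19/May/2026:10:02:11 +0000] "POST /app/images/shell.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.40 - - [19/May/2026:10:02:30 +0000] "GET /static/logo.png HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.17 - - [19/May/2026:10:03:{i:02d} +0000] "POST /static/1.jsp HTTP/1.1" 200 {300 + i} "-" "Java/1.8.0_301"'
    for i in range(12)
]

if __name__ == "__main__":
    for path, reasons in suspicious_scripts(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The POST-only heuristic is what catches a shell that was renamed to something innocuous, which the name keywords alone never will; run it over the full retention window rather than the last day, since the webshell may have been dropped well before the first alert.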

1 Week

  • Architecture Hardening: Implement Zero Trust Network Access (ZTNA) controls for management interfaces of SD-WAN and Firewall controllers. Ensure management interfaces are not exposed to the public internet.
  • Detection Tuning: Implement the Sigma rules provided above into your SIEM to automate future detection of Sliver C2 and SystemBC.
