Recent OTX pulses highlight a convergence of sophisticated threats across multiple platforms and vectors. Security teams must contend with SideCopy (APT36) leveraging spear-phishing to deliver XenoRAT against the Afghan government, the evolution of the BTMOB Android RAT targeting Latin America via malicious APKs, and the emergence of The Gentlemen, a Go-based RaaS operation distinguished by aggressive self-propagation and robust encryption. Collectively, these campaigns demonstrate a shift towards accessible malware-as-a-service models (BTMOB, The Gentlemen) alongside persistent, region-specific APT activity.
Threat Actor / Malware Profile
SideCopy / XenoRAT (Operation XENOFISCAL)
- Adversary: SideCopy (Transparent Tribe / APT36)
- Target: Afghanistan Ministry of Finance, Provincial Revenue Directorates.
- Distribution: Spear-phishing emails containing Pashto-language LNK files disguised as staff directories.
- Payload Behavior: The LNK file executes `mshta.exe` to fetch remote HTA payloads. These payloads deliver XenoRAT, a remote access trojan providing full control over the victim's machine.
- C2 & Persistence: Uses compromised Afghan education infrastructure (`abimj.edu.af`) for C2 staging; utilizes multi-stage loaders to maintain persistence.
BTMOB (SpySolr Evolution)
- Adversary: Unknown (MaaS Operator)
- Target: Android users in Argentina and Brazil.
- Distribution: Phishing campaigns distributing fake apps via fraudulent app stores impersonating streaming, crypto, and gov services.
- Payload Behavior: An evolved Android RAT featuring an APK builder for rapid payload generation. Abuses Accessibility Services to grant itself permissions silently.
- C2 & Persistence: Establishes persistent C2 connections to hardcoded IP infrastructure; avoids detection by mimicking legitimate app structures.
The Gentlemen (Storm-2697)
- Adversary: Storm-2697
- Target: Education, Transportation, Healthcare, Finance.
- Distribution: RaaS (Ransomware-as-a-Service) affiliates via BreachForums; self-propagating mechanisms.
- Payload Behavior: Written in Go. Uses Curve25519 for key exchange and XChaCha20 as the stream cipher for file encryption. Features aggressive lateral movement capabilities to spread across the network.
- C2 & Persistence: Standard RaaS model connecting to affiliate C2s; persistence achieved via scheduled tasks or startup modifications typical of Windows encryptors.
IOC Analysis
The provided indicators reveal a mix of infrastructure and file-based artifacts:
- IPv4 Addresses: The BTMOB campaign relies on a dedicated block (e.g., `191.96.225.241`, `191.96.79.41`), likely hosting the C2 panels. SideCopy utilizes `103.132.98.224`.
- Domains: `abimj.edu.af` is a critical indicator for SideCopy, representing a compromised legitimate domain used for payload staging.
- File Hashes: Multiple MD5, SHA1, and SHA256 hashes are provided for the loaders (HTA/LNK) and final payloads (XenoRAT, The Gentlemen encryptor).
Operational Guidance: SOC teams should immediately block the listed IPs and domains at the perimeter. File hashes should be uploaded to EDR solutions for immediate scanning of endpoints. Network logs should be queried for connections to the specific IP ranges associated with BTMOB and SideCopy.
Detection Engineering
```yaml
---
title: SideCopy APT - Suspicious mshta.exe Execution via LNK
id: 5c7f3c91-8a2b-4b5d-9c1e-2f3a4b5c6d7e
description: Detects SideCopy activity where a LNK file spawns mshta.exe, a common pattern in their XenoRAT delivery.
status: experimental
date: 2026/06/01
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/64234d231234
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\explorer.exe'
    Image|endswith: '\mshta.exe'
    CommandLine|contains: '.hta'
  condition: selection
falsepositives:
  - Legitimate administrative tasks
level: high
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.execution
  - attack.t1204.002
---
title: The Gentlemen Ransomware - Go Binary Suspicious Execution
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects potential execution of The Gentlemen ransomware based on Go binary characteristics and file encryption behavior.
status: experimental
date: 2026/06/01
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/64234d239999
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '.exe'
  selection_go:
    Company: ''
    Description: ''
    Product|contains: 'Go'
  selection_behavior:
    CommandLine|contains:
      - 'encrypt'
      - 'crypto'
  condition: all of selection_*
falsepositives:
  - Legitimate Go applications (rare in enterprise endpoints)
level: critical
tags:
  - attack.impact
  - attack.t1486
---
title: BTMOB C2 Infrastructure - Network Connection
id: 9f8e7d6c-5b4a-3c2d-1e0f-9a8b7c6d5e4f
description: Detects outbound connections to known BTMOB RAT C2 infrastructure.
status: experimental
date: 2026/06/01
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/64234d230000
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationIp|contains:
      - '191.96.225.241'
      - '191.96.79.41'
      - '191.96.79.133'
      - '191.96.224.87'
  condition: selection
falsepositives:
  - Unknown
level: high
tags:
  - attack.c2
  - attack.t1071.001
```
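To see what the two process_creation rules above actually fire on before deploying them, here is an added example (not code from the Security Arsenal post) that evaluates their selections over constructed sample events; the file paths, host name and product names are hypothetical, and it shows that `Product|contains: 'Go'` also matches any product whose name happens to contain "go".

```python
# Added example (not from the Security Arsenal post): a minimal evaluator for the Sigma
# selections above, run over constructed process_creation events to show what they fire on.

def _match_field(event, key, expected):
    """Apply one Sigma field modifier (endswith, contains or exact), case-insensitively."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    options = expected if isinstance(expected, list) else [expected]
    for opt in (o.lower() for o in options):
        if modifier == "endswith" and value.endswith(opt):
            return True
        if modifier == "contains" and opt in value:
            return True
        if modifier == "" and value == opt:
            return True
    return False

def selection_matches(event, selection):
    """Every field in a selection map must match (Sigma AND semantics within a map)."""
    return all(_match_field(event, k, v) for k, v in selection.items())

# Selections copied from the two process_creation rules above.
SIDECOPY = {"ParentImage|endswith": "\\explorer.exe", "Image|endswith": "\\mshta.exe",
            "CommandLine|contains": ".hta"}
GENTLEMEN = {"selection_img": {"Image|endswith": [".exe"]},
             "selection_go": {"Company": "", "Description": "", "Product|contains": "Go"},
             "selection_behavior": {"CommandLine|contains": ["encrypt", "crypto"]}}

def sidecopy_rule(event):
    return selection_matches(event, SIDECOPY)

def gentlemen_rule(event):
    return all(selection_matches(event, s) for s in GENTLEMEN.values())  # all of selection_*

def matching_rules(event):
    rules = (("sidecopy_mshta", sidecopy_rule), ("gentlemen_go", gentlemen_rule))
    return [name for name, rule in rules if rule(event)]

# Constructed sample events (hypothetical paths, host and product names, not real telemetry).
# Sensors such as Sysmon log absent version-info fields as '-' rather than '', so the exact ''
# match in selection_go must be adapted to the log source in use.
EVENTS = [
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe https://staging.example/staff_directory.hta"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Users\\Public\\locker.exe",
     "Company": "", "Description": "", "Product": "Go build", "CommandLine": "locker.exe --encrypt"},
    # Benign (fictional) backup tool: "Argos Backup" contains "go", so the rule fires on it too.
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Tools\\argosbak.exe",
     "Company": "", "Description": "", "Product": "Argos Backup", "CommandLine": "argosbak.exe --encrypt"},
]
```

Calling `matching_rules(ev)` for each entry in `EVENTS` gives `['sidecopy_mshta']`, `['gentlemen_go']` and `['gentlemen_go']`, the last one being the false positive to tune out.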
```kql
// Hunt for SideCopy C2 Domain and XenoRAT indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "abimj.edu.af" or RemoteIP == "103.132.98.224"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
```

```kql
// Hunt for The Gentlemen and BTMOB File Hashes
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    "3b4194bdfe40d94031a94b30397ffd8a4b09d0a4057668e897b8bdcd1703dd01",
    "99127c8c67d90e2776beeb85281f9c68399bf4567b07a6b638d68b760212e88d",
    "22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67",
    "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68"
)
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessAccountName
```
```powershell
# IOC Hunt Script for Windows Endpoints
# Scans for specific XenoRAT and The Gentlemen file hashes.
# The list mixes SHA256 (64 hex chars) and MD5 (32 hex chars) indicators; each file is
# hashed with both algorithms so either kind can match.
$TargetHashes = @(
    "3b4194bdfe40d94031a94b30397ffd8a4b09d0a4057668e897b8bdcd1703dd01",
    "99127c8c67d90e2776beeb85281f9c68399bf4567b07a6b638d68b760212e88d",
    "22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67",
    "7a262d4cbbc4808932b6af42c4041f06",
    "25e3c200de4868d754a3b4f4f09ec2bf"
)
$SearchPaths = @("C:\", "D:\", "E:\") # Adjust as needed
$FoundThreats = @()
foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        Write-Host "Scanning $Path for malicious hashes..."
        # -File skips directories, which Get-FileHash cannot hash; locked or unreadable
        # files are silently skipped (Get-FileHash returns nothing, so no match occurs).
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            # -contains compares case-insensitively, so the uppercase hex returned by
            # Get-FileHash matches the lowercase indicators above.
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($TargetHashes -contains $Hash) {
                $FoundThreats += [PSCustomObject]@{
                    File   = $_.FullName
                    Hash   = $Hash
                    Status = "Detected"
                }
            }
            # Fallback to MD5 check for the MD5-only indicators
            $HashMD5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($TargetHashes -contains $HashMD5) {
                $FoundThreats += [PSCustomObject]@{
                    File   = $_.FullName
                    Hash   = $HashMD5
                    Status = "Detected"
                }
            }
        }
    }
}
if ($FoundThreats) {
    Write-Host "THREAT DETECTED:" -ForegroundColor Red
    $FoundThreats | Format-Table -AutoSize
} else {
    Write-Host "No matching files found." -ForegroundColor Green
}
```
Response Priorities
Immediate (0-24 hours)
- Network Blocking: Block all listed IPv4 addresses (e.g., `191.96.0.0/16` subnets if policy allows, specifically `191.96.225.241`, `103.132.98.224`) and the domain `abimj.edu.af` at the firewall and proxy level.
- Endpoint Isolation: If indicators of compromise (IOCs) are detected on endpoints (via the PowerShell script or EDR), isolate affected machines immediately.
24-48 Hours
- Threat Hunting: Run the provided KQL and PowerShell scripts across the enterprise to identify any latent infections or lateral movement activity associated with The Gentlemen or SideCopy.
- Mobile Audit: For organizations with BYOD or presence in Argentina/Brazil, issue alerts to users regarding fake streaming apps and verify MDM compliance to detect BTMOB variants.
1 Week
- Architecture Hardening: Implement application whitelisting (AppLocker) to prevent unsigned or unexpected LNK/HTA execution. Restrict `mshta.exe` usage to only authorized scripts.
- Awareness Training: Update security awareness training to highlight the specific tactics used by SideCopy (Pashto-language lures) and BTMOB (fake app stores).