Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
Key Takeaways The Gentlemen ransomware group, tracked by Microsoft as Storm-2697, has rapidly emerged as a Tier-1 threat, impacting over 500 organizations across 70+ countries within its first year....
Key Takeaways
- The Gentlemen ransomware group, tracked by Microsoft as Storm-2697, has rapidly emerged as a Tier-1 threat, impacting over 500 organizations across 70+ countries within its first year.
- The group distinguishes itself with “GentleKiller,” a sophisticated, custom-built EDR/AV evasion suite featuring eight BYOVD (Bring Your Own Vulnerable Driver) variants capable of disabling over 400 security processes from 48 vendors.
- Initial access primarily exploits internet-facing FortiGate VPN vulnerabilities, brute-forced credentials, and infostealer data, followed by extensive internal reconnaissance and the deployment of advanced defense evasion tools.
- Targeted sectors include manufacturing, healthcare, financial services, and critical operational technology, with a notable focus on non-U.S. regions like Southeast Asia, South America, and Western Europe.
- A significant internal database leak in May 2026 exposed the group’s full toolchain, operator identities, victim lists, and ransomware negotiation details, providing unprecedented insight into their operations.
The Gentlemen ransomware operation, identified by Microsoft as Storm-2697, has rapidly escalated into a formidable global threat since its emergence in mid-2025. Originating from a dispute within the Qilin Ransomware-as-a-Service (RaaS) program, this human-operated RaaS collective has already compromised over 500 victims across more than 70 countries within its inaugural year of independent activity. By April 2026, The Gentlemen accounted for approximately 10% of all ransomware incidents worldwide.
Table Of Content
- Key Takeaways
- Threat Actor Profile
- Identity and Origin
- Organizational Structure
- Attack Chain: Step-by-Step Lifecycle
- Phase 1: Initial Access
- Phase 2: Reconnaissance and Privilege Escalation
- Phase 3: Defense Evasion (EDR/AV Killing)
- Phase 4: Lateral Movement and Persistence
- Phase 5: Data Exfiltration (Pre-Encryption)
- Phase 6: Encryption and Impact
- Encryption Technology
- Encryption Speed Modes
- Post-Encryption Actions
- Network Share Discovery
- Known Infection Vectors
- Common Vulnerabilities Exploited
- Known Tools Used
- Full Toolchain Reference
- Targeted Industries and Victimology
- Industries by Victim Count (Top 5)
- Geographic Focus (Top 5 Countries)
- Notable Attack: Mackay Sugar (June 2026)
- What You Should Do
- Immediate Priority Actions
- Detection Rules (SIEM/EDR Alerts)
- Architecture and Hardening
What truly sets The Gentlemen apart is not merely its operational scale, but its advanced, operator-managed infrastructure for neutralizing endpoint detection and response (EDR) and antivirus (AV) solutions. This proprietary framework, dubbed “GentleKiller,” is marketed directly to affiliates and comprises at least eight distinct Bring Your Own Vulnerable Driver (BYOVD) variants. These sophisticated tools can terminate more than 400 security processes from 48 different vendors. The group also integrates popular third-party EDR killers such as HexKiller, ThrottleBlood, and HavocKiller into a modular evasion suite. This, combined with a Go-based, self-propagating worm encryptor utilizing hybrid Curve25519/XChaCha20 cryptography, positions The Gentlemen as a critical threat to global manufacturing, healthcare, financial services, and operational technology (OT) environments.
A major intelligence breakthrough occurred in May 2026, when an internal backend database named “Rocket” belonging to The Gentlemen was leaked. This breach exposed 3,366 internal chat messages, operator identities, over 1,570 confirmed victim records, ransom negotiation transcripts, and the group’s complete arsenal of tools. This unprecedented data trove has allowed cybersecurity researchers to compile a comprehensive, defender-grade threat briefing, synthesizing intelligence from the leak, ESET Research, Microsoft Threat Intelligence, Check Point Research, Trend Micro, and Huntress.
Threat Actor Profile
Identity and Origin
The Gentlemen was founded by an individual operating under the aliases “hastalamuerte” and “zeta88,” also tracked as LARVA-368 by PRODAFT. This individual previously led an affiliate crew within the Qilin RaaS program before establishing The Gentlemen as an independent entity in July 2025, following a payment dispute. The primary operator is identified as Russian-speaking and remains actively involved in orchestrating attacks, in addition to managing the RaaS platform.
Consistent with the behavior of Russian-nexus threat actors, The Gentlemen adheres to a strict Commonwealth of Independent States (CIS) exclusion policy. While globally targeting organizations, the group deliberately avoids victims located in CIS countries.
Organizational Structure
Analysis of the leaked Rocket.Chat database reveals a highly organized structure, featuring a core of approximately nine named operators and at least eight distinct affiliate TOX IDs. The key roles identified include:
zeta88/hastalamuerte: Administrator, responsible for locker development, RaaS panel management, target distribution, and payout processing.qbit: Hands-on operator, specializing in Fortinet scanning, NTLM relay attacks, Active Directory reconnaissance, and EDR killer deployment.quant: Focuses on log-based access, credential harvesting, and maintaining tools like OxideHarvest/buildx641.Wick,mAst3r,Protagor: Red-teamers, advertising partners, and collaborators for specific cases.Bl0ck,JeLLy,Kunder,Mamba: Access brokers and support personnel.
The administrator actively leverages AI-assisted development, citing tools like DeepSeek, Qwen, and Kimi for coding and panel creation. The Gentlemen GLOCKER admin panel was reportedly constructed in just three days with AI assistance.
- Affiliate Revenue Split: Affiliates receive a generous 90% of the ransom, with 10% going to the operators, making it one of the most attractive splits in the ransomware ecosystem.
- Affiliate Recruitment: The group actively recruits on underground forums like RAMP and BreachForums, seeking penetration testers and initial access brokers.
- Partnership: An official partnership was established with BreachForums in 2025 to expand its affiliate network.
- Extortion Model: Employs a double extortion strategy, involving both data encryption and exfiltration.
- Ransom Range: Initial demands typically hover around $250,000, with observed settlements in leaked transcripts averaging $190,000.
- Leak Site: Operates a dedicated Tor-based leak site (DLS) complemented by a branded X/Twitter account to exert additional public pressure on victims.
Attack Chain: Step-by-Step Lifecycle
Phase 1: Initial Access
Unlike many ransomware groups, The Gentlemen rarely relies on phishing for initial access. Instead, affiliates systematically target exposed internet-facing infrastructure, primarily FortiGate VPN appliances, Cisco ASA devices, and SonicWall appliances. The group maintained an active inventory of approximately 14,700 compromised FortiGate devices and over 900 validated brute-forced FortiGate VPN credentials for affiliate use.
Common branding credentials identified in leaked data include: gentlemen25, Gentlemen25, and gentle26.
Secondary initial access vectors include:
- Credentials acquired from infostealer marketplaces.
- Exploitation of exposed OWA/O365 portals using log-based credential tools, such as
quant’s custom log parser. - Purchasing pre-compromised enterprise footholds from access brokers.
Phase 2: Reconnaissance and Privilege Escalation
Upon gaining an initial foothold, operators conduct extensive internal reconnaissance using a bespoke offensive toolkit:
- NetExec (NXC): A versatile framework for Active Directory, SMB, and WinRM operations.
- RelayKing-Depth: Used for NTLM relay scanning and exploitation.
- TaskHound: Facilitates task and privilege abuse.
- PrivHound: Discovers local privilege escalation paths.
- CertiHound: Enumerates Active Directory Certificate Services (ADCS) misconfigurations (ESC1–ESC17).
- gogo.exe: A port scanner for identifying exposed services.
- Advanced IP Scanner / Nmap: Utilized for network mapping (e.g., in the Mackay Sugar incident).
- KslDump / KslKatz: Tools for Kerberos/LSASS credential dumping.
The group’s primary objective during this phase is to obtain domain administrator credentials and manipulate Group Policy Objects (GPOs) to achieve domain-wide compromise.
Phase 3: Defense Evasion (EDR/AV Killing)
This phase represents The Gentlemen’s signature capability. Before initiating encryption, operators deploy their centralized GentleKiller suite, typically staged in a directory named GentlemenCollection on the target system.
The BYOVD technique operates as follows:
- A signed-but-vulnerable kernel driver is dropped to disk.
- The driver is loaded as a Windows service using
sc createandsc startcommands. - User-mode applications send Input/Output Control (IOCTL) commands to the driver, achieving Ring-0 (kernel) privilege.
- At kernel level, all targeted security processes are enumerated and terminated, bypassing user-mode tamper protection.
GentleKiller features eight known variants, each impersonating a different legitimate product:
| Variant Name | Fake Filename | Abused Driver | ESET Detection |
|---|---|---|---|
| Kaspersky | Kasp<suffix>.exe |
eb.sys (custom rootkit PoC) |
Win64/KillAV.EA |
| FACEIT Anti-Cheat | FaceIT<suffix>.exe |
nseckrnl.sys (NSecsoft NSecKrnl) |
Win64/KillAV.EA |
| Valorant | Valorant<suffix>.exe |
GameDriverX64.sys / vgk.sys (Tower of Fantasy anti-cheat) |
Win64/KillAV.EA |
| Javelin | EAAntiCheat<suffix>.exe, EASolo<suffix>.exe |
stpm_old.sys, stpm_new.sys (Safetica Process Monitor) |
Win64/KillAV.EA |
| WatchDog | BitD<suffix>.exe |
dmx.sys (Zemana WatchDog Antimalware) |
Win64/KillAV.EA |
| Network Blocker | MB<suffix>.exe |
360netmon_wfp.sys (Qihoo 360) |
Win64/KillAV.EA |
| Cleaner | Deletor.exe |
IMFForceDelete (IObit IMF ForceDelete) |
Win64/KillAV.EA |
| G11 | G11<suffix>.exe, Symantec<suffix>.exe |
G11.sys / PoisonX (rootkit PoC) |
Win64/KillAV.EA |
The group also integrates third-party EDR killers into its arsenal:
| ESET Name | Fake Filename | Abused Driver | Notes |
|---|---|---|---|
| HexKiller | Avast<suffix>.exe |
googleApiUtil64.sys (Baidu Antivirus BdApi) |
Previously attributed to Warlock gang |
| ThrottleBlood | Sent<suffix>.exe |
ThrottleBlood.sys (TechPowerUp LLC ThrottleStop) |
Also seen in MedusaLocker, DragonForce |
| HavocKiller | HwAudKiller.exe, Sophos<suffix>.exe |
havoc.sys (Huawei Audio Driver) |
Active since Jan 2026, disclosed by Huntress Mar 2026 |
Additional evasion tools from the leaked toolchain include:
EDRStartupHinder: Blocks or delays EDR processes during system startup.gfreeze: Utility for freezing EDR processes.glinker: An EDR evasion companion tool forgfreeze.DumpBrowserSecrets: Harvests browser cookies and session tokens.- Techniques involving ETW (Event Tracing for Windows) patching and
zerosalarium. Titanis: A framework for manipulating Windows ETW and logging.
Binary protection and impersonation strategies are uniformly applied to all EDR killers:
| Filename Suffix | Protection | Fake Signature | Fake Version Info |
|---|---|---|---|
1 |
Enigma | Yes | Yes |
2 |
Themida | Yes | Yes |
Light |
None | Yes | Yes |
Clear |
None | No | No |
Phase 4: Lateral Movement and Persistence
The Gentlemen ransomware’s self-propagation module (activated with the --spread argument) employs 21 distinct remote execution techniques per target host, exhibiting worm-like behavior:
- Remote file copy via
C$administrative shares. - PsExec-based remote execution, either using an embedded binary or downloading from Sysinternals Live.
- WMIC process creation (
wmic /node:<target> process call create). - Scheduled tasks in user context (
DefU,UpdateGU,UpdateGU2). - Scheduled tasks in SYSTEM context (same tasks, elevated).
- Windows Services (
DefSvc,UpdateSvc,UpdateSvc2). - PowerShell Remoting via
Invoke-Command(WinRM). - PowerShell WMI (
Invoke-WmiMethod) as an alternative to wmic.exe.
For persistence, the encryptor establishes two layers:
- Scheduled tasks:
UpdateSystem(SYSTEM context) andUpdateUser(current user context). - Registry Run keys:
GupdateSunderHKLM...RunandGupdateUunderHKCU...Run.
Additional persistence mechanisms include AnyDesk remote access software, Cloudflare Zero Trust tunnels, and SystemBC SOCKS5 proxy. The group utilizes Velociraptor as a covert C2 framework, alongside ZeroPulse and Cloudflare tunnels. Lateral movement tools observed include PsExec, PuTTY (in the Mackay Sugar incident), and WinSCP for data exfiltration over encrypted channels.
Phase 5: Data Exfiltration (Pre-Encryption)
The Gentlemen typically exfiltrates substantial volumes of data, ranging from hundreds of gigabytes to several terabytes per victim. WinSCP is used for encrypted file transfers. The group also employs quant’s custom credential and data collector (buildx641/OxideHarvest), which leverages:
vssadminfor shadow copy access.ntds.ditextraction.SYSTEMhive copies.MANSPIDERfor identifying sensitive file shares.
The group actively reuses data from prior compromises to facilitate new attacks, as exemplified by a UK consultancy breach that was leveraged to gain access to a Turkish company, using stolen internal documents for cross-target enrichment.
Phase 6: Encryption and Impact
Encryption Technology
The encryptor, written in Go and obfuscated with Garble, targets Windows, Linux, NAS, BSD, and ESXi platforms:
- Cryptographic scheme: A hybrid approach combining Curve25519 and XChaCha20.
- Key design: Uses a per-file ephemeral Curve25519 key pair, with the ECDH shared secret serving as the XChaCha20 key.
- Nonce: The first 24 bytes of the ephemeral public key, XOR-mutated per chunk for larger files.
- Encrypted file extension: Primarily
.umc16h, with.7mtzhhobserved in some samples. - Execution requirement: Requires a build-specific
--passwordargument as an anti-analysis measure.
Encryption Speed Modes
The encryptor supports various speed modes, affecting the percentage of data encrypted in large files:
| CLI Argument | Per-Chunk % | Total Encrypted (Large Files) |
|---|---|---|
(default) |
9% | ~27% |
--fast |
3% | ~9% |
--superfast |
1% | ~3% |
--ultrafast |
0.3% | ~0.9% |
Small files (1 MB or less) are fully encrypted regardless of the chosen speed mode.
Post-Encryption Actions
After encryption, the malware creates a scheduled task (gentlemen_system) to relaunch itself with SYSTEM privileges for encrypting local drives. Other post-encryption actions include:
- Ransom note: A file named
README-GENTLEMEN.txtis dropped in every traversed directory. - Desktop wallpaper: The desktop background is changed to
%TEMP%gentlemen.bmp. - Shadow copy deletion: Uses
vssadmin delete shadows /all /quietandwmic shadowcopy deleteto prevent system recovery. - Event log clearing: Clears System, Application, and Security event logs using
wevtutil. - Deletion of forensic artifacts: Removes prefetch files, Defender logs, RDP logs, and PowerShell history.
- Free space wiping: The
--wipeflag overwrites all unallocated disk space with random data. - Self-deletion: The encryptor binary removes itself post-execution, unless the
--keepflag is specified.
Network Share Discovery
When executed with the --shares argument, the encryptor enables Windows network discovery services (fdrespub, fdPHost, SSDPSRV, upnphost) and removes firewall restrictions to maximize the number of reachable encryption targets.
Known Infection Vectors
| Vector | Mechanism | CVE/Tool | Confidence |
|---|---|---|---|
| FortiGate VPN exploitation | Authentication bypass in FortiOS/FortiProxy management interface | CVE-2024-55591 | High (81 mentions in leaked chat logs; 14,700+ compromised devices tracked) |
| Erlang SSH / Cisco RCE | Remote code execution on Cisco and Erlang-based SSH services | CVE-2025-32433 | High (PoC shared and evaluated in internal Rocket.Chat logs) |
| NTLM Relay | Internal credential relay for privilege escalation post-initial access | CVE-2025-33073 | High (RelayKing integrated into standard recon workflow) |
| FortiGate VPN brute-force | Credential stuffing/brute-force of VPN web panels | ~900+ validated credentials in active use | High |
| Infostealer credentials | Purchased from underground markets; OWA/O365 portal abuse | N/A | High |
| Access brokers | Pre-compromised Fortinet VPN access purchased from “Mamba” and other brokers | N/A | High |
| SonicWall VPN, Cisco ASA, Oracle EBS | Active reconnaissance and exploit development noted | Under research by group | Medium |
| BYOVD kernel driver exploit | CVE-2025-7771 ThrottleStop.sys driver for kernel code execution | CVE-2025-7771 | Medium |
Common Vulnerabilities Exploited
| CVE | Product | Vulnerability Type | CVSS | Status |
|---|---|---|---|---|
| CVE-2024-55591 | Fortinet FortiOS / FortiProxy | Authentication bypass in management interface enables unauthenticated super-admin access | Critical | Patch available, widely unpatched |
| CVE-2025-32433 | Erlang/OTP SSH (Cisco context) | Pre-authentication remote code execution | Critical | PoC actively evaluated by operators |
| CVE-2025-33073 | Windows NTLM | NTLM reflection/relay privilege escalation | High | Actively scanned using RelayKing |
| CVE-2025-7771 | TechPowerUp ThrottleStop.sys | Kernel code execution via vulnerable driver (BYOVD) | High | Integrated as ThrottleBlood.sys |
| CVE-2023-27532 | Veeam Backup & Replication | Missing authentication targeted for backup destruction | Critical | Patching recommended |
| CVE-2024-37085 | VMware ESXi | Authentication bypass ESXi locker deployment vector | High | Patching recommended |
| Multiple ADCS flaws | Microsoft Active Directory Certificate Services | ESC1–ESC17 misconfigurations (CertiHound) | Variable | Enumerated post-compromise |
Known Tools Used
Full Toolchain Reference
| Category | Tool | Purpose |
|---|---|---|
| EDR Killing (In-House) | GentleKiller (8 variants) | BYOVD kernel-level security process termination (400+ processes, 48 vendors) |
| EDR Killing (Third-Party) | HexKiller | BYOVD EDR killer (Baidu BdApi driver) |
| EDR Killing (Third-Party) | ThrottleBlood | BYOVD EDR killer (ThrottleStop.sys driver) |
| EDR Killing (Third-Party) | HavocKiller | BYOVD EDR killer (Huawei Audio driver) |
| EDR Evasion | EDRStartupHinder | Blocks/delays EDR processes at startup |
| EDR Evasion | gfreeze | EDR process freezing utility |
| EDR Evasion | glinker | EDR evasion companion tool |
| Credential Theft | OxideHarvest (buildx641.exe) | Rust-based credential stealer; harvests browsers, LSASS, NTDS |
| Credential Theft | DumpBrowserSecrets | Browser cookie and session token harvester |
| Credential Theft | KslDump / KslKatz | Kerberos / LSASS credential dumping |
| Credential Theft | Mimikatz | Credential extraction (operator referenced in multiple incidents) |
| AD Recon | NetExec (NXC) | SMB, AD, WinRM, LDAP offensive framework |
| AD Recon | RelayKing-Depth | NTLM relay path discovery and exploitation |
| AD Recon | CertiHound | ADCS misconfiguration enumeration (ESC1–ESC17) |
| Privilege Escalation | PrivHound | Local privilege escalation path finder |
| Privilege Escalation | TaskHound | Task and privilege abuse |
| Privilege Escalation | RegPwn | Registry-based service privilege escalation |
| Lateral Movement | PsExec | Remote execution; embedded in ransomware binary |
| Lateral Movement | WinSCP | Encrypted data exfiltration |
| Lateral Movement | MANSPIDER | Sensitive file share hunting |
| C2 / Remote Access | Velociraptor | Covert C2 with LSASS/memory collection |
| C2 / Remote Access | ZeroPulse | Remote access framework |
| C2 / Remote Access | AnyDesk | Persistent remote access |
| C2 / Remote Access | SystemBC | SOCKS5 proxy for covert C2 tunneling |
| C2 / Remote Access | Cloudflare Zero Trust / Tunnels | Covert HTTPS tunneling into victim networks |
| C2 / Remote Access | Cobalt Strike | Beacon-based C2 framework |
| Infrastructure | gogo.exe | Port scanner for initial surface discovery |
| ETW Evasion | Titanis | Windows ETW/logging manipulation |
| ETW Evasion | zerosalarium | ETW and log-based EDR kill research/techniques |
| OSINT | Sputnik (browser extension) | OSINT aggregation for target enrichment |
| Password Cracking | chamd5.org / hashcracking_bot | Online hash cracking services |
| VPN Infrastructure | WireGuard, OpenVPN, Double-VPN | Operator-side VPN for operational security |
| GPO Deployment | Group Policy Management / Editor | Domain-wide ransomware deployment via NETLOGON |
Targeted Industries and Victimology
Industries by Victim Count (Top 5)
| Rank | Industry | Victim Count |
|---|---|---|
| 1 | Manufacturing | 101 |
| 2 | Business Services | 66 |
| 3 | Technology | 65 |
| 4 | Healthcare | 50 |
| 5 | Consumer Services | 44 |
Additional sectors frequently targeted include Construction, Education, Transportation, Financial Services, Insurance, Agri-Industrial (food production/sugar processing), Pharmaceuticals, and Critical Infrastructure (OT/ICS environments).
Geographic Focus (Top 5 Countries)
| Rank | Country | Victim Count |
|---|---|---|
| 1 | United States | 87 |
| 2 | Thailand | 37 |
| 3 | France | 28 |
| 4 | Germany | 24 |
| 5 | Australia | ~20 (estimated 4th most targeted per CheckPoint) |
The Gentlemen notably diverges from many top-tier ransomware gangs by not having a U.S.-centric victimology. Instead, it maintains a significant focus on Southeast Asia, South America, and Western Europe. Targeting decisions are primarily driven by the presence of misconfigured FortiGate devices rather than specific geographic locations.
Notable Attack: Mackay Sugar (June 2026)
In June 2026, The Gentlemen claimed responsibility for a ransomware attack that severely impacted Mackay Sugar, Australia’s second-largest raw sugar producer. The incident forced the shutdown of operations at the Farleigh and Racecourse mills for over a week, causing significant disruptions to cane haulage and affecting more than 1,300 family-owned farms. The attack involved payload deployment via the NETLOGON share and included a double-extortion threat, demanding a ransom to prevent the release of stolen data within 10 days.
What You Should Do
Immediate Priority Actions
- Patch CVE-2024-55591 Urgently: The FortiOS authentication bypass is a primary initial access vector for The Gentlemen. Immediately audit all internet-facing FortiGate, FortiProxy, and FortiSwitch devices and apply Fortinet’s patches. Reset credentials for all VPN accounts.
- Block GentleKiller Drivers: Utilize Microsoft’s Vulnerable Driver Blocklist and Windows Defender Application Control (WDAC) to block all eight GentleKiller drivers and the three integrated third-party EDR killer drivers. Ensure the complete list of drivers is audited against:
eb.sys,nseckrnl.sys,vgk.sys,stpm_old.sys,stpm_new.sys,dmx.sys,360netmon_wfp.sys,IMFForceDelete,G11.sys,googleApiUtil64.sys,ThrottleBlood.sys,havoc.sys. - Enable HVCI (Memory Integrity): Implement Hypervisor-Protected Code Integrity (HVCI) to prevent the loading of unsigned and vulnerable kernel drivers, thereby blocking the BYOVD attack vector at the hardware level.
- Alert on Sysmon Event ID 6 (Driver Loaded): Log all driver loads, including their hash and SignatureStatus, using Sysmon. Cross-reference these logs against known vulnerable drivers (LOLDrivers list) and the Gentlemen-specific driver hashes.
- Mandate Phishing-Resistant MFA: Implement multi-factor authentication (MFA) on all VPN, RDP, and OWA endpoints, especially phishing-resistant forms. The group actively brute-forces and credential-stuffs these services. Eliminate single-factor authentication on all external-facing infrastructure.
Detection Rules (SIEM/EDR Alerts)
| Alert Priority | Detection | Rationale |
|---|---|---|
| Critical | Scheduled task gentlemen_system created |
Confirmed precursor to SYSTEM-privileged encryption |
| Critical | vssadmin.exe delete shadows or wmic shadowcopy delete |
Shadow copy deletion is an immediate ransomware indicator |
| Critical | Security, System, Application event logs cleared | Observed in 100% of documented incidents |
| Critical | Loading of driver from GentlemenCollection directory |
Direct staging indicator for EDR killer suite |
| High | Multiple Sysmon EID 6 (driver loads) with non-Microsoft certificates | Indicates BYOVD attack in progress |
| High | Set-MpPreference -DisableRealtimeMonitoring $true via PowerShell |
Defender disabling observed in every incident |
| High | Add-MpPreference -ExclusionPath C: |
Exclusion of entire C: drive from AV scanning |
| High | svchost32.exe connecting outbound over SOCKS (ports 44729, 37182) |
Known C2 beacon masquerading as system process |
| High | GPO creation with unknown executable as startup script | Precursor to domain-wide ransomware deployment |
| High | Outbound Cloudflare WARP tunnel from non-IT endpoints | Pre-encryption staging behavior |
| Medium | Bulk NTLM relay scanning from internal hosts (RelayKing signatures) | Pre-encryption network reconnaissance |
| Medium | EDRStartupHinder or gfreeze process names detected |
Startup EDR evasion tools |
| Medium | New shares created: share$ on C:Temp |
Lateral movement staging share |
Architecture and Hardening
- Implement Strict IT/OT Network Segmentation: The Gentlemen’s worm-like propagation thrives on flat networks. Segmentation
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.