Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical CVE-2024-XXXXX in GCP Dialogflow Lets Attackers Inject Malicious Code
July 7, 2026
Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
July 7, 2026
VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
July 7, 2026
Home/CyberSecurity News/Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
CyberSecurity News

Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries

Key Takeaways The Gentlemen ransomware group, tracked by Microsoft as Storm-2697, has rapidly emerged as a Tier-1 threat, impacting over 500 organizations across 70+ countries within its first year....

David kimber
David kimber
July 7, 2026 12 Min Read
2 0

Key Takeaways

  • The Gentlemen ransomware group, tracked by Microsoft as Storm-2697, has rapidly emerged as a Tier-1 threat, impacting over 500 organizations across 70+ countries within its first year.
  • The group distinguishes itself with “GentleKiller,” a sophisticated, custom-built EDR/AV evasion suite featuring eight BYOVD (Bring Your Own Vulnerable Driver) variants capable of disabling over 400 security processes from 48 vendors.
  • Initial access primarily exploits internet-facing FortiGate VPN vulnerabilities, brute-forced credentials, and infostealer data, followed by extensive internal reconnaissance and the deployment of advanced defense evasion tools.
  • Targeted sectors include manufacturing, healthcare, financial services, and critical operational technology, with a notable focus on non-U.S. regions like Southeast Asia, South America, and Western Europe.
  • A significant internal database leak in May 2026 exposed the group’s full toolchain, operator identities, victim lists, and ransomware negotiation details, providing unprecedented insight into their operations.

The Gentlemen ransomware operation, identified by Microsoft as Storm-2697, has rapidly escalated into a formidable global threat since its emergence in mid-2025. Originating from a dispute within the Qilin Ransomware-as-a-Service (RaaS) program, this human-operated RaaS collective has already compromised over 500 victims across more than 70 countries within its inaugural year of independent activity. By April 2026, The Gentlemen accounted for approximately 10% of all ransomware incidents worldwide.

Table Of Content

  • Key Takeaways
  • Threat Actor Profile
  • Identity and Origin
  • Organizational Structure
  • Attack Chain: Step-by-Step Lifecycle
  • Phase 1: Initial Access
  • Phase 2: Reconnaissance and Privilege Escalation
  • Phase 3: Defense Evasion (EDR/AV Killing)
  • Phase 4: Lateral Movement and Persistence
  • Phase 5: Data Exfiltration (Pre-Encryption)
  • Phase 6: Encryption and Impact
  • Encryption Technology
  • Encryption Speed Modes
  • Post-Encryption Actions
  • Network Share Discovery
  • Known Infection Vectors
  • Common Vulnerabilities Exploited
  • Known Tools Used
  • Full Toolchain Reference
  • Targeted Industries and Victimology
  • Industries by Victim Count (Top 5)
  • Geographic Focus (Top 5 Countries)
  • Notable Attack: Mackay Sugar (June 2026)
  • What You Should Do
  • Immediate Priority Actions
  • Detection Rules (SIEM/EDR Alerts)
  • Architecture and Hardening

What truly sets The Gentlemen apart is not merely its operational scale, but its advanced, operator-managed infrastructure for neutralizing endpoint detection and response (EDR) and antivirus (AV) solutions. This proprietary framework, dubbed “GentleKiller,” is marketed directly to affiliates and comprises at least eight distinct Bring Your Own Vulnerable Driver (BYOVD) variants. These sophisticated tools can terminate more than 400 security processes from 48 different vendors. The group also integrates popular third-party EDR killers such as HexKiller, ThrottleBlood, and HavocKiller into a modular evasion suite. This, combined with a Go-based, self-propagating worm encryptor utilizing hybrid Curve25519/XChaCha20 cryptography, positions The Gentlemen as a critical threat to global manufacturing, healthcare, financial services, and operational technology (OT) environments.

A major intelligence breakthrough occurred in May 2026, when an internal backend database named “Rocket” belonging to The Gentlemen was leaked. This breach exposed 3,366 internal chat messages, operator identities, over 1,570 confirmed victim records, ransom negotiation transcripts, and the group’s complete arsenal of tools. This unprecedented data trove has allowed cybersecurity researchers to compile a comprehensive, defender-grade threat briefing, synthesizing intelligence from the leak, ESET Research, Microsoft Threat Intelligence, Check Point Research, Trend Micro, and Huntress.

Threat Actor Profile

Identity and Origin

The Gentlemen was founded by an individual operating under the aliases “hastalamuerte” and “zeta88,” also tracked as LARVA-368 by PRODAFT. This individual previously led an affiliate crew within the Qilin RaaS program before establishing The Gentlemen as an independent entity in July 2025, following a payment dispute. The primary operator is identified as Russian-speaking and remains actively involved in orchestrating attacks, in addition to managing the RaaS platform.

Consistent with the behavior of Russian-nexus threat actors, The Gentlemen adheres to a strict Commonwealth of Independent States (CIS) exclusion policy. While globally targeting organizations, the group deliberately avoids victims located in CIS countries.

Organizational Structure

Analysis of the leaked Rocket.Chat database reveals a highly organized structure, featuring a core of approximately nine named operators and at least eight distinct affiliate TOX IDs. The key roles identified include:

  • zeta88 / hastalamuerte: Administrator, responsible for locker development, RaaS panel management, target distribution, and payout processing.
  • qbit: Hands-on operator, specializing in Fortinet scanning, NTLM relay attacks, Active Directory reconnaissance, and EDR killer deployment.
  • quant: Focuses on log-based access, credential harvesting, and maintaining tools like OxideHarvest/buildx641.
  • Wick, mAst3r, Protagor: Red-teamers, advertising partners, and collaborators for specific cases.
  • Bl0ck, JeLLy, Kunder, Mamba: Access brokers and support personnel.

The administrator actively leverages AI-assisted development, citing tools like DeepSeek, Qwen, and Kimi for coding and panel creation. The Gentlemen GLOCKER admin panel was reportedly constructed in just three days with AI assistance.

  • Affiliate Revenue Split: Affiliates receive a generous 90% of the ransom, with 10% going to the operators, making it one of the most attractive splits in the ransomware ecosystem.
  • Affiliate Recruitment: The group actively recruits on underground forums like RAMP and BreachForums, seeking penetration testers and initial access brokers.
  • Partnership: An official partnership was established with BreachForums in 2025 to expand its affiliate network.
  • Extortion Model: Employs a double extortion strategy, involving both data encryption and exfiltration.
  • Ransom Range: Initial demands typically hover around $250,000, with observed settlements in leaked transcripts averaging $190,000.
  • Leak Site: Operates a dedicated Tor-based leak site (DLS) complemented by a branded X/Twitter account to exert additional public pressure on victims.

Attack Chain: Step-by-Step Lifecycle

Phase 1: Initial Access

Unlike many ransomware groups, The Gentlemen rarely relies on phishing for initial access. Instead, affiliates systematically target exposed internet-facing infrastructure, primarily FortiGate VPN appliances, Cisco ASA devices, and SonicWall appliances. The group maintained an active inventory of approximately 14,700 compromised FortiGate devices and over 900 validated brute-forced FortiGate VPN credentials for affiliate use.

Common branding credentials identified in leaked data include: gentlemen25, Gentlemen25, and gentle26.

Secondary initial access vectors include:

  • Credentials acquired from infostealer marketplaces.
  • Exploitation of exposed OWA/O365 portals using log-based credential tools, such as quant’s custom log parser.
  • Purchasing pre-compromised enterprise footholds from access brokers.

Phase 2: Reconnaissance and Privilege Escalation

Upon gaining an initial foothold, operators conduct extensive internal reconnaissance using a bespoke offensive toolkit:

  • NetExec (NXC): A versatile framework for Active Directory, SMB, and WinRM operations.
  • RelayKing-Depth: Used for NTLM relay scanning and exploitation.
  • TaskHound: Facilitates task and privilege abuse.
  • PrivHound: Discovers local privilege escalation paths.
  • CertiHound: Enumerates Active Directory Certificate Services (ADCS) misconfigurations (ESC1–ESC17).
  • gogo.exe: A port scanner for identifying exposed services.
  • Advanced IP Scanner / Nmap: Utilized for network mapping (e.g., in the Mackay Sugar incident).
  • KslDump / KslKatz: Tools for Kerberos/LSASS credential dumping.

The group’s primary objective during this phase is to obtain domain administrator credentials and manipulate Group Policy Objects (GPOs) to achieve domain-wide compromise.

Phase 3: Defense Evasion (EDR/AV Killing)

This phase represents The Gentlemen’s signature capability. Before initiating encryption, operators deploy their centralized GentleKiller suite, typically staged in a directory named GentlemenCollection on the target system.

The BYOVD technique operates as follows:

  1. A signed-but-vulnerable kernel driver is dropped to disk.
  2. The driver is loaded as a Windows service using sc create and sc start commands.
  3. User-mode applications send Input/Output Control (IOCTL) commands to the driver, achieving Ring-0 (kernel) privilege.
  4. At kernel level, all targeted security processes are enumerated and terminated, bypassing user-mode tamper protection.

GentleKiller features eight known variants, each impersonating a different legitimate product:

Variant Name Fake Filename Abused Driver ESET Detection
Kaspersky Kasp<suffix>.exe eb.sys (custom rootkit PoC) Win64/KillAV.EA
FACEIT Anti-Cheat FaceIT<suffix>.exe nseckrnl.sys (NSecsoft NSecKrnl) Win64/KillAV.EA
Valorant Valorant<suffix>.exe GameDriverX64.sys / vgk.sys (Tower of Fantasy anti-cheat) Win64/KillAV.EA
Javelin EAAntiCheat<suffix>.exe, EASolo<suffix>.exe stpm_old.sys, stpm_new.sys (Safetica Process Monitor) Win64/KillAV.EA
WatchDog BitD<suffix>.exe dmx.sys (Zemana WatchDog Antimalware) Win64/KillAV.EA
Network Blocker MB<suffix>.exe 360netmon_wfp.sys (Qihoo 360) Win64/KillAV.EA
Cleaner Deletor.exe IMFForceDelete (IObit IMF ForceDelete) Win64/KillAV.EA
G11 G11<suffix>.exe, Symantec<suffix>.exe G11.sys / PoisonX (rootkit PoC) Win64/KillAV.EA

The group also integrates third-party EDR killers into its arsenal:

ESET Name Fake Filename Abused Driver Notes
HexKiller Avast<suffix>.exe googleApiUtil64.sys (Baidu Antivirus BdApi) Previously attributed to Warlock gang
ThrottleBlood Sent<suffix>.exe ThrottleBlood.sys (TechPowerUp LLC ThrottleStop) Also seen in MedusaLocker, DragonForce
HavocKiller HwAudKiller.exe, Sophos<suffix>.exe havoc.sys (Huawei Audio Driver) Active since Jan 2026, disclosed by Huntress Mar 2026

Additional evasion tools from the leaked toolchain include:

  • EDRStartupHinder: Blocks or delays EDR processes during system startup.
  • gfreeze: Utility for freezing EDR processes.
  • glinker: An EDR evasion companion tool for gfreeze.
  • DumpBrowserSecrets: Harvests browser cookies and session tokens.
  • Techniques involving ETW (Event Tracing for Windows) patching and zerosalarium.
  • Titanis: A framework for manipulating Windows ETW and logging.

Binary protection and impersonation strategies are uniformly applied to all EDR killers:

Filename Suffix Protection Fake Signature Fake Version Info
1 Enigma Yes Yes
2 Themida Yes Yes
Light None Yes Yes
Clear None No No

Phase 4: Lateral Movement and Persistence

The Gentlemen ransomware’s self-propagation module (activated with the --spread argument) employs 21 distinct remote execution techniques per target host, exhibiting worm-like behavior:

  • Remote file copy via C$ administrative shares.
  • PsExec-based remote execution, either using an embedded binary or downloading from Sysinternals Live.
  • WMIC process creation (wmic /node:<target> process call create).
  • Scheduled tasks in user context (DefU, UpdateGU, UpdateGU2).
  • Scheduled tasks in SYSTEM context (same tasks, elevated).
  • Windows Services (DefSvc, UpdateSvc, UpdateSvc2).
  • PowerShell Remoting via Invoke-Command (WinRM).
  • PowerShell WMI (Invoke-WmiMethod) as an alternative to wmic.exe.

For persistence, the encryptor establishes two layers:

  • Scheduled tasks: UpdateSystem (SYSTEM context) and UpdateUser (current user context).
  • Registry Run keys: GupdateS under HKLM...Run and GupdateU under HKCU...Run.

Additional persistence mechanisms include AnyDesk remote access software, Cloudflare Zero Trust tunnels, and SystemBC SOCKS5 proxy. The group utilizes Velociraptor as a covert C2 framework, alongside ZeroPulse and Cloudflare tunnels. Lateral movement tools observed include PsExec, PuTTY (in the Mackay Sugar incident), and WinSCP for data exfiltration over encrypted channels.

Phase 5: Data Exfiltration (Pre-Encryption)

The Gentlemen typically exfiltrates substantial volumes of data, ranging from hundreds of gigabytes to several terabytes per victim. WinSCP is used for encrypted file transfers. The group also employs quant’s custom credential and data collector (buildx641/OxideHarvest), which leverages:

  • vssadmin for shadow copy access.
  • ntds.dit extraction.
  • SYSTEM hive copies.
  • MANSPIDER for identifying sensitive file shares.

The group actively reuses data from prior compromises to facilitate new attacks, as exemplified by a UK consultancy breach that was leveraged to gain access to a Turkish company, using stolen internal documents for cross-target enrichment.

Phase 6: Encryption and Impact

Encryption Technology

The encryptor, written in Go and obfuscated with Garble, targets Windows, Linux, NAS, BSD, and ESXi platforms:

  • Cryptographic scheme: A hybrid approach combining Curve25519 and XChaCha20.
  • Key design: Uses a per-file ephemeral Curve25519 key pair, with the ECDH shared secret serving as the XChaCha20 key.
  • Nonce: The first 24 bytes of the ephemeral public key, XOR-mutated per chunk for larger files.
  • Encrypted file extension: Primarily .umc16h, with .7mtzhh observed in some samples.
  • Execution requirement: Requires a build-specific --password argument as an anti-analysis measure.

Encryption Speed Modes

The encryptor supports various speed modes, affecting the percentage of data encrypted in large files:

CLI Argument Per-Chunk % Total Encrypted (Large Files)
(default) 9% ~27%
--fast 3% ~9%
--superfast 1% ~3%
--ultrafast 0.3% ~0.9%

Small files (1 MB or less) are fully encrypted regardless of the chosen speed mode.

Post-Encryption Actions

After encryption, the malware creates a scheduled task (gentlemen_system) to relaunch itself with SYSTEM privileges for encrypting local drives. Other post-encryption actions include:

  • Ransom note: A file named README-GENTLEMEN.txt is dropped in every traversed directory.
  • Desktop wallpaper: The desktop background is changed to %TEMP%gentlemen.bmp.
  • Shadow copy deletion: Uses vssadmin delete shadows /all /quiet and wmic shadowcopy delete to prevent system recovery.
  • Event log clearing: Clears System, Application, and Security event logs using wevtutil.
  • Deletion of forensic artifacts: Removes prefetch files, Defender logs, RDP logs, and PowerShell history.
  • Free space wiping: The --wipe flag overwrites all unallocated disk space with random data.
  • Self-deletion: The encryptor binary removes itself post-execution, unless the --keep flag is specified.

Network Share Discovery

When executed with the --shares argument, the encryptor enables Windows network discovery services (fdrespub, fdPHost, SSDPSRV, upnphost) and removes firewall restrictions to maximize the number of reachable encryption targets.

Known Infection Vectors

Vector Mechanism CVE/Tool Confidence
FortiGate VPN exploitation Authentication bypass in FortiOS/FortiProxy management interface CVE-2024-55591 High (81 mentions in leaked chat logs; 14,700+ compromised devices tracked)
Erlang SSH / Cisco RCE Remote code execution on Cisco and Erlang-based SSH services CVE-2025-32433 High (PoC shared and evaluated in internal Rocket.Chat logs)
NTLM Relay Internal credential relay for privilege escalation post-initial access CVE-2025-33073 High (RelayKing integrated into standard recon workflow)
FortiGate VPN brute-force Credential stuffing/brute-force of VPN web panels ~900+ validated credentials in active use High
Infostealer credentials Purchased from underground markets; OWA/O365 portal abuse N/A High
Access brokers Pre-compromised Fortinet VPN access purchased from “Mamba” and other brokers N/A High
SonicWall VPN, Cisco ASA, Oracle EBS Active reconnaissance and exploit development noted Under research by group Medium
BYOVD kernel driver exploit CVE-2025-7771 ThrottleStop.sys driver for kernel code execution CVE-2025-7771 Medium

Common Vulnerabilities Exploited

CVE Product Vulnerability Type CVSS Status
CVE-2024-55591 Fortinet FortiOS / FortiProxy Authentication bypass in management interface enables unauthenticated super-admin access Critical Patch available, widely unpatched
CVE-2025-32433 Erlang/OTP SSH (Cisco context) Pre-authentication remote code execution Critical PoC actively evaluated by operators
CVE-2025-33073 Windows NTLM NTLM reflection/relay privilege escalation High Actively scanned using RelayKing
CVE-2025-7771 TechPowerUp ThrottleStop.sys Kernel code execution via vulnerable driver (BYOVD) High Integrated as ThrottleBlood.sys
CVE-2023-27532 Veeam Backup & Replication Missing authentication targeted for backup destruction Critical Patching recommended
CVE-2024-37085 VMware ESXi Authentication bypass ESXi locker deployment vector High Patching recommended
Multiple ADCS flaws Microsoft Active Directory Certificate Services ESC1–ESC17 misconfigurations (CertiHound) Variable Enumerated post-compromise

Known Tools Used

Full Toolchain Reference

Category Tool Purpose
EDR Killing (In-House) GentleKiller (8 variants) BYOVD kernel-level security process termination (400+ processes, 48 vendors)
EDR Killing (Third-Party) HexKiller BYOVD EDR killer (Baidu BdApi driver)
EDR Killing (Third-Party) ThrottleBlood BYOVD EDR killer (ThrottleStop.sys driver)
EDR Killing (Third-Party) HavocKiller BYOVD EDR killer (Huawei Audio driver)
EDR Evasion EDRStartupHinder Blocks/delays EDR processes at startup
EDR Evasion gfreeze EDR process freezing utility
EDR Evasion glinker EDR evasion companion tool
Credential Theft OxideHarvest (buildx641.exe) Rust-based credential stealer; harvests browsers, LSASS, NTDS
Credential Theft DumpBrowserSecrets Browser cookie and session token harvester
Credential Theft KslDump / KslKatz Kerberos / LSASS credential dumping
Credential Theft Mimikatz Credential extraction (operator referenced in multiple incidents)
AD Recon NetExec (NXC) SMB, AD, WinRM, LDAP offensive framework
AD Recon RelayKing-Depth NTLM relay path discovery and exploitation
AD Recon CertiHound ADCS misconfiguration enumeration (ESC1–ESC17)
Privilege Escalation PrivHound Local privilege escalation path finder
Privilege Escalation TaskHound Task and privilege abuse
Privilege Escalation RegPwn Registry-based service privilege escalation
Lateral Movement PsExec Remote execution; embedded in ransomware binary
Lateral Movement WinSCP Encrypted data exfiltration
Lateral Movement MANSPIDER Sensitive file share hunting
C2 / Remote Access Velociraptor Covert C2 with LSASS/memory collection
C2 / Remote Access ZeroPulse Remote access framework
C2 / Remote Access AnyDesk Persistent remote access
C2 / Remote Access SystemBC SOCKS5 proxy for covert C2 tunneling
C2 / Remote Access Cloudflare Zero Trust / Tunnels Covert HTTPS tunneling into victim networks
C2 / Remote Access Cobalt Strike Beacon-based C2 framework
Infrastructure gogo.exe Port scanner for initial surface discovery
ETW Evasion Titanis Windows ETW/logging manipulation
ETW Evasion zerosalarium ETW and log-based EDR kill research/techniques
OSINT Sputnik (browser extension) OSINT aggregation for target enrichment
Password Cracking chamd5.org / hashcracking_bot Online hash cracking services
VPN Infrastructure WireGuard, OpenVPN, Double-VPN Operator-side VPN for operational security
GPO Deployment Group Policy Management / Editor Domain-wide ransomware deployment via NETLOGON

Targeted Industries and Victimology

Industries by Victim Count (Top 5)

Rank Industry Victim Count
1 Manufacturing 101
2 Business Services 66
3 Technology 65
4 Healthcare 50
5 Consumer Services 44

Additional sectors frequently targeted include Construction, Education, Transportation, Financial Services, Insurance, Agri-Industrial (food production/sugar processing), Pharmaceuticals, and Critical Infrastructure (OT/ICS environments).

Geographic Focus (Top 5 Countries)

Rank Country Victim Count
1 United States 87
2 Thailand 37
3 France 28
4 Germany 24
5 Australia ~20 (estimated 4th most targeted per CheckPoint)

The Gentlemen notably diverges from many top-tier ransomware gangs by not having a U.S.-centric victimology. Instead, it maintains a significant focus on Southeast Asia, South America, and Western Europe. Targeting decisions are primarily driven by the presence of misconfigured FortiGate devices rather than specific geographic locations.

Notable Attack: Mackay Sugar (June 2026)

In June 2026, The Gentlemen claimed responsibility for a ransomware attack that severely impacted Mackay Sugar, Australia’s second-largest raw sugar producer. The incident forced the shutdown of operations at the Farleigh and Racecourse mills for over a week, causing significant disruptions to cane haulage and affecting more than 1,300 family-owned farms. The attack involved payload deployment via the NETLOGON share and included a double-extortion threat, demanding a ransom to prevent the release of stolen data within 10 days.

What You Should Do

Immediate Priority Actions

  1. Patch CVE-2024-55591 Urgently: The FortiOS authentication bypass is a primary initial access vector for The Gentlemen. Immediately audit all internet-facing FortiGate, FortiProxy, and FortiSwitch devices and apply Fortinet’s patches. Reset credentials for all VPN accounts.
  2. Block GentleKiller Drivers: Utilize Microsoft’s Vulnerable Driver Blocklist and Windows Defender Application Control (WDAC) to block all eight GentleKiller drivers and the three integrated third-party EDR killer drivers. Ensure the complete list of drivers is audited against: eb.sys, nseckrnl.sys, vgk.sys, stpm_old.sys, stpm_new.sys, dmx.sys, 360netmon_wfp.sys, IMFForceDelete, G11.sys, googleApiUtil64.sys, ThrottleBlood.sys, havoc.sys.
  3. Enable HVCI (Memory Integrity): Implement Hypervisor-Protected Code Integrity (HVCI) to prevent the loading of unsigned and vulnerable kernel drivers, thereby blocking the BYOVD attack vector at the hardware level.
  4. Alert on Sysmon Event ID 6 (Driver Loaded): Log all driver loads, including their hash and SignatureStatus, using Sysmon. Cross-reference these logs against known vulnerable drivers (LOLDrivers list) and the Gentlemen-specific driver hashes.
  5. Mandate Phishing-Resistant MFA: Implement multi-factor authentication (MFA) on all VPN, RDP, and OWA endpoints, especially phishing-resistant forms. The group actively brute-forces and credential-stuffs these services. Eliminate single-factor authentication on all external-facing infrastructure.

Detection Rules (SIEM/EDR Alerts)

Alert Priority Detection Rationale
Critical Scheduled task gentlemen_system created Confirmed precursor to SYSTEM-privileged encryption
Critical vssadmin.exe delete shadows or wmic shadowcopy delete Shadow copy deletion is an immediate ransomware indicator
Critical Security, System, Application event logs cleared Observed in 100% of documented incidents
Critical Loading of driver from GentlemenCollection directory Direct staging indicator for EDR killer suite
High Multiple Sysmon EID 6 (driver loads) with non-Microsoft certificates Indicates BYOVD attack in progress
High Set-MpPreference -DisableRealtimeMonitoring $true via PowerShell Defender disabling observed in every incident
High Add-MpPreference -ExclusionPath C: Exclusion of entire C: drive from AV scanning
High svchost32.exe connecting outbound over SOCKS (ports 44729, 37182) Known C2 beacon masquerading as system process
High GPO creation with unknown executable as startup script Precursor to domain-wide ransomware deployment
High Outbound Cloudflare WARP tunnel from non-IT endpoints Pre-encryption staging behavior
Medium Bulk NTLM relay scanning from internal hosts (RelayKing signatures) Pre-encryption network reconnaissance
Medium EDRStartupHinder or gfreeze process names detected Startup EDR evasion tools
Medium New shares created: share$ on C:Temp Lateral movement staging share

Architecture and Hardening

  • Implement Strict IT/OT Network Segmentation: The Gentlemen’s worm-like propagation thrives on flat networks. Segmentation

    Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

    Tags:

    BreachCVECybersecurityExploitMalwarePatchphishingransomwareSecurityVulnerability

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft

Next Post

Critical CVE-2024-XXXXX in GCP Dialogflow Lets Attackers Inject Malicious Code

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection
July 7, 2026
Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical
July 7, 2026
STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us