
Rapid growth and a new ransomware variant

Medium
Published: 06/29/2026 (06/29/2026, 11:01:00 UTC)
Source: AlienVault OTX General

Description

The Gentlemen ransomware-as-a-service group emerged as a top-10 threat actor in the first half of 2026. The group exploits vulnerabilities in internet-facing devices like VPNs and firewalls, potentially collaborating with initial access brokers. They employ comprehensive reconnaissance using tools like SharpADWS, NetScan, and Advanced IP Scanner, capturing network traffic with netsh. The attackers disable security products through BYOVD techniques using vulnerable drivers, and deploy custom Go-based backdoors and ransomware variants. They spread laterally via GPO deployment and PsExec, encrypt files using Curve25519 and XChaCha20, and recently developed a C-based ransomware variant using AES256-GCM and RSA. The group targets multiple industries worldwide, particularly in Brazil, China, Indonesia, Taiwan, and Thailand, with attacks focusing on manufacturing, IT services, healthcare, and financial sectors.

AI-Powered Analysis

Machine-generated threat intelligence

AI last updated: 06/30/2026, 07:06:18 UTC

Technical Analysis

The Gentlemen ransomware-as-a-service group emerged as a top-10 threat actor in the first half of 2026. They exploit vulnerabilities in internet-facing devices like VPNs and firewalls, potentially in collaboration with initial access brokers. Their attack methodology includes comprehensive reconnaissance using tools such as SharpADWS, NetScan, and Advanced IP Scanner, and capturing network traffic with netsh. They disable security products through Bring Your Own Vulnerable Driver (BYOVD) techniques, leveraging vulnerable drivers to evade detection. The group deploys custom backdoors written in Go and ransomware variants that encrypt files using Curve25519 and XChaCha20. Recently, they developed a C-based ransomware variant employing AES256-GCM and RSA encryption. Lateral movement is achieved via Group Policy Object deployment and PsExec. The group targets multiple industries worldwide, with a focus on Brazil, China, Indonesia, Taiwan, and Thailand, especially in manufacturing, IT services, healthcare, and financial sectors.

Potential Impact

The threat actor's activities result in network compromise through exploitation of vulnerable internet-facing devices, disabling of security controls, and deployment of ransomware that encrypts files with strong cryptographic algorithms. This leads to potential operational disruption and data loss across multiple critical industries globally. The use of advanced lateral movement techniques increases the scope and impact of infections within targeted networks.

Mitigation Recommendations

No official patch or remediation is specified for this threat actor or their ransomware variants. Organizations should monitor vendor advisories for vulnerabilities in internet-facing devices such as VPNs and firewalls and apply security updates promptly. Mitigation should focus on hardening perimeter devices, detecting and preventing the use of vulnerable drivers, and monitoring for indicators of lateral movement such as unusual Group Policy Object deployments and PsExec usage. Since this is a ransomware-as-a-service operation, incident response plans should include ransomware-specific containment and recovery procedures. Patch status is not yet confirmed — check vendor advisories for current remediation guidance.


Technical Details

Author: AlienVault
TLP: white
References: https://securelist.com/the-gentlemen-raas/120447/
Adversary: The Gentlemen
Pulse Id: 6a42506c95cc259404196a5b
Threat Score: null

Indicators of Compromise

Domain

rsat.activedirectory.ds-lds.tools

Hash


Ip

81.177.215.15

Threat ID: 6a43677227e9c79719412a92

Added to database: 06/30/2026, 06:51:30 UTC

Last enriched: 06/30/2026, 07:06:18 UTC

Last updated: 07/01/2026, 00:00:37 UTC

Views: 45
