Threats Tagged 'powerrun'

The Gentlemen is an active ransomware and extortion operation that emerged publicly in the second half of 2025, rapidly escalating into a high-volume threat actor. The group appears to be a continuation or reorganization of prior ransomware affiliate activity, with reported connections to the Qilin ecosystem and the Russian-speaking actor 'hastalamuerte.' This growth likely reflects existing ransomware experience, affiliate relationships, and access to established resources. Underground sources indicate attempts to sell data allegedly connected to The Gentlemen ransomware activity, though the available information lacks sufficient victim-specific or technical details to confirm authenticity. The operation utilizes SystemBC for command and control communications and deploys ransomware variants targeting both Windows and Linux systems.

Trigona ransomware affiliates have developed and deployed a custom exfiltration tool named uploader_client. exe, observed in attacks during March 2026. This tool uses parallel data streams, connection rotation, and file filtering to evade detection and streamline data theft. Attackers disable endpoint protections at the kernel level using multiple utilities before exfiltration. Remote access and credential theft are facilitated by AnyDesk and tools like Mimikatz. This represents a more technically sophisticated approach than typical ransomware affiliate operations.