Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware
AlienVault pulse, 2026-05-11 (modified 2026-05-11). WHITE. 45 IOCs, medium volume.
An intrusion was observed in April 2026 in which threat actors deployed EtherRAT malware through a malicious MSI installer disguised as a Sysinternals tool. The malware used the Ethereum blockchain, via the EtherHiding technique, to fetch dynamic C2 configuration updates. Following reconnaissance, the actors deployed the TukTuk malware framework using DLL sideloading against legitimate applications such as Greenshot and SyncTrayzor. TukTuk established C2 channels through SaaS platforms including ClickHouse and Supabase, with backup channels via Ably, Dropbox, and GitHub Issues. The actors performed Kerberoasting, stole credentials with Mimikatz and LSASS dumping, and deployed GoTo Resolve RMM tooling for lateral movement. Data was exfiltrated to Wasabi cloud storage with Rclone before The Gentlemen ransomware was deployed domain-wide through a malicious GPO. The intrusion leveraged blockchain infrastructure, SaaS platforms, and decentralized services to evade traditional network defenses.
Indicators of Compromise (45)