{ "type": "MD5", "indicator": "7a262d4cbbc4808932b6af42c4041f06", "general": { "sections": [ "general", "analysis" ], "type": "md5", "type_title": "FileHash-MD5", "indicator": "7a262d4cbbc4808932b6af42c4041f06", "validation": [], "base_indicator": { "id": 4322484172, "indicator": "9e951cf2f868b71aaaa05966d8eb96d333b80106", "type": "FileHash-SHA1", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "6a189defc88ad66cd0a9d87d", "name": "The Gentlemen ransomware: Dissecting a self-propagating Go encryptor", "description": "The Gentlemen is a ransomware-as-a-service operation tracked as Storm-2697, distinguished by combining robust per-file encryption using Curve25519 with XChaCha20 stream cipher alongside aggressive self-propagation capabilities designed for broad network compromise. Emerging in mid-2025 and transitioning to RaaS by September 2025, the operation recently partnered with BreachForums to recruit affiliates including penetration testers and initial access brokers. Written in Go and obfuscated with Garble, the ransomware employs double extortion tactics, encrypting data while exfiltrating sensitive information. It utilizes 21 distinct lateral movement techniques per target host, including PsExec, WMI, scheduled tasks, services, and PowerShell remoting. The malware disables defenses, deletes shadow copies and forensic artifacts, and can optionally wipe free disk space to prevent recovery, impacting organizations globally across education, transportation, healthcare, and finance sectors.", "modified": "2026-05-29T10:37:45.345000", "created": "2026-05-28T19:56:31.232000", "tags": [ "go language", "kazuar", "ransomware-as-a-service", "the gentlemen" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/" ], "public": 1, "adversary": "Storm-2697", "targeted_countries": [], "malware_families": [ { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Kazuar - S0265", "display_name": "Kazuar - S0265", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1021.003", "name": "Distributed Component Object Model", "display_name": "T1021.003 - Distributed Component Object Model" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [ "Education", "Transportation", "Healthcare", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6a04aad1cd2da41f0087f85d", "name": "Thus Spoke\u2026The Gentlemen", "description": "On May 4th, 2026, The Gentlemen RaaS administrator acknowledged that an internal backend database called Rocket had been leaked, exposing nine accounts including zeta88, the program's effective administrator. The leak revealed internal discussions detailing initial access methods through Fortinet and Cisco edge appliances, NTLM relay, and credential logs, along with the group's role divisions and toolsets. Evidence shows evaluation of CVEs including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. Leaked ransom negotiations showed a successful payment of 190,000 USD. The group reused stolen data from a UK software consultancy to attack a Turkish company, employing dual-pressure tactics during negotiations. Analysis of ransomware samples identified eight distinct affiliate TOX IDs, indicating the administrator actively participates in infections alongside managing the RaaS program.", "modified": "2026-05-14T08:21:27.325000", "created": "2026-05-13T16:46:09.167000", "tags": [ "cve-2025-32433", "raas", "systembc", "cisco", "cryptocurrency", "cve-2024-55591", "fortinet", "data-leak", "ntlm-relay", "the gentlemen", "affiliate-program", "ransomware-as-a-service", "tox-ids", "cve-2025-33073" ], "references": [ "https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/" ], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 56, "FileHash-SHA1": 27, "FileHash-SHA256": 33 }, "indicator_count": 119, "is_author": false, "is_subscribing": null, "subscriber_count": 386447, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69e63f93a0ddbd53fcab3f51", "name": "The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy", "description": "The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...", "modified": "2026-04-20T16:29:35.184000", "created": "2026-04-20T15:00:35.743000", "tags": [ "cobalt-strike", "domain-compromise", "the gentlemen", "psexec", "systembc", "esxi-encryption", "lateral-movement", "cobalt strike", "anydesk", "ransomware-as-a-service", "mimikatz", "group-policy-deployment" ], "references": [ "https://research.checkpoint.com/2026/dfir-report-the-gentlemen/" ], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [ "United States of America", "Germany", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "AnyDesk", "display_name": "AnyDesk", "target": null }, { "id": "PsExec", "display_name": "PsExec", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1053.003", "name": "Cron", "display_name": "T1053.003 - Cron" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "display_name": "T1562.007 - Disable or Modify Cloud Firewall" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1037.004", "name": "RC Scripts", "display_name": "T1037.004 - RC Scripts" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 10, "FileHash-SHA256": 26, "URL": 1, "domain": 1 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "40 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1b0e5bb3f1a283bd684ef5", "name": "The Gentlemen Ransomware Leverages SYSTEM Tasks for Attack Execution", "description": "", "modified": "2026-05-30T16:20:43.067000", "created": "2026-05-30T16:20:43.067000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "3 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f32bff38251e177e78b526", "name": "EbeeApril2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:16:31.340000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20243721 cve" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 63, "CVE": 8, "FileHash-MD5": 216, "FileHash-SHA1": 220, "FileHash-SHA256": 246, "domain": 98, "hostname": 95 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69e0c75ee5ca57ac39bdda56", "name": "EbeeApril2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-22T23:04:42.859000", "created": "2026-04-16T11:26:22.347000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "STX RAT, Deploying NetSupport RAT via Compromised Websites, AngrySpark, Abusing n8n platform", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 8, "FileHash-MD5": 223, "FileHash-SHA1": 235, "FileHash-SHA256": 214, "URL": 54, "domain": 70, "hostname": 64 }, "indicator_count": 868, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69e8354186e254acafbb389d", "name": "IOC - DFIR Report \u2013 The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy", "description": "The Gentlemen ransomware\u2011as\u2011a\u2011service (RaaS) operation is a relatively new group that emerged around mid\u20112025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates.", "modified": "2026-05-22T02:03:39.507000", "created": "2026-04-22T02:41:05.572000", "tags": [ "cobalt strike", "systembc", "systembc c", "embedded", "gentlemen linux" ], "references": [ "https://research.checkpoint.com/2026/dfir-report-the-gentlemen/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 25, "FileHash-SHA256": 27 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6a0dc18cb2b6ffed13b1133d", "name": "Payload_Delivery | May 21, 2026", "description": "Payload_Delivery indicators. Date: May 21, 2026. Total: 1132 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-20T14:13:32.670000", "created": "2026-05-20T14:13:32.670000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 146, "hostname": 209, "domain": 565, "FileHash-SHA256": 187, "FileHash-SHA1": 1 }, "indicator_count": 1108, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a0c706a4570464ea826710f", "name": "Payload_Delivery | May 20, 2026", "description": "Payload_Delivery indicators. Date: May 20, 2026. Total: 1355 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-19T14:15:06.773000", "created": "2026-05-19T14:15:06.773000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 785, "URL": 165, "hostname": 200, "FileHash-SHA256": 186 }, "indicator_count": 1336, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a0b1eafa4fc425bfbc141f6", "name": "Payload_Delivery | May 19, 2026", "description": "Payload_Delivery indicators. Date: May 19, 2026. Total: 1328 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-18T14:14:07.911000", "created": "2026-05-18T14:14:07.911000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 761, "hostname": 191, "FileHash-SHA256": 179, "URL": 180 }, "indicator_count": 1311, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a09cd003ba94200d4137b0b", "name": "Payload_Delivery | May 18, 2026", "description": "Payload_Delivery indicators. Date: May 18, 2026. Total: 1585 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-17T14:13:20.977000", "created": "2026-05-17T14:13:20.977000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 965, "hostname": 242, "URL": 187, "FileHash-SHA256": 175 }, "indicator_count": 1569, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a087b851ae1c647a5a9be34", "name": "Payload_Delivery | May 17, 2026", "description": "Payload_Delivery indicators. Date: May 17, 2026. Total: 1929 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-16T14:13:25.335000", "created": "2026-05-16T14:13:25.335000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 863, "hostname": 691, "URL": 187, "FileHash-SHA256": 175 }, "indicator_count": 1916, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a072a0cca5a4ed82ebc7d79", "name": "Payload_Delivery | May 16, 2026 | Part 1/2", "description": "Payload_Delivery indicators. Date: May 16, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-15T14:13:32.373000", "created": "2026-05-15T14:13:32.373000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 798, "URL": 198, "hostname": 921, "FileHash-SHA256": 67, "FileHash-MD5": 2 }, "indicator_count": 1986, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a06a55ea41ca0f2894e09e1", "name": "Thus Spoke\u2026The Gentlemen", "description": "", "modified": "2026-05-15T04:47:26.512000", "created": "2026-05-15T04:47:26.512000", "tags": [ "cve-2025-32433", "raas", "systembc", "cisco", "cryptocurrency", "cve-2024-55591", "fortinet", "data-leak", "ntlm-relay", "the gentlemen", "affiliate-program", "ransomware-as-a-service", "tox-ids", "cve-2025-33073" ], "references": [ "https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/" ], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "6a04aad1cd2da41f0087f85d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 56, "FileHash-SHA1": 27, "FileHash-SHA256": 33 }, "indicator_count": 119, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6a05d886dccb63fe1849db73", "name": "Payload_Delivery | May 15, 2026 | Part 1/2", "description": "Payload_Delivery indicators. Date: May 15, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-14T14:13:26.205000", "created": "2026-05-14T14:13:26.205000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 731, "URL": 185, "hostname": 1003, "FileHash-SHA256": 67, "FileHash-MD5": 2 }, "indicator_count": 1988, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a052c2661957e15fec03c34", "name": "IOC - Thus Spoke\u2026The Gentlemen", "description": "The Gentlemen ransomware\u2011as\u2011a\u2011service (RaaS) operation is a relatively new group that emerged around mid\u20112025. Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting penetration testers and other technically skilled actors to join as affiliates.", "modified": "2026-05-14T01:57:58.400000", "created": "2026-05-14T01:57:58.400000", "tags": [ "gentlemen linux" ], "references": [ "https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 33 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69e6fc1c4220f1638cd934bb", "name": "The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy", "description": "", "modified": "2026-04-21T04:25:00.821000", "created": "2026-04-21T04:25:00.821000", "tags": [ "cobalt-strike", "domain-compromise", "the gentlemen", "psexec", "systembc", "esxi-encryption", "lateral-movement", "cobalt strike", "anydesk", "ransomware-as-a-service", "mimikatz", "group-policy-deployment" ], "references": [ "https://research.checkpoint.com/2026/dfir-report-the-gentlemen/" ], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [ "United States of America", "Germany", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "AnyDesk", "display_name": "AnyDesk", "target": null }, { "id": "PsExec", "display_name": "PsExec", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1053.003", "name": "Cron", "display_name": "T1053.003 - Cron" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "display_name": "T1562.007 - Disable or Modify Cloud Firewall" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1037.004", "name": "RC Scripts", "display_name": "T1037.004 - RC Scripts" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": "69e63f93a0ddbd53fcab3f51", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 10, "FileHash-SHA256": 26, "URL": 1, "domain": 1 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "39 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "https://research.checkpoint.com/2026/dfir-report-the-gentlemen/", "IOCs.2026.csv", "IOCs.April.pdf", "https://ltna.com.au/cyber", "https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/", "https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/" ], "related": { "alienvault": { "adversary": [ "Storm-2697", "The Gentlemen" ], "malware_families": [ "The gentlemen", "Kazuar - s0265", "Systembc", "Anydesk", "Cobalt strike - s0154", "Mimikatz", "Psexec" ], "industries": [ "Education", "Transportation", "Technology", "Healthcare", "Finance" ] }, "other": { "adversary": [ "STX RAT, Deploying NetSupport RAT via Compromised Websites, AngrySpark, Abusing n8n platform", "The Gentlemen", "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot" ], "malware_families": [ "The gentlemen", "Systembc", "Anydesk", "Cobalt strike - s0154", "Mimikatz", "Psexec" ], "industries": [ "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "6a189defc88ad66cd0a9d87d", "name": "The Gentlemen ransomware: Dissecting a self-propagating Go encryptor", "description": "The Gentlemen is a ransomware-as-a-service operation tracked as Storm-2697, distinguished by combining robust per-file encryption using Curve25519 with XChaCha20 stream cipher alongside aggressive self-propagation capabilities designed for broad network compromise. Emerging in mid-2025 and transitioning to RaaS by September 2025, the operation recently partnered with BreachForums to recruit affiliates including penetration testers and initial access brokers. Written in Go and obfuscated with Garble, the ransomware employs double extortion tactics, encrypting data while exfiltrating sensitive information. It utilizes 21 distinct lateral movement techniques per target host, including PsExec, WMI, scheduled tasks, services, and PowerShell remoting. The malware disables defenses, deletes shadow copies and forensic artifacts, and can optionally wipe free disk space to prevent recovery, impacting organizations globally across education, transportation, healthcare, and finance sectors.", "modified": "2026-05-29T10:37:45.345000", "created": "2026-05-28T19:56:31.232000", "tags": [ "go language", "kazuar", "ransomware-as-a-service", "the gentlemen" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/" ], "public": 1, "adversary": "Storm-2697", "targeted_countries": [], "malware_families": [ { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Kazuar - S0265", "display_name": "Kazuar - S0265", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1021.003", "name": "Distributed Component Object Model", "display_name": "T1021.003 - Distributed Component Object Model" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [ "Education", "Transportation", "Healthcare", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6a04aad1cd2da41f0087f85d", "name": "Thus Spoke\u2026The Gentlemen", "description": "On May 4th, 2026, The Gentlemen RaaS administrator acknowledged that an internal backend database called Rocket had been leaked, exposing nine accounts including zeta88, the program's effective administrator. The leak revealed internal discussions detailing initial access methods through Fortinet and Cisco edge appliances, NTLM relay, and credential logs, along with the group's role divisions and toolsets. Evidence shows evaluation of CVEs including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. Leaked ransom negotiations showed a successful payment of 190,000 USD. The group reused stolen data from a UK software consultancy to attack a Turkish company, employing dual-pressure tactics during negotiations. Analysis of ransomware samples identified eight distinct affiliate TOX IDs, indicating the administrator actively participates in infections alongside managing the RaaS program.", "modified": "2026-05-14T08:21:27.325000", "created": "2026-05-13T16:46:09.167000", "tags": [ "cve-2025-32433", "raas", "systembc", "cisco", "cryptocurrency", "cve-2024-55591", "fortinet", "data-leak", "ntlm-relay", "the gentlemen", "affiliate-program", "ransomware-as-a-service", "tox-ids", "cve-2025-33073" ], "references": [ "https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/" ], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 56, "FileHash-SHA1": 27, "FileHash-SHA256": 33 }, "indicator_count": 119, "is_author": false, "is_subscribing": null, "subscriber_count": 386447, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69e63f93a0ddbd53fcab3f51", "name": "The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy", "description": "The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...", "modified": "2026-04-20T16:29:35.184000", "created": "2026-04-20T15:00:35.743000", "tags": [ "cobalt-strike", "domain-compromise", "the gentlemen", "psexec", "systembc", "esxi-encryption", "lateral-movement", "cobalt strike", "anydesk", "ransomware-as-a-service", "mimikatz", "group-policy-deployment" ], "references": [ "https://research.checkpoint.com/2026/dfir-report-the-gentlemen/" ], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [ "United States of America", "Germany", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "AnyDesk", "display_name": "AnyDesk", "target": null }, { "id": "PsExec", "display_name": "PsExec", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1053.003", "name": "Cron", "display_name": "T1053.003 - Cron" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "display_name": "T1562.007 - Disable or Modify Cloud Firewall" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1037.004", "name": "RC Scripts", "display_name": "T1037.004 - RC Scripts" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 10, "FileHash-SHA256": 26, "URL": 1, "domain": 1 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "40 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1b0e5bb3f1a283bd684ef5", "name": "The Gentlemen Ransomware Leverages SYSTEM Tasks for Attack Execution", "description": "", "modified": "2026-05-30T16:20:43.067000", "created": "2026-05-30T16:20:43.067000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "3 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f32bff38251e177e78b526", "name": "EbeeApril2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:16:31.340000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20243721 cve" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 63, "CVE": 8, "FileHash-MD5": 216, "FileHash-SHA1": 220, "FileHash-SHA256": 246, "domain": 98, "hostname": 95 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69e0c75ee5ca57ac39bdda56", "name": "EbeeApril2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-22T23:04:42.859000", "created": "2026-04-16T11:26:22.347000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "STX RAT, Deploying NetSupport RAT via Compromised Websites, AngrySpark, Abusing n8n platform", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 8, "FileHash-MD5": 223, "FileHash-SHA1": 235, "FileHash-SHA256": 214, "URL": 54, "domain": 70, "hostname": 64 }, "indicator_count": 868, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69e8354186e254acafbb389d", "name": "IOC - DFIR Report \u2013 The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy", "description": "The Gentlemen ransomware\u2011as\u2011a\u2011service (RaaS) operation is a relatively new group that emerged around mid\u20112025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates.", "modified": "2026-05-22T02:03:39.507000", "created": "2026-04-22T02:41:05.572000", "tags": [ "cobalt strike", "systembc", "systembc c", "embedded", "gentlemen linux" ], "references": [ "https://research.checkpoint.com/2026/dfir-report-the-gentlemen/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 25, "FileHash-SHA256": 27 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6a0dc18cb2b6ffed13b1133d", "name": "Payload_Delivery | May 21, 2026", "description": "Payload_Delivery indicators. Date: May 21, 2026. Total: 1132 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-20T14:13:32.670000", "created": "2026-05-20T14:13:32.670000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 146, "hostname": 209, "domain": 565, "FileHash-SHA256": 187, "FileHash-SHA1": 1 }, "indicator_count": 1108, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a0c706a4570464ea826710f", "name": "Payload_Delivery | May 20, 2026", "description": "Payload_Delivery indicators. Date: May 20, 2026. Total: 1355 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-19T14:15:06.773000", "created": "2026-05-19T14:15:06.773000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 785, "URL": 165, "hostname": 200, "FileHash-SHA256": 186 }, "indicator_count": 1336, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "7a262d4cbbc4808932b6af42c4041f06", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "7a262d4cbbc4808932b6af42c4041f06", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780169928.7455084 }