{ "type": "SHA256", "indicator": "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68", "validation": [], "base_indicator": { "id": 4319567656, "indicator": "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68", "type": "FileHash-SHA256", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6a189defc88ad66cd0a9d87d", "name": "The Gentlemen ransomware: Dissecting a self-propagating Go encryptor", "description": "The Gentlemen is a ransomware-as-a-service operation tracked as Storm-2697, distinguished by combining robust per-file encryption using Curve25519 with XChaCha20 stream cipher alongside aggressive self-propagation capabilities designed for broad network compromise. Emerging in mid-2025 and transitioning to RaaS by September 2025, the operation recently partnered with BreachForums to recruit affiliates including penetration testers and initial access brokers. Written in Go and obfuscated with Garble, the ransomware employs double extortion tactics, encrypting data while exfiltrating sensitive information. It utilizes 21 distinct lateral movement techniques per target host, including PsExec, WMI, scheduled tasks, services, and PowerShell remoting. The malware disables defenses, deletes shadow copies and forensic artifacts, and can optionally wipe free disk space to prevent recovery, impacting organizations globally across education, transportation, healthcare, and finance sectors.", "modified": "2026-05-29T10:37:45.345000", "created": "2026-05-28T19:56:31.232000", "tags": [ "go language", "kazuar", "ransomware-as-a-service", "the gentlemen" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/" ], "public": 1, "adversary": "Storm-2697", "targeted_countries": [], "malware_families": [ { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Kazuar - S0265", "display_name": "Kazuar - S0265", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1021.003", "name": "Distributed Component Object Model", "display_name": "T1021.003 - Distributed Component Object Model" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [ "Education", "Transportation", "Healthcare", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a043fa88d6fd92063164a04", "name": "LBIOC-20260071 - The Gentlemens Leak", "description": "The Gentlemen is an active ransomware and extortion operation that emerged publicly in the second half of 2025, rapidly escalating into a high-volume threat actor. The group appears to be a continuation or reorganization of prior ransomware affiliate activity, with reported connections to the Qilin ecosystem and the Russian-speaking actor 'hastalamuerte.' This growth likely reflects existing ransomware experience, affiliate relationships, and access to established resources. Underground sources indicate attempts to sell data allegedly connected to The Gentlemen ransomware activity, though the available information lacks sufficient victim-specific or technical details to confirm authenticity. The operation utilizes SystemBC for command and control communications and deploys ransomware variants targeting both Windows and Linux systems.", "modified": "2026-05-13T09:46:08.486000", "created": "2026-05-13T09:08:56.231000", "tags": [ "hastalamuerte", "linux", "systembc", "ransomware", "the gentlemen", "affiliate", "data-leak", "windows", "powerrun", "killav", "qilin", "extortion" ], "references": [], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [], "malware_families": [ { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "KillAV", "display_name": "KillAV", "target": null }, { "id": "PowerRun", "display_name": "PowerRun", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "FileHash-MD5": 22, "FileHash-SHA1": 22, "FileHash-SHA256": 24 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e63f93a0ddbd53fcab3f51", "name": "The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy", "description": "The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...", "modified": "2026-04-20T16:29:35.184000", "created": "2026-04-20T15:00:35.743000", "tags": [ "cobalt-strike", "domain-compromise", "the gentlemen", "psexec", "systembc", "esxi-encryption", "lateral-movement", "cobalt strike", "anydesk", "ransomware-as-a-service", "mimikatz", "group-policy-deployment" ], "references": [ "https://research.checkpoint.com/2026/dfir-report-the-gentlemen/" ], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [ "United States of America", "Germany", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "AnyDesk", "display_name": "AnyDesk", "target": null }, { "id": "PsExec", "display_name": "PsExec", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1053.003", "name": "Cron", "display_name": "T1053.003 - Cron" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "display_name": "T1562.007 - Disable or Modify Cloud Firewall" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1037.004", "name": "RC Scripts", "display_name": "T1037.004 - RC Scripts" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 10, "FileHash-SHA256": 26, "URL": 1, "domain": 1 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "40 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f32bff38251e177e78b526", "name": "EbeeApril2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:16:31.340000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20243721 cve" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 63, "CVE": 8, "FileHash-MD5": 216, "FileHash-SHA1": 220, "FileHash-SHA256": 246, "domain": 98, "hostname": 95 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e0c75ee5ca57ac39bdda56", "name": "EbeeApril2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-22T23:04:42.859000", "created": "2026-04-16T11:26:22.347000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "STX RAT, Deploying NetSupport RAT via Compromised Websites, AngrySpark, Abusing n8n platform", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 8, "FileHash-MD5": 223, "FileHash-SHA1": 235, "FileHash-SHA256": 214, "URL": 54, "domain": 70, "hostname": 64 }, "indicator_count": 868, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e8354186e254acafbb389d", "name": "IOC - DFIR Report \u2013 The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy", "description": "The Gentlemen ransomware\u2011as\u2011a\u2011service (RaaS) operation is a relatively new group that emerged around mid\u20112025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates.", "modified": "2026-05-22T02:03:39.507000", "created": "2026-04-22T02:41:05.572000", "tags": [ "cobalt strike", "systembc", "systembc c", "embedded", "gentlemen linux" ], "references": [ "https://research.checkpoint.com/2026/dfir-report-the-gentlemen/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 25, "FileHash-SHA256": 27 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a055348647abd23c0a6cd7d", "name": "LBIOC-20260071 - The Gentlemens Leak", "description": "", "modified": "2026-05-14T04:44:56.142000", "created": "2026-05-14T04:44:56.142000", "tags": [ "hastalamuerte", "linux", "systembc", "ransomware", "the gentlemen", "affiliate", "data-leak", "windows", "powerrun", "killav", "qilin", "extortion" ], "references": [], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [], "malware_families": [ { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "KillAV", "display_name": "KillAV", "target": null }, { "id": "PowerRun", "display_name": "PowerRun", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [], "TLP": "white", "cloned_from": "6a043fa88d6fd92063164a04", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "FileHash-MD5": 22, "FileHash-SHA1": 22, "FileHash-SHA256": 24 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a04ed136aebaf3b6cdfe52c", "name": "LBIOC-20260071 - The Gentlemens Leak CREATED 12 HOURS AGO MODIFIED 12 HOURS AGO by AlienVault", "description": "", "modified": "2026-05-13T21:55:05.346000", "created": "2026-05-13T21:28:51.760000", "tags": [ "hastalamuerte", "linux", "systembc", "ransomware", "the gentlemen", "affiliate", "data-leak", "windows", "powerrun", "killav", "qilin", "extortion" ], "references": [], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [], "malware_families": [ { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "KillAV", "display_name": "KillAV", "target": null }, { "id": "PowerRun", "display_name": "PowerRun", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [], "TLP": "white", "cloned_from": "6a043fa88d6fd92063164a04", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 14, "FileHash-MD5": 25, "FileHash-SHA1": 25, "FileHash-SHA256": 85, "hostname": 22, "domain": 6, "URL": 30, "email": 3 }, "indicator_count": 210, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e6fc1c4220f1638cd934bb", "name": "The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy", "description": "", "modified": "2026-04-21T04:25:00.821000", "created": "2026-04-21T04:25:00.821000", "tags": [ "cobalt-strike", "domain-compromise", "the gentlemen", "psexec", "systembc", "esxi-encryption", "lateral-movement", "cobalt strike", "anydesk", "ransomware-as-a-service", "mimikatz", "group-policy-deployment" ], "references": [ "https://research.checkpoint.com/2026/dfir-report-the-gentlemen/" ], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [ "United States of America", "Germany", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "AnyDesk", "display_name": "AnyDesk", "target": null }, { "id": "PsExec", "display_name": "PsExec", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1053.003", "name": "Cron", "display_name": "T1053.003 - Cron" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "display_name": "T1562.007 - Disable or Modify Cloud Firewall" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1037.004", "name": "RC Scripts", "display_name": "T1037.004 - RC Scripts" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": "69e63f93a0ddbd53fcab3f51", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 10, "FileHash-SHA256": 26, "URL": 1, "domain": 1 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "39 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "IOCs.April.pdf", "IOCs.2026.csv", "IOCs.csv", "https://research.checkpoint.com/2026/dfir-report-the-gentlemen/", "https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/" ], "related": { "alienvault": { "adversary": [ "Storm-2697", "The Gentlemen" ], "malware_families": [ "Anydesk", "Kazuar - s0265", "Mimikatz", "Psexec", "Powerrun", "The gentlemen", "Systembc", "Cobalt strike - s0154", "Killav" ], "industries": [ "Finance", "Education", "Transportation", "Healthcare" ] }, "other": { "adversary": [ "STX RAT, Deploying NetSupport RAT via Compromised Websites, AngrySpark, Abusing n8n platform", "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "The Gentlemen" ], "malware_families": [ "Anydesk", "Mimikatz", "Psexec", "Powerrun", "The gentlemen", "Cobalt strike - s0154", "Systembc", "Killav" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6a189defc88ad66cd0a9d87d", "name": "The Gentlemen ransomware: Dissecting a self-propagating Go encryptor", "description": "The Gentlemen is a ransomware-as-a-service operation tracked as Storm-2697, distinguished by combining robust per-file encryption using Curve25519 with XChaCha20 stream cipher alongside aggressive self-propagation capabilities designed for broad network compromise. Emerging in mid-2025 and transitioning to RaaS by September 2025, the operation recently partnered with BreachForums to recruit affiliates including penetration testers and initial access brokers. Written in Go and obfuscated with Garble, the ransomware employs double extortion tactics, encrypting data while exfiltrating sensitive information. It utilizes 21 distinct lateral movement techniques per target host, including PsExec, WMI, scheduled tasks, services, and PowerShell remoting. The malware disables defenses, deletes shadow copies and forensic artifacts, and can optionally wipe free disk space to prevent recovery, impacting organizations globally across education, transportation, healthcare, and finance sectors.", "modified": "2026-05-29T10:37:45.345000", "created": "2026-05-28T19:56:31.232000", "tags": [ "go language", "kazuar", "ransomware-as-a-service", "the gentlemen" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/" ], "public": 1, "adversary": "Storm-2697", "targeted_countries": [], "malware_families": [ { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Kazuar - S0265", "display_name": "Kazuar - S0265", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1021.003", "name": "Distributed Component Object Model", "display_name": "T1021.003 - Distributed Component Object Model" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [ "Education", "Transportation", "Healthcare", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a043fa88d6fd92063164a04", "name": "LBIOC-20260071 - The Gentlemens Leak", "description": "The Gentlemen is an active ransomware and extortion operation that emerged publicly in the second half of 2025, rapidly escalating into a high-volume threat actor. The group appears to be a continuation or reorganization of prior ransomware affiliate activity, with reported connections to the Qilin ecosystem and the Russian-speaking actor 'hastalamuerte.' This growth likely reflects existing ransomware experience, affiliate relationships, and access to established resources. Underground sources indicate attempts to sell data allegedly connected to The Gentlemen ransomware activity, though the available information lacks sufficient victim-specific or technical details to confirm authenticity. The operation utilizes SystemBC for command and control communications and deploys ransomware variants targeting both Windows and Linux systems.", "modified": "2026-05-13T09:46:08.486000", "created": "2026-05-13T09:08:56.231000", "tags": [ "hastalamuerte", "linux", "systembc", "ransomware", "the gentlemen", "affiliate", "data-leak", "windows", "powerrun", "killav", "qilin", "extortion" ], "references": [], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [], "malware_families": [ { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "KillAV", "display_name": "KillAV", "target": null }, { "id": "PowerRun", "display_name": "PowerRun", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "FileHash-MD5": 22, "FileHash-SHA1": 22, "FileHash-SHA256": 24 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e63f93a0ddbd53fcab3f51", "name": "The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy", "description": "The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...", "modified": "2026-04-20T16:29:35.184000", "created": "2026-04-20T15:00:35.743000", "tags": [ "cobalt-strike", "domain-compromise", "the gentlemen", "psexec", "systembc", "esxi-encryption", "lateral-movement", "cobalt strike", "anydesk", "ransomware-as-a-service", "mimikatz", "group-policy-deployment" ], "references": [ "https://research.checkpoint.com/2026/dfir-report-the-gentlemen/" ], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [ "United States of America", "Germany", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "AnyDesk", "display_name": "AnyDesk", "target": null }, { "id": "PsExec", "display_name": "PsExec", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1053.003", "name": "Cron", "display_name": "T1053.003 - Cron" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "display_name": "T1562.007 - Disable or Modify Cloud Firewall" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1037.004", "name": "RC Scripts", "display_name": "T1037.004 - RC Scripts" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 10, "FileHash-SHA256": 26, "URL": 1, "domain": 1 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "40 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f32bff38251e177e78b526", "name": "EbeeApril2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:16:31.340000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20243721 cve" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 63, "CVE": 8, "FileHash-MD5": 216, "FileHash-SHA1": 220, "FileHash-SHA256": 246, "domain": 98, "hostname": 95 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e0c75ee5ca57ac39bdda56", "name": "EbeeApril2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-22T23:04:42.859000", "created": "2026-04-16T11:26:22.347000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "STX RAT, Deploying NetSupport RAT via Compromised Websites, AngrySpark, Abusing n8n platform", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 8, "FileHash-MD5": 223, "FileHash-SHA1": 235, "FileHash-SHA256": 214, "URL": 54, "domain": 70, "hostname": 64 }, "indicator_count": 868, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e8354186e254acafbb389d", "name": "IOC - DFIR Report \u2013 The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy", "description": "The Gentlemen ransomware\u2011as\u2011a\u2011service (RaaS) operation is a relatively new group that emerged around mid\u20112025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates.", "modified": "2026-05-22T02:03:39.507000", "created": "2026-04-22T02:41:05.572000", "tags": [ "cobalt strike", "systembc", "systembc c", "embedded", "gentlemen linux" ], "references": [ "https://research.checkpoint.com/2026/dfir-report-the-gentlemen/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 25, "FileHash-SHA256": 27 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a055348647abd23c0a6cd7d", "name": "LBIOC-20260071 - The Gentlemens Leak", "description": "", "modified": "2026-05-14T04:44:56.142000", "created": "2026-05-14T04:44:56.142000", "tags": [ "hastalamuerte", "linux", "systembc", "ransomware", "the gentlemen", "affiliate", "data-leak", "windows", "powerrun", "killav", "qilin", "extortion" ], "references": [], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [], "malware_families": [ { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "KillAV", "display_name": "KillAV", "target": null }, { "id": "PowerRun", "display_name": "PowerRun", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [], "TLP": "white", "cloned_from": "6a043fa88d6fd92063164a04", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "FileHash-MD5": 22, "FileHash-SHA1": 22, "FileHash-SHA256": 24 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a04ed136aebaf3b6cdfe52c", "name": "LBIOC-20260071 - The Gentlemens Leak CREATED 12 HOURS AGO MODIFIED 12 HOURS AGO by AlienVault", "description": "", "modified": "2026-05-13T21:55:05.346000", "created": "2026-05-13T21:28:51.760000", "tags": [ "hastalamuerte", "linux", "systembc", "ransomware", "the gentlemen", "affiliate", "data-leak", "windows", "powerrun", "killav", "qilin", "extortion" ], "references": [], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [], "malware_families": [ { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "KillAV", "display_name": "KillAV", "target": null }, { "id": "PowerRun", "display_name": "PowerRun", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [], "TLP": "white", "cloned_from": "6a043fa88d6fd92063164a04", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 14, "FileHash-MD5": 25, "FileHash-SHA1": 25, "FileHash-SHA256": 85, "hostname": 22, "domain": 6, "URL": 30, "email": 3 }, "indicator_count": 210, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e6fc1c4220f1638cd934bb", "name": "The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy", "description": "", "modified": "2026-04-21T04:25:00.821000", "created": "2026-04-21T04:25:00.821000", "tags": [ "cobalt-strike", "domain-compromise", "the gentlemen", "psexec", "systembc", "esxi-encryption", "lateral-movement", "cobalt strike", "anydesk", "ransomware-as-a-service", "mimikatz", "group-policy-deployment" ], "references": [ "https://research.checkpoint.com/2026/dfir-report-the-gentlemen/" ], "public": 1, "adversary": "The Gentlemen", "targeted_countries": [ "United States of America", "Germany", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "AnyDesk", "display_name": "AnyDesk", "target": null }, { "id": "PsExec", "display_name": "PsExec", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1053.003", "name": "Cron", "display_name": "T1053.003 - Cron" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "display_name": "T1562.007 - Disable or Modify Cloud Firewall" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1037.004", "name": "RC Scripts", "display_name": "T1037.004 - RC Scripts" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": "69e63f93a0ddbd53fcab3f51", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 10, "FileHash-SHA256": 26, "URL": 1, "domain": 1 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "39 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780169999.2985168 }