Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware
· Published 11/05/2026 18:15 · Modified 11/05/2026 19:28
Essential information
- Published: 11/05/2026 18:15
- Modified: 11/05/2026 19:28
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: blockchain c2, cve-2025-55182, dll sideloading, ethereum, etherrat, kerberoasting, mimikatz, netexec, rclone, saas abuse, the gentlemen, the gentlemen ransomware, tuktuk
- Tags: 2026-05-11, CVE-2025-55182, blockchain c2, dll sideloading, ethereum, etherrat, kerberoasting, mimikatz, netexec, rclone, saas abuse, the gentlemen, the gentlemen ransomware, tuktuk
- Related entities: 1 vulnerability (CVE), 32 indicators, 32 observables, 23 techniques (MITRE), 6 malware, 15 others
Description
An intrusion was observed in April 2026 in which threat actors deployed EtherRAT malware through a malicious MSI installer disguised as a Sysinternals tool. The malware retrieved dynamic C2 configuration updates from the Ethereum blockchain using the EtherHiding technique. Following reconnaissance, the actors deployed the TukTuk malware framework by DLL sideloading against legitimate applications such as Greenshot and SyncTrayzor. TukTuk established C2 channels over SaaS platforms, including ClickHouse and Supabase, with backup channels via Ably, Dropbox, and GitHub Issues. The actors performed Kerberoasting, stole credentials with Mimikatz and LSASS memory dumping, and deployed GoTo Resolve RMM tooling for lateral movement. Data was exfiltrated to Wasabi cloud storage with Rclone before The Gentlemen ransomware was deployed domain-wide through a malicious GPO. Throughout, the intrusion relied on blockchain infrastructure, SaaS platforms, and decentralized services to evade traditional network defenses.
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Vulnerabilities (CVE) (1)
- CVE-2025-55182 · KEV · 10.0 · Critical: A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …
  - Attack vector: Network
  - Published: 05/12/2025
  - Modified: 29/05/2026
Indicators (32)
- mode-exit-legendary-trusted.trycloudflare.com
- https://fields-pct-easier-vancouver.trycloudflare.com
- https://afford-effect-construct-tricks.trycloudflare.com
- fields-pct-easier-vancouver.trycloudflare.com
- https://seasonal-estimation-heating-necessarily.trycloudflare.com
- g8way.io
- when-architectural-cdna-faster.trycloudflare.com
- borjumaniya.store
- walt-messaging-affairs-occurring.trycloudflare.com
- witch-skins-lip-coal.trycloudflare.com
- https://entered-medications-motherboard-advanced.trycloudflare.com
- https://rapids-lil-lending-charleston.trycloudflare.com
- 8c2665adf8bfab65463f2a9bd1b7bb0231de3f5c1e6a2e51479e44aaac2e7bf0
- d9487fdc097f770e5661f9e5dee130068cb179d33716abff1a21c8cb901f25a6
- seasonal-estimation-heating-necessarily.trycloudflare.com
- entered-medications-motherboard-advanced.trycloudflare.com
- https://when-architectural-cdna-faster.trycloudflare.com
- 19021e53b9929fdf4b7d0e0707434d56bb73c1a9b7403c8837b44d1c417198dc
- 2d4b4bb18b8445e49eeda571982874403befcecf78266e3d405f6529d98bee46
- https://walt-messaging-affairs-occurring.trycloudflare.com
- https://howto-tar-naturals-coordination.trycloudflare.com
- 1795eacd2c58894ccdd6be8854fe6456c3b069a3a873432343b57b475b256aee
- afford-effect-construct-tricks.trycloudflare.com
- howto-tar-naturals-coordination.trycloudflare.com
- https://witch-skins-lip-coal.trycloudflare.com
- workshop-lighting-protective-customs.trycloudflare.com
- rapids-lil-lending-charleston.trycloudflare.com
- https://workshop-lighting-protective-customs.trycloudflare.com
- vngz3ntdrb.us-east1.gcp.clickhouse.cloud
- k135neflez.westus3.azure.clickhouse.cloud
- 4142d5efd4ea2abab77f2f0a917610e2ff976bf9e19d7ad1e9156eccdc5412db
- https://mode-exit-legendary-trusted.trycloudflare.com
Observables (32)
- Hostnames (15)
  - g8way.io
  - borjumaniya.store
  - vngz3ntdrb.us-east1.gcp.clickhouse.cloud
  - witch-skins-lip-coal.trycloudflare.com
  - fields-pct-easier-vancouver.trycloudflare.com
  - workshop-lighting-protective-customs.trycloudflare.com
  - k135neflez.westus3.azure.clickhouse.cloud
  - mode-exit-legendary-trusted.trycloudflare.com
  - rapids-lil-lending-charleston.trycloudflare.com
  - howto-tar-naturals-coordination.trycloudflare.com
  - afford-effect-construct-tricks.trycloudflare.com
  - entered-medications-motherboard-advanced.trycloudflare.com
  - walt-messaging-affairs-occurring.trycloudflare.com
  - seasonal-estimation-heating-necessarily.trycloudflare.com
  - when-architectural-cdna-faster.trycloudflare.com
- URLs (11)
  - https://entered-medications-motherboard-advanced.trycloudflare.com
  - https://fields-pct-easier-vancouver.trycloudflare.com
  - https://afford-effect-construct-tricks.trycloudflare.com
  - https://seasonal-estimation-heating-necessarily.trycloudflare.com
  - https://mode-exit-legendary-trusted.trycloudflare.com
  - https://rapids-lil-lending-charleston.trycloudflare.com
  - https://when-architectural-cdna-faster.trycloudflare.com
  - https://workshop-lighting-protective-customs.trycloudflare.com
  - https://walt-messaging-affairs-occurring.trycloudflare.com
  - https://witch-skins-lip-coal.trycloudflare.com
  - https://howto-tar-naturals-coordination.trycloudflare.com
- File hashes (SHA-256) (6)
  - 8c2665adf8bfab65463f2a9bd1b7bb0231de3f5c1e6a2e51479e44aaac2e7bf0
  - d9487fdc097f770e5661f9e5dee130068cb179d33716abff1a21c8cb901f25a6
  - 19021e53b9929fdf4b7d0e0707434d56bb73c1a9b7403c8837b44d1c417198dc
  - 2d4b4bb18b8445e49eeda571982874403befcecf78266e3d405f6529d98bee46
  - 1795eacd2c58894ccdd6be8854fe6456c3b069a3a873432343b57b475b256aee
  - 4142d5efd4ea2abab77f2f0a917610e2ff976bf9e19d7ad1e9156eccdc5412db
Techniques (MITRE) (23)
- SMB/Windows Admin Shares
- NTDS
- Permission Groups Discovery
- Process Injection
- Msiexec
- Phishing
- Inhibit System Recovery
- PowerShell
- User Execution
- Data Encrypted for Impact
- Windows Command Shell
- Remote System Discovery
- Kerberoasting
- Obfuscated Files or Information
- Remote Access Tools
- LSASS Memory
- Account Discovery
- Registry Run Keys / Startup Folder
- Clear Windows Event Logs
- Remote Desktop Protocol
- Exfiltration Over Web Service
- System Information Discovery
- Domain Trust Discovery
Malware (6)
- Family · Published 28/05/2026 19:56 · Modified 28/05/2026 19:56
- Family · Published 16/06/2026 14:27 · Modified 16/06/2026 14:27
- Family · Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
- Family · Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
- Family · Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
- Family · Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
Others (15)
- mode-exit-legendary-trusted.trycloudflare.com
- fields-pct-easier-vancouver.trycloudflare.com
- g8way.io
- when-architectural-cdna-faster.trycloudflare.com
- borjumaniya.store
- walt-messaging-affairs-occurring.trycloudflare.com
- witch-skins-lip-coal.trycloudflare.com
- seasonal-estimation-heating-necessarily.trycloudflare.com
- entered-medications-motherboard-advanced.trycloudflare.com
- afford-effect-construct-tricks.trycloudflare.com
- howto-tar-naturals-coordination.trycloudflare.com
- workshop-lighting-protective-customs.trycloudflare.com
- rapids-lil-lending-charleston.trycloudflare.com
- vngz3ntdrb.us-east1.gcp.clickhouse.cloud
- k135neflez.westus3.azure.clickhouse.cloud