The Gentlemen

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to intrusion sets

· Published 21/12/2025 16:02 · Modified 27/05/2026 15:52 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 21/12/2025 16:02
Modified: 27/05/2026 15:52
Updated at: 27/05/2026 15:52
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 8 reports, 90 attack patterns (mitre), 15 malware, 8 sectors, 5 countries, 48 indicators, 6 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (8)

Ransomware Analysis: Go Binary and Fast Encryption

AlienVault Confidence 100 1 CVE 20 MITREs 4 Malwares 3 IOCs 3 Observables 1 APT
The Gentleman Ransomware | Defense Evasion TTPs Uncovered

AlienVault Confidence 100 1 CVE 20 MITREs 3 Malwares 3 IOCs 3 Observables 1 APT
Thus Spoke…The Gentlemen

3 CVEs 20 MITREs 2 Malwares 33 Observables 1 APT
LBIOC-20260071 - The Gentlemens Leak

AlienVault Confidence 100 20 MITREs 4 Malwares 26 IOCs 26 Observables 1 APT
The Gentlemen & SystemBC: A Sneak Peek Behind …

46 MITREs 6 Malwares 27 Observables 1 APT
An Overview of The Gentlemen's TTPs

AlienVault Confidence 100 4 CVEs 11 MITREs 7 Malwares 4 IOCs 4 Observables 1 APT
License to Encrypt: Make Their Move

17 MITREs 1 Malware 1 APT
Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures …

13 MITREs 1 APT

Attack patterns (MITRE) (90)

T1219 uses

Remote Access Tools MITRE
T1573.002 uses

Asymmetric Cryptography MITRE
T1036.005 uses

Match Legitimate Resource Name or Location MITRE
T1071 uses

Application Layer Protocol MITRE
T1021.004 uses

SSH MITRE
T1106 uses

Native API MITRE
T1550 uses

Use Alternate Authentication Material MITRE
T1071.001 uses

Web Protocols MITRE
T1543.003 uses

Windows Service MITRE
T1060 uses

MITRE
T1190 uses

Exploit Public-Facing Application MITRE
T1133 uses

External Remote Services MITRE

← Previous

Page / 8

1–12 of 90

Mimikatz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PowerRun uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
AnyDesk uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Medusa uses

The MITRE Corporation Confidence 100

[MEDUSA](https://attack.mitre.org/software/S1220) is an open-source rootkit that is capable of dynamic linker hijacking, command execution, and logging credentials.(Citation: Google Cloud Mandiant UNC3886 2024)

First seen 01/01/1970 · Last seen 16/11/5138 ·
SystemBC uses

AlienVault Confidence 100

[SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.[SystemBC](https://attack.mitre.org/software/S9001) executes a variety…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Trojan:Win32/MpTamperBulkExcl.H uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Babyk uses

Family
LockBit 5.0 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Babuk - S0638 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
KillAV uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Qilin uses

Family
Cobalt Strike - S0154 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 15

Government targets
Manufacturing targets
Healthcare targets
Construction targets
Insurance services targets
Transportation targets
Finance targets
Technology targets

Countries (5)

Thailand targets
United Kingdom of Great Britain and Northern Ireland targets
United States of America targets
Germany targets
Brazil targets

Indicators (48)

22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 indicates

stix 100/100

· Valid until 16/04/2027 · Source: AlienVault
025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a indicates

stix 100/100

· Valid until 16/04/2027 · Source: AlienVault
cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e indicates

stix 100/100

· Valid until 16/04/2027 · Source: AlienVault
fc75ed2159e0c8274076e46a37671cfb8d677af9f586224da1713df89490a958 indicates

stix 100/100

· Valid until 16/04/2027 · Source: AlienVault
http://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion/ indicates

stix 100/100 Revoked

· Valid until 19/05/2026 · Source: AlienVault
1af419b36a5edefef387409e2b3248c9223f7dc49a4f7b15ea095d371c3a70b2 indicates

stix 100/100

· Valid until 10/05/2027 · Source: AlienVault
c46b5a18ab3fb5fd1c5c8288a41c75bf0170c10b5e829af89370a12c86dd10f8 indicates

stix 100/100

· Valid until 16/04/2027 · Source: AlienVault
992c951f4af57ca7cd8396f5ed69c2199fd6fd4ae5e93726da3e198e78bec0a5 indicates

stix 100/100

· Valid until 16/04/2027 · Source: AlienVault
fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68 indicates

stix 100/100

· Valid until 16/04/2027 · Source: AlienVault
994d6d1edb57f945f4284cc0163ec998861c7496d85f6d45c08657c9727186e3 indicates

stix 100/100

· Valid until 16/04/2027 · Source: AlienVault
51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2 indicates

stix 100/100

· Valid until 15/11/2026 · Source: AlienVault
dfe696ff713318c53fb17731bd4a6585a02c085b590149b19847990b324a0be6 indicates

stix 100/100

· Valid until 10/05/2027 · Source: AlienVault

← Previous

Page / 4

1–12 of 48

Vulnerabilities (CVE) (6)

CVE-2024-55591 KEV targets

9.8 Critical

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …

Attack vector: Network
Published: 14/01/2025
Modified: 27/05/2026

Analyzed

CVE-2025-33073 KEV targets

8.8 High

Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially …

Attack vector: Network
Published: 20/10/2025
Modified: 27/05/2026

Received

CVE-2025-32433 KEV targets

10.0 Critical

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may …

Attack vector: Network
Published: 09/06/2025
Modified: 27/05/2026

Received

CVE-2023-27532 KEV targets

7.5 High

Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …

Attack vector: Network
Published: 22/08/2023
Modified: 27/05/2026

CVE-2025-32463 KEV targets

9.3 Critical

Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) …

Attack vector: Local
Published: 29/09/2025
Modified: 27/05/2026

Received

CVE-2024-37085 KEV targets

6.8 Medium

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an …

Attack vector: Network
Published: 30/07/2024
Modified: 27/05/2026

Awaiting Analysis

Contact About Legal notice Privacy policy Terms of use

The Gentlemen

Essential information

Description

Marking (TLP)

Related entities

Reports (8)

Attack patterns (MITRE) (90)

Malware (15)

Sectors (8)

Countries (5)

Indicators (48)

Vulnerabilities (CVE) (6)