216.73.216.133

Rapid growth and a new ransomware variant

· Published 29/06/2026 13:01

Export JSON

Essential information

Published
29/06/2026 13:01
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
appleseed byovd cobalt strike coolclient custom backdoor encryption tactics gpo deployment lateral movement mgbot network reconnaissance powercloud ransomware-as-a-service reversesocks sharkloader vulnerable drivers zichatbot
Related entities
11 indicators, 2 observables, 1 intrusion sets (apt), 20 techniques (mitre), 8 malware

Description

The Gentlemen group emerged as a top-10 threat actor in the first half of 2026. The group exploits vulnerabilities in internet-facing devices like VPNs and firewalls, potentially collaborating with initial access brokers. They employ comprehensive reconnaissance using tools like SharpADWS, NetScan, and Advanced IP Scanner, capturing network traffic with netsh. The attackers disable security products through techniques using , and deploy custom Go-based backdoors and ransomware variants. They spread laterally via GPO deployment and PsExec, encrypt files using Curve25519 and XChaCha20, and recently developed a C-based ransomware variant using AES256-GCM and RSA. The group targets multiple industries worldwide, particularly in Brazil, China, Indonesia, Taiwan, and Thailand, with attacks focusing on manufacturing, IT services, healthcare, and financial sectors.

External references