Rapid growth and a new ransomware variant
Essential information
- Published
- 29/06/2026 13:01
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- appleseed byovd cobalt strike coolclient custom backdoor encryption tactics gpo deployment lateral movement mgbot network reconnaissance powercloud ransomware-as-a-service reversesocks sharkloader vulnerable drivers zichatbot
- Related entities
- 11 indicators, 2 observables, 1 intrusion sets (apt), 20 techniques (mitre), 8 malware
Description
The Gentlemen ransomware-as-a-service group emerged as a top-10 threat actor in the first half of 2026. The group exploits vulnerabilities in internet-facing devices like VPNs and firewalls, potentially collaborating with initial access brokers. They employ comprehensive reconnaissance using tools like SharpADWS, NetScan, and Advanced IP Scanner, capturing network traffic with netsh. The attackers disable security products through BYOVD techniques using vulnerable drivers, and deploy custom Go-based backdoors and ransomware variants. They spread laterally via GPO deployment and PsExec, encrypt files using Curve25519 and XChaCha20, and recently developed a C-based ransomware variant using AES256-GCM and RSA. The group targets multiple industries worldwide, particularly in Brazil, China, Indonesia, Taiwan, and Thailand, with attacks focusing on manufacturing, IT services, healthcare, and financial sectors.