{
  "name": "The Gentleman Ransomware | Defense Evasion TTPs Uncovered",
  "slug": "the-gentleman-ransomware-defense-evasion-ttps-uncovered",
  "description": "In April and May 2026, investigations revealed two incidents involving The Gentlemen ransomware-as-a-service operation, which has claimed over 400 victims across 70 countries since mid-2025. Both incidents demonstrated common tactics including Scheduled Tasks, PowerShell commands, and defense evasion techniques such as clearing Security, System, and Application Event Logs, disabling Microsoft Defender, and adding antivirus exclusions. A leaked internal database in early May exposed the operation's infrastructure, affiliate structure, and targeting of vulnerabilities like CVE-2024-55591. The attacks showed threat actors using RDP connections, disguised executables, SOCKS proxy connections for persistence, and domain-wide deployment via NETLOGON shares. Despite attempts to evade detection, sufficient forensic telemetry remained for analysis, revealing workstation names previously associated with Qilin ransomware and Lazarus infrastructure.",
  "published": "2026-05-21T23:03:16.366000+00:00",
  "created_at": "2026-05-22T06:43:09.246000+00:00",
  "modified_at": "2026-05-22T04:43:45+00:00",
  "created_at_opencti": "2026-05-22T06:43:09.246000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "cve-2024-55591",
    "defense evasion",
    "event log clearing",
    "microsoft defender tampering",
    "powershell",
    "qilin",
    "ransomware-as-a-service",
    "rdp compromise",
    "scheduled tasks",
    "socks proxy",
    "the gentlemen",
    "trojan:win32/mptamperbulkexcl.h"
  ],
  "tags": [
    "2026-05-21",
    "CVE-2024-55591",
    "defense evasion",
    "event log clearing",
    "microsoft defender tampering",
    "powershell",
    "qilin",
    "ransomware-as-a-service",
    "rdp compromise",
    "scheduled tasks",
    "socks proxy",
    "the gentlemen",
    "trojan:win32/mptamperbulkexcl.h"
  ],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "4d34801a-eb98-4022-b8f3-aeac5bacc285",
        "name": "CVE-2024-55591"
      }
    ],
    "indicators": [
      {
        "id": "1c69d747-bfd9-417b-9434-97e4d2e86269",
        "name": "77.110.122.137"
      },
      {
        "id": "315e8a55-4c18-499b-8f17-2f4fe30cfe0a",
        "name": "193.233.202.17"
      },
      {
        "id": "41a9bff0-0694-4272-9970-26b6e35664fd",
        "name": "f918535f974591ef031bd0f30a8171e3da27a6754e6426a8ba095f83195661c8"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c920a404-92c6-423b-9714-146e22302900",
        "name": "The Gentlemen",
        "slug": "the-gentlemen"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "d048ac4b-dd28-4c66-b62b-fe25cefef481",
        "name": "T1548.002"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "36d26fbc-439e-460e-bb28-0935ad0c1b8a",
        "name": "T1090.001"
      },
      {
        "id": "da44e22e-1925-42e4-b30d-ac38860d39bb",
        "name": "T1070.001"
      },
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "malware": [
      {
        "id": "45a72d45-71f5-4ab9-b39a-77bb13fcc885",
        "name": "Trojan:Win32/MpTamperBulkExcl.H",
        "slug": "trojanwin32mptamperbulkexclh"
      },
      {
        "id": "10ade440-687e-45c6-992a-3b0ab99cb572",
        "name": "The Gentlemen",
        "slug": "the-gentlemen"
      },
      {
        "id": "df9c1329-2d8a-4477-865e-8b01c4d7c0e6",
        "name": "Qilin",
        "slug": "qilin"
      }
    ],
    "observables": [
      {
        "id": "e9b27b3a-9cf9-4121-a0a8-50959d6c8e26",
        "name": "193.233.202.17"
      },
      {
        "id": "b1a27312-6837-4746-87f0-71c68d4d85ee",
        "name": "77.110.122.137"
      },
      {
        "id": "",
        "name": "f918535f974591ef031bd0f30a8171e3da27a6754e6426a8ba095f83195661c8"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Transport"
      },
      {
        "id": "",
        "name": "Construction"
      }
    ]
  },
  "external_refs": [
    {
      "id": "fefb182a-7fce-4bbb-9fe3-409ba30b9f27",
      "standard_id": "external-reference--68337280-1d23-5656-9180-29d7c6bad29c",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps",
      "hash": null,
      "external_id": null,
      "created": "2026-05-22T06:43:03.143Z",
      "modified": "2026-05-22T06:43:03.143Z",
      "createdById": null
    },
    {
      "id": "c7e6c9db-31f7-45b0-b4ab-845b15f72487",
      "standard_id": "external-reference--930e5c92-d0f3-5e1f-8937-9408b582a2f5",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a0f8f34dd916c38a643df30",
      "hash": null,
      "external_id": "6a0f8f34dd916c38a643df30",
      "created": "2026-05-22T06:43:03.107Z",
      "modified": "2026-05-22T06:43:03.107Z",
      "createdById": null
    }
  ]
}