[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFVZkoFwltS9L-Dc1RQICA32sVpvVniQ5a3Ia86-Qb8E":3},{"article":4,"iocs":41},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":25},"51918f28-2943-4db0-b46b-99ff5af2aa6d","Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware\n\nIn April, we observed an int...","flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware-in-april-we-o-7e8aec","Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware\n\nIn April, we observed an intrusion that began with a malicious MSI masquerading as Sysinternals RAMMap and ended in domain-wide deployment of The Gentlemen ransomware.\n\nThe intrusion featured EtherRAT, https:\u002F\u002Ft.co\u002FX6wtOESzeO","In April, a domain-wide ransomware attack began with a malicious MSI installer disguised as Sysinternals RAMMap. 
The intrusion leveraged EtherRat and TukTuk C2 infrastructure to establish persistence before deploying The Gentlemen ransomware across the victim's network.","EtherRat and TukTuk C2 malware used to deliver The Gentlemen ransomware in April intrusion.",null,"https:\u002F\u002Fx.com\u002FTheDFIRReport\u002Fstatus\u002F2053841557367767109","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIC2AufWwAESVjk.jpg","2026-05-11T14:16:00+00:00","2026-05-11T15:00:07.323661+00:00",8,[18],{"name":19,"type":20},"Sysinternals RAMMap","product","7d8b5ab8-ea0b-4ced-ae97-ec251b86993a",{"id":21,"icon":11,"name":23,"slug":24},"Ransomware","ransomware",[26,31,36],{"category":27},{"id":28,"icon":11,"name":29,"slug":30},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":32},{"id":33,"icon":11,"name":34,"slug":35},"c5eccf7c-abbc-4bd3-bbed-e6da5cba8e73","Incident Response","incident-response",{"category":37},{"id":38,"icon":11,"name":39,"slug":40},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[42,45,48],{"type":30,"value":43,"context":44},"EtherRat","Initial access malware disguised as Sysinternals RAMMap MSI installer",{"type":30,"value":46,"context":47},"TukTuk C2","Command and control infrastructure used in intrusion chain",{"type":30,"value":49,"context":50},"The Gentlemen","Ransomware deployed for domain-wide encryption"]