[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4I6rV3ynerpRSrjk84SDD3qELbYyWDnTKqi9vFMVxKc":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"e397d3d9-10c3-46e0-9fd2-40a62cd91031","The Gentlemen are knocking: custom backdoors and evolving tactics","the-gentlemen-are-knocking-ustom-backdoors-and-evolving-tactics-0f1f4c","Kaspersky researchers analyze incidents related to The Gentlemen RaaS group, disclose their tools and TTPs, and find a new ransomware variant.","Kaspersky disclosed a comprehensive analysis of The Gentlemen ransomware-as-a-service group, which ramped up its activity at the beginning of 2026 and ranks among the top 10 ransomware actors by victim announcements on its data leak site. The group employs custom Go and C-based ransomware variants, exploits vulnerabilities in internet-facing VPN\u002Ffirewall devices, and uses custom backdoors alongside reconnaissance tools like SharpADWS and NetScan to map networks and move laterally via NETLOGON shares and GPO deployment.","Kaspersky researchers detail The Gentlemen RaaS group's custom backdoors, Go\u002FC-based ransomware, and evolving attack","Table of Contents: Introduction; Technical details; Initial infection vector; Reconnaissance; Lateral movement; Disabling security products; Go-based backdoor; Go-based ransomware; Automated system execution prevention; Lateral movement through GPO deployment; Lateral movement through PsExec; Pre-encryption activities; Encryption process; C-based ransomware; Victims; Attribution; Conclusion; Indicators of compromise (Go ransomware; C-based ransomware; Backdoor; Vulnerable drivers; Scanning tools; File paths; Domain and IPs)
Authors: Fatih Şensoy, Maher Yamout
Introduction
This year saw the emergence of The Gentlemen, a prominent example of a group operating under the ransomware-as-a-service (RaaS) model. 
Although our initial assessment suggested the group first appeared in mid-2025, it actually started ramping up its activities at the beginning of 2026. According to public reports, in the first half of 2026 this group ranks among the top 10 ransomware actors by the number of victim announcements on its data leak site (DLS). We have been observing the activity of The Gentlemen since February 2026 and have discovered new tactics, techniques, and procedures (TTPs) as well as custom tool development efforts, as they target large corporations and critical infrastructure worldwide. In our research, we have uncovered the group’s methods of reconnaissance, network sniffing, and many other techniques that have not been publicly described before by the wider community.
Technical details
Initial infection vector
The Gentlemen group and its affiliates usually get into victim systems by exploiting vulnerabilities in internet-facing services and by using stolen or weak login credentials, as reported by multiple cybersecurity vendors. They often target internet-exposed hardware VPN appliances and firewalls, and use leaked or default credentials to gain access. We believe the group is likely collaborating with other actors or initial access brokers (IABs) to gain access to target organizations. While they often deploy ransomware within a few hours of obtaining initial access, our analysis of several attacks revealed cases in which access to the victim’s environment had been established long before the ransomware was deployed. These cases involved tactics that are not typically associated with the group, which suggests that the initial breach may not have been executed by The Gentlemen at all, but rather by another group or an initial access broker. 
Reconnaissance
Our investigation reveals that The Gentlemen conduct thorough internal reconnaissance using tools like SharpADWS, NetScan, Advanced IP Scanner, and netsh to map the target environment and identify weaknesses. SharpADWS is used to gather detailed Active Directory information, including domain object enumeration. Because it queries the directory through Active Directory Web Services (SOAP over TCP 9389) rather than over LDAP, its queries do not appear in LDAP-focused telemetry such as LDAP query logging on domain controllers or network detections keyed on ports 389 and 636. The group also uses NetScan and Advanced IP Scanner to scan the network, discover active ports and services, and identify potential vulnerabilities, ultimately gaining a deeper understanding of the network and establishing remote control over identified systems. Microsoft’s netsh tool is used to capture network packets and gather intelligence, executing the command cmd.exe \u002FQ \u002Fc netsh trace start capture=yes report=no filemode=circular overwrite=yes maxSize=4 > \\\u003Ctarget IP>\\ADMIN$\\{RANDOM-FILE-NAME} 2>&1 to start the capture, and cmd.exe \u002FQ \u002Fc netsh trace stop > \\\u003Ctarget IP>\\ADMIN$\\{RANDOM-FILE-NAME} to stop it. Note what the redirect does: it writes only the console output of netsh into a randomly named file on the target’s ADMIN$ share, the output-collection pattern of remote-execution tooling that runs commands over WMI or SMB and reads the result back over the share. The packets themselves go where netsh trace puts them by default when no tracefile= parameter is given, an ETL file under %LOCALAPPDATA%\\Temp\\NetTraces\\ of the executing account. Once retrieved and converted (for example with etl2pcapng), the capture can be analyzed in Wireshark to reveal sensitive information such as unencrypted network activity and potential passwords, which the attackers then use to conduct targeted ransomware attacks.
Lateral movement
The Gentlemen group stages the ransomware executable on the NETLOGON share, which every domain-joined computer can read, and distributes it to connected computers from there, enabling simultaneous attacks on multiple devices. To facilitate lateral movement, they use a customized PowerShell script, deploy_gpo.ps1, with specific parameters and variables for each target system. Additionally, they employ PsExec to remotely execute the ransomware binary on targeted systems, providing an alternative method for spreading the infection when the GPO-based approach is not feasible. 
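As an added example (our code, not Kaspersky’s and not a tool used by the group), the Python below runs the command-line rules implied by the reconnaissance and lateral movement sections above over constructed process-creation events: a netsh trace packet capture, console output redirected into a remote ADMIN$ share, a child of the PsExec service binary PSEXESVC.exe, and a binary started from the NETLOGON share. The events, host names and addresses are sample data made up for the example.

```python
import re
from collections import Counter

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# Sample input written for this example, not telemetry from the report;
# 10.0.0.15 and DC01.corp.local are placeholders.
SAMPLE_EVENTS = [
    {'host': 'WS-101', 'parent': r'C:\Windows\System32\wbem\WmiPrvSE.exe',
     'image': r'C:\Windows\System32\cmd.exe',
     'cmdline': r'cmd.exe /Q /c netsh trace start capture=yes report=no filemode=circular '
                r'overwrite=yes maxSize=4 > \\10.0.0.15\ADMIN$\__1719650412.37 2>&1'},
    {'host': 'WS-101', 'parent': r'C:\Windows\System32\wbem\WmiPrvSE.exe',
     'image': r'C:\Windows\System32\cmd.exe',
     'cmdline': r'cmd.exe /Q /c netsh trace stop > \\10.0.0.15\ADMIN$\__1719650499.02 2>&1'},
    {'host': 'WS-102', 'parent': r'C:\Windows\explorer.exe',
     'image': r'C:\Windows\System32\netsh.exe',
     'cmdline': 'netsh advfirewall show allprofiles'},
    {'host': 'SRV-DB01', 'parent': r'C:\Windows\PSEXESVC.exe',
     'image': r'C:\Windows\System32\cmd.exe',
     'cmdline': r'cmd.exe /c C:\Users\Public\locker.exe'},
    {'host': 'WS-103', 'parent': r'C:\Windows\System32\gpscript.exe',
     'image': r'\\DC01.corp.local\NETLOGON\locker.exe',
     'cmdline': r'\\DC01.corp.local\NETLOGON\locker.exe'},
    {'host': 'WS-103', 'parent': r'C:\Windows\System32\services.exe',
     'image': r'C:\Windows\System32\svchost.exe',
     'cmdline': 'svchost.exe -k netsvcs'},
]

NETSH_TRACE = re.compile(r'\bnetsh(?:\.exe)?\s+trace\s+(start|stop)\b', re.I)
# Console output redirected into a file under a remote ADMIN$ share: the
# output-collection pattern of tooling that runs commands over WMI or SMB.
ADMIN_SHARE_REDIRECT = re.compile(r'>\s*\\\\([^\\\s]+)\\ADMIN\$\\(\S+)', re.I)
# PsExec drops and starts PSEXESVC.exe on the target; children of that service
# binary (or direct psexec.exe invocations) are the remote-execution trace.
PSEXEC_BINARY = re.compile(r'(?:^|\\)psexe(?:c(?:64)?|svc)\.exe$', re.I)
# NETLOGON is the domain controller share backed by SYSVOL\<domain>\scripts;
# a payload started from either path is consistent with GPO-based deployment.
NETLOGON_PATH = re.compile(r'\\\\[^\\\s]+\\(?:NETLOGON|SYSVOL\\[^\\\s]+\\scripts)\\', re.I)


def triage_event(ev):
    """Return a list of (rule, detail) findings for one process-creation event."""
    findings = []
    cmd = ev['cmdline']
    m = NETSH_TRACE.search(cmd)
    if m:
        if m.group(1).lower() == 'start' and re.search(r'capture=yes', cmd, re.I):
            findings.append(('netsh_packet_capture', 'packet capture started via netsh trace'))
        elif m.group(1).lower() == 'stop':
            findings.append(('netsh_trace_stop', 'netsh trace stopped'))
    m = ADMIN_SHARE_REDIRECT.search(cmd)
    if m:
        findings.append(('admin_share_output_redirect', 'output written to ADMIN$ on ' + m.group(1)))
    if PSEXEC_BINARY.search(ev['parent']) or PSEXEC_BINARY.search(ev['image']):
        findings.append(('psexec_remote_exec', 'process launched via PsExec service'))
    if NETLOGON_PATH.search(ev['image']) or NETLOGON_PATH.search(cmd):
        findings.append(('netlogon_share_execution', 'binary executed from NETLOGON share'))
    return findings


def triage(events):
    """Flatten findings over a batch of events, tagging each with the source host."""
    out = []
    for ev in events:
        for rule, detail in triage_event(ev):
            out.append({'host': ev['host'], 'rule': rule, 'detail': detail})
    return out


def summarize(events):
    """Count findings per rule, the shape a hunting query would return."""
    return Counter(f['rule'] for f in triage(events))


if __name__ == '__main__':
    for f in triage(SAMPLE_EVENTS):
        print(f['host'], f['rule'], '-', f['detail'])
```

The ADMIN$ redirect rule fires on the stop command as well as the start command, which is the point: the same remote-execution channel is used for both. Because the redirect only collects netsh’s console output, pair the capture rule with a file-system hunt for NetTrace.etl under %LOCALAPPDATA%\\Temp\\NetTraces\\ of service and administrative accounts.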
Disabling security products
The Gentlemen group uses various methods to disable security software on targeted computers, including the bring-your-own-vulnerable-driver (BYOVD) technique. This involves installing a legitimately signed but vulnerable driver and abusing its flaw from user mode to gain kernel-level control, terminate or blind security software, and then launch the ransomware. Whether a given driver still loads on a target depends on whether it is on Microsoft’s vulnerable driver blocklist and whether that blocklist is enforced on the host. We observed the following vulnerable drivers used in the group’s attacks (driver name: description):
ProcessMonitorDriver.sys: Safetica DLP and EDR driver
wamsdk.sys: WatchDog anti-malware driver
gamedriverx64.sys: Fedeen\u002FHotta studio anti-cheat driver
biontdrv.sys: Paragon partition manager driver
inpoutx64.sys: A legacy driver involved in managing RGB lighting
wsftprm.sys: Topaz anti-fraud software driver
Havoc.sys: Huawei audio driver
The Gentlemen group also uses open-source tools, including Windows Kernel Explorer and OpenArk64, to disable security software. These tools bring their own signed kernel driver and can enumerate and remove kernel notification callbacks and minifilter registrations, or unload security drivers outright, allowing the attackers to blind security products and remain undetected. Besides this, the group employs simple methods to disable security software, such as running kavrmvr.exe to uninstall Kaspersky Antivirus, which is prevented by the product’s behavioral detection, and modifying Windows registry settings to disable Windows Defender’s real-time protection. 
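As an added example (our code, not from the report), the Python below checks for the two Defender-tampering methods described in this section: the policy values in a .reg file of the kind quoted in the next paragraph, and the Set-MpPreference and Add-MpPreference command lines that the Go implant issues. The .reg text and the command lines embedded here are constructed sample input that mirrors the report’s listings; the value DisableRealtimeMonitoring is added at 0 to show that only switches actually set are reported.

```python
import re

# Constructed .reg export mirroring the policy values quoted in this section,
# plus one value left at 0 to show that only enabled switches are reported.
# Sample input written for this example, not a file recovered from an incident.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000000
'''

# Constructed command lines: one benign query and the cmdlets the Go implant issues.
SAMPLE_CMDLINES = [
    'powershell.exe Get-MpPreference',
    'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -Force',
    'powershell.exe Set-MpPreference -EnableControlledFolderAccess Disabled -Force',
    'powershell.exe Add-MpPreference -ExclusionProcess svc.exe',
    "powershell.exe Add-MpPreference -ExclusionPath 'C:\\'",
]

DEFENDER_POLICY_ROOT = r'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
# Policy values that switch a Defender protection off when set to 1.
DISABLING_VALUES = {
    'DisableAntiSpyware', 'DisableAntiVirus', 'DisableRealtimeMonitoring',
    'DisableBehaviorMonitoring', 'DisableOnAccessProtection',
    'DisableScanOnRealtimeEnable', 'DisableIOAVProtection',
}
SECTION = re.compile(r'^\[(.+)\]\s*$')
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})\s*$')


def parse_reg(text):
    """Parse the dword values of a .reg export into {(key, name): int}."""
    values, key = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = DWORD.match(line)
        if m and key is not None:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def defender_policy_findings(values):
    """(key, name) pairs under the Defender policy root that disable a protection."""
    root = DEFENDER_POLICY_ROOT.lower()
    return sorted((k, n) for (k, n), v in values.items()
                  if k.lower().startswith(root) and n in DISABLING_VALUES and v == 1)


MP_TAMPER = [
    ('realtime_off', re.compile(r'\bSet-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true', re.I)),
    ('cfa_off', re.compile(r'\bSet-MpPreference\b.*-EnableControlledFolderAccess\s+Disabled', re.I)),
    ('exclusion_added', re.compile(r'\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b', re.I)),
]


def mp_preference_findings(cmdline):
    """Names of the tampering actions a single command line performs."""
    return [name for name, rx in MP_TAMPER if rx.search(cmdline)]


def flagged_cmdlines(cmdlines):
    """Only the command lines that touch Defender preferences, with their findings."""
    return [(c, mp_preference_findings(c)) for c in cmdlines if mp_preference_findings(c)]


if __name__ == '__main__':
    for key, name in defender_policy_findings(parse_reg(SAMPLE_REG)):
        print('policy disables protection:', key, name)
    for cmd, names in flagged_cmdlines(SAMPLE_CMDLINES):
        print('tampering cmdline:', names, cmd)
```

Run the policy check against registry-set telemetry (or a .reg export pulled during triage) and the command-line check against process-creation events. Both are worth alerting on even where Tamper Protection would have rejected the change, because the attempt itself identifies the tampering process and the account it ran under.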
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender]
\"DisableAntiSpyware\"=dword:00000001
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection]
\"DisableBehaviorMonitoring\"=dword:00000001
\"DisableOnAccessProtection\"=dword:00000001
\"DisableScanOnRealtimeEnable\"=dword:00000001
Two caveats apply to this .reg file: Defender ignores DisableAntiSpyware on current Windows client builds, and when Tamper Protection is enabled the remaining policy values and the Set-MpPreference changes below are rejected. The attempts are still worth alerting on, since they reveal intent and identify the tampering process. Last but not least, the attackers attempt to disable Windows Defender’s real-time monitoring and ransomware protection (controlled folder access), and to add the implant to the exclusion list, by executing multiple PowerShell cmdlets, as observed in the Go implant, which we’ll analyze later in this post:
Set-MpPreference -DisableRealtimeMonitoring $true -Force
Set-MpPreference -EnableControlledFolderAccess Disabled -Force
Add-MpPreference -ExclusionProcess \u003Cfile_name>
Add-MpPreference -ExclusionPath 'C:\\\\'
Go-based backdoor
We observed a custom-made implant, written in Go and deployed a day before the ransomware attack, which acted as a backdoor, enabling remote command execution. The implant collected system information (hostname, domain name, UUID, and local IP addresses) and organized it into a JSON document built from a map with the keys name, domain, uuid, and localIPs. To obtain the system’s UUID, it used the WMI query \"SELECT UUID FROM Win32_ComputerSystemProduct\". 
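As an added example (our emulation, reconstructed from the behaviour described here, not the implant’s own Go code), the Python below plays out one session of the backdoor protocol with both sides in-process: the implant sends the check-in document with the keys name, domain, uuid and localIPs, then dispatches operator frames on their first byte, 'c' for a command run through the shell and 's' for a SOCKS proxy, exactly as described for the implant in the rest of this section. Two things are assumptions of the emulation rather than facts from the report: the 4-byte length-prefixed framing that stands in for Yamux, and the fake shell and SOCKS callbacks that record the action instead of executing it. The host name, domain, UUID and address are made up.

```python
import json
import socket
import struct
import threading


def build_checkin(name, domain, uuid, local_ips):
    """Check-in document with the key names the implant uses: name, domain, uuid, localIPs."""
    return json.dumps({'name': name, 'domain': domain, 'uuid': uuid, 'localIPs': local_ips}).encode()


# Framing is an assumption of this emulation: a 4-byte big-endian length prefix.
# The real implant multiplexes streams with Yamux, which is not reimplemented here.
def send_frame(sock, payload):
    sock.sendall(struct.pack('>I', len(payload)) + payload)


def recv_exact(sock, n):
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def recv_frame(sock):
    hdr = recv_exact(sock, 4)
    if hdr is None:
        return None
    (n,) = struct.unpack('>I', hdr)
    return recv_exact(sock, n)


def dispatch(frame, run_command, open_socks):
    """First byte selects the action: b'c' runs the rest as a shell command, b's' opens a SOCKS proxy."""
    if not frame:
        return b'empty'
    tag, payload = frame[:1], frame[1:]
    if tag == b'c':
        return run_command(payload.decode(errors='replace')).encode()
    if tag == b's':
        return open_socks()
    return b'unknown tag ' + tag


def implant_loop(sock, checkin, run_command, open_socks):
    """Implant side: send the check-in once, then answer operator frames until the socket closes."""
    send_frame(sock, checkin)
    while True:
        frame = recv_frame(sock)
        if frame is None:
            break
        send_frame(sock, dispatch(frame, run_command, open_socks))


def fake_shell(cmdline):
    # Stand-in for cmd.exe /c <cmdline>: records the command instead of executing it.
    return 'executed: ' + cmdline


def fake_socks():
    # Stand-in for bringing up the SOCKS relay over the multiplexed session.
    return b'socks-ready'


def run_exchange():
    """Operator side over a socketpair: read the check-in, then send one 'c' and one 's' frame."""
    implant_sock, operator_sock = socket.socketpair()
    checkin = build_checkin('WS-101', 'corp.local',
                            '4C4C4544-0000-2010-8020-80C04F202020', ['10.0.0.12'])
    worker = threading.Thread(target=implant_loop,
                              args=(implant_sock, checkin, fake_shell, fake_socks))
    worker.start()
    seen = json.loads(recv_frame(operator_sock))
    send_frame(operator_sock, b'c' + b'whoami')
    cmd_out = recv_frame(operator_sock).decode()
    send_frame(operator_sock, b's')
    socks_out = recv_frame(operator_sock)
    operator_sock.close()
    worker.join()
    implant_sock.close()
    return seen, cmd_out, socks_out


if __name__ == '__main__':
    print(run_exchange())
```

The useful part for defenders is the shape of the check-in: a small JSON object with exactly those four keys, sent immediately after connecting, is a content signature that survives a change of C2 address, whereas the single-byte command tags are too short to match on their own.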
The implant then used the Yamux library (a Go stream multiplexer, so one TCP session can carry several logical streams) to establish a persistent bidirectional TCP connection with the C2 server at 81.177.215[.]15:9443. It sent the collected system info to the C2 and waited for operator responses, executing commands using cmd.exe \u002Fc if the response byte was 'c', or establishing a SOCKS proxy connection if the byte was 's'. This functionality likely enables The Gentlemen’s operators to pivot within the target network and expand their scan coverage. Given the backdoor implant’s capabilitie","https:\u002F\u002Fsecurelist.com\u002Fthe-gentlemen-raas\u002F120447\u002F","https:\u002F\u002Fmedia.kasperskycontenthub.com\u002Fwp-content\u002Fuploads\u002Fsites\u002F43\u002F2026\u002F06\u002F29071114\u002FSL-The-Gentlemen-ransomware-featured-scaled.jpg","2026-06-29T10:00:35+00:00","2026-06-29T12:00:19.973824+00:00",9,[18,21,24,27,30],{"name":19,"type":20},"The Gentlemen","threat_actor",{"name":22,"type":23},"Kaspersky","vendor",{"name":25,"type":26},"Active Directory","technology",{"name":28,"type":29},"PowerShell","product",{"name":31,"type":29},"PsExec","7d8b5ab8-ea0b-4ced-ae97-ec251b86993a",{"id":32,"icon":34,"name":35,"slug":36},null,"Ransomware","ransomware",[38,43,48],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":49},{"id":50,"icon":34,"name":51,"slug":52},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[54,56,59,62],{"type":47,"value":19,"context":55},"RaaS group operating custom Go and C-based ransomware variants",{"type":47,"value":57,"context":58},"SharpADWS","Open-source reconnaissance tool used to gather Active Directory information through Active Directory Web Services (SOAP over TCP 9389) instead of LDAP",{"type":47,"value":60,"context":61},"NetScan","Network scanning tool used for reconnaissance and vulnerability 
discovery",{"type":47,"value":63,"context":64},"Advanced IP Scanner","Network reconnaissance tool used to identify active ports, services, and vulnerabilities"]