A new threat actor, “Gentlemen,” has emerged, demonstrating operational tactics that warrant close attention. Active since late August 2025, this organized crime group targets Manufacturing, Healthcare, Construction, and Financial Services.
They have published no manifesto or stated motive; the activity is straightforward ransomware extortion. Here’s a breakdown of their modus operandi for defense teams:
Key TTPs (Tactics, Techniques & Procedures):
- Initial Access: Exploiting compromised credentials and vulnerable internet-facing services (perimeter appliances are a key vector).
- Reconnaissance: Deploys tools like Advanced IP Scanner and Nmap for internal topology mapping. Heavy focus on Active Directory enumeration to find privileged accounts (e.g., itgateadmin).
- Lateral Movement: Utilizes living-off-the-land (LotL) tools like PsExec for remote command execution.
- Defense Evasion & Weakening: This is where they excel. Endpoint protection is weakened before encryption; the dropped kernel driver and patcher binaries listed under IOCs below are the artifacts to hunt for.
- Deployment & Exfiltration: Abuses Group Policy Objects (GPOs) and the NETLOGON share for domain-wide ransomware distribution. Writing to NETLOGON and linking a GPO requires domain-admin-level rights, so by this stage the domain is already owned and detection has to fire earlier in the chain. Data is exfiltrated via legitimate, encrypted channels using tools like WinSCP.
- Persistence: Maintains access with legitimate remote access tools like AnyDesk, which doubles as a C2 channel and blends in with ordinary admin traffic.
Potential IOCs & Hunting Queries:
- Look for the execution of Advanced IP Scanner, Nmap, PsExec, PowerRun.exe, AnyDesk, WinSCP, especially from user-writable paths or on hosts where admins do not normally run them. All of these are legitimate tools, so baseline normal use first.
- Monitor for the presence of files like All.exe, ThrottleBlood.sys, Allpatch2.exe.
- Hunt for batch scripts (1.bat) performing mass account enumeration.
- Watch for unusual activity from the NETLOGON share across multiple hosts.
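The TTP and IOC lists above name tools and files but no actual queries. Below is an added example, not from the original post or from any vendor report, of the hunting logic run over constructed Sysmon-style process-creation and file-creation events: it flags execution of the listed tools, presence of the listed files, net user/group fan-out spawned by a batch script such as 1.bat, payload execution from the NETLOGON share across multiple hosts, and gpscript.exe as the parent process (an assumed indicator, since GPO startup/logon scripts run under it). The image file names for the tools, the host names, paths, command lines and thresholds are assumptions; the tool and file names themselves come from the post.

```python
"""Hunting pass for the Gentlemen TTPs over constructed Sysmon-style events.

Added example, not from the original post. Hosts, paths, command lines and
thresholds are constructed; the tool and file names come from the post.
"""
from collections import defaultdict
from dataclasses import dataclass

# Tools the post names. The image file names are assumed (e.g. Advanced IP
# Scanner ships as advanced_ip_scanner.exe); renamed copies need hash matching.
TOOL_IMAGES = {
    "advanced_ip_scanner.exe", "nmap.exe", "psexec.exe", "psexec64.exe",
    "powerrun.exe", "anydesk.exe", "winscp.exe",
}
# File artifacts the post lists.
FILE_IOCS = {"all.exe", "throttleblood.sys", "allpatch2.exe", "1.bat"}

PROCESS_CREATE = 1   # Sysmon event IDs used below
FILE_CREATE = 11


@dataclass(frozen=True)
class Event:
    host: str
    event_id: int
    image: str                 # process image (EID 1) or created file (EID 11)
    command_line: str = ""
    parent_image: str = ""
    parent_command_line: str = ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def touches_netlogon(path: str) -> bool:
    p = path.lower()
    # The NETLOGON share is backed by SYSVOL\<domain>\scripts on domain controllers.
    return "\\netlogon\\" in p or ("\\sysvol\\" in p and "\\scripts\\" in p)


def hunt(events, netlogon_host_threshold=3, enum_threshold=5):
    """Return {category: [finding, ...]} for the post's IOC/TTP list."""
    findings = defaultdict(list)
    netlogon_hosts = set()
    enum_calls = defaultdict(int)   # (host, parent cmdline) -> net user/group count

    for ev in events:
        name = basename(ev.image)
        cmd = ev.command_line.lower()
        if ev.event_id == PROCESS_CREATE and name in TOOL_IMAGES:
            findings["tool_execution"].append(f"{ev.host}: {name}")
        if name in FILE_IOCS:   # written or executed, either is worth a ticket
            findings["file_ioc"].append(f"{ev.host}: {ev.image}")
        # NETLOGON distribution: anything executed from or written into the share.
        if touches_netlogon(ev.image) or touches_netlogon(cmd):
            netlogon_hosts.add(ev.host)
            # gpscript.exe as parent ties the launch to a GPO script (assumed indicator).
            if basename(ev.parent_image) == "gpscript.exe":
                findings["gpo_launched_payload"].append(f"{ev.host}: {ev.image}")
        # Account enumeration: net.exe/net1.exe user|group calls fanned out by a script.
        if (ev.event_id == PROCESS_CREATE and name in {"net.exe", "net1.exe"}
                and (" user" in cmd or " group" in cmd)):
            enum_calls[(ev.host, ev.parent_command_line.lower())] += 1

    if len(netlogon_hosts) >= netlogon_host_threshold:
        findings["netlogon_fanout"].append(
            f"{len(netlogon_hosts)} hosts touched NETLOGON: {', '.join(sorted(netlogon_hosts))}")
    for (host, parent_cmd), count in enum_calls.items():
        if count >= enum_threshold:
            findings["mass_account_enumeration"].append(
                f"{host}: {count} net user/group calls spawned by '{parent_cmd}'")
    return dict(findings)


# Constructed events for one hypothetical intrusion (not real telemetry).
SAMPLE_EVENTS = [
    Event("ws01", PROCESS_CREATE, r"C:\Users\jdoe\Downloads\advanced_ip_scanner.exe"),
    Event("ws01", PROCESS_CREATE, r"C:\Tools\PsExec.exe",
          r"PsExec.exe \\srv-fs01 -s cmd.exe", r"C:\Windows\System32\cmd.exe"),
    Event("srv-fs01", FILE_CREATE, r"C:\Windows\Temp\ThrottleBlood.sys"),
    Event("srv-fs01", PROCESS_CREATE, r"C:\Windows\Temp\All.exe", "All.exe"),
    Event("dc01", FILE_CREATE, r"C:\Windows\SYSVOL\domain\scripts\Allpatch2.exe"),
] + [
    Event("ws01", PROCESS_CREATE, r"C:\Windows\System32\net.exe",
          f"net user {u} /domain", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c 1.bat")
    for u in ("administrator", "itgateadmin", "svc_backup", "svc_sql", "jdoe")
] + [
    Event(h, PROCESS_CREATE, r"\\corp.example\NETLOGON\Allpatch2.exe",
          r"\\corp.example\NETLOGON\Allpatch2.exe", r"C:\Windows\System32\gpscript.exe")
    for h in ("ws02", "ws03", "srv-fs01", "srv-app02")
]

if __name__ == "__main__":
    for category, hits in hunt(SAMPLE_EVENTS).items():
        print(category)
        for hit in hits:
            print("  ", hit)
```

The NETLOGON fan-out and enumeration thresholds are the knobs to tune against your own baseline: a single host pulling a script from NETLOGON is normal logon behaviour, several hosts executing a fresh .exe from it within minutes is not, and a handful of `net user` calls from a help-desk session looks very different from dozens issued by one batch file.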
This group’s ability to adapt its methods to bypass enterprise-grade defenses makes them a significant threat.
#ThreatHunting #CyberSecurity #DFIR #InfoSec #TTPs #IOCs #Ransomware #SOC #Gentlemen