Threat Advisories:
The Gentlemen Ransomware: A Rising Global Cyber Threat MostereRAT: A Deep Dive into an EPL-Backed Phishing Operation Stealerium Changing the Rules of Cyber Espionage s1ngularity Nx Supply Chain Attack: AI-Driven Credential Theft & Mass Exposure GPUGate: Weaponizing Ads and GitHub to Outsmart Sandboxes Cephalus Ransomware a Wake-Up Call for Stronger Endpoint Defense Sitecore Zero-Day Powers Reconnaissance Malware TP-Link Router End-of-Service Models Exploited in Botnet Operation GhostRedirector Targets Windows Servers Globally for SEO Fraud CVE-2025-55177: WhatsApp Zero-Click Flaw Used in Targeted Campaigns Experimental AI Ransomware PromptLock Sparks Security Concerns NightSpire Ransomware Expands Reach with Aggressive Extortion Deadlines Operation HanKook Phantom: APT37’s Stealthy Espionage Campaign Storm-0501’s Shift to Cloud-Native Ransomware Salt Typhoon Cyber Attacks Hit 200 Organizations in the United States CVE-2025-7775: Actively Exploited Critical Flaw in Citrix NetScaler ZipLine Campaign Spins Web Around U.S. Supply Chain Manufacturers with MixShell August 2025 Linux Patch Roundup New SHAMOS Stealer Exploits One-Line Commands on macOS QuirkyLoader: A Silent Enabler of Modern Malware Families
🎧 Hive Force Labs: Critical Threats Affecting You This Week - 5 Minute Audio Intelligence Report
👥 Play Count: Loading...
Partner Program
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them.
IntegrationsSync with an abundant number of out-of-the-box integrations.
HiveForce LabsStrategic intelligence and operational expertise to ensure comprehensive security readiness at all levels.
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them.
IntegrationsSync with an abundant number of out-of-the-box integrations.
HiveForce LabsStrategic intelligence and operational expertise to ensure comprehensive security readiness at all levels.
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe

The Gentlemen Ransomware: A Rising Global Cyber Threat

Red | Attack Report
Download PDF

The Gentlemen Ransomware: Targeted Campaign Against Global Critical Sectors

Summary

In August 2025, a new ransomware group known as The Gentlemen emerged, launching highly adaptive, targeted attacks across 17 countries. Their primary focus includes manufacturing, construction, healthcare, insurance, and consumer services, with attacks directed against Windows environments.

The Gentlemen use a combination of legitimate administrative tools, custom anti-AV software, and environment-specific payloads to evade defenses and achieve persistence. Their operations mark an evolution toward methodical, customized ransomware attacks that neutralize security measures, destroy backups, and ensure maximum operational disruption before deploying ransomware.

Attack Details

  • Initial Access: Exploitation of internet-exposed services and compromised FortiGate administrative accounts, enabling deep network reconnaissance and lateral movement.

  • Living-off-the-Land Techniques: Extensive use of legitimate tools like PowerRun, PsExec, Nmap, PuTTY for privilege escalation and remote control.

  • Defense Evasion & Persistence: Abuse of signed drivers, deployment of custom anti-AV utilities, Group Policy manipulation, and registry modifications to maintain stealth.

  • Remote Access & Exfiltration: Use of AnyDesk for persistent remote access and WinSCP over encrypted channels for data staging and exfiltration.

  • Ransomware Deployment: Distributed through domain NETLOGON shares with password-protected payloads to bypass automated analysis. Actively terminates backup, database, and AV services, deletes logs, and drops ransom notes titled “README-GENTLEMEN.txt”. Files are appended with the .7mtzhh extension, confirming encryption.

This campaign highlights a well-funded and organized ransomware operation, potentially a rebrand of an experienced threat group.

Recommendations

  • Harden Privileged Accounts & AD: Apply least privilege, Just-In-Time access, and monitor Group Policy Objects for abnormal changes.

  • Block Driver & Tool Abuse: Enforce driver allowlisting and restrict administrative tool usage. Monitor for unauthorized AnyDesk sessions.

  • Enhance Endpoint & Network Security: Deploy EDR/XDR, watch for AV tampering, and detect suspicious encrypted file transfers.

  • Network Segmentation & DLP: Limit lateral movement opportunities and reduce data exfiltration risks with segmentation and data loss prevention controls.

  • Regular Offline Backups: Maintain and test backup integrity frequently to ensure recovery without ransom payment.

Indicators of Compromise (IoCs)

SHA1 Hashes

  • c12c4d58541cc4f75ae19b65295a52c559570054

  • c0979ec20b87084317d1bfa50405f7149c3b5c5f

  • df249727c12741ca176d5f1ccba3ce188a546d28

  • e00293ce0eb534874efd615ae590cf6aa3858ba4

Recent Breach Domains

MITRE ATT&CK TTPs

  • Initial Access: T1190 (Exploit Public-Facing Applications), T1078 / T1078.002 (Valid & Domain Accounts)

  • Execution: T1059 (Command & Scripting Interpreter), T1059.001 (PowerShell), T1059.003 (Windows Command Shell)

  • Persistence: T1547 (Boot or Logon Autostart Execution), T1136 (Create Account)

  • Privilege Escalation: T1068 (Exploitation for Privilege Escalation)

  • Defense Evasion: T1562 (Impair Defenses), T1112 (Modify Registry), T1027 (Obfuscation), T1484.001 (Group Policy Modification)

  • Discovery: T1046 (Network Service Discovery), T1087 / T1087.002 (Account & Domain Account Discovery), T1482 (Domain Trust Discovery)

  • Lateral Movement: T1021 (Remote Services), T1021.001 (RDP), T1021.002 (SMB/Windows Admin Shares), T1021.004 (SSH)

  • Collection & Exfiltration: T1074 / T1074.001 (Data Staging), T1039 (Data from Network Shared Drive), T1048 / T1048.001 (Exfiltration Over Encrypted Channels)

  • Command & Control: T1071 / T1071.001 (Web Protocols), T1219 (Remote Access Software)

  • Impact: T1486 (Data Encrypted for Impact), T1489 (Service Stop), T1552 (Unsecured Credentials)

References

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox