The Gentlemen are Knocking: Custom Backdoors and Evolving Tactics

    Date: 06/30/2026

    Severity: Critical

    Summary

    The Gentlemen has emerged as a prominent Ransomware-as-a-Service (RaaS) group, significantly expanding its operations in early 2026 and ranking among the top ransomware actors by victim disclosures on its Data Leak Site (DLS). Researchers have tracked the group's activity since February 2026 and uncovered previously undocumented Tactics, Techniques, and Procedures (TTPs), including custom tooling, reconnaissance, and network sniffing capabilities. The group primarily targets critical infrastructure across multiple regions and runs a sophisticated, evolving ransomware operation.

    Indicators of Compromise (IOC) List

    IP Address:

    81.177.215.15

    MD5 Hash:

    3B46A729DB7AE6AF8B19711C9452194D

    02944C8A5535CDB5B2CBB893DB2D5ACF

    10CA9A4040001560D053B7E7885C1B95

    3C471EBC947CDF32240A90FFADF49B13

    4BE8BB62F0EBBCF4CE52C35AB6F794F5

    53C616677BC7E2A0A03127F19166D007

    5C3B9821FC82A9028CB63B9671950919

    5F0B2C6D9F442754258BF4DD841C8341

    608FAF58353B65C45EF9833358AC3787

    6AE7C9A7EA0B8C40A64225734F6BD01D

    846DC77C1246DB20D976346E0E359502

    ADAC9984B3CC43D66A0D33079BBEC299

    AE0E536766788478263BF448A9381641

    B3E418D30312C1B2C58A791286868F42

    C2764744DCB4B0E1DB79CA1E8BF65368

    D12A5B36DD00586CC374A1CAE43EFED4

    D2F72897E8986303D5567EB2384932B8

    DE1522F9219497632F30F8A6E72F26B6

    FDAE2BEB813778B4540A997706862096

    B9986A0F1F1F1A798DC3F0C59A80A1A3

    554E699C96B332468F1AE69C1AE81EF9

    5761BD63DA03686FC480245DA7BD1E9F

    B6B51508AD6F462C45FE102C85D246C8

    8F0577D28C4FF5F71B149F444BFABA8E

    525EF6014F0EF20E44FE47C1D9980B69

    407B6A136BBAA7172EB44EF9D08BB58A

    9321A61A25C7961D9F36852ECAA86F55

    73F0A8C3EA794A04E80C32038249F044

    EEF8A950952696B018AA9C6DA2F5D7AD

    EDB1C480295250DD1A38F3AA1357DEAE

    5537C708EDB9A2C21F88E34E8A0F1744

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("81.177.215.15") or srcipaddress IN ("81.177.215.15")

    Detection Query 2:

    md5hash IN ("D2F72897E8986303D5567EB2384932B8","9321A61A25C7961D9F36852ECAA86F55","C2764744DCB4B0E1DB79CA1E8BF65368","5537C708EDB9A2C21F88E34E8A0F1744","3C471EBC947CDF32240A90FFADF49B13","ADAC9984B3CC43D66A0D33079BBEC299","B3E418D30312C1B2C58A791286868F42","5C3B9821FC82A9028CB63B9671950919","5F0B2C6D9F442754258BF4DD841C8341","407B6A136BBAA7172EB44EF9D08BB58A","B9986A0F1F1F1A798DC3F0C59A80A1A3","525EF6014F0EF20E44FE47C1D9980B69","53C616677BC7E2A0A03127F19166D007","73F0A8C3EA794A04E80C32038249F044","6AE7C9A7EA0B8C40A64225734F6BD01D","EDB1C480295250DD1A38F3AA1357DEAE","3B46A729DB7AE6AF8B19711C9452194D","D12A5B36DD00586CC374A1CAE43EFED4","608FAF58353B65C45EF9833358AC3787","4BE8BB62F0EBBCF4CE52C35AB6F794F5","AE0E536766788478263BF448A9381641","B6B51508AD6F462C45FE102C85D246C8","02944C8A5535CDB5B2CBB893DB2D5ACF","8F0577D28C4FF5F71B149F444BFABA8E","846DC77C1246DB20D976346E0E359502","FDAE2BEB813778B4540A997706862096","554E699C96B332468F1AE69C1AE81EF9","DE1522F9219497632F30F8A6E72F26B6","5761BD63DA03686FC480245DA7BD1E9F","EEF8A950952696B018AA9C6DA2F5D7AD","10CA9A4040001560D053B7E7885C1B95")
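    As an added example (not Gurucul TDIR query syntax and not code from the referenced report), the following Python script applies the same two checks as the queries above to JSON-lines telemetry: it matches the C2 address in either the source or destination field, and it lowercases hash values before comparison, since log sources disagree on hex casing and a case-sensitive match would silently miss hits. Only the IP and the 31 MD5 values come from this page; the field names (src_ip, dst_ip, md5, host) and the sample events are assumptions constructed for the demonstration.

```python
"""IOC sweep over JSON-lines telemetry for the indicators on this page.

Added example: this is not Gurucul TDIR query syntax or the vendor's code. The
IP and MD5 values are the page's IOCs; the log events and field names
(src_ip, dst_ip, md5, host) are constructed assumptions for the demonstration.
"""
import json
import re

# Network indicator from the page (Detection Query 1).
C2_IPS = {"81.177.215.15"}

# The 31 MD5 hashes from the page (Detection Query 2), normalised to lowercase
# once so that matching does not depend on how a given log source cases hashes.
MD5_IOCS = {
    h.lower()
    for h in """
    3B46A729DB7AE6AF8B19711C9452194D 02944C8A5535CDB5B2CBB893DB2D5ACF
    10CA9A4040001560D053B7E7885C1B95 3C471EBC947CDF32240A90FFADF49B13
    4BE8BB62F0EBBCF4CE52C35AB6F794F5 53C616677BC7E2A0A03127F19166D007
    5C3B9821FC82A9028CB63B9671950919 5F0B2C6D9F442754258BF4DD841C8341
    608FAF58353B65C45EF9833358AC3787 6AE7C9A7EA0B8C40A64225734F6BD01D
    846DC77C1246DB20D976346E0E359502 ADAC9984B3CC43D66A0D33079BBEC299
    AE0E536766788478263BF448A9381641 B3E418D30312C1B2C58A791286868F42
    C2764744DCB4B0E1DB79CA1E8BF65368 D12A5B36DD00586CC374A1CAE43EFED4
    D2F72897E8986303D5567EB2384932B8 DE1522F9219497632F30F8A6E72F26B6
    FDAE2BEB813778B4540A997706862096 B9986A0F1F1F1A798DC3F0C59A80A1A3
    554E699C96B332468F1AE69C1AE81EF9 5761BD63DA03686FC480245DA7BD1E9F
    B6B51508AD6F462C45FE102C85D246C8 8F0577D28C4FF5F71B149F444BFABA8E
    525EF6014F0EF20E44FE47C1D9980B69 407B6A136BBAA7172EB44EF9D08BB58A
    9321A61A25C7961D9F36852ECAA86F55 73F0A8C3EA794A04E80C32038249F044
    EEF8A950952696B018AA9C6DA2F5D7AD EDB1C480295250DD1A38F3AA1357DEAE
    5537C708EDB9A2C21F88E34E8A0F1744
    """.split()
}

MD5_RE = re.compile(r"[0-9a-f]{32}")


def normalize_md5(value):
    """Lowercase and validate a hash field; return None if it is not an MD5."""
    if value is None:
        return None
    v = str(value).strip().lower()
    return v if MD5_RE.fullmatch(v) else None


def match_event(event):
    """Return (indicator_type, value, field) hits for one parsed event.

    Both IP directions are checked, as Query 1 does with srcipaddress and
    dstipaddress, so inbound scans and outbound beacons are both caught.
    """
    hits = []
    for field in ("src_ip", "dst_ip"):
        ip = event.get(field)
        if ip in C2_IPS:
            hits.append(("ip", ip, field))
    md5 = normalize_md5(event.get("md5"))
    if md5 in MD5_IOCS:
        hits.append(("md5", md5, "md5"))
    return hits


def sweep(lines):
    """Scan JSON-lines records; return [(line_no, host, hits)] for matches.

    Blank or non-JSON lines are skipped rather than aborting the sweep, since
    exported telemetry is rarely clean.
    """
    results = []
    for line_no, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        hits = match_event(event)
        if hits:
            results.append((line_no, event.get("host"), hits))
    return results


# Constructed sample telemetry (not real data). Line 3 carries a listed hash in
# lowercase, line 4 a benign hash in uppercase, line 5 is deliberately malformed.
SAMPLE_LOG = [
    '{"ts":"2026-06-30T10:01:02Z","host":"ws-041","src_ip":"10.20.3.7","dst_ip":"81.177.215.15","dst_port":443}',
    '{"ts":"2026-06-30T10:01:05Z","host":"ws-041","src_ip":"10.20.3.7","dst_ip":"203.0.113.10","dst_port":443}',
    '{"ts":"2026-06-30T10:02:11Z","host":"srv-db-02","process":"svchost.exe","md5":"d2f72897e8986303d5567eb2384932b8"}',
    '{"ts":"2026-06-30T10:02:40Z","host":"srv-db-02","process":"notepad.exe","md5":"0CC175B9C0F1B6A831C399E269772661"}',
    "this line is not JSON and must be skipped",
    '{"ts":"2026-06-30T10:03:00Z","host":"fw-edge","src_ip":"81.177.215.15","dst_ip":"10.20.0.5","dst_port":3389}',
]

if __name__ == "__main__":
    for line_no, host, hits in sweep(SAMPLE_LOG):
        for kind, value, field in hits:
            print(f"line {line_no} host={host}: {kind} IOC {value} in field {field}")
```

    Run it as a script to print the three hits from the sample, or import it and call sweep() on lines read from an exported log. An MD5 hit confirms a known sample only; recompiled or repacked builds will not match, so treat the hash list as high-fidelity but incomplete and pair it with behavioural detection for the reconnaissance and network-sniffing activity the summary describes.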

    Reference:

    https://securelist.com/the-gentlemen-raas/120447/


    Tags

    Malware, Threat Actor, Ransomware, Backdoor, Critical Infrastructure
