Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware – The DFIR Report

The intrusion linked EtherRAT, TukTuk, GoTo Resolve, and The Gentlemen ransomware in a multi-stage campaign that used malicious MSI installers, blockchain-based C2, SaaS platforms, and cloud services. The attackers performed reconnaissance, credential theft, lateral movement, data exfiltration, and domain-wide ransomware deployment while abusing legitimate tools and infrastructure to evade detection. #EtherRAT #TukTuk #GoToResolve #TheGentlemen #TryCloudflare #Wasabi #Supabase #ClickHouse #Arweave #Ethereum

Keypoints

  • EtherRAT was first observed targeting Linux servers via CVE-2025-55182, and later appeared in a Windows campaign linked to the same activity cluster.
  • A malicious MSI disguised as Sysinternals RAMMap installed EtherRAT, which used Ethereum blockchain-based EtherHiding to fetch its C2 configuration.
  • The attacker later updated configuration to activate C2 through TryCloudflare tunnels and used decoy domains to obscure infrastructure analysis.
  • TukTuk was deployed through trojanized binaries and DLL sideloading, with primary C2 over ClickHouse and Supabase and backup channels via other SaaS services.
  • The intruders conducted Kerberoasting, credential discovery, LSASS/NTDS dumping, RDP/SMB/WinRM activity, and lateral deployment of GoTo Resolve.
  • Rclone was used to exfiltrate data to Wasabi storage before The Gentlemen ransomware was deployed across the domain via malicious GPO and scheduled tasks.
  • The campaign relied on blockchain, SaaS, RMM, and cloud infrastructure to maintain access and resist traditional network defenses.

MITRE Techniques

  • [T1204] User Execution – The victim executed a malicious MSI installer disguised as a Sysinternals utility (‘user execute a malicious MSI installer masquerading as the Sysinternals RAMMap utility’).
  • [T1218.007] Msiexec – The malware was installed through MSI execution using msiexec (‘Monitor msiexec.exe executing from user Desktop/Downloads’).
  • [T1055] Process Injection – The report indicates memory-captured activity and LSASS-targeting behavior consistent with injected or in-memory tradecraft (‘captured in memory’).
  • [T1082] System Information Discovery – The actor profiled the host, OS, video controller, domain state, and antivirus (‘system profiling, antivirus enumeration, domain checks’).
  • [T1018] Remote System Discovery – The threat actor enumerated domain controllers and trusted domains (‘nltest /domain_trusts /all_trusts’, ‘nltest /dclist’).
  • [T1033] System Owner/User Discovery – The actor used whoami /all and LDAP-style user discovery to learn about accounts (‘user activity discovery’, ‘whoami /all’).
  • [T1482] Domain Trust Discovery – Domain trust enumeration was performed during discovery (‘nltest /domain_trusts /all_trusts’).
  • [T1069.002] Domain Group Discovery – The actor queried privileged groups such as Domain Admins and Enterprise Admins (‘net group “Domain Admins” /domain’).
  • [T1068] Exploitation for Privilege Escalation – Initial access began with exploitation of a public vulnerability on Linux servers (‘exploitation of CVE-2025-55182 (React2Shell)’).
  • [T1003.001] OS Credential Dumping: LSASS Memory – The attacker dumped LSASS via comsvcs.dll (‘rundll32.exe … comsvcs.dll … lsass.exe’).
  • [T1003.003] OS Credential Dumping: NTDS – NetExec was used with the --ntds option and NTDS dumping was referenced (‘nxc smb … --ntds’, ‘LSASS/NTDS dumping activity’).
  • [T1110.003] Kerberoasting – The attacker performed Kerberoasting to target service account credentials (‘Kerberoasting operations’).
  • [T1021.001] Remote Services: RDP – The intrusion expanded access through Remote Desktop Protocol (‘expanded access through RDP’).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Lateral movement used SMB across systems (‘expanded access through … SMB’).
  • [T1021.006] Remote Services: WinRM – The actor used WinRM for lateral access (‘expanded access through … WinRM’).
  • [T1219] Remote Access Software – GoTo Resolve was installed and used as remote management tooling (‘deploy GoTo Resolve remote management tooling’).
  • [T1071.001] Web Protocols – C2 and tasking used HTTPS-based services and tunnels such as TryCloudflare, ClickHouse, and Supabase (‘communicated with … SaaS platforms’).
  • [T1090.002] External Proxy – TryCloudflare tunnels were used as a proxy to the environment (‘allowing remote access … over a Cloudflare tunnel’).
  • [T1105] Ingress Tool Transfer – Additional payloads were downloaded from S3 buckets and other internet sources (‘downloaded additional payloads from S3 buckets’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Ransomware binaries were executed via scheduled tasks in SYSVOL/NETLOGON (‘executed staged ransomware binaries … via scheduled tasks’).
  • [T1486] Data Encrypted for Impact – The Gentlemen ransomware was deployed to encrypt systems (‘ransomware operations began’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Defender protections and AV were disabled or excluded (‘disabled Microsoft Defender protections, added AV exclusions’).
  • [T1070.004] Indicator Removal on Host: File Deletion – Shadow copies and forensic artifacts were removed (‘deleted shadow copies, cleared event logs, and removed forensic artifacts’).
  • [T1610] Deploy Container – Virtual machines were stopped before encryption, impacting system recovery (‘stopped virtual machines’).
  • [T1136.001] Create Account: Local Account – Privileged account passwords were reset during the intrusion (‘resetting privileged account passwords’).
  • [T1071.004] DNS – The operation used DNS lookups for configuration and infrastructure resolution (‘DNS Lookup (1rpc.io)’, ‘DNS Query to Commonly Abused Cloudflare Domain’).
  • [T1555] Credentials from Password Stores – Credential discovery targeted administrative credentials and service account secrets (‘credential discovery targeting administrative accounts’).
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – TukTuk was executed via DLL sideloading (‘executed via DLL sideloading’).
  • [T1102.001] Web Service: Dead Drop Resolver – TukTuk could query Arweave as a dead-drop resolver (‘queries the Arweave blockchain … retrieves an encrypted configuration blob’).

Indicators of Compromise

  • [Domain] blockchain/C2 configuration and resolution – 1rpc.io, trycloudflare.com
  • [Domain] SaaS C2 and staging infrastructure – vefbdzzuaadnascpeqcn.supabase.co, k135neflez.westus3.azure.clickhouse.cloud
  • [Domain] related campaign infrastructure – vngz3ntdrb.us-east1.gcp.clickhouse.cloud, muurfzqprzmdkzoibxaz.supabase.co
  • [Domain] fallback/exfil and related services – borjumaniya.store, ep-lively-cherry-a80bmwii.eastus2.azure.neon.tech
  • [Domain] Arweave gateways used for dead-drop resolution – goldsky.arweave.net, arweave.net, and g8way.io
  • [Ethereum Contract] EtherHiding/C2 resolution – 0xdf0b529043ef7a2bb9111bad26de624a326bacf90, 0x5953f27F044779a3AFCd2BF56a4B712583Dd2E4e
  • [Arweave Drive-Id] TukTuk dead-drop lookup key – a6278417-39f4-407e-90bf-599f74726e66
  • [File] malicious initial access and loader artifacts – RAMMap.msi, smokymo.msi
  • [File] EtherRAT payload/config files – MVnVmUYj.cmd, A7Pnj975bl.cfg, v72HYLU3OpRBznc.ini
  • [File] TukTuk-related binary – log4net.dll
  • [Hash ] malicious installer and payload hashes – RAMMap.msi hash 73ce2438d4ed475e03727b7b000d27943d5ee8429ef00824c0351cba507dfeb92b54f83bd9487fdc097f770e5661f9e5dee130068cb179d33716abff1a21c8cb901f25a6, MVnVmUYj.cmd hash b2d51212744f404714fd909e87254d98c98ee41f09ae079a5643626f57eb84f92205bb2b8c2665adf8bfab65463f2a9bd1b7bb0231de3f5c1e6a2e51479e44aaac2e7bf0
  • [Hash ] additional payload hashes – A7Pnj975bl.cfg hash c92cf9a1af5b1fe25cdcb8771ce52be4b44c8084b88d31113ee51758740eb84c251bdae84142d5efd4ea2abab77f2f0a917610e2ff976bf9e19d7ad1e9156eccdc5412db, v72HYLU3OpRBznc.ini hash 77fbe265fd65c7f7b6d323fb6de6a4fd114ec028a3fc4ed50056ee8166b0c39acff6ff032d4b4bb18b8445e49eeda571982874403befcecf78266e3d405f6529d98bee46
  • [Hash ] more payload hashes – log4net.dll hash f985b8d6d635c266fc4779dad77aa75cba80d7b038758a129861e1e498e462cc3d68ae2019021e53b9929fdf4b7d0e0707434d56bb73c1a9b7403c8837b44d1c417198dc, smokymo.msi hash b188fbc6ff5557767e73e4c883a553a3aa9218994798ae31a19d3e7e39cfac2e2ee558401795eacd2c58894ccdd6be8854fe6456c3b069a3a873432343b57b475b256aee
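As an added defender-side example that is not part of The DFIR Report's alert, the script below turns the detection hints quoted in the MITRE list (msiexec from Desktop/Downloads, comsvcs.dll LSASS dumps, nltest trust enumeration, Domain Admins queries, nxc --ntds) and the C2 and abused-service domains from the IOC list above into simple triage rules run over constructed sample process and DNS events; the hostnames, command lines and benign events are invented for illustration.

```python
import re
# Constructed sample telemetry, not from the report: (event_type, host, detail).
SAMPLE_EVENTS = [
    ("process", "ws01", r"C:\Windows\System32\msiexec.exe /i C:\Users\j.doe\Downloads\RAMMap.msi /qn"),
    ("process", "ws01", r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 C:\temp\l.dmp full"),
    ("process", "ws01", "nltest /domain_trusts /all_trusts"),
    ("process", "ws01", 'net group "Domain Admins" /domain'),
    ("process", "ws02", "nxc smb 10.0.0.5 -u svc -p x --ntds"),
    ("dns", "ws01", "1rpc.io"),
    ("dns", "ws01", "abc-def.trycloudflare.com"),
    ("dns", "ws01", "vefbdzzuaadnascpeqcn.supabase.co"),
    ("process", "ws03", r"C:\Windows\System32\msiexec.exe /i C:\ProgramData\corp\agent.msi /qn"),  # benign
    ("dns", "ws03", "update.microsoft.com"),  # benign
]
# Domains from the report's IOC list (exact match) and abused services it names (suffix match).
C2_DOMAINS = {"vefbdzzuaadnascpeqcn.supabase.co", "k135neflez.westus3.azure.clickhouse.cloud"}
ABUSED_SUFFIXES = ("1rpc.io", "trycloudflare.com")
# (technique id, rule name, regex over the process command line), one per detection hint above.
PROCESS_RULES = [
    ("T1218.007", "msiexec installing an MSI from a user Desktop/Downloads folder",
     re.compile(r"msiexec\.exe.*\\Users\\[^\\]+\\(Desktop|Downloads)\\[^ ]+\.msi", re.I)),
    ("T1003.001", "LSASS dump via comsvcs.dll MiniDump", re.compile(r"rundll32.*comsvcs\.dll.*MiniDump", re.I)),
    ("T1482", "domain trust enumeration with nltest", re.compile(r"nltest.*/domain_trusts", re.I)),
    ("T1069.002", "privileged group enumeration",
     re.compile(r'net\s+group\s+"(Domain|Enterprise) Admins"\s+/domain', re.I)),
    ("T1003.003", "NetExec NTDS dump", re.compile(r"\bnxc\s+smb\b.*--ntds", re.I)),
]

def matches_dns(qname):
    """True if the query is a report-listed C2 host or falls under an abused service domain."""
    q = qname.lower().rstrip(".")
    return q in C2_DOMAINS or any(q == s or q.endswith("." + s) for s in ABUSED_SUFFIXES)

def triage(events):
    """Return (host, technique id, rule name) for every event that matches a rule."""
    hits = []
    for kind, host, detail in events:
        if kind == "process":
            hits.extend((host, tid, name) for tid, name, rx in PROCESS_RULES if rx.search(detail))
        elif kind == "dns" and matches_dns(detail):
            hits.append((host, "T1071.004", "DNS query to report-listed C2 or abused domain"))
    return hits

def hosts_to_isolate(hits, threshold=2):
    """Hosts with at least `threshold` distinct techniques: the candidate containment list."""
    per_host = {}
    for host, tid, _ in hits:
        per_host.setdefault(host, set()).add(tid)
    return sorted(h for h, tids in per_host.items() if len(tids) >= threshold)
```

Running `triage(SAMPLE_EVENTS)` flags eight events, and `hosts_to_isolate` narrows containment to ws01, the only host showing several of the report's techniques together; the benign ProgramData install on ws03 is not flagged.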


Read more: https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/