The Gentlemen ransomware: Dissecting a self-propagating Go encryptor

The Gentlemen is a ransomware-as-a-service operation tracked as Storm-2697, distinguished by combining robust per-file encryption using Curve25519 with the XChaCha20 stream cipher alongside aggressive self-propagation capabilities designed for broad network compromise. Emerging in mid-2025 and transitioning to RaaS by September 2025, the operation recently partnered with BreachForums to recruit affiliates including penetration testers and initial access brokers. Written in Go and obfuscated with Garble, the ransomware employs double extortion tactics, encrypting data while exfiltrating sensitive information. It utilizes 21 distinct lateral movement techniques per target host, including PsExec, WMI, scheduled tasks, services, and PowerShell remoting. The malware disables defenses, deletes shadow copies and forensic artifacts, and can optionally wipe free disk space to prevent recovery, impacting organizations globally across education, transportation, healthcare, and finance sectors.

Pulse ID: 6a189defc88ad66cd0a9d87d
Pulse Link: https://otx.alienvault.com/pulse/6a189defc88ad66cd0a9d87d
Pulse Author: AlienVault
Created: 2026-05-28 19:56:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ChaCha20 #CyberSecurity #ELF #Education #Encryption #Extortion #Healthcare #ICS #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #PsExec #RAT #RaaS #RansomWare #RansomwareAsAService #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

ClickFix Removes Your Background but Leaves the Malware

BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.

Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13

#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault

DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet

An exposed open directory on a Netherlands-hosted server revealed the complete operational toolkit of xlabs_v1, a Mirai-derived IoT botnet operated by an actor using the handle Tadashi. The operation provides DDoS-for-hire services specifically targeting game servers and Minecraft hosts through 21 distinct flood attack variants. The botnet exploits Android Debug Bridge (ADB) on TCP/5555 to compromise over 4 million potentially vulnerable IoT devices including Android TV boxes, smart TVs, and routers. The operation features bandwidth profiling to price-tier infected devices, ChaCha20 string encryption with cryptographic weaknesses, and competitor-eradication routines. Infrastructure analysis consolidated the entire operation within a single bulletproof /24 netblock in the Netherlands, with co-located cryptojacking infrastructure also identified.

Pulse ID: 69f25f09e5c3a33611f7cb16
Pulse Link: https://otx.alienvault.com/pulse/69f25f09e5c3a33611f7cb16
Pulse Author: AlienVault
Created: 2026-04-29 19:42:01

#Android #ChaCha20 #CryptoJacking #CyberSecurity #DDoS #DoS #Encryption #InfoSec #IoT #Minecraft #Mirai #OTX #OpenThreatExchange #RAT #TCP #TheNetherlands #bot #botnet #AlienVault

📢 VECT 2.0: a RaaS ransomware that irreversibly destroys files through a design flaw
📝 🔍 Context

Published on 28 April 2026 by Check Point Research (CPR), this article presents an analys...
📖 cyberveille : https://cyberveille.ch/posts/2026-04-29-vect-2-0-un-ransomware-raas-qui-detruit-irremediablement-les-fichiers-par-defaut-de-conception/
🌐 source : https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/
#ChaCha20 #ESXi #Cyberveille

VECT 2.0: a RaaS ransomware that irreversibly destroys files through a design flaw

🔍 Context
Published on 28 April 2026 by Check Point Research (CPR), this article presents an in-depth technical analysis of the VECT 2.0 ransomware, a Ransomware-as-a-Service (RaaS) that first appeared in December 2025 on a Russian-speaking cybercriminal forum. CPR obtained access to the affiliate panel and the builder through a BreachForums account.
🧩 Overview of VECT
VECT is a ransomware written in C++, targeting three platforms: Windows, Linux and VMware ESXi. Version 2.0 was released in February 2026. The group announced partnerships with:

CyberVeille

VECT: Ransomware by design, Wiper by accident

Check Point Research discovered critical flaws in VECT 2.0 ransomware affecting Windows, Linux, and ESXi platforms. A fundamental encryption implementation error causes files larger than 128 KB to be permanently destroyed rather than encrypted. The malware uses ChaCha20-IETF cipher but only saves one of four decryption nonces required for large files, making recovery impossible even after ransom payment. VECT's encryption speed modes are non-functional, thread scheduling degrades performance, and anti-analysis code is unreachable. Despite partnerships with TeamPCP and BreachForums for distribution, the technical implementation demonstrates amateur execution behind a professional facade. The nonce-handling flaw exists across all platform variants since initial deployment, effectively transforming this ransomware into a wiper for enterprise assets including VM disks, databases, and backups.

Pulse ID: 69f0e1a5f1a168738b4eda1a
Pulse Link: https://otx.alienvault.com/pulse/69f0e1a5f1a168738b4eda1a
Pulse Author: AlienVault
Created: 2026-04-28 16:34:45

#AWS #ChaCha20 #CheckPoint #CyberSecurity #Encryption #InfoSec #Linux #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Windows #bot #AlienVault

🔎 VECT destroys large files by discarding decryption nonces. Files over 131 KB lose three required #ChaCha20 nonces during encryption, making most enterprise data unrecoverable even for the ransomware operators. #ransomNews #ransomware

📢 CrystalX RAT: a new MaaS Trojan combining spying, crypto theft and prank functions
📝 🔍 Context

Published on 1 April 2026 by Kaspersky's GReAT team, this article presents the...
📖 cyberveille : https://cyberveille.ch/posts/2026-04-02-crystalx-rat-un-nouveau-cheval-de-troie-maas-combinant-espionnage-vol-de-crypto-et-fonctions-de-canular/
🌐 source : https://www.kaspersky.com/blog/prankware-crystalx-rat-maas/55537/
#ChaCha20 #CrystalX #Cyberveille

CrystalX RAT: a new MaaS Trojan combining spying, crypto theft and prank functions

🔍 Context
Published on 1 April 2026 by Kaspersky's GReAT team, this article presents the analysis of a new remote access Trojan (RAT) named CrystalX, discovered in March 2026 on private Telegram channels. The malware is distributed under a malware-as-a-service (MaaS) model with three subscription tiers.
🧬 Origin and evolution
First mentioned in January 2026 in a private Telegram chat for RAT developers, under the name WebCrystal RAT. Identified as a clone of WebRat, a pre-existing RAT. Renamed CrystalX RAT shortly afterwards, with a dedicated Telegram channel created to market it. Tutorial videos published on YouTube under the guise of "educational purposes" make it easier to use.
💣 Malicious capabilities
Data theft and surveillance:

CyberVeille
📢 Full technical analysis of the Payload ransomware: Babuk derivative, Curve25519+ChaCha20, 12 victims
📝 Full static analysis of the Payload ransomware, derived from the 2021 Babuk source code, using Curve25519+ChaCha...
📖 cyberveille : https://cyberveille.ch/posts/2026-03-21-analyse-technique-complete-du-ransomware-payload-derive-de-babuk-curve25519-chacha20-12-victimes/
🌐 source : https://www.derp.ca/research/payload-ransomware-babuk-derivative/
#Babuk #ChaCha20 #Cyberveille
Full technical analysis of the Payload ransomware: Babuk derivative, Curve25519+ChaCha20, 12 victims

Full static analysis of the Payload ransomware, derived from the 2021 Babuk source code, using Curve25519+ChaCha20, targeting Windows and ESXi, with 12 victims and 2,603 GB exfiltrated.

CyberVeille