Managed endpoint protection, detection and response designed to help the 99% fight back against today’s cybercriminals.
Website: https://huntress.com
Twitter: https://twitter.com/huntresslabs
LinkedIn: https://www.linkedin.com/company/huntress-labs/

A leak of The Gentlemen's internal database added even more context, giving defenders a rare look at how the operation runs and what vulnerabilities they're actively targeting.

Lindsey O'Donnell-Welch and Harlan Carvey share the details:

https://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps

The Gentleman Ransomware | Defense Evasion TTPs Uncovered | Huntress

Two recent incidents involving The Gentlemen ransomware show the use of defense evasion tactics, including logs being cleared and attempts to add antivirus exclusions.

What they didn't count on? The breadcrumbs they left behind.

Incomplete clearing and leftover PowerShell event logs gave our analysts enough to piece the story together.

In both cases, the attackers followed a similar playbook.

When Defender blocked the first attempt to launch the encryptor, they didn’t give up. They cleared event logs, ran PowerShell commands to disable Defender and add exclusions, and came back for round two.

Our SOC recently investigated two incidents involving The Gentlemen, a ransomware-as-a-service operation that's claimed 400+ victims across 70 countries since mid-2025. 🧡
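As an added example (not Huntress's code and not from the blog post linked above), the Python below walks constructed Windows event records looking for the chain this thread describes: a Defender block, followed by log clearing and PowerShell that disables Defender or adds exclusions. It assumes PowerShell script block logging (event 4104) is enabled and that the block surfaces as Defender event 1117; the records are constructed sample data, not real telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry); fields mirror EVTX attributes.
EVENTS = [
    {"time": "2025-10-01T02:14:05", "channel": "Microsoft-Windows-Windows Defender/Operational",
     "id": 1117, "msg": "Windows Defender has taken action to protect this machine from malware."},
    {"time": "2025-10-01T02:20:11", "channel": "Security", "id": 1102,
     "msg": "The audit log was cleared."},
    {"time": "2025-10-01T02:20:12", "channel": "System", "id": 104,
     "msg": "The System log file was cleared."},
    {"time": "2025-10-01T02:21:30", "channel": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "msg": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"time": "2025-10-01T02:21:31", "channel": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "msg": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'"},
    {"time": "2025-10-01T02:21:40", "channel": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "msg": "Get-Process | Sort-Object CPU -Descending"},
]

# Defender tampering through its own cmdlets: disabling a protection or adding an exclusion.
DEFENDER_TAMPER = re.compile(r"\b(Set|Add)-MpPreference\b.*-(Disable\w*|Exclusion\w*)", re.I)

def classify(ev):
    """Map one event record to an evasion stage, or None when it is not of interest."""
    if ev["id"] == 1117 and "Windows Defender" in ev["channel"]:
        return "defender_block"          # AV acted on a file; the stage the attacker reacts to
    if (ev["channel"], ev["id"]) in {("Security", 1102), ("System", 104)}:
        return "log_cleared"             # the clearing action itself leaves an event behind
    if ev["id"] == 4104 and DEFENDER_TAMPER.search(ev["msg"]):
        return "defender_tamper"         # script block logging captured the cmdlet
    return None

def hunt(events, window_minutes=30):
    """Return the evasion stages seen within the window after the first Defender block;
    'chain' is True when log clearing and Defender tampering both follow that block."""
    tagged = []
    for ev in events:
        stage = classify(ev)
        if stage:
            tagged.append((datetime.fromisoformat(ev["time"]), stage, ev["msg"]))
    tagged.sort()                        # chronological order, regardless of input order
    blocks = [t for t, s, _ in tagged if s == "defender_block"]
    if not blocks:
        return {"chain": False, "stages": []}
    end = blocks[0] + timedelta(minutes=window_minutes)
    stages = [(s, m) for t, s, m in tagged if blocks[0] <= t <= end]
    seen = {s for s, _ in stages}
    return {"chain": {"log_cleared", "defender_tamper"} <= seen, "stages": stages}
```

The benign `Get-Process` script block is deliberately included to show that only Defender-tampering cmdlets are flagged.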

An unknown threat actor is abusing a remote management tool called #TiFLUX as an initial access vector, targeting a broad range of potential victims by email. The attacks using this Brazil-originated commercial utility began in February, but really ramped up in April and the beginning of this month.

The lures employ a variety of #spam tropes, including bogus event invitations and business invoices/bills.

TiFLUX seems uniquely vulnerable to this kind of abuse: the installer package also installs an old version of UltraVNC as well as a vulnerable #loldriver that can elevate privileges. Weirdest of all, the attackers are also using this RMM to deploy other heavily-abused RMMs, including #Splashtop and #ScreenConnect, to the devices that get hit. Those RMMs are connecting to IP addresses associated with known bulletproof hosts.

This is my first post at the @huntress blog: https://www.huntress.com/blog/tiflux-rmm-install

#malware #RMM #RogueRMM

Threat Actors Weaponize Tiflux RMMs in Malspam Attacks | Huntress

We dug into a recent malspam campaign that involved an installer for a commercially sold remote monitoring and management (RMM) tool called Tiflux.

Weekend work, but we've seen compromises of SolarWinds WHD -- one especially gnarly case where a threat actor set up:
1. Zoho Assist RMM
2. QEMU & Cloudflared
3. Velociraptor for C2
and a wild story (to tell more about soon 😎): an attacker-controlled Elastic stack for exfil 🔗👇
The technical detail in this PureRAT analysis by Heejae Hwang (황희재) is fantastic! The analyzed #PureRAT sample looks very similar to the one James Northey recently blogged about for @huntress. It even uses the same C2 server 157.66.26.209:56001.
@huntress Now that the CTF is over, here's how to solve it using the kernel rootkit - this is HuntressCTF 2025 Day 31's "Root Canal" challenge which features the Diamorphine rootkit: