The Gentlemen RaaS Uses New Ransomware Variant, Backdoor, Encryption

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • New Variant: The Gentlemen was seen using a new C-based ransomware variant alongside the primary Go-based one.
  • Top Ranking: The group ranked among the top 10 ransomware actors in the first half of 2026 by victim announcements.
  • Targets Hit: Victims span manufacturing, IT, healthcare, and finance across Brazil, China, Indonesia, Taiwan, and Thailand.

The Gentlemen, a ransomware-as-a-service (RaaS) group that has rapidly gained traction since ramping up activity in early 2026, is evolving with a new backdoor, encryption, and malware variant, Kaspersky researchers say. 

The Gentlemen and its affiliates typically breach victims by exploiting vulnerabilities in internet-exposed VPNs and firewalls and by abusing stolen, weak, or default credentials, likely working with initial access brokers. 

The Gentlemen Tools

The Gentlemen's activity since February 2026 has revealed new tactics, techniques, and procedures (TTPs) as well as custom tool development efforts. The new report documents the group's methods of reconnaissance and network sniffing, among many other techniques.

To disable security products, the group relies on the Bring Your Own Vulnerable Driver (BYOVD) technique, loading flawed drivers such as ProcessMonitorDriver.sys and biontdrv.sys. For reconnaissance, operators deploy SharpADWS to enumerate Active Directory, alongside NetScan and Advanced IP Scanner to map networks and services.

C ransomware parameter descriptions | Source: Securelist

A custom Go-based backdoor, deployed a day before encryption, maintains a persistent TCP connection with a command-and-control (C2) server, establishing two-way communication, executing commands, setting up a SOCKS proxy, and harvesting information.

Emerging C-Based Windows Variant

The newly discovered C-based Windows variant, still in development, uses the OpenSSL library for its cryptography instead of AES-256-GCM and RSA encryption, and communicates with operators via email rather than Tox Messenger, signaling the group's expanding capabilities.

The group now ranks among the top 10 ransomware actors by victim announcements on its data leak site during the first half of 2026.

The report concludes that the analysis shows the group will likely continue to engage in malicious activity and advises organizations to prioritize vulnerability management and system hardening.

A September 2025 Trend Micro report showed the threat actor was targeting critical industries across at least 17 countries with a highly adaptive and systematic approach.
