This report details a multi-stage intrusion involving EtherRAT and the AI-generated TukTuk malware framework, culminating in the deployment of The Gentlemen ransomware. The threat actor initially gained access through a malicious MSI masquerading as the RAMMap utility, then used the Ethereum blockchain via EtherHiding to dynamically update command-and-control configurations. This resilient infrastructure combined SaaS platforms, blockchain smart contracts, and Cloudflare tunnels to evade traditional network defenses.
Following initial access, the attackers conducted extensive host and domain reconnaissance before deploying TukTuk through DLL sideloading of legitimate binaries such as Greenshot and SyncTrayzor. The intrusion moved laterally using compromised service accounts and remote management tools such as GoTo Resolve, ultimately leading to large-scale data exfiltration via Rclone to Wasabi cloud storage. The campaign concluded with the domain-wide deployment of ransomware via Group Policy Objects after security protections were disabled and forensic artifacts cleared.