
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure

Type: Campaign
Happening score: 42
2 unique sources, 3 articles

Summary


The Gentlemen ransomware campaign has now been tied to the ransomware attack on Oltenia Energy Complex on the second day of Christmas 2025, which disrupted the company's ERP systems, document management applications, email service, and website. The company said some documents and files were encrypted and its activity was partially affected, but that the National Energy System was not jeopardized; it is rebuilding the affected systems on new infrastructure from existing backups while authorities investigate whether data was stolen before encryption. The incident adds a Romanian energy-sector victim to a campaign that has been expanding its toolkit and infrastructure, relying on compromised credentials and Internet-exposed services for initial access and on related tooling such as SystemBC and Cobalt Strike once inside.

Related Happenings

Grafana Labs Says GitHub hit by cyberattack

Incident
First: 17.05.2026 10:13 Last: 17.05.2026 10:13 Sources 1

About this happening: A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...

Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities

Campaign
First: 14.05.2026 17:00 Last: 14.05.2026 17:00 Sources 1

About this happening: The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...

0APT and KryBit ransomware turf war forces rebuild and rebrand pressure

Threat Actor Meta
First: 28.04.2026 16:00 Last: 28.04.2026 16:00 Sources 1

About this happening: **0APT** and **KryBit** escalated a ransomware turf war in **April 2026** by leaking each other's operational data, defacing leak sites, and exposing infrastructure details that u...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

How related: A rapidly expanding ransomware-as-a-service (RaaS) operation has claimed more than 320 victims, with the bulk of attacks occurring in early 2026.

About this happening: **The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...

Storm-1175 high-velocity zero-day and N-day intrusion campaign

Campaign
First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Storm-1175** is running a **high-velocity intrusion campaign** that chains **zero-day** and **N-day vulnerabilities** to gain initial access to exposed systems, raising the risk...

Timeline

  1. 20.04.2026 23:02 · 2 articles

    Check Point Research finds SystemBC botnet in Gentlemen ransomware activity

    Technical Analysis Update

    Check Point Research identifies a SystemBC proxy malware botnet of more than 1,570 hosts during an investigation into a Gentlemen ransomware affiliate attack, with the victim profile suggesting corporate and organizational environments rather than opportunistic consumer targeting. The researchers say an affiliate tried to use the proxy malware for covert payload delivery, link the activity to a broader toolchain that includes SystemBC and Cobalt Strike, and note that Gentlemen ransomware is actively expanding its attack toolkit and infrastructure while recruiting new affiliates via underground forums. Check Point also publishes IoCs and a YARA rule to help defenders detect related activity.

  2. 29.12.2025 16:26 · 1 article

    Oltenia Energy Complex reports ransomware disruption

    Initial Disclosure

    Oltenia Energy Complex says a ransomware attack encrypted some documents and files and temporarily disrupted ERP systems, document management applications, the company's email service, and its website. The company says its activity was partially affected without jeopardizing the National Energy System, its IT teams started rebuilding affected systems on new infrastructure using existing backups, and the incident was reported to the National Cyber Security Directorate, the Ministry of Energy, and DIICOT.
