
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
Happening score (H score): 43
2 unique sources, 2 articles

Summary


The Gentlemen ransomware gang is defeating enterprise defenses with a bring-your-own-vulnerable-driver (BYOVD) attack: it drops the legitimately signed but vulnerable ThrottleStop.sys driver under the name ThrottleBlood.sys, loads it, and exploits CVE-2025-7771 in ThrottleStop to terminate AV and EDR processes from the kernel. Trend Micro said the group also uses All.exe, PowerRun.exe, and Allpatch2.exe to bypass security tools. Because the driver carries a valid code signature, signature enforcement alone does not stop it; the driver has to be blocked by hash or name (Microsoft's vulnerable driver blocklist or a WDAC policy), and a driver load from an unusual path followed by security-process terminations is the signal to hunt for. The campaign, first observed in mid-2025, is moving toward targeted, vendor-specific bypasses against enterprise networks.
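As an added example that is not code from the page or from Trend Micro, Kaspersky or any other vendor it cites, the following Python triages Sysmon-style records for the pattern the summary describes: a driver load under a watched name, a driver whose signer does not match the filename it was loaded under, a load from outside the normal driver directories, and a security process terminating shortly after such a load. The pipe-delimited log records are constructed; the signer string for ThrottleStop and the AV/EDR process names are assumptions, and the file hashes a real blocklist would key on are deliberately left out.

```python
"""Triage constructed Sysmon records for BYOVD activity: a signed vulnerable
driver (ThrottleStop.sys) loaded under another name (ThrottleBlood.sys), then
AV/EDR processes dying shortly afterwards. Added example, not code from the
page or the vendors it cites."""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta

# Driver names reported on the page: the legitimate driver and the renamed copy.
SUSPECT_DRIVER_NAMES = {"throttlestop.sys", "throttleblood.sys"}
# ASSUMPTION: publisher string on the signed ThrottleStop driver. A binary from
# this signer loaded under any other basename is a rename indicator.
KNOWN_SIGNER_TO_NAME = {"techpowerup llc": "throttlestop.sys"}
# Directories Windows normally loads drivers from; a load from elsewhere is odd.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")
# ASSUMPTION: illustrative AV/EDR process names to watch for terminations.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe"}
KILL_WINDOW = timedelta(minutes=5)  # how long after a suspect load a kill counts


@dataclass
class Finding:
    time: datetime
    rule: str
    detail: str


def parse_record(line: str) -> dict:
    """Split a 'Key=Value|Key=Value' record; values keep any later '='."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def event_time(rec: dict) -> datetime:
    return datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S")


def check_driver_load(rec: dict) -> list:
    """Rules for Sysmon Event ID 6 (driver loaded). None of them consult
    SignatureStatus: in a BYOVD attack the signature is genuinely valid."""
    t, path = event_time(rec), rec["ImageLoaded"]
    name = ntpath.basename(path).lower()
    hits = []
    if name in SUSPECT_DRIVER_NAMES:
        hits.append(Finding(t, "known-vulnerable-driver", path))
    expected = KNOWN_SIGNER_TO_NAME.get(rec.get("Signature", "").lower())
    if expected and name != expected:
        hits.append(Finding(t, "renamed-signed-driver",
                            f"{path} signed as {rec['Signature']}, expected {expected}"))
    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        hits.append(Finding(t, "driver-outside-driver-store", path))
    return hits


def triage(lines) -> list:
    """Walk records in order; correlate Event ID 5 (process terminated) of a
    security process with a suspect driver load in the preceding window."""
    findings, suspect_loads = [], []
    for line in lines:
        rec = parse_record(line)
        if rec["EventID"] == "6":
            hits = check_driver_load(rec)
            if hits:
                suspect_loads.append(hits[0].time)
            findings.extend(hits)
        elif rec["EventID"] == "5":
            t, image = event_time(rec), rec["Image"]
            recent = any(timedelta(0) <= t - s <= KILL_WINDOW for s in suspect_loads)
            if ntpath.basename(image).lower() in SECURITY_PROCESSES and recent:
                findings.append(Finding(t, "security-process-killed-after-suspect-driver-load", image))
    return findings


# Constructed records in a pipe-delimited rendering of Sysmon fields (not real telemetry).
SAMPLE_LOG = [
    r"EventID=6|UtcTime=2026-01-10 09:14:03|ImageLoaded=C:\Windows\System32\drivers\ndis.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"EventID=6|UtcTime=2026-01-10 09:14:21|ImageLoaded=C:\Users\Public\ThrottleBlood.sys|Signed=true|Signature=TechPowerUp LLC|SignatureStatus=Valid",
    r"EventID=5|UtcTime=2026-01-10 09:14:40|Image=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
    r"EventID=5|UtcTime=2026-01-10 09:15:02|Image=C:\Windows\System32\notepad.exe",
    r"EventID=5|UtcTime=2026-01-10 10:30:00|Image=C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.time:%H:%M:%S}  {f.rule:<50} {f.detail}")
```

Run it directly to print the findings from the constructed records, or feed triage() lines exported from a SIEM in the same shape. The point of the rule set is that SignatureStatus is never consulted: the ThrottleBlood.sys load is flagged by name, signer mismatch and path while carrying a perfectly valid signature, and the MsMpEng.exe termination nineteen seconds later is tied back to it, whereas the MsSense.exe exit more than an hour later is not.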

Related Happenings

Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure

Campaign
First: 20.04.2026 23:02 Last: 20.04.2026 23:02 Sources 1

How related: A rapidly expanding ransomware-as-a-service (RaaS) operation has claimed more than 320 victims, with the bulk of attacks occurring in early 2026.

About this happening: The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...

PowMix phishing campaign targeting Czech workforce

Campaign
First: 16.04.2026 20:52 Last: 16.04.2026 20:52 Sources 1

About this happening: The **PowMix** campaign is actively targeting the **Czech Republic’s workforce**, raising the risk of **remote access** and **remote code execution** on compromised systems. The i...

Anthropic launches Project Glasswing with Claude Mythos for vulnerability discovery

Security Tool/Service
First: 08.04.2026 12:16 Last: 08.04.2026 12:16 Sources 1

About this happening: **Anthropic’s Project Glasswing** is now showing measurable results: since launching last month, the **Claude Mythos Preview**-based initiative has uncovered **more than 10,000**...

Latest development: 23.05.2026 14:55

Anthropic said Project Glasswing has uncovered more than 10,000 high- or critical-severity vulnerabilities across widely used software since the program launched last month. Figures cited: 6,202 high/critical flaws affecting more than 1,000 open-source projects; 1,726 validated true positives; 1,094 high/critical flaws; a critical WolfSSL flaw tracked as CVE-2026-5194 (CVSS 9.1); 97 upstream patches; and 88 advisories.

Storm-1175 high-tempo Medusa ransomware campaign

Campaign
First: 07.04.2026 13:02 Last: 07.04.2026 13:02 Sources 1

About this happening: **Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...

Medusa ransomware post-compromise deployment

Malware Activity
First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...

Timeline

  1. 21.04.2026 17:00 2 articles · 1mo ago

    The Gentlemen RaaS expands into enterprise environments

    Initial Disclosure

    The Gentlemen ransomware-as-a-service operation was described as a rapidly expanding affiliate program that first emerged in mid-2025, recruited technically skilled partners on underground forums, and moved into enterprise environments by early 2026. Check Point researchers said the group had claimed more than 320 victims, distributed Go-based ransomware for Windows, Linux, NAS and BSD plus a separate C-based ESXi encryptor, and was linked during incident response to SystemBC and a related command-and-control server showing more than 1570 infected systems globally, concentrated in the US, UK and Germany.

  2. 11.09.2025 23:42 1 article · 8mo ago

    The Gentlemen weaponizes ThrottleStop.sys to evade enterprise defenses

    Technical Analysis Update

    Trend Micro described The Gentlemen ransomware gang's evolving evasion toolkit against enterprise defenses: the group weaponizes ThrottleStop.sys, renamed ThrottleBlood.sys, to exploit CVE-2025-7771 for kernel-level termination of AV and EDR processes, uses All.exe, PowerRun.exe, and Allpatch2.exe to bypass security controls, and has shifted toward targeted, vendor-specific bypasses. Kaspersky Lab separately linked the same flaw to a recent ransomware incident in Brazil.
