
Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware

ID: e5956873-f03b-5869-a1f3-2b9099b64f8a

STIX ID: report--e5956873-f03b-5869-a1f3-2b9099b64f8a

Feed Name: The DFIR Report

Threat Score: 78/100

Date Published: 2026-05-11

Date Updated: 2026-05-11

Author: editor

...
...

In April 2026, investigators observed a sophisticated intrusion that began with a malicious MSI masquerading as Sysinternals RAMMap, which installed EtherRAT, an implant that uses Ethereum-hosted C2 resolution. The operators then deployed TukTuk implants through DLL sideloading of trojanized binaries, abused SaaS platforms and RMM tooling for persistence and C2, exfiltrated large volumes of data to Wasabi, and finally executed The Gentlemen ransomware domain-wide. The report provides comprehensive detection and hunting guidance, suggested ET rules, and IOCs including domains, Ethereum contracts, an Arweave Drive-Id, and multiple file hashes.
