logo

Go-Based Gentlemen Ransomware Uses PsExec, WMIC, and PowerShell Remoting for Network Propagation

ID: 036332fe-5daa-5f56-8f7b-460cc625e364

STIX ID: report--036332fe-5daa-5f56-8f7b-460cc625e364

Feed Name: GBHackers

Threat Score
80/100

Date Published: 2026-07-06

Date Updated: 2026-07-06

Author: Mayura Kathir

...
...

**Executive summary:** 'Gentlemen' is a Go-based ransomware-as-a-service (RaaS) active since mid-2025 that employs per-file ephemeral Curve25519 and XChaCha20 encryption, aggressive defense-evasion (disabling Defender, deleting shadow copies and logs, terminating backup/EDR services), worm-like self-propagation across networks using up to 21 remote-execution vectors, and data exfiltration for double extortion; it targets Windows systems across education, transportation, healthcare, and financial sectors worldwide and is distributed via an affiliate program.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.