The Gentlemen, a ransomware-as-a-service crew that barely existed a year ago, is now building its own tooling to stay hidden inside victim networks. Researchers at Kaspersky have published fresh analysis of the group, detailing a custom Go-based backdoor and a set of stealthy reconnaissance techniques they say have not been described publicly before.
The findings round out a fast-growing picture of a crew that has climbed into the top ten ransomware actors by victim count in the first half of 2026, despite only ramping up at the start of the year. IntelFusions has tracked the group's rise before, including its custom suite for disabling endpoint security tools; the new Gentlemen research shows that engineering effort now stretching across the whole intrusion.
How they get in
Kaspersky's researchers, Fatih Sensoy and Maher Yamout, say the group and its affiliates typically break in by exploiting internet-facing services or logging in with stolen, default or weak credentials, often against VPN gateways and firewalls. In several cases the initial access predated the ransomware by a long stretch and relied on unfamiliar tactics, which the team reads as a sign the group sometimes buys access from initial access brokers rather than always breaching victims itself.
Quiet reconnaissance and a custom backdoor
Once inside, the crew maps the network with tools like SharpADWS, which pulls detailed Active Directory data through Active Directory Web Services (SOAP over TCP 9389) rather than LDAP, so the queries sidestep LDAP-focused monitoring. It also abuses Microsoft's built-in netsh utility to silently capture network traffic to a hidden administrative share such as C$ or ADMIN$, then mines the packets offline for unencrypted credentials. The standout is a bespoke Go-based implant the operators use as a backdoor, the kind of in-house development that points to a maturing, well-resourced operation rather than a basic affiliate.
Turning off the alarms
To clear the way for encryption, The Gentlemen lean heavily on "bring your own vulnerable driver" (BYOVD) attacks, loading legitimate but flawed drivers to shut down security software from the kernel. Kaspersky lists drivers abused from products as varied as a partition manager, anti-cheat software, and even RGB-lighting and audio utilities. The group also flips Windows Defender settings off through the registry and PowerShell, adds its own payloads to the exclusion list, and spreads the ransomware across machines using the NETLOGON share, a custom PowerShell script and the PsExec tool.
What you should do
Put multi-factor authentication on every VPN and remote-access service and retire default credentials, since that is the front door here. Enable BYOVD protections and Microsoft's vulnerable-driver blocklist, alert on tampering with Defender settings (registry policy keys, Set-MpPreference, new exclusions), and watch for netsh trace packet captures, SharpADWS-style ADWS traffic (SOAP over TCP 9389) from hosts that have no business querying it, and PsExec or NETLOGON-based deployment.
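As an added example (not code from the original briefing, from IntelFusions or from Kaspersky), the script below flags the netsh capture, Defender tampering, PsExec and NETLOGON activity described in the reconnaissance and defense-evasion sections above over a handful of constructed process-creation events. Host names, users, paths and the event layout are invented for the demo; the field names loosely follow Sysmon Event ID 1 / Windows 4688, and the advfirewall and Get-MpPreference events stand in for benign administrator activity. ADWS reconnaissance is deliberately not covered: it surfaces in network telemetry (TCP 9389 from unexpected hosts), not in process creation.

```python
"""Flag Gentlemen-style tradecraft in process-creation telemetry.

Added example, not IntelFusions' or Kaspersky's tooling. All events,
hosts, users and paths below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str      # full path of the created process
    cmdline: str    # full command line as logged


# One entry per TTP: name -> predicate over (image, cmdline), both lower-cased.
RULES = {
    # netsh trace with capture=yes writes packets to an .etl file.
    "netsh_packet_capture": lambda img, cmd: (
        img.endswith("\\netsh.exe") and "trace start" in cmd and "capture=yes" in cmd),
    # ...and the capture file sits on a hidden admin share like \\host\C$\ or \\host\ADMIN$\.
    "netsh_capture_to_admin_share": lambda img, cmd: (
        "trace start" in cmd
        and re.search(r"tracefile=\\\\[^\\]+\\(admin|[a-z])\$\\", cmd) is not None),
    # Set-MpPreference -Disable<Feature> $true (or 1) switches a Defender protection off.
    "defender_disabled_via_powershell": lambda img, cmd: (
        "set-mppreference" in cmd
        and re.search(r"-disable\w*\s+(\$true|1)\b", cmd) is not None),
    # Add-MpPreference -ExclusionPath/-ExclusionProcess/-ExclusionExtension whitelists the payload.
    "defender_exclusion_added": lambda img, cmd: (
        "add-mppreference" in cmd and "-exclusion" in cmd),
    # Policy registry value that disables Defender outright.
    "defender_disabled_via_registry": lambda img, cmd: (
        img.endswith("\\reg.exe") and "windows defender" in cmd and "disableantispyware" in cmd),
    # PsExec on the source host, or its PSEXESVC service binary on the target.
    "psexec_remote_exec": lambda img, cmd: (
        img.endswith(("\\psexec.exe", "\\psexec64.exe", "\\psexesvc.exe"))),
    # Anything pulling files from the domain's NETLOGON share.
    "netlogon_share_access": lambda img, cmd: "\\netlogon\\" in cmd,
}


def evaluate(event: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    img, cmd = event.image.lower(), event.cmdline.lower()
    return [name for name, hit in RULES.items() if hit(img, cmd)]


def scan(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Return (host, rule) pairs for all hits, preserving event order."""
    return [(e.host, rule) for e in events for rule in evaluate(e)]


# Constructed sample telemetry: six malicious events followed by two benign ones.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("FS01", "CORP\\svc_backup", r"C:\Windows\System32\netsh.exe",
              r"netsh trace start capture=yes tracefile=\\FS01\C$\Windows\Temp\net.etl maxsize=512 persistent=yes"),
    ProcEvent("WS042", "CORP\\jdoe", PS,
              'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent("WS042", "CORP\\jdoe", PS,
              'powershell.exe -c "Add-MpPreference -ExclusionPath C:\\ProgramData\\svc"'),
    ProcEvent("WS042", "CORP\\jdoe", r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    ProcEvent("WS042", "CORP\\jdoe", r"C:\Windows\Temp\PsExec.exe",
              r"PsExec.exe \\WS043 -accepteula -s -d cmd /c C:\Windows\Temp\run.bat"),
    ProcEvent("WS043", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\cmd.exe",
              r"cmd /c copy \\DC01\NETLOGON\deploy.ps1 C:\ProgramData\deploy.ps1"),
    ProcEvent("WS010", "CORP\\helpdesk", r"C:\Windows\System32\netsh.exe",
              "netsh advfirewall show allprofiles"),
    ProcEvent("WS010", "CORP\\helpdesk", PS, 'powershell.exe -c "Get-MpPreference"'),
]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host:6} {rule}")
```

The rules are string and regex matches on the command line, so they are cheap to drop into a SIEM search but trivially evadable by renaming PsExec or obfuscating the PowerShell; treat them as a starting point and pair them with Defender's own tamper-protection events and driver-load telemetry for the BYOVD side.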
Indicators
Sample payload hashes (MD5): 3b46a729db7ae6af8b19711c9452194d and 02944c8a5535cdb5b2cbb893db2d5acf. Observed attacker infrastructure: 81[.]177[.]215[.]15. The crew also pulls PsExec from hxxps://live[.]sysinternals[.]com/PsExec[.]exe.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.