ctipilot.ch

AI-brand impersonation malware delivery (Storm-3075, Fox Tempest)

campaign · campaign:ai-brand-impersonation-storm3075-foxtempest

  • Coverage timeline: 1 (first 2026-06-09 → last 2026-06-09)
  • Briefs: 1 (1 distinct)
  • Sources cited: 10 (8 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-09 · CTI Daily Brief — 2026-06-09
    research · First coverage. ChatGPT/Claude/DeepSeek/Copilot impersonation; MSaaS-signed binaries; Lumma/Vidar/Hijack Loader/Oyster via fraudulent GitHub repos.

Where this entity is cited

  • research: 1

Source distribution

  • microsoft.com: 3 (30%)
  • cybersecuritydive.com: 1 (10%)
  • huntress.com: 1 (10%)
  • kelacyber.com: 1 (10%)
  • research.checkpoint.com: 1 (10%)
  • thedfirreport.com: 1 (10%)
  • unit42.paloaltonetworks.com: 1 (10%)
  • blog.fox-it.com: 1 (10%)

Related entities

All cited sources (10)

Items in briefs about AI-brand impersonation malware delivery (Storm-3075, Fox Tempest) (4)

UPDATE: The Gentlemen ransomware — Microsoft publishes full technical dissection of the Storm-2697 Go-encryptor

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

UPDATE (originally covered 2026-05-20; consolidated in weekly W21): Microsoft Threat Intelligence published a full dissection of The Gentlemen ransomware on 2026-05-28, giving Storm-2697 a much sharper technical profile than the victim-list reporting available in week 21. The encryptor is a single-binary Go executable (obfuscated through Garble to strip symbol tables), uses Curve25519 + XChaCha20 with per-file ephemeral keys (no bulk-decryption shortcut), and ships a self-propagation module that executes a series of lateral-movement techniques in parallel per host — PsExec, WMIC, scheduled tasks, services, PowerShell remoting — maximising the probability that at least one pivot path succeeds in any AD-joined environment.

Check Point Research's 2026-05-13 writeup adds the actor-side context that Microsoft's dissection does not — Check Point counts approximately 332 victim organisations on the operator's leak site, and documents that on Domain Admin compromise The Gentlemen deploys itself across the estate through a Group Policy Object linked at all relevant OUs. Huntress Labs' 2026-05-21 IR report corroborates the defense-evasion playbook: PowerShell disables Microsoft Defender real-time monitoring (Set-MpPreference -DisableRealtimeMonitoring), stops WinDefend, adds broad Add-MpPreference -ExclusionProcess and drive-level exclusions, disables Controlled Folder Access, and clears Security / System / Application event logs (EID 104, EID 1102). Huntress documented two April / May 2026 incidents in which the entry vector was RDP with compromised credentials, lateral movement reached domain controllers via the NETLOGON share and SCCM's CcmExec.exe, and process names were masqueraded as svchost32.exe. The DFIR Report's 2026-05-11 alert confirmed a related chain in which EtherRAT (delivered via a malicious Sysinternals MSI) and TukTuk C2 preceded The Gentlemen deployment. Microsoft's Defender detection name is Ransom:Win64/Gentlemen.A; the recommended Attack Surface Reduction posture per Microsoft's ASR rules reference is the rule "Block process creations originating from PsExec and WMI commands", combined with EDR-in-block-mode enforcement.

Material new development vs. last coverage: full encryption + propagation mechanism, named-cluster identity (Storm-2697), the GPO-spread pathway documented by Check Point Research, and Check Point's count of approximately 332 victims. Detection focus: hunt for wevtutil cl Security|System|Application chained with sc stop WinDefend or msconfig; flag svchost32.exe spawned outside %SystemRoot%\System32; alert on CcmExec.exe launching non-SCCM payloads. Hardening: enforce SMB signing via GPO, restrict GPO-creation rights to a hardened OU, enable Credential Guard, and monitor Event ID 5136 for GPO modifications and Event ID 5140 for the hidden SMB share.
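
The detection focus above, expressed as hunt logic over process-creation events. This is an added example, not code from the brief or from any of the cited vendors. The event tuples are constructed, and the 10-minute window used to decide that two commands are "chained" and the C:\Windows value for %SystemRoot% are assumptions.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename, dirname  # Windows path rules on any OS

LOG_CLEAR = re.compile(
    r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(security|system|application)\b", re.I)
TAMPER = re.compile(
    r"\bsc(\.exe)?\s+stop\s+windefend\b|\bmsconfig\b"
    r"|set-mppreference\s+-disablerealtimemonitoring", re.I)
SYSTEM32 = r"c:\windows\system32"   # assumes %SystemRoot% is C:\Windows
WINDOW = timedelta(minutes=10)      # assumed meaning of "chained"

# Constructed events: (timestamp, host, image path, command line)
EVENTS = [
    ("2026-05-21T02:10:05", "SRV01", r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
    ("2026-05-21T02:11:40", "SRV01", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    ("2026-05-21T02:12:00", "SRV01", r"C:\Users\Public\svchost32.exe", "svchost32.exe"),
    ("2026-05-21T03:00:00", "DC02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2026-05-21T03:04:00", "DC02", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl System"),
    # Same two commands six hours apart: outside the window, so not a chain.
    ("2026-05-21T09:00:00", "WS07", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Application"),
    ("2026-05-21T15:00:00", "WS07", r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
]

def hunt(events, window=WINDOW):
    """Return sorted (host, rule) findings from process-creation events."""
    findings, last = set(), {}   # last: (host, kind) -> time of the latest match
    for ts, host, image, cmd in sorted(events):
        when = datetime.fromisoformat(ts)
        if basename(image).lower() == "svchost32.exe" and dirname(image).lower() != SYSTEM32:
            findings.add((host, "svchost32-outside-system32"))
        for kind, other, rx in (("clear", "tamper", LOG_CLEAR), ("tamper", "clear", TAMPER)):
            if rx.search(cmd):
                last[(host, kind)] = when
                prev = last.get((host, other))
                if prev is not None and when - prev <= window:
                    findings.add((host, "log-clear+defender-tamper"))
    return sorted(findings)

if __name__ == "__main__":
    for host, rule in hunt(EVENTS):
        print(host, rule)
```

The chain rule fires in either order (tamper then clear, or clear then tamper), which matters because the reported playbook does not fix the sequence.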

The Gentlemen / Storm-2697 — internal "Rocket" backend leaked by a rival; KELA and Check Point dissect the operator inner circle

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

The most consequential campaign development of the window is one no daily captured: on 2026-05-04 a rival actor leaked The Gentlemen's internal Rocket database backend on underground forums, and KELA (2026-05-20) and Check Point ("Thus Spoke The Gentlemen", 2026-05-13) published deep analyses of the resulting six-month (Nov 2025 – Apr 2026) chat archive (key: item:the-gentlemen-raas-czech-university-and-swiss-engineering-fi). The leak exposes the inner circle (admin/infrastructure alias zeta88, also operating as hastalamuerte, alongside Wick, mAst3r, Kunder and others) and — far more useful to defenders — the operation's initial-access playbook: Fortinet and Cisco edge appliances, NTLM relay, harvested OWA / M365 credential logs, and GPO-based deployment of the encryptor. A linked affiliate runs a SystemBC SOCKS5 botnet of 1,570+ victims. This is an intelligence gift: every named access path maps to an existing hunt — prioritise edge-appliance patch state, NTLM-relay hardening (SMB/LDAP signing, channel binding) and anomalous-GPO-creation monitoring. Per Check Point's Q1 data the group sits at #3 globally (§ 6) — though its victims concentrate in Thailand, Brazil and India (US ~13%), so the European and Swiss listings carried over from W21 run against its centre of gravity, which is precisely what makes a CH/EU hit worth surfacing rather than treating as background.

Unit 42 — Iran's Screening Serpens (UNC1549 / Smoke Sandstorm / Nimbus Manticore): AppDomainManager hijacking silently disables ETW + strong-name checks in six new RATs

From CTI Daily Brief — 2026-05-23 · published 2026-05-23

Unit 42 published a comprehensive write-up on Screening Serpens (a.k.a. UNC1549, Smoke Sandstorm, Nimbus Manticore) on 2026-05-22 covering operations from February through April 2026 timed to the onset of the U.S.–Israeli Middle East conflict that began 2026-02-28 (Unit 42, 2026-05-22 · Cybersecurity Dive, 2026-05-22). The group deployed new RAT variants across two malware families: MiniUpdate in four variants used between 2026-03-26 and 2026-04-17 with lures impersonating aviation, healthcare and financial-services firms, and MiniJunk V2 in two variants used between 2026-02-17 and 2026-03-27 against Middle Eastern and U.S. targets.

The technically significant evolution is AppDomainManager hijacking (T1574.014) paired with classic DLL sideloading (T1574.001): the infection chain drops a legitimate Microsoft .NET executable alongside a weaponised UpdateChecker.dll / InitInstall.dll / Updater.dll and — critically — a malicious .runtimeconfig.json that redirects the CLR's AppDomainManager loading at process startup, silently disabling ETW tracing and strong-name validation before the RAT executes. That leaves the host's EDR operating in a reduced-telemetry mode on every infected workstation. Delivery is high-touch — fake recruitment PDFs, spoofed video-conference meeting invitations, and ZIP archives containing a legitimate executable as the trigger; persistence uses scheduled tasks; C2 routes through Azure-hosted domains. Confirmed targets: U.S., Israel, UAE, plus at least two further Middle Eastern entities consistent with prior UNC1549 focus on aerospace, defence and telecommunications. The CH/EU nexus is indirect but real — Swiss aerospace and defence suppliers (RUAG, Pilatus and defence export channels) sit squarely in the sector profile, as do EU R&D firms historically swept up in Iranian collection campaigns.

Detection vantage: alert on .runtimeconfig.json writes by non-installer processes; watch the Microsoft-Windows-DotNETRuntime ETW provider for StrongNameVerification=0 startup events and CLR debug-mode initialisation; watch scheduled-task creation from processes with .dll parent images loading via rundll32.exe / svchost.exe. Hardening: enforce a code-integrity policy (UMCI + trusted-signers allowlist) so unsigned DLLs cannot load into the .NET CLR; restrict .runtimeconfig.json writes outside install paths via FIM.

Screening Serpens / UNC1549 (Iran; Smoke Sandstorm / Nimbus Manticore) — AppDomainManager hijacking in six new RATs

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

Unit 42 detailed Screening Serpens using AppDomainManager hijacking to silently disable ETW and strong-name verification across six newly-documented RATs (daily 2026-05-23). The ETW-blinding plus strong-name-check bypass is the detection-relevant tradecraft — it defeats both behavioural telemetry and signature-trust controls in one step. Where AppDomainManager-redirection is not required by an application, monitor for the appDomainManagerAssembly / appDomainManagerType config and environment-variable hijack vectors.
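
A file and environment audit for the AppDomainManager vectors named in the daily and weekly items above, as an added example that is not code from Unit 42 or from the brief. The sample configs are constructed; the briefs do not give the property name used inside .runtimeconfig.json, so the JSON walker matches any key or value mentioning AppDomainManager, and the JSON key and the type name shown are placeholders.

```python
import json
import xml.etree.ElementTree as ET

CONFIG_KEYS = {"appdomainmanagerassembly", "appdomainmanagertype"}   # named in the brief
ENV_VARS = {"APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE"}       # .NET Framework env vars

def scan_app_config(xml_text):
    """AppDomainManager overrides in a .NET Framework *.exe.config, as {element: value}."""
    hits = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop an XML namespace prefix if present
        if tag.lower() in CONFIG_KEYS:
            hits[tag] = el.get("value", "")
    return hits

def scan_json(node, path="$"):
    """JSON paths whose key or string value mentions AppDomainManager (key name not assumed)."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if "appdomainmanager" in key.lower():
                hits.append(child)
            hits += scan_json(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += scan_json(value, f"{path}[{i}]")
    elif isinstance(node, str) and "appdomainmanager" in node.lower():
        hits.append(path)
    return hits

def scan_env(env):
    """Names of set environment variables that redirect the AppDomainManager."""
    return sorted(name for name in env if name.upper() in ENV_VARS)

# Constructed samples; the type name and the JSON property name are placeholders.
HIJACKED_CONFIG = """<configuration><runtime>
  <appDomainManagerAssembly value="UpdateChecker, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
  <appDomainManagerType value="Example.Manager"/>
</runtime></configuration>"""
CLEAN_CONFIG = '<configuration><runtime><gcServer enabled="true"/></runtime></configuration>'
SAMPLE_JSON = '{"runtimeOptions": {"configProperties": {"PLACEHOLDER_AppDomainManager_KEY": "UpdateChecker"}}}'
SAMPLE_ENV = {"PATH": r"C:\Windows\System32", "APPDOMAIN_MANAGER_ASM": "UpdateChecker"}

if __name__ == "__main__":
    print(scan_app_config(HIJACKED_CONFIG))
    print(scan_app_config(CLEAN_CONFIG))
    print(scan_json(json.loads(SAMPLE_JSON)))
    print(scan_env(SAMPLE_ENV))
```

Any hit is only a lead: compare it against the applications that are known to require an AppDomainManager redirection before treating it as a finding.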