The Gentlemen (Ransomware) in Disguise: Defense Evasion and other TTPs

The Gentlemen ransomware operates as a Ransomware-as-a-Service (RaaS) model, utilizing affiliates who employ extensive defense evasion techniques. Recent incidents reveal attackers leveraging compromised RDP accounts, disabling Microsoft Defender via PowerShell, and establishing persistence through Scheduled Tasks that beacon to SOCKS proxy C2 servers.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-05-22 (Google)

Authors: Harlan Carvey, Lindsey O'Donnell-Welch

Actors: The Gentlemen, Qilin, Lazarus

Source: Huntress

IOCs: 7

Detection / Hunter: Google

What Happened

Cybersecurity researchers have observed a new ransomware group called 'The Gentlemen' attacking organizations in the shipping and construction industries. The attackers gain access to systems, intentionally turn off antivirus protections, and set up hidden backdoors to maintain control. This allows them to encrypt important files and demand a ransom payment. Organizations should ensure their antivirus software cannot be easily disabled and monitor for unusual scheduled tasks on their computers.

Key Takeaways

  • The Gentlemen is a Ransomware-as-a-Service (RaaS) operation active since mid-2025, utilizing affiliates for deployment.
  • Attackers heavily rely on defense evasion, specifically disabling Microsoft Defender via PowerShell and tampering with exclusions.
  • Persistence is achieved through noisy Scheduled Tasks that execute a disguised binary (svchost32.exe) establishing a SOCKS proxy C2 connection.
  • Threat actors selectively clear Security, System, and Application Windows Event Logs to hide their tracks while leaving others intact.

Affected Systems

  • Windows endpoints and servers
  • Organizations in the shipping, transportation, and construction sectors

Vulnerabilities (CVEs)

  • CVE-2024-55591

Attack Chain

The attackers likely gain initial access via compromised RDP accounts or edge appliance vulnerabilities. Once inside, they attempt to execute the ransomware payload, and if blocked, utilize PowerShell to disable Microsoft Defender and add path exclusions. Persistence is established by creating Scheduled Tasks that execute a disguised binary (svchost32.exe) to maintain a SOCKS proxy C2 connection. Finally, the attackers clear the Security, System, and Application Windows Event Logs to cover their tracks before successfully deploying the encryptor and dropping the ransom note.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but Huntress has published IOCs to their threat intelligence repository on GitHub.

Detection Engineering Assessment

EDR Visibility: High. EDR solutions can easily capture PowerShell execution, Scheduled Task creation, and attempts to modify Windows Defender preferences.

Network Visibility: Medium. Network monitoring can detect the SOCKS proxy connections to the C2 IPs on non-standard ports, though the traffic itself may be encrypted or obfuscated.

Detection Difficulty: Moderate. While the attackers clear specific event logs, they leave others intact (like TaskScheduler and PowerShell logs). The noisy nature of the failing scheduled tasks provides a strong behavioral signal.

Required Log Sources

  • Security Event ID 1102
  • System Event ID 104
  • Microsoft-Windows-TaskScheduler/101
  • Microsoft-Windows-TaskScheduler/107
  • Microsoft-Windows-TaskScheduler/203
  • Microsoft Defender Event ID 1116
  • Microsoft Defender Event ID 1117
  • Microsoft Defender Event ID 1118
  • PowerShell Script Block Logging (Event ID 4104)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Consider hunting for repeated TaskScheduler event failures occurring at regular, short intervals (e.g., every 2 minutes), which may indicate a poorly configured persistence mechanism. | Windows Event Logs (Microsoft-Windows-TaskScheduler) | Persistence | Low
Look for PowerShell commands attempting to modify Microsoft Defender settings using Set-MpPreference or Add-MpPreference, specifically disabling real-time monitoring or adding exclusions for user directories. | PowerShell Script Block Logging (Event ID 4104) | Defense Evasion | Medium
Investigate the clearing of Security, System, and Application event logs occurring in close succession. | Windows Event Logs (Security, System) | Defense Evasion | Low
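The first and third hypotheses are both about timing rather than content, so they are easy to get wrong with a plain keyword search. The script below is an added example (not Huntress' code, and not drawn from the incident data) that implements both over a constructed set of event records: a task whose TaskScheduler/203 failures recur at a near-constant interval, and Security 1102 / System 104 clear events that land inside one short window. The task name WindowsConnSvc comes from the IOC list; the timestamps, the benign BackupJob task, and the record shape are constructed.

```python
"""Time-based hunting helpers for the hypotheses above (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    return datetime.fromisoformat(s)


# Constructed records: time, channel, event_id, plus "task" for TaskScheduler events
# or "cleared_log" for log-clear events (Security 1102, or System 104 for other logs).
SAMPLE_EVENTS = [
    # TaskScheduler/203 "Action start failed" re-firing about every two minutes
    {"time": _t("2026-05-20T03:00:00"), "channel": "TaskScheduler", "event_id": 203, "task": "\\WindowsConnSvc"},
    {"time": _t("2026-05-20T03:02:00"), "channel": "TaskScheduler", "event_id": 203, "task": "\\WindowsConnSvc"},
    {"time": _t("2026-05-20T03:04:00"), "channel": "TaskScheduler", "event_id": 203, "task": "\\WindowsConnSvc"},
    {"time": _t("2026-05-20T03:06:01"), "channel": "TaskScheduler", "event_id": 203, "task": "\\WindowsConnSvc"},
    {"time": _t("2026-05-20T03:08:01"), "channel": "TaskScheduler", "event_id": 203, "task": "\\WindowsConnSvc"},
    {"time": _t("2026-05-20T03:10:00"), "channel": "TaskScheduler", "event_id": 203, "task": "\\WindowsConnSvc"},
    # A benign task (constructed) that failed twice, hours apart
    {"time": _t("2026-05-20T01:00:00"), "channel": "TaskScheduler", "event_id": 203, "task": "\\BackupJob"},
    {"time": _t("2026-05-20T04:30:00"), "channel": "TaskScheduler", "event_id": 203, "task": "\\BackupJob"},
    # Routine single clear of the Application log the day before
    {"time": _t("2026-05-19T09:00:00"), "channel": "System", "event_id": 104, "cleared_log": "Application"},
    # Security, System and Application cleared within seconds of each other
    {"time": _t("2026-05-20T03:10:00"), "channel": "Security", "event_id": 1102, "cleared_log": "Security"},
    {"time": _t("2026-05-20T03:10:05"), "channel": "System", "event_id": 104, "cleared_log": "System"},
    {"time": _t("2026-05-20T03:10:09"), "channel": "System", "event_id": 104, "cleared_log": "Application"},
]


def periodic_task_failures(events, event_id=203, min_count=5, max_interval_s=600, jitter_s=15):
    """Hypothesis 1: tasks whose failures recur at a near-constant short interval.

    Returns {task_name: median_interval_seconds}. A task is reported only if it failed
    at least min_count times, the median gap is short, and every gap sits within
    jitter_s of that median (a human re-running a task does not look like this)."""
    by_task = defaultdict(list)
    for e in events:
        if e["channel"] == "TaskScheduler" and e["event_id"] == event_id:
            by_task[e["task"]].append(e["time"])
    hits = {}
    for task, times in by_task.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if median <= max_interval_s and all(abs(g - median) <= jitter_s for g in gaps):
            hits[task] = int(median)
    return hits


def clustered_log_clears(events, window=timedelta(minutes=5),
                         required=("Security", "System", "Application")):
    """Hypothesis 3: first point at which every required log was cleared inside one window.

    Returns {"start": datetime, "logs": [...]} or None. The Security log clear is
    Security/1102; clears of other logs are recorded as System/104."""
    clears = sorted((e["time"], e["cleared_log"]) for e in events
                    if e.get("cleared_log") and e["event_id"] in (1102, 104))
    for i, (start, _) in enumerate(clears):
        seen = {log for t, log in clears[i:] if t - start <= window}
        if set(required) <= seen:
            return {"start": start, "logs": sorted(seen)}
    return None


if __name__ == "__main__":
    print("periodic failures:", periodic_task_failures(SAMPLE_EVENTS))
    print("log-clear cluster:", clustered_log_clears(SAMPLE_EVENTS))
```

The two-failure BackupJob task and the lone Application clear from the previous day are deliberately in the sample so the functions have something to ignore: the jitter check and the minimum count are what keep this hunt's false-positive rate low.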

Control Gaps

  • Lack of Tamper Protection on Microsoft Defender
  • Insufficient monitoring of Scheduled Task creation

Key Behavioral Indicators

  • Execution of binaries named similarly to system processes but located in Temp directories (e.g., C:\Windows\Temp\svchost32.exe)
  • PowerShell commands containing DisableRealtimeMonitoring $true
  • Creation of scheduled tasks running as SYSTEM that execute binaries from C:\Windows\Temp
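The three indicators above, and the second hunting hypothesis (Set-MpPreference / Add-MpPreference in script block logs), reduce to three matchers. This is an added example, not Huntress' code: it runs them over constructed process-creation, script-block and scheduled-task records. The path C:\Windows\Temp\svchost32.exe, the task name WindowsConnSvc, the "svchost32.exe client" command line and the Set-MpPreference -DisableRealtimeMonitoring $true command come from the page; the system-process shortlist, the exclusion path in the sample script, the ScheduledDefrag record and the record format are constructed.

```python
"""Matchers for the behavioral indicators above (added example; constructed records)."""
import re

# Processes that normally live only under System32/SysWOW64 (constructed shortlist)
SYSTEM_PROCESS_STEMS = ("svchost", "lsass", "csrss", "services", "winlogon", "wininit")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_TEMP = "c:\\windows\\temp\\"
USER_TEMP_FRAGMENT = "\\appdata\\local\\temp\\"
SYSTEM_ACCOUNTS = {"system", "nt authority\\system", "s-1-5-18"}

# Set-/Add-MpPreference turning off real-time monitoring or adding an exclusion
DEFENDER_TAMPER = re.compile(
    r"(?:set|add)-mppreference\b.*?-(?:disablerealtimemonitoring[\s:]+\$true"
    r"|exclusion(?:process|path|extension)\b)",
    re.IGNORECASE | re.DOTALL,
)


def _norm(path):
    return path.strip().strip('"').lower()


def is_temp_path(path):
    """True for C:\\Windows\\Temp and per-user %TEMP% locations."""
    p = _norm(path)
    return p.startswith(WINDOWS_TEMP) or USER_TEMP_FRAGMENT in p


def masquerades_as_system_process(image_path):
    """Indicator 1: name resembles a core system process (svchost32.exe matches
    the svchost stem) but the image is outside System32/SysWOW64."""
    p = _norm(image_path)
    name = p.rsplit("\\", 1)[-1]
    stem = name[:-4] if name.endswith(".exe") else name
    looks_like_system = any(stem.startswith(s) for s in SYSTEM_PROCESS_STEMS)
    return looks_like_system and not p.startswith(SYSTEM_DIRS)


def defender_tampering(script_text):
    """Indicator 2 / hypothesis 2: PowerShell disabling real-time monitoring or adding exclusions."""
    return bool(DEFENDER_TAMPER.search(script_text))


def _action_binary(action):
    """First token of a task action, honouring a quoted path with spaces."""
    action = action.strip()
    if action.startswith('"'):
        return action[1:action.index('"', 1)]
    return action.split()[0]


def temp_task_as_system(task):
    """Indicator 3: task running as SYSTEM whose action binary sits in a Temp directory."""
    return task["run_as"].lower() in SYSTEM_ACCOUNTS and is_temp_path(_action_binary(task["action"]))


def triage(record):
    """Labels triggered by one record; record['type'] is process, script or task."""
    labels = []
    if record["type"] == "process" and masquerades_as_system_process(record["image"]):
        labels.append("masquerading-system-name-outside-system32")
    if record["type"] == "script" and defender_tampering(record["text"]):
        labels.append("defender-tampering")
    if record["type"] == "task":
        if temp_task_as_system(record):
            labels.append("system-task-from-temp")
        if masquerades_as_system_process(_action_binary(record["action"])):
            labels.append("masquerading-system-name-outside-system32")
    return labels


def triage_all(records):
    return {rid: triage(rec) for rid, rec in records.items()}


# Constructed sample records
SAMPLE_RECORDS = {
    "p1": {"type": "process", "image": r"C:\Windows\Temp\svchost32.exe"},
    "p2": {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    "s1": {"type": "script", "text": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    "s2": {"type": "script", "text": r"Add-MpPreference -ExclusionProcess 'C:\Windows\Temp\payload.exe'"},  # constructed path
    "s3": {"type": "script", "text": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
    "t1": {"type": "task", "name": "WindowsConnSvc", "action": r"C:\Windows\Temp\svchost32.exe client", "run_as": "SYSTEM"},
    "t2": {"type": "task", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
           "action": r"C:\Windows\System32\defrag.exe -c", "run_as": "SYSTEM"},
}

if __name__ == "__main__":
    for rid, labels in triage_all(SAMPLE_RECORDS).items():
        print(rid, labels or "-")
```

The regex is deliberately loose about parameter syntax (`-DisableRealtimeMonitoring $true`, `-DisableRealtimeMonitoring:$True`) because Script Block Logging records the text as typed, not a normalised form; the name matcher uses prefix matching so that look-alikes such as svchost32 are caught while the real svchost.exe in System32 is not.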

False Positive Assessment

  • Low. The specific combination of disabling Defender via PowerShell, dropping disguised binaries in the Temp folder, and clearing specific event logs is highly indicative of malicious activity.

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • If your EDR supports host isolation, consider isolating endpoints exhibiting signs of Defender tampering or repeated Scheduled Task failures.
  • Evaluate whether to block the identified C2 IP addresses at the perimeter firewall.

Infrastructure Hardening

  • Consider enabling Microsoft Defender Tamper Protection to prevent malicious scripts from disabling real-time monitoring or adding exclusions.
  • Evaluate restricting RDP access to high-value systems and enforcing MFA for all remote access.
  • Review and reduce your external attack surface, particularly focusing on edge appliances and patching known vulnerabilities like CVE-2024-55591.

User Protection

  • Consider implementing Controlled Folder Access to protect critical directories from unauthorized encryption attempts.

Security Awareness

  • Consider training SOC analysts to treat the clearing of Security, System, and Application logs as an immediate escalation trigger.

MITRE ATT&CK Mapping

  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1070.001 - Indicator Removal: Clear Windows Event Logs
  • T1090.003 - Proxy: Multi-hop Proxy
  • T1486 - Data Encrypted for Impact
  • T1036.005 - Masquerading: Match Legitimate Name or Location

Additional IOCs

  • File Paths:
    • C:\Windows\Temp\svchost32.exe - Path of the disguised SOCKS proxy binary used for persistence.
    • C:\Windows\Temp\RbHoNVNU.tmp - Temporary file used for schtasks output redirection.
  • Command Lines:
    • Purpose: Disable Microsoft Defender real-time monitoring and services. | Tools: powershell.exe | Stage: Defense Evasion | Set-MpPreference -DisableRealtimeMonitoring $true
    • Purpose: Add Microsoft Defender exclusions for the ransomware payload. | Tools: powershell.exe | Stage: Defense Evasion | Add-MpPreference -ExclusionProcess
    • Purpose: Create a scheduled task for persistence and C2 communication. | Tools: cmd.exe, schtasks.exe | Stage: Persistence | schtasks /create /tn WindowsConnSvc /tr
    • Purpose: Establish a SOCKS proxy connection to the C2 server. | Tools: svchost32.exe | Stage: Command and Control | svchost32.exe client