Flash Alert: EtherRAT and TukTuk C2 End in The Gentlemen Ransomware

    Date: 05/12/2026

    Severity: High

    Summary

    The EtherRAT malware family was first identified by Sysdig in December 2025, when it was observed exploiting CVE-2025-55182 (React2Shell) on Linux servers. In March 2026, Atos reported a Windows-based EtherRAT campaign with activity traced back to December 2025. By April, researchers observed an intrusion in which EtherRAT was delivered through a malicious MSI disguised as a Sysinternals tool. The attackers later deployed the AI-generated TukTuk C2 framework alongside GoTo Resolve for remote access and data exfiltration. Because command-and-control and exfiltration ran over legitimate SaaS platforms and blockchain infrastructure, the traffic blended with normal outbound activity and evaded traditional defenses; the threat actors ultimately deployed The Gentlemen ransomware.

    Indicators of Compromise (IOC) List

    Domains/URLs :

    1rpc.io

    https://witch-skins-lip-coal.trycloudflare.com

    https://fields-pct-easier-vancouver.trycloudflare.com

    https://howto-tar-naturals-coordination.trycloudflare.com

    https://workshop-lighting-protective-customs.trycloudflare.com

    https://afford-effect-construct-tricks.trycloudflare.com

    https://rapids-lil-lending-charleston.trycloudflare.com

    https://when-architectural-cdna-faster.trycloudflare.com

    https://mode-exit-legendary-trusted.trycloudflare.com

    https://seasonal-estimation-heating-necessarily.trycloudflare.com

    https://entered-medications-motherboard-advanced.trycloudflare.com

    https://walt-messaging-affairs-occurring.trycloudflare.com

    vefbdzzuaadnascpeqcn.supabase.co

    k135neflez.westus3.azure.clickhouse.cloud

    borjumaniya.store

    vngz3ntdrb.us-east1.gcp.clickhouse.cloud

    muurfzqprzmdkzoibxaz.supabase.co

    ep-lively-cherry-a80bmwii.eastus2.azure.neon.tech

    Hashes (each sample is listed as MD5 / SHA-1 / SHA-256):

    Sample 1:
    73ce2438d4ed475e03727b7b000d2794
    3d5ee8429ef00824c0351cba507dfeb92b54f83b
    d9487fdc097f770e5661f9e5dee130068cb179d33716abff1a21c8cb901f25a6

    Sample 2:
    b2d51212744f404714fd909e87254d98
    c98ee41f09ae079a5643626f57eb84f92205bb2b
    8c2665adf8bfab65463f2a9bd1b7bb0231de3f5c1e6a2e51479e44aaac2e7bf0

    Sample 3:
    c92cf9a1af5b1fe25cdcb8771ce52be4
    b44c8084b88d31113ee51758740eb84c251bdae8
    4142d5efd4ea2abab77f2f0a917610e2ff976bf9e19d7ad1e9156eccdc5412db

    Sample 4:
    77fbe265fd65c7f7b6d323fb6de6a4fd
    114ec028a3fc4ed50056ee8166b0c39acff6ff03
    2d4b4bb18b8445e49eeda571982874403befcecf78266e3d405f6529d98bee46

    Sample 5:
    f985b8d6d635c266fc4779dad77aa75c
    ba80d7b038758a129861e1e498e462cc3d68ae20
    19021e53b9929fdf4b7d0e0707434d56bb73c1a9b7403c8837b44d1c417198dc

    Sample 6:
    b188fbc6ff5557767e73e4c883a553a3
    aa9218994798ae31a19d3e7e39cfac2e2ee55840
    1795eacd2c58894ccdd6be8854fe6456c3b069a3a873432343b57b475b256aee

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "witch-skins-lip-coal.trycloudflare.com" or url like "https://witch-skins-lip-coal.trycloudflare.com" or siteurl like "https://witch-skins-lip-coal.trycloudflare.com" or domainname like "1rpc.io" or url like "1rpc.io" or siteurl like "1rpc.io" or domainname like "fields-pct-easier-vancouver.trycloudflare.com" or url like "https://fields-pct-easier-vancouver.trycloudflare.com" or siteurl like "https://fields-pct-easier-vancouver.trycloudflare.com" or domainname like "howto-tar-naturals-coordination.trycloudflare.com" or url like "https://howto-tar-naturals-coordination.trycloudflare.com" or siteurl like "https://howto-tar-naturals-coordination.trycloudflare.com" or domainname like "workshop-lighting-protective-customs.trycloudflare.com" or url like "https://workshop-lighting-protective-customs.trycloudflare.com" or siteurl like "https://workshop-lighting-protective-customs.trycloudflare.com" or domainname like "afford-effect-construct-tricks.trycloudflare.com" or url like "https://afford-effect-construct-tricks.trycloudflare.com" or siteurl like "https://afford-effect-construct-tricks.trycloudflare.com" or domainname like "rapids-lil-lending-charleston.trycloudflare.com" or url like "https://rapids-lil-lending-charleston.trycloudflare.com" or siteurl like "https://rapids-lil-lending-charleston.trycloudflare.com" or domainname like "when-architectural-cdna-faster.trycloudflare.com" or url like "https://when-architectural-cdna-faster.trycloudflare.com" or siteurl like "https://when-architectural-cdna-faster.trycloudflare.com" or domainname like "mode-exit-legendary-trusted.trycloudflare.com" or url like "https://mode-exit-legendary-trusted.trycloudflare.com" or siteurl like "https://mode-exit-legendary-trusted.trycloudflare.com" or domainname like "seasonal-estimation-heating-necessarily.trycloudflare.com" or url like "https://seasonal-estimation-heating-necessarily.trycloudflare.com" or siteurl like "https://seasonal-estimation-heating-necessarily.trycloudflare.com" or domainname like "entered-medications-motherboard-advanced.trycloudflare.com" or url like "https://entered-medications-motherboard-advanced.trycloudflare.com" or siteurl like "https://entered-medications-motherboard-advanced.trycloudflare.com" or domainname like "walt-messaging-affairs-occurring.trycloudflare.com" or url like "https://walt-messaging-affairs-occurring.trycloudflare.com" or siteurl like "https://walt-messaging-affairs-occurring.trycloudflare.com" or domainname like "vefbdzzuaadnascpeqcn.supabase.co" or url like "vefbdzzuaadnascpeqcn.supabase.co" or siteurl like "vefbdzzuaadnascpeqcn.supabase.co" or domainname like "k135neflez.westus3.azure.clickhouse.cloud" or url like "k135neflez.westus3.azure.clickhouse.cloud" or siteurl like "k135neflez.westus3.azure.clickhouse.cloud" or domainname like "borjumaniya.store" or url like "borjumaniya.store" or siteurl like "borjumaniya.store" or domainname like "vngz3ntdrb.us-east1.gcp.clickhouse.cloud" or url like "vngz3ntdrb.us-east1.gcp.clickhouse.cloud" or siteurl like "vngz3ntdrb.us-east1.gcp.clickhouse.cloud" or domainname like "muurfzqprzmdkzoibxaz.supabase.co" or url like "muurfzqprzmdkzoibxaz.supabase.co" or siteurl like "muurfzqprzmdkzoibxaz.supabase.co" or domainname like "ep-lively-cherry-a80bmwii.eastus2.azure.neon.tech" or url like "ep-lively-cherry-a80bmwii.eastus2.azure.neon.tech" or siteurl like "ep-lively-cherry-a80bmwii.eastus2.azure.neon.tech"

    Note: the domainname comparisons use the bare hostname because DNS and proxy hostname fields never carry the "https://" scheme; matching a hostname field against the full URL string would never fire. The url and siteurl comparisons keep the URL form from the IOC list.

    Detection Query 2 :

    md5hash IN ("b2d51212744f404714fd909e87254d98","f985b8d6d635c266fc4779dad77aa75c","c92cf9a1af5b1fe25cdcb8771ce52be4","73ce2438d4ed475e03727b7b000d2794","77fbe265fd65c7f7b6d323fb6de6a4fd","b188fbc6ff5557767e73e4c883a553a3")

    Detection Query 3 :

    sha1hash IN ("ba80d7b038758a129861e1e498e462cc3d68ae20","c98ee41f09ae079a5643626f57eb84f92205bb2b","3d5ee8429ef00824c0351cba507dfeb92b54f83b","b44c8084b88d31113ee51758740eb84c251bdae8","114ec028a3fc4ed50056ee8166b0c39acff6ff03","aa9218994798ae31a19d3e7e39cfac2e2ee55840")

    Detection Query 4 :

    sha256hash IN ("d9487fdc097f770e5661f9e5dee130068cb179d33716abff1a21c8cb901f25a6","4142d5efd4ea2abab77f2f0a917610e2ff976bf9e19d7ad1e9156eccdc5412db","19021e53b9929fdf4b7d0e0707434d56bb73c1a9b7403c8837b44d1c417198dc","8c2665adf8bfab65463f2a9bd1b7bb0231de3f5c1e6a2e51479e44aaac2e7bf0","2d4b4bb18b8445e49eeda571982874403befcecf78266e3d405f6529d98bee46","1795eacd2c58894ccdd6be8854fe6456c3b069a3a873432343b57b475b256aee")
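    The IOC list above mixes bare hostnames with full URLs, and the hash list mixes three digest lengths, so a matcher has to normalise both before comparing them against log fields. The following Python script is an added example, not Gurucul's or The DFIR Report's code: it embeds the hostname indicators from this alert and the first two hash triples, reduces URLs and hostnames to a lowercase host, buckets hashes by algorithm, and runs the same checks as Detection Queries 1-4 over a handful of constructed log events. The field names (domainname, url, siteurl, md5hash, sha1hash, sha256hash) mirror the queries above; the sample events are invented; and the optional tunnel_parent check, which flags any subdomain of trycloudflare.com, is an assumption of this example added as a hunting aid because quick-tunnel hostnames are generated per tunnel and will not stay on any static list.

```python
"""Match the IOCs from this alert against sample DNS/proxy and file-hash events."""
import re
from urllib.parse import urlsplit

# Hostname/URL indicators copied from the IOC list above (bare hosts and URLs mixed).
IOC_HOSTS_AND_URLS = """
1rpc.io
https://witch-skins-lip-coal.trycloudflare.com
https://fields-pct-easier-vancouver.trycloudflare.com
https://howto-tar-naturals-coordination.trycloudflare.com
https://workshop-lighting-protective-customs.trycloudflare.com
https://afford-effect-construct-tricks.trycloudflare.com
https://rapids-lil-lending-charleston.trycloudflare.com
https://when-architectural-cdna-faster.trycloudflare.com
https://mode-exit-legendary-trusted.trycloudflare.com
https://seasonal-estimation-heating-necessarily.trycloudflare.com
https://entered-medications-motherboard-advanced.trycloudflare.com
https://walt-messaging-affairs-occurring.trycloudflare.com
vefbdzzuaadnascpeqcn.supabase.co
k135neflez.westus3.azure.clickhouse.cloud
borjumaniya.store
vngz3ntdrb.us-east1.gcp.clickhouse.cloud
muurfzqprzmdkzoibxaz.supabase.co
ep-lively-cherry-a80bmwii.eastus2.azure.neon.tech
"""

# MD5 / SHA-1 / SHA-256 triples for the first two samples in the list above;
# the remaining triples are pasted in the same way.
IOC_HASHES = """
73ce2438d4ed475e03727b7b000d2794
3d5ee8429ef00824c0351cba507dfeb92b54f83b
d9487fdc097f770e5661f9e5dee130068cb179d33716abff1a21c8cb901f25a6
b2d51212744f404714fd909e87254d98
c98ee41f09ae079a5643626f57eb84f92205bb2b
8c2665adf8bfab65463f2a9bd1b7bb0231de3f5c1e6a2e51479e44aaac2e7bf0
"""

HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
HOST_FIELDS = ("domainname", "url", "siteurl")        # names from Detection Query 1
HASH_FIELDS = ("md5hash", "sha1hash", "sha256hash")   # names from Queries 2-4


def to_host(value):
    """Normalise a bare domain or a full URL to its lowercase hostname.
    A DNS query name never carries a scheme, so comparing it against
    "https://..." would never match; strip scheme, port and path first."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value           # lets urlsplit treat a bare host as the netloc
    return urlsplit(value).hostname or ""


def load_host_iocs(text):
    return {to_host(line) for line in text.splitlines() if line.strip()}


def load_hash_iocs(text):
    """Bucket hex digests by algorithm using their length; reject anything else."""
    buckets = {"md5": set(), "sha1": set(), "sha256": set()}
    for line in text.splitlines():
        h = line.strip().lower()
        if not h:
            continue
        algo = HEX_LEN_TO_ALGO.get(len(h))
        if algo is None or not re.fullmatch(r"[0-9a-f]+", h):
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {h}")
        buckets[algo].add(h)
    return buckets


def match_event(event, host_iocs, hash_iocs, tunnel_parent=None):
    """Return (field, indicator, kind) hits for one event dict. kind is "ioc" for
    an exact indicator, or "tunnel-parent" when tunnel_parent is given and the
    host is any subdomain of it (assumed hunting rule, not from the alert)."""
    hits = []
    for field in HOST_FIELDS:
        if field not in event:
            continue
        host = to_host(event[field])
        if host in host_iocs:
            hits.append((field, host, "ioc"))
        elif tunnel_parent and host.endswith("." + tunnel_parent):
            hits.append((field, host, "tunnel-parent"))
    for field in HASH_FIELDS:
        if field not in event:
            continue
        h = event[field].strip().lower()   # EDR often reports digests in upper case
        if h in hash_iocs[field[:-4]]:     # "sha256hash" -> "sha256"
            hits.append((field, h, "ioc"))
    return hits


def scan(events, host_iocs, hash_iocs, tunnel_parent=None):
    """Map event id -> hits, for events that produced at least one hit."""
    result = {}
    for ev in events:
        hits = match_event(ev, host_iocs, hash_iocs, tunnel_parent)
        if hits:
            result[ev["id"]] = hits
    return result


# Constructed sample events, not real telemetry: a DNS query (bare host), a proxy
# request with a path, a benign request, an EDR hash in upper case, and a
# trycloudflare hostname that is not on the list.
SAMPLE_EVENTS = [
    {"id": 1, "domainname": "witch-skins-lip-coal.trycloudflare.com"},
    {"id": 2, "url": "https://borjumaniya.store/?v=1", "domainname": "borjumaniya.store"},
    {"id": 3, "url": "https://example.com/", "domainname": "example.com"},
    {"id": 4, "sha256hash": "D9487FDC097F770E5661F9E5DEE130068CB179D33716ABFF1A21C8CB901F25A6"},
    {"id": 5, "domainname": "some-other-words-here.trycloudflare.com"},
]

if __name__ == "__main__":
    hosts, hashes = load_host_iocs(IOC_HOSTS_AND_URLS), load_hash_iocs(IOC_HASHES)
    for event_id, hits in scan(SAMPLE_EVENTS, hosts, hashes, "trycloudflare.com").items():
        for field, indicator, kind in hits:
            print(f"event {event_id}: {field}={indicator} ({kind})")
```

    Without tunnel_parent the script reproduces the queries above (events 1, 2 and 4 hit); with it, event 5 is also surfaced as a tunnel-parent hit for triage. Expect that broader rule to be noisy in environments where developers legitimately use Cloudflare quick tunnels, so route it to a hunt, not a high-severity alert.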

    Reference:    

    https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/


    Tags

    Ransomware, React2Shell, Exploit, Exfiltration, Blockchain, SaaS, Malware, Vulnerability, CVE-2025, RAT, AI
