
The Gentlemen RaaS Deploys Custom Go Backdoor with Yamux and SOCKS Proxy

securelist.com · @threat_watch · 3 hours ago · Cybersecurity · 1 comment

Kaspersky's analysis reveals a Go implant that requires a hardcoded password, uses Yamux for bidirectional C2, and spreads via Group Policy.

Tags: the gentlemen, securelist, kaspersky, ransomware, go backdoor, yamux

The Gentlemen ransomware group uses a password-protected Go implant that establishes a persistent bidirectional TCP connection via the Yamux library to a C2 at 81.177.215.15:9443. The backdoor collects hostname, domain, UUID, and local IPs, sends them as JSON, then waits for operator commands: 'c' executes shell commands via cmd.exe, 's' opens a SOCKS proxy for network pivoting. Kaspersky observed reconnaissance commands like whoami, net group "Domain Admins" /domain, and directory listings sent immediately after connection.

Custom Go Backdoor Bypasses Sandboxes with Hardcoded Password

The Go implant refuses to run unless it is given the password CbdU8EgF at launch. Without it the sample does nothing, so an automated sandbox that detonates the binary with no arguments records no behaviour; an analyst has to recover the password from the binary or from the launch context to get it to run. It fingerprints the victim with the WMI query SELECT UUID FROM Win32_ComputerSystemProduct. The Yamux library multiplexes the single TCP connection into independent streams, so command execution and SOCKS proxy traffic run simultaneously over one C2 channel. Kaspersky found the binary obfuscated with a previously unknown Go obfuscator that renames symbols and alters function signatures.

Lateral Movement via Group Policy and PsExec

The ransomware spreads in two modes selected by command-line flag. With --gpo, it copies itself to the NETLOGON share, creates a Group Policy object posing as a system update that disables Windows Defender, and triggers gpupdate /force on domain computers so the policy is applied immediately. With --spread, it downloads PsExec from live.sysinternals.com, enumerates domain computers via RSAT or NetServerEnum, checks that each target is reachable with ping.exe -n 1 -w 500, and uses PsExec to execute the ransomware on the hosts that respond. Before encryption, it stops Hyper-V VMs and kills processes belonging to backup software, databases, and Office applications so that open handles do not block encryption.
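The reconnaissance commands listed in the first section and the spreading behaviour described above leave a recognisable trail in process-creation telemetry. The following scoring rule is an added example, not part of the Securelist report: it groups Sysmon-style process events by (host, parent PID), matches the command lines against the tradecraft the write-up names (whoami, net group "Domain Admins" /domain, the live.sysinternals.com PsExec download, PsExec execution, gpupdate /force, takeown and icacls Everyone:F), counts distinct ping.exe -n 1 -w 500 targets as a sweep, and alerts on the parent whose score crosses a threshold. The sample events, the placeholder binary C:\Temp\sample.exe, the IP addresses, the weights and the thresholds are all constructed here.

```python
import re
from collections import defaultdict

# Behaviour-based indicators drawn from the tradecraft described in the write-up.
# Weights and thresholds are this example's own choices, not values from the report.
INDICATORS = [
    ("domain_admin_recon", 3, re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?Domain Admins"?\s+/domain\b', re.I)),
    ("whoami", 1, re.compile(r"\bwhoami(?:\.exe)?\b", re.I)),
    ("psexec_download", 3, re.compile(r"live\.sysinternals\.com", re.I)),
    ("psexec_exec", 3, re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b", re.I)),
    ("gpupdate_force", 2, re.compile(r"\bgpupdate(?:\.exe)?\s+/force\b", re.I)),
    ("icacls_everyone_full", 3, re.compile(r"\bicacls(?:\.exe)?\b.*\bEveryone:F\b", re.I)),
    ("takeown", 2, re.compile(r"\btakeown(?:\.exe)?\b", re.I)),
]
# One probe per host with a 500 ms timeout, exactly the form the report quotes.
PING_PROBE = re.compile(r"\bping(?:\.exe)?\s+-n\s+1\s+-w\s+500\s+(\S+)", re.I)
PING_SWEEP_WEIGHT = 4


def score_events(events, sweep_threshold=5, alert_threshold=6):
    """Group process-creation events by (host, parent PID) and score each parent.

    Returns {(host, ppid): {"parent", "score", "indicators", "ping_targets"}} for
    every parent process whose accumulated score reaches alert_threshold.
    """
    by_parent = defaultdict(lambda: {"parent": None, "indicators": set(), "ping_targets": set()})
    for ev in events:
        entry = by_parent[(ev["host"], ev["ppid"])]
        entry["parent"] = ev["parent"]
        cmd = ev["cmdline"]
        for name, _weight, pattern in INDICATORS:
            if pattern.search(cmd):
                entry["indicators"].add(name)       # set: repeated commands count once
        probe = PING_PROBE.search(cmd)
        if probe:
            entry["ping_targets"].add(probe.group(1).lower())

    weights = {name: weight for name, weight, _ in INDICATORS}
    alerts = {}
    for key, entry in by_parent.items():
        score = sum(weights[name] for name in entry["indicators"])
        if len(entry["ping_targets"]) >= sweep_threshold:   # many distinct targets = sweep
            entry["indicators"].add("ping_sweep")
            score += PING_SWEEP_WEIGHT
        if score >= alert_threshold:
            alerts[key] = {"parent": entry["parent"], "score": score,
                           "indicators": entry["indicators"],
                           "ping_targets": len(entry["ping_targets"])}
    return alerts


# Constructed sample telemetry (Sysmon event ID 1 style fields), not real data.
# C:\Temp\sample.exe stands in for the spreading binary; the IPs are placeholders.
_SPREADER = {"host": "WS01", "ppid": 4120, "parent": r"C:\Temp\sample.exe"}
SAMPLE_EVENTS = [
    dict(_SPREADER, cmdline="cmd.exe /c whoami"),
    dict(_SPREADER, cmdline='cmd.exe /c net group "Domain Admins" /domain'),
    *[dict(_SPREADER, cmdline=f"ping.exe -n 1 -w 500 10.0.0.{i}") for i in range(11, 17)],
    dict(_SPREADER, cmdline=r"cmd.exe /c curl -o C:\Temp\PsExec64.exe https://live.sysinternals.com/PsExec64.exe"),
    dict(_SPREADER, cmdline=r"C:\Temp\PsExec64.exe -accepteula \\10.0.0.11 -c C:\Temp\sample.exe"),
    dict(_SPREADER, cmdline=r'takeown /f "C:\Users\Public\Documents" /r /d y'),
    dict(_SPREADER, cmdline=r'icacls "C:\Users\Public\Documents" /grant Everyone:F /T'),
    dict(_SPREADER, cmdline="gpupdate /force"),
    # Benign noise: a single ping, an admin checking identity, a routine policy refresh.
    {"host": "WS02", "ppid": 812, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "ping.exe -n 1 -w 500 10.0.0.1"},
    {"host": "WS02", "ppid": 900, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "whoami"},
    {"host": "WS02", "ppid": 3000, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "gpupdate /force"},
]

if __name__ == "__main__":
    for (host, ppid), alert in score_events(SAMPLE_EVENTS).items():
        print(f"{host} ppid={ppid} {alert['parent']} score={alert['score']} "
              f"ping_targets={alert['ping_targets']} {sorted(alert['indicators'])}")
```

Scoring per parent process rather than per command is the point: a lone gpupdate /force or whoami is everyday administration and scores below the threshold, while one process that pings a range, pulls PsExec, rewrites ACLs and refreshes policy accumulates a score no routine task should. Tune the weights to your environment and treat the live.sysinternals.com match as something your proxy or DNS logs should also surface, since the report describes the implant fetching PsExec itself rather than via a command line.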

Encryption with Curve25519-XChaCha20 and Self-Defense

For each file the ransomware generates a fresh Curve25519 key pair and computes a shared secret from that key pair and the attacker's embedded public key (HvzC6Dq/siFthWSgE5ozZyQDu9cyxIoxb3NuRHI6pDM=); XChaCha20 then encrypts the file contents with it. Only the holder of the private key matching that embedded public key can recompute the per-file secret, so recovery without the attackers' cooperation depends on finding an implementation flaw rather than a key. The ransomware takes ownership of files with takeown and grants Everyone full control (Everyone:F) with icacls, drops README-GENTLEMEN.txt ransom notes, and optionally wipes free space and deletes itself. Kaspersky also found a C variant still in development that uses AES256-GCM with RSA, with most of its parameters marked "not implemented". That variant communicates via email instead of Tox.
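The per-file hybrid scheme above is easier to reason about with the pieces in front of you. The block below is an added example, not Kaspersky's code and not the ransomware's: it carries X25519 (RFC 7748) and ChaCha20/HChaCha20/XChaCha20 (RFC 7539 and the IETF XChaCha draft) written out in plain Python so it runs offline, and builds the encrypt and decrypt sides of "fresh Curve25519 key pair per file, shared secret with a fixed public key, XChaCha20 over the contents". The on-disk layout (ephemeral public key, then a random 24-byte nonce, then ciphertext), the use of the raw shared secret as the XChaCha20 key, and the lack of authentication are assumptions made here; the write-up does not describe them. The 44-character base64 key on the page decodes to 32 bytes, the size X25519 expects, but the demo generates its own "attacker" pair so that decryption can be shown too.

```python
import os
import struct

# ---- X25519 (RFC 7748), written out so the example has no dependencies.
# Not constant-time; fine for illustration, not for production.
P = 2**255 - 19
A24 = 121665


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):                  # Montgomery ladder
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


BASEPOINT = (9).to_bytes(32, "little")

# ---- ChaCha20 / HChaCha20 / XChaCha20 (RFC 7539, draft-irtf-cfrg-xchacha).
MASK = 0xFFFFFFFF
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)   # "expand 32-byte k"


def _rotl(v: int, n: int) -> int:
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 7)


def _chacha_rounds(state):
    s = list(state)
    for _ in range(10):                           # 10 double rounds = 20 rounds
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(s, *idx)
    return s


def chacha20_block(key: bytes, counter: int, nonce12: bytes) -> bytes:
    state = list(SIGMA) + list(struct.unpack("<8I", key)) + [counter] + list(struct.unpack("<3I", nonce12))
    out = _chacha_rounds(state)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(out, state)))


def hchacha20(key: bytes, nonce16: bytes) -> bytes:
    state = list(SIGMA) + list(struct.unpack("<8I", key)) + list(struct.unpack("<4I", nonce16))
    s = _chacha_rounds(state)
    return struct.pack("<8I", *(s[:4] + s[12:]))  # no feed-forward: first and last rows only


def xchacha20(key: bytes, nonce24: bytes, data: bytes) -> bytes:
    subkey = hchacha20(key, nonce24[:16])         # 24-byte nonce -> subkey + 8-byte tail
    nonce12 = b"\x00" * 4 + nonce24[16:]
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 64)):
        keystream = chacha20_block(subkey, block, nonce12)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], keystream))
    return bytes(out)

# ---- Per-file hybrid encryption in the shape the write-up describes (assumed layout:
# ephemeral public key || 24-byte nonce || ciphertext; raw DH output used as the key).


def generate_keypair() -> tuple:
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def encrypt_file(plaintext: bytes, recipient_pub: bytes) -> bytes:
    eph_priv, eph_pub = generate_keypair()       # fresh key pair for THIS file only
    shared = x25519(eph_priv, recipient_pub)      # a real design would KDF this first
    nonce = os.urandom(24)
    return eph_pub + nonce + xchacha20(shared, nonce, plaintext)   # eph_pub must travel with the file


def decrypt_file(blob: bytes, recipient_priv: bytes) -> bytes:
    eph_pub, nonce, ct = blob[:32], blob[32:56], blob[56:]
    shared = x25519(recipient_priv, eph_pub)      # same secret, from the other side
    return xchacha20(shared, nonce, ct)


def demo() -> bool:
    """Encrypt a constructed sample under a fresh 'attacker' pair; only that private key recovers it."""
    att_priv, att_pub = generate_keypair()
    sample = b"constructed sample file contents " * 5    # 165 bytes, spans three 64-byte blocks
    blob = encrypt_file(sample, att_pub)
    wrong_key = decrypt_file(blob, os.urandom(32))       # anyone without the private key
    return decrypt_file(blob, att_priv) == sample and wrong_key != sample


if __name__ == "__main__":
    print("round trip ok:", demo())
```

Two things the code makes concrete: the ephemeral private key never needs to be written anywhere, so dumping the process memory after a file is done yields nothing reusable, and every file carries a different shared secret, so there is no single symmetric key to recover. The remaining attack surface is implementation quality: a weak RNG for the ephemeral key or nonce reuse across files would break the scheme regardless of the primitives. The report does not say whether the implant derives the XChaCha20 key from the raw DH output or through a KDF; this example uses it raw only because that is the simplest faithful shape.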

The Gentlemen group now ranks among the top 10 ransomware actors by DLS victim announcements in early 2026, targeting manufacturing, healthcare, and critical infrastructure across Brazil, China, Indonesia, Taiwan, and Thailand. With a C-based ESXi locker already active and a Windows C variant maturing, expect their custom toolset to become more dangerous.


Source: The Gentlemen are knocking: custom backdoors and evolving tactics
Domain: securelist.com
