THEGENTLEMEN Ransomware: Critical Infrastructure Campaign — SmarterMail & Exchange Exploitation Detected

Security Arsenal Team
May 9, 2026
5 min read

Date: 2026-05-10
Source: Security Arsenal Dark Web Intelligence Unit
Threat Level: CRITICAL


Threat Actor Profile — THEGENTLEMEN

THEGENTLEMEN operate as a sophisticated Ransomware-as-a-Service (RaaS) entity with a closed-group core development team. They distinguish themselves through professional-looking leak sites and a focus on high-value data exfiltration rather than just encryption.

  • Model: RaaS with affiliate network. Recent activity suggests a "big game hunting" shift mixed with automated attacks on SMEs.
  • Ransom Demands: Typically $500k - $5M USD, varying strictly based on victim revenue and data sensitivity.
  • Initial Access: Heavy reliance on exploiting internet-facing applications. The current campaign is dominated by exploits against mail servers (SmarterTools SmarterMail, Microsoft Exchange) and firewall management consoles (Cisco FMC). Phishing is used only as a secondary vector.
  • Dwell Time: Average 3–7 days. This group moves laterally and exfiltrates data extremely fast once initial access is secured, often detonating encryption within 48 hours of beachhead establishment.

Current Campaign Analysis

Targeting Overview

Analysis of the last 100 postings reveals 22 confirmed victims in a short window. The May 2026 wave is characterized by a distinct focus on Manufacturing (27% of recent victims) and Construction (18%).

  • Geographic Spread: Heavily concentrated in the US (35%), with significant secondary targeting in Germany and Egypt. This suggests a deliberate focus on Western industrial supply chains.
  • Victim Profile:
    • SMEs: Arizona Professional Painting, Hillside Lumber (Revenue <$50M).
    • Large Enterprises: Misr Chemical Industries, TDS Telecommunications (Revenue >$500M).
    • The group is opportunistic regarding size but specific regarding sector technology stacks.

Attack Vector Correlation

The recent victim spike correlates directly with the weaponization of CVE-2025-52691 (SmarterMail) and CVE-2023-21529 (Microsoft Exchange). Victims in the Business Services and Telecommunication sectors (e.g., TDS, DEVCO) align perfectly with organizations managing large mail server footprints.

Escalation Pattern:

  1. 2026-05-06: Initial exploitation of Cisco FMC and SmarterMail vulns.
  2. 2026-05-08: Mass detonation and posting of 8 victims simultaneously, indicating an automated encryption trigger or an affiliate "burn weekend."

Detection Engineering

SIGMA Rules

YAML
title: SmarterMail Unrestricted File Upload Exploit
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects exploitation of CVE-2025-52691 in SmarterMail via suspicious file creation patterns in web roots.
status: experimental
date: 2026/05/10
author: Security Arsenal Research
tags:
    - attack.initial_access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
    - cve.2025.52691
logsource:
    # Sysmon Event ID 11 (FileCreate); 'service: file' is not a Sigma logsource
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - 'C:\\Program Files (x86)\\SmarterTools\\SmarterMail\\MRS\\'
        TargetFilename|endswith:
            - '.aspx'
            - '.ashx'
            - '.config'
    filter:
        Image|contains:
            - 'SmarterMail.Service.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate administrative file updates
level: critical
---
title: Microsoft Exchange Deserialization Anomaly
id: 00000000-0000-4000-8000-000000000000  # placeholder, generate a fresh UUID before deploying
description: Detects suspicious deserialization activity indicative of CVE-2023-21529 exploitation.
status: experimental
date: 2026/05/10
author: Security Arsenal Research
logsource:
    product: windows
    service: security
detection:
    selection:
        # a list is an OR; 'EventID: 5140 or 5145' is not valid Sigma
        EventID:
            - 5140
            - 5145
        ShareName|contains: 'Exchange'
        RelativeTargetName|contains: 'rpc'
    condition: selection
falsepositives:
    - Low
level: high
---
title: THEGENTLEMEN Lateral Movement via PsExec
id: b2c3d4e5-6789-01bc-def2-345678901234
description: Detects the use of PsExec for lateral movement, a common THEGENTLEMEN TTP post-initial access.
status: experimental
date: 2026/05/10
author: Security Arsenal Research
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        # Event 5145 records the share as '\\*\ADMIN$', so match on the suffix
        ShareName|endswith: 'ADMIN$'
        RelativeTargetName|endswith: 'PSEXESVC.exe'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: high
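
The following is an added example and not code from the Security Arsenal advisory: a minimal evaluator for the SmarterMail Sigma rule above, run over constructed Sysmon-style file-creation events (Event ID 11 fields TargetFilename and Image). It implements only what that rule needs (the |contains and |endswith modifiers, Sigma's case-insensitive matching, AND across a block's fields, OR across a field's list values, and the condition "selection and not filter") so the rule's logic can be checked against known-good and known-bad events before it is pushed to a SIEM. The sample events and the SmarterMail service path in them are constructed.

```python
"""Minimal Sigma-logic evaluator for the SmarterMail file-creation rule.
Added example; the events below are constructed, not real telemetry."""
from typing import Any

# The rule's detection section transcribed to Python. Sigma's '\\' inside a
# single-quoted YAML string means one literal backslash, hence the doubled
# backslashes in this (non-raw) Python string.
RULE = {
    "selection": {
        "TargetFilename|contains": [
            "C:\\Program Files (x86)\\SmarterTools\\SmarterMail\\MRS\\",
        ],
        "TargetFilename|endswith": [".aspx", ".ashx", ".config"],
    },
    "filter": {
        "Image|contains": ["SmarterMail.Service.exe"],
    },
}


def field_matches(modifier: str, value: str, patterns: list) -> bool:
    """OR over the listed patterns; comparisons are case-insensitive as in Sigma.
    Wildcards are not implemented because the rule above does not use them."""
    v = value.lower()
    for p in patterns:
        p = str(p).lower()
        if modifier == "contains" and p in v:
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "" and v == p:
            return True
    return False


def block_matches(block: dict, event: dict) -> bool:
    """A Sigma map-style block is an AND over its field entries."""
    for key, patterns in block.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not field_matches(modifier, str(event[field]), patterns):
            return False
    return True


def rule_matches(event: dict) -> bool:
    """condition: selection and not filter"""
    return block_matches(RULE["selection"], event) and not block_matches(RULE["filter"], event)


# Constructed events: a script file written by the IIS worker process, a
# config update performed by the SmarterMail service itself, a log file, and
# a script file outside the SmarterMail web root.
SAMPLE_EVENTS: list = [
    {"TargetFilename": r"C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data\x.aspx",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"TargetFilename": r"C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\web.config",
     "Image": r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\SmarterMail.Service.exe"},
    {"TargetFilename": r"C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\Logs\2026.05.10.log",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"TargetFilename": r"C:\inetpub\wwwroot\index.aspx",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
]


def matching_indexes(events: list = SAMPLE_EVENTS) -> list:
    """Indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in matching_indexes():
        print("ALERT:", SAMPLE_EVENTS[i]["TargetFilename"])
```

Only the first event alerts: the second hits the selection but is suppressed by the filter because the SmarterMail service wrote it, which is exactly the false-positive class the rule's filter is there to remove.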

KQL (Microsoft Sentinel)

Hunts for suspicious child-process execution from the IIS worker process (w3wp.exe) and from SmarterMail processes, patterns associated with web shell use and this group's toolset.

KQL — Microsoft Sentinel / Defender
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where (FileName in~("cmd.exe", "powershell.exe", "pwsh.exe") and ProcessCommandLine has "whoami" and InitiatingProcessFileName has "w3wp.exe")
    or (InitiatingProcessFileName has "SmarterMail" and ProcessCommandLine has "-enc")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| extend Hint = "Potential Web Shell or Deserialization Exploit"

PowerShell Response Script

Rapid response script that checks for Volume Shadow Copy service stops (signs of data staging), enumerates scheduled tasks created in the last 24 hours, and lists recently modified script and configuration files under the SmarterMail and Exchange install directories.

PowerShell
# THEGENTLEMEN Incident Response Triage Script
# Run elevated on the suspected mail server; every check looks back 24 hours.
$Since = (Get-Date).AddHours(-24)

Write-Host "[+] Checking for Shadow Copy Deletion Attempts..." -ForegroundColor Yellow
# System event 7036 = service state change. The message names the service by its
# display name ("Volume Shadow Copy"), not "VSS", so match on that. The service
# also stops on its own after idle time, so correlate hits with other activity.
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7036; StartTime=$Since} -ErrorAction SilentlyContinue |
Where-Object {$_.Message -like '*Volume Shadow Copy*' -and $_.Message -like '*stopped*'} |
Select-Object TimeCreated, Message

Write-Host "[+] Enumerating Scheduled Tasks created in last 24h..." -ForegroundColor Yellow
# Date is a string and is empty for many built-in tasks: skip empties and cast
# before comparing, otherwise PowerShell performs a string comparison.
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt $Since } |
Select-Object TaskName, TaskPath, Date, Author

Write-Host "[+] Checking for suspicious SmarterMail/Exchange directory modifications..." -ForegroundColor Yellow
# Script and config files written in the window are candidate web shells or
# tampered handlers; review each hit against change records.
$paths = @("C:\Program Files (x86)\SmarterTools\", "C:\Program Files\Microsoft\Exchange Server\")
foreach ($p in $paths) {
    if (Test-Path $p) {
        Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {$_.LastWriteTime -gt $Since -and $_.Extension -match '\.(aspx|ashx|config)$'} |
        Select-Object FullName, LastWriteTime
    }
}


---

Incident Response Priorities

T-Minus Detection Checklist

  1. Web Server Logs: Immediate review of IIS/SmarterMail logs for POST requests to anomalous endpoints (e.g., .ashx, .aspx) followed by high CPU usage in w3wp.exe.
  2. Exchange Audit: Hunt for Cmdlet and PowerShell logs indicating the creation of new mailboxes or mail forwarding rules (often used for C2).
  3. Network Traffic: Look for large outbound data transfers (FTP, rclone, Mega.io) occurring outside business hours.
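
The following is an added example, not code from the Security Arsenal advisory, for checklist item 1: triage of IIS W3C logs for POST requests to script endpoints. It reads the '#Fields:' header so the site's column order does not matter, keeps POSTs to .aspx/.ashx/.asmx paths, and summarises them per (client IP, URI stem): request count, 2xx count, bytes returned, requests slower than a threshold (a cheap proxy for the w3wp.exe CPU spike the checklist mentions), and whether the stem appears in a baseline of paths the application is known to serve. The log lines, the baseline and the URI paths in them are constructed.

```python
"""IIS W3C log triage for POSTs to script endpoints. Added example; the log
excerpt and the baseline below are constructed, not taken from a real server."""
from collections import defaultdict
from typing import Iterable, Iterator

SCRIPT_EXTS = (".aspx", ".ashx", ".asmx")

# Constructed baseline of lower-cased URI stems that legitimately receive POSTs.
# Build the real one from a few weeks of pre-incident logs; anything outside it
# goes to the top of the review queue.
BASELINE_STEMS = {"/login.aspx"}

# Constructed log excerpt in IIS W3C format. IIS writes '+' for spaces in the
# user-agent field, so every record splits cleanly on single spaces.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes time-taken
2026-05-06 02:11:03 10.0.0.5 POST /Login.aspx - 443 - 203.0.113.7 python-requests/2.31 302 0 31
2026-05-06 02:11:09 10.0.0.5 POST /api/v1/settings/import - 443 admin 203.0.113.7 python-requests/2.31 200 88 120
2026-05-06 02:11:12 10.0.0.5 POST /App_Data/x.ashx - 443 - 203.0.113.7 python-requests/2.31 200 1320 4020
2026-05-06 02:11:15 10.0.0.5 POST /App_Data/x.ashx - 443 - 203.0.113.7 python-requests/2.31 200 4096 3890
2026-05-06 09:15:44 10.0.0.5 GET /Login.aspx - 443 - 198.51.100.20 Mozilla/5.0 200 20480 12
2026-05-06 09:16:01 10.0.0.5 POST /Login.aspx - 443 jsmith 198.51.100.20 Mozilla/5.0 302 0 9
"""


def parse_iis(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated record: skip it, don't abort the hunt
        yield dict(zip(fields, parts))


def _num(text: str) -> int:
    """IIS writes '-' for unavailable numeric fields; treat those as 0."""
    return int(text) if text.isdigit() else 0


def triage_posts(log_text: str, baseline=BASELINE_STEMS, slow_ms: int = 2000) -> dict:
    """Summarise POSTs to script endpoints per (client IP, lower-cased URI stem)."""
    stats = defaultdict(lambda: {"requests": 0, "ok": 0, "bytes": 0, "slow": 0,
                                 "first_seen": None, "in_baseline": False})
    for rec in parse_iis(log_text.splitlines()):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(SCRIPT_EXTS):
            continue
        s = stats[(rec["c-ip"], stem)]
        s["requests"] += 1
        if rec["sc-status"].startswith("2"):
            s["ok"] += 1
        s["bytes"] += _num(rec["sc-bytes"])
        if _num(rec["time-taken"]) > slow_ms:
            s["slow"] += 1
        s["first_seen"] = s["first_seen"] or f"{rec['date']} {rec['time']}"
        s["in_baseline"] = stem in baseline
    return dict(stats)


def findings(log_text: str, baseline=BASELINE_STEMS) -> list:
    """Entries outside the baseline, most active first: the analyst's review queue."""
    out = []
    for (ip, stem), s in triage_posts(log_text, baseline).items():
        if not s["in_baseline"]:
            out.append({"c-ip": ip, "stem": stem, **s})
    return sorted(out, key=lambda f: f["requests"], reverse=True)


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f"{f['c-ip']} {f['stem']} requests={f['requests']} "
              f"2xx={f['ok']} bytes={f['bytes']} slow={f['slow']} first={f['first_seen']}")
```

In the constructed excerpt only the /App_Data/x.ashx stem is outside the baseline; it was POSTed twice from one address, both requests succeeded and both exceeded the slow threshold, which is the combination of signals item 1 asks for. Feed the real W3C files in with the same parser and widen SCRIPT_EXTS if the application uses other handler types.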

Critical Assets for Exfiltration

THEGENTLEMEN historically prioritize:

  • CAD/PLM Files: In manufacturing sectors (Intellectual Property).
  • Client Databases: CRM and ERP systems.
  • Financial Records: A/P and A/R ledgers.

Containment Actions (Ordered by Urgency)

  1. Isolate: Disconnect Mail Servers (Exchange/SmarterMail) and Management Consoles (Cisco FMC) from the network immediately.
  2. Suspend: Disable all service accounts with privileged access to email systems.
  3. Credential Reset: Force reset for all admin passwords, specifically targeting accounts used to manage mail gateways.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Immediately: Apply patches for CVE-2025-52691 (SmarterMail), CVE-2026-23760 (SmarterMail Auth Bypass), and CVE-2023-21529 (Exchange). These are confirmed active exploitation vectors.
  • Block External Access: If patching is delayed, place VPN and RDP behind a Zero Trust gateway. Block internet access to management interfaces (Cisco FMC) from untrusted IPs.

Short-term (2 Weeks)

  • Network Segmentation: Move mail servers and management consoles to a dedicated VLAN with strict egress filtering.
  • Web Application Firewall (WAF): Deploy or tune WAF rules to block known deserialization and unrestricted upload payload signatures.
