THEGENTLEMEN Ransomware: Global Campaigns Targeting Manufacturing & Tech via Critical Infrastructure CVEs

Threat Actor Profile — THEGENTLEMEN

THEGENTLEMEN represents a sophisticated, financially motivated operation operating with a high tempo of victim postings (26 in the recent cycle). While they maintain a veneer of professional conduct (per their naming convention), their tactics align with aggressive Ransomware-as-a-Service (RaaS) affiliate models.

Model: RaaS with broad affiliate network allowing for diverse geographical targeting.
Ransom Demands: Typically ranging from $500k to $5M USD, varying strictly by victim revenue and perceived data value.
Initial Access: The group and its affiliates demonstrate a heavy reliance on exploiting external-facing infrastructure rather than pure phishing. They are actively weaponizing vulnerabilities in Email servers (Exchange, SmarterMail) and perimeter security appliances (Cisco FMC).
Extortion: Strict double-extortion protocol. Data is exfiltrated prior to encryption, with leak site postings used as leverage within 3-7 days of failed negotiation.
Dwell Time: Short averaging 3–5 days. The group moves rapidly from initial access via CVE to credential dumping and lateral movement.

Current Campaign Analysis

Based on live dark web telemetry from 2026-05-06, THEGENTLEMEN has launched a global offensive with a distinct focus on the Manufacturing and Technology sectors, alongside significant hits in Business Services.

Sectors Targeted:
- High Risk: Manufacturing (Clark Fixture, Gator Cases), Technology (DATAMATIC, Da Guan, Mediaplex).
- Secondary: Business Services (Manhattan Fire Safety, C2O Architects).
Geographic Concentration: A true "spray and pray" on vulnerable IPs globally. The US is the primary target (5 confirmed recent victims), but significant activity is detected in Italy, the UK, Belgium, and Taiwan. This suggests automated vulnerability scanning rather than human-targeted spear-phishing.
Victim Profile: Predominantly Small-to-Medium Businesses (SMBs) and mid-market enterprises. These organizations often lack robust patch management cycles for edge appliances like Exchange or Cisco Firewalls, making them ideal targets for the CVEs listed below.
CVE Correlation: The campaign coincides directly with the active exploitation of CISA Known Exploited Vulnerabilities (KEV). The victims in the Technology and Business Services sectors strongly suggest initial access was gained via:
- CVE-2023-21529 (Microsoft Exchange): Allowing remote code execution for data exfiltration.
- CVE-2025-52691 / CVE-2026-23760 (SmarterTools SmarterMail): Targeting the Tech and Business Services sectors likely running self-hosted mail.
- CVE-2026-20131 (Cisco FMC): Potential bypass of perimeter controls facilitating lateral movement.

Detection Engineering

SIGMA Rules

YAML

---
title: Potential SmarterMail Unrestricted File Upload Exploit
description: Detects potential exploitation of CVE-2025-52691 in SmarterMail via suspicious file upload patterns or IIS logs.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
status: experimental
author: Security Arsenal Research
date: 2026/05/06
tags:
    - attack.initial_access
    - attack.web_application
    - cve.2025.52691
logsource:
    product: windows
    service: iis
    definition: 'Requirements: IIS Logs with fields cs-uri-stem and cs-method'
detection:
    selection:
        cs-method: 'POST'
        cs-uri-stem|contains:
            - '/Services/Mail.asmx'
            - '/Grid.ashx'
    filter_legit:
        cs-uri-query|contains: 'wsdl'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate admin usage of SmarterMail interfaces
level: high
---
title: Microsoft Exchange Deserialization Exploit Attempt
description: Detects suspicious PowerShell deserialization activity indicative of CVE-2023-21529 exploitation on Exchange Servers.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
status: experimental
author: Security Arsenal Research
date: 2026/05/06
tags:
    - attack.initial_access
    - attack.execution
    - cve.2023.21529
logsource:
    product: windows
    service: security
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_exchange:
        ProcessName|endswith: '\w3wp.exe'
    selection_suspicious:
        ScriptBlockText|contains:
            - 'System.Management.Automation.Serialization'
            - 'TypeConfidenceDelegate'
            - 'ExtendedTypeSystem'
    condition: all of selection_*
falsepositives:
    - Rare legitimate Exchange management scripts
level: critical
---
title: Ransomware Lateral Movement via PsExec
description: Detects the use of PsExec for lateral movement, a common TTP for THEGENTLEMEN affiliates after gaining initial access.
status: experimental
author: Security Arsenal Research
date: 2026/05/06
tags:
    - attack.lateral_movement
    - attack.execution
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
    selection_cli:
        CommandLine|contains:
            - '-accepteula'
            - '\\'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for SmarterMail exploitation signs and subsequent lateral movement
// Join IIS logs with Process creation events to see webshells spawning processes
let IIS_Suspicious = IMWebEvent
| where UriPath has_any ("Services/Mail.asmx", "Grid.ashx", "AjaxPro/") 
| where HttpMethod == "POST"
| project TimeGenerated, SourceIP, UserAgent, UriPath, SiteName;
let Process_Spawn = SecurityEvent 
| where EventID == 4688 
| where NewProcessName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe") 
| where ParentProcessName has_any ("w3wp.exe", "svchost.exe")
| project TimeGenerated, Computer, Account, NewProcessName, ParentProcessName;
IIS_Suspicious 
| join kind=inner (Process_Spawn) on TimeGenerated 
| extend TimeDiff = Process_Spawn_TimeGenerated - TimeGenerated 
| where TimeDiff between (0s..1m) 
| project TimeGenerated, SourceIP, Computer, Account, UriPath, NewProcessName

PowerShell Response Script

PowerShell

<#
.SYNOPSIS
    Rapid Response Hardening & Hunt for THEGENTLEMEN Indicators
.DESCRIPTION
    Checks for scheduled task persistence (common for this gang) and 
    identifies deletion of Volume Shadow Copies which precedes encryption.
#>

Write-Host "[+] Checking for suspicious Scheduled Tasks created in last 7 days..." -ForegroundColor Cyan
$DateCutoff = (Get-Date).AddDays(-7)
$SuspiciousTasks = Get-ScheduledTask | Where-Object { 
    $_.Date -ge $DateCutoff -and 
    $_.Author -notin ("Microsoft Corporation", "N/A", "System") -and 
    $_.TaskName -notmatch "Update" 
}

if ($SuspiciousTasks) {
    Write-Host "[!!!] WARNING: Suspicious tasks found:" -ForegroundColor Red
    $SuspiciousTasks | Select-Object TaskName, Author, Date, Actions | Format-List
} else {
    Write-Host "[-] No obvious suspicious tasks found." -ForegroundColor Green
}

Write-Host "[+] Checking for Shadow Copy Manipulation (Vssadmin) in Security Logs..." -ForegroundColor Cyan
try {
    $VssEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=$DateCutoff} -ErrorAction Stop |
    Where-Object { $_.Message -match 'vssadmin.exe' -and $_.Message -match 'delete' -and $_.Message -match 'shadows' }
    
    if ($VssEvents) {
        Write-Host "[!!!] CRITICAL: Vssadmin deletion commands detected. Encryption likely imminent." -ForegroundColor Red
        $VssEvents | Select-Object TimeCreated, Id, Message | Format-List
    } else {
        Write-Host "[-] No Vssadmin deletion events found." -ForegroundColor Green
    }
} catch {
    Write-Host "[-] Error reading event logs (check permissions)." -ForegroundColor Yellow
}

Incident Response Priorities

T-Minus Detection Checklist:

Exchange & Mail Server Logs: Immediately review w3wp.exe process trees and IIS logs for the week prior. Look for POST requests to anomalous URLs (related to CVE-2025-52691).
Cisco FMC Logs: Audit administrative logins and configuration changes for unauthorized access attempts matching CVE-2026-20131 patterns.
Network Traffic: Hunt for large outbound data transfers (exfiltration) occurring outside business hours, specifically to non-whitelisted cloud storage IPs.

Critical Assets for Exfiltration: THEGENTLEMEN historically prioritizes Active Directory databases (NTDS.dit), HR/Payroll files, Customer PII, and Intellectual Property (CAD/Design files for Manufacturing victims).

Containment Actions (Order of Urgency):

Isolate: Immediately disconnect any Exchange, SmarterMail, or Cisco FMC devices from the network if they are not patched against the CVEs listed above.
Disable Accounts: Suspend service accounts associated with the identified mail servers or firewall management consoles.
Block IP: Implement firewall rules to block ingress from high-risk geographic locations (MX, IT, TW) not required for business operations.

Hardening Recommendations

Immediate (24h):

Patch: Apply patches for CVE-2023-21529 (Exchange), CVE-2026-20131 (Cisco FMC), and CVE-2025-52691 / CVE-2026-23760 (SmarterMail) immediately. These are being actively exploited in the wild.
Compromise Assessment: Run credential auditing for any accounts that had administrative access to the affected mail or firewall appliances in the last 30 days.

Short-term (2 weeks):

Network Segmentation: Move Email servers and Firewall Management interfaces into dedicated management VLANs, strictly accessible only via Jump Hosts with MFA.
WAF Configuration: Deploy or tighten Web Application Firewall rules to block deserialization attacks and anomalous file upload patterns on public-facing web endpoints.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub