IOC Radar
SHA256 · Medium confidence · Signal 87/100

51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2

Location
Peru
First Seen
Sep 17, 2025 (273d ago)
Last Seen
May 27, 2026 (20d ago)
12
Reports
source reports
87%
Confidence
medium
Found in 12 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
87%
Signal Score
87 / 100
IDS Rule
No
Threat Context
Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 66 techniques

Feed Intelligence Summary

Category tags

Activity Timeline

1 total observation (May 27)

Threat Activity Heatmap

[Heatmap omitted: daily activity grid by weekday, monthly columns Jun to Jun of the following year · Peak: 2026-05-27]

Activity by window:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 87
Confidence: 87%
Reports: 12
First seen: Sep 17, 2025
Last seen: May 27, 2026

VirusTotal

Not checked

Description
The Gentlemen ransomware-as-a-service (RaaS) operation is a relatively new group that emerged around mid-2025. Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting penetration testers and other technically skilled actors to join as affiliates.


IOC Journey

Confidence: medium
First detected 9 months ago · Last seen 20 days ago
Appeared in 12 threat reports