IOC Radar
SHA1 · Medium · Signal 88/100

c12c4d58541cc4f75ae19b65295a52c559570054

Location: Thailand
First Seen: Sep 10, 2025 (294d ago)
Last Seen: May 26, 2026 (36d ago)
Reports: 8 source reports
Confidence: 88% (medium)
Found in 8 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-1 Hash
SHA-1 file hash associated with malicious samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA1
Confidence: 88%
Signal Score: 88 / 100
IDS Rule: No
Threat Context (Tags · MITRE ATT&CK)

MITRE ATT&CK TTPs: 232 techniques

Feed Intelligence Summary

8 source reports · 88% confidence score
Category tags
abuse, access attempts, ack scan, active scan, active scanning, adaptive malware, ai-driven phishing attack, anti-av evasion, application layer protocol, asia, authentication, authentication abuse, authentication attack, authentication attempts, authentication failure, automated attack, automotive manufacturing, bad reputation, brute force, brute force attack, brute force attempt, brute_force, building construction, child protection, child safety, cloud infrastructure, code execution, command and control, command execution, communication protocol, compromised host, compromised system, construction materials, construction safety, construction technology, credential access, credential brute force, credential brute forcing, credential harvesting, credential stuffing, credential_access, custom tools, data encryption, data exfiltration, data store exposure, data theft, ddos, death, defense evasion, denial of service, dns, dns attack, driver abuse, eggstreme malware, electronic health records, electronics manufacturing, encryption, enterprise targeting, enumeration, executable file, exfiltration, exploit attempt, exploitation, exploitation activity, exploitation attempts, extortion, file-hash, fin scan, firewall alert, ftp, ftp brute force, group policy manipulation, health care and social assistance, health information technology, healthcare information systems, hospital management, http brute force, http scanner, https, identity & access exploitation, imap brute force, indicator, industrial automation, industrial iot, industrial production, initial access, injection activity, insurance carriers and related activities, intrusion detection, ioc, iot security, killav, lateral movement, login attack, login attempt, login attempts, malicious ip blocking, malicious login attempts, malicious software, malware, malware communication, manufacturing technology, media coverage, medical services, microsoft 365, multiple protocols, network activity, network attacks, network discovery, network enumeration, network intrusion, network intrusion attempt, network intrusion attempts, network intrusion detection, network layer protocol, network probe, network probing, network protocol, network reconnaissance, network scanning, network security, network service scanning, network traffic, network_reconnaissance, new zealand, north america, null scan, oceania, password attack, password attacks, password spraying, passwordattack, patient care, phishing, phishing attack, pop3 brute force, possible ddos preparation, possible distributed attack, possible malicious activity, possible reconnaissance, possible reconnaissance activity, potential breach, potential exploit targeting, potential intrusion, privilege escalation, process injection, process manufacturing, protocol exploitation, protocol scanning, quality control, ransomware, reconnaissance, reconnaissance activity, remote access, remote access attempts, remote services, researched, resource development, rlogin, scanner, security operations, service enumeration, service exploitation attempt, service scan, service_enumeration, shai-hulud campaign, smb brute force, smb scanning, smtp, smtp brute force, social engineering, social media exploitation, social services, software exploitation, ssh attack, storm-2246, supply chain attack, supply chain management, suspected intrusion attempt, syn, syn scan, system access, system discovery, system disruption, t1003, t1005, t1014, t1016, t1016.001, t1016.002, t1018, t1021, t1021.001, t1021.002, t1021.003, t1021.004, t1021.006, t1027, t1027.001, t1027.002, t1027.007, t1036, t1036.003, t1036.005, t1036.007, t1037, t1039, t1040, t1046, t1047, t1048, t1048.001, t1053, t1053.005, t1055, t1055.001, t1055.002, t1055.004, t1056, t1056.001, t1056.004, t1059, t1059.001, t1059.003, t1059.004, t1068, t1069.002, t1070.001, t1070.004, t1071, t1071.001, t1071.004, t1071.005, t1072, t1074, t1074.001, t1074.002, t1076, t1077, t1078, t1078.002, t1078.003, t1081, t1082, t1083, t1087, t1087.001, t1087.002, t1090, t1090.001, t1090.002, t1095, t1098, t1098.001, t1098.002, t1098.003, t1105, t1106, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1112, t1113, t1114, t1114.001, t1119, t1120, t1124, t1127, t1127.001, t1129, t1133, t1134, t1134.001, t1134.002, t1134.004, t1135, t1136, t1140, t1185, t1189, t1190, t1195.002, t1197, t1199, t1202, t1203, t1204, t1204.002, t1205, t1205.001, t1205.002, t1210, t1211, t1212, t1213, t1213.001, t1213.002, t1213.003, t1218, t1218.001, t1218.002, t1218.004, t1218.005, t1218.007, t1219, t1221, t1482, t1484.001, t1486, t1489, t1490, t1499.001, t1499.002, t1499.003, t1555, t1555.003, t1562, t1562.001, t1562.002, t1562.004, t1563, t1564, t1564.001, t1564.004, t1565, t1566, t1566.001, t1566.002, t1566.003, t1567, t1567.002, t1569, t1569.002, t1573, t1573.001, t1573.002, t1574, t1574.001, t1574.002, t1574.007, t1574.008, t1583, t1583.001, t1583.002, t1583.003, t1583.004, t1583.005, t1583.006, t1583.007, t1584, t1584.001, t1584.002, t1584.003, t1584.004, t1585, t1585.001, t1585.002, t1585.003, t1586, t1586.001, t1586.002, t1587, t1587.001, t1587.002, t1588, t1588.001, t1588.002, t1588.003, t1589, t1589.002, t1590, t1590.001, t1590.002, t1590.003, t1591, t1591.001, t1591.002, t1592, t1592.001, t1592.002, t1592.003, t1593, t1594, t1595, t1595.001, t1595.002, t1595.003, t1596, t1596.001, t1596.002, t1597, t1597.001, t1597.002, t1598, t1598.001, t1598.002, t1598.003, t1599, t1600, t1601, t1602, t1608, t1608.001, t1608.002, t1608.003, t1608.004, t1609, t1610, t1611, t1612, t1613, t1614, t1615, tcp protocol, tcp scan, tcp scanning, telnet threat, tftp brute force, thailand, the gentlemen, the gentlemen group, the gentlemen ransomware, threat actor, threat intelligence, tor node, udp port scan, udp scan, unauthenticated access attempts, unauthorized access, unauthorized access attempt, unauthorized access attempts, unauthorized login attempts, unauthorized_access, unidentified malware, united states, unknown threat actor, valid accounts, victim of abuse, vnc protocol, web traffic, week3.pdf, xamzexpires300, xmas scan

Activity Timeline

1 total observation: May 26

Threat Activity Heatmap

Weekly activity grid, Jun to Jun (weekday rows Mon / Wed / Fri; scale Less to More) · Peak: 2026-05-26
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 88
Confidence: 88%
Reports: 8
First seen: Sep 10, 2025
Last seen: May 26, 2026

VirusTotal: Not checked

WHOIS: (none)

References
https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

Confidence: medium
First detected 9 months ago · Last seen 1 month ago
Appeared in 8 threat reports