IOC Radar
TLP:WHITE · 3 IOCs

The Gentlemen ransomware: Dissecting a self-propagating Go encryptor

Microsoft Threat Intelligence
Published May 28, 2026

Threat Actors

Malware Families

Diamond Model

Adversary (1): Play
Infrastructure: unknown
Capability (2): Play, PsExec
Victim: unknown

Attack Flow: 6 steps · MITRE ATT&CK mapped

Step 1 of 6: Execution (TA0002 · T1059)
Technique: Command and Scripting Interpreter
Action: Control execution via command-line
The ransomware operator controls the encryptor via command-line arguments, including a password for execution and optional parameters for encryption scope, speed, and lateral movement.

Indicators of Compromise (3)

| Type | Indicator | Tags | Confidence | Score | First Seen |
|---|---|---|---|---|---|
| SHA256 | 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 | exploit, file-hash, intel-blog | Medium | 53 | Jun 2, 26 |
| SHA256 | fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68 | file-hash, intel-blog, malware | Medium | 53 | Jun 2, 26 |
| SHA256 | 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b | file-hash, intel-blog, malware | Medium | 53 | Jun 2, 26 |

IOC Relationship Graph (3 total IOCs): SHA256: 3 · Actors: 1 · Malware: 2