The Gentlemen: A New Affiliate's Playbook
• Access: SonicWall SSL VPN spray, one password, one match out of 115,000+ usernames
• Privesc: AD CS ESC1, UnPAC the hash, DCSync
• Backups: disabled Defender, decrypted the Veeam config DB for stored creds
• Exfil: rclone over SFTP
• Deploy: pushed to every host via Group Policy
• Tradecraft: pasted Russian language AI assistant output into the console as they worked
• Outcome: only hosts without Defender Tamper Protection encrypted, so the domain was not fully impacted
breachcache.com/cases/the-gent…
A little thread exposing screenshots + comms from the Gentlemen Leaks. These provide super interesting insight into the inside operations of successful RaaS groups.
Everything from aspects of the operators' personal lives, their TTPs, and victims. All images shared are from the Rocket.Chat leak.
We even discovered in March they attempted to send flowers to a UK-based victim....
On 28th Feb, they recognise they're "top 2" on ransomware.live + Devman has gone ;)🚓
Translation of zeta88's first message:
"In short, Devman was either taken in, for health reasons, or because of a rebranding—it all disappeared.
And we're top 2 on RansomLive based on statistics, but not based on profit, I think."
We can see a @GangExposed tweet shared by The Gentlemen, alongside the ransomware.live stats
The threat actor's IP 77.90.185[.]9 was found hosting a well-known VPN brute-forcing tool called "VPN Brute", with a login portal on port 7000.
17 VPN Brute instances were found on Censys with this search:
web.endpoints.http.body_hash_sha256 = "a045f3267dd84d315eb3ffaf4827860b70665269aaeeff86cb1e381c2b7f55c4"
A recent SonicWall SSL VPN brute-forcing campaign has been observed.
A total of 24,624 POST attempts to /api/sonicos/auth on port 4433 over 10 hours. Every attempt originated from this one source IP 77.90.185[.]9.
All 24,624 attempts used the single password Spring2026!. The usernames consisted of exactly 1000 common US surnames appended with a first initial. Username format was .
Sample firewall log entry from the campaign:
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:11 UTC" fw=x.x.x.x pri=4 c=32 m=745 msg="User login denied - LDAP authentication failure (User: tmiller)" src=77.90.185[.]9 dst=x.x.x.x:4433
IOC:
- 77.90.185[.]9
When a brute force hit lands the SonicWall returns success=true with a bearer-token JWT scoped as API_AUTH_SSLVPN and the firewall logs an m=602 event. The response also exposes the SonicWall model in use.
Firewall success log:
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:11 UTC" fw=x.x.x.x pri=6 c=32 m=602 msg="WAN zone remote user login allowed" usr="tmiller" src=77.90.185[.]9 dst=x.x.x.x:4433
The token gives the threat actor SSL VPN access to the network which can be further established with tools like NetExtender.
Successful result:
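As an added example (not code from the thread or from any of the posters), here is the detection logic a defender would run over SonicWall syslog of the kind quoted above: parse the key=value lines, group m=745 LDAP failures by source, treat a source whose failures span many distinct usernames as a spray (the one-password, many-usernames pattern behind both the Gentlemen playbook's initial access and this campaign), and raise an alert for any m=602 success from a spraying source. The sample log lines are constructed to match the format shown; the event ids and the source IP come from the thread, the usernames and the second source address are made up.

```python
import re
from collections import defaultdict

# Constructed SonicWall syslog sample (added example; not from the original
# post). Event ids follow the thread: m=745 = LDAP auth failure,
# m=602 = WAN zone remote user login allowed. The first source sprays one
# password across many usernames and finally lands one; the second source
# is a normal user who mistyped once and then logged in.
SAMPLE_LOGS = """\
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:01 UTC" fw=x.x.x.x pri=4 c=32 m=745 msg="User login denied - LDAP authentication failure (User: jsmith)" src=77.90.185[.]9 dst=x.x.x.x:4433
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:03 UTC" fw=x.x.x.x pri=4 c=32 m=745 msg="User login denied - LDAP authentication failure (User: mjohnson)" src=77.90.185[.]9 dst=x.x.x.x:4433
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:05 UTC" fw=x.x.x.x pri=4 c=32 m=745 msg="User login denied - LDAP authentication failure (User: rwilliams)" src=77.90.185[.]9 dst=x.x.x.x:4433
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:07 UTC" fw=x.x.x.x pri=4 c=32 m=745 msg="User login denied - LDAP authentication failure (User: kbrown)" src=77.90.185[.]9 dst=x.x.x.x:4433
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:09 UTC" fw=x.x.x.x pri=4 c=32 m=745 msg="User login denied - LDAP authentication failure (User: ljones)" src=77.90.185[.]9 dst=x.x.x.x:4433
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:11 UTC" fw=x.x.x.x pri=6 c=32 m=602 msg="WAN zone remote user login allowed" usr="tmiller" src=77.90.185[.]9 dst=x.x.x.x:4433
id=firewall sn=XXXXXXXXX time="2026-05-13 05:10:00 UTC" fw=x.x.x.x pri=4 c=32 m=745 msg="User login denied - LDAP authentication failure (User: agarcia)" src=203.0.113.5 dst=x.x.x.x:4433
id=firewall sn=XXXXXXXXX time="2026-05-13 05:10:30 UTC" fw=x.x.x.x pri=6 c=32 m=602 msg="WAN zone remote user login allowed" usr="agarcia" src=203.0.113.5 dst=x.x.x.x:4433
"""

# key=value tokens; a value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
DENIED_USER_RE = re.compile(r"\(User: ([^)]+)\)")

LDAP_AUTH_FAILURE = "745"
REMOTE_LOGIN_ALLOWED = "602"


def refang(ip):
    """Undo the [.] defanging used when IoCs are shared publicly."""
    return ip.replace("[.]", ".")


def parse_line(line):
    """Turn one SonicWall syslog line into a dict of its key=value fields.

    Adds a normalised 'user' key: taken from usr="..." on success events and
    from the '(User: name)' suffix of the msg on LDAP failure events.
    """
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    if "src" in fields:
        fields["src"] = refang(fields["src"])
    user = fields.get("usr")
    if user is None and "msg" in fields:
        m = DENIED_USER_RE.search(fields["msg"])
        user = m.group(1) if m else None
    fields["user"] = user
    return fields


def detect_password_spray(lines, min_distinct_users=5):
    """Return (sprayers, landed) from an iterable of log lines.

    sprayers: {src_ip: set_of_usernames} for sources whose m=745 failures
              span at least min_distinct_users distinct accounts. Many users
              from one source, rather than many tries on one user, is the
              signature of a spray (one password, many usernames).
    landed:   [(src_ip, username)] for every m=602 success that came from a
              spraying source, i.e. the hit a defender must act on first.
    """
    failures = defaultdict(set)
    successes = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("m") == LDAP_AUTH_FAILURE and ev["user"]:
            failures[ev["src"]].add(ev["user"])
        elif ev.get("m") == REMOTE_LOGIN_ALLOWED and ev["user"]:
            successes.append((ev["src"], ev["user"]))
    sprayers = {src: users for src, users in failures.items()
                if len(users) >= min_distinct_users}
    landed = [(src, user) for src, user in successes if src in sprayers]
    return sprayers, landed


if __name__ == "__main__":
    sprayers, landed = detect_password_spray(SAMPLE_LOGS.splitlines())
    for src, users in sprayers.items():
        print(f"spray from {src}: {len(users)} distinct usernames")
    for src, user in landed:
        print(f"ALERT: spraying source {src} logged in as {user}")
```

The threshold of five distinct usernames is set low so the constructed sample trips it; against real SonicWall logs it would be tuned per environment and applied over a sliding time window, and the alert on a landed success from a spraying source is the event that should trigger token revocation and a password reset for that account before the VPN session is used with a client such as NetExtender.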
Over a 7-month period, a Qilin affiliate exposed 5 C2 servers -> OPSEC L
-> Sliver C2 / SOCKS running on WatchGuard devices
-> Initial access primarily via WG/Fortinet exploitation
-> 3 real victims found via Qilin blog
-> 🇺🇸 & 🇩🇪 targeting
-> 7+ CVEs used
Link to blog below👇
When a Qilin affiliate makes many big #oopsies over 7 months... not knowing they are silently being tracked by us🤩
Ctrl-Alt-Intel blog coming later this week🤪
A lot of cyber folks utilize Udemy for self-learning. Following the ShinyHunters breach it's worth checking Have I Been Pwned to see if your data was leaked.
New breach: Udemy had 1.4M email addresses leaked yesterday following an extortion attempt by ShinyHunters. Data included name, address, phone, employer info and instructor payout method. 56% were already in @haveibeenpwned. Read more: haveibeenpwned.com/Breach/Udemy