
Cyber Threat Intelligence Report | 5/4/2026 | PacketWatch

Written by PacketWatch Team Sixty43 | May 4, 2026

 

This week, we briefed our clients on the second-most-active Ransomware-as-a-Service organization, The Gentlemen, and describe their observed TTPs.


 KEY TAKEAWAYS 

  • New RaaS group The Gentlemen has rapidly become one of the most prolific ransomware groups of 2026. Learn their TTPs so you can defend your organization.

  • Critical and high-severity vulnerabilities in cPanel, Progress MOVEit, Linux, and GitHub, plus new CISA KEV additions. Patch now!



 

The Gentlemen RaaS

New research released by Check Point details the operations of a rapidly growing Ransomware-as-a-Service (RaaS) operation known as The Gentlemen. The group first surfaced in mid-2025 and has since claimed over 320 victims on its darkweb leak site, which ranks it as the second most active group of 2026. RaaS groups typically attract affiliates with an 80/20 revenue split, but The Gentlemen offer a 90/10 split, which helps explain the rapid rise and proliferation of their attacks.

During a recent incident response engagement, Check Point researchers gained access to a live command-and-control (C2) server operated by one of The Gentlemen's affiliates, which showed over 1,570 compromised corporate victims. Because ransomware leak sites tend to list only victims who refused to pay the ransom, this proverbial peek behind the curtain shows the true extent of the current campaign. The majority of the victims reside in the United States, with manufacturing, technology, and healthcare as the top 3 targeted industry verticals.

This article reviews the notable tactics, techniques, and procedures (TTPs) of The Gentlemen as documented in Check Point's reporting.

 

Initial Access

The Gentlemen target exposed and vulnerable internet-facing devices, such as VPNs, remote access gateways, and firewall management portals. This shows that victims of The Gentlemen tend to be targets of opportunity.

 

Command and Control & Persistence

A variety of notable tools were used at this stage of the attack chain. Early in the engagement, the threat actor deployed Cobalt Strike payloads to facilitate command execution on infected hosts. The threat actor then attempted to deploy SystemBC, a malicious tool that can execute commands and download additional malicious tools. A key feature of SystemBC is its use of SOCKS5 proxies, which help the threat actor hide malicious C2 traffic. If execution of SystemBC was blocked, The Gentlemen rotated to non-malicious remote access tools such as AnyDesk. These benign remote access tools are often repurposed by threat actors to maintain stealthy access to target systems.

 

Defense Evasion & Propagation

The Gentlemen used PowerShell commands to attempt to disable Windows Defender real-time monitoring and add the ransomware executable and the entire C:\ drive to Defender's exclusion list. They used WMI to perform environment checks to search for other antivirus tools. They were also observed using cmd.exe to modify registry keys and local firewall rules to enable Remote Desktop to facilitate lateral movement.

 

Credential Access & Discovery

Check Point noted the use of Mimikatz for credential harvesting. One compromised endpoint held Mimikatz output that included domain accounts and credentials stored in Credential Manager. The threat actor also ran a series of commands via cmd.exe to query the target environment:

  • cmd.exe /C query session
  • cmd.exe /C nltest /domain_trusts
  • cmd.exe /C nltest /dclist
  • cmd.exe /C net group "Domain Admins" /domain
  • cmd.exe /C net group "Enterprise Admins" /domain
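Both the Defender tampering described under Defense Evasion and the discovery commands listed above show up in process-creation telemetry, so they can be caught with the same kind of detection logic. The following is an added example, not code from PacketWatch or Check Point: it parses a few constructed process-creation events in a simplified `timestamp|host|user|command line` form (the hostnames, users and timestamps are placeholders), flags Defender real-time-monitoring changes and exclusion additions (rating a whole-drive exclusion higher than a single path), and flags a host where several distinct Active Directory discovery commands run inside a short window. The pattern names and thresholds are assumptions to tune against your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry), one per line:
# timestamp|host|user|command line. Hostnames and users are placeholders.
SAMPLE_EVENTS = """\
2026-04-29T10:01:05|WS-0142|CORP\\jdoe|powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true
2026-04-29T10:01:09|WS-0142|CORP\\jdoe|powershell.exe -c Add-MpPreference -ExclusionPath C:\\
2026-04-29T10:02:30|WS-0142|CORP\\jdoe|cmd.exe /C query session
2026-04-29T10:02:41|WS-0142|CORP\\jdoe|cmd.exe /C nltest /domain_trusts
2026-04-29T10:02:55|WS-0142|CORP\\jdoe|cmd.exe /C nltest /dclist
2026-04-29T10:03:10|WS-0142|CORP\\jdoe|cmd.exe /C net group "Domain Admins" /domain
2026-04-29T11:40:00|SRV-DB01|CORP\\svc_backup|powershell.exe -c Add-MpPreference -ExclusionPath C:\\Backups\\staging
2026-04-29T14:15:00|WS-0077|CORP\\asmith|cmd.exe /C nltest /dclist
"""

# Defender tampering patterns (the cmdlets are real; the detection names are ours)
DISABLE_RTM = re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)
ADD_EXCLUSION = re.compile(r"Add-MpPreference\b.*-ExclusionPath\s+(\S+)", re.I)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")  # e.g. C:\ -> the whole drive is excluded

# AD discovery patterns matching the commands quoted in the report
DISCOVERY_PATTERNS = {
    "session_enum": re.compile(r"\bquery\s+session\b", re.I),
    "domain_trusts": re.compile(r"\bnltest\b.*/domain_trusts", re.I),
    "dc_list": re.compile(r"\bnltest\b.*/dclist", re.I),
    "admin_group_enum": re.compile(r'\bnet\s+group\s+"(Domain|Enterprise) Admins"\s+/domain', re.I),
}


def parse_events(text):
    """Turn the pipe-delimited sample lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmdline = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmdline": cmdline})
    return events


def detect_defender_tampering(events):
    """One finding per event that disables real-time monitoring or adds an exclusion."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        if DISABLE_RTM.search(cmd):
            findings.append({"host": ev["host"], "ts": ev["ts"], "severity": "high",
                             "reason": "Defender real-time monitoring disabled"})
        match = ADD_EXCLUSION.search(cmd)
        if match:
            path = match.group(1).strip("\"'")
            severity = "high" if DRIVE_ROOT.match(path) else "medium"
            findings.append({"host": ev["host"], "ts": ev["ts"], "severity": severity,
                             "reason": f"Defender exclusion added: {path}"})
    return findings


def detect_discovery_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Flag a host where >= threshold distinct discovery techniques run within one window."""
    per_host = defaultdict(list)
    for ev in events:
        for name, pattern in DISCOVERY_PATTERNS.items():
            if pattern.search(ev["cmdline"]):
                per_host[ev["host"]].append((ev["ts"], name))
    findings = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {name for ts, name in hits[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                findings.append({"host": host, "start": start, "techniques": sorted(in_window)})
                break  # one finding per host is enough for triage
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for finding in detect_defender_tampering(evs) + detect_discovery_bursts(evs):
        print(finding)
```

In production the same logic would run over Sysmon Event ID 1 or Windows 4688 command lines (with command-line auditing enabled) rather than the constructed lines here; a single `nltest /dclist` from an administrator is routine, which is why the discovery rule fires on the combination within a window rather than on any one command.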

 

Impact

The ransomware executable was deployed across the environment via Group Policy. The deployment was configured so that the ransomware binary was executed on domain-joined systems during policy refresh. This effectively enabled simultaneous encryption across the environment.

 

How to Protect Your Organization

The TTPs of The Gentlemen align with those of the majority of modern ransomware groups; no technique the group leverages is truly unique to them. General cybersecurity hygiene and best practices will go a long way toward thwarting these types of attacks:

  • External-facing infrastructure such as VPNs, firewalls, and remote access gateways should be fully patched, properly configured, and leverage multi-factor authentication (MFA).
  • MFA and privileged access controls should be leveraged as much as possible throughout the environment.
  • Maintain network segmentation.
  • Use network monitoring tools such as PacketWatch to detect suspicious C2 traffic (SOCKS, unauthorized RMM tools) and lateral movement (anomalous RDP).
  • Ensure fully up-to-date EDR is deployed to every possible endpoint.
  • Maintain and regularly test isolated backups.
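The "anomalous RDP" bullet above can be made concrete with a baseline-and-fan-out check over flow records. The following is an added example, not PacketWatch product logic: it learns which hosts each source normally reaches over TCP 3389 from a constructed learning period, then flags any source that opens RDP to three or more never-before-seen hosts inside a 15-minute window, the shape lateral movement from a single foothold tends to take. The IP addresses, timestamps, window and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389

# Constructed flow records (not real network data): "timestamp,src_ip,dst_ip,dst_port".
# BASELINE_FLOWS stands in for a learning period; NEW_FLOWS is the period under review.
BASELINE_FLOWS = """\
2026-04-20T09:00:00,10.0.5.10,10.0.20.15,3389
2026-04-20T09:30:00,10.0.5.10,10.0.20.16,3389
2026-04-21T10:00:00,10.0.5.10,10.0.20.15,3389
2026-04-22T11:00:00,10.0.7.22,10.0.20.40,3389
"""

NEW_FLOWS = """\
2026-04-29T02:10:00,10.0.9.142,10.0.20.15,3389
2026-04-29T02:11:30,10.0.9.142,10.0.20.16,3389
2026-04-29T02:12:05,10.0.9.142,10.0.20.17,3389
2026-04-29T02:12:50,10.0.9.142,10.0.20.18,3389
2026-04-29T02:13:20,10.0.9.142,10.0.20.19,443
2026-04-29T09:05:00,10.0.5.10,10.0.20.15,3389
2026-04-29T09:06:00,10.0.5.10,10.0.20.16,3389
2026-04-29T09:07:00,10.0.5.10,10.0.20.17,3389
"""


def parse_flows(text):
    """Parse the CSV-style sample into (datetime, src, dst, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def build_rdp_baseline(flows):
    """Map each source to the set of hosts it reached over RDP during the learning period."""
    baseline = defaultdict(set)
    for _, src, dst, port in flows:
        if port == RDP_PORT:
            baseline[src].add(dst)
    return baseline


def detect_rdp_fanout(flows, baseline, window=timedelta(minutes=15), threshold=3):
    """Flag sources that open RDP to >= threshold never-before-seen hosts inside one window."""
    rdp_by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        # Only RDP, and only destinations this source has not used before
        if port == RDP_PORT and dst not in baseline.get(src, set()):
            rdp_by_src[src].append((ts, dst))
    findings = []
    for src, hits in rdp_by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            new_hosts = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(new_hosts) >= threshold:
                findings.append({"src": src, "window_start": start,
                                 "new_rdp_targets": sorted(new_hosts)})
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    baseline = build_rdp_baseline(parse_flows(BASELINE_FLOWS))
    for finding in detect_rdp_fanout(parse_flows(NEW_FLOWS), baseline):
        print(finding)
```

The known administrative source (10.0.5.10) reaches one new host and stays below the threshold, while the workstation with no RDP history fans out to four hosts in three minutes and is flagged; the baseline is what keeps routine help-desk activity from drowning the alert.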

 


Vulnerability Roundup

 

Critical Authentication Bypass in cPanel and WHM

On April 28, cPanel released a fix for a critical authentication bypass vulnerability in cPanel, WHM, and WP Squared. cPanel is a web-based control panel that allows administrators to manage web hosting accounts and servers. Recent Shodan scans show over 1.5 million cPanel instances exposed online. The vulnerability, tracked as CVE-2026-41940, may have been exploited since at least February 23, 2026. Proof-of-concept code is now in the wild, allowing any threat actor to quickly develop exploits. The following list shows vulnerable releases and their corresponding fixed versions:

  • cPanel/WHM 11.110.0 fixed in 11.110.0.97
  • cPanel/WHM 11.118.0 fixed in 11.118.0.63
  • cPanel/WHM 11.126.0 fixed in 11.126.0.54
  • cPanel/WHM 11.132.0 fixed in 11.132.0.29
  • cPanel/WHM 11.134.0 fixed in 11.134.0.20
  • cPanel/WHM 11.136.0 fixed in 11.136.0.5
  • WP Squared 11.136.1 fixed in 11.136.1.7

Administrators are urged to patch as soon as possible. cPanel also strongly recommends restarting the 'cpsrvd' service after installing the latest release. If patching is not possible, it is recommended to block external access to ports 2083, 2087, 2095, and 2096, or stop the 'cpsrvd' and 'cpdavd' cPanel internal core services. The cPanel advisory also contains a detection script that can assist in looking for indicators of compromise.

 

Critical Authentication Bypass in Progress MOVEit

Progress recently disclosed a critical authentication bypass vulnerability as well as a privilege escalation vulnerability in their MOVEit Automation platform. Tracked as CVE-2026-4670 and CVE-2026-5174, respectively, successful exploitation can lead to "unauthorized access, administrative control, and data exposure." Per the advisory, the vulnerabilities affect the following versions:

  • MOVEit Automation <= 2025.1.4
  • MOVEit Automation <= 2025.0.8
  • MOVEit Automation <= 2024.1.7

Administrators are urged to patch as soon as possible, as MOVEit vulnerabilities have been targeted in the past by ransomware groups.

 

'Copy Fail' Privilege Escalation Flaw in Linux

A new local privilege escalation vulnerability has been discovered in Linux. Tracked as CVE-2026-31431, codenamed "Copy Fail", this vulnerability is present in effectively all Linux distributions since 2017, including major distributions such as Amazon Linux, RHEL, SUSE, and Ubuntu. Successful exploitation allows any unprivileged local user to gain root privileges. A simple 732-byte Python script, which is publicly available on GitHub, is all that is required for exploitation. Administrators are urged to update all Linux instances as soon as possible. 



GitHub Critical RCE Flaw

Security researchers at Wiz recently disclosed a high-severity remote code execution vulnerability in GitHub Enterprise Server. According to the security advisory, the vulnerability, tracked as CVE-2026-2854, allows an attacker with 'push' access to a repository to achieve remote code execution on the instance. The vulnerability affects github.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server. The following fixed versions of GitHub Enterprise Server were released to address the vulnerability: 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0, or later. According to GitHub's blog, there is no evidence that this vulnerability was exploited prior to disclosure. However, administrators are urged to patch as soon as possible.
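The cPanel, MOVEit Automation and GitHub Enterprise Server advisories above all express exposure as a list of per-branch versions, and the recurring mistake in patch triage is comparing an installed version against the wrong branch. The following is an added example, not vendor code: it encodes the version lists exactly as quoted in this report, treats every component except the last as the release branch, and answers "vulnerable", "patched" or "unknown" for an installed version. It assumes dot-separated numeric version strings; the "or later" handling for GitHub Enterprise Server follows the wording of that advisory and is not applied to the others, whose newer branches are not listed here.

```python
# Advisory data taken from the version lists quoted in this report.
# "fixed_in": first safe build per branch; "affected_up_to": last affected build per branch.
ADVISORIES = [
    {"cve": "CVE-2026-41940", "product": "cPanel/WHM",
     "fixed_in": ["11.110.0.97", "11.118.0.63", "11.126.0.54",
                  "11.132.0.29", "11.134.0.20", "11.136.0.5"]},
    {"cve": "CVE-2026-41940", "product": "WP Squared",
     "fixed_in": ["11.136.1.7"]},
    {"cve": "CVE-2026-4670, CVE-2026-5174", "product": "MOVEit Automation",
     "affected_up_to": ["2025.1.4", "2025.0.8", "2024.1.7"]},
    {"cve": "CVE-2026-2854", "product": "GitHub Enterprise Server",
     "fixed_in": ["3.14.25", "3.15.20", "3.16.16", "3.17.13", "3.18.8", "3.19.4", "3.20.0"],
     "or_later": True},  # advisory wording: "3.20.0, or later"
]


def parse_version(text):
    """'11.126.0.54' -> (11, 126, 0, 54); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def assess_version(product, installed):
    """Return 'vulnerable', 'patched' or 'unknown' for an installed version of product."""
    inst = parse_version(installed)
    for rule in ADVISORIES:
        if rule["product"] != product:
            continue
        listed = [parse_version(v) for v in rule.get("fixed_in", rule.get("affected_up_to", []))]
        for ref in listed:
            branch = ref[:-1]  # assumption: everything but the last component is the branch
            if inst[:len(branch)] != branch:
                continue
            if "fixed_in" in rule:
                return "vulnerable" if inst < ref else "patched"
            return "vulnerable" if inst <= ref else "patched"
        # Branch not listed: only trust "or later" where the advisory says so
        if rule.get("or_later") and inst > max(listed):
            return "patched"
        return "unknown"
    return "unknown"


def assess_inventory(inventory):
    """Assess a list of (product, installed_version) pairs; returns a list of (product, version, verdict)."""
    return [(product, version, assess_version(product, version)) for product, version in inventory]


# Constructed inventory (placeholder versions, not a real fleet)
SAMPLE_INVENTORY = [
    ("cPanel/WHM", "11.126.0.50"),
    ("cPanel/WHM", "11.126.0.54"),
    ("WP Squared", "11.136.1.7"),
    ("MOVEit Automation", "2025.1.4"),
    ("MOVEit Automation", "2025.1.5"),
    ("GitHub Enterprise Server", "3.16.15"),
    ("GitHub Enterprise Server", "3.21.2"),
    ("cPanel/WHM", "11.120.0.5"),
]

if __name__ == "__main__":
    for product, version, verdict in assess_inventory(SAMPLE_INVENTORY):
        print(f"{product:26} {version:12} {verdict}")
```

An "unknown" verdict is deliberate rather than a failure: a branch absent from the advisory (such as a cPanel 11.120 build, which this report does not list) should be checked against the vendor's text, not silently assumed safe.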

 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:

  • CVE-2026-31431 - Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability
  • CVE-2026-41940 - WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
  • CVE-2026-32202 - Microsoft Windows Protection Mechanism Failure Vulnerability
  • CVE-2024-1708 - ConnectWise ScreenConnect Path Traversal Vulnerability
  • CVE-2024-57726 - SimpleHelp Missing Authorization Vulnerability
  • CVE-2024-57728 - SimpleHelp Path Traversal Vulnerability
  • CVE-2024-7399 - Samsung MagicINFO 9 Server Path Traversal Vulnerability
  • CVE-2025-29635 - D-Link DIR-823X Command Injection Vulnerability
  • CVE-2026-39987 - Marimo Remote Code Execution Vulnerability
  • CVE-2026-33825 - Microsoft Defender Insufficient Granularity of Access Control Vulnerability
  • CVE-2024-27199 - JetBrains TeamCity Relative Path Traversal Vulnerability
  • CVE-2025-32975 - Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
  • CVE-2026-20128 - Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
  • CVE-2025-48700 - Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
  • CVE-2023-27351 - PaperCut NG/MF Improper Authentication Vulnerability
  • CVE-2025-2749 - Kentico Xperience Path Traversal Vulnerability
  • CVE-2026-20133 - Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability
  • CVE-2026-20122 - Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability

 

 

 

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

Visit our Cyber Threat Profile Blog for detailed intelligence profiles.

 


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.