Full Report
The EtherRAT malware family was first reported by Sysdig back in December 2025. At that time, the initial access vector was exploitation of CVE-2025-55182 (React2Shell) targeting Linux servers. In March 2026, a Windows variant campaign was reported by Atos, with their investigation showing evidence of activity going back to the previous December. In April, we […] The post Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware appeared first on The DFIR Report.
Analysis Summary
# Incident Report: EtherRat and TukTuk C2 Leading to The Gentleman Ransomware
## Executive Summary
In April 2026, a sophisticated multi-stage intrusion occurred involving the deployment of EtherRAT, the AI-generated TukTuk malware framework, and GoTo Resolve RMM. The attack progressed from initial access via a spoofed Sysinternals tool to data exfiltration and the final deployment of The Gentleman Ransomware. The campaign is notable for its use of blockchain-based infrastructure (Ethereum and Arweave) and AI-generated command-and-control (C2) components.
## Incident Details
- **Discovery Date:** April 2026
- **Incident Date:** April 2026
- **Affected Organization:** Not disclosed
- **Sector:** Various (targets of spoofed administrative tools)
- **Geography:** Global/Unspecified
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026
- **Vector:** Phishing/Drive-by Download (GitHub Facade)
- **Details:** The threat actor used a malicious MSI installer (`RAMMap.msi`) masquerading as a Microsoft Sysinternals tool.
### Lateral Movement
- **Details:** Following initial infection, the attackers utilized the legitimate Remote Monitoring and Management (RMM) tool **GoTo Resolve** (`smokymo.msi`) to maintain persistent access and move laterally across the compromised environment.
### Data Exfiltration/Impact
- **Details:** Attackers utilized their RMM access to exfiltrate sensitive data. The intrusion culminated in the deployment of **The Gentleman Ransomware**, resulting in organizational data encryption.
### Detection & Response
- **How it was discovered:** Initial detection was triggered by the installation of a non-standard MSI masquerading as system utilities and subsequent suspicious beaconing to cloud services.
- **Response actions taken:** Analysis of the TukTuk framework and EtherRAT configuration files; tracking of Ethereum-based C2 infrastructure.
## Attack Methodology
- **Initial Access:** Spoofed administrative tools (GitHub facades) and exploitation of CVE-2025-55182 (in earlier variants).
- **Persistence:** Installation of GoTo Resolve RMM and EtherRAT.
- **Defense Evasion:** Use of legitimate-looking MSIs, AI-generated malware (TukTuk) to bypass signature-based detection, and hosting C2 on reputable cloud providers.
- **Discovery:** Use of TukTuk and EtherRAT for system reconnaissance.
- **Lateral Movement:** GoTo Resolve RMM.
- **Exfiltration:** Leveraged RMM tools and cloud-based C2 channels.
- **Impact:** Encryption via The Gentleman Ransomware.
## Impact Assessment
- **Financial:** High (Ransomware demands and business interruption).
- **Data Breach:** Confirmed (Exfiltration observed prior to encryption).
- **Operational:** Significant disruption due to ransomware locking critical server infrastructure.
- **Reputational:** Variable based on the scale of data leaked.
## Indicators of Compromise
### Network Indicators
- `flez.westus3.azure.clickhouse[.]cloud`
- `borjumaniya[.]store`
- `vngz3ntdrb.us-east1.gcp.clickhouse[.]cloud`
- `muurfzqprzmdkzoibxaz.supabase[.]co`
- `ep-lively-cherry-a80bmwii.eastus2.azure.neon[.]tech`
### File Indicators (Hashes)
- **RAMMap.msi:** `d9487fdc097f770e5661f9e5dee130068cb179d33716abff1a21c8cb901f25a6`
- **EtherRAT (MVnVmUYj.cmd):** `8c2665adf8bfab65463f2a9bd1b7bb0231de3f5c1e6a2e51479e44aaac2e7bf0`
- **TukTuk (log4net.dll):** `19021e53b9929fdf4b7d0e0707434d56bb73c1a9b7403c8837b44d1c417198dc`
- **GoTo Resolve (smokymo.msi):** `1795eacd2c58894ccdd6be8854fe6456c3b069a3a873432343b57b475b256aee`
### Behavioral Indicators
- Ethereum contract interactions for C2 routing (`0xdf0b...`, `0x5953...`).
- Unusual use of Arweave Drive-IDs for payload delivery.
## Response Actions
- **Containment:** Revocation of compromised RMM credentials and blocking of identified C2 domains.
- **Eradication:** Removal of malicious MSI installations and associated Windows services created by EtherRAT.
- **Recovery:** Full restoration from backups following ransomware impact.
## Lessons Learned
- **AI-Generated Malware:** The arrival of AI-generated frameworks like TukTuk suggests threat actors are rapidly iterating to bypass traditional EDR.
- **Blockchain C2:** The use of Ethereum contracts for C2 makes traditional IP/Domain blocking less effective, as the "source of truth" moves to the blockchain.
- **RMM Abuse:** Legitimate tools like GoTo Resolve continue to be a primary vector for exfiltration and lateral movement.
## Recommendations
- **Application Whitelisting:** Restrict the execution of MSI files and administrative tools to verified, signed installers from known publishers.
- **RMM Monitoring:** Implement strict monitoring and alerting for the installation of unauthorized RMM tools (GoTo Resolve, AnyDesk, etc.).
- **Vulnerability Management:** Ensure all Linux and Windows servers are patched against CVE-2025-55182.
- **Behavioral Analysis:** Shift focus from static IOCs to behavioral detection, such as identifying unusual outbound traffic to cloud database providers (ClickHouse, Supabase, Neon) from endpoints.
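The behavioral and RMM-monitoring recommendations above, as an added detection example that is not part of the original report: it flags endpoint egress to the cloud database providers named in the IoC list, flags MsiInstaller success events for unapproved RMM products, and correlates both per host. The log formats, hostnames, timestamps and product strings are constructed assumptions, not observed data from the intrusion.

```python
import re
from typing import Iterable, List, Set, Tuple

# Cloud database providers used as C2 hosting in this intrusion (from the IoC list).
# Ordinary endpoints rarely need direct outbound sessions to these services.
CLOUD_DB_SUFFIXES = (".clickhouse.cloud", ".supabase.co", ".neon.tech")

# RMM products the report names as abused or high risk; extend with your own list.
UNAPPROVED_RMM = ("goto resolve", "anydesk")

# Constructed sample logs (assumed formats, not from the report):
# proxy line: <timestamp> <source host> <destination fqdn> <bytes out>
PROXY_LOG = """\
2026-04-02T10:15:01Z ws-finance-07 login.microsoftonline.com 1420
2026-04-02T10:15:09Z ws-finance-07 flez.westus3.azure.clickhouse.cloud 38211
2026-04-02T10:16:44Z srv-app-03 muurfzqprzmdkzoibxaz.supabase.co 9120
2026-04-02T10:17:02Z ws-hr-02 ep-lively-cherry-a80bmwii.eastus2.azure.neon.tech 2201
2026-04-02T10:18:30Z ws-finance-07 github.com 5120
"""
# MSI line: <timestamp> <host> EventID=<id> Product=<name>; 11707 = install completed.
MSI_LOG = """\
2026-04-02T09:58:40Z ws-finance-07 EventID=11707 Product=RAMMap
2026-04-02T11:02:11Z ws-finance-07 EventID=11707 Product=GoTo Resolve Unattended
2026-04-02T11:40:00Z srv-app-03 EventID=11707 Product=Microsoft Edge
"""
MSI_PATTERN = re.compile(r"^(\S+) (\S+) EventID=(\d+) Product=(.+)$")


def flag_cloud_db_egress(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (host, destination, bytes) for sessions to cloud DB providers."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        _ts, host, dest, nbytes = line.split()
        if dest.lower().endswith(CLOUD_DB_SUFFIXES):
            hits.append((host, dest, int(nbytes)))
    return hits


def flag_rmm_installs(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (host, product) for successful installs of unapproved RMM tools."""
    hits = []
    for line in lines:
        m = MSI_PATTERN.match(line)
        if m and m.group(3) == "11707" and any(r in m.group(4).lower() for r in UNAPPROVED_RMM):
            hits.append((m.group(2), m.group(4)))
    return hits


def correlate(proxy_lines: Iterable[str], msi_lines: Iterable[str]) -> Set[str]:
    """Hosts showing both an RMM install and cloud DB egress: escalate first."""
    egress_hosts = {h for h, _d, _b in flag_cloud_db_egress(proxy_lines)}
    return egress_hosts & {h for h, _p in flag_rmm_installs(msi_lines)}
```

Tune the suffix and product lists to your environment; a host that trips both rules, as `ws-finance-07` does in the sample, matches the RMM-plus-cloud-C2 pattern described in this report and deserves immediate triage.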