Rankiteo
Leader in Cyber Underwriting
CrowdStrike

CrowdStrike Vendor Cyber Rating & Cyber Score

crowdstrike.com

CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk — endpoints and cloud workloads, identity and data. Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities. Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and


CrowdStrike A.I CyberSecurity Scoring

CrowdStrike
Company Information
Website: http://www.crowdstrike.com
Employees number: 10,946
Number of followers: 977,461
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: crowdstrike.com
CrowdStrike Risk Score (AI oriented)
Between 550 and 599
CrowdStrike (Computer and Network Security)
Updated: 21/06/2026
581/1000
Very Poor
Ca
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
CrowdStrike Global Score (TPRM)
Score locked

CrowdStrike: Very Poor
Current Score: 581 Ca (VERY POOR), on a scale of 0 to 1000
13 incidents
-35 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
Before Incident: 591
Cyber Attack
21 Jun 2026 - CrowdStrike
CrowdStrike, SentinelOne, ESET, Microsoft and Kaspersky: Gentlemen Ransomware Builds Modular EDR Killer Suite From Rival Gang Tools

Gentlemen Ransomware Deploys Modular EDR-Killing Framework with Cross-Gang Tools

After Incident: 581
Severity: CRITICAL (-10)
Incident ID: MICSENKASESECRO1782073479
The Gentlemen ransomware operation has adopted a sophisticated, modular approach to evading endpoint detection and response (EDR) systems, leveraging tools sourced from multiple criminal groups. According to an analysis by cybersecurity firm ESET, the gang's arsenal includes GentleKiller, a custom-built EDR killer with at least eight variants, alongside borrowed tools like HexKiller, ThrottleBlood, and HavocKiller, previously used by other ransomware gangs.

GentleKiller employs the bring-your-own-vulnerable-driver (BYOVD) technique, using eight distinct vulnerable drivers to gain kernel-level privileges. Its target list spans over 400 processes across 48 security vendors, including Microsoft, CrowdStrike, SentinelOne, and ESET itself. The tool impersonates legitimate software, such as Kaspersky and Valorant, and uses commercial packers like Enigma and Themida for obfuscation. The modular design allows affiliates to swap drivers without rewriting core code, complicating defenses: static blocklists may catch one variant while leaving others operational.

Beyond GentleKiller, the gang incorporates tools from rival groups, including HexKiller (linked to Warlock), ThrottleBlood (used by MesudaLocker and DragonForce), and HavocKiller (seen in multiple ransomware campaigns). This tool-sharing creates redundancy, attribution challenges, and tactical flexibility for affiliates. ESET also identified OxideHarvest, a Rust-based credential stealer likely developed externally.

The gang's targeting strategy includes exploiting FortiGate configurations, as seen in the compromise of Romanian energy provider Oltenia. A SystemBC proxy botnet, comprising over 1,570 corporate hosts, provides persistent access for EDR-killer-assisted attacks. The overlap between SystemBC detections and Gentlemen ransomware activity suggests energy-sector defenders should treat such infections as potential indicators of compromise.

ESET's findings highlight the gang's operational persistence, with 478 victims documented before the modular framework was fully analyzed. The interchangeable nature of the tools, combined with stolen digital signatures and rapid driver swaps, makes detection and attribution increasingly difficult. Defenders are advised to audit driver blocklists against all eight GentleKiller variants, flag multi-gang EDR killer signatures in incidents, and harden FortiGate configurations to reduce exposure.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain (ransomware), data exfiltration
IMPACT
Data Compromised: Credentials (via OxideHarvest), potentially sensitive corporate data
Systems Affected: Endpoint detection and response (EDR) systems, corporate hosts (1,570+ via SystemBC botnet)
Operational Impact: Disruption of security defenses, potential system encryption
Identity Theft Risk: High (due to credential theft)
DATA BREACH
Type Of Data Compromised: Credentials, potentially sensitive corporate data
Sensitivity Of Data: High (credentials, corporate data)
Data Exfiltration: Yes (via OxideHarvest, potential ransomware exfiltration)
Data Encryption: Yes (ransomware encryption)
MAY 2026
Before Incident: 587
Cyber Attack
30 Apr 2026 - CrowdStrike
ByBit, CrowdStrike and Marks & Spencer: How cyber security is changing in the age of AI

AI-Powered Cyber Threats and Major Cyber Incidents (2025-2026)

After Incident: 566
Severity: CRITICAL (-21)
Incident ID: MARBYBCRO1777746530
AI-Powered Cyber Threats Reshape the Security Landscape

The rapid adoption of artificial intelligence (AI) has escalated cyber threats, enabling more sophisticated, automated, and damaging attacks. According to the Global Cybersecurity Outlook 2026 from the World Economic Forum, AI has introduced new attack vectors, increasing both the frequency and severity of cyber incidents. A stark example emerged in April when Anthropic opted not to publicly release its Claude Mythos large language model after tests revealed thousands of critical vulnerabilities in major operating systems and browsers. Instead, the company launched Project Glasswing, restricting Mythos to vetted partners like Apple, Microsoft, and Cisco to develop defensive measures against potential misuse by threat actors.

### Rising Risks and Financial Fallout

Corporate concerns over cyber risk are intensifying. The Bank of England's Systemic Risk Report for late 2025 found that 86% of companies ranked cyber risk among their top five threats, up from 72% earlier in the year. A Proofpoint survey of 1,600 CISOs revealed that 66% experienced material data losses in the past year, a jump from 46% in 2024. In India, 99% of CISOs reported system compromises in the last 12 months.

The financial toll is staggering. Cybercrime costs reached $10.5 trillion in 2025, with projections hitting $15.6 trillion by 2029. Ransomware payments surged, with the median demand increasing 368% between 2025 and 2026 to nearly $60,000. Despite stagnant ransom payments post-2023, the number of reported attacks continued to climb.

### Key Vulnerabilities: Identity, Supply Chains, and Human Error

Cyber threats exploit three primary weaknesses:

1. Legitimate Identity Abuse: CrowdStrike's 2026 Global Threat Report found that 82% of intrusions involved no malware, instead relying on stolen credentials or trusted systems to blend into normal activity.
2. Supply Chain and Third-Party Risks: The Verizon Data Breach Investigations Report 2025 noted that 30% of breaches involved third parties, double the previous year's rate. High-profile incidents, like the 2020 SolarWinds attack, demonstrated how compromised software updates can create widespread backdoors.
3. Internet-Facing Systems: Exploits of public-facing applications rose 44% in a year, with 40% of initial breaches originating from such systems. Many vulnerabilities required no authentication, making them prime targets.

Human error remains a persistent weak point. The Verizon report found that 60% of breaches involved human factors, from phishing to poor digital hygiene. Remote work has further complicated security, with 40% of UK workers operating in hybrid or fully remote setups, expanding attack surfaces beyond traditional firewalls.

### AI's Dual Role: Accelerating Attacks and Defenses

AI has lowered the barrier for cybercriminals, enabling faster, more automated attacks. CrowdStrike reported an 89% year-over-year increase in AI-driven adversary activity, with average eCrime breakout times dropping to 29 minutes (down from 98 minutes in 2020). Some intrusions achieved data exfiltration in just four minutes.

AI also aids defenders. Anthropic's Mythos, though withheld from public release, helps vetted partners identify and patch vulnerabilities. However, the cat-and-mouse dynamic persists: Sumsub's CTO warned of potential gaps where new fraud techniques temporarily outpace detection systems.

### Notable Incidents and Lessons

- Marks & Spencer (April 2025): A breach by the hacking group Scattered Spider cost the retailer £300 million in lost profits and £600 million in market value. The attack reportedly exploited IT help desk workers through social engineering.
- ByBit (February 2025): A supply-chain compromise led to $1.5 billion in stolen cryptocurrency after North Korean attackers distributed trojanized software.
- CrowdStrike Outage (2024): A faulty software update caused the largest global IT disruption to date, affecting 8.5 million Windows systems across airlines, hospitals, and governments, highlighting the risks of over-reliance on single vendors.

### Emerging Threats and Defensive Shifts

AI-generated deepfakes and synthetic identities are becoming more convincing, with Sumsub noting that LLMs can now fabricate entire identities for verification bypass. Meanwhile, state-sponsored actors, like North Korea's operatives, have used fake job applications to infiltrate Western companies.

To counter these threats, experts emphasize:

- Zero-trust architecture: Treating identity systems as critical infrastructure.
- Supply chain scrutiny: Contracts with third parties must include breach notifications, AI usage disclosures, and liability clauses.
- AI-driven defenses: Leveraging AI for vulnerability detection while maintaining human oversight to avoid over-reliance on automated systems.

As AI continues to reshape cyber warfare, organizations must prioritize speed, resilience, and foundational security, balancing innovation with the risks of an increasingly interconnected digital landscape.
INCIDENT DETAILS -
TYPE
Data Breach, Ransomware, Supply Chain Attack, AI-Driven Attack, System Outage
MOTIVATION
Financial Gain, Espionage, Disruption, Data Exfiltration
IMPACT
Financial Loss: $10.5 trillion (global cybercrime costs in 2025); $15.6 trillion (projected by 2029); £300 million (Marks & Spencer lost profits); $1.5 billion (ByBit cryptocurrency theft); £600 million (Marks & Spencer market value loss)
Data Compromised: Material data losses (66% of CISOs in 2025); Personally Identifiable Information (PII); Corporate Credentials; Cryptocurrency Wallets
Systems Affected: 8.5 million Windows systems (CrowdStrike outage); Major operating systems and browsers (Claude Mythos vulnerabilities); IT help desk systems (Marks & Spencer)
Operational Impact: Global IT disruptions (CrowdStrike outage); Retail operations (Marks & Spencer); Cryptocurrency exchange operations (ByBit)
Marks & Spencer; CrowdStrike; ByBit
Identity Theft Risk: High (due to PII exposure and synthetic identities)
Payment Information Risk: High (cryptocurrency theft and payment system compromises)
DATA BREACH
Type Of Data Compromised: Personally Identifiable Information (PII); Corporate Credentials; Cryptocurrency Wallet Data
Sensitivity Of Data: High (PII, financial data, cryptocurrency wallets)
Data Exfiltration: Yes (ByBit incident)
Personally Identifiable Information: Yes
APRIL 2026
Before Incident: 585
Vulnerability
07 Apr 2026 - CrowdStrike
CrowdStrike: CrowdStrike LogScale Vulnerability Allows Remote Attackers to Read Arbitrary Files from Server

Critical Path-Traversal Vulnerability in CrowdStrike LogScale Exposes Sensitive Files

After Incident: 582
Severity: CRITICAL (-3)
Incident ID: CRO1776846395
CrowdStrike has disclosed a critical unauthenticated path-traversal vulnerability (CVE-2026-40050) in its LogScale platform, allowing remote attackers to read arbitrary files from affected servers without authentication. The flaw, rated 9.8 (CRITICAL) on the CVSS v3.1 scale, stems from two weaknesses: CWE-306 (Missing Authentication for Critical Function) and CWE-22 (Improper Pathname Limitation). The vulnerability resides in a cluster API endpoint within LogScale Self-Hosted versions 1.224.0–1.234.0 (GA) and 1.228.0–1.228.1 (LTS). If exposed, attackers could traverse the server's directory structure to access sensitive files. LogScale SaaS customers and Next-Gen SIEM users are unaffected, as CrowdStrike deployed network-layer mitigations across all SaaS clusters on April 7, 2026, and found no evidence of exploitation.

Discovered internally through CrowdStrike's product testing program, the flaw has no known active exploitation in the wild. The company continues to monitor SaaS environments for suspicious activity. Affected organizations running self-hosted LogScale instances are advised to upgrade immediately to one of the following patched versions:

- 1.235.1 or later
- 1.234.1 or later
- 1.233.1 or later
- 1.228.2 (LTS) or later

CrowdStrike confirmed that the updates introduce no performance impact on LogScale operations. Self-hosted users should also review logs for signs of unauthorized access or file exfiltration.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
IMPACT
Data Compromised: Sensitive files
Systems Affected: LogScale Self-Hosted servers
DATA BREACH
Type Of Data Compromised: Arbitrary files (sensitive data)
Sensitivity Of Data: High
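Two defensive checks that follow from the LogScale entry above, written here as an added example (it is not Rankiteo's or CrowdStrike's code and is not tied to LogScale internals, which the entry does not describe): a server-side containment check that rejects a client-supplied path once it resolves outside the directory it is meant to serve (the CWE-22 mitigation), and a log review of the kind the entry recommends, flagging requests whose decoded URL path contains a parent-directory segment. The base directory, the access-log format and the log lines are constructed for the example.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed access-log lines in common-log format. The addresses, paths and
# timestamps are invented for this example; they are not LogScale log output.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [07/Apr/2026:10:01:02 +0000] "GET /api/v1/clusters/status HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Apr/2026:10:01:07 +0000] "GET /api/v1/clusters/../../../../etc/passwd HTTP/1.1" 200 1804',
    '203.0.113.9 - - [07/Apr/2026:10:01:09 +0000] "GET /api/v1/clusters/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
    '10.0.0.7 - - [07/Apr/2026:10:02:00 +0000] "GET /api/v1/search?q=..%2f HTTP/1.1" 200 77',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e%252e is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_base(base_dir: str, requested: str) -> Optional[str]:
    """Mitigation: map a client-supplied relative path onto base_dir and refuse it
    when the canonical result escapes base_dir. Returns the safe absolute path,
    or None when the request must be rejected."""
    base = os.path.realpath(base_dir)
    relative = fully_decode(requested).replace("\\", "/").lstrip("/")
    target = os.path.realpath(os.path.join(base, relative))
    # commonpath compares whole components, so /var/lib/logscale-old is not
    # mistaken for a directory inside /var/lib/logscale.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def traversal_attempts(lines: List[str]) -> List[dict]:
    """Detection: return requests whose decoded URL path contains a '..' segment.
    Only the path is inspected; '..' inside a query string is treated as data."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        path = match.group("target").split("?", 1)[0]
        segments = fully_decode(path).replace("\\", "/").split("/")
        if ".." in segments:
            hits.append({
                "ip": match.group("ip"),
                "target": match.group("target"),
                "status": int(match.group("status")),
            })
    return hits


if __name__ == "__main__":
    base = "/var/lib/logscale"  # constructed base directory for the example
    for requested in ("reports/summary.json", "../../../../etc/passwd"):
        print(requested, "->", resolve_under_base(base, requested))
    for hit in traversal_attempts(SAMPLE_ACCESS_LOG):
        # A 200 on a traversal attempt means the server may actually have served the file.
        print("traversal attempt:", hit)
```

In the constructed log, the two `203.0.113.9` requests are flagged; the one answered with 200 is the one a responder would chase first, while the 403 shows a blocked attempt against the same host.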
MARCH 2026
Before Incident: 580
FEBRUARY 2026
Before Incident: 684
Ransomware
12 Feb 2026 - CrowdStrike
Ivanti, CrowdStrike and Gartner: Most ransomware playbooks don't address machine credentials. Attackers know it.

Ransomware Attackers Exploit Overlooked Machine Identities, Widening Security Gaps

After Incident: 574
Severity: CRITICAL (-110)
Incident ID: IVAGARCRO1771266582
A growing blind spot in ransomware defense strategies is leaving organizations vulnerable to prolonged attacks, with adversaries increasingly targeting machine identities, such as service accounts, API tokens, and certificates, to move laterally within networks undetected. Research from Gartner and CrowdStrike reveals that attackers spend days to months harvesting these credentials before deploying ransomware, often evading traditional detection methods.

### Key Vulnerabilities & Attack Trends

- Machine identities are the weakest link: Unlike human credentials, compromised service accounts and API tokens rarely trigger alerts, allowing attackers to persist in networks. 76% of organizations fear ransomware spreading via unmanaged hosts over SMB network shares, yet most incident response playbooks fail to address non-human credentials.
- Rapid deployment, high costs: Over 50% of ransomware attacks now deploy within one day of initial access. Recovery costs average 10 times the ransom demand, with CrowdStrike estimating $1.7 million in downtime per incident, rising to $2.5 million for public sector organizations.
- Paying ransoms offers no guarantee: 93% of organizations that paid still had data stolen, and 83% were attacked again. Nearly 40% could not fully restore data from backups, underscoring the futility of ransom payments.

### Critical Gaps in Incident Response

- Playbooks ignore machine credentials: The most widely used ransomware containment frameworks, including Gartner's template, focus on resetting human and device accounts but omit service accounts, API keys, and tokens. This oversight allows attackers to regain access even after initial remediation.
- Detection logic lags behind threats: 85% of security teams admit traditional methods can't keep pace with modern attacks. Only 53% have implemented AI-powered threat detection, leaving anomalous machine behavior, such as unusual API call volumes or tokens used outside automation windows, unmonitored.
- AI adoption exacerbates risks: 87% of organizations prioritize agentic AI, which introduces autonomous machine identities that authenticate and act independently. Yet only 55% enforce formal guardrails, creating new attack surfaces.

### Industry-Specific Preparedness Failures

- Manufacturing & public sector lag behind: Despite 60% of public sector organizations rating themselves as "very prepared," only 12% recovered within 24 hours after an attack. Among manufacturers, 40% suffered significant operational disruption.
- Persistent entry points remain unaddressed: Only 38% of organizations fixed the specific vulnerability exploited in their last ransomware attack. The rest invested in general security improvements without closing the original breach vector.
- Exposure management is inadequate: Nearly half of organizations lack a cybersecurity exposure score, and only 27% rate their risk assessment as "excellent." Stale service accounts, some tied to former employees, remain the easiest entry point for attackers.

### The Urgency of Machine Identity Governance

Gartner warns that poor IAM practices are a primary starting point for ransomware, with previously compromised credentials frequently sold on the dark web. Yet most playbooks fail to inventory or reset machine identities during containment, leaving trust chains intact even after network isolation. The preparedness gap is widening: Ivanti's 2026 report found that readiness deficits across ransomware, phishing, and supply chain attacks have grown by 10 points year-over-year. With 82 machine identities for every human user, 42% of which have privileged access, organizations must map ownership, enforce rotation policies, and integrate machine identity detection into incident response before the next attack.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain, Data exfiltration
IMPACT
Financial Loss: $1.7 million in downtime per incident (rising to $2.5 million for public sector)
Systems Affected: Networks; Automated systems using machine identities
Downtime: Significant operational disruption (40% of manufacturers)
Operational Impact: Prolonged recovery (only 12% of public sector recovered within 24 hours)
DATA BREACH
Type Of Data Compromised: Credentials; Sensitive data
Sensitivity Of Data: High (personally identifiable information, privileged access data)
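The entry above names the machine-identity signals most playbooks leave unmonitored: ownership that was never mapped, accounts tied to former employees, tokens used outside their automation window, and unusual API call volumes. The following is an added example of detection logic over those signals; it is not Rankiteo's, Gartner's, Ivanti's or CrowdStrike's code. The inventory, the service-account names, the automation windows, the baselines and the audit records are all constructed for the example, and the record format (`timestamp principal calls`) is an assumption rather than any product's log schema.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MachineIdentity:
    """One inventoried non-human identity: who owns it, whether that owner is
    still active, the UTC hours in which it is expected to run, and its
    normal hourly call volume."""
    name: str
    owner: str
    owner_active: bool
    window_utc: Tuple[int, int]       # [start_hour, end_hour) in which use is expected
    baseline_calls_per_hour: int


@dataclass(frozen=True)
class Finding:
    principal: str
    hour: datetime
    rule: str
    calls: int


# Constructed inventory. Names, owners, windows and baselines are invented.
INVENTORY: Dict[str, MachineIdentity] = {
    "svc-backup": MachineIdentity("svc-backup", "j.doe", True, (1, 4), 600),
    "svc-ci-deploy": MachineIdentity("svc-ci-deploy", "platform-team", True, (0, 24), 500),
    "svc-legacy-report": MachineIdentity("svc-legacy-report", "former.employee", False, (0, 24), 100),
}

# Constructed API audit records: "<ISO-8601 UTC timestamp> <principal> <calls>".
SAMPLE_EVENTS = [
    "2026-02-12T02:10:00Z svc-backup 280",
    "2026-02-12T02:40:00Z svc-backup 260",
    "2026-02-12T14:05:00Z svc-backup 40",          # backup token used mid-afternoon
    "2026-02-12T09:00:00Z svc-ci-deploy 120",
    "2026-02-12T09:30:00Z svc-ci-deploy 4000",     # volume far above baseline
    "2026-02-12T11:00:00Z svc-legacy-report 10",   # owner has left the company
    "2026-02-12T11:20:00Z svc-unknown-42 15",      # never inventoried
]


def parse_events(lines: List[str]) -> List[Tuple[datetime, str, int]]:
    events = []
    for line in lines:
        ts, principal, calls = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), principal, int(calls)))
    return events


def detect_anomalies(inventory: Dict[str, MachineIdentity], lines: List[str],
                     spike_factor: int = 5) -> List[Finding]:
    """Bucket calls per (principal, hour) and apply four rules: the identity is
    not inventoried, its owner is no longer active, it ran outside its
    automation window, or its hourly volume exceeds spike_factor x baseline."""
    hourly: Counter = Counter()
    for ts, principal, calls in parse_events(lines):
        hourly[(principal, ts.replace(minute=0, second=0))] += calls

    findings: List[Finding] = []
    for (principal, hour), calls in sorted(hourly.items()):
        ident: Optional[MachineIdentity] = inventory.get(principal)
        if ident is None:
            findings.append(Finding(principal, hour, "not_in_inventory", calls))
            continue
        if not ident.owner_active:
            findings.append(Finding(principal, hour, "stale_owner", calls))
        start, end = ident.window_utc
        if not start <= hour.hour < end:
            findings.append(Finding(principal, hour, "outside_window", calls))
        if calls > spike_factor * ident.baseline_calls_per_hour:
            findings.append(Finding(principal, hour, "volume_spike", calls))
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(INVENTORY, SAMPLE_EVENTS):
        print(f"{f.hour:%Y-%m-%d %H:00} {f.principal:<20} {f.rule:<17} calls={f.calls}")
```

The normal 02:00 backup run (540 calls inside its window) produces nothing, which is the point: the rules fire on deviation from an owned, scheduled, sized baseline, not on service-account activity as such.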
JANUARY 2026
Before Incident: 738
Ransomware
01 Jan 2026 - CrowdStrike
Symantec, Sophos and CrowdStrike: Black Basta Ransomware Integrates BYOVD Technique to Evade Defenses

Black Basta Ransomware Adopts New 'All-in-One' Attack Tactic with Embedded BYOVD Exploit

After Incident: 680
Severity: CRITICAL (-58)
Incident ID: SOPCROSYM1770623613
The Black Basta ransomware group, linked to the threat actor Cardinal, has introduced a significant evolution in its attack methodology by embedding a Bring-Your-Own-Vulnerable-Driver (BYOVD) exploit directly into its ransomware payload. This marks a departure from traditional ransomware operations, where attackers typically deploy separate tools to disable security software before encryption.

In this campaign, Black Basta leverages the NsecSoft NSecKrnl driver, which contains a critical vulnerability (CVE-2025-68947). The flaw allows the driver to execute privileged commands without proper permission checks, enabling the ransomware to issue Input/Output Control (IOCTL) requests that terminate high-level security processes. Targeted defenses include solutions from Sophos, Symantec, CrowdStrike, and Microsoft Defender (MsMpEng.exe). Once security measures are neutralized, the ransomware encrypts files and appends the “.locked” extension.

This tactic, embedding defense evasion within the ransomware itself, is rare, previously observed only in Ryuk (2020) and Obscura (2025). The approach offers two key advantages for attackers: stealth, by reducing the number of files dropped on the victim's system, and speed, minimizing the window between disabling defenses and executing encryption. Researchers also noted prolonged dwell time in compromised networks, with suspicious activity detected weeks before ransomware deployment.

The resurgence of Cardinal follows a period of inactivity after internal chat logs were leaked in February 2025 by a hacker known as ExploitWhispers, who claimed retaliation for Black Basta's attacks on Russian banks. The leak led to police raids in Ukraine and the identification of an alleged leader, Oleg Evgenievich Nefedov. Despite law enforcement pressure, the group's technical innovation suggests continued adaptation.

BYOVD attacks remain a favored method among threat actors due to their reliance on legitimate, signed drivers, which evade detection. The integration of evasion and encryption into a single payload may set a new standard in ransomware operations, reflecting a broader trend of defense impairment as a critical component of modern ransomware attacks.
INCIDENT DETAILS -
TYPE
Ransomware
IMPACT
Operational Impact: Termination of high-level security processes (Sophos, Symantec, CrowdStrike, Microsoft Defender)
DATA BREACH
Data Encryption: Files encrypted with '.locked' extension
DECEMBER 2025
Before Incident: 736
NOVEMBER 2025
Before Incident: 768
Breach
22 Nov 2025 - CrowdStrike
CrowdStrike

CrowdStrike Insider Threat Incident Involving Scattered Lapsus$ Hunters

After Incident: 735
Severity: MEDIUM (-33)
Incident ID: CRO4432044112225
CrowdStrike confirmed that internal screenshots were leaked by a terminated employee to the Scattered Lapsus$ Hunters cybercrime collective and published on Telegram. The incident involved an insider allegedly paid $25,000 by ShinyHunters for access, including SSO authentication cookies. However, CrowdStrike detected the unauthorized activity and revoked the insider's access before any critical systems or customer data were compromised. The company stated that no breach of its systems occurred, and no customer data was exposed.

The leak was part of a broader extortion campaign by Scattered Lapsus$ Hunters, a collective linked to high-profile breaches at companies like Google, Cisco, and Jaguar Land Rover (which suffered $220M in damages). The group has also targeted Salesforce, FedEx, Disney, and Marriott through voice-phishing and ransomware-as-a-service (RaaS) platforms like ShinySp1d3r. While the incident involved insider-driven data exposure, CrowdStrike maintained that its core security infrastructure remained intact, and law enforcement was engaged for further investigation.
INCIDENT DETAILS -
TYPE
Insider Threat, Data Leak, Extortion
MOTIVATION
Financial Gain, Extortion, Reputation Damage, Data Theft for Resale
IMPACT
Data Compromised: Internal Screenshots; SSO Authentication Cookies (Attempted)
Operational Impact: Minimal (No System Breach or Customer Data Exposure)
Brand Reputation Impact: Moderate (Public Disclosure of Insider Incident)
DATA BREACH
Type Of Data Compromised: Internal Screenshots; Authentication Cookies (Attempted)
Sensitivity Of Data: Moderate (Internal Operational Data, No Customer PII)
Screenshots (Images); Cookies (Text)
OCTOBER 2025
Before Incident: 767
SEPTEMBER 2025
Before Incident: 775
Cyber Attack
16 Sep 2025 - CrowdStrike
CrowdStrike

Supply Chain Attack on CrowdStrike npm Packages (Shai-Halud Attack)

After Incident: 765
Severity: CRITICAL (-10)
Incident ID: CRO1092210091625
A supply chain attack (dubbed Shai-Halud) compromised multiple npm packages maintained under CrowdStrike’s official publisher account. Threat actors injected a malicious `bundle.js` script into packages like `@crowdstrike/commitlint`, `@crowdstrike/falcon-shoelace`, and others, which executed covertly upon installation. The payload deployed TruffleHog—a legitimate secret-scanning tool—to harvest developer credentials, API keys, cloud tokens, and CI/CD secrets from infected systems. Exfiltrated data was sent to a hardcoded attacker-controlled webhook (`hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7`). The attack also created unauthorized GitHub Actions workflows in victim repositories, risking further compromise. While CrowdStrike removed the malicious versions and rotated keys, the breach exposed internal development environments, CI/CD pipelines, and potentially proprietary code or customer-integrated systems. The incident mirrors prior attacks on libraries like `tinycolor`, highlighting systemic risks in open-source supply chains. Organizations using these packages were urged to uninstall affected versions, rotate all exposed secrets, and audit systems for unauthorized modifications. CrowdStrike confirmed the Falcon sensor platform remained unaffected, but the attack undermined trust in their open-source tooling and posed operational, reputational, and security risks for dependent enterprises.
INCIDENT DETAILS -
TYPE
Supply chain attack, credential theft, unauthorized code execution, data exfiltration
MOTIVATION
Credential harvesting, unauthorized access, potential follow-on attacks
IMPACT
Data Compromised: developer secrets; API keys; cloud credentials; GitHub tokens
Systems Affected: developer machines; CI/CD pipelines; GitHub repositories
Operational Impact: unauthorized npm publishes; malicious GitHub Actions workflows; credential rotation overhead
Brand Reputation Impact: potential erosion of trust in CrowdStrike's open-source ecosystem
Identity Theft Risk: high (due to exposed credentials)
DATA BREACH
Type Of Data Compromised: secrets; API keys; cloud credentials; GitHub tokens
Sensitivity Of Data: high
Environment variables; configuration files; CI/CD secrets
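A dependency audit of the kind the entry above urges on organizations that consumed these packages, written here as an added example; it is not Rankiteo's, CrowdStrike's or the npm project's code. The package names come from the entry. Everything else is constructed: the lockfile, the `package.json` manifests, the `0.0.0-constructed` version strings (the entry does not list the affected versions, so the check flags any installed version for review against the vendor advisory), and the workflow file names. The entry says the injected `bundle.js` ran on installation, so the audit looks at npm install-time hooks; the specific `postinstall` command shown is an assumption, not a quote from the malicious package.

```python
import json
from typing import Dict, List

# Package names taken from the incident entry. Versions are placeholders because
# the entry does not list the affected version numbers.
WATCHLIST = {"@crowdstrike/commitlint", "@crowdstrike/falcon-shoelace"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed lockfile (npm lockfileVersion 3 layout) for an imaginary project.
SAMPLE_LOCKFILE = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/@crowdstrike/commitlint": {"version": "0.0.0-constructed"},
    "node_modules/@crowdstrike/falcon-shoelace": {"version": "0.0.0-constructed"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/some-native-dep": {"version": "2.1.0"}
  }
}
""")

# Constructed package.json contents as they would sit under node_modules/<name>/.
# The postinstall command is an assumption modelled on the entry's description.
SAMPLE_MANIFESTS: Dict[str, dict] = {
    "@crowdstrike/commitlint": {"scripts": {"postinstall": "node bundle.js"}},
    "@crowdstrike/falcon-shoelace": {"scripts": {"build": "tsc"}},
    "left-pad": {"scripts": {"test": "node test.js"}},
    "some-native-dep": {"scripts": {"install": "node-gyp rebuild"}},
}

# Constructed list of workflow files found in a repository checkout.
SAMPLE_WORKFLOWS = [".github/workflows/ci.yml", ".github/workflows/unexpected-publish.yml"]
EXPECTED_WORKFLOWS = {".github/workflows/ci.yml", ".github/workflows/release.yml"}


def installed_packages(lockfile: dict) -> Dict[str, str]:
    """Map package name -> version from the lockfile's 'packages' section."""
    result = {}
    for path, meta in lockfile.get("packages", {}).items():
        if not path:
            continue                                    # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]      # also handles nested node_modules
        result[name] = meta.get("version", "")
    return result


def watchlisted_installs(lockfile: dict) -> Dict[str, str]:
    """Installed packages whose name is on the watchlist, for review against the advisory."""
    return {n: v for n, v in installed_packages(lockfile).items() if n in WATCHLIST}


def install_hook_findings(manifests: Dict[str, dict]) -> List[dict]:
    """Packages that run code at install time. A hook that executes a bundled
    script is ranked 'high'; a native build step is ranked 'review'."""
    findings = []
    for name, manifest in manifests.items():
        for hook in INSTALL_HOOKS:
            command = manifest.get("scripts", {}).get(hook)
            if command is None:
                continue
            severity = "high" if "bundle.js" in command or command.startswith("node ") else "review"
            findings.append({"package": name, "hook": hook, "command": command, "severity": severity})
    return findings


def unexpected_workflows(found: List[str], expected=EXPECTED_WORKFLOWS) -> List[str]:
    """Workflow files present in the checkout that are not in the known-good set."""
    return sorted(set(found) - expected)


def audit(lockfile=SAMPLE_LOCKFILE, manifests=SAMPLE_MANIFESTS, workflows=SAMPLE_WORKFLOWS) -> dict:
    """Combine the three checks into one report a responder can act on."""
    return {
        "watchlisted_installs": watchlisted_installs(lockfile),
        "install_hooks": install_hook_findings(manifests),
        "unexpected_workflows": unexpected_workflows(workflows),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Each positive finding maps to one of the entry's remediation steps: watchlisted installs are what to uninstall and compare against the advisory, install hooks are where exposed secrets would have been read (so what to rotate), and unexpected workflow files are the repository modifications to audit.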
AUGUST 2025
Before Incident: 775
JULY 2025
Before Incident: 773
MARCH 2025
Before Incident: 768
Vulnerability
01 Mar 2025 - CrowdStrike
CrowdStrike

Sleeping Beauty Vulnerability in CrowdStrike's Falcon Sensor

After Incident: 766
Severity: CRITICAL (-2)
Incident ID: CRO404030625
Security researchers at SEC Consult uncovered a vulnerability in CrowdStrike's Falcon Sensor, named 'Sleeping Beauty,' that let attackers bypass detection mechanisms and execute malicious applications. Attackers could suspend EDR processes to evade detection once they obtained SYSTEM permissions on Windows, using Process Explorer to suspend Falcon processes. Though CrowdStrike initially did not consider it a security vulnerability, the issue allowed the execution of typically blocked malicious tools. Eventually, CrowdStrike corrected the flaw by preventing process suspension, acknowledging the oversight after researchers discovered the change.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
MOTIVATION
Bypass Detection Mechanisms
IMPACT
Falcon Sensor
JANUARY 2025
Before Incident: 798
Breach
07 Jan 2025 - CrowdStrike
CrowdStrike

Phishing Campaign Targeting CrowdStrike Job Applicants

After Incident: 765
Severity: HIGH (-33)
Incident ID: CRO000011125
On January 7, 2025, CrowdStrike fell victim to a sophisticated phishing campaign that abused its recruitment branding, leading potential job applicants to inadvertently install a cryptominer, specifically XMRig. The attackers crafted convincing phishing emails, promising prospects a junior developer position and directing them to a fraudulent website. This site offered a fake 'employee CRM application,' which was, in reality, malware in the guise of a Windows executable. The malware included evasion techniques to avoid detection, and once those checks passed, it used the victim's resources to mine cryptocurrency. This not only misused the company's resources but also possibly damaged its reputation among potential job applicants.
INCIDENT DETAILS -
TYPE
Phishing
MOTIVATION
Financial Gain
IMPACT
Operational Impact: Misuse of Company Resources
Brand Reputation Impact: Possible Damage
JANUARY 2025
Before Incident: 819
Cyber Attack
01 Jan 2025 - CrowdStrike
PRESSURE CHOLLIMA and CrowdStrike: AI-fuelled cyber attacks hit in minutes, warns CrowdStrike

Surge in AI-Driven Cyber Threats and Accelerated Intrusion Timelines

After Incident: 798
Severity: CRITICAL (-21)
Incident ID: CROPOL1771965526
CrowdStrike Report Reveals Alarming Surge in AI-Driven Cyber Threats

CrowdStrike's latest Global Threat Report highlights a dramatic acceleration in cyber intrusions, with attackers leveraging AI to shrink the window between initial access and lateral movement. In 2025, the average "breakout time" for eCrime actors dropped to just 29 minutes, a 65% improvement from the previous year. The fastest observed intrusion saw data exfiltration begin within four minutes, while one attack achieved lateral movement in 27 seconds.

AI has become a cornerstone of modern cyber operations, with adversaries increasing AI-enabled attacks by 89% year-on-year. Underground forums show a 550% surge in discussions about ChatGPT, as threat actors experiment with mainstream AI tools to bypass safeguards. Beyond tooling, attackers are directly targeting AI systems: malicious prompts were injected into generative AI platforms at over 90 organizations, enabling credential and cryptocurrency theft. Vulnerabilities in AI development platforms have also been exploited to deploy ransomware and establish persistence, while rogue AI servers impersonate trusted services to intercept sensitive data.

The report ties faster breakout times to attackers abusing trusted identities, SaaS applications, and cloud infrastructure, which blend into legitimate activity and reduce defenders' response windows. Cloud-conscious intrusions rose 37%, driven largely by state-linked actors, with intelligence-gathering operations in cloud environments surging 266%. Pre-disclosure exploitation remains a critical threat, with 42% of vulnerabilities weaponized before public disclosure, often via zero-days for initial access, remote code execution, or privilege escalation. CrowdStrike identified 24 new adversary groups in 2025, bringing the total tracked to 281, spanning nation-state and eCrime actors. Social engineering tactics have also evolved, with a 563% increase in fake CAPTCHA lures and a 141% rise in spam emails.

State-linked activity saw significant growth, particularly from China and North Korea. China-nexus operations increased 38%, with the logistics sector facing an 85% spike in targeting. 67% of vulnerabilities exploited by these actors provided immediate system access, and 40% targeted internet-facing edge devices. North Korea-linked incidents surged 130%, with the group FAMOUS CHOLLIMA more than doubling its activity. DPRK actors used AI-generated personas to scale insider operations, while PRESSURE CHOLLIMA was linked to a $1.46 billion cryptocurrency theft, the largest single financial heist on record. Other notable threats include Russia-nexus FANCY BEAR, which deployed LLM-enabled malware (LAMEHUG) for automated reconnaissance, and the eCrime actor PUNK SPIDER, which used AI-generated scripts to accelerate credential theft and erase forensic evidence.

CrowdStrike warns that the AI arms race is compressing attack timelines, turning enterprise AI systems into both tools and targets for adversaries. The report is based on intelligence from 280+ tracked adversaries, forecasting continued acceleration in AI-driven intrusions and direct exploitation of AI platforms.
INCIDENT DETAILS -
TYPE
AI-driven cyber threats, Ransomware, Data exfiltration, Credential theft, Cryptocurrency theft, Social engineering, Zero-day exploitation
MOTIVATION
Financial gain (e.g., $1.46 billion cryptocurrency theft); Intelligence gathering (cloud environments); Espionage; Disruption; Credential theft; Data exfiltration
IMPACT
Financial Loss: $1.46 billion (largest single cryptocurrency theft on record)
Data Compromised: Credentials; Cryptocurrency; Sensitive data intercepted via rogue AI servers
Systems Affected: AI development platforms; Cloud environments; Internet-facing edge devices; SaaS applications
Operational Impact: Accelerated intrusion timelines (breakout time as low as 27 seconds); Lateral movement within 29 minutes on average; Data exfiltration within 4 minutes in fastest observed case
Identity Theft Risk: High (AI-generated personas for insider operations, credential theft)
Payment Information Risk: High (cryptocurrency theft, credential theft)
DATA BREACH
Credentials; Cryptocurrency; Personally identifiable information (via AI-generated personas); Sensitive organizational data; Sensitivity Of Data: High (PII, financial data, cryptocurrency keys); Data Exfiltration: Yes (observed in fastest intrusion case within 4 minutes); Data Encryption: Yes (ransomware deployment via AI platform vulnerabilities); Personally Identifiable Information: Yes (via AI-generated personas and credential theft)
JULY 2024
820Before Incident
Vulnerability
01 Jul 2024CrowdStrike
CrowdStrike

Global Crash Triggered by CrowdStrike Falcon Software Update

817After Incident
CRITICAL-3
CRO000072024
The global crash, on 19 July 2024, was triggered not by new sensor code but by a faulty content update (Channel File 291) consumed by the Windows kernel-mode driver of CrowdStrike's Falcon sensor. Parsing the file caused an out-of-bounds memory read in the driver, which crashed affected Windows hosts into a boot loop; Linux and macOS hosts were not affected. Healthcare services were impeded, delaying patient communications and appointments. Emergency services, including 911, suffered from disrupted lines. TV stations like Sky News in the UK temporarily ceased live broadcasts. The issue demanded manual device recovery, typically booting each host into Safe Mode or the Windows Recovery Environment and deleting the faulty channel file (C-00000291*.sys) before a normal reboot, which was slow at scale and slower still on BitLocker-protected machines whose recovery keys had to be retrieved first. The scale of the event marked a significant setback in operational continuity, service provision, and public trust.
INCIDENT DETAILS -
TYPE
Software Malfunction
IMPACT
Systems Affected: Global systems; Downtime: Significant; Operational Impact: High; Brand Reputation Impact: Significant
MARCH 2023
824Before Incident
Cyber Attack
01 Mar 2023CrowdStrike
CrowdStrike

Sophisticated Cyber Attack on CrowdStrike

813After Incident
CRITICAL-11
CRO001050724
CrowdStrike, a leader in cloud-delivered endpoint protection, faced a sophisticated cyber attack aiming to compromise its sensitive data and internal systems. The attack showcased the evolving tactics, techniques, and procedures (TTPs) of adversaries targeting cybersecurity firms. The attackers attempted to exploit vulnerabilities and deploy malware to access customer information and proprietary data. Through rapid detection and response, CrowdStrike was able to mitigate the attack, minimizing the impact on its operations and customer data. This incident underscores the continuous threats faced by cybersecurity providers and the importance of adopting a comprehensive cybersecurity strategy that includes real-time threat intelligence, advanced monitoring, and the implementation of a Zero Trust architecture to reduce the risk of such attacks.
INCIDENT DETAILS -
TYPE
Cyber Attack
MOTIVATION
Data Theft, Access to Proprietary Data
IMPACT
Data Compromised: Customer Information, Proprietary Data; Systems Affected: Internal Systems
DATA BREACH
Type Of Data Compromised: Customer Information, Proprietary Data
JANUARY 2022
827Before Incident
Cyber Attack
01 Jan 2022CrowdStrike
UNC3886 and BLOCKADE SPIDER: OrBit Rootkit Targets Linux to Steal SSH and Sudo Credentials

OrBit Linux Rootkit Evolution and Widespread Adoption

820After Incident
CRITICAL-7
SENCRO1778848441
OrBit Linux Rootkit Evolves Over Four Years, Becomes Shared Tool for Cyber Threats

A stealthy Linux rootkit known as OrBit has been actively abused by threat actors for over four years, evolving from a custom-built tool into a widely adopted malware framework. Initially documented in 2022, OrBit was later revealed to be a repackaged version of Medusa, an open-source LD_PRELOAD rootkit published on GitHub in late 2022. Rather than developing new malware, attackers have modified and redeployed this publicly available codebase with varying configurations, credentials, and evasion techniques.

### How OrBit Operates

OrBit functions as a userland rootkit, hijacking the system's dynamic linker (ld.so) to inject a malicious shared library into every running process. This allows it to:

- Intercept authentication flows by hooking into Pluggable Authentication Modules (PAM), capturing SSH and sudo credentials.
- Store stolen credentials in hidden directories (e.g., `/lib/libseconf/`).
- Hide its presence by manipulating over 40 libc functions, masking files, processes, and network connections from administrators.

Unlike traditional malware, OrBit operates as a passive implant, avoiding direct command-and-control (C2) communication. Instead, attackers access compromised systems via a hidden SSH backdoor.

### Evolution and Variants

Researchers have identified two primary variants of OrBit:

1. Lineage A – A full-featured version with credential harvesting, network hiding, packet capture, and backdoor access.
2. Lineage B – A lighter variant with reduced functionality, likely designed to minimize detection.

Over time, attackers have rotated credentials, adjusted installation paths, and introduced compatibility fixes (e.g., a custom `xread` function to prevent system instability). Key developments include:

- 2025: Introduction of audit log evasion and an advanced PAM hook capable of manipulating authentication outcomes.
- 2025: Shift to a multi-stage infection chain, including a dropper and infector that spreads via cron jobs and downloads payloads from remote domains, a first for OrBit.
- 2026: Continued refinement, with infrastructure overlaps observed with the RHOMBUS botnet.

### Widespread Adoption by Threat Actors

OrBit is no longer tied to a single group. Multiple threat actors have deployed it, including:

- BLOCKADE SPIDER (ransomware-linked)
- UNC3886 (state-backed espionage group)

This adoption highlights a broader trend: Linux environments, including critical infrastructure and virtualized systems, are increasingly targeted by shared malware toolkits.

### Detection and Indicators of Compromise (IOCs)

Despite superficial changes (e.g., file paths, passwords), OrBit's core behaviors remain consistent. Defenders are advised to monitor for:

- Hidden filesystem artifacts (e.g., `/lib/libseconf/`).
- Credential harvesting activity via PAM hooks.
- Known hashes (see partial list below).

#### Sample IOCs (SHA-256)

| Hash | Year | Role | Lineage |
|------|------|------|---------|
| `40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020` | 2022 | Payload | A |
| `3ba6c174a72e4bf5a10c8aaadab2c4b98702ee2308438e94a5512b69df998d5a` | 2023 | Payload | B |
| `a61386384173b352e3bd90dcef4c7268a73cd29f6ae343c15b92070b1354a349` | 2024 | Payload | A |
| `04c06be0f65d3ead95f3d3dd26fe150270ac8b58890e35515f9317fc7c7723c9` | 2025 | Infector | |
| `d7b487d2e840c4546661f497af0195614fc0906c03d187dc39815c811ea5ec3f` | 2026 | Payload | A |

OrBit's persistence and adaptability underscore the growing sophistication of Linux-targeted threats, with attackers leveraging open-source tools to evade detection and maintain long-term access.
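The detection guidance above names artefacts and hashes but not the checks themselves. The Python below is an added example, not CrowdStrike's, Rankiteo's or the OrBit report's code: it runs three host-side checks that follow from the described behaviour of a preload-style userland rootkit. It parses /etc/ld.so.preload, looks for shared objects that are mapped into every sampled process in /proc/<pid>/maps (the footprint of a library injected into everything, whether via the preload file or a patched loader), and matches collected file hashes against the IOC table. All inputs are constructed: the library name libseconf.so, the PIDs and the map addresses are made up for illustration, and the glibc "core" baseline is an assumption to tune for your distribution.

```python
"""Offline triage for LD_PRELOAD-style userland rootkits such as OrBit.

Added example, not CrowdStrike's, Rankiteo's or the OrBit report's code. It
works on evidence already collected from a suspect host (/etc/ld.so.preload,
/proc/<pid>/maps, file bytes) so it runs anywhere; the samples below are
constructed, not real captures.
"""
import hashlib
import re
from collections import Counter

# SHA-256 hashes copied from the IOC table on this page.
ORBIT_SHA256 = {
    "40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020",  # 2022 payload, A
    "3ba6c174a72e4bf5a10c8aaadab2c4b98702ee2308438e94a5512b69df998d5a",  # 2023 payload, B
    "a61386384173b352e3bd90dcef4c7268a73cd29f6ae343c15b92070b1354a349",  # 2024 payload, A
    "04c06be0f65d3ead95f3d3dd26fe150270ac8b58890e35515f9317fc7c7723c9",  # 2025 infector
    "d7b487d2e840c4546661f497af0195614fc0906c03d187dc39815c811ea5ec3f",  # 2026 payload, A
}
# Directory the page names as OrBit's credential store; operators rotate paths.
KNOWN_ARTEFACT_DIRS = ("/lib/libseconf/",)
# Objects legitimately mapped into every process on a glibc host (assumed baseline).
GLIBC_CORE = re.compile(r"/(ld-linux[^/]*|ld-[\d.]+\.so|lib(c|m|dl|rt|pthread|resolv)[-.][^/]*)$")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def preload_libraries(preload_text):
    """Entries of /etc/ld.so.preload (whitespace separated, '#' comments).
    A host that does not deliberately preload anything should return []."""
    libs = []
    for line in preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def mapped_objects(maps_text):
    """File-backed shared objects in one /proc/<pid>/maps body."""
    objs = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode [pathname]
        if len(fields) == 6 and fields[5].startswith("/") and ".so" in fields[5]:
            objs.add(fields[5])
    return objs


def suspicious_objects(maps_by_pid, preload_libs=()):
    """Map each suspicious object to the reasons it was flagged. An injected
    library shows up in every unrelated process, so sample several PIDs."""
    counts = Counter()
    for text in maps_by_pid.values():
        counts.update(mapped_objects(text))
    sampled = len(maps_by_pid)
    findings = {}
    for obj, seen in counts.items():
        reasons = []
        if sampled >= 2 and seen == sampled and not GLIBC_CORE.search(obj):
            reasons.append("mapped into every sampled process")
        if obj in preload_libs:
            reasons.append("listed in ld.so.preload")
        if obj.startswith(KNOWN_ARTEFACT_DIRS):
            reasons.append("under known OrBit artefact directory")
        if reasons:
            findings[obj] = reasons
    return findings


def match_iocs(files, iocs=ORBIT_SHA256):
    """{path: sha256} for collected files whose hash is a known IOC."""
    return {p: sha256_hex(d) for p, d in files.items() if sha256_hex(d) in iocs}


# --- constructed sample evidence; library name, PIDs and addresses are made up ---
SAMPLE_PRELOAD = "# pushed by 'ops'\n/lib/libseconf/libseconf.so\n"
_COMMON = (
    "7f10c0000000-7f10c01e0000 r-xp 00000000 fd:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f10c0400000-7f10c0402000 r-xp 00000000 fd:01 1235 /lib64/ld-linux-x86-64.so.2\n"
    "7f10c0800000-7f10c0810000 r-xp 00000000 fd:01 9999 /lib/libseconf/libseconf.so\n"
    "7ffd00000000-7ffd00002000 r-xp 00000000 00:00 0 [vdso]\n"
)
SAMPLE_MAPS = {
    412: _COMMON + "7f10c1000000-7f10c1300000 r-xp 00000000 fd:01 2222 /usr/lib/x86_64-linux-gnu/libcrypto.so.3\n",
    980: _COMMON,
    1337: _COMMON + "7f10c2000000-7f10c2010000 r-xp 00000000 fd:01 3333 /usr/lib/x86_64-linux-gnu/libpam.so.0\n",
}
SAMPLE_FILES = {"/lib/libseconf/libseconf.so": b"placeholder bytes, not a real sample"}


def triage(preload_text=SAMPLE_PRELOAD, maps_by_pid=SAMPLE_MAPS, files=SAMPLE_FILES):
    """Run all three checks and return one report."""
    preload = preload_libraries(preload_text)
    return {
        "preload": preload,
        "injected": suspicious_objects(maps_by_pid, preload),
        "ioc_hits": match_iocs(files),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Two caveats follow from the page's own description. Because the implant hooks libc in every process, `ls`, `ps` and even a Python interpreter running on the infected host may be lied to, so collect the preload file, the maps and the file bytes with a statically linked tool or from a rescue boot and feed them to this script elsewhere. And a clean /etc/ld.so.preload is not exoneration: a rootkit that tampers with the loader itself can inject without that file, which is why the cross-process mapping check, not the preload check, is the one that matters.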
INCIDENT DETAILS -
TYPE
Rootkit
MOTIVATION
Espionage, Ransomware, Credential Harvesting
IMPACT
Data Compromised: SSH and sudo credentials, authentication flows; Systems Affected: Linux systems, including critical infrastructure and virtualized environments; Operational Impact: Long-term unauthorized access, hidden network connections, and process manipulation; Identity Theft Risk: High (stolen credentials)
DATA BREACH
Type Of Data Compromised: Authentication credentials (SSH, sudo); Sensitivity Of Data: High (privileged access credentials)

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for CrowdStrike?
What was CrowdStrike's A.I Rankiteo Cyber Score in May 2026?
What was CrowdStrike's A.I Rankiteo Cyber Score in April 2026?
What was CrowdStrike's A.I Rankiteo Cyber Score in March 2026?
What was CrowdStrike's A.I Rankiteo Cyber Score in February 2026?
What was CrowdStrike's A.I Rankiteo Cyber Score in January 2026?
What was CrowdStrike's A.I Rankiteo Cyber Score in December 2025?
What was CrowdStrike's A.I Rankiteo Cyber Score in November 2025?
What was CrowdStrike's A.I Rankiteo Cyber Score in October 2025?
What was CrowdStrike's A.I Rankiteo Cyber Score in September 2025?
What was CrowdStrike's A.I Rankiteo Cyber Score in August 2025?
What was CrowdStrike's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on CrowdStrike's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with CrowdStrike?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view CrowdStrike's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?