## EtherRAT and TukTuk Malware Chain Leads to The Gentleman Ransomware Domain-Wide Deployment via Blockchain C2 Infrastructure
An intrusion chain observed in April 2026 shows threat actors moving command-and-control (C2) configuration onto a public blockchain. Initial access came from EtherRAT, delivered in a malicious MSI installer posing as a Sysinternals tool; Microsoft ships Sysinternals as signed executables in zip archives (and through the Microsoft Store), not as MSI packages, so the installer format itself was a warning sign. What sets the campaign apart is EtherHiding: the C2 configuration is stored in the state of an Ethereum smart contract and fetched by the implant with ordinary read-only calls to public nodes. The operators can repoint infrastructure by rewriting the contract state without touching the deployed malware, the requests look like any other Web3 traffic, and there is no single server for defenders to take down.
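The exchange below, in Python, is an added illustration of the generic EtherHiding read pattern, not code from the report or from EtherRAT (the page does not describe EtherRAT's exact retrieval routine). The contract address, four-byte function selector, node URL and stored configuration are placeholders constructed for the example. It shows the `eth_call` request a loader sends, how the ABI-encoded `string` in the node's reply is decoded into a C2 config, and the one field a network sensor can key on.

```python
"""Generic EtherHiding read: a constructed eth_call exchange (added example, not EtherRAT's code).

A read-only eth_call costs no gas, creates no transaction, and returns whatever the
contract owner last wrote, so the C2 config changes without any change to the implant.
"""
import json

RPC_URL = "https://rpc.example.invalid"   # placeholder: any public Ethereum JSON-RPC node
CONTRACT = "0x" + "11" * 20                # placeholder contract address (assumption)
SELECTOR = "0xdeadbeef"                    # placeholder: first 4 bytes of keccak256(signature)


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> dict:
    """JSON-RPC body for a read-only contract call at the latest block."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_encode_string(s: str) -> str:
    """ABI-encode one dynamic `string` return value as 0x-hex.
    Layout: 32-byte offset (0x20), 32-byte length, data padded to a 32-byte boundary."""
    data = s.encode()
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + data + b"\x00" * (-len(data) % 32)).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode the `result` of an eth_call whose return type is a single `string`."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI-encoded string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds the response")
    return raw[start:start + length].decode()


def c2_config_from_response(response: dict) -> dict:
    """Turn the node's reply into the operator-controlled config (JSON format is an assumption)."""
    if "error" in response:
        raise RuntimeError(response["error"])
    return json.loads(abi_decode_string(response["result"]))


def looks_like_contract_read(body: bytes) -> bool:
    """Detection hook: a JSON-RPC state read from a process that has no business doing Web3."""
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    return obj.get("jsonrpc") == "2.0" and obj.get("method") in {"eth_call", "eth_getStorageAt"}


# Constructed node response: the config the contract owner currently has stored.
FAKE_NODE_RESPONSE = {
    "jsonrpc": "2.0",
    "id": 1,
    "result": abi_encode_string(json.dumps({"c2": "https://c2.example.invalid/api", "sleep": 300})),
}


def demo() -> dict:
    """Run the whole exchange offline: request built, reply decoded, request classified."""
    request = build_eth_call(CONTRACT, SELECTOR)
    return {
        "request": request,
        "config": c2_config_from_response(FAKE_NODE_RESPONSE),
        "detected": looks_like_contract_read(json.dumps(request).encode()),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The defensive point is in `looks_like_contract_read`: the request is indistinguishable from a wallet or dApp at the TLS layer, so blocking by destination fails; the usable signal is a JSON-RPC `eth_call` body originating from a process (an MSI-installed "Sysinternals" binary, a screen-capture tool) that should never talk to an Ethereum node.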

Following initial access, the actors performed reconnaissance, then deployed the TukTuk malware framework by DLL sideloading into legitimate signed applications, Greenshot and SyncTrayzor, so the malicious code executed under a trusted parent process. TukTuk's C2 ran over SaaS platforms rather than attacker-owned servers: ClickHouse and Supabase were the primary channels, with Ably, Dropbox and GitHub Issues as fallbacks. Because those services are in legitimate use at many enterprises, the traffic blended with normal activity and could not be blocked by destination alone. The operators then Kerberoasted service accounts, harvested credentials with Mimikatz and LSASS memory dumps, and moved laterally across the domain with GoTo Resolve, a legitimate RMM product, so the lateral movement itself looked like routine administration.

The final stage exfiltrated data to Wasabi cloud storage with Rclone, then deployed The Gentleman ransomware domain-wide through a malicious Group Policy Object (GPO). The defensive lesson is the deliberate layering: blockchain-hosted C2 configuration, SaaS-based C2 channels and a legitimate RMM tool each defeat a different network-based control, so no single block list would have stopped the intrusion. Concretely, verify the Authenticode signature and publisher of Sysinternals binaries before running them and treat an MSI claiming to be one as suspect; alert on DLLs loaded by Greenshot, SyncTrayzor and similar utilities from outside their install or Windows system directories, or without a valid signature; restrict which RMM products may run and alert on new installations; and monitor GPO creation and modification on domain controllers (Directory Service object changes, Event ID 5136, plus scheduled tasks or scripts added through Group Policy), since a single GPO push is how the ransomware reached every host.
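The sideloading described above and the DLL-load monitoring recommended here can be exercised with the Python below, an added example that is not part of the report. It runs detection logic over constructed Sysmon Event ID 7 (ImageLoaded) records rendered as `key=value` fields; the report does not name the DLL TukTuk planted, so the list of commonly hijacked DLL names and the sample paths and signers are assumptions for illustration.

```python
"""Sideload detection over Sysmon Event ID 7 (ImageLoaded) records.
Added example; the log lines and DLL names are constructed, not from the reported intrusion."""
from dataclasses import dataclass
from typing import List, Optional
import ntpath

# Applications the report names as sideload hosts.
WATCHED_HOSTS = {"greenshot.exe", "synctrayzor.exe"}
# Loads from these directories are the normal case and are never flagged.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# DLL names frequently dropped beside a host binary for search-order hijacking.
# Illustrative assumption: the report does not say which DLL TukTuk used.
COMMONLY_PLANTED = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll"}


@dataclass
class ImageLoad:
    image: str             # process that performed the load
    image_loaded: str      # DLL path
    signed: bool
    signature_status: str  # Sysmon values such as "Valid" or "Unavailable"
    signature: str         # signer subject, empty if unsigned


def parse_sysmon7(line: str) -> ImageLoad:
    """Parse a flattened 'Field=value|Field=value' rendering of an Event ID 7 record (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", "Unavailable"),
        signature=fields.get("Signature", ""),
    )


def classify(ev: ImageLoad) -> Optional[str]:
    """Return an alert string for a suspicious load by a watched host, else None."""
    host = ntpath.basename(ev.image).lower()
    if host not in WATCHED_HOSTS:
        return None
    dll = ev.image_loaded.lower()
    if dll.startswith(SYSTEM_DIRS):
        return None  # resolved from the Windows system directory: expected behaviour
    name = ntpath.basename(dll)
    if not ev.signed or ev.signature_status != "Valid":
        return f"{host} loaded unsigned or invalid DLL from non-system path: {ev.image_loaded}"
    # A validly signed DLL can still be planted: a system DLL name carrying a non-Microsoft signer.
    if name in COMMONLY_PLANTED and "microsoft" not in ev.signature.lower():
        return f"{host} loaded {name} signed by '{ev.signature}' from non-system path: {ev.image_loaded}"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run every record through classify() and collect the alerts."""
    return [verdict for verdict in (classify(parse_sysmon7(ln)) for ln in lines) if verdict]


# Constructed records: one benign system load, one unsigned sideload, one legitimate
# third-party dependency, one signed-but-planted system DLL name, one unwatched host.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Greenshot\\Greenshot.exe|ImageLoaded=C:\\Windows\\System32\\version.dll"
    "|Signed=true|SignatureStatus=Valid|Signature=Microsoft Windows",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\gs\\Greenshot.exe"
    "|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\gs\\version.dll"
    "|Signed=false|SignatureStatus=Unavailable|Signature=",
    "Image=C:\\Program Files\\SyncTrayzor\\SyncTrayzor.exe"
    "|ImageLoaded=C:\\Program Files\\SyncTrayzor\\Newtonsoft.Json.dll"
    "|Signed=true|SignatureStatus=Valid|Signature=Newtonsoft",
    "Image=C:\\Program Files\\SyncTrayzor\\SyncTrayzor.exe"
    "|ImageLoaded=C:\\Program Files\\SyncTrayzor\\version.dll"
    "|Signed=true|SignatureStatus=Valid|Signature=Contoso Software Ltd",
    "Image=C:\\Windows\\System32\\notepad.exe|ImageLoaded=C:\\Users\\alice\\evil.dll"
    "|Signed=false|SignatureStatus=Unavailable|Signature=",
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Two records fire: the unsigned `version.dll` beside a Greenshot copy in a Temp directory, and a validly signed `version.dll` in SyncTrayzor's install directory whose signer is not Microsoft. The second rule matters because the page's actors used legitimate signed applications as hosts; a check that trusts any valid signature would miss a planted DLL the attackers signed themselves. Feed real Sysmon data in via the `|`-separated format or replace `parse_sysmon7` with your own event parser; the rules in `classify` do not depend on the transport.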
---
- **Source**: Mastodon:mastodon.social:#infosec
- **Sector**: The Lab
- **Tags**: ransomware, malware, threat-intelligence, blockchain-c2, etherhiding
- **Credibility**: unverified
- **Published**: 2026-05-11 21:18:32
- **ID**: 81960
- **URL**: https://whisperx.ai/en/intel/81960