Inside the Exposed TheGentlemen Ransomware Toolkit on Proton66
In March 2026 Hunt.io researchers uncovered an open directory on the Russian bullet‑proof host Proton66 that contains the full TheGentlemen ransomware toolkit, complete with Mimikatz credential logs, ngrok tokens, and 21 MITRE ATT&CK techniques, providing a detailed view of the attackers' reconnaissance, privilege‑escalation, defense‑evasion, credential‑access, persistence, and encryption‑preparation stages.
Discovery Overview
In March 2026 Hunt.io researchers identified an open directory on the Russian bullet‑proof hosting provider Proton66 (IP 176.120.22[.]127:80). The directory contains 126 files (~140 MB) that form the complete TheGentlemen ransomware operator toolkit.
Open Directory Details
The directory is structured into 18 sub‑directories and 126 files. The server was last seen active on 2026‑02‑26. Files are grouped by function and include multiple redundant variants, indicating a deliberately organized operation.
Reconnaissance and Discovery
netscan.exe – SoftPerfect Network Scanner with a custom license and configuration file (netscan.xml, 119 KB) and an OUI lookup table (oui.txt, 1 MB). The scanner can enumerate IP ranges, open ports, shares, SNMP services and Active Directory structures.
routeprint.cmd – An 18‑byte batch script that prints the Windows routing table, revealing network segments, gateways, interfaces and VPN tunnels for lateral‑movement planning.
Privilege Escalation
PowerRun 32‑bit (783 KB, 2 malicious tags) and 64‑bit (946 KB, 4 malicious tags). PowerRun can launch processes with the TrustedInstaller token, which exceeds SYSTEM privileges. CyberXTron attributes PowerRun.exe to TheGentlemen for hijacking execution flows.
PowerTool variants (PowerTool64_new.exe, 4 MB; Power_Tool64.exe, 7 MB) provide process manipulation, driver unloading and kernel‑object control, extending PC Hunter capabilities.
Defense Evasion
The toolkit includes six overlapping tools and scripts to disable security controls, reflecting operational redundancy.
dControl.exe (458 KB) – Sordum Defender Control v2.1 with an INI that disables Windows Defender tamper protection and command‑line scanning.
“Granular Defender” (≈2 MB) – Adjusts ASR rules, exclusion paths and cloud‑protection settings.
Hybrid batch/PowerShell Defender Kill (≈11 KB) – Modified AveYo “Toggle Defender”. It builds a .NET type at runtime, then calls kernel32!CreateProcess with a stolen TrustedInstaller token.
Registry‑based Defender destroyer (≈4 KB) – Uses reg add to disable all Defender components, logging, scheduled tasks and adds drive‑wide exclusion paths.
Targeted AV and service killer (≈6 KB) – Stops and deletes services from dozens of security vendors, database engines and backup solutions.
Defender exclusion path manager (770 KB) – Programmatically manages Windows Defender exclusions as a stealthier alternative to full disablement.
Credential Access
The MIMIMI sub‑directory holds Mimikatz binaries (x86, x64, passrecpk) and a !logs folder with real credential dumps:
NTLM.txt (102 B) – Collected NTLM password hashes.
user.txt (69 B) – Enumerated victim usernames.
passwords.txt (2 B) – Empty password output file.
result.txt (7 KB) – Full Mimikatz execution output.
SHA.txt (42 B) – SHA‑1 hashes extracted from credentials.
A registry file enabling WDigest plaintext storage (UseLogonCredential=1) is also present, a prerequisite for extracting clear‑text passwords from LSASS.
Persistence and Remote Access
NG1.bat and NG2.bat – Each creates an ngrok reverse tunnel for RDP using a distinct authentication token.
RustDesk.exe (31 MB) – Open‑source remote‑desktop client providing a tunnel independent of ngrok.
rdp.exe – Lightweight RDP utility for lateral movement.
Pre‑Encryption and Support Tools
VmManagedSetup.exe (17 KB) – Likely used for virtualization reconnaissance before encryption.
7‑Zip 64‑bit (2 MB) and 32‑bit (1 MB) – Used to compress exfiltrated data and extract payloads on the victim host.
Anti‑Forensics
clearlog.bat implements a three‑stage evidence‑destruction routine:
Clears Windows event logs via wevtutil.exe.
Recursively deletes the recycle bin.
Removes RDP client registry entries and Default.rdp files.
Full Pre‑Encryption Deployment Script
z1.bat (35 KB) orchestrates seven phases:
Deletes security products and stops/disables over 30 Microsoft and third‑party services (e.g., Exchange, Oracle, MySQL, Tomcat, VMware Tools, TeamViewer, IIS).
Creates open SMB shares on every drive with full access.
Installs IFEO debuggers for “sticky‑keys” attacks.
Enables RDP.
Deletes VSS shadow copies via vssadmin.
Disables Windows Defender via multiple methods.
Launches the ransomware payload.
Technical Observations
Redundancy is a design principle: six distinct methods to disable Windows Defender reflect experience across varied enterprise environments.
Language‑fingerprint analysis shows consistent misspellings (e.g., “Delite Service”, “Sofos”), suggesting non‑native English speakers and possible exposure to Spanish‑language targets.
Ngrok tokens are stored in plain‑text batch files, prioritising operational convenience over credential security.
All tools are either legitimate dual‑use utilities (netscan, PowerRun, PC Hunter, ngrok, RustDesk, 7‑Zip) or well‑known attack tools (Mimikatz, dControl). No custom zero‑day exploits or novel malware were found.
MITRE ATT&CK Mapping
Discovery (T1046) – netscan.exe
Discovery (T1016) – routeprint.cmd
Privilege Escalation (T1134) – PowerRun, WinDefGpo_Reg.ps1
Defense Evasion (T1562.001) – dControl, def1.bat, z.bat, z1.bat, ConfigureDefender
Credential Access (T1003.001) – Mimikatz, enable_dump_pass.reg
Persistence (T1219) – ngrok, RustDesk
Impact – Inhibit System Recovery (T1490) – z1.bat (vssadmin)
Anti‑Forensics (T1070.001) – clearlog.bat, z1.bat
Indicators of Compromise
Network: IP 176.120.22[.]127, port 80, provider Proton66 (AS198953), Russia.
Ngrok tokens: 2gkRUQNkJyaGkvuDziSq1RGIrwl_4bGyJtv6ez2Hk8Hrd5zvq and 2ozoAve91tpILCwKCbRDNz7us8e_2qLk1aLKZoV4Y6TfrcfjK.
Key binaries and scripts with sizes (e.g., dControl.exe 458 KB – Defense Evasion; PowerRun_x64.exe 946 KB – Privilege Escalation; z1.bat 35 KB – Full Pre‑Encryption Script).
Detection Recommendations
Endpoint Monitoring
Alert on execution of PowerRun.exe or any process launched with a TrustedInstaller token.
Monitor changes to Windows Defender service state or registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
Detect batch‑based event‑log clearing and bulk service termination patterns.
Flag Mimikatz‑related behavior, especially LSASS memory access.
Watch for IFEO debugger modifications on accessibility binaries.
Alert on registry changes to UseLogonCredential for WDigest.
Detect mass creation of SMB shares with full access.
Network Monitoring
Block outbound connections to 176.120.22[.]127 and associated Proton66 infrastructure.
Monitor ngrok tunnel establishment and unusual internal scanning patterns matching SoftPerfect Network Scanner.
Generate alerts for anomalous RDP sessions.
Recovery Prevention
Alert on execution of vssadmin.exe deleting shadow copies.
Monitor bulk service disablement via sc config.
Detect modifications to the EnableLUA registry value.
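The recommendations above translate directly into telemetry rules. The script below is an added example, not code from Hunt.io or from the original article: it runs the endpoint, network and recovery‑prevention checks as rules over a handful of constructed Sysmon‑style events (process creation, process access and registry writes) and tags each hit with the ATT&CK technique given in the mapping section, or with the article's section name where the mapping gives none. The event field names, the allowlist of processes permitted to read LSASS, the bulk‑tampering threshold and the sample events are all assumptions to be adapted to your own telemetry schema.

```python
"""Rule-based triage of Sysmon-style events for the behaviours listed under Detection Recommendations.

Added example; not code from Hunt.io or the original article. Event dictionaries and
field names are constructed to resemble Sysmon Event ID 1 (ProcessCreate), 10
(ProcessAccess) and 13 (RegistryEvent SetValue). Map them onto your own telemetry.
"""
import re
from collections import Counter

BULK_THRESHOLD = 4  # assumption: this many sc stop/delete/disable commands under one parent = bulk tampering

# (label, technique ID from the article's ATT&CK mapping, or its section name where none is given, pattern)
PROCESS_RULES = [
    ("shadow copy deletion", "T1490", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("event log clearing", "T1070.001", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("ngrok tunnel setup", "T1219", re.compile(r"\bngrok(\.exe)?\s+(tcp|http|start|authtoken|config)\b", re.I)),
    ("TrustedInstaller-token launcher", "T1134", re.compile(r"\bpowerrun[\w-]*\.exe\b", re.I)),
    ("open SMB share created", "Full Pre-Encryption Script",
     re.compile(r"\bnet1?(\.exe)?\s+share\s+\S+=\S+.*?/grant:[^\s,]+,full\b", re.I)),
]
SERVICE_TAMPER = re.compile(
    r"\bsc(\.exe)?\s+(stop|delete)\s+\S+|\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled", re.I)

# (label, technique, TargetObject pattern, required DWORD value, or None for "any write")
REGISTRY_RULES = [
    ("Defender policy key modified", "T1562.001",
     re.compile(r"\\Policies\\Microsoft\\Windows Defender\\", re.I), None),
    ("WDigest plaintext credentials enabled", "T1003.001",
     re.compile(r"\\SecurityProviders\\WDigest\\UseLogonCredential$", re.I), 1),
    ("IFEO debugger on accessibility binary", "Full Pre-Encryption Script",
     re.compile(r"\\Image File Execution Options\\(sethc|utilman|osk|narrator|magnify|displayswitch|atbroker)\.exe\\Debugger$", re.I), None),
    ("UAC disabled (EnableLUA=0)", "Recovery Prevention",
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I), 0),
]
# Assumption: processes allowed to open LSASS with read access; tune to the estate's EDR/AV agents.
LSASS_ALLOWLIST = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe"}
PROCESS_VM_READ = 0x0010  # Win32 access right required to read another process's memory


def dword_value(details):
    """Parse a Sysmon Details string such as 'DWORD (0x00000001)' into an int; None if not numeric."""
    m = re.search(r"0x([0-9a-f]+)|(\d+)", details or "", re.I)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def triage(events):
    """Return one finding per matched rule, plus one bulk-tampering finding per parent over the threshold."""
    findings, tamper_counts = [], Counter()
    for ev in events:
        host = ev.get("Computer", "?")
        if ev["EventID"] == 1:  # ProcessCreate: match on the command line
            cmd = ev.get("CommandLine", "")
            for label, tech, pat in PROCESS_RULES:
                if pat.search(cmd):
                    findings.append({"host": host, "rule": label, "technique": tech, "evidence": cmd})
            if SERVICE_TAMPER.search(cmd):  # counted, not alerted individually: a single sc stop is routine
                tamper_counts[(host, ev.get("ParentProcessId"))] += 1
        elif ev["EventID"] == 13:  # RegistryEvent SetValue: match on key path and, where it matters, the value
            target, value = ev.get("TargetObject", ""), dword_value(ev.get("Details"))
            for label, tech, pat, want in REGISTRY_RULES:
                if pat.search(target) and (want is None or value == want):
                    findings.append({"host": host, "rule": label, "technique": tech,
                                     "evidence": f"{target} = {ev.get('Details')}"})
        elif ev["EventID"] == 10:  # ProcessAccess: non-allowlisted image reading LSASS memory
            src, tgt = ev.get("SourceImage", "").lower(), ev.get("TargetImage", "").lower()
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            if tgt.endswith("\\lsass.exe") and src not in LSASS_ALLOWLIST and granted & PROCESS_VM_READ:
                findings.append({"host": host, "rule": "LSASS memory read", "technique": "T1003.001",
                                 "evidence": f"{src} -> lsass.exe ({ev['GrantedAccess']})"})
    for (host, ppid), n in tamper_counts.items():
        if n >= BULK_THRESHOLD:
            findings.append({"host": host, "rule": "bulk service stop/disable", "technique": "T1562.001",
                             "evidence": f"{n} sc stop/delete/disable commands under parent PID {ppid}"})
    return findings


# Constructed telemetry for a single host; not real logs.
def _proc(cmd, ppid=4242):
    return {"EventID": 1, "Computer": "WS01", "ParentProcessId": ppid, "CommandLine": cmd}

def _reg(target, details):
    return {"EventID": 13, "Computer": "WS01", "TargetObject": target, "Details": details}

def _access(src, granted):
    return {"EventID": 10, "Computer": "WS01", "SourceImage": src,
            "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": granted}

IFEO = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
SAMPLE_EVENTS = [
    _proc("vssadmin delete shadows /all /quiet"),
    _proc("wevtutil.exe cl Security"),
    _proc("net share share_c=C:\\ /grant:everyone,full"),
    _proc("ngrok.exe tcp 3389"),
    _proc("C:\\Tools\\PowerRun_x64.exe cmd.exe"),
    _proc("sc stop MSSQLSERVER"), _proc("sc config WinDefend start= disabled"),
    _proc("sc delete TeamViewer"), _proc("sc stop VMTools"),
    _proc("sc query wuauserv", ppid=9001),  # benign single query: no finding
    _reg("HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "DWORD (0x00000001)"),
    _reg("HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "DWORD (0x00000001)"),
    _reg(IFEO + "sethc.exe\\Debugger", "C:\\constructed\\debugger.exe"),
    _reg("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "DWORD (0x00000000)"),
    _reg("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "DWORD (0x00000001)"),  # re-enable: no finding
    _access("C:\\Temp\\dump.exe", "0x1010"),
    _access("C:\\Windows\\System32\\csrss.exe", "0x1fffff"),  # allowlisted
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['rule']}: {f['evidence']}")
```

Run stand‑alone it prints eleven findings for the sample host: one per matched process or registry rule, the LSASS read, and a single bulk‑tampering finding that aggregates the four sc commands instead of alerting on each. Two design points carry over to real deployments: Sysmon only emits Event ID 13 for keys your Sysmon configuration includes, so the Defender, WDigest, IFEO and EnableLUA paths must be in that config for the registry rules to see anything; and the service‑tampering rule deliberately keys on the parent process, because z1.bat‑style scripts issue dozens of sc commands from one cmd.exe, which is the pattern that separates them from an administrator stopping a single service.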
Conclusion
The exposed directory confirms that an affiliate of TheGentlemen actively leveraged Proton66 infrastructure for ransomware operations. Mimikatz credential logs, exposed ngrok tokens, and the meticulously organized toolkit demonstrate real‑world attacks against genuine targets. Defenders should focus on monitoring the documented behavioral sequences—defender tampering, credential dumping, VSS deletion, and bulk service termination—to detect and disrupt this threat chain.