Statistics tab showing all analyzed scripts classified as Malicious across Exploit and Config categories | Image: Hunt.io
Researchers have uncovered a “structured, maintained operational toolkit” belonging to an affiliate of TheGentlemen ransomware-as-a-service (RaaS) group. Discovered on March 12, 2026, by the Hunt.io research team, the toolkit was found sitting in an unauthenticated open directory on Proton66, a Russian “bulletproof” hosting provider known for supporting major malware campaigns like XWorm and SuperBlack.
Researchers noted that the directory was far from a random collection of files. Instead, it represented a meticulously organized hierarchy mapping to 21 MITRE ATT&CK techniques. From initial reconnaissance to “scorched-earth” pre-encryption preparation, the toolkit provides a window into the standard operating procedure of a modern ransomware affiliate.
Key components identified in the “64_bit_new” and “MIMIMI” directories include:
- Credential Harvesting: Mimikatz output logs containing harvested NTLM hashes and victim usernames, proving the tools were “actively used against real targets, not merely staged”.
- Privilege Escalation: Multiple versions of PowerRun, a utility that allows attackers to impersonate TrustedInstaller—the highest privilege level on Windows—to delete security services that even SYSTEM-level accounts cannot touch.
- Persistence & Remote Access: Two ngrok authentication tokens exposed in cleartext, used to establish reverse RDP tunnels that bypass inbound firewalls by appearing as legitimate outbound HTTPS traffic.
The crown jewel of the toolkit is z1.bat, a 35 KB batch script described by researchers as a “single-execution pre-ransomware deployment weapon”. While early-stage scripts like z.bat are used for stealthy, interactive reconnaissance, z1.bat is designed for maximum impact immediately before the ransomware is detonated.
According to the report:
“z1.bat is the production-grade deployment script designed to be executed immediately before ransomware launch… where stealth is no longer relevant and maximum impact is the priority”.
This script performs a staggering array of malicious actions in seconds:
- Service Destruction: Systematically stops, disables, and deletes services for 12 different security vendors, as well as Microsoft Exchange, SQL Server, and backup infrastructure like Veeam.
- Registry Annihilation: Purges registry entries for over 40 security products, some spanning nearly a decade of product releases.
- Inhibiting Recovery: Executes vssadmin.exe Delete Shadows /All /Quiet to wipe all Windows backup snapshots, ensuring victims cannot restore their files without paying.
- Backdoor Installation: Installs “Sticky Keys” accessibility backdoors (IFEO debugger redirects) to maintain SYSTEM-level access even if other tools are removed.
The toolkit contains six distinct methods for disabling Windows Defender alone. As the researchers observed:
“This is not carelessness or disorganization; it is a deliberate strategy reflecting the operator’s experience encountering diverse enterprise environments with varying security configurations”.
Because nearly every tool in the directory is a legitimate “dual-use” utility (like SoftPerfect Network Scanner or 7-Zip), detection cannot rely on simple file signatures. Security teams must instead focus on behavioral monitoring—watching for the specific, lethal sequence of these tools that signals a Gentlemen-affiliated intrusion is underway.
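As an added illustration of that behavioral approach (example code written for this article, not from Hunt.io's report or the affiliate's toolkit), the following Python detector groups process-creation events per host and raises an alert when two or more of the z1.bat stages described above (service tampering, shadow-copy deletion, an IFEO Debugger value being set) occur within a short window. The sample events, the 10-minute window and the two-stage threshold are constructed assumptions, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (host, ISO timestamp, command line),
# modelled on the z1.bat behaviours the report describes; not real telemetry.
SAMPLE_EVENTS = [
    ("SRV01", "2026-03-12T09:00:01", "sc.exe stop VeeamBackupSvc"),
    ("SRV01", "2026-03-12T09:00:02", "sc.exe delete VeeamBackupSvc"),
    ("SRV01", "2026-03-12T09:00:05", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("SRV01", "2026-03-12T09:00:07", r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT'
     r'\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /d cmd.exe /f'),
    ("WS07", "2026-03-12T10:15:00", "vssadmin.exe list shadows"),   # benign: no delete
    ("WS07", "2026-03-12T11:30:00", "sc.exe stop Spooler"),         # single stage only
]

# One pattern per stage of the pre-encryption sequence described in the article.
STAGE_PATTERNS = {
    "service_tamper": re.compile(r"\bsc(\.exe)?\s+(stop|config|delete)\b", re.I),
    "shadow_copy_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "ifeo_debugger": re.compile(r"image file execution options\\.*?\s/v\s+debugger\b", re.I),
}
WINDOW = timedelta(minutes=10)  # assumed: one z1.bat run lands within minutes
MIN_STAGES = 2                  # assumed: two distinct stages on one host = alert

def classify(cmdline):
    """Return the set of stage names a single command line matches."""
    return {name for name, pat in STAGE_PATTERNS.items() if pat.search(cmdline)}

def detect_pre_ransomware_sequence(events, window=WINDOW, min_stages=MIN_STAGES):
    """Alert per host when >= min_stages distinct stages occur within `window`.
    Returns {host: sorted stage names} for every host that trips the rule."""
    hits = defaultdict(list)
    for host, ts, cmdline in events:
        for stage in classify(cmdline):
            hits[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, items in hits.items():
        items.sort()  # chronological; each hit is tried as the window start
        for i, (start, _) in enumerate(items):
            stages = {s for t, s in items[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts

if __name__ == "__main__":
    for host, stages in detect_pre_ransomware_sequence(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: pre-ransomware stages {stages}")
```

In production the same grouping would run over Sysmon Event ID 1 or EDR process telemetry rather than an inline list, and the service-tamper pattern would be narrowed to the security, backup and database service names an environment actually runs.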