Self-Spreading Ransomware, AI-Built Lures, and a Weaponized Update Channel All Beat the Same Control: Your Approval Chain
A self-propagating Go encryptor, AI-generated lures, and trojanized update channels point to one problem: defender approval chains move slower than attacker automation.
INTRODUCTION
This week’s most consequential development is not a new vulnerability. It is a new tempo. Four unrelated campaigns shipped capabilities that move faster than the human decision-making most defenses still depend on, and each one routed straight past the approval chain.
Storm-2697 deployed The Gentlemen, a Go-based ransomware that propagates itself across networks over SMB, WMI, and PsExec at the same time, without waiting for an operator. Russia-linked GreyVibe used ChatGPT and Gemini to generate phishing lures and custom malware at production scale against Ukrainian targets. Attackers exploited FortiClient EMS to push a credential stealer disguised as a routine endpoint update, through the management infrastructure enterprises trust to protect devices. And Iran’s Nimbus Manticore distributed trojanized Zoom installers to US firms as part of an IRGC-linked campaign following Operation Epic Fury.
The entry points varied. The tempo did not. Each campaign exploited the same defender assumption: that there would be enough time between detection and impact to convene a human decision.
If your containment playbook requires a phone call before network isolation fires, whose timeline are you optimizing for?
WEEKLY SIGNALS ANALYSIS
Self-propagating ransomware eliminates the operator bottleneck that gave defenders time. Review whether your automated containment controls can isolate a spreading encryptor without waiting for SOC analyst approval. If lateral movement detection triggers an alert but not an action, your architecture concedes the network.
AI-generated lures have collapsed the cost of high-quality social engineering to near zero. Retrain phishing simulations to reflect that grammatical perfection and contextual relevance are now baseline attacker capabilities, not indicators of a sophisticated adversary.
Endpoint management infrastructure is now a delivery mechanism for attackers, not just a target. Audit the trust relationship between your EMS platform and managed endpoints. If an update pushed through FortiClient EMS executes without secondary verification, the management plane is indistinguishable from a C2 channel.
Nation-state actors are embedding malware inside software people install voluntarily. Validate download integrity for collaboration tools like Zoom at the network and endpoint level. Trojanized installers bypass every control that assumes the user chose to run a legitimate application.
What not to over-index on: how the attacker got in. The entry points varied, but the defender problem was consistent: once execution started, attacker automation moved faster than human escalation.
THIS WEEK’S SIGNALS
Signal 1: The Gentlemen Ransomware Removes the Human Operator from the Kill Chain
Why it matters: Storm-2697’s Gentlemen ransomware is a Go-based encryptor that propagates itself across networks using SMB, WMI, and PsExec simultaneously, encrypting files with per-file ephemeral keys. This eliminates the traditional bottleneck where a human operator manually moves laterally, giving defenders their narrowest response window yet.
What is being misread: Self-propagating malware is not new. The mistake is assuming that a familiar technique creates a familiar response window. The Gentlemen matters because its concurrent use of SMB, WMI, and PsExec turns a known ransomware pattern into an automation-speed containment problem. The architectural flaw is not that defenders have never seen worms before. It is that many response workflows still route worm-speed events through human-speed approval chains.
Think Red (Douglas McKee): I am not inventing wormable malware. I am counting on you treating it like a problem your playbooks already solved. Why pay operators to move laterally one host at a time when the encryptor can fan out over SMB, WMI, and PsExec in parallel? I do not need to hide if I can spread faster than your containment authority can move. Every approval step gives me another subnet. The technique is old. Your response model is the thing that has not caught up.
Act Blue (Ismael Valenzuela): The reality is that most containment workflows were designed for adversaries who move at human speed, and The Gentlemen does not. The question worth asking is whether your EDR and NDR can isolate without a human in the loop, because the kill chain on the other side already does. Microsoft Defender for Endpoint, CrowdStrike Falcon, and SentinelOne can all isolate endpoints automatically, though the trigger is a high-confidence compromise verdict, not a "concurrent lateral movement" toggle, and the maturity varies. For example, Defender's automatic device isolation is still in preview and reaches only managed workstations, so it will not by itself stop propagation to servers or unmanaged hosts, exactly where a worm over SMB, WMI, and PsExec goes. Knowing those gaps before an incident finds them is half the work. Pre-authorized network segmentation covers much of the rest, letting VLAN isolation fire on high-confidence ransomware indicators without a ticket. None of it matters, though, unless detection catches the propagation early: simultaneous SMB sessions to multiple hosts from one source within seconds, sharpened by correlation with PsExec service installation and WMI process creation. The principle is straightforward. If the attacker's kill chain is fully automated, defender containment has to be too. Any step where a human must approve before isolation executes is a step the worm will spend encrypting files.
Supporting sources:
Microsoft Security Blog: Comprehensive analysis of The Gentlemen ransomware’s self-propagation module and per-file encryption
CSO Online: Coverage of The Gentlemen’s Go-based self-propagation capabilities and lateral movement techniques
Unit 42: Analysis of the evolving cyber extortion economy and data theft trends
Signal 2: GreyVibe Uses Commercial AI to Industrialize Attack Generation Against Ukraine
Why it matters: A Russia-linked threat cluster called GreyVibe has been using ChatGPT, Gemini, and other commercial AI platforms to generate phishing lures, develop custom malware, and accelerate campaign execution against Ukrainian entities since at least August 2025. This is evidence that AI has moved from experimental attacker tool to integrated operational infrastructure.
What is being misread: Again, like Signal 1, the concept is not new. AI-assisted phishing has been part of the attacker conversation for years. The mistake is treating it as a message-quality problem instead of a campaign-scale problem. GreyVibe matters because AI collapses the cost of variation across languages, roles, target context, and tooling iterations without adding more operators. The defensive gap is any detection model that still expects reuse, templates, or recognizable campaign patterns.
Think Red (Douglas McKee): Unlike the current hot news topic, I do not need AI to find me a zero-day. I need it to remove the cost of personalization. Fifty lures, fifty tones, fifty role-specific angles, all generated faster than a human operator could write the first draft. Like always with phishing, my objective is one believable message that gets one user to trust the next step, and AI has increasingly gotten better at this while also making it scalable. The win condition here is not smarter malware. It is credibility at scale.
Act Blue (Ismael Valenzuela): AI-generated lures increasingly defeat the detection model most email security stacks were built on, which is pattern matching against known-bad templates and linguistic anomalies. The more durable approach is behavioral analysis at the gateway, weighting signals like a newly registered sender domain or no prior communication history with the recipient above content inspection, regardless of how polished the message reads. Microsoft Defender for Office 365 and Proofpoint both offer sender-reputation and behavioral scoring that can carry more weight than the content itself. That alone is not enough. When GreyVibe generates a unique lure for every target, the first reliable sensor is often the human who receives it, which makes user reporting workflows that feed directly into automated investigation worth real investment. Reporting that is frictionless, one-click in Outlook or wired into Slack for SOC triage, gets used, and closing the loop by telling reporters what came of their submission is what keeps them reporting. The principle is this. When the adversary can generate infinite unique content, detection has to pivot from inspecting the message to scrutinizing the messenger, and from waiting to be targeted to setting traps the adversary cannot see coming.
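The sender-centric scoring described above, as an added example that is not part of the newsletter or either author's tooling: it weights domain age, prior relationship, reply-to consistency and authentication result, and never inspects message content. The domain-age feed, relationship graph, messages, thresholds and point values are all constructed assumptions chosen to show the shape of the logic; a real gateway would source the first two from WHOIS or passive DNS and its own delivery history.

```python
"""Sender-centric scoring for a mail gateway (added example, constructed data).

Scores the messenger rather than the message: domain age, prior relationship,
reply-to consistency and authentication result. Content is never inspected,
so a polished AI-written lure gains nothing from reading well.
"""
from datetime import date

# Constructed stand-ins for a WHOIS / passive-DNS feed and the gateway's
# relationship graph (recipient, sender domain) built from past delivered mail.
DOMAIN_FIRST_SEEN = {
    "trusted-vendor.example": date(2019, 3, 2),
    "ministry-notice.example": date(2026, 4, 14),   # six days before the sample mail
    "partner-org.example": date(2024, 1, 10),
}
PRIOR_CONTACT = {
    ("alice@corp.example", "trusted-vendor.example"),
}

NEW_DOMAIN_DAYS = 30            # assumed "newly registered" cut-off
QUARANTINE_AT, FLAG_AT = 60, 30  # assumed verdict thresholds


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def score_message(msg, today, first_seen=DOMAIN_FIRST_SEEN, prior=PRIOR_CONTACT):
    """Return (score, reasons, verdict) using sender signals only."""
    score, reasons = 0, []
    sender_dom = domain_of(msg["from"])

    seen = first_seen.get(sender_dom)
    if seen is None:
        score += 25
        reasons.append("sender domain unknown to intel feed")
    elif (today - seen).days < NEW_DOMAIN_DAYS:
        score += 40
        reasons.append(f"sender domain registered {(today - seen).days} days ago")

    if (msg["to"].lower(), sender_dom) not in prior:
        score += 30
        reasons.append("no prior communication with recipient")

    if msg.get("reply_to") and domain_of(msg["reply_to"]) != sender_dom:
        score += 15
        reasons.append("reply-to domain differs from sender domain")

    if msg.get("auth") != "pass":
        score += 20
        reasons.append("SPF/DKIM not passing")

    verdict = ("quarantine" if score >= QUARANTINE_AT
               else "flag" if score >= FLAG_AT else "deliver")
    return score, reasons, verdict


def build_sample_messages():
    """Constructed messages; the lure (m2) passes DKIM and reads perfectly on purpose."""
    return [
        {"id": "m1", "from": "invoices@trusted-vendor.example",
         "to": "alice@corp.example", "auth": "pass"},
        {"id": "m2", "from": "press@ministry-notice.example",
         "to": "alice@corp.example", "auth": "pass"},
        {"id": "m3", "from": "legal@partner-org.example", "to": "alice@corp.example",
         "reply_to": "legal@partner-org-mail.example", "auth": "pass"},
    ]


def triage(messages, today=date(2026, 4, 20)):
    """Map message id to verdict; useful as the gateway's decision hook."""
    return {m["id"]: score_message(m, today)[2] for m in messages}


if __name__ == "__main__":
    for m in build_sample_messages():
        print(m["id"], score_message(m, date(2026, 4, 20)))
```

The lure in the sample (m2) authenticates cleanly and would pass any content filter; it is quarantined purely because the domain is six days old and has never written to the recipient. The user-reporting loop the text recommends plugs in naturally here: a reported message from a domain that scored "deliver" is the signal to lower that domain's trust for every other recipient.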
Supporting sources:
BleepingComputer: GreyVibe’s use of ChatGPT and Gemini for generating lures and custom malware tools targeting Ukraine
SecurityWeek: Analysis of GreyVibe’s AI-powered attack methodology and implications for future threat actor operations
The Hacker News: Attribution details and campaign timeline for GreyVibe operations against Ukrainian entities
Signal 3: FortiClient EMS Exploitation Turns Endpoint Management Into a Malware Delivery Channel
Why it matters: Attackers are exploiting CVE-2026-35616, an authentication bypass in FortiClient Enterprise Management Server, to push a previously undocumented credential stealer called EKZ to managed endpoints. The malware was disguised as a legitimate Fortinet endpoint update. This means the very infrastructure organizations deploy to manage and secure endpoints became the mechanism for compromising them.
What is being misread: The conventional response focuses on patching the CVE, which Fortinet addressed with hotfixes in April. That is necessary but insufficient. The deeper architectural problem is that endpoint management systems operate with implicit trust. Managed endpoints accept updates and policy changes from EMS without independent verification. Attackers who compromise the management plane inherit that trust relationship and can push arbitrary payloads to every managed device. Patching the vulnerability does not fix the trust model.
Think Red (Douglas McKee): I do not need to compromise every endpoint when I can compromise the system every endpoint already obeys. FortiClient EMS gives me distribution, legitimacy, and scale in one move. My payload arrives as an update, not an intrusion, and that changes how every control reacts to it. I am aiming for credential theft from a trusted management push. I am not bypassing your endpoint program. I am borrowing its authority.
Act Blue (Ismael Valenzuela): Endpoint management systems occupy a position of extraordinary privilege, and that privilege was designed without adversarial assumptions. CVE-2026-35616 is the immediate item: Fortinet released hotfixes in April, exploitation has been confirmed in the wild, and any unpatched EMS is the first thing worth closing. Patching is necessary but not sufficient, though. Integrity verification for binaries and scripts pushed through EMS matters just as much, with endpoints validating Fortinet's signature on vendor updates and rejecting anything that fails, and with your own internally distributed scripts signed and verified the same way. The server itself deserves domain-controller-grade scrutiny: anomalous authentication, unexpected administrative sessions, and policy pushes outside the change window are all worth alerting on. According to Arctic Wolf's analysis, the EKZ stealer was delivered through standard management channels, which means a network baseline that profiles normal EMS-to-endpoint communication is what makes the abnormal visible. The principle applies well beyond Fortinet. Any management platform with implicit push authority to endpoints is one compromise away from becoming a distribution network for the adversary.
Supporting sources:
Arctic Wolf: FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch
BleepingComputer: Details on CVE-2026-35616 exploitation and EKZ infostealer delivery via FortiClient EMS
SecurityWeek: Fortinet’s hotfix timeline and confirmation of zero-day exploitation
Help Net Security: Analysis of malicious payload presented as Fortinet endpoint update through managed VPN scripts
The Hacker News: Arctic Wolf’s campaign analysis detailing credential theft through trusted endpoint management infrastructure
Rapid Risk Radar: CVE-2026-35616
Signal 4: Iran’s Nimbus Manticore Deploys Trojanized Zoom Installers Against US Firms Post-Operation Epic Fury
Why it matters: Iran’s Nimbus Manticore, an IRGC-linked threat group, distributed trojanized Zoom installers to US organizations as part of a broader cyber campaign following the February 2026 US-Israeli strikes on Iran under Operation Epic Fury. This marks a concrete escalation from espionage-focused operations to destructive and intelligence-gathering campaigns against US private-sector targets in response to kinetic military action.
What is being misread: The framing of Iranian cyber operations as opportunistic or financially motivated obscures what is happening here. Nimbus Manticore’s targeting of US firms with trojanized collaboration software is a direct retaliatory action tied to a specific geopolitical trigger. Organizations assessing their risk based on industry vertical or data value are using the wrong model. The targeting logic is now geopolitical, not economic. Any US firm visible enough to serve as a symbolic target is in scope.
Think Red (Douglas McKee): I pick targets that depend on Zoom, because Zoom guarantees voluntary installation by the user. Nobody questions downloading Zoom. IT departments often allow it. End users install it themselves without a ticket. I host a trojanized installer on a domain that looks close enough to legitimate, and the user does my work for me. The malware runs with whatever privileges the user has, and in most organizations, that is enough to access file shares, email, and internal applications. I am not breaching a perimeter. I am riding in on a choice the user was always going to make.
Act Blue (Ismael Valenzuela): The geopolitical context matters for prioritization. Following Operation Epic Fury, Iranian APT activity is worth treating as elevated-priority for US organizations rather than routine background noise, and the practical implication is tighter control over where software comes from. Application allowlisting through Microsoft AppLocker, or endpoint privilege management from CyberArk or BeyondTrust, can block execution of any installer not sourced from a verified corporate repository or vendor-verified URL. That handles the endpoint; the network deserves attention too. DNS and proxy logs are where domains impersonating collaboration-software vendors show up first, and Nimbus Manticore's trojanized Zoom infrastructure has relied on domains built to mimic legitimate download pages. Checking your ISAC and commercial threat intelligence feeds for Nimbus Manticore IOCs is a reasonable move this week. The broader lesson outlasts this campaign: when kinetic conflict escalates, cyber retaliation tends to follow, and it tends to target whatever software the victim population installs voluntarily. Mapping your users' most commonly self-installed applications, then hardening those download channels first, is where the leverage is.
Supporting sources:
MEME OF THE WEEK
Your ransomware response playbook has an escalation matrix with four approval tiers. The Gentlemen’s propagation module has goroutines. One of these finishes first every time.
ROLE-BASED TAKEAWAYS
Executive / CISO / Board Level
Automation-speed ransomware has changed the board conversation from “how fast can we detect” to “what have we already authorized.” Ask your CISO whether network isolation triggers require human approval. If yes, that approval step is now a measurable business risk. The Gentlemen does not introduce wormable malware as a new concept. It reminds us that old propagation patterns still beat modern organizations when containment authority moves too slowly.
Geopolitical retaliation is now a board-level cyber risk input. Following Operation Epic Fury, Iranian threat groups have shifted to targeting US private-sector firms with trojanized software. If your organization has any visibility in sectors that could serve as symbolic targets, ensure your threat intelligence program is surfacing IRGC-linked IOCs to the board with the same urgency as ransomware metrics.
Endpoint management platforms carry domain-controller-level risk and should receive domain-controller-level scrutiny. The FortiClient EMS exploitation shows that a single compromised management server can distribute malware to every managed endpoint. Ensure your risk register reflects this concentration risk.
Enterprise Architect
Design Principle Impact: Zero trust must extend to management planes, not just user access. The FortiClient EMS attack exploited the implicit trust between management servers and managed endpoints. Architect secondary verification (code-signing validation, out-of-band integrity checks) for any payload delivered through endpoint management infrastructure, the same way you would validate firmware updates.
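An out-of-band integrity check of the kind the Enterprise Architect item and the Signal 3 Act Blue note call for, written here as an added example rather than anything from the newsletter, Fortinet or FortiClient EMS. The model: the endpoint holds an approved-package manifest obtained over a channel the management server does not control, and any binary the management plane pushes is accepted only if its hash is listed there. The manifest is protected with an HMAC whose key is assumed to live with a separate signing service and never on the EMS host; in production the equivalent is the vendor's Authenticode signature or your own code-signing certificate, checked through the platform's signature APIs. Package names, bytes and the key are constructed.

```python
"""Out-of-band integrity gate for management-plane pushes (added example).

The management server can push bytes; it cannot make the endpoint trust them.
Trust comes from a manifest signed by a key the management server never holds.
All names, payloads and the key are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed: provisioned to the endpoint at enrollment by a signing service,
# deliberately outside the management server's reach.
MANIFEST_KEY = b"example-manifest-key-not-held-by-ems"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Stable serialization so the MAC covers exactly one byte sequence."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_push(name: str, payload: bytes, manifest: dict, manifest_mac: str, key: bytes):
    """Gate a pushed package. Returns (accepted, reason); reject on any failure."""
    # 1. The manifest itself must be authentic before its contents mean anything.
    if not hmac.compare_digest(sign_manifest(manifest, key), manifest_mac):
        return False, "manifest signature invalid"
    # 2. Only packages the signing service approved may execute, by name...
    expected = manifest["packages"].get(name)
    if expected is None:
        return False, f"{name} not in approved manifest"
    # 3. ...and only with exactly the bytes that were approved.
    if not hmac.compare_digest(sha256_hex(payload), expected):
        return False, "payload hash mismatch"
    return True, "verified"


def demo():
    """Run the gate against an approved push and three ways a compromised EMS might misuse it."""
    good = b"constructed bytes of an approved agent update"
    manifest = {"version": 3, "packages": {"agent-update.pkg": sha256_hex(good)}}
    mac = sign_manifest(manifest, MANIFEST_KEY)

    rogue = b"constructed bytes standing in for an unapproved binary"
    results = {
        # Legitimate push: listed name, matching bytes.
        "approved": verify_push("agent-update.pkg", good, manifest, mac, MANIFEST_KEY),
        # Attacker pushes a new 'hotfix' the signing service never saw.
        "unlisted_name": verify_push("agent-hotfix.pkg", rogue, manifest, mac, MANIFEST_KEY),
        # Attacker reuses an approved name with different bytes.
        "swapped_bytes": verify_push("agent-update.pkg", rogue, manifest, mac, MANIFEST_KEY),
    }
    # Attacker edits the manifest to list the rogue package, but cannot re-sign it.
    tampered = {"version": 3, "packages": {**manifest["packages"],
                                           "agent-hotfix.pkg": sha256_hex(rogue)}}
    results["tampered_manifest"] = verify_push("agent-hotfix.pkg", rogue, tampered, mac, MANIFEST_KEY)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} -> {outcome}")
```

The point of the split is that compromising the management server yields push capability but not approval capability; the three rejected cases are the three things an attacker holding EMS credentials can do, and none of them passes. Timestamps or version numbers in the manifest can also close the replay case (an old, once-approved vulnerable package pushed again), which this minimal version does not cover.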
New Constraint: Segmentation must be able to activate at automation speed. The Gentlemen's concurrent SMB, WMI, and PsExec propagation means flat networks can be compromised before a human segmentation decision is made. Design and implement micro-segmentation policies that are enforced continuously, so that propagation hits boundaries it cannot cross, with no dependence on detection or on a human in the loop. Architect to cut response time with dynamic isolation as well: EDR or NDR quarantining a host automatically on high-confidence lateral movement indicators. The first shrinks the blast radius before anything fires; the second closes off whatever still moves.
Security Operations
Implementation Watch Item: Monitor for concurrent SMB session creation, WMI process execution, and PsExec service creation from a single host to multiple previously uncontacted destinations within 60 seconds. Do not treat this as generic lateral movement. Treat it as propagation behavior that should trigger containment logic.
Common Failure Mode: Automated containment policies exist in the EDR configuration but are set to “alert only” in production because a previous false positive caused a business disruption. Verify that automatic isolation is enabled, not just configured, on your endpoint protection platform this week.
Monitoring Patterns: For FortiClient EMS, watch for EMS-to-endpoint communication outside scheduled maintenance windows, unexpected binary pushes through the FortiClient management channel, and EMS administrative logins from source IPs outside approved management subnets. For GreyVibe-style AI-generated lures, track newly registered sender domains, sudden spikes in unique message variants, and high-volume targeting where each email has different wording but similar intent. For Nimbus Manticore, monitor DNS and proxy logs for domains impersonating collaboration software vendors, especially Zoom-related lookalikes.
Signal vs Noise Guidance: A single SMB connection from one endpoint to another is normal lateral business traffic. Ten or more concurrent new SMB sessions from a single source to previously uncontacted hosts within 30 seconds is a propagation indicator that warrants immediate automated isolation, not triage.
Adversarial edge item: Run a live containment drill using a benign script that simulates worm-like lateral movement indicators: rapid SMB session creation, WMI execution attempts, and PsExec-like service creation across a test segment. Measure the time from first alert to endpoint isolation. If the workflow requires a human approval step before containment, document the delay as exposure time, not process time.
Take the adversary by surprise. Plant honey shares and decoy SMB hosts that no legitimate process ever touches, so a self-propagating worm hits bait before it reaches production. Treat any SMB, WMI, or PsExec attempt against one as a zero-false-positive propagation alert that fires ahead of the concurrent-session threshold, because the worm finds the decoy while it is still hunting for real hosts.
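The propagation detection the Security Operations items describe (the concurrent-session threshold from the Signal vs Noise guidance, correlation with PsExec service installation and WMI process creation, and the decoy-share rule that fires ahead of the threshold), as an added example that is not part of the newsletter and not any vendor's detection content. The event records, hostnames, baseline pairs and decoy host are constructed stand-ins for EDR or NDR telemetry, and the alert dictionaries model what a SOAR playbook would consume to isolate the source without a human approval step.

```python
"""Worm-propagation detector over constructed telemetry (added example).

Three rules from the text: (1) any contact with a decoy host is a zero-false-positive
propagation alert; (2) ten or more SMB sessions from one source to previously
uncontacted hosts within 30 seconds is propagation, not triage; (3) PsExec service
installs or WMI-spawned processes in the same window raise the severity.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)   # window from the Signal vs Noise guidance
THRESHOLD = 10                   # ten or more new sessions

# Constructed baseline: (src, dst) pairs with a history of SMB traffic.
BASELINE_PAIRS = {("ws-17", "fs-01"), ("ws-17", "mail-01"), ("ws-07", "fs-01")}
# Constructed decoys: honey shares no legitimate process ever touches.
DECOY_HOSTS = {"fs-decoy-09"}


def build_sample_events():
    """Constructed telemetry: one routine host, one admin, one spreading host."""
    t0 = datetime(2026, 4, 20, 9, 0, 0)

    def ev(sec, src, dst, kind):
        return {"ts": t0 + timedelta(seconds=sec), "src": src, "dst": dst, "kind": kind}

    events = [ev(0, "ws-17", "fs-01", "smb_session")]                       # routine share use
    # Benign admin: three new hosts, but spread over two minutes.
    events += [ev(s, "ws-07", d, "smb_session")
               for s, d in ((0, "srv-90"), (60, "srv-91"), (120, "srv-92"))]
    # Spreading host: twelve new hosts in twelve seconds, plus PsExec and WMI.
    events += [ev(i, "ws-42", f"srv-{i:02d}", "smb_session") for i in range(12)]
    events.append(ev(5, "ws-42", "srv-03", "psexec_service"))
    events.append(ev(7, "ws-42", "srv-05", "wmi_process"))
    events.append(ev(2, "ws-42", "fs-decoy-09", "smb_session"))   # touches the decoy while hunting
    return events


def detect(events, baseline=BASELINE_PAIRS, decoys=DECOY_HOSTS,
           window=WINDOW, threshold=THRESHOLD):
    """Return containment-grade alerts, each naming the action a playbook should take."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        # Rule 1: decoy contact fires on first touch, before any threshold is reached.
        decoy_hit = next((e for e in evs if e["dst"] in decoys), None)
        if decoy_hit:
            alerts.append({"src": src, "rule": "decoy_contact", "severity": "critical",
                           "action": "isolate", "at": decoy_hit["ts"]})

        # Rule 2: sliding window over SMB sessions to hosts this source never contacted.
        recent = deque()   # (ts, dst) for new-pair SMB sessions inside the window
        for e in evs:
            if e["kind"] != "smb_session" or (src, e["dst"]) in baseline:
                continue
            recent.append((e["ts"], e["dst"]))
            while e["ts"] - recent[0][0] > window:
                recent.popleft()
            distinct = {dst for _, dst in recent}
            if len(distinct) < threshold:
                continue
            # Rule 3: correlate with PsExec service installs / WMI process creation.
            tools = sorted({x["kind"] for x in evs
                            if x["kind"] in ("psexec_service", "wmi_process")
                            and abs((x["ts"] - e["ts"]).total_seconds()) <= window.total_seconds()})
            alerts.append({"src": src, "rule": "smb_fanout", "new_hosts": len(distinct),
                           "correlated": tools, "severity": "critical" if tools else "high",
                           "action": "isolate", "at": e["ts"]})
            break   # one containment action per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

On the sample, the admin host that reaches three new servers over two minutes produces nothing, while the spreading host is flagged twice: once at its second second of activity for touching the decoy, and again when its tenth previously uncontacted host falls inside the window, with both PsExec and WMI correlated. The decoy alert arriving first is the point of the last item above; in a live drill, the gap between its timestamp and actual isolation is the exposure time to record.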
See you next Monday!
The Monday Brief is produced by Douglas McKee and Ismael Valenzuela. The opinions expressed are our own and do not reflect those of our employers.