
How I Would Look for The Gentlemen

  • Writer: Patrick Duggan
  • 5 min read

Check Point Research published a DFIR report this month that cracked open a live command-and-control server linked to a Gentlemen affiliate. 1,570 corporate victims on one C2 box. 320+ publicly claimed. Growth rivaling early LockBit 3. The fastest-scaling RaaS operation of 2026.


The report gave us two C2 IPs: a Cobalt Strike beacon on Hetzner in Frankfurt, and a SystemBC proxy on Clouvider in Ashburn. Twenty-seven file hashes. A leak site onion address. Two Tox IDs. Good report. Standard IOCs.


But the report stopped at the IOCs. Here is how I would keep going.



Start With the Reverse DNS


The SystemBC C2 IP is 45.86.230.112. The PTR record is kautzer.stieglers.net. That is not a default hostname. Someone configured that deliberately. The question is why that name.


Look up stieglers.net. It was registered April 15, 2026. Six days ago. Spaceship registrar. The nameservers are launch1.spaceship.net and launch2.spaceship.net. The domain resolves to 45.86.230.178, which is on the same Clouvider /24 as the SystemBC C2.



Follow the SPF Record


Check the SPF record for stieglers.net. It reads:


v=spf1 ip4:45.86.230.178 ip4:194.213.18.194 ip4:194.213.18.131 ip4:194.213.18.90 ip4:45.86.230.112 ip4:45.86.230.6 ~all


That is six IP addresses. SPF only states which hosts may send mail as stieglers.net, and the trailing ~all is a softfail, so the record proves nothing about what those hosts actually do. What it does hand you is the operator's own list of machines they consider theirs. One of them is the known SystemBC C2. The other five are new indicators that no public report has published.



Map the Infrastructure


Check the reverse DNS on each of the six IPs. Every one of them has a PTR record under stieglers.net:


  • 45.86.230.178 — stieglers.net (primary)

  • 194.213.18.194 — zieme.stieglers.net

  • 194.213.18.131 — auer.stieglers.net

  • 194.213.18.90 — pacocha.stieglers.net

  • 45.86.230.112 — kautzer.stieglers.net (known SystemBC C2)

  • 45.86.230.6 — emmerich.stieglers.net

Three IPs on 194.213.18.x are registered to BlueVPS OU, an Estonian hosting company operating out of Ashburn; BlueVPS also shows up in our Tor relay analysis as a provider hosting relays. The other three on 45.86.230.x are under Clouvider, also in Ashburn. Same datacenter, two providers, six IPs, one domain.
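The pivot above, written out as a script. This is an added example, not the author's tooling: it expands an SPF policy into the hosts it authorises (following include: and redirect= under the RFC 7208 ten-lookup budget), reverse-resolves each host, lists the ones under the apex that were not already known, and clusters them by /24 around the known C2. The SPF text, the six PTR names and the C2 address are the values quoted in the article; the resolver is a constructed dict so the script runs offline. For a live zone, replace `lookup` with a wrapper around dnspython's dns.resolver.

```python
"""Added example (not the author's tooling): expand an SPF policy into the
hosts it authorises, reverse-resolve each host, and cluster by /24 around a
known C2. SPF text, PTR names and the known C2 are the article's values; the
resolver is a constructed dict so this runs offline."""
import ipaddress
from collections import defaultdict

SPF_RECORD = ("v=spf1 ip4:45.86.230.178 ip4:194.213.18.194 ip4:194.213.18.131 "
              "ip4:194.213.18.90 ip4:45.86.230.112 ip4:45.86.230.6 ~all")
PTR_NAMES = {  # the article's reverse-DNS table
    "45.86.230.178": "stieglers.net",
    "194.213.18.194": "zieme.stieglers.net",
    "194.213.18.131": "auer.stieglers.net",
    "194.213.18.90": "pacocha.stieglers.net",
    "45.86.230.112": "kautzer.stieglers.net",
    "45.86.230.6": "emmerich.stieglers.net",
}

def reverse_name(ip):
    """PTR owner name for an IPv4 address, e.g. 112.230.86.45.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

# Constructed stand-in for DNS, keyed by (owner name, record type).
FAKE_DNS = {("stieglers.net", "TXT"): [SPF_RECORD]}
FAKE_DNS.update({(reverse_name(ip), "PTR"): [n] for ip, n in PTR_NAMES.items()})

def lookup(name, rtype, dns=FAKE_DNS):
    return dns.get((name.lower().rstrip("."), rtype), [])

def expand_spf(domain, dns=FAKE_DNS, budget=None):
    """Return (networks, all_qualifier) for the SPF policy of `domain`.
    include: and redirect= are followed recursively. RFC 7208 allows at most
    ten DNS-triggering terms per evaluation; `budget` is that shared counter,
    and exhausting it is a permerror (which also stops include loops)."""
    if budget is None:
        budget = [10]
    nets, terminal = set(), None
    for record in lookup(domain, "TXT", dns):
        if not record.lower().startswith("v=spf1 "):
            continue
        for term in record.split()[1:]:
            qualifier = ""
            if term[0] in "+-~?":
                qualifier, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            if mech in ("ip4", "ip6"):
                nets.add(ipaddress.ip_network(arg, strict=False))
            elif mech == "all":
                terminal = qualifier or "+"
            elif mech == "include" or mech.startswith("redirect="):
                if budget[0] <= 0:
                    raise ValueError("more than 10 lookup terms: permerror")
                budget[0] -= 1
                target = arg if mech == "include" else mech.split("=", 1)[1]
                nets |= expand_spf(target, dns, budget)[0]
            elif mech in ("a", "mx", "exists", "ptr"):
                budget[0] -= 1  # also lookup-consuming; resolving them needs live DNS
    return nets, terminal

def ptr_map(nets, dns=FAKE_DNS):
    """Reverse-resolve each single-host entry; wider ranges are listed unnamed."""
    out = {}
    for net in nets:
        if net.version != 4:
            continue
        if net.num_addresses == 1:
            ip = str(net.network_address)
            answers = lookup(reverse_name(ip), "PTR", dns)
            out[ip] = answers[0] if answers else None
        else:
            out[str(net)] = None
    return out

def new_indicators(ptrs, apex, known):
    """Hosts whose PTR sits under `apex` and that are not already known."""
    apex = apex.lower()
    return sorted((ip for ip, name in ptrs.items()
                   if name and (name == apex or name.endswith("." + apex)) and ip not in known),
                  key=ipaddress.ip_address)

def cluster_by_prefix(ips, known_c2, prefix=24):
    """Group addresses by /prefix and flag prefixes that also hold a known C2."""
    groups = defaultdict(list)
    for ip in ips:
        host = ip.split("/")[0]
        groups[str(ipaddress.ip_network(f"{host}/{prefix}", strict=False))].append(host)
    c2_prefixes = {str(ipaddress.ip_network(f"{c}/{prefix}", strict=False)) for c in known_c2}
    return {net: {"hosts": sorted(hosts, key=ipaddress.ip_address),
                  "shares_prefix_with_c2": net in c2_prefixes}
            for net, hosts in groups.items()}

if __name__ == "__main__":
    nets, terminal = expand_spf("stieglers.net")
    ptrs = ptr_map(nets)
    print("all qualifier:", terminal)
    print("new indicators:", new_indicators(ptrs, "stieglers.net", {"45.86.230.112"}))
    for net, info in cluster_by_prefix(ptrs, ["45.86.230.112"]).items():
        print(net, info)
```

The lookup budget is what keeps a malicious or sloppy `include:` chain from turning the expander into an infinite loop; a policy that blows it is a permerror, which is also how real receivers treat it.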



Wildcard DNS and Operational Pride


Check the DNS for the domain itself. Every subdomain resolves: www, mail, admin, vpn, sso, login, api, dev, staging, test, ns1, ns2. All pointing to 45.86.230.178. That is wildcard DNS.


But also try c2.stieglers.net. It resolves. Try beacon.stieglers.net. It resolves. Try proxy.stieglers.net. It resolves. Try relay.stieglers.net. It resolves. All to the same IP. The wildcard catches everything, which cuts both ways: these hits are not evidence that a c2, beacon or proxy service exists, because any label you invent resolves the same way. The only hostnames here with independent evidence behind them are the six that come back from reverse DNS.


The HTTP response on the primary IP is a polished Bootstrap 5 page: "403 | Unauthorized." Not a default Apache or nginx error page, and not even the standard pairing (the HTTP spec names 403 Forbidden and reserves Unauthorized for 401), which is one more sign that a person wrote it. Someone built a custom landing page for their infrastructure. That is an operator who cares about how their tooling looks. Operational pride.
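The wildcard check, as an added example rather than anything from the article or its author: resolve a few random labels nobody would have configured, and if they all answer, the zone is a wildcard and only candidates whose answer differs from the wildcard answer carry any signal. The resolver below is a constructed, dict-backed stand-in on a fictional zone (wildcard.example, 192.0.2.x); for a live zone pass a function that wraps dnspython's dns.resolver and returns the set of A records.

```python
"""Added example (not the author's tooling): separate a wildcard zone's
catch-all answers from names that really have their own records. The
resolver is a constructed stand-in on a fictional zone."""
import secrets

def make_resolver(zone, wildcard_ip, explicit):
    """Constructed resolver: explicit records win, any other name under the
    zone gets the wildcard answer, everything else is NXDOMAIN (empty set)."""
    zone = zone.lower()
    explicit = {k.lower(): frozenset(v) for k, v in explicit.items()}

    def resolve(name):
        name = name.lower().rstrip(".")
        if name in explicit:
            return explicit[name]
        if wildcard_ip and (name == zone or name.endswith("." + zone)):
            return frozenset([wildcard_ip])
        return frozenset()
    return resolve

def wildcard_answer(resolve, zone, probes=3):
    """Union of the answers for `probes` random labels under `zone`, or None
    when any probe is NXDOMAIN (no wildcard). Random labels rather than a
    wordlist, so the probe cannot collide with a name the operator made."""
    answers = [resolve(f"{secrets.token_hex(8)}.{zone}") for _ in range(probes)]
    if all(answers):
        return frozenset().union(*answers)  # union copes with round-robin answers
    return None

def informative_hits(resolve, zone, labels):
    """Forward-resolve candidate labels and drop the ones the wildcard absorbs.
    A hit survives only if it resolves to something outside the wildcard set."""
    wildcard = wildcard_answer(resolve, zone)
    kept = {}
    for label in labels:
        answer = resolve(f"{label}.{zone}")
        if answer and not (wildcard and answer <= wildcard):
            kept[label] = answer
    return kept

if __name__ == "__main__":
    # Constructed zone: wildcard to 192.0.2.1, one real record for mail.
    r = make_resolver("wildcard.example", "192.0.2.1",
                      {"mail.wildcard.example": {"192.0.2.25"}})
    print(informative_hits(r, "wildcard.example",
                           ["www", "c2", "beacon", "proxy", "relay", "mail"]))
```

Run against the constructed zone, c2, beacon, proxy and relay all vanish and only mail survives, which is the point: under a wildcard, a resolving hostname is noise unless something else (a PTR, a certificate SAN) vouches for it.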



The Subdomain Names


Now the interesting part. Kautzer. Stiegler. Zieme. Auer. Pacocha. Emmerich.


These look like they could be randomly generated from a faker library. Ruby Faker and Python faker both generate realistic surnames, and both ship their surname lists in plain text, so the first check is to grep those lists: the English list shared by Ruby Faker and Faker.js contains Auer, Emmerich, Kautzer, Pacocha and Zieme. That does not settle it, since a name is on that list precisely because real people and real companies carry it. But look closer.



Stiegler


Stiegler Shipping Co., Inc. is a steamship agent and charter broker in Mobile, Alabama. Their domain is stiegler.net. The C2 domain is stieglers.net. One letter difference.



Emmerich


Emmerich am Rhein is a city in North Rhine-Westphalia, Germany. Their municipal website is emmerich.de. The Gentlemen target manufacturing and technology. A German municipal government fits the targeting profile.



Auer


AUER Packaging GmbH is a German manufacturer of plastic storage and transport products. auer.com. Manufacturing is the Gentlemen's most targeted sector per every report published about them.



Kautzer


Hawley, Kaufman and Kautzer, S.C. is a law firm in Random Lake, Wisconsin.



Pacocha


A Quechua-origin surname common in Peru. The specific victim is unidentified but the geographic diversity is consistent with The Gentlemen's global reach.



Zieme


A German surname. Zieme.de is unresponsive. The specific victim is unidentified.



The Hypothesis


The affiliate names their C2 subdomains after their victims or active targets. Each subdomain is a campaign tag. When a beacon calls home to kautzer.stieglers.net, the operator knows which victim generated that traffic without looking at a database. The DNS hostname is the index.


This is speculative. The names could be random. They could be personal references. They could be a joke I am not getting. But five of six map to identifiable entities — a shipping company, a German city, a German manufacturer, a Wisconsin law firm, and a surname matching a geographic region — and the one that does not map (Zieme) is at least a real German surname with a registered .de domain.



How to Verify


If I wanted to verify this, I would check The Gentlemen's leak site for these names. I cannot access the onion address from where I sit. Someone with Tor Browser access could check tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion and see if Stiegler Shipping, AUER Packaging, or Stadt Emmerich am Rhein appear as claimed victims.



One Affiliate, One Node


Zoom out. This is one affiliate operating six IPs on two hosting providers in one datacenter with a domain registered six days ago. Check Point found 1,570 victims on a single C2. The Gentlemen has dozens of affiliates with a 90% revenue share. Each affiliate runs their own infrastructure. This is one node in a network.



The Hetzner Pattern


The Cobalt Strike C2 from the Check Point report is dark. Ports 443, 80, 8080, 8443, and 50050 all unresponsive. Either the affiliate rotated after the report dropped, or Hetzner took it down. But the Clouvider/BlueVPS infrastructure is alive. The 403 page is serving. The DNS is resolving. The SPF record is configured for email delivery. This infrastructure is operational right now.


Hetzner keeps appearing. AS24940 hosts the Gentlemen's Cobalt Strike C2, two Interlock ransomware C2 IPs, and five Tor relays from our relay analysis. It is cheap, fast to provision, and does not ask too many questions. It is the attacker's AWS. Not complicit. Just convenient.



Certificate Transparency


The certificate transparency logs for stieglers.net show six certificates issued. The domain is six days old with six certs. That is automated certificate provisioning, probably Let's Encrypt via cPanel or Certbot. Two things to check before leaning on the count: crt.sh lists a precertificate and its final certificate as separate rows sharing a serial, so rows are not certificates until you dedupe by serial, and the SAN list on each certificate matters more than the number, because it names exactly which hostnames were provisioned and is where a host missing from the PTR set would show up. Consistent with the wildcard DNS and the polished 403 page. This is not a beginner.
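The CT check written out, as an added example and not part of the article: parse crt.sh's JSON output, collapse precertificate/leaf pairs by issuer and serial, list the names actually issued under the apex, and subtract the hosts you already had. The rows below are constructed in crt.sh's field layout on a fictional apex (example.net) so that none of them read as a finding; for a real query fetch `https://crt.sh/?q=%25.<apex>&output=json` and feed the body to `load_crtsh`.

```python
"""Added example (not the author's tooling): dedupe crt.sh rows into
certificates and list the hostnames they cover. Rows are constructed on a
fictional apex; field names follow crt.sh's JSON output."""
import json

CRTSH_JSON = json.dumps([  # constructed: 5 rows, 3 certificates
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "common_name": "example.net",
     "name_value": "example.net\nwww.example.net", "serial_number": "04A1",
     "not_before": "2026-04-15T09:00:00", "entry_timestamp": "2026-04-15T09:00:02"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "common_name": "example.net",
     "name_value": "example.net\nwww.example.net", "serial_number": "04a1",
     "not_before": "2026-04-15T09:00:00", "entry_timestamp": "2026-04-15T09:00:09"},
    {"id": 103, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "common_name": "mail.example.net",
     "name_value": "mail.example.net", "serial_number": "04B7",
     "not_before": "2026-04-15T09:05:00", "entry_timestamp": "2026-04-15T09:05:01"},
    {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "common_name": "mail.example.net",
     "name_value": "mail.example.net", "serial_number": "04b7",
     "not_before": "2026-04-15T09:05:00", "entry_timestamp": "2026-04-15T09:05:08"},
    {"id": 105, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "common_name": "vpn.example.net",
     "name_value": "vpn.example.net", "serial_number": "04C3",
     "not_before": "2026-04-16T12:00:00", "entry_timestamp": "2026-04-16T12:00:03"},
])

def load_crtsh(text):
    """crt.sh returns a JSON array of rows; name_value is newline-separated SANs."""
    return json.loads(text)

def dedupe_certs(rows):
    """Collapse rows into certificates. A precertificate and its final
    certificate are logged separately but share issuer and serial, so row
    count overstates certificate count (here 5 rows, 3 certificates)."""
    certs = {}
    for row in rows:
        key = (row["issuer_name"], row["serial_number"].lower())
        cert = certs.setdefault(key, {"issuer": row["issuer_name"], "serial": key[1],
                                      "names": set(), "not_before": row["not_before"],
                                      "rows": 0})
        cert["names"] |= {n.strip().lower() for n in row["name_value"].split("\n") if n.strip()}
        cert["not_before"] = min(cert["not_before"], row["not_before"])
        cert["rows"] += 1
    return sorted(certs.values(), key=lambda c: c["not_before"])

def names_under(certs, apex):
    """Every SAN under `apex` across the deduped certificates."""
    apex = apex.lower()
    out = set()
    for c in certs:
        out |= {n for n in c["names"] if n == apex or n.endswith("." + apex)}
    return sorted(out)

def unexplained(certs, apex, known_hosts):
    """Issued names under apex that are not in the list you already had
    (for the article, the six PTR hostnames): new hosts to chase. Wildcard
    SANs are skipped since they name no specific host."""
    known = {h.lower() for h in known_hosts}
    return [n for n in names_under(certs, apex) if n not in known and not n.startswith("*.")]

if __name__ == "__main__":
    certs = dedupe_certs(load_crtsh(CRTSH_JSON))
    print(len(certs), "certificates")
    for c in certs:
        print(c["not_before"], c["serial"], sorted(c["names"]), f"({c['rows']} rows)")
    print("unexplained:", unexplained(certs, "example.net", ["example.net", "mail.example.net"]))
```

Serial numbers are compared case-insensitively because crt.sh does not normalise their case between rows, and the issuer is part of the key because serials are only unique per CA.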



The Tor Connection


I do not have evidence that this specific affiliate routes through Tor relays. But The Gentlemen's leak site is an onion service. Their victim negotiation happens over Tox, which can be routed through Tor. SystemBC, their proxy tool, supports SOCKS5 through Tor. The infrastructure exists. The connection is architectural, not yet proven for this specific cluster.



What We Indexed


We have indexed 35 IOCs for The Gentlemen in our STIX feed. Two C2 IPs from the Check Point report. One leak site onion. Twenty-six file hashes. Six new infrastructure IPs from the stieglers.net SPF record. These are now in the feed, searchable, correlatable.


The 275+ organizations consuming our feed now have indicators that were not in any public report until this article. The six stieglers.net IPs, the domain itself, and the subdomain-to-victim mapping methodology are original findings.



What to Hunt


If you are a threat hunter reading this, here is what to look for in your logs:


  • DNS queries to any subdomain of stieglers.net

  • Any outbound connection, on any port or protocol, to 45.86.230.178, 45.86.230.112, 45.86.230.6, 194.213.18.194, 194.213.18.131, or 194.213.18.90

  • SystemBC traffic patterns (RC4-encrypted SOCKS5, typically ports 4001-4999) to 45.86.230.112

  • Cobalt Strike beacon profiles matching the Check Point hashes

  • Your organization name appearing as a subdomain of a domain you do not own

The Gentlemen are not subtle. They named the infrastructure after you.

