INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Infostealers, AI, and 90% Affiliate Cut Fuel Gentlemen's Rise
2026-06-15 06:58 | CRITICAL | MEDIUM
Executive Summary (AI-generated)
The Gentlemen ransomware group has become one of the most prolific ransomware brands of the year, and its tactics, techniques, and procedures keep evolving. It scales quickly because initial access comes from infostealer credential logs and vulnerable internet-facing devices rather than bespoke intrusions, because AI tooling supports its operators, and because its affiliate program pays a 90% share. Victims span multiple countries, including Thailand, Brazil, the UK, France, India, Germany, Italy, Japan, Taiwan, and Spain. The group's willingness to get personal, pressuring victims by email and phone and using stolen data and the victim's own contact list as leverage, is also a key factor in its success.
Technical Mitigations (AI-generated)
* Patch internet-facing edge devices first (Fortinet FortiGate, Cisco, VMware Aria Operations and other VPN, firewall and management appliances), prioritising the flaws the group is known to track: CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.
* Move high-value and administrative access to phishing-resistant authentication (hardware-backed keys or passkeys). SMS and push-based MFA do not help once an infostealer has exported an already-authenticated session cookie, so also shorten session lifetimes and revoke sessions on password reset.
* Monitor dark-web and infostealer-log markets for your organisation's credentials and session tokens, and alert on the group's on-host tradecraft: clearing of the System, Application, and Security event logs, Microsoft Defender being disabled, new antivirus exclusions, and NTLM relay activity.
* Harden Active Directory against ZeroLogon and PetitPotam and against NTLM relay (enforce SMB and LDAP signing and channel binding), segment the network so a single compromised host cannot reach backup and management controllers, keep offline tested backups, and validate all of this with regular audits and penetration tests of your own environment.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Qilin, Embargo, Black Basta
CVE-2025-32433
CVE-2024-55591
CVE-2025-33073
Target & Sectors
Regions: NORTH_AMERICA, LATAM, DACH, ASEAN
Sectors: energy, logistics, technology, defense, manufacturing, healthcare
Incident Timeline
February 2025
The group treated the February 2025 Black Basta chat leak as a training manual, copying its phishing and mailbox-abuse workflows. Its leverage now comes increasingly from stolen data and the victim's own contact list rather than from encrypted files; the result is 483 victims across 66 countries in under a year.
tactic
Phishing
First, the group studied the February 2025 Black Basta chat leak and treated it as a training manual, copying phishing and mailbox-abuse workflows rather than building their own from scratch.
malware
Black Basta
First, the group studied the February 2025 Black Basta chat leak and treated it as a training manual, copying phishing and mailbox-abuse workflows rather than building their own from scratch.
organisation
SecurityAffairs
Pierluigi Paganini (SecurityAffairs – hacking, The Gentlemen ransomware)
victims
483 victims
The result is 483 victims across 66 countries in under a year, assembled by a team small enough to share one table.
organisation
Microsoft
Microsoft has separately documented a self-propagating Go-based encryptor attributed to the group, but the real leverage increasingly comes from the stolen data and the victim’s own contact list, not the locked files.
organisation
MFA
Move high-value access to hardware-backed or passkey authentication that doesn’t produce replayable session cookies, because stolen cookies defeat SMS and push-based MFA entirely.
organisation
Harden Active Directory
Harden Active Directory against ZeroLogon and PetitPotam, segment the network so one compromised host can’t reach everything, and keep offline tested backups while assuming data was stolen regardless of whether files were encrypted.
organisation
ZeroLogon
Harden Active Directory against ZeroLogon and PetitPotam, segment the network so one compromised host can’t reach everything, and keep offline tested backups while assuming data was stolen regardless of whether files were encrypted.
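The session-cookie point above deserves a concrete check. The cookie is minted after the login factor has already been satisfied, so the strength of that factor does not by itself stop replay of a cookie an infostealer has exfiltrated; what catches it is watching the token itself. The detector below is an added example and not code from the original article or from any vendor named on this page. It assumes a constructed key=value authentication log format (the session, asn and ua field names are assumptions) and flags a token that reappears from a different network or client family than the login that created it, or that is used without any login at all.

```python
"""Detect replay of stolen web-session cookies in authentication logs.

An infostealer exports the victim's browser cookies; importing one into
another browser resumes an already-authenticated session, so no MFA prompt
fires. The login that minted the session is the reference point: a token
that later appears from a different network (ASN) or client family, or that
appears with no login at all, is a replay candidate. Log format and field
names here are constructed for the example.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) session=(?P<session>\S+) '
    r'ip=(?P<ip>\S+) asn=(?P<asn>\S+) ua="(?P<ua>[^"]*)" mfa=(?P<mfa>\S+)$'
)


@dataclass(frozen=True)
class Alert:
    user: str
    session: str
    ts: str
    reason: str


def ua_family(ua: str) -> str:
    """Coarse client family; browsers versus scripted HTTP clients is the useful split."""
    ua = ua.lower()
    if any(s in ua for s in ("python-requests", "curl/", "go-http-client", "okhttp")):
        return "script"
    for name in ("firefox", "edg/", "chrome", "safari"):  # order matters: Chrome UAs also say Safari
        if name in ua:
            return name.rstrip("/")
    return "unknown"


def parse(lines):
    """Return parsed events in file order; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_cookie_replay(lines):
    """Flag session tokens used from a context other than the login that minted them.

    Assumes `lines` are in chronological order (sort them first otherwise).
    """
    origin = {}  # session id -> the login event that created it
    alerts = []
    for ev in parse(lines):
        sid = ev["session"]
        if ev["event"] == "login":
            origin[sid] = ev
            continue
        if sid not in origin:
            alerts.append(Alert(ev["user"], sid, ev["ts"],
                                "session token used with no preceding login (imported cookie?)"))
            continue
        o = origin[sid]
        if ev["asn"] != o["asn"]:
            alerts.append(Alert(ev["user"], sid, ev["ts"],
                                f"session moved from {o['asn']} to {ev['asn']}"))
        if ua_family(ev["ua"]) != ua_family(o["ua"]):
            alerts.append(Alert(ev["user"], sid, ev["ts"],
                                f"client changed from {ua_family(o['ua'])} to {ua_family(ev['ua'])}"))
    return alerts


# Constructed sample: jdoe completes push MFA from the office network, then the
# same session token is presented from another ASN and finally from a script;
# asmith's token shows up with no login event at all.
SAMPLE_LOG = """\
2026-05-02T08:01:12Z user=jdoe event=login session=s-1a2b ip=203.0.113.10 asn=AS64496 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 Safari/537.36" mfa=push
2026-05-02T08:05:40Z user=jdoe event=request session=s-1a2b ip=203.0.113.10 asn=AS64496 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 Safari/537.36" mfa=none
2026-05-02T11:47:03Z user=jdoe event=request session=s-1a2b ip=198.51.100.77 asn=AS64500 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 Safari/537.36" mfa=none
2026-05-02T11:48:19Z user=jdoe event=request session=s-1a2b ip=198.51.100.77 asn=AS64500 ua="python-requests/2.31.0" mfa=none
2026-05-02T12:02:55Z user=asmith event=request session=s-9z8y ip=192.0.2.44 asn=AS64501 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" mfa=none
""".splitlines()

if __name__ == "__main__":
    for a in detect_cookie_replay(SAMPLE_LOG):
        print(f"{a.ts} {a.user} {a.session}: {a.reason}")
```

An ASN change alone will fire on laptops that move between office Wi-Fi and a phone hotspot, so in production you would weight the client-family change and the no-login case higher, or require two signals before forcing re-authentication. Revoking the session on alert is what turns this from a report into a control.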
March 2025
The Gentlemen is reported to have been active since March 2025, claiming 478 victims to date, and its ransomware can spread like a worm.
organisation
Ransomware
The Gentlemen is known to be active since March 2025, claiming a total of 478 victims to date, per data from Ransomware.
victims
478 Victims
The Gentlemen is known to be active since March 2025, claiming a total of 478 victims to date, per data from Ransomware.
2025/06/11
LevelBlue's Cybereason team described The Gentlemen as a highly adaptive, fast-moving ransomware operation that combines mature ransomware techniques with RaaS features, double extortion, cross-platform lockers, flexible propagation, and affiliate support.
tactic
Ransomware
Some of the other salient aspects of the extortion scheme compiled from various reports are as follows: in an analysis of the ransomware late last year, LevelBlue's Cybereason team described The Gentlemen as a "highly adaptive, fast-moving ransomware operation" that combines mature ransomware techniques with RaaS features, double extortion, cross-platform lockers, flexible propagation, and affiliate support.
tactic
Extortion
Some of the other salient aspects of the extortion scheme compiled from various reports are as follows: in an analysis of the ransomware late last year, LevelBlue's Cybereason team described The Gentlemen as a "highly adaptive, fast-moving ransomware operation" that combines mature ransomware techniques with RaaS features, double extortion, cross-platform lockers, flexible propagation, and affiliate support.
organisation
LevelBlue
Some of the other salient aspects of the extortion scheme compiled from various reports are as follows: in an analysis of the ransomware late last year, LevelBlue's Cybereason team described The Gentlemen as a "highly adaptive, fast-moving ransomware operation" that combines mature ransomware techniques with RaaS features, double extortion, cross-platform lockers, flexible propagation, and affiliate support.
July 2025
Phantom Mantis transitioned into The Gentlemen, an independent partnership program no longer dependent on other RaaS groups, according to the Swiss cybersecurity company PRODAFT.
source_region
Switzerland
"In July 2025, Phantom Mantis transitioned into The Gentlemen, an independent partnership program no longer dependent on other RaaS groups," the Swiss cybersecurity company said.
August 2025
Dark Atlas documented a payment dispute between LARVA-368 and the Qilin RaaS, with the threat actor accusing Qilin of an exit scam that defrauded them of $48,000; the group's move to an independent program coincided with this dispute.
malware
Qilin
As detailed by Dark Atlas in August 2025, the shift coincided with a payment dispute between LARVA-368 and Qilin, with the threat actor accusing the RaaS operation of carrying out an exit scam and defrauding them of $48,000.
organisation
LARVA-368
As detailed by Dark Atlas in August 2025, the shift coincided with a payment dispute between LARVA-368 and Qilin, with the threat actor accusing the RaaS operation of carrying out an exit scam and defrauding them of $48,000.
September 2025
The Gentlemen surfaced as a ransomware operation in September 2025; by June 13, 2026 its dark-web leak site listed 483 victims, 380 of them added in 2026 alone.
tactic
Ransomware
The Gentlemen surfaced as a ransomware operation in September 2025 and by June 13, 2026 had listed 483 victims on their dark-web leak site, 380 of them in 2026 alone.
victims
483 victims
The Gentlemen surfaced as a ransomware operation in September 2025 and by June 13, 2026 had listed 483 victims on their dark-web leak site, 380 of them in 2026 alone.
general_metric
380 leak site
The Gentlemen surfaced as a ransomware operation in September 2025 and by June 13, 2026 had listed 483 victims on their dark-web leak site, 380 of them in 2026 alone.
November 7, 2025
The Gentlemen affiliate program advertises an aggressive profit-sharing model: 90% of ransom payments go to the affiliate and 10% to the operator.
November 2025
Start of the period covered by the group's later-leaked internal chat database (3,366 messages, November 2025 to late April 2026), which documents its use of known flaws in VMware Aria Operations, Fortinet, Cisco, and Microsoft software and a clear division of roles among members.
organisation
VMware Aria Operations
Chat database used by the group - comprising 3,366 messages between November 2025 and late April 2026 - has shed further light on the group's inner workings, including its use of known security flaws in VMware Aria Operations, Fortinet, Cisco, and Microsoft software, while painting a picture of a criminal enterprise whose members have a clear division of roles and responsibilities.
general_metric
3,366 messages
Chat database used by the group - comprising 3,366 messages between November 2025 and late April 2026 - has shed further light on the group's inner workings, including its use of known security flaws in VMware Aria Operations, Fortinet, Cisco, and Microsoft software, while painting a picture of a criminal enterprise whose members have a clear division of roles and responsibilities.
general_metric
late April 2026
Chat database used by the group - comprising 3,366 messages between November 2025 and late April 2026 - has shed further light on the group's inner workings, including its use of known security flaws in VMware Aria Operations, Fortinet, Cisco, and Microsoft software, while painting a picture of a criminal enterprise whose members have a clear division of roles and responsibilities.
March 2026
Hunt.io discovered an open directory at 176.120.22[.]127:80 on the Russian bulletproof hosting provider Proton66 that exposed 126 files, a complete ransomware operator toolkit attributed to a Gentlemen RaaS affiliate.
tactic
Ransomware
In March 2026, Hunt.io said it discovered an open directory hosted at "176.120.22[.]127:80" on the Russian bulletproof hosting provider Proton66 that exposed 126 files containing a complete ransomware operator toolkit attributed to a Gentlemen RaaS affiliate.
target_region
Russian Federation
In March 2026, Hunt.io said it discovered an open directory hosted at "176.120.22[.]127:80" on the Russian bulletproof hosting provider Proton66 that exposed 126 files containing a complete ransomware operator toolkit attributed to a Gentlemen RaaS affiliate.
data_breach
126 files
In March 2026, Hunt.io said it discovered an open directory hosted at "176.120.22[.]127:80" on the Russian bulletproof hosting provider Proton66 that exposed 126 files containing a complete ransomware operator toolkit attributed to a Gentlemen RaaS affiliate.
April 2026
The Gentlemen emerged as one of the most active ransomware actors, accounting for 10% of ransomware activity in April 2026.
tactic
Ransomware
The group has emerged as one of the most active threat actors, accounting for 10% of ransomware activity in April 2026.
general_metric
10%
The group has emerged as one of the most active threat actors, accounting for 10% of ransomware activity in April 2026.
April 30, 2026
The Gentlemen group used the infostealer to target 2GO, a Philippine logistics firm.
victims
44 listed victims
Manufacturing is the top targeted sector, followed by technology, business services, and healthcare with 44 listed victims.
financial
20 million dollars
“The leaked chats explain why: operators were told to prioritise what they called Tier 1 to 3 countries and Latin America, and to weigh operational pain over raw revenue, reasoning that a 20 million dollar utility can pay faster than a 200 million dollar manufacturer if the lock genuinely halts the business,” reads the report published by The RansomNews research team.
financial
200 million dollars
“The leaked chats explain why: operators were told to prioritise what they called Tier 1 to 3 countries and Latin America, and to weigh operational pain over raw revenue, reasoning that a 20 million dollar utility can pay faster than a 200 million dollar manufacturer if the lock genuinely halts the business,” reads the report published by The RansomNews research team.
organisation
Active Directory
Operators scanned for and exploited internet-facing vulnerabilities including the FortiOS authentication-bypass flaw CVE-2024-55591, alongside older Active Directory weaknesses like ZeroLogon and PetitPotam.
organisation
PetitPotam
Operators scanned for and exploited internet-facing vulnerabilities including the FortiOS authentication-bypass flaw CVE-2024-55591, alongside older Active Directory weaknesses like ZeroLogon and PetitPotam.
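Exploitation of the FortiOS authentication bypass CVE-2024-55591 named above leaves a recognisable trace: Fortinet's advisory lists successful administrative logins that the device attributes to the "jsconsole" interface, arriving from an unexpected source IP and followed by admin-account or policy changes, among its indicators. The hunt below is an added example and not code from Fortinet or from any report cited on this page. The log lines are constructed approximations of FortiGate key=value syslog (field names such as logdesc, ui, srcip, cfgpath and cfgobj follow that format, but every value is made up), and the trusted admin network is an assumption you would replace with your own.

```python
"""Hunt FortiGate event logs for the CVE-2024-55591 intrusion pattern.

The authentication bypass is followed in practice by an admin login that the
device attributes to the "jsconsole" interface, coming from whatever address
the attacker used, and then by configuration changes such as new super_admin
accounts. Log lines here are constructed approximations of FortiGate
key=value syslog, not captured data.
"""
import ipaddress
import re
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def event_time(rec):
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def hunt_cve_2024_55591(lines, trusted_admin_networks=(), window=timedelta(minutes=30)):
    """Return suspicious jsconsole admin logins, each with any system.admin
    changes made from the same source address within `window` afterwards."""
    trusted = [ipaddress.ip_network(n) for n in trusted_admin_networks]
    records = [parse_kv(line) for line in lines if line.strip()]
    findings = []
    for rec in records:
        if rec.get("logdesc") != "Admin login successful":
            continue
        if rec.get("ui", "").lower() != "jsconsole":
            continue
        try:
            src = ipaddress.ip_address(rec.get("srcip", ""))
        except ValueError:
            src = None
        if src is not None and any(src in net for net in trusted):
            continue  # console-style login from an approved admin network: review, don't alert
        t0 = event_time(rec)
        admin_changes = [
            r.get("cfgobj", "?") for r in records
            if "date" in r and "time" in r
            and r.get("cfgpath") == "system.admin"
            and r.get("srcip") == rec.get("srcip")
            and t0 <= event_time(r) <= t0 + window
        ]
        findings.append({
            "time": t0.isoformat(),
            "user": rec.get("user"),
            "srcip": rec.get("srcip"),
            "admin_accounts_touched": admin_changes,
            "severity": "high" if admin_changes else "medium",
        })
    return findings


# Constructed sample: a normal HTTPS admin login, a jsconsole login from an
# outside address that then creates a super_admin account, and a jsconsole
# login from inside the admin network that does nothing further.
SAMPLE_LOGS = [
    'date=2026-05-01 time=09:14:02 logid="0100032001" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success"',
    'date=2026-05-01 time=10:22:41 logid="0100032001" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=203.0.113.55 dstip=198.51.100.9 action="login" status="success"',
    'date=2026-05-01 time=10:23:10 logid="0100044547" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole" srcip=203.0.113.55 '
    'cfgpath="system.admin" cfgobj="qxz7t" cfgattr="accprofile[super_admin]" msg="Edit system.admin qxz7t"',
    'date=2026-05-01 time=14:05:33 logid="0100032001" type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin login successful" user="netops" ui="jsconsole" method="jsconsole" '
    'srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success"',
]

if __name__ == "__main__":
    for finding in hunt_cve_2024_55591(SAMPLE_LOGS, trusted_admin_networks=("10.0.0.0/8",)):
        print(finding)
```

Run it over the device's event logs for the window before it was patched. A jsconsole login from any address outside your management network deserves review on its own, and one followed by a system.admin change from the same source should be treated as a compromised appliance: rotate its credentials and inspect its configuration and policies rather than just patching.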
2026/05/12
Threat actors used a Gentlemen group affiliate to exploit vulnerabilities in Rocket's internal systems and infect its users with infostealers.
May 2026
The Gentlemen group's internal chat logs were leaked, revealing nine core members and access models built using AI-assisted tooling.
June 13, 2026
By June 13, 2026, The Gentlemen's dark-web leak site listed 483 victims, 380 of them added in 2026 alone.
tactic
Ransomware
The Gentlemen surfaced as a ransomware operation in September 2025 and by June 13, 2026 had listed 483 victims on their dark-web leak site, 380 of them in 2026 alone.
victims
483 victims
The Gentlemen surfaced as a ransomware operation in September 2025 and by June 13, 2026 had listed 483 victims on their dark-web leak site, 380 of them in 2026 alone.
general_metric
380 leak site
The Gentlemen surfaced as a ransomware operation in September 2025 and by June 13, 2026 had listed 483 victims on their dark-web leak site, 380 of them in 2026 alone.
2026/06/15
Phantom Mantis, the former affiliate crew that became The Gentlemen, runs a multi-channel extortion operation and uses red team utilities like NetExec and RelayKing inside victim networks before deploying its ransomware.
victims
483 victims
Infostealers, AI, and a 90% Affiliate Cut Fuel The Gentlemen group’s Rise
The Gentlemen ransomware used infostealer credentials, AI tools, and affiliates to hit 483 victims across 66 countries in under a year.
victims
478 Victims
The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm.
organisation
LockBit
A new analysis of The Gentlemen operation has revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis).
infrastructure
Windows
Phantom Mantis provides five versions of ransomware that are designed for Windows, Linux, ESXi, Windows XP+, and Logical Volume Manager (LVM).
Microsoft, which is tracking the cluster under the moniker Storm-2697, said the ransomware is written in Go and obfuscated with Garble to target the Windows environment.
The attacks also attempt to clear System, Application, and Security Windows Event Logs, disable Microsoft Defender, and add antivirus exclusions.
infrastructure
Linux
Phantom Mantis provides five versions of ransomware that are designed for Windows, Linux, ESXi, Windows XP+, and Logical Volume Manager (LVM).
organisation
Logical Volume
Phantom Mantis provides five versions of ransomware that are designed for Windows, Linux, ESXi, Windows XP+, and Logical Volume Manager (LVM).
organisation
Microsoft
Microsoft, which is tracking the cluster under the moniker Storm-2697, said the ransomware is written in Go and obfuscated with Garble to target the Windows environment.
organisation
ZeroFox
According to ZeroFox, the ransomware crew likely runs a multi-channel extortion operation, combining ransomware attacks with email outreach and phone-based pressure tactics targeting victims.
organisation
affiliates
The group courts affiliates with an aggressive profit-sharing model: 90% for affiliates and 10% for the operator.
vulnerability
CVE-2025-32433, CVE-2025-33073
Image Source: Ransom-ISAC
"The group actively tracks and evaluates modern vulnerabilities, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073, and combines them with technique-driven paths like backup and management-controller abuse and NTLM relay workflows, giving them a flexible exploitation pipeline," Check Point said.
organisation
NTLM
Image Source: Ransom-ISAC
"The group actively tracks and evaluates modern vulnerabilities, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073, and combines them with technique-driven paths like backup and management-controller abuse and NTLM relay workflows, giving them a flexible exploitation pipeline," Check Point said.
organisation
ArmCorp
According to a detailed report published by PRODAFT, the group, which it tracks as Phantom Mantis, is led by a Russian-speaking cybercriminal it calls LARVA-368, who goes by the online aliases hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte.
organisation
Infection
Infection chains involve the use of red team utilities like NetExec, RelayKing, TaskHound, PrivHound, and CertiHound to perform Active Directory discovery, certificate abuse, privilege escalation, and file share discovery.
organisation
NetExec
Infection chains involve the use of red team utilities like NetExec, RelayKing, TaskHound, PrivHound, and CertiHound to perform Active Directory discovery, certificate abuse, privilege escalation, and file share discovery.
organisation
TaskHound
Infection chains involve the use of red team utilities like NetExec, RelayKing, TaskHound, PrivHound, and CertiHound to perform Active Directory discovery, certificate abuse, privilege escalation, and file share discovery.
organisation
PrivHound
Infection chains involve the use of red team utilities like NetExec, RelayKing, TaskHound, PrivHound, and CertiHound to perform Active Directory discovery, certificate abuse, privilege escalation, and file share discovery.
organisation
CertiHound
Infection chains involve the use of red team utilities like NetExec, RelayKing, TaskHound, PrivHound, and CertiHound to perform Active Directory discovery, certificate abuse, privilege escalation, and file share discovery.
organisation
System
The attacks also attempt to clear System, Application, and Security Windows Event Logs, disable Microsoft Defender, and add antivirus exclusions.
organisation
Security Windows Event Logs
The attacks also attempt to clear System, Application, and Security Windows Event Logs, disable Microsoft Defender, and add antivirus exclusions.
organisation
Microsoft Defender
The attacks also attempt to clear System, Application, and Security Windows Event Logs, disable Microsoft Defender, and add antivirus exclusions.
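The three defense-evasion steps just listed (clearing the System, Application and Security logs, disabling Defender, adding exclusions) map to well-known Windows event IDs, and the useful signal is their clustering on one host rather than any single event, since administrators do clear logs and add exclusions. The correlator below is an added example, not code from Microsoft or from any report cited on this page. The event records are constructed, and the mapping assumes the standard channels: Security 1102 and System 104 for cleared logs, Defender/Operational 5001, 5010 and 5012 for protection being switched off, and Defender/Operational 5007 whose message carries an Exclusions registry path for a new exclusion. Process-creation events (Security 4688 with command-line auditing, or Sysmon 1) carrying the wevtutil or PowerShell commands that cause those changes are treated as a fourth category.

```python
"""Correlate Windows defense-evasion events that precede ransomware deployment.

Each step is individually noisy; the signal is several of them on one host
within a few minutes. Event records below are constructed; the channel and
event-ID mapping is the standard one for Windows and Microsoft Defender.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
SYSMON = "Microsoft-Windows-Sysmon/Operational"

# (tool, required argument fragment) pairs, matched case-insensitively against
# process command lines from Security 4688 (command-line auditing on) or Sysmon 1.
TAMPER_COMMANDS = (
    ("wevtutil", " cl "),                               # wevtutil cl Security
    ("clear-eventlog", ""),                             # PowerShell cmdlet
    ("set-mppreference", "disablerealtimemonitoring"),
    ("add-mppreference", "exclusion"),                  # -ExclusionPath / -ExclusionProcess / -ExclusionExtension
)


def classify(ev):
    """Map one event record to a tamper category, or None if it is not one."""
    ch, eid = ev["channel"], ev["event_id"]
    msg = ev.get("message", "")
    if (ch, eid) in (("Security", 1102), ("System", 104)):
        return "log_cleared"              # audit log cleared / event log cleared
    if ch == DEFENDER and eid in (5001, 5010, 5012):
        return "protection_disabled"      # real-time protection or scanning switched off
    if ch == DEFENDER and eid == 5007 and "\\Exclusions\\" in msg:
        return "exclusion_added"          # configuration change under Exclusions\Paths|Processes|Extensions
    if (ch, eid) in (("Security", 4688), (SYSMON, 1)):
        cmd = ev.get("command_line", "").lower()
        if any(tool in cmd and arg in cmd for tool, arg in TAMPER_COMMANDS):
            return "tamper_command"
    return None


def correlate(events, window=timedelta(minutes=10)):
    """Cluster tamper events per host; two or more distinct categories in a window rate high."""
    by_host = defaultdict(list)
    for ev in events:
        cat = classify(ev)
        if cat:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), cat, ev["event_id"]))
    alerts = []
    for host, items in by_host.items():
        items.sort()
        i = 0
        while i < len(items):
            t0 = items[i][0]
            cluster = [it for it in items[i:] if it[0] - t0 <= window]  # contiguous, since sorted
            cats = sorted({c for _, c, _ in cluster})
            alerts.append({
                "host": host,
                "start": t0.isoformat(),
                "categories": cats,
                "event_ids": [e for _, _, e in cluster],
                "severity": "high" if len(cats) >= 2 else "low",
            })
            i += len(cluster)
    return alerts


# Constructed sample: one workstation shows the full pre-encryption sequence in
# six minutes; a file server shows a single routine log clear plus unrelated noise.
SAMPLE_EVENTS = [
    {"host": "WS-ACCT-07", "time": "2026-04-12T02:14:05", "channel": "Security", "event_id": 4688,
     "command_line": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "WS-ACCT-07", "time": "2026-04-12T02:14:06", "channel": DEFENDER, "event_id": 5001,
     "message": "Microsoft Defender Antivirus Real-time Protection scanning for malware has been disabled."},
    {"host": "WS-ACCT-07", "time": "2026-04-12T02:14:31", "channel": DEFENDER, "event_id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Windows\\Temp = 0x0"},
    {"host": "WS-ACCT-07", "time": "2026-04-12T02:19:48", "channel": "Security", "event_id": 1102,
     "message": "The audit log was cleared."},
    {"host": "WS-ACCT-07", "time": "2026-04-12T02:19:49", "channel": "System", "event_id": 104,
     "message": "The System log file was cleared."},
    {"host": "SRV-FILE-02", "time": "2026-04-12T09:30:00", "channel": "System", "event_id": 104,
     "message": "The Application log file was cleared."},
    {"host": "SRV-FILE-02", "time": "2026-04-12T09:31:00", "channel": "Security", "event_id": 4624,
     "message": "An account was successfully logged on."},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Feed it the result of a SIEM query for those event IDs. Widening the window to 30 minutes catches slower hands-on-keyboard operators at the cost of more admin-maintenance false positives, and the tamper_command category only fires where command-line auditing or Sysmon is deployed, so its absence is not evidence that the commands were not run.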
infrastructure
Fortigate
Initial access is obtained via edge devices such as VPN appliances, firewalls, and other internet-facing systems, with a specific focus on platforms like Cisco and Fortinet FortiGate.
organisation
The Hacker News
PRODAFT told The Hacker News that its findings match the same persona with "high confidence."
organisation
Pestilent Mantis
"Although Phantom Mantis was a very active affiliate group with over 20 targets registered on its affiliate panel in less than 30 days, the group's admin (LARVA-368) and LARVA-367 (aka DevMan), a former Phantom Mantis member, claimed that Pestilent Mantis was scamming affiliates and that there was an alleged 'backdoor' within the Pestilent Mantis's affiliate panel victim chats," PRODAFT noted.
victims
20 targets
"Although Phantom Mantis was a very active affiliate group with over 20 targets registered on its affiliate panel in less than 30 days, the group's admin (LARVA-368) and LARVA-367 (aka DevMan), a former Phantom Mantis member, claimed that Pestilent Mantis was scamming affiliates and that there was an alleged 'backdoor' within the Pestilent Mantis's affiliate panel victim chats," PRODAFT noted.
organisation
NCC Group
"The Gentlemen follows an enterprise-focused chain beginning with initial access, via vulnerable internet-facing services or stolen credentials," NCC Group said.
organisation
EDR
LARVA-368 uses The Gentlemen IM app accounts to support affiliates regarding encryption and any intrusion-related issue, such as providing EDR killers to bypass security solutions via the bring your own vulnerable driver (BYOVD) technique.
organisation
VMware
The average dwell time of an intrusion ranges from two to six weeks from initial access to encryption, with the group particularly focusing on organizations running VMware infrastructure.
data_breach
1 GB
Potential affiliates are required to provide the administrator at least 1GB of data exfiltrated from a victim to gain access to the affiliate panel, a tactic designed to prevent researchers and law enforcement authorities from gaining access to the infrastructure under the guise of an affiliate.
Tactical Metrics
victims: 44 listed victims
Manufacturing is the top targeted sector, followed by technology, business services, and healthcare with 44 listed victims.
victims: 483 victims
Infostealers, AI, and a 90% Affiliate Cut Fuel The Gentlemen group’s Rise. The Gentlemen ransomware used infostealer credentials, AI tools, and affiliates to hit 483 victims across 66 countries in under a year. The Gentlemen surfaced as a ransomware operation in September 2025 and by June 13, 2026 had listed 483 victims on their dark-web leak site, 380 of them in 2026 alone. The result is 483 victims across 66 countries in under a year, assembled by a team small enough to share one table.
financial: 20,000,000 dollars
“The leaked chats explain why: operators were told to prioritise what they called Tier 1 to 3 countries and Latin America, and to weigh operational pain over raw revenue, reasoning that a 20 million dollar utility can pay faster than a 200 million dollar manufacturer if the lock genuinely halts the business,” reads the report published by The RansomNews research team.
financial: 200,000,000 dollars
“The leaked chats explain why: operators were told to prioritise what they called Tier 1 to 3 countries and Latin America, and to weigh operational pain over raw revenue, reasoning that a 20 million dollar utility can pay faster than a 200 million dollar manufacturer if the lock genuinely halts the business,” reads the report published by The RansomNews research team.
data_breach: 126 files
In March 2026, Hunt.io said it discovered an open directory hosted at "176.120.22[.]127:80" on the Russian bulletproof hosting provider Proton66 that exposed 126 files containing a complete ransomware operator toolkit attributed to a Gentlemen RaaS affiliate.
victims: 478 victims
The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm. The Gentlemen is known to be active since March 2025, claiming a total of 478 victims to date, per data from Ransomware.
infrastructure (affected product): Windows
Phantom Mantis provides five versions of ransomware that are designed for Windows, Linux, ESXi, Windows XP+, and Logical Volume Manager (LVM). Microsoft, which is tracking the cluster under the moniker Storm-2697, said the ransomware is written in Go and obfuscated with Garble to target the Windows environment. The attacks also attempt to clear System, Application, and Security Windows Event Logs, disable Microsoft Defender, and add antivirus exclusions.
infrastructure (affected product): Linux
Phantom Mantis provides five versions of ransomware that are designed for Windows, Linux, ESXi, Windows XP+, and Logical Volume Manager (LVM).
infrastructure (affected product): FortiGate
Initial access is obtained via edge devices such as VPN appliances, firewalls, and other internet-facing systems, with a specific focus on platforms like Cisco and Fortinet FortiGate.
victims: 20 targets
"Although Phantom Mantis was a very active affiliate group with over 20 targets registered on its affiliate panel in less than 30 days, the group's admin (LARVA-368) and LARVA-367 (aka DevMan), a former Phantom Mantis member, claimed that Pestilent Mantis was scamming affiliates and that there was an alleged 'backdoor' within the Pestilent Mantis's affiliate panel victim chats," PRODAFT noted.
data_breach: 1 GB
Potential affiliates are required to provide the administrator at least 1GB of data exfiltrated from a victim to gain access to the affiliate panel, a tactic designed to prevent researchers and law enforcement authorities from gaining access to the infrastructure under the guise of an affiliate.
Intelligence Sources
The Hacker News, 2026-06-11
The Hacker News, 2026-06-11
Security Affairs, 2026-06-15
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:14
Comprehensive Tactical Telemetry
Highly Correlated Entities
31x organisation (Identified Entity): SecurityAffairs
17x timeline (Temporal Reference): September 2025
13x target region (Target Country): United States
6x industry (Targeted Sector): Manufacturing
6x tactic (Cyber Operation Type): Ransomware
5x general metric (%): 15%
3x malware (Malware Payload): Qilin
3x vulnerability (Exploited CVE): CVE-2024-55591
3x infrastructure (Affected Product): Windows
2x victims (Victims): 483
2x general metric (Countries): 66
2x financial (Dollar): 20,000,000
Contextual Telemetry
Context Block (10 metrics)
victims (Listed Victims): 44
general metric (Session Tokens): 38
general metric (Leak Site): 380
target region (Target Region): LATAM
data breach (Files): 126
source region (Origin Country): Switzerland
victims (Targets): 20
general metric (Comprising Messages): 3,366
general metric (Late April): 2026
data breach (GB): 1