Also known as: Gentlemen Spiders, The Gentlemen Cybercrime Group, Storm-2697, LARVA-368, Phantom Mantis, hastalamuerte, zeta88, ArmCorp
Profile generated with AI assistance — review before citing.
Spearphishing Attachment
Send targeted emails with malicious file attachments to gain initial access.
Spearphishing Link
Send targeted emails with malicious links to credential harvesting or exploit pages.
Valid Accounts
Use legitimate credentials to authenticate and gain access.
Exploit Public-Facing Application
Exploit vulnerabilities in internet-facing applications to gain access.
External Remote Services
Abuse remote services like VPNs or RDP to gain access to the network.
Data Encrypted for Impact
Encrypt victim data to disrupt availability, typically for ransom.
Inhibit System Recovery
Delete backups, shadow copies, or recovery partitions to prevent restoration.
Service Stop
Stop critical services to disrupt operations or aid in data destruction.
Defacement
Modify visual content on websites or systems to deliver messaging.
Data Destruction
Destroy data and files on victim systems to disrupt operations.
Malware used by The Gentlemen.
Legitimate tool used by The Gentlemen.
Legitimate tool used by The Gentlemen.
Legitimate tool used by The Gentlemen.
Legitimate tool used by The Gentlemen.
Legitimate tool used by The Gentlemen.
Legitimate tool used by The Gentlemen.
Legitimate tool used by The Gentlemen.
Legitimate tool used by The Gentlemen.
Malware used by The Gentlemen.
Legitimate tool used by The Gentlemen.
Malware used by The Gentlemen.
Malware used by The Gentlemen.
Malware used by The Gentlemen.
| Domain / Host | Description | Status |
|---|---|---|
| gentlemen-support[.]onion | TOR-based negotiation and ransom payment portal | unknown |
| gentlemensecure[.]onion | Data leak site hosting stolen information | unknown |
| hxxp | Ransom note URL directing victims to decryption portal | unknown |
Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.