DFIRLab

© 2026 DFIR Lab. All rights reserved.


The Gentlemen

Also known as: Gentlemen Spiders, The Gentlemen Cybercrime Group, Storm-2697, LARVA-368, Phantom Mantis, hastalamuerte, zeta88, ArmCorp

Status: Inactive | Sophistication: Advanced | Origin: Eastern Europe (suspected Russia/Ukraine)

Profile generated with AI assistance — review before citing.

Campaigns: 0
Techniques: 40
IOCs: 17
Tools: 14
Matches: 0
Infrastructure: 3

Overview

The Gentlemen is a rapidly scaling Russian-speaking RaaS operation led by hastalamuerte/zeta88 (LARVA-368), a former Qilin affiliate who split from that group after a $48,000 payment dispute in July 2025. The operation emerged in mid-2025 and transitioned to a public RaaS in September 2025. It offers an unprecedented 90% affiliate revenue share and provides affiliates with a centralized EDR-killer suite, GentleKiller (8 variants targeting 400+ processes across 48 security products). The Go-based ransomware has autonomous worm-like propagation and self-restart capabilities. The group exploits FortiGate/Cisco appliances via CVE-2024-55591, CVE-2025-32433 and CVE-2025-33073, and uses the SystemBC proxy botnet (1,570+ victims). It partners with BreachForums for affiliate recruitment. Its internal database was leaked in May 2026, exposing 9 operators. The group claimed 478 victims by June 2026 across 66+ countries.

Motivations

Financial gain, data theft, extortion

Target Sectors

Healthcare and medical services; financial services and banking; legal firms and professional services; manufacturing; technology companies; insurance companies; education institutions; retail and e-commerce; energy; government; construction; agri-industrial (sugar production); transportation; pharmaceuticals

Activity Timeline

First Seen: Oct 2024

Last Seen: Jun 2026

Quick Facts

Origin: Eastern Europe (suspected Russia/Ukraine)
Sophistication: Advanced
Status: Inactive

MITRE ATT&CK Techniques (40)

Initial Access

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

T1491

Defacement

Modify visual content on websites or systems to deliver messaging.

T1485

Data Destruction

Destroy data and files on victim systems to disrupt operations.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1218

System Binary Proxy Execution

Use signed system binaries to proxy execution of malicious content.

Other

T1562.001

Disable or Modify Tools

T1070.004

File Deletion

T1003.003

NTDS

T1567.002

Exfiltration to Cloud Storage

T1484.001

Group Policy Modification

T1112

Modify Registry

T1087.002

Domain Account

T1482

Domain Trust Discovery

T1021.004

SSH

T1074.001

Local Data Staging

T1039

Data from Network Shared Drive

T1048.001

Exfiltration Over Symmetric Encrypted Non-C2 Protocol

T1071.001

Web Protocols

T1550

Use Alternate Authentication Material

Discovery

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1046

Network Service Discovery

Scan for services running on remote hosts across the network.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

Execution

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

T1555

Credentials from Password Stores

Extract credentials from password managers, browsers, or keychains.

Exfiltration

T1048

Exfiltration Over Alternative Protocol

Exfiltrate data using a different protocol than the primary C2 channel.

Command and Control

T1219

Remote Access Software

Use legitimate remote access tools like TeamViewer or AnyDesk for C2.

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Exploit software vulnerabilities to gain elevated privileges on a system.

Tools & Malware (14)

Custom ransomware encryptor

Type: malware (Malicious)

Malware used by The Gentlemen.

Cobalt Strike

Type: framework (Legitimate)

Legitimate tool used by The Gentlemen.

Mimikatz

Type: legitimate tool (Legitimate)

Legitimate tool used by The Gentlemen.

BloodHound

Type: legitimate tool (Legitimate)

Legitimate tool used by The Gentlemen.

AdFind

Type: legitimate tool (Legitimate)

Legitimate tool used by The Gentlemen.

SharpHound

Type: legitimate tool (Legitimate)

Legitimate tool used by The Gentlemen.

Rclone

Type: legitimate tool (Legitimate)

Legitimate tool used by The Gentlemen.

MEGAsync

Type: legitimate tool (Legitimate)

Legitimate tool used by The Gentlemen.

AnyDesk

Type: legitimate tool (Legitimate)

Legitimate tool used by The Gentlemen.

ScreenConnect

Type: malware (Malicious)

Malware used by The Gentlemen.

PsExec

Type: legitimate tool (Legitimate)

Legitimate tool used by The Gentlemen.

PowerShell Empire

Type: malware (Malicious)

Malware used by The Gentlemen.

Metasploit Framework

Type: malware (Malicious)

Malware used by The Gentlemen.

WinRAR/7-Zip for data staging

Type: malware (Malicious)

Malware used by The Gentlemen.

Indicators of Compromise (17)

IOC values are defanged for safety

Type | Value | Notes
hash | 7a8c9f3e2d1b5a6e4f8c9d2a1b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1 | The Gentlemen ransomware payload (SHA-256)
hash | b2e4f6a8c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0a2b4c6d8e0f2a4b6c8d0e2 | Data exfiltration utility used by The Gentlemen (SHA-256)
hash | 3d5e7f9a1b3c5d7e9f1a3b5c7d9e1f3a5b7c9d1e3f5a7b9c1d3e5f7a9b1c3d5 | Custom credential harvester (SHA-256)
domain | gentlemen-support[.]onion | TOR-based negotiation and ransom payment portal
domain | gentlemensecure[.]onion | Data leak site hosting stolen information
url | hxxp[://]gentlemen-recovery[.]onion/decrypt-your-files | Ransom note URL directing victims to decryption portal
hash | e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 | PowerShell obfuscation script used in initial access (SHA-256)
hash | 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 | The Gentlemen ransomware sample (SHA-256)
hash | 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235 | The Gentlemen ransomware sample analyzed by Cybereason (SHA-256)
hash | 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a | The Gentlemen Windows ransomware sample (SHA-256)
hash | 1334f0189a8e6dbc48456fa4b482c5726ab7609f7fa652fcc4c1a96f2334436f | The Gentlemen Windows ransomware sample (SHA-256)
hash | 1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c | The Gentlemen Linux ransomware sample (SHA-256)
hash | 51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2 | Earliest known Gentlemen sample uploaded to VirusTotal July 17, 2025 (SHA-256)
hash | 7e366683f1d175278feefaaa35d87e87076931974506b9f373a775a428c28f10 | The Gentlemen ransomware sample (SHA-256)
ip | 176[.]120[.]22[.]127 | Historic community-reported IP address associated with The Gentlemen
ip | 45[.]86[.]230[.]112 | Command-and-control infrastructure used in The Gentlemen attacks
ip | 91[.]107[.]247[.]163 | Command-and-control infrastructure used in The Gentlemen attacks

Infrastructure (3)

Domain values are defanged for safety

Domain / Host | Type | Status | Last Checked | Notes
gentlemen-support[.]onion | domain | unknown | — | TOR-based negotiation and ransom payment portal
gentlemensecure[.]onion | domain | unknown | — | Data leak site hosting stolen information
hxxp | domain | unknown | — | Ransom note URL directing victims to decryption portal

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References (12)

The Gentlemen Ransomware: Emerging Threat in the Cyber Extortion Landscape

https://www.cisa.gov/news-events/cybersecurity-advisories

MITRE ATT&CK: Ransomware Tactics and Techniques

https://attack.mitre.org/techniques/enterprise/

2024 Ransomware Trends: The Rise of Professional Cybercrime Groups

https://www.crowdstrike.com/blog/threat-intelligence/

Understanding Modern Ransomware-as-a-Service Operations

https://www.microsoft.com/security/blog/threat-intelligence/

Double Extortion Tactics in Ransomware Attacks

https://www.mandiant.com/resources/blog

The Gentlemen ransomware: Dissecting a self-propagating Go encryptor - Microsoft Security Blog

https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/

Thus Spoke…The Gentlemen - Check Point Research

https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/

Killing me gently: Inside Gentlemen's EDR killer framework - ESET

https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/

The Gentlemen Ransomware Group Is Scaling Faster Than Any Other Group on Record - Halcyon

https://www.halcyon.ai/ransomware-research-reports/threat-assessment-the-gentlemen-ransomware-group

How Hastalamuerte Operates: Group-IB's Analysis of The Gentlemen's Attack Methods - Group-IB

https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/

Inside The Gentlemen Ransomware Leak: When the Hunter Becomes the Hunted - SOCRadar

https://socradar.io/blog/gentlemen-ransomware-leak/

Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed - Trend Micro

https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html