---
title: "The Gentlemen"
type: "threat_actor"
source: "Mallory Threat Intelligence"
url: "https://mallory.ai/actors/019abb07-733a-7e38-ae2d-cd735f8140b3"
---

# The Gentlemen

| Field | Value |
| --- | --- |
| Also known as | the_gentlemen, Phantom Mantis (PRODAFT), Storm-2697 (Microsoft) |
| Updated | 2026-07-02 |

## Overview

The Gentlemen is a financially motivated ransomware-as-a-service (RaaS) operation that emerged in mid-to-late 2025 and rapidly became one of the most active ransomware groups by victim count in 2026. Multiple reports describe it as having splintered from the Qilin ecosystem after a payment dispute, with prior lineage tied to the ArmCorp affiliate crew; PRODAFT tracks the operation as Phantom Mantis and Microsoft tracks it as Storm-2697. The group runs an aggressive affiliate model, repeatedly described as paying affiliates 90% of ransom proceeds, and has recruited experienced operators from other ransomware programs including DragonForce, LockBit, and other established crews. Leaked internal material indicates a nine-member core team, centralized target distribution, and centralized support for affiliates.

Targeting is global and sector-agnostic: critical infrastructure, manufacturing, healthcare, energy, government, transportation, education, financial services, IT services, construction, logistics, and business services. Reported victim geography spans dozens of countries, with repeated mentions of Thailand, Brazil, the United States, the United Kingdom, France, Germany, India, China, Indonesia, and Taiwan. The group claimed responsibility for the June 2026 attack on Mackay Sugar in Australia.

Reported initial access methods include exploitation of internet-facing systems and edge devices, especially VPNs and firewalls (including Fortinet and Cisco appliances); unpatched VPNs, exposed RDP, remote management tools, and stolen or weak credentials; and likely cooperation with initial access brokers. Specific reporting also cites credentials harvested by infostealers, abuse of compromised Outlook Web Access accounts, and exploitation of Active Directory weaknesses and certificate services misconfigurations in at least one intrusion.

Observed tradecraft includes living-off-the-land techniques and legitimate administrative tools such as PsExec and AnyDesk; internal reconnaissance with SharpADWS, NetScan, Advanced IP Scanner, LDAP enumeration, and netsh packet capture; lateral movement via Group Policy, NETLOGON, PsExec, and worm-like self-propagation; and data exfiltration for double extortion. The extortion model relies on both encryption and data theft, and leaked chats expose negotiation tactics and the use of stolen data to pressure victims.

A defining characteristic of The Gentlemen is extensive defense evasion through bring-your-own-vulnerable-driver (BYOVD) techniques to disable EDR and AV products. Reporting states the group centrally equips affiliates with a standardized EDR-killer suite led by the in-house GentleKiller framework, with multiple variants abusing vulnerable or malicious kernel drivers and targeting hundreds of security-related processes across dozens of products. Additional tooling observed in Gentlemen intrusions includes HexKiller, ThrottleBlood, HavocKiller, Windows Kernel Explorer, and OpenArk64; intrusions also featured attempts to disable Microsoft Defender and uninstall Kaspersky. One incident described abuse of the Kontron ktapi.sys driver to gain kernel-level capabilities and terminate protected EDR processes. Because a BYOVD driver is by definition legitimately signed, a valid signature is not evidence of benign intent; detection rests on driver-load telemetry (for example Sysmon Event ID 6 checked against a vulnerable-driver block list) and on the burst of security-process terminations that follows the load.

The ransomware tooling includes a mature cross-platform Go-based locker for Windows, Linux, ESXi, NAS, and BSD, plus a smaller C-based ESXi locker and an emerging Windows-focused C-based ransomware implant. The Go variant uses X25519 (Curve25519) key agreement with XChaCha20 for file encryption, supports self-propagation and GPO-based deployment, and can stop VMs and services, alter ACLs, remove shadow copies, clear event logs, and wipe free space. It drops README-GENTLEMEN.txt ransom notes and sometimes changes the victim desktop wallpaper. A custom Go backdoor communicating with 81.177.215.15:9443 was also observed in at least one intrusion.

Reporting also states that The Gentlemen uses AI-assisted tooling, specifically ChatGPT, Gemini, and Claude for development; leaked chats support that usage and discuss open-weight models for coding and for analysis of stolen data. Attribution reporting links the group's founder and administrator, who has used the aliases hastalamuerte, Zeta88, ArmCorp, nobody0, santamuerte, and bu4vs, to Russian national Alexander Andreevich Yapaev of Izhevsk, Russia; PRODAFT tracks this persona as LARVA-368. The Gentlemen is described as a Russian-speaking cybercrime operation rather than a state actor.
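The following is an added example, not code from the Mallory page or from any reporting on The Gentlemen. It turns the behaviours described above into a small triage pass over Sysmon-style events from one host: a known-vulnerable driver load (the ktapi.sys named on this page) or any driver loaded from outside the drivers directory, a burst of security-product process exits shortly after a driver load (the EDR-killer signal), shadow-copy deletion and event-log clearing, the 81.177.215.15:9443 backdoor connection, and creation of README-GENTLEMEN.txt. The sample events, the process names backdoor.exe and locker.exe, the 120-second window and the threshold of two terminated security processes are all assumptions made for illustration; MsMpEng.exe and avp.exe are the engine processes of the two products the page names (Microsoft Defender and Kaspersky).

```python
"""Added example, not from the Mallory page or The Gentlemen's own code:
rule-based triage of Sysmon-style events for the behaviours described in
this profile. All sample events are constructed for illustration."""
import re
from datetime import datetime, timedelta

# Indicators stated in the profile.
KNOWN_C2 = {("81.177.215.15", 9443)}
RANSOM_NOTE = "readme-gentlemen.txt"
VULN_DRIVERS = {"ktapi.sys"}  # Kontron driver abused per the profile; extend from a BYOVD block list
# Engine processes of the products the profile names (Defender, Kaspersky); extend per estate.
SECURITY_PROCS = {"msmpeng.exe", "avp.exe"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Command-line rules: recovery inhibition (T1490), log clearing (T1070.001), free-space wiping.
CMD_RULES = [
    ("vssadmin-delete-shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit-recovery-off", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
    ("wevtutil-clear-log", re.compile(r"wevtutil(\.exe)?\s+cl\s+\S", re.I)),
    ("cipher-wipe-free-space", re.compile(r"cipher(\.exe)?\s+/w:", re.I)),
]
KILL_WINDOW = timedelta(seconds=120)  # assumed: driver load -> security-process exits
KILL_THRESHOLD = 2                     # assumed: distinct security processes gone in the window


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def triage(events):
    """Return [(UtcTime, tag), ...] for one host's Sysmon-style events (dicts)."""
    findings, loads, exits, burst_done = [], [], {}, False
    for e in sorted(events, key=lambda ev: _ts(ev["UtcTime"])):
        t, eid, when = _ts(e["UtcTime"]), e["EventID"], e["UtcTime"]
        if eid == 6:  # DriverLoad; a valid signature is not evidence of benignity for BYOVD
            drv = _basename(e["ImageLoaded"])
            loads.append((t, drv))
            if drv in VULN_DRIVERS:
                findings.append((when, f"byovd:{drv}"))
            if not e["ImageLoaded"].lower().startswith(DRIVER_DIR):
                findings.append((when, f"driver-load:nonstandard-path:{drv}"))
        elif eid == 5:  # ProcessTerminate; EDR killers show as a burst of security-process exits
            img = _basename(e["Image"])
            if img not in SECURITY_PROCS:
                continue
            exits[img] = t
            recent_drv = [d for lt, d in loads if timedelta(0) <= t - lt <= KILL_WINDOW]
            recent_exit = sorted(p for p, et in exits.items() if t - et <= KILL_WINDOW)
            if recent_drv and len(recent_exit) >= KILL_THRESHOLD and not burst_done:
                burst_done = True
                findings.append((when, "edr-kill-burst:%s:after:%s"
                                 % (",".join(recent_exit), ",".join(recent_drv))))
        elif eid == 1:  # ProcessCreate
            for name, pat in CMD_RULES:
                if pat.search(e.get("CommandLine", "")):
                    findings.append((when, f"cmd:{name}"))
        elif eid == 3:  # NetworkConnect
            dst = (e["DestinationIp"], int(e["DestinationPort"]))
            if dst in KNOWN_C2:
                findings.append((when, f"c2:{dst[0]}:{dst[1]}"))
        elif eid == 11:  # FileCreate
            if _basename(e["TargetFilename"]) == RANSOM_NOTE:
                findings.append((when, f"ransom-note:{RANSOM_NOTE}"))
    return findings


# Constructed sample, not real telemetry; backdoor.exe and locker.exe are hypothetical names.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-06-01 02:10:00", "EventID": 6, "ImageLoaded": r"C:\Windows\Temp\ktapi.sys"},
    {"UtcTime": "2026-06-01 02:10:05", "EventID": 5, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"UtcTime": "2026-06-01 02:10:06", "EventID": 5, "Image": r"C:\Program Files (x86)\Kaspersky Lab\avp.exe"},
    {"UtcTime": "2026-06-01 02:11:00", "EventID": 1, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"UtcTime": "2026-06-01 02:11:02", "EventID": 1, "CommandLine": "wevtutil cl Security"},
    {"UtcTime": "2026-06-01 02:12:00", "EventID": 3, "Image": r"C:\Users\Public\backdoor.exe",
     "DestinationIp": "81.177.215.15", "DestinationPort": "9443"},
    {"UtcTime": "2026-06-01 02:15:00", "EventID": 11, "Image": r"C:\Users\Public\locker.exe",
     "TargetFilename": r"C:\Users\alice\Documents\README-GENTLEMEN.txt"},
    {"UtcTime": "2026-06-01 02:15:30", "EventID": 1, "CommandLine": "notepad.exe report.txt"},  # benign control
]

if __name__ == "__main__":
    for when, tag in triage(SAMPLE_EVENTS):
        print(when, tag)
```

Run it as-is to print the findings for the constructed sample; in practice feed it per-host events parsed from a Sysmon export. The driver-load rule is deliberately broad because BYOVD drivers carry valid signatures, so a Signed=true field is not evidence of benignity; pair it with a maintained vulnerable-driver hash list and tune the window and threshold to how often legitimate updates restart your security agents.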

## Associated malware (9)

- The Gentlemen
- PsExec
- EtherRAT
- TukTuk
- HexKiller
- HavocKiller
- ThrottleBlood
- GentleKiller
- SYSTEMBC

## Exploited vulnerabilities (5)

- CVE-2021-36942 (PetitPotam: Windows LSA spoofing, EFSRPC-triggered NTLM relay; exploited in the wild)
- CVE-2024-55591 (Fortinet FortiOS and FortiProxy authentication bypass; exploited in the wild)
- CVE-2020-1472 (Zerologon: Netlogon elevation of privilege; exploited in the wild)
- CVE-2025-33073 (Windows SMB client elevation of privilege via NTLM reflection; exploited in the wild)
- CVE-2025-32433 (Erlang/OTP SSH server unauthenticated remote code execution; exploited in the wild)

The Fortinet and Erlang/OTP bugs are edge-device entry points, consistent with the reported VPN and firewall targeting; the three Windows issues are authentication weaknesses used once inside the network to reach domain-admin, consistent with the reported abuse of Active Directory and certificate services.

## MITRE ATT&CK techniques (58)

- `T1570` Lateral Tool Transfer
- `T1486` Data Encrypted for Impact
- `T1133` External Remote Services
- `T1112` Modify Registry
- `T1190` Exploit Public-Facing Application
- `T1021` Remote Services
- `T1657` Financial Theft
- `T1078` Valid Accounts
- `T1068` Exploitation for Privilege Escalation
- `T1562.001` Disable or Modify Tools
- `T1106` Native API
- `T1489` Service Stop
- `T1562` Impair Defenses
- `T1040` Network Sniffing
- `T1059` Command and Scripting Interpreter
- `T1018` Remote System Discovery
- `T1222` File and Directory Permissions Modification
- `T1090` Proxy
- `T1082` System Information Discovery
- `T1070` Indicator Removal
- `T1033` System Owner/User Discovery
- `T1059.001` PowerShell
- `T1059.003` Windows Command Shell
- `T1482` Domain Trust Discovery
- `T1484.001` Group Policy Modification
- `T1016` System Network Configuration Discovery
- `T1497` Virtualization/Sandbox Evasion
- `T1071` Application Layer Protocol
- `T1547.001` Registry Run Keys / Startup Folder
- `T1518` Software Discovery
- `T1053` Scheduled Task/Job
- `T1046` Network Service Discovery
- `T1490` Inhibit System Recovery
- `T1087` Account Discovery
- `T1105` Ingress Tool Transfer
- `T1588.003` Code Signing Certificates
- `T1036` Masquerading
- `T1027.002` Software Packing
- `T1539` Steal Web Session Cookie
- `T1027` Obfuscated Files or Information
- `T1211` Exploitation for Defense Evasion
- `T1553.002` Code Signing
- `T1070.004` File Deletion
- `T1583` Acquire Infrastructure
- `T1649` Steal or Forge Authentication Certificates
- `T1041` Exfiltration Over C2 Channel
- `T1110.003` Password Spraying
- `T1047` Windows Management Instrumentation
- `T1021.002` SMB/Windows Admin Shares
- `T1048` Exfiltration Over Alternative Protocol
- `T1003.006` DCSync
- `T1555` Credentials from Password Stores
- `T1021.001` Remote Desktop Protocol
- `T1070.001` Clear Windows Event Logs
- `T1136.002` Domain Account
- `T1567` Exfiltration Over Web Service
- `T1537` Transfer Data to Cloud Account
- `T1586.002` Email Accounts

---

*Canonical page: https://mallory.ai/actors/019abb07-733a-7e38-ae2d-cd735f8140b3*
*Live, continuously-updated view in the Mallory app: https://app.mallory.ai/actors/019abb07-733a-7e38-ae2d-cd735f8140b3*

Mallory is an agentic threat-intelligence platform. This page is the public view; Mallory correlates the same intelligence against your assets, vendors, and active adversary campaigns. Start a free trial at https://mallory.ai/pricing.