TLP:WHITE — Unrestricted Distribution within the Security Community

Ransom-ISAC Technical Intelligence Report
Executive summary
JA456 is a follow-on package to the original “Gentlemen Leaks” (4 May 2026) — see Part 1: https://ransom-isac.org/blog/the-gentlemen-leak-analysis/. It appears to have been shared by the same source and was also posted on Cracked under the username n7778 (unverified).

Unlike typical leak packs focused solely on victim data, JA456 exposes operator-side artifacts: MEGA account session history and a Synology NAS shadow dump, plus screenshots taken during an apparent last-minute wipe. These artifacts provide rare visibility into tooling, timelines, and potential operator geolocation.
Why it matters / impact
- Attribution-grade infrastructure breadcrumbs: session IPs and device/tool fingerprints (MEGAsync/MEGAcmd, rclone) can be pivoted into broader infrastructure mapping and clustering.
- High-value lead: an early, pre-VPN residential Russian IP (92.39.211.142, Izhevsk/Udmurttelecom) may reflect an operator location prior to operational hardening. This IP may also be static and have been observed across multiple campaigns.
- Historical operator tooling: related infrastructure and activity have been associated with Cobalt Strike and Havoc C2 in 2023, suggesting a broader, multi-year tradecraft footprint beyond this leak set.
- Tradecraft confirmation: end-to-end exfil workflow (FortiGate access → credential tooling → lateral movement → Synology NAS staging → rclone/MEGA) aligns with modern ransomware affiliate playbooks.
- Downstream risk: confirmation of sensitive victim materials (pharma regulatory dossiers; Windows DC backup metadata including NTDS capture) indicates exposure and potential follow-on extortion/fraud risk.
What's in the package (at a glance)
- MEGA — GDPR export for a staging account used for exfiltration (sessions, IPs, tooling fingerprints).
- NAS — Synology /etc/shadow + screenshots documenting the NAS reset while exfiltration was still active.
What Is This
JA456 is a two-folder package dropped as a follow-on to the original Gentlemen Leaks. It contains data exfiltrated from the infrastructure of Zeta — a threat actor who was themselves compromised and wiped by The Gentlemen. The wider TheGentlemenLeak-main corpus confirms Zeta = The Gentlemen ransomware group, ranked #2 globally in 2026 (1,410 victims across 322 groups).
Package Contents
| Path | What it is |
|---|---|
| MEGA/gdpr-data/ | MEGA GDPR export from Zeta's staging account |
| MEGA/egypt/ | Stolen pharma regulatory docs (Egyptian pharmaceutical company) |
| MEGA/Backup_2025-07-30/ | Windows VSS backup metadata from a victim DC |
| NAS/1.txt | /etc/shadow from Zeta's Synology NAS |
| NAS/99/ | 4 screenshots — NAS kill chain |
NAS /etc/shadow (from NAS/1.txt)

- Password-hash accounts (high signal): operator and crew/user accounts with hashes present in /etc/shadow (excerpt below).
- Locked/service accounts (low signal): Synology and service accounts typically present on DSM; shown for completeness.
Accounts with password hashes (excerpt)
| Account | Hash | Notes |
|---|---|---|
| zeta88 | SHA-512 | Primary operator |
| admin | SHA-512 | |
| 3NT3R | SHA-512 | min_age=100000 — locked |
| B1d3n | SHA-512 | |
| C0CA | SHA-512 | min_age=100000 — locked |
| d0wnloAd1 | SHA-512 | |
| equal1z3r | SHA-512 | |
| F3N1X | SHA-512 | min_age=100000 — locked |
| Gblog88 | SHA-512 | |
| guest | MD5 | Weak — legacy Synology default |
| JLL | SHA-512 | |
| LDW | SHA-512 | |
| n0n3 | SHA-512 | |
| PRTGRS | SHA-512 | min_age=100000 — locked |
| W1Z | SHA-512 | |
Locked / service accounts (no login, *)
anonymous, avahi, bind, daemon, dbus, dovecot, FileStation, ftp, http, HybridShare, HybridShareSystem, HyperBackup, ldap, lp, MEGAcmd, myds, mysql, nobody, ntp, OAuthService, postfix, postgres, Python2, QuickConnect, root, rpc, sc-rclone, SecureSignIn, StorageManager, SynoFinder, synoplugind, SynoRsyncd, synotss, system, SYSTEM_ADMIN, taskmgr, tokenmgr, videodriver, vmcomm
MEGA Account
[email protected] / [email protected] — alias “The G” — free tier, no contacts, no shared links.
Sessions
| IP | Country | When | Tool | Note |
|---|---|---|---|---|
| 192.42.116.104 | NL | 2026-05-01 | Firefox/Linux | LIVE — Tor exit |
| 178.130.46.120 | RU | 2025-12-18 | MEGAsync 6.2.2 / MEGAcmd 2.3.0 | Primary ops IP |
| 193.228.128.2 | RU | 2025-12-29 | rclone v1.71.0 | Their NAS |
| 194.87.31.69 | NL | 2025-10-16 | MEGAsync 6.0.0.3 | VPN/staging |
| 89.185.80.134 | US | 2025-11-14 → 2026-04-12 | — | Secondary |
| 92.39.211.142 | RU | 2025-11-14 → 2025-12-19 | — | Udmurttelecom, Izhevsk — residential |
| 2a12:a800:2:1:45:138:16:82 | DE | 2025-10-17 | — | Single event |
| 2a03:e600:100::2 | AT | 2025-10-16 | — | Single event |
92.39.211.142 is the key lead — Udmurttelecom residential ISP in Izhevsk, Udmurt Republic. Active before VPN was set up. Chat message activity peaks at 17:00 UTC (20:00 MSK), consistent with UTC+4 (Izhevsk) timezone.
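The timezone inference above (peak chat activity at 17:00 UTC read against candidate local offsets) is a standard activity-pattern analysis. The Python below is an added illustration written for this report, not the report's own method or data: the UTC timestamps are constructed and shaped to peak at 17:00 UTC, and the candidate offsets (UTC+0, +3, +4, +5) are an assumption chosen to cover the zones the report discusses. The same functions work unchanged on real session or message timestamps exported in ISO 8601.

```python
"""Activity-hour analysis: histogram event times in UTC, then read the peak
under candidate local offsets. All timestamps below are constructed samples."""
from collections import Counter
from datetime import datetime, timezone

# Constructed UTC timestamps (assumption: shaped to peak at 17:00 UTC,
# like the chat activity the report describes). Not data from the leak.
SAMPLE_EVENTS_UTC = [
    "2025-12-18T14:05:00Z", "2025-12-18T16:40:00Z", "2025-12-18T17:10:00Z",
    "2025-12-18T17:45:00Z", "2025-12-19T17:20:00Z", "2025-12-19T18:05:00Z",
    "2025-12-19T17:55:00Z", "2025-12-20T12:30:00Z", "2025-12-20T17:05:00Z",
    "2025-12-21T15:15:00Z", "2025-12-21T17:35:00Z", "2025-12-22T03:10:00Z",
]


def hourly_histogram(timestamps, offset_hours=0):
    """Count events per local hour after shifting each UTC time by offset_hours."""
    counts = Counter()
    for ts in timestamps:
        # Accept a trailing 'Z' as well as explicit offsets; normalise to UTC first.
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
        counts[(dt.hour + offset_hours) % 24] += 1
    return counts


def peak_hour(timestamps, offset_hours=0):
    """Local hour with the most events; earliest hour wins a tie."""
    counts = hourly_histogram(timestamps, offset_hours)
    return max(sorted(counts), key=lambda h: counts[h])


def peaks_by_offset(timestamps, offsets=(0, 3, 4, 5)):
    """Local peak hour under each candidate UTC offset (the candidates are an assumption)."""
    return {off: peak_hour(timestamps, off) for off in offsets}


def ascii_histogram(counts):
    """Text bar chart of a histogram, hours 00-23, empty hours omitted."""
    return "\n".join(f"{h:02d} {'#' * counts[h]}" for h in range(24) if counts[h])


if __name__ == "__main__":
    print(ascii_histogram(hourly_histogram(SAMPLE_EVENTS_UTC)))
    for off, hour in peaks_by_offset(SAMPLE_EVENTS_UTC).items():
        print(f"UTC+{off}: peak at {hour:02d}:00 local")
```

The peak moves by exactly the offset, so the histogram itself carries no evidence for any particular zone; the analyst's judgment about which local hour is plausible for the observed behaviour (evening chat, working-hours uploads) is what selects the offset, which is why the report labels this an assessment.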
Confidence & caveats
- Claims explicitly labelled as “assessment” are analytical judgments based on the artifacts described in this report.
- The Cracked username n7778 is included as unverified reporting.
- IP geolocation and “residential vs. VPN” characterization are best-effort and may change with additional context (routing, CGNAT, leased blocks, VPN exit attribution).
- This report summarizes sensitive victim-side material at a high level and does not reproduce victim documents.
Timeline
| Date | Event |
|---|---|
| 2025-10-16 | Account created (NL VPN) |
| 2025-11-14 | Izhevsk IP appears |
| 2025-12-18 | MEGAsync/MEGAcmd from RU |
| 2025-12-29 | rclone — NAS live |
| 2026-04-21 | Last download |
| 2026-05-01 | GDPR pull via Tor |
Zeta's NAS
Synology SA6400 — 7 × TOSHIBA 18TB enterprise drives (~127TB) — serial 34POALFLF3XJ, firmware 1.13.2.
SFTP: 193.228.128.2:2222 user d0wnloAd1 (rclone config posted in plaintext by zeta88, 2026-02-14).
Crew accounts by onboarding date (from /etc/shadow)
| Date | Account | Notes |
|---|---|---|
| 2025-12-26 | zeta88, admin | NAS stood up |
| 2025-12-29 | MEGAcmd, sc-rclone | Exfil tools |
| 2026-01-03 → 2026-03-21 | LDW, equal1z3r, JLL, W1Z, PRTGRS, Gblog88, n0n3, 3NT3R, B1d3n, F3N1X, C0CA, d0wnloAd1 | Crew onboarding |
3NT3R, F3N1X, C0CA have min_age=100000 — password change permanently blocked.
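The account classifications used in the /etc/shadow section and in the onboarding table above (hash algorithm from the `$id$` prefix, `*` no-login service accounts, `min_age=100000` making a password change impossible, and onboarding dates recovered from the last-change field) can be reproduced with a small parser. The following Python is an added example written for this report, not part of the leak analysis or any Ransom-ISAC tooling; the shadow lines it parses are constructed with placeholder hash bodies and are not the leaked file.

```python
"""Triage an /etc/shadow dump: hash algorithm, lock state, min_age anomalies,
and an onboarding timeline from the last-change field.
Sample lines are constructed; hash bodies are placeholders, not real hashes."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed sample (NOT the leaked file). Field layout:
# name:hash:lastchange(days since 1970-01-01):min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
zeta88:$6$saltsalt$PLACEHOLDERHASHBODY:20448:0:99999:7:::
admin:$6$saltsalt$PLACEHOLDERHASHBODY:20448:0:99999:7:::
guest:$1$saltsalt$PLACEHOLDERMD5:20448:0:99999:7:::
root:*:20448:0:99999:7:::
MEGAcmd:*:20451:0:99999:7:::
d0wnloAd1:$6$saltsalt$PLACEHOLDERHASHBODY:20456:0:99999:7:::
3NT3R:$6$saltsalt$PLACEHOLDERHASHBODY:20498:100000:99999:7:::
"""

# crypt(3) $id$ prefixes and the algorithm each denotes.
HASH_PREFIXES = {
    "$1$": "MD5", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "SHA-256", "$6$": "SHA-512", "$7$": "scrypt", "$y$": "yescrypt",
}


def classify_hash(field):
    """Return (algorithm, state) for the hash field of one shadow entry."""
    if field in ("", "*", "!", "!!", "*LK*"):
        return ("none", "locked")          # no usable hash: service / no-login account
    state = "active"
    if field.startswith("!"):              # '!' prefix: locked, but the hash body is retained
        state = "locked"
        field = field.lstrip("!")
    for prefix, algo in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return (algo, state)
    return ("DES/unknown", state)          # no $id$ prefix: legacy DES crypt or unrecognised


def parse_shadow(text):
    """Parse shadow-format lines into triage records with flags worth an analyst's attention."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        parts += [""] * (9 - len(parts))   # tolerate truncated entries
        name, hash_field, lastchg, min_age = parts[0], parts[1], parts[2], parts[3]
        algo, state = classify_hash(hash_field)
        min_days = int(min_age) if min_age.isdigit() else 0
        flags = []
        if algo == "MD5":
            flags.append("weak-hash")
        if min_days >= 99999:
            # min_age at or above the max field: the password can never be changed
            flags.append("password-change-blocked")
        records.append({
            "account": name,
            "algorithm": algo,
            "state": state,
            "last_change": EPOCH + timedelta(days=int(lastchg)) if lastchg.isdigit() else None,
            "min_age": min_days,
            "flags": flags,
        })
    return records


def onboarding_timeline(records):
    """(date, account) pairs ordered by last password change: a proxy for when
    each account was created or first set up on the appliance."""
    dated = [r for r in records if r["last_change"] is not None]
    return [(r["last_change"].isoformat(), r["account"])
            for r in sorted(dated, key=lambda r: r["last_change"])]


if __name__ == "__main__":
    recs = parse_shadow(SAMPLE_SHADOW)
    for r in recs:
        print(f'{r["account"]:<10} {r["algorithm"]:<10} {r["state"]:<7} {",".join(r["flags"])}')
    print(onboarding_timeline(recs))
```

The same parser is useful on a defender's own appliances: an unexpected account with a real hash, an MD5 entry that survived an upgrade, or a `min_age` that makes rotation impossible are all conditions worth alerting on during a NAS audit.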
NAS Screenshots — Kill Chain
All four taken before the reset completed. Upload speed in frame 4 confirms exfil was still running as the wipe was triggered.
667.png — Storage Manager

Storage Manager — all drives healthy
Stage 1. Hardware documented: 7 drives, all Healthy, 29°C.
3934.png — Password Prompt

Admin password entry
Stage 2. Admin credentials entered.
017.png — Factory Reset Page
Factory Reset page open — 69KB/s down / 64.2KB/s up
Stage 3. Reset page open. Network I/O active — still exfiltrating.
7199.png — Confirmation Dialog

Factory Reset confirmation — 395KB/s up / 71KB/s down
Stage 4. “Are you sure?” on screen. 395 KB/s upload — draining the last data as the reset is confirmed.
Stolen Data on the NAS
Egyptian Pharmaceutical Company
Full regulatory dossier for an azithromycin-based eye ointment (Azithromycin 10mg/gm): NODCAR submission, R&D dossier, pilot batch manufacturing (rooms B156/B142, tanks PR-2011/PR-2010, API supplier identified), pricing, product inserts, internal .msg email chain.
Email headers exposed: AD domain [REDACTED], Exchange 2019 (v15.2.986.42), Kaspersky AV, servers 192.168.2.1–4, office egress [REDACTED] (TE Data Egypt), EDA contact [REDACTED].
Domain Controller Backup (2025-07-30, pre-NAS loot)
VSS backup with NTDS backupSucceeded=yes — ntds.dit captured alongside SYSVOL (confirms DC). All domain hashes were in Zeta's possession.
TTPs
CVE-2024-55591 (FortiGate, 98 targets) → XenAllPasswordPro for creds → NetExec lateral movement → victim FortiGates reused as VPN pivots (passwords gentlemen25/gentle26) → /opt/update NAS encryptor on Synology DSM → rclone to NAS → MEGA. G-BOT custom C2 with SOCKS5.
Selected victims
Arcelik/Beko (TR) · Adaptavist Group (UK, ScriptRunner source code) · Flex Ltd (US Fortune 500) · Elundini Municipality (ZA gov) · AgroRural (PE gov) · Times Software (SG) · Ghana Bauxite · Florida Pain Management (medical PII + CC data)
Black Basta link: Matrix logs from bestflowers247.online in screenshots. zeta88 on Devman: “девмана толи приняли толи по здоровью толи ребренд — всё пропал” (“arrested, health issues, or rebranded — gone”). Devman = Oleg Nefedov, DOB 03.06.1990, BKA/Europol/Interpol warrant.
IOCs
Infrastructure & IP breakdown
Operator infrastructure
| IP | Role | What we observed |
|---|---|---|
| 178.130.46.120 | Primary operational | MEGAsync/MEGAcmd sessions (Dec 2025 → Apr 2026); file uploads (files.json); RU hosting block; Windows 10 build 19044 throughout; likely rented VPS (check Shodan/scan history) |
| 193.228.128.2 | NAS (SFTP :2222) | rclone session (2025-12-29); plaintext rclone config (host/port 2222/user d0wnloAd1); RU datacenter/hosting block; check SSH/SFTP banner on 2222 (Shodan/Censys) |
| 92.39.211.142 | Residential (Izhevsk) | Active pre-VPN hardening (Nov–Dec 2025); Udmurttelecom (Izhevsk, Udmurt Republic); likely static residential/business; high attribution value; RIPE lookup 92.39.211.0/24 for netname/org |
| 194.87.31.69 | Staging / VPN hop | Account creation IP + early uploads; NL hosting/VPS (potential bulletproof); Firefox on Windows NT 10.0 at creation; review open ports/abuse history (Shodan) |
| 45.80.158.203 | Control panel | Leak pack includes /login URL (credentials present in artifacts); likely web admin panel (C2/panel); check ports 80/443/8080 + framework fingerprints; review VT/PDNS history |
| 89.185.80.134 | Secondary (US) | Seen alongside 178.130.46.120 (Nov 2025 → Apr 2026); suggests persistent VPS/proxy hop; check VT/PDNS and scan history |
FortiGate pivot IPs (compromised victims reused as VPN)
| IP:Port | Geo (as observed) | Credential | Notes |
|---|---|---|---|
| [REDACTED]:10443 | India | gentlemen25 | BSNL block; likely business FortiGate reused as pivot; confirm banner/model/version via Shodan |
| [REDACTED]:8443 / :10443 | China | Gentlemen25 | Appears in targets CSV as [REDACTED] (FortiGate 7.0.14); confirmed compromised and repurposed |
| [REDACTED]:10443 | South Africa | gentle26 | Targets CSV: HA_Master (active); Elundini Local Municipality victim context (dc=elundini,dc=gov,dc=za); gov infra used as pivot |
| [REDACTED]:4433 | Mongolia | gentle26 | Targets CSV: FORTIGATE_TESTENV (active); confirm exposed banner/version |
| [REDACTED]:10443 | Unknown | [REDACTED] | Used by Protagor and zeta88; Android UA spoofing; not present in targets CSV; likely EU allocation — confirm FortiGate banner |
Recommended actions (defenders)
- Add the listed IOCs to monitoring/blocking where appropriate, and set alerts on new infrastructure resolving from the same clusters.
- Hunt for rclone usage and configuration artifacts on endpoints and servers (common staging/exfil indicator), alongside MEGA tooling where relevant.
- Review edge exposure and telemetry for FortiGate compromise patterns; validate credential access tooling and lateral movement artifacts.
- For impacted environments, validate potential domain compromise paths consistent with NTDS/SYSVOL access and implement credential resets and tiered admin controls.
- Treat the Izhevsk lead (92.39.211.142) as a pivot for historical campaign linkage (including 2023 C2 tooling associations) rather than a single-point attribution indicator.
| Indicator | Value |
|---|---|
| IP primary ops | 178.130.46.120 |
| IP NAS | 193.228.128.2 |
| IP residential (Izhevsk) | 92.39.211.142 |
| IP staging | 194.87.31.69 |
| IP Tor exit | 192.42.116.104 |
| IP panel | 45.80.158.203 |
| FortiGate pivots | [REDACTED], [REDACTED], [REDACTED], [REDACTED] |
| C2 onion | xcsqtdobtmdhsjkyjz6iydfowh7bps5dd3a2xg53oirylnohednc4syd.onion |
| DLS onion | tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion |
| Extension | .i8p14s |
| Ransom note | README-GENTLEMEN.txt |
| NAS serial | 34POALFLF3XJ |
| BTC tx | 7e366683f1d175278feefaaa35d87e87076931974506b9f373a775a428c28f10 |
| Email | [email protected] / [email protected] |
| TOX | F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E |
| MEGA device token | K6sen1eMEcg7Iuh6p2uraDVnK4t4sjhDdhmqSGZp5uY |
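The hunting actions recommended above (rclone/MEGA tooling and configuration artifacts, connections to the listed infrastructure, and the file-system indicators from the IOC table) can be expressed as a small rule set over endpoint telemetry. The Python below is an added example, not a Ransom-ISAC detection and not code from the leak: the JSON-lines event format, host names, users and file paths are constructed stand-ins for EDR output, while the IP, extension and ransom-note values are the ones from the indicator table.

```python
"""Hunt constructed endpoint telemetry for the exfil tooling and infrastructure
indicators in the report's IOC table. Event format, hosts and paths are constructed."""
import json

# Indicator values from the report's IOC table; everything else in this file is constructed.
IOC_IPS = {
    "178.130.46.120",  # primary ops
    "193.228.128.2",   # NAS (SFTP :2222)
    "92.39.211.142",   # residential (Izhevsk)
    "194.87.31.69",    # staging / VPN hop
    "192.42.116.104",  # Tor exit
    "45.80.158.203",   # panel
    "89.185.80.134",   # secondary (US)
}
RANSOM_NOTE = "readme-gentlemen.txt"   # compared case-insensitively
ENCRYPTED_EXT = ".i8p14s"
# Image names of the exfil tooling the report observed (rclone, MEGAcmd, MEGAsync).
EXFIL_TOOLS = {"rclone", "rclone.exe", "mega-cmd", "megacmd", "mega-put", "mega-put.exe",
               "megacmdserver.exe", "megasync", "megasync.exe"}

# Constructed EDR-style events, one JSON object per line. The raw string keeps the
# JSON backslash escapes intact so Windows paths decode correctly.
SAMPLE_TELEMETRY = r"""
{"type": "process", "host": "FS01", "user": "svc_backup", "image": "C:\\Users\\Public\\rclone.exe", "cmdline": "rclone.exe sync D:\\Shares remote:staging --transfers 8"}
{"type": "file", "host": "FS01", "action": "create", "path": "C:\\Users\\svc_backup\\AppData\\Roaming\\rclone\\rclone.conf"}
{"type": "netconn", "host": "FS01", "dst_ip": "193.228.128.2", "dst_port": 2222, "proto": "tcp"}
{"type": "process", "host": "WS22", "user": "jdoe", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "cmdline": "firefox.exe"}
{"type": "netconn", "host": "WS22", "dst_ip": "203.0.113.10", "dst_port": 443, "proto": "tcp"}
{"type": "file", "host": "FS01", "action": "create", "path": "D:\\Shares\\Finance\\q3-budget.xlsx.i8p14s"}
{"type": "file", "host": "FS01", "action": "create", "path": "D:\\Shares\\Finance\\README-GENTLEMEN.txt"}
"""


def basename(path):
    """Last component of a Windows or POSIX path."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def match_event(ev):
    """Apply the rule set to one event; return zero or more hits."""
    hits = []

    def hit(rule, severity, evidence):
        hits.append({"host": ev.get("host"), "rule": rule, "severity": severity, "evidence": evidence})

    kind = ev.get("type")
    if kind == "process":
        image = basename(ev.get("image", "")).lower()
        tokens = ev.get("cmdline", "").lower().split()
        first = basename(tokens[0].strip('"')) if tokens else ""
        if image in EXFIL_TOOLS or first in EXFIL_TOOLS:
            hit("exfil-tool-execution", "high", ev.get("cmdline"))
    elif kind == "file":
        name = basename(ev.get("path", "")).lower()
        if name == "rclone.conf":               # config written = remotes being set up
            hit("rclone-config-artifact", "high", ev["path"])
        if name == RANSOM_NOTE:
            hit("ransom-note-dropped", "critical", ev["path"])
        if name.endswith(ENCRYPTED_EXT):
            hit("encrypted-extension", "critical", ev["path"])
    elif kind == "netconn":
        if ev.get("dst_ip") in IOC_IPS:
            hit("ioc-ip-connection", "high", f'{ev["dst_ip"]}:{ev.get("dst_port")}')
    return hits


def hunt(jsonl):
    """Run every rule over a JSON-lines telemetry dump and collect the hits."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            hits.extend(match_event(json.loads(line)))
    return hits


def hosts_by_severity(hits):
    """Worst severity seen per host, for prioritising response."""
    order = {"critical": 3, "high": 2, "medium": 1}
    worst = {}
    for h in hits:
        if order[h["severity"]] > order.get(worst.get(h["host"]), 0):
            worst[h["host"]] = h["severity"]
    return worst


if __name__ == "__main__":
    found = hunt(SAMPLE_TELEMETRY)
    for h in found:
        print(f'{h["host"]:<5} {h["severity"]:<8} {h["rule"]:<24} {h["evidence"]}')
    print(hosts_by_severity(found))
```

Connections to the listed IPs are a point-in-time indicator and will age quickly; the tool-execution and rclone.conf rules are the durable part of this hunt, since the rclone-to-NAS staging step recurs across affiliates regardless of which VPS is in use. In a real deployment the IOC set would be loaded from a feed rather than hard-coded.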
Attribution (assessment)
Russia (assessment). Key lead: Izhevsk, Udmurt Republic (Udmurttelecom, 92.39.211.142). Timezone indicators are consistent with UTC+4 (Izhevsk), and Windows 10 build 19044 is observed throughout. Infrastructure suggests self-hosted VPN (AmneziaVPN / WireGuard) and compromised FortiGates used as pivots.
Additional context: 92.39.211.142 is assessed as possibly static and may have been used across multiple campaigns. Related infrastructure and activity have also been associated with Cobalt Strike and Havoc C2 in 2023, indicating a broader tradecraft footprint beyond this leak set.
Conclusion
JA456 is notable because it exposes operator-side artifacts rather than only victim-side documents. The combination of MEGA session history, NAS account artifacts, and wipe-in-progress screenshots provides rare pivots for clustering infrastructure and assessing operator location and tradecraft. We recommend treating the Izhevsk residential IP lead (92.39.211.142) as a priority pivot for additional campaign linkage and infrastructure mapping.