thegentlemen
The Gentlemen is a RaaS group that emerged in July, August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against Windows, Linux, NAS, and BSD systems; a compromised C2 server in 2026 revealed more than 1, 570 linked victims.
- Unspecified
- Manufacturing
- Business Services
- Technology
- Healthcare
- Transportation/Logistics
- Consumer Services
- Agriculture and Food Production
- TA0001Initial Access
- T1078Valid Accounts
Use of valid accounts for initial access.
- T1078.002Valid Accounts: Domain Accounts
Use of valid domain accounts for initial access.
- T1133External Remote Services
openconnect used to authenticate to FortiGate SSL VPN (--protocol=fortinet). Actors connect post-credential-acquisition to enumerate internal network routes.
- T1190Exploit Public-Facing Application
Exploitation of public-facing applications for initial access.
- T1566Phishing
Spear-phishing via compromised corporate OWA mailboxes. ZIP payloads containing LNK files disguised as PDF/DOC/XLS or malicious Office documents sent from legitimate company email accounts to bypass spam filters.
- TA0002Execution
- T1047Windows Management Instrumentation
NetExec (nxc) with -X/-x flags for remote PowerShell/CMD execution over WMI/SMB. TrustedSec Titanis used for WMI-based remote execution via NTLM hashes.
- T1059Command and Scripting Interpreter
Use of command and scripting interpreters for execution.
- T1059.001Command and Scripting Interpreter: PowerShell
Use of PowerShell for execution.
- T1059.003Command and Scripting Interpreter: Windows Command Shell
Use of Windows Command Shell for execution.
- T1072Software Deployment Tools
Ransomware locker and EDR killers deployed domain-wide via GPO (deploy_gpo.ps1). GPO configured to run binaries at startup on all domain-joined machines.
- TA0003Persistence
- T1136Create Account
Creation of accounts for persistence.
- T1543Create or Modify System Process
Velociraptor deployed as a SYSTEM-level Windows service via MSI (Server.Utils.CreateMSI artifact) for persistent beacon access.
- T1547Boot or Logon Autostart Execution
Boot or logon autostart execution for persistence.
- TA0004Privilege Escalation
- T1068Exploitation for Privilege Escalation
Exploitation of vulnerabilities for privilege escalation.
- T1187Forced Authentication
PetitPotam coercion via NXC coerce_plus module to trigger NTLM authentication from domain hosts toward attacker-controlled relay listener.
- T1557Adversary-in-the-Middle
Responder (SMB/HTTP disabled) combined with ntlmrelayx targeting LDAP for machine account creation. RelayKing used to scan SMB/LDAP/MSSQL/HTTP/RPC/WinRM relay opportunities.
- TA0005Defense Evasion
- T1027Obfuscated Files or Information
Obfuscation of files or information to evade detection.
- T1070Indicator Removal
Automated post-compromise script clears all Windows Event Logs via wevtutil, removes RDP MRU registry keys, deletes .rdp files, empties Recycle Bin, and clears RDP/SMB/WinRM logs.
- T1090Proxy
ProxyChains (Windows/Linux), SSH dynamic port forwarding (-NfD 1080), ProxyJump multi-hop pivoting. Self-hosted double-VPN with WireGuard/OpenVPN and Amnezia VPN for operator anonymity.
- T1112Modify Registry
Modifying the registry for defense evasion.
- T1484.001Domain Policy Modification: Group Policy Modification
Modification of Group Policy for defense evasion.
- T1562Impair Defenses
Impairing defenses to avoid detection.
- T1562.001Impair Defenses: Disable or Modify Tools
BYOVD drivers ($3500-$5000 darknet), EDRStartupHinder, GFreeze/GLinker against CrowdStrike, IFEO registry redirecting EDR processes to calc.exe, WMI GlobalLogger/WPR symlink attacks to overwrite EDR binaries on boot.
- TA0006Credential Access
- T1003OS Credential Dumping
XenAllPasswordPro deployed via SMB for mass browser credential harvesting across all hosts. KslDump/KslKatz for LSASS dumping. Velociraptor for full memory dumps without AV detection. Pass-the-Hash via xfreerdp.
- T1110Brute Force
Custom FortiGate panel bruter on dedicated hardware (dual Xeon, 120GB RAM) targeting non-standard ports. Credential spraying with known default passwords. Hydra for email spraying. Hash cracking via crackmd5.ru and chamd5.org.
- T1552Unsecured Credentials
FortiGate configuration files exfiltrated containing plaintext LDAP credentials, local VPN user passwords, and IPSec pre-shared keys. MANSPIDER used to search SMB shares for credential files.
- T1555Credentials from Password Stores
DumpBrowserSecrets used for browser credential and session cookie theft. Cookies imported via Cookie-Editor extension to hijack authenticated M365/CRM/email sessions.
- TA0007Discovery
- T1018Remote System Discovery
gogo internal port scanner across /24 subnets (ports 22, 53, 80, 88, 389, 443, 445, 636, 3389, 1433, 5985) with 100 threads and ICMP ping. NetExec for SMB/WinRM/LDAP host enumeration.
- T1046Network Service Discovery
Discovery of network services.
- T1069Permission Groups Discovery
BloodHound/CertiHound for AD and AD CS (ESC1-ESC17) enumeration. ADFind and ldapdomaindump for group/permission mapping. PrivHound for LPE vector identification within AD.
- T1087Account Discovery
Discovery of accounts within the environment.
- T1087.002Account Discovery: Domain Account
Discovery of domain accounts within the environment.
- T1482Domain Trust Discovery
Discovery of domain trust relationships.
- T1526Cloud Service Discovery
AWS S3 buckets and EKS clusters enumerated post-access. Censys, Shodan, ZoomInfo, and c99.nl API used for external recon of VPN endpoints and subdomains.
- TA0008Lateral Movement
- T1021Remote Services
Use of remote services for lateral movement.
- T1021.001Remote Services: Remote Desktop Protocol
Use of RDP for lateral movement.
- T1021.002Remote Services: SMB/Windows Admin Shares
Use of SMB/Windows Admin Shares for lateral movement.
- T1021.004Remote Services: SSH
Use of SSH for lateral movement.
- T1563Remote Service Session Hijacking
Browser session cookies stolen via DumpBrowserSecrets and replayed via Cookie-Editor to hijack authenticated web application sessions (email, M365, CRM portals).
- TA0009Collection
- T1005Data from Local System
XenAllPasswordPro HTML credential reports collected per host. SQL database full dumps via phpMyAdmin exported to SFTP. File system enumeration targeting CRM code, backups, and financial data.
- T1039Data from Network Shared Drive
Collection of data from network shared drives.
- T1074Data Staged
Staging of collected data prior to exfiltration.
- T1074.001Data Staged: Local Data Staging
Local staging of collected data prior to exfiltration.
- T1114Email Collection
Corporate OWA mailboxes accessed via purchased stealer logs (snusbase.com) to harvest internal communications, credentials, and sensitive documents.
- TA0010Exfiltration
- T1048Exfiltration Over Alternative Protocol
Exfiltration of data over encrypted channels.
- T1048.001Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Exfiltration over symmetric encrypted non-C2 channels.
- T1537Transfer Data to Cloud Account
rclone to actor-controlled SFTP servers with high-parallelism (--transfers 16 --multi-thread-streams 8 --buffer-size 256M). Observed volumes: 13GB NAS, 3+TB Docker/Nexus, 100+GB Confluence/JIRA.
- TA0011Command and Control
- T1071Application Layer Protocol
Use of application layer protocols for C2 communication.
- T1071.001Application Layer Protocol: Web Protocols
Use of web protocols for C2 communication.
- T1219Remote Access Software
Use of remote access software for C2.
- T1572Protocol Tunneling
SSH dynamic SOCKS proxies (ssh -NfD 1080) for network pivoting. ProxyChains (Windows/Linux) tunneling attack tools through SOCKS5 proxies acquired from spam/malware affiliates.
- T1573Encrypted Channel
Cloudflare Tunnels blend C2 with legitimate HTTPS traffic. Chisel-ng (Rust, SSH-over-WebSocket-over-TLS) for reverse tunnels. Velociraptor C2 over TLS with signed MSI beacons.
- TA0040Impact
- T1486Data Encrypted for Impact
Encryption of data for extortion.
- T1489Service Stop
Stopping services to maximize impact.
- T1490Inhibit System Recovery
Veeam backup jobs stopped and tape media long-erased (Erase-VBRTapeMedium -Long). Docker and QEMU VMs killed pre-encryption. vCenter used to reset ESXi root passwords. Database services (MySQL, PostgreSQL, MongoDB, Redis, MSSQL) stopped before encryption.
- T1491Defacement
Data deleted from CRM web panels and databases. chmod -R 777 applied to NAS filesystems to facilitate locker access and destroy access controls.