Skip to content
The Nexus
Group profile93 claimed in last 30d139 total tracked

thegentlemen

Forward this

The Gentlemen is a RaaS group that emerged in July, August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against Windows, Linux, NAS, and BSD systems; a compromised C2 server in 2026 revealed more than 1, 570 linked victims.

First seen: May 18 · 17:17 UTCLast seen: Jul 6 · 01:50 UTCTracked since: 2025-09-09
Sectors hit
  • Unspecified27
  • Manufacturing19
  • Business Services18
  • Technology15
  • Healthcare14
  • Transportation/Logistics10
  • Consumer Services9
  • Agriculture and Food Production7
Countries hit
  • United States27
  • France11
  • Germany11
  • United Kingdom6
  • Taiwan5
  • Thailand4
  • Poland4
  • Japan4
  • Italy4
  • India4
MITRE ATT&CK · observed TTPs12 tactics

Tactics and techniques attributed to THEGENTLEMEN by ransomware.live's curated TTP catalog. Identifiers link to the canonical MITRE ATT&CK reference for each tactic or sub-technique.

  • TA0001Initial Access
    • T1078Valid Accounts

      Use of valid accounts for initial access.

    • T1078.002Valid Accounts: Domain Accounts

      Use of valid domain accounts for initial access.

    • T1133External Remote Services

      openconnect used to authenticate to FortiGate SSL VPN (--protocol=fortinet). Actors connect post-credential-acquisition to enumerate internal network routes.

    • T1190Exploit Public-Facing Application

      Exploitation of public-facing applications for initial access.

    • T1566Phishing

      Spear-phishing via compromised corporate OWA mailboxes. ZIP payloads containing LNK files disguised as PDF/DOC/XLS or malicious Office documents sent from legitimate company email accounts to bypass spam filters.

  • TA0002Execution
    • T1047Windows Management Instrumentation

      NetExec (nxc) with -X/-x flags for remote PowerShell/CMD execution over WMI/SMB. TrustedSec Titanis used for WMI-based remote execution via NTLM hashes.

    • T1059Command and Scripting Interpreter

      Use of command and scripting interpreters for execution.

    • T1059.001Command and Scripting Interpreter: PowerShell

      Use of PowerShell for execution.

    • T1059.003Command and Scripting Interpreter: Windows Command Shell

      Use of Windows Command Shell for execution.

    • T1072Software Deployment Tools

      Ransomware locker and EDR killers deployed domain-wide via GPO (deploy_gpo.ps1). GPO configured to run binaries at startup on all domain-joined machines.

  • TA0003Persistence
    • T1136Create Account

      Creation of accounts for persistence.

    • T1543Create or Modify System Process

      Velociraptor deployed as a SYSTEM-level Windows service via MSI (Server.Utils.CreateMSI artifact) for persistent beacon access.

    • T1547Boot or Logon Autostart Execution

      Boot or logon autostart execution for persistence.

  • TA0004Privilege Escalation
    • T1068Exploitation for Privilege Escalation

      Exploitation of vulnerabilities for privilege escalation.

    • T1187Forced Authentication

      PetitPotam coercion via NXC coerce_plus module to trigger NTLM authentication from domain hosts toward attacker-controlled relay listener.

    • T1557Adversary-in-the-Middle

      Responder (SMB/HTTP disabled) combined with ntlmrelayx targeting LDAP for machine account creation. RelayKing used to scan SMB/LDAP/MSSQL/HTTP/RPC/WinRM relay opportunities.

  • TA0005Defense Evasion
    • T1027Obfuscated Files or Information

      Obfuscation of files or information to evade detection.

    • T1070Indicator Removal

      Automated post-compromise script clears all Windows Event Logs via wevtutil, removes RDP MRU registry keys, deletes .rdp files, empties Recycle Bin, and clears RDP/SMB/WinRM logs.

    • T1090Proxy

      ProxyChains (Windows/Linux), SSH dynamic port forwarding (-NfD 1080), ProxyJump multi-hop pivoting. Self-hosted double-VPN with WireGuard/OpenVPN and Amnezia VPN for operator anonymity.

    • T1112Modify Registry

      Modifying the registry for defense evasion.

    • T1484.001Domain Policy Modification: Group Policy Modification

      Modification of Group Policy for defense evasion.

    • T1562Impair Defenses

      Impairing defenses to avoid detection.

    • T1562.001Impair Defenses: Disable or Modify Tools

      BYOVD drivers ($3500-$5000 darknet), EDRStartupHinder, GFreeze/GLinker against CrowdStrike, IFEO registry redirecting EDR processes to calc.exe, WMI GlobalLogger/WPR symlink attacks to overwrite EDR binaries on boot.

  • TA0006Credential Access
    • T1003OS Credential Dumping

      XenAllPasswordPro deployed via SMB for mass browser credential harvesting across all hosts. KslDump/KslKatz for LSASS dumping. Velociraptor for full memory dumps without AV detection. Pass-the-Hash via xfreerdp.

    • T1110Brute Force

      Custom FortiGate panel bruter on dedicated hardware (dual Xeon, 120GB RAM) targeting non-standard ports. Credential spraying with known default passwords. Hydra for email spraying. Hash cracking via crackmd5.ru and chamd5.org.

    • T1552Unsecured Credentials

      FortiGate configuration files exfiltrated containing plaintext LDAP credentials, local VPN user passwords, and IPSec pre-shared keys. MANSPIDER used to search SMB shares for credential files.

    • T1555Credentials from Password Stores

      DumpBrowserSecrets used for browser credential and session cookie theft. Cookies imported via Cookie-Editor extension to hijack authenticated M365/CRM/email sessions.

  • TA0007Discovery
    • T1018Remote System Discovery

      gogo internal port scanner across /24 subnets (ports 22, 53, 80, 88, 389, 443, 445, 636, 3389, 1433, 5985) with 100 threads and ICMP ping. NetExec for SMB/WinRM/LDAP host enumeration.

    • T1046Network Service Discovery

      Discovery of network services.

    • T1069Permission Groups Discovery

      BloodHound/CertiHound for AD and AD CS (ESC1-ESC17) enumeration. ADFind and ldapdomaindump for group/permission mapping. PrivHound for LPE vector identification within AD.

    • T1087Account Discovery

      Discovery of accounts within the environment.

    • T1087.002Account Discovery: Domain Account

      Discovery of domain accounts within the environment.

    • T1482Domain Trust Discovery

      Discovery of domain trust relationships.

    • T1526Cloud Service Discovery

      AWS S3 buckets and EKS clusters enumerated post-access. Censys, Shodan, ZoomInfo, and c99.nl API used for external recon of VPN endpoints and subdomains.

  • TA0008Lateral Movement
    • T1021Remote Services

      Use of remote services for lateral movement.

    • T1021.001Remote Services: Remote Desktop Protocol

      Use of RDP for lateral movement.

    • T1021.002Remote Services: SMB/Windows Admin Shares

      Use of SMB/Windows Admin Shares for lateral movement.

    • T1021.004Remote Services: SSH

      Use of SSH for lateral movement.

    • T1563Remote Service Session Hijacking

      Browser session cookies stolen via DumpBrowserSecrets and replayed via Cookie-Editor to hijack authenticated web application sessions (email, M365, CRM portals).

  • TA0009Collection
    • T1005Data from Local System

      XenAllPasswordPro HTML credential reports collected per host. SQL database full dumps via phpMyAdmin exported to SFTP. File system enumeration targeting CRM code, backups, and financial data.

    • T1039Data from Network Shared Drive

      Collection of data from network shared drives.

    • T1074Data Staged

      Staging of collected data prior to exfiltration.

    • T1074.001Data Staged: Local Data Staging

      Local staging of collected data prior to exfiltration.

    • T1114Email Collection

      Corporate OWA mailboxes accessed via purchased stealer logs (snusbase.com) to harvest internal communications, credentials, and sensitive documents.

  • TA0010Exfiltration
    • T1048Exfiltration Over Alternative Protocol

      Exfiltration of data over encrypted channels.

    • T1048.001Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol

      Exfiltration over symmetric encrypted non-C2 channels.

    • T1537Transfer Data to Cloud Account

      rclone to actor-controlled SFTP servers with high-parallelism (--transfers 16 --multi-thread-streams 8 --buffer-size 256M). Observed volumes: 13GB NAS, 3+TB Docker/Nexus, 100+GB Confluence/JIRA.

  • TA0011Command and Control
    • T1071Application Layer Protocol

      Use of application layer protocols for C2 communication.

    • T1071.001Application Layer Protocol: Web Protocols

      Use of web protocols for C2 communication.

    • T1219Remote Access Software

      Use of remote access software for C2.

    • T1572Protocol Tunneling

      SSH dynamic SOCKS proxies (ssh -NfD 1080) for network pivoting. ProxyChains (Windows/Linux) tunneling attack tools through SOCKS5 proxies acquired from spam/malware affiliates.

    • T1573Encrypted Channel

      Cloudflare Tunnels blend C2 with legitimate HTTPS traffic. Chisel-ng (Rust, SSH-over-WebSocket-over-TLS) for reverse tunnels. Velociraptor C2 over TLS with signed MSI beacons.

  • TA0040Impact
    • T1486Data Encrypted for Impact

      Encryption of data for extortion.

    • T1489Service Stop

      Stopping services to maximize impact.

    • T1490Inhibit System Recovery

      Veeam backup jobs stopped and tape media long-erased (Erase-VBRTapeMedium -Long). Docker and QEMU VMs killed pre-encryption. vCenter used to reset ESXi root passwords. Database services (MySQL, PostgreSQL, MongoDB, Redis, MSSQL) stopped before encryption.

    • T1491Defacement

      Data deleted from CRM web panels and databases. chmod -R 777 applied to NAS filesystems to facilitate locker access and destroy access controls.

Recent claimed victims
United StatesJul 7 · 18:35 UTC

Shamrock Holdings Inc.

www.zoominfo.com
HealthcareJul 7 · 18:34 UTC

Medic Rescue

www.medicrescue.org
Transportation/LogisticsUnited KingdomJul 7 · 18:34 UTC

LogiQuip

logiquip.com
Public SectorUnited StatesJul 7 · 18:34 UTC

Virginia Historical Society

virginiahistory.org
Transportation/LogisticsMalaysiaJul 7 · 18:34 UTC

Quanterm Logistics Sdn Bhd

quanterm.com
Financial ServicesOmanJul 7 · 18:33 UTC

Arabia Falcon Insurance Company SAOG

afic.om
Transportation/LogisticsFranceJul 7 · 18:33 UTC

Ce Ratp Comite D entreprise Ratp

ceratp.fr
GermanyJul 7 · 18:32 UTC

Keifert

keifert.de
EnergyGermanyJul 7 · 18:32 UTC

Kosmos

kosmos.de
ConstructionEgyptJul 7 · 18:32 UTC

EBNY Development

ebny.com.eg
Agriculture and Food ProductionGermanyJul 7 · 18:31 UTC

Tonnies Group

toennies.de
ManufacturingParaguayJul 7 · 18:31 UTC

Automovil Supply S.A

supply.com.py
ManufacturingTaiwanJul 7 · 18:31 UTC

Excel Cell Electronic

ece.com.tw
Public SectorIndiaJul 7 · 18:30 UTC

CSIR Structural Engineering Research Centre

serc.res.in
Business ServicesPhilippinesJul 7 · 18:30 UTC

Jump Solutions Inc

jumpsolutions.ph
EnergyGermanyJul 7 · 18:29 UTC

MBT Energy

mbt-energy.com
TechnologyHong Kong SAR ChinaJul 7 · 18:29 UTC

Pro-Tech Technology

ptt-asia.com
Business ServicesUnited StatesJul 7 · 18:29 UTC

Technical Solutions Group

tsgpc.com
GermanyJul 1 · 22:21 UTC

Immling

immling.de
JapanJul 1 · 22:20 UTC

DHC Corporation

dhc.co.jp
Consumer ServicesUnited Arab EmiratesJul 1 · 22:20 UTC

Steegaa Interior

steegaa.com
TechnologyTaiwanJul 1 · 22:20 UTC

Climax Technology

climax.com.tw
HealthcareFranceJul 1 · 22:20 UTC

Centre Ophtalmologique dErmont

ophtalmologie-ermont.com
Business ServicesThailandJul 1 · 22:20 UTC

Comp Trading Co

ctc.co.th
Consumer ServicesItalyJul 1 · 22:19 UTC

Mondottica

mondottica.com
Business ServicesFranceJul 1 · 22:19 UTC

OSP HOLDING FRANCE

ospholding.com
Agriculture and Food ProductionItalyJul 1 · 22:19 UTC

NATURGHIACCIO

naturghiaccio.it
TechnologyPolandJul 1 · 22:19 UTC

MakoLab

makolab.com
EnergyCzechiaJul 1 · 22:19 UTC

EMAS Group

emas.cz
Public SectorUnited StatesJul 1 · 22:18 UTC

The City of Boyne City

cityofboynecity.com
Business ServicesSwitzerlandJul 1 · 22:18 UTC

Oron Law Firm

zoominfo.com
NicaraguaJul 1 · 22:18 UTC

Wacha Justen

nwohlaw.com
United StatesJul 1 · 22:17 UTC

CUI Agency

cuiagency.com
ConstructionCanadaJul 1 · 22:17 UTC

Melcor Developments Ltd

melcor.ca
Transportation/LogisticsFranceJul 1 · 22:17 UTC

FAC Logistique

fac-logistique.com
Consumer ServicesTaiwanJul 1 · 22:16 UTC

Pou Sheng International

pousheng.com
ManufacturingGermanyJun 28 · 18:11 UTC

Thyssenkrupp Marine Systems (TKMS) GmbH / Atlas Elektronik

www.zoominfo.com
ManufacturingFranceJun 20 · 08:54 UTC

Vera Chimie Management

verachimie.fr
Business ServicesGermanyJun 20 · 08:53 UTC

Alexander Buch Bilanzbuchhalter

buch-bilanzbuchhalter.de
Business ServicesMalaysiaJun 20 · 08:53 UTC

SGS Malaysia

sgsmalaysia.com
Consumer ServicesMexicoJun 20 · 08:52 UTC

TERRIO Therapy Fitness

terriotherapy.com
VietnamJun 20 · 08:52 UTC

Ty Thac Co

tythac.com.vn
Agriculture and Food ProductionFranceJun 20 · 08:52 UTC

Amigest

amigest.fr
TechnologySingaporeJun 20 · 08:51 UTC

Yudu Technology

yudutek.com
Business ServicesUnited StatesJun 20 · 08:51 UTC

Burris MacOmber

burrismacomber.com
Transportation/LogisticsSpainJun 20 · 08:51 UTC

Sertrans

sertrans.es
FranceJun 20 · 08:50 UTC

Cofaq

cofaq.fr
Business ServicesUnited Arab EmiratesJun 20 · 08:50 UTC

Al Khaja Holding

alkhajaholding.com
HealthcareUnited StatesJun 20 · 08:50 UTC

Athens Orthopedic Clinic

athensorthopedicclinic.com
ChileJun 15 · 13:03 UTC

Enciso Ltda

encisoltda.com
HealthcareUnited StatesJun 15 · 13:02 UTC

South Texas Spinal Clinic

spinaldoc.com
ConstructionThailandJun 15 · 13:02 UTC

Mahajak Development

mahajak.com
BelgiumJun 15 · 13:02 UTC

Calipage Humblet

humblet.calipage.be
Public SectorCroatiaJun 15 · 13:01 UTC

Ministarstvo zdravstva Republike Hrvatske

zdravlje.gov.hr
Jun 15 · 13:01 UTC

Palmer Sicard

palmerandsicard.com
Business ServicesGermanyJun 15 · 13:00 UTC

Linnecken Partner

linnecken-partner.de
THEGENTLEMEN · Underground group profile · The Nexus