
Gentlemen Ransomware Spreads Globally, Targets 478 Victims


"The group actively tracks and evaluates modern vulnerabilities, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073," Check Point said — a phrase that captures how The Gentlemen has built a rapid, flexible ransomware business that PRODAFT and others now trace to a single Russian‑language operator and a sprawling affiliate program that has claimed 478 victims to date, according to Ransomware.Live.

Who is LARVA-368 and the Phantom Mantis lineage

PRODAFT's analysis traces The Gentlemen to an operator it labels LARVA-368, a Russian‑speaking cybercriminal who has used online aliases including hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. The group is tracked by PRODAFT as Phantom Mantis and has been active since March 2025. PRODAFT says Phantom Mantis evolved into The Gentlemen in July 2025, becoming "an independent partnership program no longer dependent on other RaaS groups."

PRODAFT assessed that LARVA-368 was previously a member of the Embargo (aka Primeval Mantis) group and initially launched an operation under the ArmCorp name before rebranding. Cybersecurity journalist Brian Krebs has identified the persona as a 36‑year‑old Alexander Andreevich Yapaev from Izhevsk; PRODAFT told The Hacker News that its findings match that persona "with high confidence."

RaaS model, affiliate rules, and commercial mechanics

The Gentlemen sells itself to affiliates through several commercial levers. Prospective affiliates must submit at least 1GB of exfiltrated data to gain panel access, a gate intended to exclude researchers and law enforcement. The affiliate panel supports user management, target configuration, and downloading of tailored ransomware. The profit split is aggressive: affiliates receive 90% of proceeds while the operator takes 10%, according to PRODAFT's compilation.

Support and communication are run through personas such as The Gentlemen Data and use Tox, SimpleX Chat, and Ricochet Refresh open‑source messaging platforms. PRODAFT also observed the group buying Premium forum accounts to boost visibility and recruit.

Capabilities: cross‑platform ransomware, worm mode, and cryptography

The Gentlemen provides five ransomware builds designed for Windows, Linux, ESXi, Windows XP+, and LVM. Microsoft, tracking the cluster as Storm‑2697, reported the ransomware is written in Go and obfuscated with Garble. Microsoft noted a command‑line flag: when enabled with the --spread argument, the binary "turns the malware from a single‑host encryptor into a self‑propagating worm that attempts to deploy its encryptor to every reachable system on the network." If run with --wipe, an additional post‑encryption routine "eliminate[s] recoverable artifacts from disk."

Cryptography in use is hybrid: X25519 key exchange combined with XChaCha20 symmetric encryption. The Gentlemen also ships tools and assistance to affiliates, including EDR killers and a bring‑your‑own‑vulnerable‑driver (BYOVD) technique to bypass endpoint protections.

Tactics, tooling, and targets

NCC Group describes The Gentlemen as following "an enterprise‑focused chain" starting with initial access via vulnerable internet‑facing services or stolen credentials, often targeting edge devices such as VPN appliances, firewalls, and platforms like Cisco and Fortinet FortiGate. PRODAFT and other firms catalog a wide toolkit: red team utilities such as NetExec, RelayKing, TaskHound, PrivHound, and CertiHound for AD discovery, certificate abuse, and privilege escalation; EDRStartupHinder, gfreeze, glinker, and DumpBrowserSecrets for defense evasion; and Velociraptor for C2.

Attacks include attempts to clear Windows event logs, disable Microsoft Defender, and create antivirus exclusions. Average dwell time from initial access to encryption is reported at two to six weeks, with a particular focus on organizations running VMware infrastructure.
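The three evasion behaviours just listed (clearing Windows event logs, disabling Microsoft Defender, creating antivirus exclusions) each leave a distinctive trace in standard Windows logging, so a defender can flag them without any knowledge of the specific tooling. The following is an added illustration, not code from The Gentlemen or from any of the vendors cited in the article. It assumes the standard event IDs for these events (Security 1102 and System 104 for log clearing, Defender Operational 5001 for real-time protection being turned off and 5007 for a configuration change, which is where exclusion additions appear); the event records it scans are constructed samples, not real telemetry. It scores a host higher when log clearing and Defender tampering occur together, since that pairing matches the pre-encryption pattern described above.

```python
"""Toy detector for the defensive-evasion steps attributed to The Gentlemen:
log clearing, Defender real-time protection disabled, AV exclusions added.
Added example; not the group's or any vendor's code. Event IDs are the
standard Windows/Defender ones (assumed), sample events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"


@dataclass(frozen=True)
class WinEvent:
    host: str
    channel: str
    event_id: int
    message: str


# (channel, event id, substring the message must contain or None, finding name)
RULES = (
    ("Security", 1102, None, "security_log_cleared"),
    ("System", 104, None, "system_log_cleared"),
    (DEFENDER_CHANNEL, 5001, None, "defender_realtime_disabled"),
    # 5007 fires for any Defender config change; only exclusion edits interest us
    (DEFENDER_CHANNEL, 5007, "Exclusions", "defender_exclusion_added"),
)


def classify(event: WinEvent) -> Optional[str]:
    """Return the finding name for an event, or None if it matches no rule."""
    for channel, event_id, needle, finding in RULES:
        if event.channel == channel and event.event_id == event_id:
            if needle is None or needle in event.message:
                return finding
    return None


def scan(events: Iterable[WinEvent]) -> Dict[str, List[str]]:
    """Group findings per host, preserving the order events were seen in."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        name = classify(ev)
        if name is not None:
            findings[ev.host].append(name)
    return dict(findings)


def high_confidence_hosts(findings: Dict[str, List[str]]) -> List[str]:
    """Hosts showing BOTH log clearing and Defender tampering: the combination
    is far more specific to pre-encryption staging than either alone."""
    hosts = []
    for host, names in findings.items():
        cleared = any(n.endswith("_log_cleared") for n in names)
        tampered = any(n.startswith("defender_") for n in names)
        if cleared and tampered:
            hosts.append(host)
    return sorted(hosts)


# Constructed sample telemetry (not real events): ws-01 shows the full
# pattern, srv-02 only a lone log clear plus unrelated Defender/logon noise.
SAMPLE_EVENTS = [
    WinEvent("ws-01", "Security", 1102, "The audit log was cleared."),
    WinEvent("ws-01", DEFENDER_CHANNEL, 5007,
             "Configuration has changed. New value: HKLM\\SOFTWARE\\Microsoft\\"
             "Windows Defender\\Exclusions\\Paths\\C:\\Temp = 0x0"),
    WinEvent("ws-01", DEFENDER_CHANNEL, 5001, "Real-time Protection is disabled."),
    WinEvent("srv-02", DEFENDER_CHANNEL, 5007,
             "Configuration has changed. New value: ...\\SpyNet\\SpyNetReporting = 0x2"),
    WinEvent("srv-02", "Security", 4624, "An account was successfully logged on."),
    WinEvent("srv-02", "System", 104, "The System log file was cleared."),
]


def demo() -> List[str]:
    """Run the detector over the constructed sample and return flagged hosts."""
    return high_confidence_hosts(scan(SAMPLE_EVENTS))


if __name__ == "__main__":
    for host, names in scan(SAMPLE_EVENTS).items():
        print(host, names)
    print("high-confidence:", demo())
```

In production the same rules would sit in a SIEM as correlation logic keyed on host and a short time window rather than over a whole event list, and the 5007 substring check should be extended to cover process and extension exclusions as well as paths.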

Operational revelations: leaks, toolkits, and worldwide footprint

Two public disclosures have amplified visibility into the group's operations. A leaked Rocket.Chat database of 3,366 messages from November 2025 to late April 2026 revealed role separation and use of vulnerabilities in VMware Aria Operations, Fortinet, Cisco, and Microsoft software. Separately, Hunt.io found an open directory hosted at 176.120.22[.]127:80 on Proton66 that exposed 126 files attributed to an affiliate of The Gentlemen, including reconnaissance, privilege escalation, credential theft, lateral movement, and pre‑encryption tools.

The Gentlemen has been highly active: LevelBlue's Cybereason team called it a "highly adaptive, fast‑moving ransomware operation" and in April 2026 the group accounted for 10% of ransomware activity, per reporting cited by PRODAFT. Only about 13% of victims are in the United States; the bulk of victims are concentrated in Thailand, the U.K., Brazil, Germany, and India. ZeroFox has described the crew as running a multi‑channel extortion operation that pairs encryption with email and phone pressure.

What this means for security teams, procurement leaders, and public‑facing organizations

  • Security teams: Expect rapid redevelopment cycles — PRODAFT and others note a "highly responsive development cycle," exemplified by a same‑day patch release after a decryptor appeared in April 2026 — and watch for wormable behavior when binaries are executed with the --spread flag.
  • Procurement and infrastructure owners: The group targets edge devices and VMware stacks and probes known CVEs such as CVE‑2024‑55591, CVE‑2025‑32433, and CVE‑2025‑33073; those responsible for appliances and virtualization platforms should prioritize patching and credential hygiene.
  • Enterprises under extortion: The Gentlemen requires proof uploads to join its affiliate panel and offers extensive affiliate support — expect persistent follow‑up, data‑leak threats, and multi‑channel pressure combining ransomware with email and phone outreach.

The public record assembled by PRODAFT, Microsoft, Hunt.io, Check Point, NCC Group, LevelBlue's Cybereason team, ZeroFox, and others paints The Gentlemen not as an impulsive crew but as a maturing, service‑oriented criminal enterprise — one that can worm laterally, pivot quickly, and court affiliates with a profitable split. Whether organizations will blunt that momentum will hinge on patching, network segmentation, and vigilance against the kind of access and tooling the group has cataloged; the leaked artifacts now circulating make those technical counters more urgent than theoretical.

Original story — The Hacker News