
The Gentlemen isn’t a sideshow—it’s a fast, adaptive ransomware operation with scale. New reporting shows the crew began as a double-extortion affiliate, leveraging resources from RaaS programs like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis). Today, it’s operating its own program—and it’s effective.
PRODAFT’s detailed report tracks the group as Phantom Mantis and attributes leadership to a Russian-speaking actor labeled LARVA-368, known as hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. The Gentlemen has been active since March 2025, claiming 478 victims to date per Ransomware.Live.
“In July 2025, Phantom Mantis transitioned into The Gentlemen, an independent partnership program no longer dependent on other RaaS groups,” PRODAFT said. “Additionally, LARVA-368 relies heavily on artificial intelligence for the development and maintenance of ransomware and tools, as well as for assistance with post-exploitation procedures.”
Operator, identity, and evolution
LARVA-368 is assessed to have previously worked with the Embargo (aka Primeval Mantis) ransomware group before launching an operation under the ArmCorp name, which was rebranded to The Gentlemen four months later.
The individual’s identity was outed by journalist Brian Krebs as 36-year-old Alexander Andreevich Yapaev (Япаев Алексанр Андреевич) from Izhevsk, Russia. PRODAFT told The Hacker News its findings align with that persona with “high confidence.”
Dark Atlas reporting in August 2025 detailed a shift that coincided with a payment dispute between LARVA-368 and Qilin—allegations of an exit scam defrauding $48,000.
PRODAFT noted, “Although Phantom Mantis was a very active affiliate group with over 20 targets registered on its affiliate panel in less than 30 days, the group’s admin (LARVA-368) and LARVA-367 (aka DevMan), a former Phantom Mantis member, claimed that Pestilent Mantis was scamming affiliates and that there was an alleged ‘backdoor’ within the Pestilent Mantis affiliate panel victim chats.” The company added it could not confirm those claims and that the allegations may have been disinformation intended to recruit affiliates.
The crew has paid for Premium accounts on underground forums to boost visibility and fend off competition. Communications and technical support are handled by a separate Russian-speaking persona named The Gentlemen Data.
Operation profile and TTPs
- LevelBlue’s Cybereason team describes The Gentlemen as a “highly adaptive, fast-moving ransomware operation” that blends mature ransomware techniques with RaaS features, double extortion, cross-platform lockers, flexible propagation, and affiliate support.
- The group has emerged as one of the most active actors, accounting for 10% of ransomware activity in April 2026. “The Gentlemen follows an enterprise-focused chain beginning with initial access, via vulnerable internet-facing services or stolen credentials,” NCC Group said. “Analysis suggests The Gentlemen can adapt and change tactics during an attack, such as manipulating GPOs, compromising privileged accounts, and using custom methods to bypass endpoint protections.”
- Victim geography: only about 13% in the U.S.; the majority in Thailand, the U.K., Brazil, Germany, and India.
- LARVA-368 supports affiliates via The Gentlemen IM app, including supplying EDR “killers” that bypass defenses using the bring your own vulnerable driver (BYOVD) technique.
- Support channels include Tox, SimpleX Chat, and Ricochet Refresh.
- Affiliate gatekeeping: candidates must provide at least 1 GB of exfiltrated victim data to access the panel. The panel offers user management, target configuration, and per-target ransomware builds.
- Five ransomware variants are offered for Windows, Linux, ESXi, Windows XP+, and Logical Volume Manager (LVM).
- Profit split: 90% to affiliates, 10% to the operator.
- Initial access commonly via edge devices—VPN appliances, firewalls, and other internet-facing systems—with focus on Cisco and Fortinet FortiGate.
- Tooling for intrusion: red-team utilities like NetExec, RelayKing, TaskHound, PrivHound, and CertiHound for AD discovery, certificate abuse, privilege escalation, and file share discovery; evasion tools such as EDRStartupHinder, gfreeze, glinker, and DumpBrowserSecrets; Velociraptor for C2.
- Defense evasion includes attempts to clear Windows System, Application, and Security logs, disable Microsoft Defender, and add AV exclusions, per Huntress.
- Cryptography: a hybrid scheme pairing X25519 key exchange with XChaCha20 symmetric encryption.
- Microsoft tracks the cluster as Storm-2697 and reports the ransomware is written in Go and obfuscated with Garble. “When enabled with the --spread argument, it turns the malware from a single-host encryptor into a self-propagating worm that attempts to deploy its encryptor to every reachable system on the network,” the company said. “If the --wipe argument is provided, The Gentlemen ransomware performs an additional post-encryption routine to eliminate recoverable artifacts from disk.”
- ZeroFox assesses a multi-channel extortion model that pairs ransomware with email outreach and phone-based pressure.
- Development velocity is high—ZeroFox notes a same-day patch shipped after a public decryptor appeared in April 2026.
- Dwell time from initial access to encryption ranges from two to six weeks, with particular focus on organizations running VMware infrastructure.
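The evasion behaviours listed above (clearing the System, Application and Security logs, disabling Defender, adding AV exclusions, loading a vulnerable driver for BYOVD) and the encryptor's spread/wipe switches described by Microsoft, turned into a small triage routine over constructed Windows event records. This is an added example, not code from any of the cited reports: the event IDs are the standard Windows ones, while the channel names, field layout and all sample values are assumptions made for the demonstration.

```python
"""Triage constructed Windows event records for the behaviours the reporting
describes: log clearing, Defender tampering, kernel-driver service installs
(BYOVD) and the encryptor's spread/wipe command-line switches."""
import re

# Constructed sample events (channel, event ID, fields); not real telemetry.
SAMPLE_EVENTS = [
    {"channel": "Security", "id": 4624, "data": {"TargetUserName": "svc_backup"}},
    {"channel": "Security", "id": 1102, "data": {"SubjectUserName": "admin01"}},
    {"channel": "System", "id": 104, "data": {"Channel": "Application"}},
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5001, "data": {}},
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5007,
     "data": {"New Value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\tmp = 0x0"}},
    {"channel": "System", "id": 7045,
     "data": {"ServiceName": "drv_helper", "ServiceType": "kernel mode driver",
              "ImagePath": r"C:\tmp\helper.sys"}},
    {"channel": "Security", "id": 4688,
     "data": {"NewProcessName": r"C:\tmp\locker.exe",
              "CommandLine": r"C:\tmp\locker.exe --spread --wipe"}},
]

# Matches "-spread", "--spread", "-wipe", "--wipe" as whole switches.
SWITCH_RE = re.compile(r"(?<!\S)--?(spread|wipe)\b")
DEFENDER = "Microsoft-Windows-Windows Defender"


def classify(event):
    """Return the list of alert names raised by one event record."""
    cid, data, channel = event["id"], event["data"], event["channel"]
    alerts = []
    if channel == "Security" and cid == 1102:          # audit log cleared
        alerts.append("security_log_cleared")
    if channel == "System" and cid == 104:             # other event log cleared
        alerts.append("log_cleared:" + data.get("Channel", "?"))
    if channel.startswith(DEFENDER) and cid == 5001:   # real-time protection off
        alerts.append("defender_realtime_disabled")
    if (channel.startswith(DEFENDER) and cid == 5007   # config change: exclusion
            and "\\Exclusions\\" in data.get("New Value", "")):
        alerts.append("defender_exclusion_added")
    if (channel == "System" and cid == 7045            # new kernel-driver service
            and "kernel" in data.get("ServiceType", "").lower()):
        alerts.append("kernel_driver_service_installed:" + data.get("ServiceName", "?"))
    if cid == 4688:                                    # process creation
        switches = sorted({m.group(1) for m in SWITCH_RE.finditer(data.get("CommandLine", ""))})
        if switches:
            alerts.append("encryptor_switches:" + ",".join(switches))
    return alerts


def triage(events):
    """Run every record through classify() and flatten the alerts in order."""
    return [alert for ev in events for alert in classify(ev)]
```

Each alert on its own is weak evidence; several of them from one host within a short window is the pattern worth paging on.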
Leaked chats and exposed toolkit
Last month, a leak of an internal Rocket.Chat database (3,366 messages, Nov 2025–late Apr 2026) shed light on operations: regular exploitation of known flaws in VMware Aria Operations, Fortinet, Cisco, and Microsoft software, and a clear division of roles across the crew.
Check Point reported, “The group actively tracks and evaluates modern vulnerabilities, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073, and combines them with technique-driven paths like backup and management-controller abuse and NTLM relay workflows, giving them a flexible exploitation pipeline.”
In March 2026, Hunt.io identified an open directory at “176.120.22[.]127:80” hosted by bulletproof provider Proton66, exposing 126 files that comprised a complete ransomware operator toolkit attributed to an affiliate of The Gentlemen—covering reconnaissance, privilege escalation, evasion, credential theft, lateral movement, persistence, and pre-encryption staging.
As PRODAFT summarized: “LARVA-368 is a threat actor specializing in extortion-related activities and has been active since at least 2020. The expertise acquired through previous collaborations with various RaaS groups provided the technical foundation necessary to establish The Gentlemen RaaS.”
Bottom line
This is enterprise-grade ransomware with scale, speed, and a worm-capable encryptor. Expect adaptable tradecraft, multi-channel pressure, rapid iteration, and weeks of dwell time before detonation—all grounded in the facts above.