Threat Group Profile
thegentlemen
● Active — last 30 days
Victim claims
302
First seen
Mar 2026
Last activity
06 Jul 2026
Tracked since
Sep 2025
Group overview
The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against Windows, Linux, NAS, and BSD systems; a compromised C2 server in 2026 revealed more than 1,570 linked victims.
Preferred targets
Business Services · 47
Manufacturing · 47
Healthcare · 29
Technology · 28
Transportation/Logistics · 21
Consumer Services · 21
Most targeted countries
US · 57
DE · 20
FR · 16
TH · 15
GB · 14
IT · 13
Tactics & techniques (MITRE ATT&CK)
Initial Access
Valid Accounts
Valid Accounts: Domain Accounts
External Remote Services
Exploit Public-Facing Application
Phishing
Execution
Windows Management Instrumentation
Command and Scripting Interpreter
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: Windows Command Shell
Software Deployment Tools
Persistence
Create Account
Create or Modify System Process
Boot or Logon Autostart Execution
Privilege Escalation
Exploitation for Privilege Escalation
Forced Authentication
Adversary-in-the-Middle
Defense Evasion
Obfuscated Files or Information
Indicator Removal
Proxy
Modify Registry
Domain Policy Modification: Group Policy Modification
Impair Defenses
Impair Defenses: Disable or Modify Tools
Credential Access
OS Credential Dumping
Brute Force
Unsecured Credentials
Credentials from Password Stores
Discovery
Remote System Discovery
Network Service Discovery
Permission Groups Discovery
Account Discovery
Account Discovery: Domain Account
Domain Trust Discovery
Cloud Service Discovery
Lateral Movement
Remote Services
Remote Services: Remote Desktop Protocol
Remote Services: SMB/Windows Admin Shares
Remote Services: SSH
Remote Service Session Hijacking