Threat Group Profile
thegentlemen
โ Active โ last 30 days
Victim claims
302
First seen
Mar 2026
Last activity
06 Jul 2026
Tracked since
Sep 2025
Group overview
The Gentlemen is a RaaS group that emerged in JulyโAugust 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against Windows, Linux, NAS, and BSD systems; a compromised C2 server in 2026 revealed more than 1,570 linked victims.
Preferred targets
Business Services ยท 47
Manufacturing ยท 47
Healthcare ยท 29
Technology ยท 28
Transportation/Logistics ยท 21
Consumer Services ยท 21
Most targeted countries
US ยท 57
DE ยท 20
FR ยท 16
TH ยท 15
GB ยท 14
IT ยท 13
Tactics & techniques (MITRE ATT&CK)
Initial Access
Valid Accounts
Valid Accounts: Domain Accounts
External Remote Services
Exploit Public-Facing Application
Phishing
Execution
Windows Management Instrumentation
Command and Scripting Interpreter
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: Windows Command Shell
Software Deployment Tools
Persistence
Create Account
Create or Modify System Process
Boot or Logon Autostart Execution
Privilege Escalation
Exploitation for Privilege Escalation
Forced Authentication
Adversary-in-the-Middle
Defense Evasion
Obfuscated Files or Information
Indicator Removal
Proxy
Modify Registry
Domain Policy Modification: Group Policy Modification
Impair Defenses
Impair Defenses: Disable or Modify Tools
Credential Access
OS Credential Dumping
Brute Force
Unsecured Credentials
Credentials from Password Stores
Discovery
Remote System Discovery
Network Service Discovery
Permission Groups Discovery
Account Discovery
Account Discovery: Domain Account
Domain Trust Discovery
Cloud Service Discovery
Lateral Movement
Remote Services
Remote Services: Remote Desktop Protocol
Remote Services: SMB/Windows Admin Shares
Remote Services: SSH
Remote Service Session Hijacking