The Gentlemen is a financially motivated Ransomware-as-a-Service (RaaS) operation that emerged in late 2025 following a public dispute between its suspected administrator, known as hastalamuerte (also observed using the alias zeta88), and members of the Qilin ransomware affiliate program. Shortly after the dispute, the actor launched an independent ransomware operation and began actively recruiting affiliates through underground cybercriminal communities.

Figure 1: The Gentlemen Ransomware Group Logo
Analysis of leaked internal communications indicates that The Gentlemen operates a structured affiliate-based business model that combines credential acquisition, remote access abuse, ransomware deployment, and double-extortion tactics. The group advertises an affiliate profit-sharing arrangement of up to 90%, positioning itself as an attractive alternative to more established ransomware programs.
A significant operational security failure in May 2026 exposed the group’s internal Rocket.Chat collaboration platform. The leak included exports from 23 chat rooms, thousands of internal messages, and hundreds of screenshots documenting day-to-day operational activity. Unlike traditional ransomware leaks that primarily expose victim data or source code, this dataset provides rare visibility into the internal decision-making processes, operational workflows, tooling preferences, affiliate ecosystem, and monetization strategies of a modern ransomware enterprise.
Analysis of the leaked communications suggests that The Gentlemen follows a structured intrusion lifecycle. Operators identify prospective targets using commercial intelligence platforms, obtain access through exposed VPN infrastructure and compromised credentials, conduct internal reconnaissance, escalate privileges, collect sensitive data, and ultimately deploy ransomware before initiating extortion negotiations. The communications further reveal evidence of affiliate coordination, credential intelligence gathering, victim valuation processes, and preparations for public data disclosure when negotiations fail.
The leak provides one of the most detailed publicly available views into the internal operations of an emerging ransomware ecosystem and offers defenders valuable insight into the tactics, techniques, and procedures (TTPs) used by The Gentlemen and its affiliates.
Analysis of the leaked Rocket.Chat dataset resulted in several notable findings:
The origins of The Gentlemen can be traced to a public dispute involving the ransomware operator hastalamuerte and representatives of the Qilin ransomware program during July 2025.
According to posts published on underground forums, the actor claimed that their team had operated as a Qilin affiliate and participated in multiple victim compromises over a period of approximately six weeks. The dispute centered on allegations that ransom negotiations had been conducted outside official affiliate channels and that the actor had not received an expected revenue share from a successful ransom payment.

Figure 2: Forum Post by “hastalamuerte” Discussing Internal Communications Leak
Translation: We worked as affiliates. We deployed 14 targets over 1.5 months. On one of the targets, the victim contacted support and said that representatives from the BHE panel reached out directly and offered $60k. We initially set $500k. We agreed with support on $200k. Then the chat supposedly disappeared. (In TOX, chats don't disappear -- Qilin's explanation is in the screenshots below.) We do not agree with these explanations.
We deployed the target. We received information about the ransom. Then contact was lost from Qilin's side. We want compensation for lost profit minus their share (~$48k). (Even considering their explanation that only 2 out of 20 deals get paid -- this could have been that case.)
We don't want others' money, but we consider it unacceptable to lose our own.
There is no confidence anymore that other negotiations are not happening outside the panel.
Chat with support if needed, correspondence here with haise (as I understand, a representative of the partner program). We didn't want to make this public, but otherwise the issue is not being resolved.
We are open to comments from specialists regarding deletion of TOX chats.
We request open arbitration @admin.
We will provide TOX correspondence and target details privately.
While the accuracy of the allegations cannot be independently verified, the public disagreement provides insight into the motivations behind the formation of a separate ransomware operation. Following the dispute, the actor began establishing an independent criminal enterprise that would later become known as The Gentlemen.
With high confidence, we assess that the forum identity hastalamuerte and the Rocket.Chat administrator zeta88 are operated by the same individual, based on observed overlaps in recruitment activity, operational discussions, and organizational leadership roles.
Following its establishment, The Gentlemen actively recruited affiliates through multiple underground communities and positioned itself as a Ransomware-as-a-Service platform focused on maximizing affiliate profitability.
The group publicly advertised a revenue-sharing model that allowed affiliates to retain up to 90% of successful ransom payments, with the remaining 10% retained by the administrators of the platform. Such a model is considerably more generous than those historically offered by many established ransomware programs and likely contributed to rapid affiliate adoption.

Figure 3: The Gentlemen RaaS Affiliate Recruitment Advertisement
The leaked communications further reveal the existence of a dedicated affiliate management ecosystem that included victim tracking capabilities, operational coordination features, and management interfaces designed to support multiple concurrent intrusion operations.

Figure 4: Screenshot of The Gentlemen RaaS Affiliate Management Portal
The platform also included mechanisms for creating and tracking victim engagements, further supporting the assessment that The Gentlemen operates as a mature affiliate-driven ransomware business rather than an informal criminal collective.

Figure 5: Target Creation Interface within The Gentlemen RaaS Portal
Unlike some ransomware groups that maintain a limited public profile, The Gentlemen appears to have invested in branding and recruitment efforts designed to attract new affiliates and increase visibility within the cybercriminal ecosystem.
Evidence from the leak indicates the group maintained social media accounts and actively promoted its ransomware program across underground communities.

Figure 6: The Gentlemen RaaS X/Twitter account.
The group’s public-facing activity reflects an increasingly common trend among modern ransomware operators, who frequently adopt branding strategies similar to legitimate software companies in order to recruit affiliates and establish credibility within criminal marketplaces.
The Gentlemen operates both Tor-based and clear-web leak sites that serve as platforms for public victim disclosures and extortion activities.
The leak sites contain victim names, industry information, and descriptions of allegedly stolen data. Victim entries are frequently accompanied by countdown timers indicating when stolen information may be publicly released if negotiations fail.

Figure 7: Darkweb Extortion site
This approach is consistent with modern double-extortion operations, where the threat of public disclosure is used to increase pressure on victims in addition to file encryption.
As of June 2026, The Gentlemen’s leak infrastructure listed more than 450 victim organizations across a broad range of industries and geographic regions.
Analysis of publicly listed victims indicates concentration across several sectors:
The diversity of victim organizations suggests that The Gentlemen does not focus exclusively on a single industry vertical and instead prioritizes organizations based on revenue potential, operational importance, and access availability.
The group has claimed victims across more than 70 countries.
The most frequently observed countries include:
The geographic diversity of victims indicates an opportunistic targeting model rather than one driven by regional or geopolitical objectives.
| Date | Event |
| --- | --- |
| July 2025 | Public dispute with Qilin |
| September 2025 | Underground forum account registration |
| October 2025 | Early recruitment activity observed |
| November 2025 | Rocket.Chat operational activity begins |
| January 2026 | Significant affiliate expansion |
| March 2026 | Peak victim growth observed |
| May 2026 | Internal Rocket.Chat platform compromised |
| June 2026 | More than 450 victims listed publicly |
The timeline suggests that The Gentlemen progressed from a newly established ransomware operation to a large-scale affiliate ecosystem within approximately twelve months.
Operational leaks involving ransomware groups are uncommon, and most publicly available disclosures typically expose only source code, victim data, negotiation transcripts, or infrastructure details. The compromise of The Gentlemen’s internal Rocket.Chat environment is significant because it provides visibility into the organization’s day-to-day operations, internal decision-making processes, affiliate relationships, victim selection methodology, and monetization strategies.
Unlike external observations derived from leak sites or incident response engagements, the Rocket.Chat dataset captures internal communications between administrators, operators, and affiliates while operations are actively underway. This provides a rare opportunity to examine how targets were evaluated, how access was acquired, how victims were managed throughout the intrusion lifecycle, and how ransom negotiations were conducted.
The exposed communications reveal that The Gentlemen operated with a level of organizational maturity commonly associated with established Ransomware-as-a-Service programs. Operators maintained dedicated workspaces for victim tracking, access validation, malware deployment, credential acquisition, tooling discussions, and extortion planning. The communications further demonstrate collaboration among affiliates and provide insight into the group’s evolving operational practices.
From a defender’s perspective, the leak offers valuable intelligence regarding adversary workflows, operational priorities, and detection opportunities that are rarely observable through traditional incident response investigations.

Figure 8: The Gentlemen's acknowledgement of the leak
The leaked dataset contains exports from 23 Rocket.Chat rooms, including 22 active operational workspaces and one empty room. Collectively, the rooms contain thousands of messages exchanged between November 2025 and April 2026, providing a detailed record of the group’s activities during a period of significant operational growth.

Figure 9: Leak of 23 Rocket.Chat Rooms
The dataset captures discussions related to:
The breadth of topics discussed throughout the leak suggests that Rocket.Chat served as the group’s primary collaboration platform and operational knowledge repository.
Analysis of the exposed rooms indicates that The Gentlemen organized operations using a compartmentalized workflow model. Individual rooms were frequently dedicated to specific victims, operational functions, or administrative activities.
The largest rooms focused on:
Several rooms appear to have functioned as temporary workspaces for individual victim engagements, while others served as long-term repositories for operational guidance and tool sharing.
This structure resembles the project-management approach increasingly adopted by mature ransomware organizations, where affiliates coordinate activity through centralized collaboration platforms while maintaining operational separation between victim engagements.
Analysis of message volume and participant activity identifies several rooms that played central roles within the organization.
Room 302930 served as one of the primary administrative workspaces and contained discussions involving operational planning, victim management, and coordination between senior members.
Rooms 133148 and 843543 contained evidence of active victim compromises, ransomware deployment discussions, and negotiation activity. Communications in these rooms suggest that affiliates frequently collaborated during post-compromise operations.
Room 939364 appears to have been used for affiliate coordination, payment discussions, and victim tracking. Communications within this workspace provide insight into the relationship between administrators and operational affiliates.
Room 244725 functioned as a centralized repository for tooling recommendations, operational guidance, offensive security resources, and research materials. Importantly, the presence of a tool within this room should not be interpreted as confirmation of operational deployment.

Figure 10: Internal Rocket.Chat room analysis
Collectively, these rooms reveal a structured operational environment rather than an ad hoc collection of criminal actors.
The leaked communications reference at least nine recurring participants who appear to fulfill distinct operational roles within the organization.
While complete attribution is not possible based solely on the available evidence, communication patterns, activity levels, and operational responsibilities allow for a high-confidence assessment of organizational hierarchy.
At the center of the operation is zeta88, who appears throughout the majority of active rooms and consistently participates in victim intake, access discussions, strategic planning, extortion preparation, and affiliate coordination activities.
The frequency of participation and breadth of responsibilities strongly suggest that zeta88 functions as the primary administrator and operational leader of the organization.
Role Assessment:
Administrator and primary operator.
Observed Responsibilities:
The available evidence indicates that zeta88 exercised authority across multiple operational functions and maintained visibility into numerous active victim engagements.
Role Assessment:
Senior operator or affiliate.
Observed Responsibilities:
Protagor appears frequently during active intrusion discussions and is regularly involved in victim-specific operational activity.
Role Assessment:
Operational affiliate.
Observed Responsibilities:
Communications suggest that Wick participated directly in victim compromises and ransomware deployment workflows.
Role Assessment:
Senior affiliate and strategic contributor.
Observed Responsibilities:
qbit’s participation indicates a trusted role within the affiliate ecosystem and visibility into broader organizational decisions.
Role Assessment:
Operational affiliate.
Observed Responsibilities:
Communications frequently place mAst3r alongside Wick during active intrusion operations.
Role Assessment:
Research and targeting support.
Observed Responsibilities:
quant appears to support access development and intelligence collection activities.
Role Assessment:
Operational affiliate.
Observed Responsibilities:
Kunder participates across multiple victim-focused discussions but appears less involved in strategic decision-making.
Role Assessment:
Tooling contributor.
Observed Responsibilities:
Limited activity prevents a higher-confidence assessment.
Role Assessment:
Undetermined.
Observed Responsibilities:
Insufficient evidence exists to determine operational responsibilities.

Figure 11: Core Members Overview
The leaked communications suggest that The Gentlemen operates through a hierarchical structure consisting of administrators, trusted operators, and affiliated intrusion teams.
Unlike loosely organized cybercriminal collectives, the group demonstrates characteristics commonly associated with mature Ransomware-as-a-Service operations, including:
This organizational model enables multiple victim engagements to occur simultaneously while maintaining centralized oversight and revenue-sharing mechanisms.
The evidence further suggests that The Gentlemen functions less as a traditional “gang” and more as a ransomware business platform that coordinates independent affiliates through a shared operational ecosystem.
Analysis of the leaked communications reveals a repeatable intrusion methodology that appears consistently across multiple victim engagements.
Although individual operations vary, observed activity generally follows the same sequence:
This lifecycle reflects contemporary double-extortion ransomware operations and demonstrates a level of procedural consistency indicative of operational maturity.
The following sections reconstruct each phase of this workflow using evidence recovered from the leaked communications and associated screenshots.
Analysis of the leaked Rocket.Chat communications reveals a structured and repeatable intrusion methodology that was observed across multiple victim engagements. While individual operations varied based on target characteristics and access opportunities, the underlying workflow remained largely consistent.
The evidence suggests that The Gentlemen follows a modern double-extortion ransomware model that combines victim profiling, credential acquisition, privileged access abuse, data theft, encryption, and extortion. Operators appear to prioritize efficiency by leveraging commercially available intelligence sources, credential repositories, and pre-existing access opportunities rather than relying exclusively on sophisticated exploitation techniques.
The following sections reconstruct the observed attack lifecycle based on communications, screenshots, victim workspaces, and operational discussions recovered from the leak.
The first stage of the intrusion lifecycle involves identifying organizations that offer the highest potential return on investment. Unlike opportunistic attacks that target any exposed organization, The Gentlemen appears to conduct preliminary victim qualification before committing resources to an operation.
Evidence from multiple Rocket.Chat rooms indicates that operators routinely collected intelligence relating to:
Commercial intelligence platforms were frequently referenced during this stage. Operators shared company profiles, revenue estimates, employee counts, and industry information when evaluating prospective victims.
One discussion involving a transportation company illustrates the group’s approach to victim qualification. While operators acknowledged that the organization’s revenue was relatively modest, they nevertheless viewed the sector itself as highly attractive from a monetization perspective.
This behavior suggests that victim selection was influenced by multiple factors rather than revenue alone. Organizations operating within sectors perceived as operationally sensitive or disruption-intolerant were often considered attractive targets regardless of size.
Assessment
With moderate confidence, we assess that The Gentlemen prioritizes victims based on a combination of:
This approach reflects a business-oriented targeting strategy rather than indiscriminate victim selection.

Figure 12 : Victim Selection Discussion (Room 100256)
MITRE ATT&CK
Following victim selection, operators focus on obtaining reliable access to the target environment.
The leak repeatedly references Fortinet SSL-VPN infrastructure, suggesting that exposed remote access services represented a primary entry vector. Multiple rooms contain VPN gateway information, connection details, access credentials, and configuration exports shared between affiliates.
In one observed example, an operator shared a complete VPN access package that included:
The level of detail provided suggests that access was often obtained prior to operational engagement and subsequently distributed among affiliates responsible for conducting the intrusion.
The communications do not consistently reveal how the original VPN access was obtained. However, the surrounding discussions indicate several possible acquisition methods:
Assessment
The available evidence strongly suggests that Fortinet SSL-VPN access served as a recurring and strategically important entry vector within The Gentlemen’s operational model.
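Because the leak shows VPN credential packages being handed from one affiliate to another, the observable on the defender's side is not a failed login but a valid account arriving from an unfamiliar source, often from several sources in quick succession. The following detector is an added example written for this report, not tooling recovered from the leak. It parses constructed FortiGate-style key=value syslog lines; the field names it relies on (type, subtype, action, user, remip) and the baseline of known source IPs per user are assumptions for illustration and should be checked against the firmware and data actually in use.

```python
"""Flag SSL-VPN logins from source IPs outside a user's baseline, and one account
appearing from several source IPs within a short window (a credential package
being shared between affiliates).

Added example, not tooling from the leak. Input is constructed FortiGate-style
key=value syslog; the field names used here (type, subtype, action, user,
remip) are assumed for illustration and should be checked against the
firmware actually in use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value tokens; quoted values may contain spaces (msg="SSL tunnel established").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOGS = [
    'date=2026-03-02 time=09:01:12 devname="fw1" type="event" subtype="vpn" '
    'action="tunnel-up" tunneltype="ssl-tunnel" user="a.smith" remip=198.51.100.10 '
    'msg="SSL tunnel established"',
    'date=2026-03-02 time=09:05:40 devname="fw1" type="event" subtype="vpn" '
    'action="ssl-login-fail" user="svc_backup" remip=203.0.113.77 '
    'reason="sslvpn_login_permission_denied"',
    'date=2026-03-02 time=09:06:02 devname="fw1" type="event" subtype="vpn" '
    'action="tunnel-up" tunneltype="ssl-tunnel" user="svc_backup" remip=203.0.113.77',
    'date=2026-03-02 time=09:14:30 devname="fw1" type="event" subtype="vpn" '
    'action="tunnel-up" tunneltype="ssl-tunnel" user="svc_backup" remip=203.0.113.91',
    'date=2026-03-02 time=09:20:11 devname="fw1" type="event" subtype="vpn" '
    'action="tunnel-up" tunneltype="ssl-tunnel" user="svc_backup" remip=192.0.2.200',
]

# Source IPs seen per user during a learning period (constructed).
BASELINE = {"a.smith": {"198.51.100.10"}, "svc_backup": {"198.51.100.22"}}


def parse_fortigate_line(line):
    """Parse key=value pairs into a dict, stripping quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def is_ssl_vpn_login(ev):
    """Successful SSL-VPN tunnel establishment; failures are a separate signal."""
    return (ev.get("type"), ev.get("subtype"), ev.get("action")) == ("event", "vpn", "tunnel-up")


def event_time(ev):
    return datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")


def find_suspicious_logins(lines, baseline, window=timedelta(minutes=30), max_ips=2):
    """Return (user, remip, reason) findings for logins outside the baseline and
    for more than max_ips distinct source IPs per user inside the window."""
    findings = []
    recent = defaultdict(list)  # user -> [(time, ip)] still inside the window
    for line in lines:
        ev = parse_fortigate_line(line)
        if not is_ssl_vpn_login(ev):
            continue
        user, ip, ts = ev.get("user"), ev.get("remip"), event_time(ev)
        if ip not in baseline.get(user, set()):
            findings.append((user, ip, "source IP not in user baseline"))
        recent[user] = [(t, i) for t, i in recent[user] if ts - t <= window] + [(ts, ip)]
        distinct = {i for _, i in recent[user]}
        if len(distinct) > max_ips:
            findings.append((user, ip, f"{len(distinct)} distinct source IPs within {window}"))
    return findings


if __name__ == "__main__":
    for user, ip, reason in find_suspicious_logins(SAMPLE_LOGS, BASELINE):
        print(f"{user:<12} {ip:<16} {reason}")
```

On the constructed sample, a.smith produces nothing, while svc_backup is flagged three times for unfamiliar sources and once more when its third distinct IP appears inside the window. The ssl-login-fail line is deliberately ignored here; failure bursts belong in a separate password-spray rule, and a service account that has never used the VPN at all should not even be in the baseline, which is a policy finding rather than a detection one.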

Figure 13: Fortinet VPN Access Information Shared Between Operators (Room 843543)
MITRE ATT&CK
Beyond direct VPN access, operators actively sought additional credentials that could facilitate deeper access into victim environments.
Several conversations reference credential intelligence platforms, breach repositories, and infostealer-derived datasets. Operators routinely reviewed exposed corporate accounts and attempted to validate recovered credentials against enterprise infrastructure.
Evidence indicates that operators used credential datasets to:
Screenshots shared within the communications reveal operators reviewing breach intelligence associated with targeted organizations. Additional evidence suggests that recovered credentials were tested against Windows hosts and enterprise services before being incorporated into ongoing operations.
Validation activity frequently involved SMB authentication and Windows administrative protocols, indicating that operators sought to verify practical access rather than merely collecting credentials.
Assessment
The leak highlights the continued importance of credential theft and credential reuse within modern ransomware operations. Rather than relying exclusively on malware-based credential theft, affiliates frequently leveraged previously compromised credentials obtained through external criminal ecosystems.
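The SMB validation pattern described above (one operator host testing recovered credentials against many targets, as in the NetExec screenshot) has a distinctive footprint once Windows Security events are centralised: network logons (LogonType 3) fanning out from a single source IP to several hosts or accounts in a short window, with the occasional success marking the credential that now works. The detector below is an added example written for this report, not code from the leak. Its input is a constructed list of dicts modelled on EventID 4624/4625 fields; the host names, accounts and addresses are made up for illustration.

```python
"""Spot credential validation fanning out from one source across many hosts (the
NetExec-over-SMB pattern): network logons (LogonType 3) from a single IP that
touch several hosts or accounts within a short window, and which pairs succeeded.

Added example, not from the leak. Events are constructed dicts modelled on
Windows Security EventID 4624/4625 fields; in practice they come from a SIEM,
since each target host writes only its own events and the fan-out is visible
only after central collection.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2026, 3, 2, 10, 0, 0)


def _ev(event_id, host, user, ip, offset_s, logon_type=3):
    return {"EventID": event_id, "Computer": host, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type,
            "Time": T0 + timedelta(seconds=offset_s)}


# Constructed sample: 10.0.5.23 tests a local administrator password host by host
# (two failures, one success) plus a second account; the rest is background noise.
SAMPLE_EVENTS = [
    _ev(4625, "FS01", "administrator", "10.0.5.23", 0),
    _ev(4625, "FS01", "j.doe", "10.0.5.23", 2),
    _ev(4625, "APP01", "administrator", "10.0.5.23", 5),
    _ev(4624, "HR-SHARE", "administrator", "10.0.5.23", 9),
    _ev(4624, "FS01", "a.smith", "10.0.8.4", 30),
    _ev(4624, "DC01", "WS12$", "10.0.8.12", 40),                 # machine account
    _ev(4624, "TS01", "a.smith", "10.0.8.4", 60, logon_type=10),  # RDP, not SMB
]

NOISE_ACCOUNTS = {"anonymous logon", "-", ""}


def _relevant(ev):
    """Keep network logons by user/service accounts; drop machine and anonymous ones."""
    user = ev["TargetUserName"].lower()
    return (ev["EventID"] in (4624, 4625) and ev["LogonType"] == 3
            and not user.endswith("$") and user not in NOISE_ACCOUNTS)


def detect_smb_spray(events, window=timedelta(minutes=10), min_targets=3):
    """Return {source_ip: {"accounts", "hosts", "validated"}} for sources whose
    logon attempts in any sliding window reach min_targets distinct hosts or
    accounts. "validated" holds (account, host) pairs where a 4624 confirmed
    that the credential works."""
    by_src = defaultdict(list)
    for ev in filter(_relevant, events):
        by_src[ev["IpAddress"]].append(ev)
    findings = {}
    for ip, evs in by_src.items():
        evs.sort(key=lambda e: e["Time"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["Time"] - first["Time"] <= window]
            accounts = {e["TargetUserName"].lower() for e in burst}
            hosts = {e["Computer"] for e in burst}
            if len(accounts) >= min_targets or len(hosts) >= min_targets:
                findings[ip] = {
                    "accounts": accounts,
                    "hosts": hosts,
                    "validated": {(e["TargetUserName"], e["Computer"])
                                  for e in burst if e["EventID"] == 4624},
                }
                break  # one finding per source is enough; later bursts add nothing new
    return findings


if __name__ == "__main__":
    for ip, f in detect_smb_spray(SAMPLE_EVENTS).items():
        print(ip, "hosts:", sorted(f["hosts"]), "validated:", sorted(f["validated"]))
```

Two tuning notes. NetExec's default mode is one credential against many hosts, so the host-count threshold does most of the work; lower it for sources that are not known scanners or management servers. Member-server 4624/4625 events only show NTLM and local authentication as seen by each target; for domain accounts, pair this with 4776 on the domain controllers (NTLM validation) and 4771/4768 (Kerberos pre-authentication failure and ticket requests), otherwise a Kerberos-based validation run is invisible to this rule.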

Figure 14: Snusbase screenshot (credential harvesting)

Figure 15: NetExec/SMB screenshot (credential validation)
MITRE ATT&CK
After establishing reliable access, operators transitioned to internal reconnaissance activities designed to map the victim environment and identify valuable assets.
The communications reveal systematic efforts to identify:
Operators frequently shared screenshots and notes documenting internal infrastructure. Several discussions focused on identifying locations where sensitive data was likely stored, including shared drives, document repositories, finance systems, and backup environments.
The objective of this phase appears to be the development of an operational roadmap that enables subsequent privilege escalation, data theft, and ransomware deployment activities.
Assessment
The observed reconnaissance behavior reflects standard ransomware tradecraft and demonstrates an emphasis on understanding business operations rather than simply identifying technical assets.

Figure 16: Internal Reconnaissance Activities Observed
MITRE ATT&CK
Following reconnaissance, operators sought to obtain elevated privileges that would enable unrestricted access across victim environments.
Evidence recovered from multiple rooms references:
One observed discussion indicates that operators successfully modified built-in Windows administrative accounts after obtaining elevated access.
Additional communications reference administrative credentials being shared among operators involved in victim engagements, suggesting that privileged access was treated as a critical milestone prior to encryption and extortion activities.
Assessment
The communications indicate that achieving Domain Administrator-level control was frequently viewed as a prerequisite for large-scale ransomware deployment.
This level of access enables:

Figure 17: Evidence of Privileged Access and Domain Administrator Control
MITRE ATT&CK
Prior to encryption, operators conducted extensive searches for information that could be leveraged during extortion negotiations.
The leak contains numerous examples of affiliates browsing:
One observed victim workspace contained references to:
The structure of these activities indicates deliberate efforts to identify data likely to maximize extortion leverage rather than indiscriminate collection.
This phase reflects a broader shift within ransomware operations, where stolen information often carries equal or greater value than encrypted systems.
Assessment
The evidence suggests that data theft was not a secondary objective but rather an integrated component of the group’s monetization strategy.

Figure 18: Financial and Business-Critical Data Discovery Within Victim Environment
MITRE ATT&CK
Following data collection activities, operators initiated ransomware deployment across victim infrastructure.
The communications include evidence of encryption operations targeting:
Operators exchanged updates confirming successful execution of ransomware payloads and monitored encryption progress after deployment.
The available evidence demonstrates that ransomware execution occurred only after:
This sequencing reflects a disciplined operational workflow designed to maximize leverage before revealing the intrusion through encryption activity.
Assessment
The observed behavior aligns closely with contemporary double-extortion ransomware operations in which encryption serves as the final technical stage of a broader monetization process.

Figure 19: Active Encryption Process Executed Against Shared Network Storage
MITRE ATT&CK
Following successful ransomware deployment, operators transitioned to monetization activities.
The leaked communications reveal a relatively structured negotiation model in which services were offered individually or as bundled packages.
Observed pricing examples included:
| Service | Observed Price |
| --- | --- |
| Decryption | $80,000 |
| Data Deletion | $120,000 |
| Security Report | $25,000 |
| Complete Package | $100,000 |
Negotiations frequently involved counteroffers and revised pricing, indicating that ransom demands were treated as flexible starting points rather than fixed amounts.
Operators appeared willing to adjust demands based on:
Assessment
The communications indicate a mature revenue-maximization strategy rather than a rigid ransom model.
MITRE ATT&CK
When negotiations failed to produce payment, operators prepared victim information for public disclosure.
Evidence recovered from the leak shows affiliates drafting communications that referenced:
Several communications indicate that operators considered contacting affected individuals directly in order to increase pressure on victim organizations.
This tactic is consistent with modern double-extortion and triple-extortion operations where reputational damage, regulatory exposure, and customer notification concerns are leveraged to encourage payment.
Assessment
The leaked communications demonstrate that public disclosure was not merely a backup option but an established component of The Gentlemen’s extortion framework.
MITRE ATT&CK

Figure 20: Extortion Communication Prepared for Public Disclosure and Customer Notification
The reconstructed lifecycle demonstrates that The Gentlemen operates using a structured and repeatable ransomware methodology that closely resembles established Ransomware-as-a-Service programs.
The evidence indicates a workflow centered on:
Victim Identification → Access Acquisition → Credential Validation → Reconnaissance → Privilege Escalation → Data Collection → Encryption → Negotiation → Public Disclosure
This sequence reflects a mature operational model focused on maximizing both technical effectiveness and extortion revenue while minimizing unnecessary operational risk.
Analysis of the leaked Rocket.Chat communications provides insight into the tools, resources, and infrastructure discussed among members of The Gentlemen. While the dataset contains references to numerous offensive security projects, utilities, and operational guides, it is important to distinguish between tools that were merely shared or discussed and those that can be reasonably associated with observed intrusion activity.
The presence of a tool within an internal discussion does not, by itself, constitute evidence of operational deployment. Many of the referenced resources appear to have been shared for educational purposes, capability development, operational research, or affiliate training.
Nevertheless, the collection provides valuable insight into the types of capabilities that operators considered useful during ransomware operations.
One of the most active collaboration rooms within the leaked dataset functioned as a centralized repository for offensive security tools, operational guides, and infrastructure resources.
Communications indicate that operators routinely shared:
The room appears to have served as a knowledge-sharing environment where affiliates exchanged operational guidance and discussed techniques relevant to enterprise compromises.
Assessment
With high confidence, we assess that this workspace functioned primarily as an internal research and collaboration hub. The presence of a specific tool within the repository should not be interpreted as confirmation that the tool was operationally deployed during observed intrusions.
The shared resources can be broadly grouped into several operational categories.
Several discussions referenced tools capable of maintaining access to compromised systems and facilitating post-compromise operations.
Observed examples include:
These resources provide varying degrees of remote administration, host management, traffic tunneling, and post-exploitation support.
Their presence suggests that operators maintained awareness of both traditional command-and-control frameworks and legitimate administrative technologies that could be repurposed for offensive use.
Operators also shared tools designed to establish secure communication channels and operational infrastructure.
Examples include:
The frequent discussion of VPN infrastructure indicates an emphasis on protecting operator anonymity and maintaining resilient access channels.
This behavior is consistent with mature ransomware groups that routinely separate operational infrastructure from their real-world locations through layered proxy and VPN architectures.
A substantial portion of the shared tooling focused on enterprise enumeration and Active Directory assessment.
Examples include:
These projects support:
The concentration of Active Directory-focused tooling reflects the importance of privileged access acquisition within ransomware operations.
The leak contains references to multiple credential acquisition and credential processing tools.
Observed examples include:
The presence of these resources aligns with the group’s observed reliance on credential intelligence and valid-account abuse throughout the intrusion lifecycle.
The leaked communications also contain references to cloud-focused tooling.
Examples include:
These discussions suggest that operators maintained awareness of cloud attack paths and privilege escalation opportunities beyond traditional on-premises environments.
Although evidence of large-scale cloud compromise activity is limited within the dataset, the shared tooling indicates that affiliates possessed at least a working familiarity with cloud-focused attack methodologies.
Among the most notable findings within the leak is evidence of a custom web-based platform referred to as G-BOT.
Screenshots recovered from the dataset reveal a management interface designed to monitor compromised systems and support post-compromise operations.

Figure 21: G-BOT Custom Command-and-Control (C2) Management Panel
The interface displays functionality commonly associated with command-and-control frameworks, including:
Additional screenshots indicate support for both Linux and Windows systems.

Figure 22: G-BOT Control Panel Displaying Active Compromised Hosts
The interface references active beacons, system metadata, and operational status indicators that would enable operators to monitor compromised hosts and coordinate post-compromise activities.
The available evidence suggests that G-BOT functioned as an internally managed command-and-control capability.
However, the leaked screenshots alone do not conclusively establish the scale of deployment or the extent to which the platform was used across observed victim engagements.
With moderate confidence, we assess that G-BOT was likely intended to support post-compromise operations through centralized host management and access retention capabilities.
A recurring theme throughout the leak is the use of SOCKS-based proxy infrastructure to facilitate internal network access.
The G-BOT platform includes functionality that enables operators to route traffic through compromised systems and interact with internal resources while masking their true origin.

Figure 23: SOCKS5 Proxy Configuration Interface within the G-BOT Platform
The screenshots indicate support for:
The capability effectively transforms compromised systems into pivot points from which operators can conduct additional reconnaissance and lateral movement activities.
One of the more revealing artifacts recovered from the leak is an internal guide describing how SOCKS-based access should be used after gaining access to a victim network.

Figure 24: Internal Guide Explaining SOCKS5-Based Access to Victim Networks
The guide explains how operators can access:
The document also discusses operational limitations, including DNS leakage concerns and authentication requirements for services such as RDP and SMB.
The existence of formalized guidance suggests that SOCKS-based pivoting was sufficiently common to justify internal training and documentation.
This further reinforces the assessment that The Gentlemen operates through structured workflows rather than purely ad hoc intrusion activity.
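The DNS-leakage caveat in the guide comes down to a single byte in the SOCKS5 CONNECT request (RFC 1928): a client that resolves a victim-internal hostname itself sends the resulting IPv4 address with ATYP=0x01, so the DNS query leaves the operator's workstation, whereas a client that sends the raw hostname with ATYP=0x03 leaves resolution to the proxy running on the compromised host, inside the victim's resolver context. The following is an added example, not code from the leaked guide or from G-BOT: the "proxy" is a constructed stub that records what it was asked to connect to and never opens an outbound connection, so the exchange runs offline, and the hostname `fileserver.corp.local` is a made-up internal name.

```python
"""Minimal SOCKS5 client/proxy exchange (RFC 1928) illustrating local versus
proxy-side name resolution. Added example; the proxy is a stub that only
records the CONNECT request and replies with a failure code."""
import socket
import struct
import threading

SOCKS_VERSION = 5
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03


def build_connect_request(host: str, port: int, resolve_locally: bool) -> bytes:
    """Build a SOCKS5 CONNECT request.

    resolve_locally=True mimics a client that calls gethostbyname() itself and
    sends ATYP=0x01; the DNS query for an internal name leaves the operator's
    box. resolve_locally=False sends ATYP=0x03 so the proxy on the compromised
    host resolves the name using the victim's own resolvers.
    """
    if resolve_locally:
        body = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(host))
    else:
        name = host.encode()
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, 0x01, 0x00]) + body + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> dict:
    """Parse a CONNECT request the way the proxy side sees it."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != SOCKS_VERSION or cmd != 0x01:
        raise ValueError("not a SOCKS5 CONNECT")
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode(), data[5 + n:]
    else:
        raise ValueError("unsupported ATYP")
    (port,) = struct.unpack("!H", rest[:2])
    return {"atyp": atyp, "host": host, "port": port}


def _stub_proxy(listener: socket.socket, seen: list) -> None:
    """Constructed proxy side: negotiate 'no auth', record the request, refuse."""
    conn, _ = listener.accept()
    with conn:
        greeting = conn.recv(257)                      # VER, NMETHODS, METHODS
        assert greeting[0] == SOCKS_VERSION
        conn.sendall(bytes([SOCKS_VERSION, 0x00]))     # method 0x00 = no authentication
        seen.append(parse_connect_request(conn.recv(262)))
        # Reply: general SOCKS server failure, BND.ADDR 0.0.0.0:0 (no outbound connect).
        conn.sendall(bytes([SOCKS_VERSION, 0x01, 0x00, ATYP_IPV4]) + b"\0\0\0\0\0\0")


def pivot_request(host: str, port: int, resolve_locally: bool) -> dict:
    """Run one client/proxy exchange over localhost and return what the proxy saw."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen: list = []
    worker = threading.Thread(target=_stub_proxy, args=(listener, seen))
    worker.start()
    with socket.create_connection(listener.getsockname()) as c:
        c.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))  # offer only "no auth"
        assert c.recv(2) == bytes([SOCKS_VERSION, 0x00])
        c.sendall(build_connect_request(host, port, resolve_locally))
        c.recv(10)                                      # read the 10-byte reply
    worker.join()
    listener.close()
    return seen[0]


if __name__ == "__main__":
    # fileserver.corp.local is a constructed victim-internal name.
    print(pivot_request("fileserver.corp.local", 445, resolve_locally=False))
```

Tools such as proxychains expose the same choice as a configuration switch (`proxy_dns` in proxychains.conf); the authentication requirement the guide mentions for RDP and SMB is unaffected by either mode, since the proxy only relays the TCP stream and the operator still needs valid credentials for the service at the far end.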
The leaked communications contain screenshots associated with Velociraptor, an open-source digital forensics and incident response platform.

Figure 25: Velociraptor Administration Panel Showing Client Configuration Downloads
The screenshots show functionality including:
Additional screenshots reference artifact creation and endpoint collection capabilities.

Figure 26: Velociraptor Artifact Collection Interface Showing CreateMSI Search
Velociraptor is widely used by:
As a result, its presence within the leaked communications should not automatically be interpreted as evidence of malicious deployment.
However, like many legitimate administrative platforms, Velociraptor can be repurposed for post-compromise operations, including:
With moderate confidence, we assess that members of The Gentlemen possessed access to Velociraptor infrastructure or operational knowledge relating to its use.
The available evidence does not conclusively establish widespread deployment across victim environments.
The leak also provides insight into how operators evaluated payload effectiveness prior to deployment.
One recovered screenshot shows the results of a multi-engine antivirus scan involving an executable identified as SetupGps2.exe.

Figure 27: Multi-Engine Antivirus Scan Results for a Payload Sample
The scan results indicate that only a single security product detected the sample while multiple others reported no detection.
This type of testing is commonly conducted by threat actors to evaluate detection rates and identify potential opportunities for signature evasion.
The communications also reference several projects associated with:
Importantly, the available evidence does not confirm that every referenced project was deployed operationally.
The observed activity suggests that operators evaluated payload detection rates and maintained awareness of EDR bypass techniques prior to operational deployment.
Such behavior is consistent with mature ransomware operations seeking to maximize dwell time and reduce the likelihood of early detection.
The leaked communications reveal an operational ecosystem built around a combination of:
Rather than relying on a single malware family or command-and-control framework, The Gentlemen appears to leverage a flexible collection of tools selected according to operational requirements.
This approach provides several advantages:
The evidence suggests that The Gentlemen should be viewed less as a malware-centric threat actor and more as an affiliate-driven ransomware platform that coordinates multiple intrusion capabilities through a shared operational ecosystem.
Analysis of the leaked tooling and infrastructure discussions indicates that:
Collectively, these findings reinforce the assessment that The Gentlemen operates as a structured ransomware enterprise with defined workflows, shared infrastructure resources, and a growing affiliate ecosystem.
The leaked Rocket.Chat communications provide valuable insight into The Gentlemen’s operational workflow and reveal multiple opportunities for defenders to identify malicious activity before ransomware deployment occurs.
The group’s observed attack lifecycle demonstrates a strong reliance on valid accounts, remote access technologies, credential intelligence, Active Directory reconnaissance, and post-compromise privilege escalation. Organizations that focus exclusively on ransomware execution may miss earlier indicators that provide significantly greater opportunities for containment and remediation.
The following detection opportunities are mapped to activities observed throughout the leak.
The leaked communications repeatedly reference Fortinet SSL-VPN infrastructure as a source of victim access.
Organizations should monitor for:
The group frequently leveraged previously compromised credentials and breach intelligence datasets.
Organizations should hunt for:
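The two detection themes above, SSL-VPN access abuse and reuse of previously compromised credentials, surface in the same log source: the VPN gateway's authentication events. The following is an added example, not code or guidance from the leaked communications. The log lines are constructed in a FortiGate-style key=value layout using the `ssl-login-fail` and `tunnel-up` action values; field names, thresholds and the ten-minute window are assumptions to adapt to your own gateway and SIEM schema. It flags three patterns: many distinct usernames failing from one source address (credential stuffing or spraying from a breach dataset), a successful tunnel from a source that had just generated a burst of failures (a working credential found in that burst), and a user connecting from a source address that has never carried a successful session for that account before.

```python
"""Hunting for SSL-VPN credential abuse in FortiGate-style logs.
Added example with constructed log lines; adapt field names and thresholds."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, FortiGate-like key=value layout (not real victim data).
SAMPLE_LOGS = """\
date=2026-05-03 time=09:12:01 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip="203.0.113.7" reason="sslvpn_login_permission_denied"
date=2026-05-03 time=09:12:04 type="event" subtype="vpn" action="ssl-login-fail" user="mlee" remip="203.0.113.7" reason="sslvpn_login_permission_denied"
date=2026-05-03 time=09:12:08 type="event" subtype="vpn" action="ssl-login-fail" user="rpatel" remip="203.0.113.7" reason="sslvpn_login_permission_denied"
date=2026-05-03 time=09:12:11 type="event" subtype="vpn" action="ssl-login-fail" user="backupadm" remip="203.0.113.7" reason="sslvpn_login_permission_denied"
date=2026-05-03 time=09:12:15 type="event" subtype="vpn" action="tunnel-up" user="backupadm" remip="203.0.113.7" tunnelip="10.212.134.200"
date=2026-05-03 time=10:01:30 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip="198.51.100.20" tunnelip="10.212.134.201"
date=2026-05-03 time=10:05:00 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip="198.51.100.20" reason="sslvpn_login_permission_denied"
date=2026-05-03 time=10:05:20 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip="198.51.100.20" tunnelip="10.212.134.201"
date=2026-05-03 time=14:30:00 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip="203.0.113.99" tunnelip="10.212.134.202"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Split a key=value log line into a dict and attach a parsed timestamp."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def hunt(log_text: str, spray_users: int = 3, window: timedelta = timedelta(minutes=10),
         fail_threshold: int = 2) -> list:
    """Return findings for spraying, success-after-failures and new source IPs."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    findings = []
    fails_by_ip = defaultdict(list)   # remip -> [(ts, user)] failures inside the window
    known_src = defaultdict(set)      # user -> source IPs with an earlier successful tunnel
    sprayed = set()                   # source IPs already reported, to avoid duplicates
    for e in events:
        ip, user, ts = e["remip"], e["user"], e["ts"]
        # Drop failures that fell out of the sliding window.
        fails_by_ip[ip] = [(t, u) for t, u in fails_by_ip[ip] if t >= ts - window]
        if e["action"] == "ssl-login-fail":
            fails_by_ip[ip].append((ts, user))
            users = {u for _, u in fails_by_ip[ip]}
            if len(users) >= spray_users and ip not in sprayed:
                sprayed.add(ip)
                findings.append({"rule": "password_spray", "remip": ip,
                                 "distinct_users": len(users), "ts": ts.isoformat()})
        elif e["action"] == "tunnel-up":
            prior = len(fails_by_ip[ip])
            if prior >= fail_threshold:
                findings.append({"rule": "success_after_failures", "user": user,
                                 "remip": ip, "prior_failures": prior, "ts": ts.isoformat()})
            if known_src[user] and ip not in known_src[user]:
                findings.append({"rule": "new_source_for_user", "user": user,
                                 "remip": ip, "ts": ts.isoformat()})
            known_src[user].add(ip)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f)
```

The new-source rule needs a baseline of prior successful sessions per user to be useful; in production that baseline comes from weeks of history rather than from the same batch being analysed, and geolocation or ASN enrichment of `remip` sharpens it considerably. The spray rule deliberately keys on distinct usernames rather than raw failure counts, because breach-dataset replay typically tries each credential pair once.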
The leak reveals systematic efforts to identify domain infrastructure, administrative systems, backup environments, and business-critical assets.
Defenders should monitor for:
The leaked communications suggest that Domain Administrator privileges were frequently obtained before ransomware deployment.
Organizations should monitor for:
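Because Domain Administrator privileges were obtained before encryption, changes to highly privileged groups are a high-value signal, particularly when the account being added was created minutes earlier or the account making the change is not one of the tooling identities expected to manage Tier-0 membership. The following is an added example, not code from the report or from any tool the group is described as using. The Windows Security events (4720 for account creation; 4728, 4732 and 4756 for member additions to global, local and universal groups) are constructed in a flattened JSON shape typical of SIEM-normalised Windows logs; the privileged-group list, the `APPROVED_ADMINS` allow-list and the one-hour window are assumptions to tune per environment.

```python
"""Flagging privileged-group membership changes and freshly created accounts
from Windows Security events. Added example with constructed event records."""
import json
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Backup Operators"}
APPROVED_ADMINS = {"pim-svc", "idm-automation"}   # identities expected to change membership
NEW_ACCOUNT_WINDOW = timedelta(hours=1)            # "created then promoted" window
GROUP_ADD_IDS = {4728, 4732, 4756}                 # global / local / universal group additions

# Constructed sample events (not real victim data).
SAMPLE_EVENTS = json.dumps([
    {"TimeCreated": "2026-05-04T02:14:10", "EventID": 4720, "Computer": "DC01.corp.local",
     "SubjectUserName": "svc_backup", "TargetUserName": "sqladm"},
    {"TimeCreated": "2026-05-04T02:15:02", "EventID": 4728, "Computer": "DC01.corp.local",
     "SubjectUserName": "svc_backup", "TargetUserName": "Domain Admins",
     "MemberName": "CN=sqladm,CN=Users,DC=corp,DC=local"},
    {"TimeCreated": "2026-05-04T02:16:40", "EventID": 4732, "Computer": "FS01.corp.local",
     "SubjectUserName": "svc_backup", "TargetUserName": "Administrators",
     "MemberName": "CORP\\sqladm"},
    {"TimeCreated": "2026-05-04T08:30:00", "EventID": 4728, "Computer": "DC01.corp.local",
     "SubjectUserName": "pim-svc", "TargetUserName": "Domain Admins",
     "MemberName": "CN=Alice Wong,OU=IT,DC=corp,DC=local"},
    {"TimeCreated": "2026-05-04T09:00:00", "EventID": 4728, "Computer": "DC01.corp.local",
     "SubjectUserName": "jdoe", "TargetUserName": "Marketing",
     "MemberName": "CN=Bob Ray,OU=Sales,DC=corp,DC=local"},
])


def member_account(name: str) -> str:
    """Reduce a MemberName (LDAP DN or DOMAIN\\user) to the bare account name."""
    if name.upper().startswith("CN="):
        return name[3:].split(",", 1)[0]
    return name.rsplit("\\", 1)[-1]


def analyse(events_json: str) -> list:
    """Return one finding per suspicious privileged-group addition."""
    events = sorted(json.loads(events_json), key=lambda e: e["TimeCreated"])
    created = {}        # account name (lower-case) -> datetime of its 4720 event
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["TimeCreated"])
        if e["EventID"] == 4720:
            created[e["TargetUserName"].lower()] = ts
            continue
        if e["EventID"] not in GROUP_ADD_IDS or e["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue
        member = member_account(e["MemberName"])
        reasons = []
        if e["SubjectUserName"] not in APPROVED_ADMINS:
            reasons.append("privileged_add_by_unapproved_subject")
        born = created.get(member.lower())
        if born is not None and ts - born <= NEW_ACCOUNT_WINDOW:
            reasons.append("member_created_recently")
        if reasons:
            findings.append({"ts": e["TimeCreated"], "computer": e["Computer"],
                             "subject": e["SubjectUserName"], "group": e["TargetUserName"],
                             "member": member, "event_id": e["EventID"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f)
```

The allow-list check catches the common ransomware pattern of a service or backup account being used to promote a new identity, while the creation-window check fires even when the subject is legitimate, which matters because operators who have already obtained an approved admin's credentials will show up as that admin in `SubjectUserName`. Event 4720 must be forwarded from every domain controller for the second rule to work; with event forwarding limited to one DC the creation event can be missing and only the first rule remains.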
The intrusion workflow indicates that operators expanded access throughout victim environments after obtaining administrative privileges.
Defenders should monitor for:
The leaked communications demonstrate that data theft was an essential component of the group’s extortion strategy.
Organizations should monitor for:
Encryption was typically deployed only after access, reconnaissance, and data theft activities had been completed.
Organizations should monitor for:
Organizations seeking to proactively identify activity associated with The Gentlemen should prioritize hunting for:
Investigate:
Investigate:
Investigate:
Investigate:
Investigate:
The following ATT&CK techniques were observed or strongly inferred from the leaked communications.
| Tactic | Technique | ATT&CK ID |
| --- | --- | --- |
| Reconnaissance | Gather Victim Organization Information | T1591 |
| Reconnaissance | Search Open Websites/Domains | T1593 |
| Initial Access | External Remote Services | T1133 |
| Initial Access | Valid Accounts | T1078 |
| Credential Access | Credentials from Password Stores | T1555 |
| Credential Access | Brute Force | T1110 |
| Discovery | Network Service Discovery | T1046 |
| Discovery | Domain Trust Discovery | T1482 |
| Discovery | Account Discovery | T1087 |
| Discovery | System Information Discovery | T1082 |
| Privilege Escalation | Account Manipulation | T1098 |
| Privilege Escalation | Domain Policy Modification | T1484 |
| Lateral Movement | Remote Services | T1021 |
| Collection | Data from Local System | T1005 |
| Collection | Data from Network Shared Drive | T1039 |
| Collection | Data from Information Repositories | T1213 |
| Exfiltration | Exfiltration Over Web Service | T1567 |
| Impact | Data Encrypted for Impact | T1486 |
| Impact | Inhibit System Recovery | T1490 |
| Impact | Financial Theft (Extortion) | T1657 |
The leaked communications demonstrate that The Gentlemen does not operate in isolation but instead participates in a broader cybercriminal ecosystem composed of affiliates, access brokers, malware developers, and underground forum communities.
The group’s growth appears to have been accelerated through aggressive recruitment efforts and strategic relationships with established underground communities.
Following its separation from the Qilin ecosystem, The Gentlemen actively sought to attract affiliates through public recruitment campaigns.
The group’s advertised revenue-sharing model offered significantly higher payouts than many competing RaaS programs.
Observed recruitment messaging emphasized:

Figure 28: Partnership Announcement Between BreachForums and The Gentlemen
The group maintained a visible presence on multiple underground communities where members promoted services, recruited affiliates, and established relationships with other cybercriminal actors.

Figure 29: BreachForums Activity Associated with The Gentlemen
The observed activity suggests that public forum participation served several purposes:
Analysis of the leaked communications supports several key assessments regarding The Gentlemen.
High Confidence
The Gentlemen operates as a structured Ransomware-as-a-Service platform rather than an informal cybercriminal collective.
Evidence includes:
High Confidence
Credential abuse and VPN access play a significant role in the group’s intrusion methodology.
Evidence includes:
Moderate Confidence
The group possesses operational maturity comparable to established mid-tier ransomware programs.
Evidence includes:
Moderate Confidence
The custom G-BOT platform likely serves as a centralized post-compromise management capability.
However, available evidence does not conclusively establish deployment across all observed victim engagements.
Moderate Confidence
The group’s operational effectiveness is heavily dependent on access obtained through external criminal ecosystems, including credential repositories and access brokers.
The compromise of The Gentlemen’s internal Rocket.Chat environment provides a rare and detailed view into the operational mechanics of a modern ransomware enterprise.
The exposed communications reveal a structured affiliate-driven ecosystem centered on victim qualification, credential intelligence, remote access abuse, privilege escalation, data theft, encryption, and extortion. Rather than relying on highly sophisticated exploitation techniques, the group appears to prioritize operational efficiency through the systematic use of valid credentials, exposed remote access services, and commercially available intelligence sources.
The evidence further demonstrates that The Gentlemen functions as a ransomware business platform that coordinates independent operators through centralized infrastructure, shared operational knowledge, and standardized monetization processes.
From a defensive perspective, the leak offers valuable insight into the group’s attack lifecycle and highlights numerous opportunities for early detection. Many of the activities observed throughout the communications—including VPN access abuse, credential validation, Active Directory reconnaissance, and privilege escalation—occur well before ransomware deployment and provide defenders with opportunities to disrupt operations before significant impact occurs.
As ransomware ecosystems continue to mature and professionalize, operational leaks such as this provide critical visibility into adversary workflows that are rarely observable through traditional incident response investigations. The Rocket.Chat dataset therefore represents not only a compromise of a ransomware group’s internal communications but also a valuable intelligence resource for defenders seeking to better understand and counter modern extortion operations.
Contributor:
Siva Prasad Boddu
