TheGentlemen

First observed in September 2025, the Gentlemen is believed to be a former Qilin affiliate, known as ArmCorp, that spun off to form its own ransomware-as-a-service (RaaS) program following a payment dispute.

Since then, the Gentlemen has maintained a steady stream of victims, using sophisticated custom tools to bypass endpoint protections and leveraging Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks. The group targets multiple geographies and industries, with a focus on manufacturing, information technology and healthcare.

Update June 2026

In May 2026, The Gentlemen suffered a data breach in which internal communications originating from the group's Rocket.Chat servers were leaked. The leaks gave insight into the group's TTPs, organizational structure and potential personnel crossover with the now-defunct ransomware schemes Conti and BlackBasta.
