TheGentlemen
First observed in September 2025, the Gentlemen is believed to be a former affiliate of Qilin, known as ArmCorp, which spun off to form its own ransomware-as-a-service (RaaS) program following a payment dispute.
Since then, the Gentlemen has maintained a steady stream of victims, using sophisticated custom tools to bypass endpoint protections and leveraging Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks. The group targets multiple geographies and industries, with a focus on manufacturing, information technology and healthcare.