CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 03, 2026

The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks

Cybersecurity News Archived Jun 03, 2026 ✓ Full text saved

A Russian-speaking ransomware crew known as The Gentlemen has quickly risen to become one of the most active threats in 2026, ranking second only to Qilin in ransomware activity. Their toolkit combines Fortinet vulnerability exploitation, AI-assisted operations, and a fully custom command-and-control framework that most security tools simply do not see coming. The group operates […] The post The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks appeared first on Cyb

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks By Tushar Subhra Dutta June 3, 2026 A Russian-speaking ransomware crew known as The Gentlemen has quickly risen to become one of the most active threats in 2026, ranking second only to Qilin in ransomware activity. Their toolkit combines Fortinet vulnerability exploitation, AI-assisted operations, and a fully custom command-and-control framework that most security tools simply do not see coming. The group operates without a central office or traditional payroll structure. Nine operator handles have been identified communicating across time zones through a self-hosted Rocket.Chat instance on an onion site, with plans to migrate to a Rust-based platform. Their lean, distributed model marks a clear shift from the rigid corporate setup that groups like Conti once maintained. In May 2026, the Ransom-ISAC research team extracted 3,366 messages from The Gentlemen’s Rocket.Chat server, exposing internal plans, tooling discussions, and victim targeting details. Analysts at Vectra AI noted the findings in a report shared with Cyber Security News (CSN), observing that while the group’s tools have changed considerably, the core weaknesses they exploit in victim networks have stayed nearly the same since 2022. The leaked messages also uncovered a connection between The Gentlemen and earlier ransomware brands. A negotiator known by the handle “Tinker” appeared in both Black Basta chats and The Gentlemen’s logs, performing the same operational role across both groups. A shared Matrix homeserver, bestflowers247.online, was present in archives from both groups, anchoring that infrastructure link with hard evidence. This pattern points to a larger truth: ransomware operators do not retire, they rebrand. The same people carry their knowledge and access from one criminal enterprise to the next, making group takedowns far less effective than many defenders might hope. Gentlemen Ransomware Uses Fortinet Exploits, AI, and Custom C2 Frameworks Fortinet remains the front door of choice for The Gentlemen. The Rocket.Chat logs mention FortiGate 81 times, with CVE-2024-55591, a FortiOS authentication bypass flaw, called out explicitly as their primary way into victim networks. Halcyon’s separate analysis found the group brute-forcing roughly 1,000 Fortinet VPNs, in some cases using reused passwords like gentlemen25 and gentle26 across multiple victims. Once inside, the group deploys a custom C2 framework called G-BOT. This previously undocumented control panel supports per-beacon SOCKS5 tunneling and uploads builders to temporary file-sharing sites, replacing commercial tools like Cobalt Strike. That switch makes detection harder for security teams relying on known signatures. The group also targets hypervisors directly. Their Linux locker attacks Hyper-V Volume Manager, encrypting at the hypervisor level so that endpoint agents inside virtual machines cannot see the attack. The locker drops the extension .i8p14s and leaves a ransom note named README-GENTLEMEN.txt, signaling that no layer of infrastructure is off limits. AI and Credential Theft Complete the Kill Chain The Gentlemen have moved AI from a novelty into a working part of their operation. Operators reference using GPT and Claude models to assist with ransom negotiations, with one operator describing them as automatic response writers for victim communications. The group also discusses renting GPUs on vast.ai and running uncensored AI models from Hugging Face to triage large volumes of stolen data. For credential theft, the group relies on Phemedrone Stealer V2.3.2, LummaC2, XenAllPasswordPro, Chrome App-Bound Encryption Decryption, and DumpBrowserSecrets. These tools pull saved passwords directly out of browsers without triggering login failures, meaning standard authentication logs show nothing unusual. Stolen data then moves out through rclone to MEGA, following the same exfiltration pattern ransomware groups have used for years. Defenders have clear steps based on what the leaked chats reveal. Security teams should audit edge devices including Palo Alto, Fortinet, Citrix, F5, and Cisco gear against the CVE list discussed in operator chats. Treating NTDS.dit and VSS backup access as an immediate severity-one alert, rather than a forensic discovery made weeks later, can stop domain-wide compromises before they fully develop. Hunting for tools like rclone, MEGAcmd, WinSCP, and Velociraptor on hosts that have no reason to run them adds an early warning layer that logs alone cannot provide. Indicators of Compromise (IoCs):- Type Indicator Description CVE CVE-2024-55591 FortiOS authentication bypass; primary initial access vector used by The Gentlemen CVE CVE-2024-3400 Palo Alto Networks PAN-OS zero-day; most-discussed CVE in Black Basta operator chats CVE CVE-2025-32433 Erlang/OTP SSH RCE; present in The Gentlemen toolkit CVE CVE-2025-33073 NTLM relay vulnerability; present in The Gentlemen toolkit CVE CVE-2023-4966 Citrix NetScaler; referenced in operator CVE discussions CVE CVE-2020-5135 SonicWall stack buffer overflow (CVSS 9.4); used by Conti operators Domain bestflowers247.online Shared Matrix homeserver linking Black Basta and The Gentlemen operators IP / SSH 193.228.128.2:2222 NAS staging server used in The Gentlemen rclone exfiltration pipeline Credential userd0wnloAd1 Username for NAS staging server used during data exfiltration Password gentlemen25 / Gentlemen25 / gentle26 Reused VPN passwords found across multiple Fortinet-targeted victims File Extension .i8p14s File extension appended by The Gentlemen Linux/NAS locker File Name README-GENTLEMEN.txt Ransom note dropped by The Gentlemen Linux locker Tool Phemedrone Stealer V2.3.2 Credential stealer used by The Gentlemen for browser password harvesting Tool LummaC2 Credential stealer / payload dropper used by both Black Basta and The Gentlemen Tool XenAllPasswordPro Password recovery tool used for credential theft Tool DumpBrowserSecrets Browser credential dumping tool used by The Gentlemen Tool Chrome App-Bound Encryption Decryption Tool for bypassing Chrome credential protection Tool G-BOT Custom C2 framework with SOCKS5 tunneling used by The Gentlemen Tool rclone Data exfiltration tool used to stage stolen data to MEGA Tool Velociraptor Legitimate DFIR tool repurposed by The Gentlemen as C2 File qwertyuio.txt File used by LummaC2 to store exfiltrated credentials (observed in Black Basta) File README-GENTLEMEN.txt Ransom note filename dropped by group’s Linux locker Path /opt/updateamd Linux locker binary invocation path used by The Gentlemen Archive JA456 Follow-on leak package exposing Gentlemen operator-side artifacts including NAS and MEGA session data Platform temp.sh / 0x0.st Temporary file-sharing sites used to upload G-BOT builder payloads Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Gamaredon APT Hides Malware in Windows Features and Abuses Cloud Platforms for C2 Top 10 Best Mobile Application Security Testing (MAST) Tools in 2026 JINX-0164 Threat Actor Using LinkedIn Social Engineering to Deploy Custom macOS Malware Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users Anthropic Updates Claude Code With Security Plugin and Faster Performance Latest News Cyber Security News CISA and Partners Warns of Cyberattacks Targeting U.S.-based Automatic Tank Gauge Systems AI Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access Cyber Security News WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks AI Hackers Using AI Tools to Automate Active Directory Attacks and EDR Evasion Apache Critical Apache ActiveMQ Vulnerability Allows Malicious Security Header Injections
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 03, 2026
    Archived
    Jun 03, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗