OSINT Deep Dive: Unmasking 'The Gentlemen' Admin via Recruitment OpSec Fails
Saw Krebs' latest piece on 'The Gentlemen' gang. It’s fascinating that they've surged to the #2 spot by victim count just by offering a 90% affiliate cut. This aggressive monetization model is clearly attracting top-tier talent, but it seems their rapid expansion has led to significant OpSec failures regarding the admin's real-world identity.
From a defensive perspective, we know this group is heavily reliant on affiliates leveraging recent critical vulnerabilities. We've seen a correlation between their encryption events and initial access via the CVE-2026-44963 Veeam flaw and the nf_tables UAF (CVE-2026-23111). Since their payload delivery varies by affiliate, hunting for the initial access vectors is our best bet for early detection.
Here is a KQL query I'm using to hunt for suspicious Veeam backup manipulation attempts often used as a precursor:
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName has "Veeam" and ProcessCommandLine contains "export"
| where InitiatingProcessAccountName != "System"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
The article suggests the admin’s identity is tied to past forum activity. Has anyone else been tracking the historical identities of these newer RaaS admins, or are we mostly playing whack-a-mole with the affiliates?
Interesting read. We've flagged several IOCs associated with their custom loader in our SIEM. The 90% cut model is terrifying because it incentivizes quantity over quality, leading to more indiscriminate targeting. We've deployed a Sigma rule specifically looking for the Cobalt Strike profiles typically used by their top affiliates:
detection:
selection:
Image|endswith: '\rundll32.exe'
CommandLine|contains: 'javascript:'
condition: selection
Regarding the admin's identity, it's usually just a matter of time before they slip up on their personal social media while recruiting.
I'm less concerned about the admin's name and more concerned about the sheer volume of attacks. We patched Veeam (CVE-2026-44963) last week, but the noise level from scanning attempts hasn't dropped. It seems every script kiddie is now trying to get a piece of that 90% payout.
Sysadmins need to focus on egress filtering. We blocked their exfil domains yesterday, and it stopped the encryption phase in its tracks. The encryption routine calls home before it starts if it can't reach the C2, it stalls.
Great share. From a pentester's view, this 90/10 split disrupts the market. Traditional gangs kept 30-50%. By giving up most of the profit, the admin risks losing control of the brand. We might see 'The Gentlemen' splinter into sub-groups soon if the admin can't maintain the infrastructure quality. Keep an eye on their dark web leak site uptime—that's usually the first thing to degrade.
The recruitment angle is indeed the weakest link. We've noticed that affiliates testing the waters often reuse the same staging IPs, leading to C2 overlaps before the main payload drops. To catch this early vetting phase, I've been using this simple YARA rule to flag their specific obfuscation pattern in our sandbox:
yara rule TheGentlemen_Loader { strings: $c wide nocase condition: uint16(0) == 0x5A4D and $config }
Has anyone else correlated these specific config strings with the recruitment chatter?
The recruitment ads are a goldmine for intelligence beyond just technical indicators. We’ve found that admins often reuse personal crypto wallets for affiliate payouts. If you correlate wallet hashes scraped from their forum posts against your threat intel, you can proactively flag associated infrastructure. Try hunting for these patterns in your logs to catch the payout phase:
regex \b(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}\b
Disrupting the financial flow is often more effective than just chasing the malware itself.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access