The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius. Their ransomware variants are written in both C and Go programming languages, enabling the threat actors to spread their encryptors across different operating systems and virtual infrastructure.
Additional public reporting revealed that the operators (roughly 20 of them) likely morphed from a private entity into a RaaS model on or about September 2025. While traditional RaaS models typically offer affiliates a 70% to 80% cut of paid ransoms, The Gentlemen offer an unprecedented 90% payout.
Read more…
Source: Palo Alto Unit 42
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware
July 9, 2026
In October 2025, Microsoft Threat Intelligence identified destructive wiping activity and uncovered a sophisticated Go programming language (Golang)-based backdoor we now track as GigaWiper, a versatile implant that combines robust command-and-control (C2) capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage. GigaWiper is particularly notable for its makeup. It’s not a single, ...
- 6.9 million driver’s license numbers stolen from AssuranceAmerica
July 9, 2026
Insurance provider AssuranceAmerica has confirmed a data breach affecting the personal information and driver’s license numbers of up to 6.9 million people. AssuranceAmerica provides car and rental insurance to customers across 14 US states through a network of over 9,500 independent agents. The breach notice letter also mentions information about customers’ auto insurance policies and accounts, their drivers and ...
- Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation
July 7, 2026
In April 2026, Unit 42 researchers identified a financially motivated campaign delivering Vidar stealer and the XMRig cryptocurrency miner to consumer and small- and medium-sized business victims worldwide. Attackers lure victims via malvertising to pages for downloading files that impersonate cracked versions of copyright-protected software. Upon execution, the loader drops and runs both Vidar stealer and ...
- CAI cloud worm gives competitors’ malware the boot, then steals secrets and mines for coin
July 7, 2026
There’s no honor among thieves as a new worm steals from other infectious software. It pilfers “multiple” victims’ credentials and mines for cryptocurrency while killing competitors’ processes, including similar secret-harvesting malware. It’s called Cloud AI Infrastructure Attack Framework (CAI), and it’s a centralized botnet that targets cloud-native developer tools like Docker, Kubernetes, Redis, etcd, Kubelet, and ...
- Fake Netflix, Coca-Cola, and FIFA job scams target marketers
July 7, 2026
Attackers are impersonating major companies and recruiters to target marketing professionals, using trusted services and browser tricks to make the scam look legitimate. A BleepingComputer article detailing the campaign found at least 34 domains impersonating high-value companies, including Netflix, Coca-Cola, Adidas, and FIFA. The lure is a fake job interview or scheduling request from a “recruiter” representing one of ...
- Hacktivists call out Trump by hacking and defacing US Army websites
July 7, 2026
The U.S. Army has reportedly fixed two of its websites that had been defaced to display pro-Kurdish messages and to call out President Donald Trump, the latest case of hackers compromising systems run by the federal government in recent months. Security researcher Ronald Lovelace told Cyberscoop, which first reported the defacements, that error pages were modified on two U.S. Army ...

