The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius. Their ransomware variants are written in both C and Go programming languages, enabling the threat actors to spread their encryptors across different operating systems and virtual infrastructure.
Additional public reporting revealed that the operators (roughly 20 of them) likely morphed from a private entity into a RaaS model on or about September 2025. While traditional RaaS models typically offer affiliates a 70% to 80% cut of paid ransoms, The Gentlemen offer an unprecedented 90% payout.
Read more…
Source: Palo Alto Unit 42
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- China remains embedded in US energy networks ‘for the purpose of taking it down’
February 17, 2026
Three new threat groups began targeting critical infrastructure last year, while a well-known Beijing-backed crew – Volt Typhoon – continued to compromise cellular gateways and routers, and then break into US electric, oil, and gas companies in 2025, according to Dragos’ annual threat report published on Tuesday. Dragos specializes in operational technology (OT) security, and as ...
- OpenClaw AI agents targeted by infostealer malware for the first time
February 17, 2026
Thanks to its overnight success and widespread adoption, OpenClaw has painted a large target on its back and is now being attacked by infostealers, after security researchers Hudson Rock claimed to have seen a first-of-its-kind attack in the wild. OpenClaw (previously known as Clawdbot and Moltbot) is an open source AI assistant software designed to actually ...
- China-linked snoops have been exploiting Dell 0-day since mid-2024, using ‘ghost NICs’ to avoid detection
February 17, 2026
China-linked attackers exploited a maximum-severity hardcoded-credential bug in Dell RecoverPoint for Virtual Machines as a zero-day since at least mid-2024. It’s all part of a long-running effort to backdoor infected machines for long-term access, according to Google’s Mandiant incident response team. The US government and Google first warned about this campaign last year after detecting Brickstorm ...
- Critical Vulnerabilities in Ivanti EPMM Exploited
February 17, 2026
Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, affecting enterprise mobile fleets and corporate networks. These vulnerabilities allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials. Read ...
- Indian pharmacy chain giant exposed customer data and internal systems
February 17, 2026
A major Indian pharmacy chain operated a flawed platform which exposed highly sensitive data of millions of users, experts have warned. DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, currently runs more than 2,300 stores across the country – however, its platform was bugged in a way that allowed unauthenticated users to create “super admin” ...
- Major telco breach sees 6.2 million users have personal info leaked
February 13, 2026
Dutch telecommunications company Odido has confirmed suffering a cyberattack and losing sensitive data on millions of people. In a notice published on its website, the company says it “deeply regrets” the situation and is “fully committed” to limiting its impact. “Based on investigation, the incident concerns personal data from a customer contact system used by Odido,” ...

