
Gentlemen Ransomware Claims 478 Victims, Can Spread Like A Worm

Ravie Lakshmanan, June 11, 2026, Cybercrime / Ransomware

A new analysis of The Gentlemen ransomware operation has revealed that the financially motivated threat group behind it initially operated as an affiliate carrying out double-extortion attacks, while using the services of various ransomware-as-a-service (RaaS) programs such as LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis).

According to a detailed report published by PRODAFT, the group, which it tracks as Phantom Mantis, is led by a Russian-speaking hacker called LARVA-368, who uses the online aliases hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. The Gentlemen has been known to be active since March 2025 and has claimed a total of 478 victims to date, according to data from Ransomware.Live.

“In July 2025, Phantom Mantis switched to The Gentlemen, an independent partnership system that is no longer dependent on other RaaS groups,” said the Swiss cybersecurity company. “Additionally, LARVA-368 relies heavily on artificial intelligence to develop and maintain ransomware and tools, as well as help with post-exploitation processes.”

As for LARVA-368, the threat actor is believed to have been a member of the Embargo ransomware group (also known as Primeval Mantis) before launching their own operation under the name ArmCorp, which was renamed The Gentlemen four months later.

The individual has since been identified by cybersecurity journalist Brian Krebs as 36-year-old Alexander Andreevich Yapaev (Япаев Алексанр Андреевич) from the Russian city of Izhevsk. PRODAFT told The Hacker News that its findings match the same person with “high confidence.”

As Dark Atlas explained in August 2025, the rebranding coincided with a payment dispute between LARVA-368 and Qilin, with the threat actor accusing the RaaS operation of running an exit scam and defrauding them of $48,000.

“Although Phantom Mantis was a very active collective group with more than 20 targets registered in the cooperative panel in less than 30 days, the leader of this group (LARVA-368) and LARVA-367 (also known as DevMan), who was a member of Phantom Mantis, said that Pestilent Mantis was suspected of being the ‘Pestilent Mantis’ group that is talking to victims,” notes PRODAFT.

“While we cannot confirm these claims, there is a possibility that LARVA-368 and LARVA-367 intentionally spread misinformation with the intention of recruiting Pestilent Mantis affiliates to Phantom Mantis by discrediting the group.”

Phantom Mantis has also been observed paying for premium accounts on underground forums to increase its visibility and fend off competition, with the group’s communications and technical support handled by a different Russian-speaking individual known as The Gentlemen Data.

Some notable aspects of the operation covered in various reports are as follows:

  • In a ransomware analysis late last year, Cybereason’s LevelBlue team described The Gentlemen as a “flexible, fast-moving ransomware operation” that combines mature ransomware techniques with RaaS features, double extortion, platform keys, and flexible distribution, backed by consistent support.
  • The group has emerged as one of the most threatening actors, accounting for 10% of ransomware activity in April 2026. “Gentlemen follow a business-oriented chain that begins with the first access, with services facing the Internet at risk or stolen credentials,” said NCC Group. “The analysis suggests that Gentlemen can adapt and change tactics during the attack, such as manipulating GPOs, compromising special accounts, and using custom methods to bypass endpoint protection.”
  • Only about 13% of its victims are based in the U.S.; the majority are concentrated in Thailand, the U.K., Brazil, Germany, and India.
  • LARVA-368 uses The Gentlemen’s instant-messaging accounts to support affiliates with encryption and any intrusion-related issues, such as providing EDR killers that use the bring-your-own-vulnerable-driver (BYOVD) technique to bypass security solutions.
  • Support for both The Gentlemen and The Gentlemen Data is provided through the open-source messengers Tox, SimpleX Chat, and Ricochet Refresh.
  • Prospective affiliates are required to provide the operator with at least 1 GB of data exfiltrated from a victim in order to gain access to the affiliate panel, a vetting tactic designed to keep researchers and law enforcement from accessing the infrastructure under false pretenses. The affiliate panel supports user management, configuring new targets, and downloading ransomware builds for specific targets.
  • Phantom Mantis offers five variants of the ransomware, built for Windows, Linux, ESXi, Windows XP and later, and Logical Volume Manager (LVM).
  • The group operates an aggressive profit-sharing model: 90% to affiliates and 10% to the operators.
  • Initial access is achieved through edge devices such as VPN appliances, firewalls, and other Internet-facing systems, with a particular focus on Cisco and Fortinet FortiGate platforms.
  • Infection chains involve the use of red-team utilities such as NetExec, RelayKing, TaskHound, PrivHound, and CertiHound to perform Active Directory discovery, certificate abuse, privilege escalation, and file-share discovery. A different set of tools, such as EDRStartupHinder, gfreeze, glinker, and DumpBrowserSecrets, is used to evade security systems, while Velociraptor is repurposed for command and control (C2).
  • The attack also attempts to clear the System, Application, and Security event logs, disable Microsoft Defender, and add antivirus exclusions.
  • The ransomware uses a hybrid cryptographic scheme: X25519 key exchange combined with XChaCha20 symmetric encryption.
  • Microsoft, which tracks the cluster under the moniker Storm-2697, said the ransomware is written in Go and obfuscated with Garble to target Windows environments. “When enabled with the --spread argument, it turns the malware from a single host into a self-propagating worm that tries to use its encryptor on all accessible systems on the network,” the tech giant said. “If the --wipe argument is provided, Gentlemen ransomware performs an additional post-encryption routine to eliminate recoverable artifacts from disk.”
  • According to ZeroFox, the ransomware team may be conducting a multi-channel extortion operation, combining ransomware attacks with email and phone-based tactics to target victims.
  • The team uses a “highly responsive development cycle,” a trait demonstrated by a same-day patch after a decryptor was released in April 2026.
  • The average dwell time ranges from two to six weeks from initial access to deployment, with the group focusing primarily on organizations running VMware infrastructure.
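For defenders, the log-clearing and Defender-tampering steps in the list above map to specific Windows event IDs. The following is an added example, not code from the article or from any of the vendors it cites: the event IDs and providers are real Windows ones, while the JSON record shape and the sample events are constructed here for illustration.

```python
"""Detect the defence-evasion steps listed above (event log clearing, Defender
tampering, AV exclusions) in JSON-per-line Windows event records.
The sample events below are constructed for this example, not from the article."""
import json
from collections import defaultdict
from typing import Optional

# Provider/EventID pairs that directly encode the listed behaviours.
INDICATORS = {
    ("Microsoft-Windows-Eventlog", 1102): "Security log cleared",
    ("Microsoft-Windows-Eventlog", 104): "System/Application log cleared",
    ("Microsoft-Windows-Windows Defender", 5001): "Defender real-time protection disabled",
    ("Microsoft-Windows-Windows Defender", 5010): "Defender scanning disabled",
}

def classify(event: dict) -> Optional[str]:
    """Return a label when the event matches one of the listed TTPs, else None."""
    key = (event.get("Provider"), event.get("EventID"))
    if key in INDICATORS:
        return INDICATORS[key]
    msg = event.get("Message", "")
    # 5007 is any Defender config change; only flag it when an exclusion key is written.
    if key == ("Microsoft-Windows-Windows Defender", 5007) and "\\Exclusions\\" in msg:
        return "Defender exclusion added"
    # Script block logging (4104) catches exclusions added through PowerShell.
    if key == ("Microsoft-Windows-PowerShell", 4104) and "Add-MpPreference" in msg \
            and "-Exclusion" in msg:
        return "Defender exclusion added via PowerShell"
    return None

def scan(lines):
    """Return (host, label) for every matching event record."""
    return [(e["Host"], lab) for e in map(json.loads, lines) if (lab := classify(e))]

def hosts_with_cluster(hits, min_distinct=2):
    """Hosts showing at least min_distinct different indicators; log clearing plus
    Defender tampering on one host is the pre-encryption pattern described above."""
    seen = defaultdict(set)
    for host, label in hits:
        seen[host].add(label)
    return sorted(h for h, labels in seen.items() if len(labels) >= min_distinct)

# Constructed sample records: srv01 shows the full pattern, ws07 is benign noise.
SAMPLE_EVENTS = [
    '{"Host":"srv01","Provider":"Microsoft-Windows-Eventlog","EventID":1102,"Message":"The audit log was cleared."}',
    '{"Host":"srv01","Provider":"Microsoft-Windows-Windows Defender","EventID":5007,"Message":"Configuration has changed. New value: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Paths\\\\C:\\\\Temp = 0x0"}',
    '{"Host":"srv01","Provider":"Microsoft-Windows-Windows Defender","EventID":5001,"Message":"Real-time protection is disabled."}',
    '{"Host":"ws07","Provider":"Microsoft-Windows-Windows Defender","EventID":5007,"Message":"Configuration has changed. New value: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Scan\\\\ScanParameters = 0x2"}',
    '{"Host":"ws07","Provider":"Microsoft-Windows-Security-Auditing","EventID":4624,"Message":"An account was successfully logged on."}',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for host, label in hits:
        print(host, label)
    print("hosts with clustered indicators:", hosts_with_cluster(hits))
```

The single ws07 config change (5007 with a scan-parameter key) is deliberately not flagged, which is the distinction that keeps this rule from firing on every Defender policy update.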

Last month, the leak of the internal Rocket.Chat database used by the group, including 3,366 messages exchanged between November 2025 and late April 2026, shed more light on the group’s inner workings, including its use of known security flaws in VMware Aria Operations, Fortinet, Cisco, and Microsoft software, while drawing a clearer picture of the roles of individual members.

“The team tracks and evaluates current vulnerabilities, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073, and includes tactical approaches such as backup and controller abuse and NTLM pipeline overflows,” Check Point said.

It doesn’t end there. In March 2026, Hunt.io said it had discovered an open directory hosted at “176.120.22[.]127:80” on the Russian bulletproof hosting provider Proton66 that exposed 126 files making up a complete ransomware affiliate toolkit attributed to a Gentlemen RaaS affiliate.

These included tools for reconnaissance, privilege escalation, defense evasion, credential theft, lateral movement, persistence, and pre-encryption preparation, covering every phase of the intrusion lifecycle.

“LARVA-368 is a threat actor focused on hijacking-related activities and has been active since at least 2020,” PRODAFT said. “Expertise gained from previous collaborations with various RaaS teams provided the technical foundation needed to establish The Gentlemen RaaS.”
