TheGentlemen
TheGentlemen is a ransomware threat actor/group referenced as one of the leading ransomware groups observed in multiple 2025–2026 reporting datasets. It is described as targeting organizations in China, particularly in telecommunications, energy and utilities, information technology, and manufacturing. Reporting also associates it with exploitation of CVE-2017-17215 affecting NETGEAR routers. In April 2026 reporting, TheGentlemen was noted as increasing activity from 80 to 83 incidents and was characterized as showing increasingly industrialized ransomware operations.

Specific tradecraft attributed to The Gentlemen ransomware includes use of SystemBC proxy malware for covert payload delivery, with reporting citing more than 1,570 infected corporate hosts, as well as use of Cobalt Strike, Mimikatz, and domain-wide propagation via Group Policy Objects.

Separate detection content tied to Check Point DFIR reporting from April 2026 describes an inverted SMB staging pattern associated with TheGentlemen: operators create a share on a source host, enable anonymous access, modify NullSessionShares and EveryoneIncludesAnonymous-related settings, and have target systems pull payloads over SMB using execution mechanisms such as WMI, Task Scheduler, SCM, or WinRM.

The alias explicitly present in the content is "The Gentlemen," alongside the canonical form "TheGentlemen."
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; 1 of them has been exploited in the wild.
Observables
6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named threat actor handle extracted from dark web leak-site related content; no further activity details provided.
An expanding ransomware operation using botnet-assisted delivery and mature post-exploitation tooling to support industrialized, enterprise-scale attacks.
Leading ransomware actor targeting Chinese high-value sectors including telecommunications, energy, IT, and manufacturing.
Uses an inverted SMB staging pattern for lateral movement: creating a share on the source host, granting anonymous access, enabling null-session share access, and having targets pull payloads via WMI, Task Scheduler, SCM, or WinRM. The content characterizes this as known ransomware staging tradecraft.
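The inverted SMB staging pattern described in the summary and in the source excerpt above lends itself to a host-correlation detection: a single host that both creates a share and relaxes anonymous-access settings within a short window is a candidate staging source, and hosts that afterwards register a task or service pointing at that share are candidate targets. The following is an added example written for this page, not detection content from Mallory, Check Point, or any rule set. It runs over constructed sample records shaped like Windows Security/System log fields (share added 5142, registry value modified 4657, scheduled task created 4698, service installed 7045); the event IDs and field names are standard Windows ones, while the hostnames, share name, paths and timestamps are invented.

```python
"""Correlate share creation with anonymous-access registry changes on one host,
then find hosts that pull and execute from that share. Sample events are
CONSTRUCTED for this example; they are not indicators from the page."""
from collections import defaultdict
from datetime import datetime, timedelta

# Registry values whose modification signals the "enable anonymous access" step:
# LanmanServer\Parameters\NullSessionShares and LSA\EveryoneIncludesAnonymous /
# RestrictAnonymous. Matching is case-insensitive on the value name.
ANON_ACCESS_VALUES = {"nullsessionshares", "everyoneincludesanonymous", "restrictanonymous"}

# Execution mechanisms visible in these sample logs: Task Scheduler (4698) and
# SCM service install (7045). WMI and WinRM leave traces in other logs and are
# deliberately not modelled here (assumption for this example).
REMOTE_EXEC_EVENTS = {4698, 7045}

SAMPLE_EVENTS = [  # constructed sample data
    {"time": "2026-04-10T02:00:05", "host": "FS01", "event_id": 5142,
     "ShareName": "\\\\*\\stage$", "ShareLocalPath": "C:\\ProgramData\\stage"},
    {"time": "2026-04-10T02:00:40", "host": "FS01", "event_id": 4657,
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\LanmanServer\\Parameters",
     "ObjectValueName": "NullSessionShares", "NewValue": "stage$"},
    {"time": "2026-04-10T02:01:02", "host": "FS01", "event_id": 4657,
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa",
     "ObjectValueName": "EveryoneIncludesAnonymous", "NewValue": "1"},
    {"time": "2026-04-10T02:05:10", "host": "WS17", "event_id": 4698,
     "TaskName": "\\Updater", "Command": "\\\\FS01\\stage$\\run.exe"},
    {"time": "2026-04-10T02:05:55", "host": "WS22", "event_id": 7045,
     "ServiceName": "svchelper", "ImagePath": "\\\\FS01\\stage$\\run.exe"},
    # benign noise: an admin creates a share without touching anonymous settings
    {"time": "2026-04-10T09:15:00", "host": "FS02", "event_id": 5142,
     "ShareName": "\\\\*\\reports", "ShareLocalPath": "D:\\reports"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_staging_sources(events, window=timedelta(minutes=30)):
    """Return {host: info} for hosts where a share creation (5142) and an
    anonymous-access registry change (4657) occur within `window` of each other."""
    shares, reg = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event_id"] == 5142:
            shares[e["host"]].append(e)
        elif e["event_id"] == 4657 and e.get("ObjectValueName", "").lower() in ANON_ACCESS_VALUES:
            reg[e["host"]].append(e)
    hits = {}
    for host, share_events in shares.items():
        for s in share_events:
            related = [r for r in reg[host] if abs(parse(r["time"]) - parse(s["time"])) <= window]
            if related:
                hits[host] = {"share": s["ShareName"], "staged_at": s["time"],
                              "registry_values": sorted(r["ObjectValueName"] for r in related)}
    return hits


def find_pulling_targets(events, sources, window=timedelta(hours=2)):
    """Hosts whose task/service command references a flagged source host's
    UNC path within `window` after that source was staged."""
    targets = defaultdict(set)
    for e in events:
        if e["event_id"] not in REMOTE_EXEC_EVENTS:
            continue
        cmd = (e.get("Command") or e.get("ImagePath") or "").lower()
        for src, info in sources.items():
            delta = parse(e["time"]) - parse(info["staged_at"])
            if f"\\\\{src.lower()}\\" in cmd and timedelta(0) <= delta <= window:
                targets[src].add(e["host"])
    return {k: sorted(v) for k, v in targets.items()}


def analyze(events):
    """Full pipeline: staging sources first, then the targets that pulled from them."""
    sources = find_staging_sources(events)
    return {"sources": sources, "targets": find_pulling_targets(events, sources)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

Two caveats matter in practice. Event 4657 is only emitted when a SACL audits the LanmanServer Parameters and Lsa keys, so the registry leg of this correlation needs that auditing deployed ahead of time (or an equivalent EDR registry telemetry source); and share creation alone, as the FS02 noise record shows, is routine admin activity and should not fire on its own. Pairing the two on one host, then looking for other hosts that execute from the new UNC path, is what separates the staging pattern from normal file-server work.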
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.