The Gentlemen Ransomware Expands to 478 Victims with Worm-Like Capabilities

The Gentlemen ransomware group, also known as Phantom Mantis, has escalated its operations, now claiming 478 victims, according to data from Ransomware.Live. Initially functioning as an affiliate in double extortion attacks, the group utilized resources from various ransomware-as-a-service (RaaS) platforms, including LockBit, Qilin, and Medusa.

As reported by The Hacker News, the group transitioned into an independent partnership program in July 2025, no longer relying on other RaaS groups. This shift was led by a Russian-speaking cybercriminal identified as LARVA-368, who operates under aliases such as hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. LARVA-368 is believed to have been a member of the Embargo ransomware group before launching their own operation under the name ArmCorp, which was later rebranded to The Gentlemen.

Notably, LARVA-368 relies heavily on artificial intelligence to develop and maintain ransomware tools and post-exploitation procedures, which has enabled The Gentlemen to improve their attack strategies and efficiency.

In August 2025, a payment dispute arose between LARVA-368 and Qilin, with allegations of an exit scam involving $48,000. The conflict led to accusations of backdoors in the victim chats of Qilin’s affiliate panel, although these claims remain unverified. There is speculation that the allegations may have been intended to discredit Qilin and recruit its affiliates.

To increase their visibility and competitiveness, The Gentlemen have invested in premium accounts on underground forums. Communication and technical support within the group are managed by a separate Russian-speaking persona known as The Gentlemen Data.

Analyses by cybersecurity firms have characterized The Gentlemen as a highly adaptive and fast-moving ransomware operation. The group employs mature ransomware techniques combined with RaaS features, double extortion tactics, cross-platform lockers, and flexible propagation methods. Their enterprise-focused attack chain often begins with initial access through vulnerable internet-facing services or stolen credentials.

The rapid expansion and sophisticated tactics of The Gentlemen underscore the evolving nature of ransomware threats. Organizations must remain vigilant, implementing robust cybersecurity measures and staying informed about emerging attack vectors to effectively defend against such advanced adversaries.

Source: The Hacker News