The Gentlemen / Storm-2697 — internal "Rocket" backend leaked by a rival; KELA and Check Point dissect the operator inner circle

The most consequential campaign development of the window is one no daily captured: on 2026-05-04 a rival actor leaked The Gentlemen's internal Rocket database backend on underground forums, and KELA (2026-05-20) and Check Point ("Thus Spoke The Gentlemen", 2026-05-13) published deep analyses of the resulting six-month (Nov 2025 – Apr 2026) chat archive (key: item:the-gentlemen-raas-czech-university-and-swiss-engineering-fi). The leak exposes the inner circle (admin/infrastructure alias zeta88, also operating as hastalamuerte, alongside Wick, mAst3r, Kunder and others) and — far more useful to defenders — the operation's initial-access playbook: Fortinet and Cisco edge appliances, NTLM relay, harvested OWA / M365 credential logs, and GPO-based deployment of the encryptor. A linked affiliate runs a SystemBC SOCKS5 botnet of 1,570+ victims. This is an intelligence gift: every named access path maps to an existing hunt — prioritise edge-appliance patch state, NTLM-relay hardening (SMB/LDAP signing, channel binding) and anomalous-GPO-creation monitoring. Per Check Point's Q1 data the group sits at #3 globally (§ 6) — though its victims concentrate in Thailand, Brazil and India (US ~13%), so the European and Swiss listings carried over from W21 run against its centre of gravity, which is precisely what makes a CH/EU hit worth surfacing rather than treating as background.