The Gentlemen (Storm-2697) status update — Unit 42's full profile: 580 victims, a Qilin-affiliate lineage, and a suspected EDR-disable zero-day
UPDATE · originally covered The Gentlemen (2026-06-29)
Palo Alto Unit 42 published the first full technical profile of The Gentlemen (Microsoft: Storm-2697; also Phantom Mantis), consolidating and extending the picture this pipeline built from ESET's GentleKiller research and the FortiBleed nexus. The delta worth carrying: Unit 42 counts 580 claimed victims across 77 countries through 3 July 2026 (103 in manufacturing) and a "slightly more than 6x" victim increase from H2 2025 to H1 2026, and assesses the ~20 operators "likely morphed from a private entity into a RaaS model on or about September 2025," previously operating as "ArmCorp," an affiliate of Qilin, now offering an "unprecedented 90% payout" versus the typical 70-80% (Unit 42, 2026-07-10). Two operationally relevant additions: the initial-access set now explicitly names Erlang/OTP SSH-server and Windows SMB-client flaws alongside the already-tracked FortiOS/FortiProxy edge path, and Unit 42 cites Expel describing a suspected zero-day the group uses specifically to disable target EDR agents — distinct from the BYOVD-based GentleKiller framework and not previously in this pipeline's coverage. The Go/C dual-language encryptor and Curve25519/XChaCha20 per-file key scheme are unchanged.
The operators (roughly 20 of them) likely morphed from a private entity into a RaaS model on or about September 2025. While traditional RaaS models typically offer affiliates a 70% to 80% cut of paid ransoms, The Gentlemen offer an unprecedented 90% payout.
When comparing the last six months of 2025 to the first six months of 2026, the number of victims claimed by The Gentlemen increased by slightly more than 6x.
ATT&CK mapping
3 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1190Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Defense Impairment TA0112
T1685Disable or Modify Tools
Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.
Impact TA0040
T1486Data Encrypted for Impact
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Update chain
- updates The Gentlemen 2026-06-29
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.