ctipilot.ch
← Back to Weekly 2026-W28
NOTABLEupdateNATOB2synthesis

The Gentlemen (Storm-2697) status update — Unit 42's full profile: 580 victims, a Qilin-affiliate lineage, and a suspected EDR-disable zero-day

discovered 2026-07-12 23:46 UTCrun 2026-07-12T2309Z-weekly1 sourcesingle-source

UPDATE · originally covered The Gentlemen (2026-06-29)

Palo Alto Unit 42 published the first full technical profile of The Gentlemen (Microsoft: Storm-2697; also Phantom Mantis), consolidating and extending the picture this pipeline built from ESET's GentleKiller research and the FortiBleed nexus. The delta worth carrying: Unit 42 counts 580 claimed victims across 77 countries through 3 July 2026 (103 in manufacturing) and a "slightly more than 6x" victim increase from H2 2025 to H1 2026, and assesses the ~20 operators "likely morphed from a private entity into a RaaS model on or about September 2025," previously operating as "ArmCorp," an affiliate of Qilin, now offering an "unprecedented 90% payout" versus the typical 70-80% (Unit 42, 2026-07-10). Two operationally relevant additions: the initial-access set now explicitly names Erlang/OTP SSH-server and Windows SMB-client flaws alongside the already-tracked FortiOS/FortiProxy edge path, and Unit 42 cites Expel describing a suspected zero-day the group uses specifically to disable target EDR agents — distinct from the BYOVD-based GentleKiller framework and not previously in this pipeline's coverage. The Go/C dual-language encryptor and Curve25519/XChaCha20 per-file key scheme are unchanged.

The operators (roughly 20 of them) likely morphed from a private entity into a RaaS model on or about September 2025. While traditional RaaS models typically offer affiliates a 70% to 80% cut of paid ransoms, The Gentlemen offer an unprecedented 90% payout.

When comparing the last six months of 2025 to the first six months of 2026, the number of victims claimed by The Gentlemen increased by slightly more than 6x.

Palo Alto Networks Unit 42

ATT&CK mapping

3 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

Defense Impairment TA0112
T1685Disable or Modify Tools

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.

overlap matrix · ATT&CK page ↗

Impact TA0040
T1486Data Encrypted for Impact

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

overlap matrix · ATT&CK page ↗

Update chain

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.