Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor Meta
Summary
Hide ▲
Show ▼
Phantom Mantis moved The Gentlemen from dependence on other ransomware ecosystems into an independent partnership program, expanding its operational autonomy and affiliate reach. The shift is tied to 478 claimed victims and an active push to recruit affiliates, which strengthens the group’s market position. The operation is also being run by LARVA-368, who has paired the model change with broader tooling and support infrastructure.
Related Happenings
Fake IT support Havoc campaign
Campaign
H score34
First: 03.03.2026 19:15
Last: 03.03.2026 19:15
Sources 1
About this happening:
A **fake IT support** campaign is using **email spam**, phone-based social engineering, and **Havoc C2** to gain initial access, putting targeted organizations at risk of **data e...
Fake IT support Havoc campaign
CampaignAbout this happening: A **fake IT support** campaign is using **email spam**, phone-based social engineering, and **Havoc C2** to gain initial access, putting targeted organizations at risk of **data e...
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor Meta
H score35
First: 05.02.2026 00:14
Last: 05.02.2026 00:14
Sources 1
About this happening:
**DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor MetaAbout this happening: **DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
Vect RaaS affiliate recruitment and early ecosystem buildout
Threat Actor Meta
H score16
First: 03.02.2026 16:00
Last: 03.02.2026 16:00
Sources 1
About this happening:
**Vect** has moved into **affiliate recruitment**, marking an early-stage **ransomware-as-a-service** buildout that could expand its reach and victim volume. The group has already...
Vect RaaS affiliate recruitment and early ecosystem buildout
Threat Actor MetaAbout this happening: **Vect** has moved into **affiliate recruitment**, marking an early-stage **ransomware-as-a-service** buildout that could expand its reach and victim volume. The group has already...
Labyrinth Chollima split into three North Korean hacking groups
Threat Actor Meta
H score15
First: 30.01.2026 17:40
Last: 30.01.2026 17:40
Sources 1
About this happening:
**Labyrinth Chollima** has been split into **three tracked North Korean groups**, reshaping how defenders map a major DPRK cyber ecosystem and its target set. **Golden Chollima**...
Labyrinth Chollima split into three North Korean hacking groups
Threat Actor MetaAbout this happening: **Labyrinth Chollima** has been split into **three tracked North Korean groups**, reshaping how defenders map a major DPRK cyber ecosystem and its target set. **Golden Chollima**...
GrayBravo expands CastleLoader into a multi-cluster malware-as-a-service ecosystem
Threat Actor Meta
H score33
First: 09.12.2025 18:01
Last: 09.12.2025 18:01
Sources 1
About this happening:
**GrayBravo** has expanded **CastleLoader** into a **malware-as-a-service (MaaS)** ecosystem that now includes **CastleBot** and custom **CastleRAT** variants, widening access to...
GrayBravo expands CastleLoader into a multi-cluster malware-as-a-service ecosystem
Threat Actor MetaAbout this happening: **GrayBravo** has expanded **CastleLoader** into a **malware-as-a-service (MaaS)** ecosystem that now includes **CastleBot** and custom **CastleRAT** variants, widening access to...
Timeline
-
11.06.2026 19:50 2 articles · 1h ago
PRODAFT reveals Phantom Mantis turned The Gentlemen into an independent ransomware partnership program
Technical Analysis UpdatePRODAFT analysis says Phantom Mantis transitioned into The Gentlemen in July 2025 as an independent partnership program no longer dependent on other RaaS groups, with LARVA-368 leading the operation and relying on AI-assisted tooling and post-exploitation support. The group was active since March 2025 and had claimed 478 victims by June 11, 2026.
Show sources
- The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm — thehackernews.com — 11.06.2026 19:50
- The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm — thehackernews.com — 11.06.2026 19:50