DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:13:27ZSOURCES: 14CRITICAL: 30
⚠ ACTIVE ALERTS
@FalconFeedsio CRITICAL — 🚨 Ransomware Alert: The Gentlemen RaaS group continues active DLS postings. Now at 478… /// @DarkWebInformer CRITICAL — 🚨 ServiceNow discloses June 5 security update tied to anomalous activity — KB3067321.… /// @MsftSecIntel CRITICAL — MSTIC analysis of The Gentlemen ransomware (tracked internally): self-propagating… /// @GossiTheDog CRITICAL — ServiceNow KB3067321 situation is worse than the vendor comms suggest. Advisory was gated… /// @AlvieriD CRITICAL — The '340M OnlyFans' listing on the leak forum is a compiled corpus — seller confirmed to…
30Critical Threats
15Active CVEs
1IOCs Tracked
14New Advisories
INTEL FEED/ARCHIVE/RANSOMWARE
DMZ INTEL DESK//FILED: 2026-06-09//00:46Z
HIGH#ransomware

The Gentlemen RaaS Posts Seven New Victims June 8–9 Including Healthcare, Manufacturing, and Tech — Now Second Most Active Group of 2026 with 332 Published Victims

The Gentlemen ransomware-as-a-service operation — which appeared in August 2025 and has rapidly grown to 332 published victims in the first five months of 2026 — posted at least seven new victims to its dark web leak site on June 8–9, including Central Arkansas Pediatrics, IP Rings (automotive manufacturing, India), and Yao Yuan Technology (Taiwan). Check Point Research's deep analysis of a leaked internal database reveals the group is tightly operated by approximately nine core actors under administrator 'zeta88/hastalamuerte,' pays affiliates 90% of proceeds, and gains initial access primarily via internet-facing VPN and management interface exploits including Fortinet, Cisco, and ConnectWise ScreenConnect vulnerabilities. The Go-written, cross-platform locker targets Windows, Linux, and ESXi environments and deploys SystemBC for covert C2 tunneling.

The Go-written, cross-platform locker targets Windows, Linux, and ESXi environments and deploys SystemBC for covert C2 tunneling.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
the-gentlemen · raas · dark-web · healthcare · manufacturing · systembc · go-ransomware · esxi · double-extortion · leak-site
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

RELATED ACTORS

ACTOR
SCATTERED LAPSUS$ HUNTERS (ShinySp1d3r RaaS)
CRIMINAL
ACTOR
VECT
CRIMINAL
ACTOR
KryBit
CRIMINAL

MORE FROM ARCHIVE

# RANSOMWARE
2026-06-12
PRODAFT/KrebsOnSecurity Unmask The Gentlemen RaaS Operator LARVA-368 (Storm-2697) — 478 Victims, AI-Assisted Tooling, FortiGate Mass-Exploitation at Scale
# RANSOMWARE
2026-06-12
DragonForce and TheGentlemen Post New Victims on Leak Sites June 12 — Multi-Sector Global Blitz Continues as DragonForce Shows -95% MoM Activity Variance
# RANSOMWARE
2026-06-11
Silent Ransom Group (Luna Moth / UNC3753) Escalates to Physical Office Intrusion Against U.S. Law Firms — FBI Issues FLASH-Severity Alert as 38+ Victims Published
# RANSOMWARE
2026-06-07
UNC3753 (Silent Ransom Group) Escalates U.S. Law Firm Campaign to Physical Office Intrusions — Full Attack-to-Extortion in Under One Hour