“The group actively tracks and evaluates modern vulnerabilities, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073, and combines them with technique-driven paths like backup and management-controller abuse and NTLM relay workflows, giving them a flexible exploitation pipeline,” Check Point said.
That’s not all. In March 2026, Hunt.io said it discovered an open directory hosted at “176.120.22[.]127:80” on the Russian bulletproof hosting provider Proton66 that exposed 126 files containing a complete ransomware operator toolkit attributed to an affiliate of The Gentlemen RaaS.
This included tools for reconnaissance, privilege escalation, defense evasion, credential theft, lateral movement, persistence, and pre-encryption preparation, essentially spanning all phases of the intrusion lifecycle.
