Group-IB
Your daily source of cybersecurity news brought to you by Group-IB, one of the global industry leaders.
🚨 A new ransomware operation, The Gentlemen, has emerged following an affiliate split, revealing how threat actors evolve from partners to independent operators while retaining advanced tooling, infrastructure, and access pipelines.

Our latest analysis explores how this group is operationalizing large-scale attacks by combining exploited network devices, credential harvesting, and advanced defense evasion techniques.

What the blog covers:
🔹 The origins of The Gentlemen and its connection to a prior affiliate dispute on the RAMP forum
🔹 Systematic exploitation of CVE-2024-55591 to compromise FortiGate devices, with an observed inventory of approximately 14,700 exposed systems offered to affiliates
🔹 Operational tooling for credential harvesting and lateral movement (NetExec, Impacket, DonPAPI)
🔹 Defense evasion via Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to disable EDR/AV protections at kernel level

Read the full technical analysis.

#ThreatIntel #Ransomware #CyberSecurity
🎉 Group-IB was named an Overall Leader in Fraud Reduction Intelligence Platforms by KuppingerCole 2025.

In its 2025 Leadership Compass for Fraud Reduction Intelligence Platforms—eCommerce, KuppingerCole recognized Group-IB across three categories: Overall Leader, Product Leader, and Innovation Leader.

The analyst specifically highlighted our credential intelligence powered by dark web monitoring and Europol/Interpol information-sharing, our device intelligence depth including anti-detect browser and virtual camera detection, and an investigation interface described as "top-notch."

Download the full report.

#FraudPrevention #eCommerce #DarkWeb
Most cybersecurity strategies are already legacy the moment they’re approved.
Why? Because they’re built annually, around frameworks, without real-time threat context.

Meanwhile, the business shifts constantly. Attackers adapt even faster.
👉 That gap is where risk lives.

In our latest breakdown, we explore where cybersecurity strategies fail in 2026, including:
✅ why security operates out of sync with business priorities
✅ how compliance-first thinking creates blind spots
✅ where gap analysis breaks down at the board level

Move beyond “all talk, no show” strategies:
🔹 Tie security directly to business risk
🔹 Shift to modular, adaptable planning
🔹 Use threat intelligence to drive decisions
🔹 Continuously reassess gaps

Prepare for what’s actually targeting your business right now. Read more.

#Cybersecurity2026 #RiskManagement #ThreatIntelligence
โค5๐Ÿ”ฅ4๐Ÿ‘3
That RFQ email from a trusted supplier? It might be delivering Phantom Stealer โ€” a toolkit built to harvest your credentials at scale.

Group-IB researchers have identified a sustained phishing campaign targeting European logistics, manufacturing, and tech companies. Across five distinct waves over three months, every email was blocked by Group-IB's Business Email Protection before reaching end users.

The emails mimic legitimate procurement correspondence with professional signatures and spoofed sender identities. But inside the archive attachment is an infostealer that harvests browser credentials, session tokens, and payment data.

Phantom Stealer is part of a growing stealer-as-a-service market - credential theft is now a subscription business, and threats like this are only scaling.

Our latest Email Protection Spotlight breaks down the full campaign and shows how multi-layer detection stopped it at the inbox. Read the full analysis.

#CyberSecurity #Phishing #InfoStealer #EmailProtection
๐Ÿ”ฅ7โค6๐Ÿ‘€1
The regulatory landscape is shifting fast. The UK, Singapore, Australia, the EU, and North America are introducing mandatory fraud intelligence-sharing frameworks. But there’s a challenge: How can institutions share suspicious activity in real time without violating privacy laws?

The Problem:
🔹 Payments settle in 10–40 seconds
🔹 Fraud detection takes 3–7 days
🔹 Criminals layer funds, convert them to crypto, and move them offshore
🔹 Less than 1% of laundered funds are recovered

Why Standard Solutions Fail: Traditional hashing methods are vulnerable to dictionary attacks, meaning “anonymized” data can be reversed, creating GDPR risks.

The Solution: Privacy-preserving distributed tokenization enables institutions to share fraud signals in real time while staying compliant.

Real Results: In a pilot with 46 banks, just two institutions running real-time checks prevented $10–15M in fraud annually. At full participation, projected savings could reach $100–300M.
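An added illustration of the hashing claim above (it is not Group-IB's framework, which the post does not detail): over a constructed space of 10,000 account identifiers, an unkeyed SHA-256 "anonymization" is reversed by a dictionary attack, while a keyed HMAC token still lets two institutions match a flagged account without exchanging the raw identifier. The consortium key and the account scheme are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed identifier space for the demo: 10,000 accounts ACCT-0000..ACCT-9999.
# Real identifiers (IBANs, card PANs, phone numbers) are longer but structured and
# enumerable, which is what makes dictionary attacks on unkeyed hashes practical.
CANDIDATES = [f"ACCT-{n:04d}" for n in range(10_000)]


def plain_hash(identifier: str) -> str:
    """The unkeyed 'anonymization' the post warns about: a bare SHA-256 of the identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def dictionary_reverse(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Reverse an unkeyed hash by hashing every candidate until one matches (or give up)."""
    for cand in candidates:
        if plain_hash(cand) == digest:
            return cand
    return None


def tokenize(identifier: str, key: bytes) -> str:
    """Keyed token (HMAC-SHA256). Members holding the key derive identical tokens, so
    tokens match across institutions; without the key, guesses cannot be hashed."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def share_and_match(reporter_account: str, checked_account: str, key: bytes) -> bool:
    """Bank A publishes only the token of a suspected mule account; Bank B tokenizes the
    payee of an outgoing payment and compares. No raw identifier leaves either bank."""
    shared_signal = {tokenize(reporter_account, key)}       # what Bank A sends
    return tokenize(checked_account, key) in shared_signal  # what Bank B computes locally


def demo() -> dict:
    # Assumed: a consortium key held in an HSM, never handed to parties that only receive tokens.
    key = secrets.token_bytes(32)
    mule = "ACCT-4242"
    return {
        "plain_hash_reversed": dictionary_reverse(plain_hash(mule), CANDIDATES),  # 'ACCT-4242'
        "token_reversed": dictionary_reverse(tokenize(mule, key), CANDIDATES),    # None
        "match_same_account": share_and_match(mule, "ACCT-4242", key),            # True
        "match_other_account": share_and_match(mule, "ACCT-4243", key),           # False
    }


if __name__ == "__main__":
    print(demo())
```

Keying moves the risk to key custody rather than removing it: anyone holding the key can run the same dictionary attack against tokens, so the key must stay with the tokenizing service, not with the parties that merely receive and compare tokens.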

Read the full framework.

#GDPR #Cybersecurity
🚨 Remote hiring has opened new opportunities for companies worldwide, but it has also created a new attack surface.

Our latest research dives into how DPRK-linked IT worker operations are infiltrating global companies by posing as remote developers. Instead of relying on traditional cyber intrusions, these actors exploit legitimate hiring processes using synthetic identities, AI-assisted workflows, and trusted developer platforms.

Key highlights:
🔹 A coordinated ecosystem of fake developer personas operating across GitHub, portfolio sites, and freelancing platforms.
🔹 Reusable identity infrastructure including resumes, email accounts, and repositories.
🔹 Evidence of AI-assisted job application workflows and templated interview responses.
🔹 Archived “persona packages” containing identity documents, portfolio assets, and operational instructions.
🔹 Monitoring the activities of a specific intruder “group” from 2021 to March 2026.

Read the full blog here.

#ThreatIntelligence #CyberSecurity #InsiderThreat #DPRK
๐Ÿ”ฅ7โคโ€๐Ÿ”ฅ6โค4โšก1๐Ÿ‘1
💫 We are proud to announce that Group-IB is an initial data contributor to the newly released MITRE Fight Fraud Framework™ (F3) developed by MITRE Corporation.

By contributing our proprietary fraud taxonomy and intelligence derived from real-world investigations, we are helping shape a standardized framework that enables organizations to classify, understand, and respond to fraud threats more effectively.

This collaboration goes beyond classification. By integrating the framework into Group-IB’s Fraud Matrix, organizations will be able to connect standardized fraud techniques with live adversary intelligence, detection methodologies, and mitigation strategies, strengthening predictive fraud defense across industries.

Fraud doesn’t begin with a transaction. It begins with an attacker, and understanding adversary behavior is key to staying ahead.

Read the full announcement here.

#CyberSecurity #FinancialSecurity #FraudPrevention #ThreatIntelligence #FraudMatrix
🚨 W3LL wasn't just another phishing operation; it was a mature phishing-as-a-service ecosystem that industrialized BEC at scale. Over 7+ years, the actor built a closed, referral-only marketplace powering 500+ cybercriminals with AiTM tooling designed to bypass MFA, hijack sessions, and compromise Microsoft 365 accounts.

This investigation reveals not just the tools, but the infrastructure, operational model, and key weaknesses behind the W3LL phishing ecosystem.

Key highlights:
🔹 AiTM-based W3LL Panel engineered for MFA bypass and session cookie theft
🔹 W3LL Store: a full-service PhaaS marketplace with tooling, data, and infrastructure
🔹 License validation APIs exposing backend links to the operator
🔹 Analysis of 700+ weaponized phishing samples that supported victim and campaign mapping
🔹 OpSec failures across forums, infrastructure, Telegram, and Indonesian-speaking hacking community ties

Read the full technical analysis.

#ThreatIntel #Cybercrime #Phishing #BEC #CyberSecurity #Infosec
๐Ÿ”ฅ8โค5๐Ÿ‘€1
😧 In 2025, a hacktivist group filmed itself blocking biomass fuel supply and triggering emergency alarms at a Polish factory, then posted the video on Telegram.

Group-IB's Threat Intelligence team analyzed the 2025–early 2026 threat landscape targeting European manufacturing across six countries.

What we detected ⬇️
▪️ 200 hacktivist incidents targeting European manufacturers
▪️ 57 cases of claimed access to industrial control systems

โ€ผ๏ธ The shift is real: hacktivist groups have moved beyond website takedowns to physical control of production systems, manipulating boiler temperatures, ventilation pressure, and biomass fuel supply.

Hacktivism is only one of five threat categories covered in our new report, Inside Europe's Manufacturing Cyber Threat Landscape. The other four are just as urgent.

Read more to predict and prevent attacks on your organization.

#CyberSecurity #Hacktivism #ThreatIntelligence
๐Ÿ‘7๐Ÿ‘€2โค1
🚨 Our latest research suggests that a significant share of newly registered business accounts in France may be linked to mule activity, highlighting how business-grade payment infrastructure combined with fast remote onboarding has created an attractive entry point for large-scale financial crime operations.

Key Highlights:
🔹 Verified mule business accounts are sold on underground markets for $300–$700, with sellers offering escrow services, replacement guarantees, and daily inventory.
🔹 Threat actors bypass KYC by using real victims, harvesting their PII via phishing and socially engineering them into completing identity verification.
🔹 Operations rely on SIM farms, anti-detect environments, and cheap Android devices to scale account creation and maintain infrastructure.
🔹 Detecting these operations requires analysing the entire account lifecycle, since sign-up, KYC, and first login can each appear legitimate in isolation.

Read the full technical analysis.

#FraudPrevention #FintechSecurity #CyberSecurity