What Recent Reporting Gets Right About The Gentlemen RaaS and What Silent Push Learned Months Earlier


Brian Krebs of KrebsonSecurity published a piece this week identifying the person allegedly behind The Gentlemen ransomware operation. It’s good work and puts a spotlight back on the Ransomware-as-a-Service (RaaS) group that has been moving fast since mid-2025.

We covered The Gentlemen in an April blog, “No Place to Hide: Following a Serial Ransomware Affiliate from LockBit, Black Basta, and Qilin to The Gentlemen,” based on our deep research in 2025. The blog focuses on the infrastructure and affiliate activity underpinning the operation, specifically an affiliate we had been tracking across four ransomware groups for the better part of three years. Here is what that research found, and what defenders should have in place today.

The Affiliate Trail, From CountLoader to The Gentlemen

In July and August 2025, Silent Push Preemptive Cyber Defense Analysts identified a new malware loader we named CountLoader, observed in three distinct versions: .NET, PowerShell, and JScript. The more significant finding was what CountLoader led to: two Cobalt Strike watermarks, 1473793097 and 1357776117, fingerprinted to a single ransomware affiliate with verifiable ties to Black Basta, LockBit, and Qilin activity. We published those findings in an exclusive client-facing report in August 2025, followed by our public blog, “CountLoader: Silent Push Discovers New Malware Loader Being Served in Three Different Versions,” on September 18, 2025.

Cobalt Strike licenses carry unique identifiers. When an affiliate uses the same licensed instance across campaigns and RaaS platforms, those watermarks follow them. A RaaS affiliation is replaceable, but the tooling fingerprint is not. That’s what makes Cobalt Strike watermarks a reliable tracking mechanism across brand changes.
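To make the pivot concrete, here is an added example (not Silent Push's code or tooling) that groups Beacon observations by licence watermark and reports which ransomware programs each watermark has been seen with. The two watermark values, the program names and the C2 91.107.247[.]163 come from the blog; the dates, the pairing of each watermark with a particular program, and the other C2 addresses are constructed sample data for illustration only.

```python
"""Pivot on Cobalt Strike licence watermarks across ransomware programs.

Added example, not Silent Push's code. Sample observations are constructed;
only the watermark values and 91.107.247[.]163 are taken from the blog.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Observation:
    observed: date   # date the Beacon sample / C2 was seen
    program: str     # ransomware program the intrusion was attributed to
    watermark: int   # licence watermark parsed from the Beacon config
    c2: str          # C2 host, kept defanged as in reporting


# Watermarks the blog fingerprints to a single affiliate.
AFFILIATE_WATERMARKS = {1473793097, 1357776117}

# Constructed sample data: dates, program pairings and the first four C2s are
# illustrative (documentation ranges), not observed values.
OBSERVATIONS = [
    Observation(date(2023, 3, 2), "LockBit", 1473793097, "203.0.113[.]10"),
    Observation(date(2023, 9, 14), "Black Basta", 1473793097, "203.0.113[.]22"),
    Observation(date(2024, 6, 30), "Qilin", 1357776117, "198.51.100[.]7"),
    Observation(date(2025, 8, 5), "LockBit", 1357776117, "198.51.100[.]40"),
    Observation(date(2026, 2, 8), "The Gentlemen", 1473793097, "91.107.247[.]163"),
    Observation(date(2025, 11, 11), "Unrelated", 1000000001, "192.0.2[.]5"),
]


def programs_by_watermark(obs):
    """Map each watermark to the set of programs it was observed with."""
    out = defaultdict(set)
    for o in obs:
        out[o.watermark].add(o.program)
    return dict(out)


def cross_program_watermarks(obs, min_programs=2):
    """Watermarks seen under at least `min_programs` distinct programs.

    A watermark that follows an operator across brands is the signal the
    blog describes; a watermark tied to one program only is not enough.
    """
    return {w: p for w, p in programs_by_watermark(obs).items()
            if len(p) >= min_programs}


def affiliate_trail(obs, watermarks):
    """Summarise every observation carrying one of the affiliate's watermarks."""
    hits = sorted((o for o in obs if o.watermark in watermarks),
                  key=lambda o: o.observed)
    if not hits:
        return None
    return {
        "programs": sorted({o.program for o in hits}),
        "c2s": [o.c2 for o in hits],
        "first_seen": hits[0].observed,
        "last_seen": hits[-1].observed,
        "span_days": (hits[-1].observed - hits[0].observed).days,
    }


if __name__ == "__main__":
    for wm, progs in cross_program_watermarks(OBSERVATIONS).items():
        print(wm, sorted(progs))
    print(affiliate_trail(OBSERVATIONS, AFFILIATE_WATERMARKS))
```

The watermark is treated as the stable key and the program name as a mutable attribute, which is the inversion the text argues for: cluster on the tooling fingerprint first, then read the brand history off the cluster.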

On February 8, 2026, Silent Push flagged 91.107.247[.]163 as a Cobalt Strike C2, issuing an Indicators of Future Attack® (IOFA) alert to customers. Blocking was pushed automatically to firewalls, SIEMs, and EDR platforms that day.

On April 20, 2026, Check Point published a DFIR report on an intrusion by The Gentlemen. The report identified 91.107.247[.]163 as the Cobalt Strike C2 used in the attack. Silent Push had flagged that IP 76 days earlier, and customers had blocks in place across the board.

That 76-day window is where preemptive cyber defense operates.

What the Infrastructure Picture Adds to the Operator Picture

While Krebs answers who is running the operation, infrastructure attribution answers what they are running it on, and how to detect the same actor even when they move between ransomware groups.

The affiliate tracked in our research has worked across LockBit, Black Basta, Qilin, and The Gentlemen. The RaaS group they operate under is interchangeable, and the Cobalt Strike watermarks follow them regardless. Such persistence is what allows Silent Push to maintain a high-confidence trail across three years of activity spanning four ransomware programs.

What to Block and Monitor Now

Cobalt Strike is well known to be used by many threat actors and Advanced Persistent Threat (APT) groups. Our IOFA feeds for Cobalt Strike C2 Domains and C2 IPs, as well as Cobalt Strike Domains and Cobalt Strike IPs, are available to enterprise clients.

Initial access: The Gentlemen affiliates favor internet-facing VPN and firewall appliances as entry points. Organizations that have not audited and patched those surfaces recently should treat that as an immediate priority.

IOFA feeds: Exclusive to enterprise clients, Silent Push Cobalt Strike IOFA feeds are available via API and STIX/TAXII for direct integration into your firewall, SIEM, or EDR. That integration is what put our customers ahead of this intrusion by 76 days.
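For teams that ingest indicators but do not yet have a feed wired into their stack, the added example below (written for this page, not Silent Push's API or feed format) shows the two unglamorous steps that usually trip people up: refanging published indicators such as 91.107.247[.]163, and matching them against log lines without prefix false positives. It also emits a STIX 2.1 indicator pattern for each indicator so the result can be pushed into a TAXII-fed tool. The log lines and the domain c2-example[.]invalid are constructed; the IP is the one named in the blog.

```python
"""Refang published IoCs, emit STIX 2.1 patterns, and match them over logs.

Added example, not Silent Push's code. Log lines and c2-example[.]invalid
are constructed; 91.107.247[.]163 is the C2 named in the blog.
"""
import ipaddress
import re

# Common defanging conventions seen in public reporting.
_DEFANG = [("[.]", "."), ("(.)", "."), ("[:]", ":"),
           ("hxxps://", "https://"), ("hxxp://", "http://")]

# Indicators as published (defanged). The IP is from the blog; the domain is constructed.
IOCS = ["91.107.247[.]163", "c2-example[.]invalid"]

# Constructed firewall / DNS log lines. Line 1 shares a suffix with the C2 IP
# and must NOT match; line 3 is a subdomain of the blocked domain and should.
LOGS = [
    "2026-02-09T03:14:07Z fw01 action=allow src=10.20.5.17 dst=91.107.247.163 dport=443 proto=tcp",
    "2026-02-09T03:14:09Z fw01 action=allow src=10.20.5.17 dst=191.107.247.163 dport=443 proto=tcp",
    "2026-02-09T03:15:01Z fw01 action=allow src=10.20.5.33 dst=198.51.100.7 dport=80 proto=tcp",
    "2026-02-09T03:15:40Z dns01 client=10.20.5.17 query=beacon.c2-example.invalid type=A",
]


def refang(ioc):
    """Turn a defanged indicator back into a matchable value."""
    for bad, good in _DEFANG:
        ioc = ioc.replace(bad, good)
    return ioc.strip()


def _ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def stix_pattern(ioc):
    """STIX 2.1 comparison pattern for an IP or domain indicator."""
    value = refang(ioc)
    ip = _ip(value)
    if ip is not None:
        return f"[ipv{ip.version}-addr:value = '{value}']"
    return f"[domain-name:value = '{value}']"


def _matcher(value):
    esc = re.escape(value)
    if _ip(value) is not None:
        # No digit or dot on either side: 91.107.247.163 must not hit 191.107.247.163.
        return re.compile(rf"(?<![\d.]){esc}(?![\d.])")
    # Domains: allow a subdomain prefix ("beacon." before it) but not a longer label.
    return re.compile(rf"(?<![\w-]){esc}(?![\w-])", re.IGNORECASE)


def match_logs(lines, iocs):
    """Return (line_index, refanged_ioc) for every log line containing an indicator."""
    matchers = [(refang(i), _matcher(refang(i))) for i in iocs]
    hits = []
    for idx, line in enumerate(lines):
        for value, rx in matchers:
            if rx.search(line):
                hits.append((idx, value))
    return hits


if __name__ == "__main__":
    for ioc in IOCS:
        print(stix_pattern(ioc))
    for idx, value in match_logs(LOGS, IOCS):
        print(f"line {idx}: {value} -> {LOGS[idx]}")
```

The lookarounds are the part worth copying: a naive substring search on an IP will alert on any address that merely ends with the indicator, and a feed that floods analysts with those is switched off long before the real beacon connects.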

Getting Started with Silent Push

To learn more about Silent Push preemptive cyber defense and how we work with organizations to neutralize threats before threat actors can execute, start a conversation with our experts.

We also offer a free Community Edition for defenders to see how our platform integrates into your existing security stack.