Thegentlemen
Also known as Phantom Mantis, ArmCorp, Zeta88, Hastalamuerte
Reports
124
First seen
Apr 27
Last seen
Jun 20
Motivation
extortion, financial, financial extortion
Targeting
Sectors
manufacturing ×29, healthcare ×12, technology ×8, other ×7, retail ecommerce ×7, education ×7, professional services ×6, agriculture ×5
Victim regions
United States ×25, France ×6, Germany ×4, Thailand ×4, Netherlands ×3, India ×3, Spain ×2, Malaysia ×2
Top ATT&CK techniques
T1486 Data Encrypted for Impact ×9, T1190 Exploit Public-Facing Application ×6, T1078 Valid Accounts ×4, T1021 Remote Services ×3, T1566 Phishing ×3, T1562.001 Impair Defenses: Disable or Modify Tools ×3, T1562 Impair Defenses ×2, T1195 Supply Chain Compromise ×2, T1070.001 Indicator Removal: Clear Windows Event Logs ×2, T1021.001 Remote Services: Remote Desktop Protocol ×2, T1053 Scheduled Task/Job ×2, T1003 OS Credential Dumping ×2
Indicators
domain ×341, ip_v4 ×163, cve ×45, filename ×24, hash_md5 ×20, hash_sha256 ×16, hash_sha1 ×11, email ×3, bitcoin_address ×2, hash_sha512 ×1, url ×1
Indicator values are available on Pro and via the API.
Associated CVEs
CVE-2024-55591 (exploited), CVE-2025-32433 (exploited), CVE-2025-33073 (exploited), CVE-2025-29635 (exploited), CVE-2025-55182 (exploited), CVE-2026-11645 (exploited), CVE-2026-20131 (exploited), CVE-2026-2441 (exploited), CVE-2026-28950, CVE-2026-33626 (exploited), CVE-2026-34908 (exploited), CVE-2026-34909 (exploited), CVE-2026-34910 (exploited), CVE-2026-35273 (exploited), CVE-2026-3909 (exploited), CVE-2026-3910 (exploited), CVE-2026-40372, CVE-2026-50751 (exploited), CVE-2024-40766 (exploited), CVE-2026-5281 (exploited)
Recent reports
Medium