The Gentlemen Ransomware Expands With Rapid Affiliate Growth: What You Need to Know

The The Gentlemen ransomware operation is making headlines as a rapidly expanding ransomware-as-a-service (RaaS) group that has already claimed more than 320 victims. According to researchers at Check Point, the bulk of these attacks occurred in early 2026, signaling a sharp escalation in its activity.

First identified in mid-2025, this group has gained significant traction among affiliates by promoting its services on underground forums and recruiting technically skilled partners. But what sets The Gentlemen apart? Its modular tooling and cross-platform payloads are designed specifically for enterprise environments, making it a formidable threat.

How The Gentlemen Ransomware Recruits Affiliates

The success of The Gentlemen ransomware hinges on its affiliate model. The operation provides partners with ransomware variants written in the Go programming language, which support Windows, Linux, NAS, and BSD systems. Additionally, a separate ESXi encryptor developed in C is available for virtualized environments.

Affiliates are drawn to the platform because of its robust toolkit. This includes built-in lateral movement capabilities, credential reuse, and Group Policy-based deployment. These features allow attackers to trigger simultaneous encryption across domain environments with minimal effort.

Enterprise Impact: Multi-Platform Tooling in Action

In one observed case, attackers achieved domain controller access before deploying payloads across multiple systems. The activity included credential harvesting, remote execution via administrative shares, and widespread reconnaissance. The attackers also disabled endpoint protections and used scheduled tasks, services, and registry changes to maintain persistence.

Key capabilities observed in The Gentlemen attacks include:

• Cross-platform encryption covering endpoints, servers, and virtualized environments
• Automated lateral movement using stolen domain credentials
• Group Policy deployment for rapid, domain-wide execution
• Defense evasion through disabling antivirus and firewall protections

Furthermore, the ransomware terminates processes linked to databases, backup tools, and virtual machines to maximize impact. It also deletes shadow copies and logs to hinder recovery and forensic analysis.

SystemBC Use Suggests Broader Intrusion Ecosystem

During incident response, Check Point researchers identified the use of SystemBC, a proxy malware commonly associated with human-operated ransomware campaigns. This tool enables covert communication via SOCKS5 tunnels and can deliver additional payloads directly into memory.

Telemetry from a related command-and-control (C2) server revealed more than 1,570 infected systems globally. The distribution, heavily concentrated in the US, UK, and Germany, suggests a focus on organizational targets rather than opportunistic consumer infections.

However, it remains unclear whether SystemBC is fully integrated into The Gentlemen ecosystem or simply used by certain affiliates. Its presence alongside tools such as Cobalt Strike suggests a modular attack chain that can adapt to defenses.

When SystemBC deployment was blocked, attackers shifted to alternative C2 channels and established persistence using remote desktop and remote access software. This adaptability underscores the group’s sophistication.

What This Means for Cybersecurity Teams

The combination of scalable affiliate recruitment, enterprise-focused tooling, and integration with established post-exploitation frameworks increases the threat level significantly. Cybersecurity teams should prioritize monitoring for lateral movement indicators and Group Policy abuse.

For more insights, check out our guide on ransomware prevention strategies and learn about incident response planning. Additionally, stay updated on the latest cyber threats through threat intelligence reports.

In conclusion, The Gentlemen ransomware represents a new wave of RaaS operations that are more agile and dangerous than ever. Organizations must remain vigilant and invest in robust security measures to defend against these evolving threats.

Trojanized Android App Fuels New Wave of NFC Fraud: How NGate Malware Steals Payment Data

A fresh variant of the NGate malware family has been uncovered, this time hiding inside a trojanized version of a legitimate Android app. Security researchers at ESET have identified a new campaign that exploits a modified near-field communication (NFC) relay application called HandyPay to intercept payment card data and personal identification numbers (PINs). This marks a significant evolution in NGate malware NFC fraud, moving beyond open-source tools to a more sophisticated, stealthy approach.

How the NGate Malware Campaign Works

According to ESET’s findings, the malicious version of HandyPay has been circulating since November 2025, primarily targeting users in Brazil. Victims are lured through phishing websites that impersonate a Brazilian lottery site or a fake Google Play listing for a card protection tool. Once a user visits these fraudulent pages, they are instructed to manually install the app—bypassing the official Google Play Store.

Because the app is not available on the official store, Android prompts users to allow installations from unknown sources. This social engineering tactic is crucial for the attack to succeed. After installation, the trojanized app requests minimal permissions, relying instead on its ability to become the default payment application on the device. This design helps it avoid detection while maintaining full functionality.

NFC Data Relay and PIN Capture

The malware performs two key actions: it captures NFC data from any payment card tapped on the infected device, and it prompts the victim to enter their card’s PIN. Both pieces of information are then transmitted to attacker-controlled infrastructure. This allows fraudsters to relay the NFC data to their own devices, enabling them to make fraudulent contactless transactions or even withdraw cash from ATMs.

This technique is far more dangerous than simple card skimming. By combining the NFC relay with the PIN, attackers can bypass typical security measures for contactless payments. The campaign demonstrates a clear shift from earlier NGate variants, which relied on open-source tools like NFCGate, to a more targeted approach using a trojanized legitimate app.

AI-Assisted Code Generation Suspected

Interestingly, ESET researchers found evidence suggesting that parts of the malicious code may have been generated using generative AI tools. Debug logs within the malware contained emoji markers, a pattern often associated with AI-assisted code generation. While not definitive proof, this aligns with a broader trend of threat actors using large language models (LLMs) to accelerate malware development.

Building on this, the use of AI could make it easier for less technically skilled criminals to create sophisticated malware. This particular campaign, however, still required significant effort in setting up phishing infrastructure and modifying the HandyPay app. The combination of AI-generated code and social engineering makes this NGate malware NFC fraud campaign particularly concerning.

Protecting Against NFC-Based Fraud

Google has been notified of the campaign, and Google Play Protect now detects known versions of the malware. Additionally, the developer of HandyPay has been allegedly contacted and is investigating the misuse of their application. However, users remain the first line of defense.

To protect against this type of Android NFC malware, always download apps from the official Google Play Store. Be wary of any website that instructs you to install an app manually, especially if it claims to offer security or financial services. Furthermore, avoid tapping your payment card on unknown devices, and regularly check your bank statements for unauthorized transactions.

For more insights on mobile banking threats, read our article on APK Malformation Found in Thousands of Android Malware Samples. Additionally, learn about the latest phishing techniques in our guide on How to Spot Phishing Attacks.

The Future of NFC Relay Attacks

This campaign signals a worrying trend. Attackers are moving away from generic malware kits and instead modifying legitimate apps to serve their purposes. The use of a trojanized HandyPay app allows for stealthier operations, as the app’s core functionality—NFC relay—is itself legitimate. As a result, users and security solutions may find it harder to distinguish between a benign app and a malicious one.

Therefore, the financial sector and Android users, particularly in regions like Brazil, must stay vigilant. The combination of NFC relay, PIN capture, and potential AI-assisted development means that NGate malware NFC fraud could become a template for future attacks worldwide.

Police arrest SMS blaster crew that sent malicious messages to thousands across Toronto

In a landmark case for Canadian cybersecurity, Toronto police have arrested three men and filed 44 charges for allegedly operating an SMS blaster crew arrested in the heart of the city. This marks the first known instance of such a device being used in Canada, according to authorities. The operation, which began in November 2025, targeted tens of thousands of devices with spammy text messages over several months.

The scheme relied on an SMS blaster—a device that spoofs cell towers and broadcasts a stronger signal to trick nearby phones and tablets into connecting. Once linked, the blaster can send thousands of texts containing links to phishing sites that mimic legitimate login pages. The goal, said Detective Sergeant Lindsay Riddell of the Toronto Police Service, was to steal usernames and passwords, including banking credentials. Beyond theft, these devices disrupt cellular communications and can interfere with 911 emergency services, posing a serious public safety risk.

How the SMS blaster operation worked

The Toronto police revealed that the SMS blaster was “uniquely built” and operated from the back of a vehicle, allowing the crew to move across multiple locations. This mobile setup made detection harder, as the device could be deployed in crowded downtown areas without raising immediate suspicion. The blaster exploited weaknesses in older 2G cellular networks, which lack modern encryption and authentication protocols. This vulnerability is well-known among cybercriminals, but this case highlights its real-world impact in a major urban center.

Authorities declined to share a photo of the specific device found in Toronto, citing safety reasons, but released an image of a similar blaster from a UK investigation. The tactic mirrors a 2024 case in Thailand, where gang members operated an SMS blaster from a truck in Bangkok, blasting nearly a million messages in just three days. These global incidents underscore the growing threat of portable phishing tools.

Protecting yourself from SMS blaster attacks

Users can block attempts by SMS blasters by switching off their phone’s 2G cellular connectivity. For Apple device owners, enabling Lockdown Mode automatically disables 2G radios, adding a layer of protection. Android users can often find 2G toggle options in their network settings, though availability varies by manufacturer and carrier. Learn how to disable 2G on your phone to stay safe from similar threats.

This arrest is a wake-up call for mobile users and telecom regulators alike. As SMS blasters become more sophisticated, staying vigilant against unsolicited texts is crucial. Never click on links in messages from unknown senders, and always verify the authenticity of login pages by typing URLs directly into your browser. Explore more phishing prevention tips to safeguard your data.

What this means for Canadian cybersecurity

Toronto police have set a precedent by cracking down on this SMS blaster crew arrested in Canada. However, the case raises questions about how prepared telecom networks are to detect and block such devices. Older 2G infrastructure remains a weak link, and while carriers have phased out 2G in some regions, it still operates in many areas for legacy devices and emergency services. Read about Canada’s 2G network phase-out plans to understand the broader context.

Building on this, the arrest serves as a reminder that cybercriminals are quick to exploit outdated technology. For consumers, the best defense is a proactive approach: update your phone’s software regularly, use strong passwords, and enable two-factor authentication wherever possible. As Detective Sergeant Riddell emphasized during the press conference, the scheme aimed to steal banking credentials, making financial vigilance equally important.

In the end, this case is not just about three men in Toronto—it’s about a global trend that requires coordinated action from law enforcement, telecoms, and users. The SMS blaster crew arrested may be off the streets, but the technology they used remains a threat. Stay informed, stay cautious, and always think twice before clicking that unexpected text message link.