Summary
GOLD SHERWOOD is a cybercriminal threat group that operates The Gentlemen ransomware-as-a-service (RaaS). The main operator, a Russian-speaking individual who uses the handles 'zeta88' and 'hastalamuerte' on underground forums, was an affiliate of the Qilin RaaS before starting The Gentlemen scheme in mid-2025. The Gentlemen follows the name-and-shame or "double extortion" model: data is stolen before files are encrypted, and the victim is threatened with its publication unless the ransom is paid. The first victims were posted to a dedicated leak site in September 2025, the same month that an advertisement for affiliates, offering a generous 90/10 split of ransom payments in the affiliate's favor, appeared on the RAMP underground forum. Fewer than 20 victim names were posted to the leak site each month through the remainder of 2025, but this rose to an average of over 75 per month at the beginning of 2026, suggesting that a large group of affiliates is involved in the scheme. As is common with most RaaS schemes, targeting organizations in Russia or the Commonwealth of Independent States (CIS) is prohibited.
Because of the RaaS model, different tactics, techniques and procedures (TTPs) will be observed across The Gentlemen intrusions, but GOLD SHERWOOD shares access and tools with affiliates to improve the chances of successful compromise. A leak of internal Rocket.Chat logs in May 2026 exposed some of the tradecraft that affiliates share. This included a list of Fortinet FortiGate devices, identified through reconnaissance, that were vulnerable to CVE-2024-55591, giving attackers a ready-made pool of potential victims. CVE-2025-32433, a critical remote code execution vulnerability in the Erlang/OTP SSH server that also affects Cisco edge devices bundling it, was also referenced in the chat logs. In addition to vulnerability exploitation, affiliates maintained a list of brute-forced credentials for Fortinet VPN access. The chat logs also suggest that affiliates use AI tools in their operations, DeepSeek in particular, although exactly how is unclear.
The Gentlemen ransomware intrusions are notably characterized by attempts to kill endpoint detection and response (EDR) solutions. Research by ESET documented affiliate use of third-party tools such as HexKiller, ThrottleBlood, and HavocKiller, as well as a suite of custom EDR killers that ESET named GentleKiller. This suite bundles legitimately signed but vulnerable drivers for several applications, which are loaded using the bring your own vulnerable driver (BYOVD) technique to gain kernel-level access and terminate EDR processes. CTU researchers have observed the use of these drivers in multiple attempted The Gentlemen ransomware attacks.
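BYOVD abuse leaves two observable traces a defender can pivot on: a driver load from an unusual location or with a known-abusable hash, followed shortly by the termination of security agent processes. The following is an added example, not code from Secureworks CTU or ESET, that triages Sysmon-style driver-load (Event ID 6) and process-terminate (Event ID 5) records for those traces. The events, driver file names, hashes and the process list are constructed placeholders; in practice the blocklist would be populated from Microsoft's recommended driver block rules or a similar vulnerable-driver list.

```python
"""Triage Sysmon-style events for bring-your-own-vulnerable-driver (BYOVD) indicators.

Constructed example. The events, file names and hashes below are made up for
illustration and do not correspond to any real GentleKiller driver.
"""
from datetime import datetime, timedelta

# Placeholder blocklist of SHA256 hashes (assumption: populated from a
# vulnerable-driver list such as Microsoft's recommended driver block rules).
BLOCKED_SHA256 = {"aa" * 32}

# Directories from which driver loads are considered routine.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Illustrative security agent process names; extend for the EDR in use.
EDR_PROCESSES = {"msmpeng.exe", "sensecncproxy.exe"}


def parse_hashes(field):
    """Parse a Sysmon 'Hashes' field ('SHA256=..,MD5=..') into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_driver_load(ev):
    """Return the list of BYOVD indicators present in one driver-load event."""
    reasons = []
    path = ev["ImageLoaded"].lower()
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("driver loaded from outside the system driver directories")
    sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    if sha in BLOCKED_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    # A valid signature is expected in BYOVD (the driver is legitimately signed),
    # so 'Valid' alone is not reassuring; only a broken signature is flagged here.
    if ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("invalid or missing signature")
    return reasons


def correlate_edr_kills(events, window=timedelta(seconds=60)):
    """Pair each driver load with EDR processes terminated within `window` afterwards."""
    loads = [e for e in events if e["EventID"] == 6]
    kills = [e for e in events if e["EventID"] == 5]
    hits = []
    for ld in loads:
        t0 = datetime.fromisoformat(ld["UtcTime"])
        for k in kills:
            t1 = datetime.fromisoformat(k["UtcTime"])
            name = k["Image"].rsplit("\\", 1)[-1].lower()
            if name in EDR_PROCESSES and t0 <= t1 <= t0 + window:
                hits.append((ld["ImageLoaded"], name))
    return hits


# Constructed sample: one routine driver load, one suspicious load, one EDR kill.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-01-15 03:12:07",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys",
     "Hashes": "SHA256=" + "11" * 32, "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2026-01-15 03:14:22",
     "ImageLoaded": "C:\\ProgramData\\tmp\\drv.sys",
     "Hashes": "SHA256=" + "AA" * 32 + ",MD5=" + "bb" * 16, "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2026-01-15 03:14:25",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if ev["EventID"] == 6:
            print(ev["ImageLoaded"], "->", triage_driver_load(ev) or "no indicators")
    print("driver load followed by EDR termination:", correlate_edr_kills(SAMPLE_EVENTS))
```

The correlation is the higher-value signal: a signed driver in a user-writable directory is suspicious on its own, but a security agent process dying within a minute of that load is what distinguishes an EDR killer from a misplaced vendor driver.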
In addition, GOLD SHERWOOD's affiliates have been observed using a custom credential stealer that ESET named OxideHarvest, Cobalt Strike, SystemBC, Impacket modules, and the legitimate AnyDesk remote monitoring and management (RMM) tool in attacks. Affiliates have also used group policy objects (GPOs) to push the ransomware to hosts across the domain.
The ransomware itself is written in Go and has Windows-, Linux-, and ESXi-compatible variants. It has multiple built-in functions that are enabled via command line arguments, including disabling Windows Defender, deleting shadow copies and log files to hinder recovery and investigation, and launching a script that deletes the ransomware binary once the encryption routines have completed.
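Each of those built-in functions has to be carried out through the operating system, and on Windows that usually means a recognizable command line (shadow copy deletion, Defender tampering, event log clearing, a delayed self-delete). The following is an added example, not code from Secureworks CTU or from the ransomware, showing detection logic for those behaviours run over constructed process-creation records. The command lines are generic patterns for these techniques and are not claimed to be The Gentlemen's exact invocations; it escalates a host only when several categories co-occur, since a lone `vssadmin` call can come from legitimate backup software.

```python
"""Flag pre-encryption ransomware behaviour in process command lines.

Constructed example. Sample events and patterns are illustrative; tune the
category threshold and parent-process exclusions to the environment.
"""
import re

# Generic command-line patterns for the behaviours described above.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*remove-wmiobject", re.I),
    "defender_tamper": re.compile(
        r"set-mppreference\s+-disable\w+\s+\$?true|disableantispyware", re.I),
    "log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b|clear-eventlog", re.I),
    # Delay (ping/timeout) chained to a del of the binary: a common self-delete idiom.
    "self_deletion": re.compile(r"(ping|timeout).*[&;].*\bdel\b", re.I),
}


def classify(cmdline):
    """Return the sorted list of behaviour categories matched by one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def summarize(events, min_categories=2):
    """Group matched categories per host and return hosts crossing the threshold.

    The combination of behaviours, not any single command, is the ransomware
    signal, so a host with only one category (e.g. backup software pruning
    shadow copies) is not escalated.
    """
    per_host = {}
    for ev in events:
        cats = classify(ev["cmdline"])
        if cats:
            per_host.setdefault(ev["host"], set()).update(cats)
    return {h: sorted(c) for h, c in per_host.items() if len(c) >= min_categories}


# Constructed sample: ws01 shows the full pre-encryption sequence, srv02 does not.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "parent": "powershell.exe",
     "cmdline": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws01", "parent": "cmd.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "ws01", "parent": "enc.exe",
     "cmdline": 'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del /f /q "C:\\Users\\Public\\enc.exe"'},
    {"host": "srv02", "parent": "backupagent.exe",
     "cmdline": "vssadmin.exe delete shadows /for=D: /oldest"},
    {"host": "srv02", "parent": "services.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], classify(ev["cmdline"]) or "-", ev["cmdline"])
    print("escalate:", summarize(SAMPLE_EVENTS))
```

Because the Linux and ESXi variants will not produce these Windows command lines, the same approach there would key on `esxcli vm process kill` and snapshot removal commands instead; the per-host aggregation logic is unchanged.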