The Gentlemen Ransomware Group Exploits Fortinet Flaws and AI Tools

The Gentlemen Ransomware Group Exploits Fortinet Flaws and AI Tools

First seen 3 Jun 2026, 20:10 UTC GbhackersCybersecuritynewsRescanawww.halcyon.ai 83% similarity 69.5

Article Content

Browse articles
ThreatCluster

The Gentlemen ransomware group has emerged as a significant threat in 2026, exploiting vulnerabilities in Fortinet systems, particularly CVE-2024-55591, an authentication bypass flaw. They have been observed using brute-force attacks on approximately 1,000 Fortinet VPN instances, often leveraging weak credentials. The group utilizes a custom command-and-control framework called G-BOT, replacing traditional tools like Cobalt Strike. AI tools, including ChatGPT, are employed for social engineering and automating victim communications. The group has a shared infrastructure with other ransomware brands, indicating a trend of rebranding among cybercriminals. Their operations have been linked to a threat actor known as 'Tinker,' who has appeared in previous ransomware campaigns. The current status of their activities suggests ongoing exploitation and a high level of sophistication in their operations.

Key Points: • The Gentlemen ransomware group exploits Fortinet vulnerabilities, notably CVE-2024-55591. • They utilize brute-force attacks on around 1,000 Fortinet VPN instances with weak credentials. • AI tools are integrated into their operations for phishing and victim communication.

ThreatCluster AI

Timeline

2025-01-14
CVE-2024-55591 published
Fortinet disclosed an authentication bypass vulnerability in FortiOS, enabling potential exploitation.
Gbhackers
2025-01-14
CVE-2024-55591 added to CISA KEV
CISA included CVE-2024-55591 in its Known Exploited Vulnerabilities catalog due to active exploitation.
Gbhackers
2025-01-19
First public PoC for CVE-2024-55591
A proof of concept for the Fortinet vulnerability was publicly released, increasing risk of exploitation.
Gbhackers
Recent
Brute-force attacks on Fortinet VPNs observed
The Gentlemen group targeted around 1,000 Fortinet VPN instances using weak credentials like 'gentlemen25'.
Gbhackers

Community

Browse all →