Threat actor zeta88 is promoting a new ransomware-as-a-service operation called The Gentlemen's RaaS on hacking forums, targeting Windows, Linux, and ESXi systems. The platform offers affiliates 90 percent of ransom payments and features cross-platform encryption tools developed in Go and C. This development highlights the ongoing commercialization of sophisticated ransomware targeting enterprise environments.
On October 29, 2025, threat intelligence reports emerged detailing the advertisement of The Gentlemen's RaaS by the operator known as zeta88 across underground hacking forums. This cross-platform ransomware-as-a-service (RaaS) targets enterprise systems running Windows, Linux—including network-attached storage (NAS) and BSD variants—and VMware ESXi virtual environments.
The technical architecture emphasizes modularity and efficiency. Windows and Linux lockers are built in Go for cross-compilation and resource optimization, while the ESXi variant, coded in C, has a compact size of approximately 32 kilobytes to facilitate stealthy deployment in virtualized setups. Encryption relies on XChaCha20 stream cipher and Curve25519 for key exchange, with per-file ephemeral keys to hinder decryption efforts. Propagation and persistence mechanisms include Windows Management Instrumentation (WMI), WMIC, SCHTASKS for scheduled tasks, SC for services, and PowerShell Remoting, enabling lateral movement and run-on-boot execution. The malware also automates network share discovery for worm-like spread.
Economically, the program allocates 90 percent of ransom proceeds to affiliates, with operators retaining 10 percent. Affiliates control negotiations, leveraging their expertise, while the operator provides backend support, including a data-leak site for exfiltrated data and a universal decryptor for all platforms. Builds are password-protected to evade analysis.
The operation excludes targets in Russia and Commonwealth of Independent States (CIS) countries, a common trait in Russian-affiliated cybercrime. All specifications stem from unverified promotional materials, but they align with trends in professional ransomware development. Organizations are advised to enhance endpoint detection, network segmentation, and backups against such threats.
