KrebsOnSecurity Unmasks The Gentlemen Ransomware Operator
An investigation published by KrebsOnSecurity unmasked the individual behind The Gentlemen ransomware group, identifying him as Alexander Andreevich Yapaev, a 36-year-old from Izhevsk, Russia. The group is the second most active ransomware gang, claiming over 332 published victims since mid-2025, with more than 240 attacks documented in 2026 alone. The unmasking shows how Yapaev, operating under the aliases Zeta88 and Hastalamuerte, established a ransomware-as-a-service (RaaS) operation that offered affiliates a 90 percent revenue split, attracting many cybercriminals.
The threat landscape remains busy: Microsoft addressed 200 flaws, including six zero-day vulnerabilities, in its June 2026 Patch Tuesday, among them an actively exploited spoofing flaw in Exchange Server, CVE-2026-42897. Concurrently, an unauthenticated authentication bypass vulnerability, CVE-2026-10795, in the UpdraftPlus WordPress plugin is under active exploitation, putting millions of installations at risk. The China-linked JDY botnet, associated with the Volt Typhoon threat actors, has expanded its reconnaissance efforts, specifically targeting U.S. military and associated networks.
Oracle has also released an emergency fix for a Remote Code Execution (RCE) vulnerability, CVE-2026-35273, in PeopleSoft Enterprise PeopleTools. This vulnerability, with a CVSS score of 9.8, allows unauthenticated attackers to achieve complete system takeover. These developments show heightened threat activity across direct criminal enterprises, state-sponsored espionage, and widespread opportunistic exploitation.
How was "The Gentlemen" ransomware operator unmasked?
The operator of The Gentlemen ransomware group, identified as Alexander Andreevich Yapaev, was unmasked through a breadcrumb trail across cybercrime forums and public records. Yapaev, known online by the aliases Zeta88 and Hastalamuerte, registered on platforms including Exploit, Breachforums, and Raidforums from 2019 onward. His registration on Breachforums in January 2025 was tied to an Internet address in Izhevsk, Russia, a detail corroborated by his registration as Zeta88 on the Breached forum in August 2022 from another Izhevsk IP address.
Further investigation by security firms Intel 471, Flashpoint, and Constella Intelligence linked the alias Hastalamuerte to the email address hastalamuerte1488@protonmail.com, a GitHub account under SantaMuerte, and a Telegram username @hastalamuerte18. The Protonmail address and Telegram ID were connected to a Russian phone number ending in 04. This phone number was then traced through hacked Russian government databases, identifying Alexander Andreevich Yapaev of Izhevsk as the owner.
Yapaev's digital footprint also included a Pikabu social media account under "4apai18" and a LinkedIn profile where he listed himself as the head of B2B marketing at Uralenergo Udmurtia, a Russian electrotechnical supplier. Early forum posts from 2019-2020 revealed a less sophisticated hacker, still learning penetration testing tools, demonstrating a common trajectory for cybercriminals who gradually develop their skills and expand their operations.
What did Microsoft Patch Tuesday address this June 2026?
Microsoft's June 2026 Patch Tuesday released security updates for 200 flaws, including six zero-day vulnerabilities, to address security exposures across its product suite. Of these six, one was actively exploited in attacks, and five were publicly disclosed prior to the patch release. The updates included fixes for 33 Critical vulnerabilities, with 28 of these being Remote Code Execution (RCE) flaws, 4 elevation of privilege, and 1 information disclosure. For historical context on similar security releases, readers can refer to our analysis of Microsoft's May 2026 Patch Tuesday.
The actively exploited vulnerability, CVE-2026-42897, is a Microsoft Exchange Server Spoofing Vulnerability. This flaw allows an attacker to execute arbitrary JavaScript in a target's browser if the user opens a specially crafted email in Outlook Web Access and specific interaction conditions are met. Microsoft is deploying mitigations for this flaw through its Exchange Emergency Mitigation Service, which is enabled by default. This type of vulnerability shows the ongoing need for continuous patching, as discussed in our report on Microsoft WebDAV zero-day fixes.
The five publicly disclosed zero-days fixed this month included several Windows privilege escalation and security bypass vulnerabilities:
- CVE-2026-45586: A Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability, known as GreenPlasma, allows local attackers to gain SYSTEM privileges. Security researcher Nightmare Eclipse publicly disclosed this flaw.
- CVE-2026-49160: An HTTP.sys Denial of Service Vulnerability, dubbed the "HTTP/2 Bomb" by researchers at Calif., allows unauthenticated attackers to cause service outages by exploiting HTTP/2 protocol compression. Microsoft introduced a new "MaxHeadersCount" registry setting to mitigate this.
- CVE-2026-45585: A Windows BitLocker Security Feature Bypass Vulnerability, known as YellowKey, enables local attackers with physical access to bypass BitLocker Device Encryption on TPM-only protected systems (Windows 11, Windows Server 2022/2025). Nightmare Eclipse also disclosed this flaw.
- CVE-2026-50507: Another Windows BitLocker Security Feature Bypass Vulnerability, believed to fix the "bitskrieg" zero-day disclosed by Windows security expert Jonas Lykkegaard, which also allows local access to encrypted drives.
- CVE-2020-17103: A Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability, identified as "Mini-Plasma," grants SYSTEM privileges. This flaw, also disclosed by Nightmare Eclipse, was originally reported by Google Project Zero's James Forshaw in 2020 and was thought to be fixed then.
The volume of fixes, particularly for zero-days, shows the persistent effort required in patch management and vulnerability response.
How are attackers exploiting the UpdraftPlus vulnerability?
Attackers are actively exploiting CVE-2026-10795, an unauthenticated authentication bypass vulnerability in the UpdraftPlus WordPress plugin, impacting over three million active installations worldwide. This flaw allows unauthenticated attackers to execute arbitrary Remote Procedure Calls (RPC) as a connected administrator, leading to full website takeover. Wordfence reported blocking 4,987 attacks targeting this vulnerability within a single 24-hour period, indicating widespread and aggressive exploitation.
The vulnerability stems from a cryptographic validation error within the UpdraftCentral integration, which handles encrypted remote procedure calls. During processing, the software registers an unauthenticated listener, and a decryption step fails to properly verify malformed keys. This failure causes the system to default to an insecure state, using a deterministic cipher with an all-zero AES-128 key. Attackers can then encrypt their own malicious commands locally, which the vulnerable server accepts as legitimate without requiring authentic keys.
By using the RPC capabilities, attackers can trigger file upload commands, writing a malicious ZIP file directly to the server's disk. This ZIP file, once activated as a new plugin, grants the attackers arbitrary PHP and operating system command execution, effectively compromising the entire WordPress installation. The development team has released a security patch that introduces a strict return-value check to fix the broken cryptographic function, requiring immediate updates to the newest patched version of the UpdraftPlus plugin.
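The failure mode described above, as an added illustration that is not UpdraftPlus code: a stand-in keystream cipher (deliberately not AES) shows how an unchecked parser result degenerates into the all-zero key, and how a strict return-value check makes the decryption path fail closed. All function names and the sample command are hypothetical.

```python
import hashlib

KEY_LEN = 16  # AES-128 key size; the stand-in cipher below is NOT AES


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Deterministic keystream XOR standing in for the deterministic AES mode
    described in the write-up. Symmetric: encrypt and decrypt are the same call."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ s for b, s in zip(chunk, stream))
    return bytes(out)


def parse_key(key_hex: str):
    """Hypothetical key-material parser: returns None on malformed input,
    mimicking a helper whose failure value the caller never checked."""
    try:
        key = bytes.fromhex(key_hex)
    except ValueError:
        return None
    return key if len(key) == KEY_LEN else None


def decrypt_vulnerable(key_hex: str, ciphertext: bytes) -> bytes:
    # BUG: a None result is coerced to empty bytes and zero-padded, so any
    # malformed key string silently becomes the all-zero key.
    key = (parse_key(key_hex) or b"").ljust(KEY_LEN, b"\x00")
    return toy_cipher(key, ciphertext)


def decrypt_hardened(key_hex: str, ciphertext: bytes) -> bytes:
    # FIX: strict return-value check; malformed or missing key material is rejected.
    key = parse_key(key_hex)
    if key is None:
        raise ValueError("rejecting RPC: malformed or missing key material")
    return toy_cipher(key, ciphertext)


def demo():
    """Constructed scenario: a command encrypted under the all-zero key is
    submitted together with a deliberately malformed key string."""
    command = b'{"command":"upload_plugin"}'          # constructed sample
    zero_key_ct = toy_cipher(bytes(KEY_LEN), command)  # sender never had the site key
    accepted = decrypt_vulnerable("not-hex!!", zero_key_ct) == command
    try:
        decrypt_hardened("not-hex!!", zero_key_ct)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected
```

The same unit test a plugin developer would ship with the fix is the `demo()` pair: the vulnerable path accepts the zero-key message, the hardened path raises.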
Which U.S. military targets are facing the JDY botnet?
The China-linked JDY botnet, previously associated with Volt Typhoon threat actors, has expanded its targeting to focus predominantly on U.S. military and associated networks. Researchers at Lumen's Black Lotus Labs report that the botnet has grown from approximately 650 active bots in January 2024 to over 1,500 compromised SOHO and IoT devices today. JDY is not a DDoS botnet; it specializes in distributed scanning and fingerprinting to identify targets vulnerable to newly disclosed flaws.
The compromised devices in the JDY botnet come from various manufacturers, including Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, and span the MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures. The botnet's operators, linked to Chinese APT actors, rapidly operationalize reconnaissance output: Black Lotus Labs observed JDY scans targeting CVE-2026-35616, a Fortinet FortiClient EMS flaw, shortly after its public disclosure. CISA has previously warned about the risks Volt Typhoon poses to unprotected SOHO routers, urging vendors to harden their devices against such attacks.
The JDY botnet conducts various reconnaissance activities, including TCP and UDP scanning, SSL/TLS scanning, ICMP probing, banner collection, TLS certificate harvesting, and service fingerprinting using downloadable rule sets. Operators control the botnet via hidden Tor services that function as Command-and-Control (C2) infrastructure, with some instances also employing the open-source Platypus reverse-shell framework. The malware performs fast and stealthy raw SYN scanning when granted sufficient privileges, using custom-crafted TCP packets with a fixed source port of 19000.
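A detection angle on the fixed source port noted above, as an added example that is not Black Lotus Labs' tooling: normal TCP stacks pick ephemeral source ports, so one source sending SYN-only segments from the same port to many distinct targets is a usable signal. The log format and records are constructed for the example; the port constant is the one the report states.

```python
from collections import defaultdict

JDY_SRC_PORT = 19000  # fixed source port reported for JDY raw SYN scans

# Constructed conn-log-style records: ts src sport dst dport tcp_flags
SAMPLE_LOG = """\
1718000001 203.0.113.7 19000 192.0.2.10 443 S
1718000001 203.0.113.7 19000 192.0.2.11 443 S
1718000002 203.0.113.7 19000 192.0.2.12 22 S
1718000002 203.0.113.7 19000 192.0.2.13 8443 S
1718000003 198.51.100.4 51234 192.0.2.10 443 S
1718000003 198.51.100.4 51235 192.0.2.10 443 SA
1718000004 203.0.113.7 19000 192.0.2.14 443 S
"""


def parse(log: str):
    """Yield one dict per whitespace-separated record (hypothetical format)."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, flags = line.split()
        yield {"ts": int(ts), "src": src, "sport": int(sport),
               "dst": dst, "dport": int(dport), "flags": flags}


def find_fixed_port_syn_scanners(records, sport=JDY_SRC_PORT, min_targets=3):
    """Return {src: distinct (dst, dport) count} for sources that send
    SYN-only segments (flags == 'S') from the fixed source port to at
    least min_targets distinct destination endpoints."""
    targets = defaultdict(set)
    for r in records:
        if r["sport"] == sport and r["flags"] == "S":
            targets[r["src"]].add((r["dst"], r["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    print(find_fixed_port_syn_scanners(parse(SAMPLE_LOG)))
```

Treat a hit as a lead to pivot on (banner-grab follow-ups, TLS probes to the same targets), not a verdict on its own, since some legitimate software also pins a source port.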
What is the impact of Oracle's PeopleSoft RCE flaw?
Oracle has issued an emergency security alert regarding a Remote Code Execution (RCE) vulnerability, CVE-2026-35273, in PeopleSoft Enterprise PeopleTools. This flaw carries a near-maximum CVSS base score of 9.8, posing an immediate threat to corporate systems. The vulnerability specifically impacts PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62.
The RCE vector allows unauthenticated remote attackers with network access via HTTP to compromise affected systems without requiring any legitimate login credentials. Successful exploitation of CVE-2026-35273 can result in a total system takeover, giving malicious actors the ability to modify internal databases, view confidential user logs, deploy persistent backdoors, or execute arbitrary operating system commands. This level of compromise can have a catastrophic impact on corporate data security.
To remediate this flaw, organizations must deploy the latest vendor updates from the official Oracle Security Alerts page. Regular validation checks are advised to confirm that enterprise systems remain resilient against automated exploitation campaigns.
Technical Takeaways
- The Gentlemen ransomware group, run by Alexander Andreevich Yapaev, remains an active threat, accounting for over 240 victims in 2026 alone by using a 90% affiliate revenue model.
- Microsoft's June 2026 Patch Tuesday addressed 200 flaws, including 6 zero-days. CVE-2026-42897, an Exchange Server spoofing flaw, is under active exploitation, while multiple Windows privilege escalation and bypass flaws (e.g., GreenPlasma, YellowKey, Mini-Plasma, HTTP/2 Bomb) were publicly disclosed.
- CVE-2026-10795, an unauthenticated authentication bypass in the UpdraftPlus WordPress plugin, is being actively exploited, with Wordfence reporting 4,987 attacks in 24 hours against its three million active installations.
- The China-linked JDY botnet, associated with Volt Typhoon, has expanded its network to over 1,500 compromised SOHO and IoT devices, specifically targeting U.S. military and associated entities for reconnaissance and rapid exploitation of newly disclosed vulnerabilities like CVE-2026-35616.
- Oracle released an emergency patch for CVE-2026-35273, an RCE flaw (CVSS 9.8) in PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, enabling unauthenticated attackers to achieve complete system takeover.