Threat Analysis: The Gentlemen Ransomware and ARToken Phishing Platform, What UK SMBs Need to Know


Hello, Mauven here.

This is your Daily Threat Analysis for 1st July 2026.

Two items today. Both are significant. Neither is being communicated with the urgency it deserves.


The Gentlemen: A Ransomware Group That Kills Your Security Tools Before You Notice

The Gentlemen ransomware-as-a-service group has been confirmed as a top-10 global threat actor in the first half of 2026. That is not a vendor marketing claim. That is Kaspersky’s Securelist assessment, corroborated by independent incident response analysis from Expel.

Here is what that ranking means in practice: this group has the operational maturity, infrastructure, and affiliate network to hit organisations at scale. They are not opportunistic. They are systematic.

What the coverage is not emphasising clearly enough is the specific technique that makes them particularly dangerous to organisations with limited security operations capability, which is most UK SMBs.

During an incident investigated in early April 2026, The Gentlemen exploited a zero-day vulnerability in ktapi.sys, a legitimate driver from Kontron, an industrial hardware manufacturer. The technique is called Bring Your Own Vulnerable Driver, or BYOVD. The concept has been around since at least 2022, and the NCSC has published guidance on it. What makes this instance notable is that the specific driver was obscure enough that no existing detection tooling was flagging it, and the exploit chain was sophisticated enough to neutralise endpoint detection and response tools entirely before the ransomware payload was deployed.

To be clear about what that means operationally: your EDR goes dark, and you probably do not know why. A monitoring alert that your security agent has stopped reporting is not, by itself, unusual in many environments. Agents crash. Licenses lapse. Servers reboot. In most UK SMBs, that alert goes to a shared IT inbox and sits there for a few hours.

A few hours is all The Gentlemen need.

The group’s broader methodology is worth understanding because it is not unusual in the ransomware ecosystem, but it is thorough. Initial access typically comes via internet-facing devices: VPNs, firewalls, perimeter appliances. Once inside, they conduct extensive reconnaissance using tools including SharpADWS, NetScan, and Advanced IP Scanner. They capture network traffic using netsh. They map the environment carefully before moving. This is not smash-and-grab. This is a deliberate operation.

The advisory from Securelist attributes the group and describes their custom tooling (SharkLoader, ZichatBot, CoolClient), but what it does not say is that the BYOVD technique used here represents an escalation in the accessibility of EDR-bypass capability. The fact that an affiliate group, operating under a RaaS model, has access to a working zero-day driver exploit tells you something about the current state of the criminal marketplace.

If your IT provider tells you that your endpoint protection makes you safe from ransomware, ask them specifically whether tamper protection is enabled, and ask them what their monitoring procedure is when an agent stops reporting. If they cannot answer the second question in under thirty seconds, that is your answer.

What to check today

  • Confirm tamper protection is enabled on your EDR platform. This is not the same as the EDR being installed and running.
  • Ask your IT provider or MSP how they are alerted when an endpoint agent goes offline unexpectedly, and what the response time expectation is.
  • If you run any internet-facing VPN or firewall appliances, confirm they are on current firmware. The Gentlemen specifically exploit these for initial access.
  • Review whether your backup systems are isolated from your primary network. If ransomware reaches your EDR before it reaches your backups, isolated backups are your recovery path.
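The second check above (how quickly a silent agent gets noticed) can be turned into a rule rather than an inbox. The following is an added example, not code from this briefing or from the Expel or Securelist reports: it flags hosts whose EDR heartbeat has stopped and escalates those where a kernel-mode driver service was installed (Windows System log Event ID 7045) around the time the agent went quiet. The telemetry, hostnames and field layout are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry: an EDR heartbeat feed (host, timestamp) and
# Windows "new service installed" events (Event ID 7045). Field order is an
# assumption for this example, not any vendor's schema.
HEARTBEATS = [
    ("HR-LAPTOP-01", "2026-04-02T09:00:00"),
    ("HR-LAPTOP-01", "2026-04-02T09:05:00"),
    ("FS-01", "2026-04-02T09:00:00"),
    ("FS-01", "2026-04-02T09:05:00"),
    ("FS-01", "2026-04-02T09:10:00"),
    ("DC-01", "2026-04-02T09:25:00"),
]
SERVICE_INSTALLS = [
    # (host, time, service name, image path, service type as logged in 7045)
    ("FS-01", "2026-04-02T09:08:30", "ktapi", r"C:\Windows\Temp\ktapi.sys", "kernel mode driver"),
    ("HR-LAPTOP-01", "2026-04-02T08:50:00", "VendorUpdater", r"C:\Program Files\Vendor\svc.exe", "user mode service"),
]
NOW = datetime.fromisoformat("2026-04-02T09:30:00")


def silent_hosts(heartbeats, now, max_gap_minutes=15):
    """Return {host: last_seen} for hosts whose newest heartbeat is older than max_gap."""
    last_seen = {}
    for host, ts in heartbeats:
        t = datetime.fromisoformat(ts)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
    gap = timedelta(minutes=max_gap_minutes)
    return {h: t for h, t in last_seen.items() if now - t > gap}


def byovd_suspects(heartbeats, installs, now, window_minutes=30):
    """Escalate a silent agent when a kernel-mode driver service was installed on
    that host within +/- window_minutes of its last heartbeat. A user-mode service
    on a silent host is ignored; an agent crash with no driver activity stays a
    routine ticket. Returns a list of (host, driver image path)."""
    silent = silent_hosts(heartbeats, now)
    window = timedelta(minutes=window_minutes)
    hits = []
    for host, ts, _name, path, service_type in installs:
        if host not in silent or service_type != "kernel mode driver":
            continue
        t = datetime.fromisoformat(ts)
        if silent[host] - window <= t <= silent[host] + window:
            hits.append((host, path))
    return hits


if __name__ == "__main__":
    print("silent:", sorted(silent_hosts(HEARTBEATS, NOW)))
    print("investigate now:", byovd_suspects(HEARTBEATS, SERVICE_INSTALLS, NOW))
```

Both silent hosts are worth a ticket; only FS-01, where a new kernel driver appeared minutes before the agent went quiet, should page someone.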

ARToken: Microsoft 365 Phishing-as-a-Service, and Why MFA Does Not Protect You Here

Cisco Talos published detailed analysis today of a phishing-as-a-service platform called ARToken, operating as part of the EvilTokens affiliate ecosystem. The platform targets Microsoft 365.

I want to be precise about what ARToken is, because the summary descriptions in circulation understate it.

ARToken is not a phishing kit that sends fake login pages. It is an affiliate management platform with over 80 documented API endpoints that automate the entire attack chain for Microsoft 365 account compromise. That includes:

  • Device code phishing: Victims are tricked into authorising what appears to be a legitimate device or application. The attacker receives an OAuth token. No password is stolen because no password is entered.
  • Primary Refresh Token (PRT) persistence: Once a PRT is obtained, the attacker can generate new access tokens silently. The victim’s account remains compromised even if passwords are changed, because the token is still valid.
  • Email access and exfiltration: Automated access to inbox contents.
  • SharePoint exfiltration: Document libraries, internal wikis, shared drives.
  • BEC operations: Business email compromise workflows built directly into the platform.

The critical point for UK SMBs is this: standard MFA does not stop device code phishing. The authentication flow is legitimate. The user approves a real Microsoft prompt. The token that flows to the attacker is genuine. Your conditional access logs will show a successful authentication event from a trusted device.

This is not a new technique. Device code phishing has been documented since at least 2021. The NCSC has published guidance on restricting device code flow in Microsoft 365 tenants. What ARToken represents is the industrialisation of that technique, making it accessible to affiliates who do not need to understand the underlying mechanism, only how to run the panel.

The practical implication: if you are a UK professional services firm, an accountancy practice, a legal firm, or any organisation where Microsoft 365 is your primary working environment, ARToken-enabled affiliates represent a direct threat to your client data, your internal communications, and your financial processes.

BEC fraud, where attackers impersonate company directors or suppliers to redirect payments, remains the single highest-value fraud category affecting UK SMBs. A platform that automates email account access and provides BEC workflow tooling is not an abstract threat. It is infrastructure built to take money out of UK business bank accounts.

What to check today

  • Log in to your Microsoft 365 admin centre and check whether device code flow is restricted in your conditional access policies. If you do not have conditional access policies configured, that is a more urgent conversation to have.
  • Ask your IT provider whether they monitor for Primary Refresh Token anomalies or unusual OAuth token issuance in your tenant.
  • Review whether your Microsoft 365 users have received any training on device code phishing specifically. Generic phishing awareness training does not cover this scenario: the prompts look legitimate because they are.
  • If you process supplier payments or client fund transfers via email, review your authorisation procedures. A compromised email account that looks and behaves normally is indistinguishable from the real thing without out-of-band verification.
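Because the sign-in is genuine, the useful signal is the flow that was used, not whether authentication succeeded. The following is an added example, not code from the briefing or from Cisco Talos: it picks out successful device-code sign-ins from Entra ID sign-in records and ranks higher those redeemed from a country the user has not otherwise signed in from. The records are constructed; the field names follow the Microsoft Graph signIn resource as I understand it and should be treated as assumptions, and the country heuristic is a deliberately simple one chosen for this example.

```python
import json

# Constructed sample in the shape of Entra ID sign-in log records (a subset
# of the Microsoft Graph signIn fields; treat the field names as assumptions).
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime":"2026-07-01T08:02:11Z","userPrincipalName":"a.khan@example.com",
  "ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},
  "authenticationProtocol":"oAuth2","status":{"errorCode":0}},
 {"createdDateTime":"2026-07-01T08:40:57Z","userPrincipalName":"a.khan@example.com",
  "ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},
  "authenticationProtocol":"deviceCode","status":{"errorCode":0}},
 {"createdDateTime":"2026-07-01T09:01:40Z","userPrincipalName":"j.doe@example.com",
  "ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},
  "authenticationProtocol":"oAuth2","status":{"errorCode":0}},
 {"createdDateTime":"2026-07-01T09:15:03Z","userPrincipalName":"j.doe@example.com",
  "ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},
  "authenticationProtocol":"deviceCode","status":{"errorCode":0}}
]""")


def device_code_signins(records):
    """Successful sign-ins completed via the device code flow. These look like
    ordinary successful authentications unless you key on the protocol."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode") == 0]


def triage(records):
    """Rank each device-code sign-in: 'high' when the token was redeemed from a
    country the user has no other sign-ins from, 'review' otherwise.
    Returns a list of (upn, ip, severity) in log order."""
    usual = {}
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            usual.setdefault(r["userPrincipalName"], set()).add(r["location"]["countryOrRegion"])
    out = []
    for r in device_code_signins(records):
        upn = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        severity = "high" if country not in usual.get(upn, set()) else "review"
        out.append((upn, r["ipAddress"], severity))
    return out


if __name__ == "__main__":
    for upn, ip, severity in triage(SAMPLE_SIGNINS):
        print(f"{severity:6} device-code sign-in for {upn} from {ip}")
```

Every hit, including the 'review' ones, is worth a question to the user if device code flow is not something your organisation legitimately uses; blocking the flow in Conditional Access, as the first check above describes, removes the need to triage at all.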

A Note on the NCSC’s CNI Pen Testing Blog

The NCSC published a blog post today based on what industry penetration testers told them about the state of critical national infrastructure defences. I mention it here not because it is directly targeted at SMBs (it is not), but because the findings will be familiar to anyone who has looked honestly at the state of security in smaller organisations.

The pen testers reported the usual: default credentials still in use, insufficient network segmentation, poor patch management, inadequate monitoring. These are not exotic findings. They are the same findings that have appeared in NCSC guidance, Cyber Essentials documentation, and every incident post-mortem for the past decade.

The fact that the NCSC is still receiving these findings from pen testers working on critical national infrastructure should tell you something about how seriously organisations take published guidance when there is no immediate pressure to act. The threat landscape does not afford that luxury.


Sources

  • Expel: Not very gentlemanly: Analyzing a zero-day exploit used to disable targets’ EDRs
    https://expel.com/blog/not-very-gentlemanly-analyzing-a-zero-day-exploit-used-by-the-gentlemen-ransomware-to-disable-targets-edrs/
  • Securelist (Kaspersky): The Gentlemen are knocking: custom backdoors and evolving tactics
    https://securelist.com/the-gentlemen-raas/120447/
  • Cisco Talos: ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365
    https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365/
  • NCSC: Building more resilient CNI: what industry pen testers told us
    https://www.ncsc.gov.uk/blogs/building-more-resilient-cni-what-industry-pen-testers-told-us
  • BleepingComputer: Over 900 Oracle E-Business instances exposed to ongoing attacks
    https://www.bleepingcomputer.com/news/security/over-900-oracle-e-business-instances-exposed-to-ongoing-attacks/

If this briefing is useful to you, follow Threat Analysis wherever you listen so tomorrow’s brief lands automatically. And if someone in your network, a fellow business owner, an office manager, an IT lead at a firm without a security function, would benefit from knowing what was in today’s picture, pass it on. The Gentlemen are not waiting for them to subscribe first.
