Threat Actors to Watch: Three Groups Targeting Organisations Right Now
From a fast-growing ransomware affiliate network to a politically motivated DDoS collective and a prolific data extortion group, these three threat actors represent distinct but pressing risks across sectors and regions. CYJAX breaks down what each group does, why they matter, and what security teams should know.

Key takeaways:
- A data breach costs organisations an average of $4.88 million globally; understanding who is responsible before an incident escalates is what limits that damage.
- TheGentlemen has named over 150 victims across 30+ countries in under a year, primarily through unpatched Fortinet devices.
- NoName057(16) selects targets based on geopolitical news cycles, giving organisations in NATO-aligned countries very little advance warning.
- DDoS attacks directly impact Availability under the CIA triad, a board-level concern that extends beyond data loss to operational continuity and reputation.
- ShinyHunters consistently follows through on data publication threats, meaning the regulatory, legal, and reputational consequences outlast the breach itself.
Understanding Threat Actor Intelligence
Discovering that a breach has occurred is not merely a trigger for response planning; it is one of the most operationally and financially disruptive events an organisation can face, with the average cost of a data breach now sitting at $4.88 million globally and ransomware attacks increasing by 67% year-on-year. The difference between a damaging incident and a contained one often comes down to what a security team knew before the breach escalated: which group is responsible, how they operate, and what they are likely to do next.
Threat actor intelligence provides that context, allowing teams to prioritise defences, recognise early indicators of compromise, and move from a reactive posture to a more targeted and surgical response, one informed by specific knowledge of adversary behaviour rather than generic playbooks.
Below, CYJAX profiles three active threat groups that organisations across multiple sectors and regions should be monitoring closely right now.
1. TheGentlemen
Aliases: Gentleman, TheGentile | Type: Ransomware-as-a-Service | Threat Level: High
Who They Are
TheGentlemen is a financially motivated ransomware group that emerged in August 2025 and has moved fast, naming over 150 victims across more than 30 countries in under a year. The group operates a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out attacks while it provides the infrastructure, retaining 10% of each ransom paid. Its targets span manufacturing, healthcare, financial services, energy, government, and education across the Americas, EMEA, and APAC.
What They Do
TheGentlemen enters networks by exploiting vulnerabilities in internet-facing firewall devices, most notably those from Fortinet, and has built a shared inventory of approximately 14,500 compromised devices that affiliates can pick from. Once inside a network, the group steals sensitive data before encrypting systems, then threatens to publish that data on its public leak site unless a ransom is paid. In December 2025, Oltenia Energy Complex confirmed an attack by the group that disrupted its ERP systems, email services, and website.
Why It Matters
TheGentlemen's speed of growth, broad sector targeting, and scalable affiliate model make it one of the most operationally significant ransomware groups active today. For CISOs, the key exposure point is unpatched internet-facing infrastructure, particularly Fortinet devices, which the group has systematically weaponised at scale.
2. NoName057(16)
Type: Hacktivist | Motivation: Pro-Russia, Geopolitical | Threat Level: High
Who They Are
NoName057(16) is a Russian-speaking hacktivist group that formed in March 2022 following Russia's invasion of Ukraine. It has since become one of the most active and organised pro-Russian hacktivist collectives operating today, with a Telegram following that peaked at 75,000 and confirmed ties to groups linked to the Russian state. It is a core member of the HolyLeague, a broader alliance of Russian, Iranian, and Turkish hacktivist groups that coordinate attacks against shared targets.
What They Do
The group runs a crowdsourced attack platform called DDoSia, through which volunteers lend their devices to a botnet in exchange for small cryptocurrency payments, giving NoName057(16) scalable attack capacity without relying on compromised infrastructure. It uses this to launch disruptive DDoS attacks against government, financial, and transport sector targets in countries it perceives as hostile to Russia, responding to geopolitical events within days. Current campaigns are focused on the UK, France, Austria, and Ukraine, with Austria targeted specifically in response to Israel's participation in Eurovision 2026.
Why It Matters
NoName057(16) selects targets based on news cycles, meaning any organisation in a NATO-aligned country or associated with Ukraine support is a potential target with very little warning. DDoS attacks do not result in data theft, but their effect on Availability, the A in the CIA triad, can be significant, disrupting public-facing services, degrading operational continuity, and creating reputational consequences that resonate at board and executive level. This also underlines the value of sustained geopolitical intelligence: organisations that monitor the broader threat landscape can anticipate when shifts in the political environment are likely to make them a target, rather than discovering it only once an attack is underway.
3. ShinyHunters
Type: Data Extortion | Motivation: Financial | Threat Level: High
Who They Are
ShinyHunters is a well-established and highly capable threat group focused on large-scale data theft and extortion. The group has a long track record of compromising major enterprises, exfiltrating sensitive customer data, and using the threat of public exposure to extract ransom payments. It operates a Tor-based data-leak site where victim organisations are listed publicly and given a deadline to pay before their data is released.
What They Do
In May 2026, ShinyHunters listed Charter Communications, one of the largest broadband providers in the United States, on its leak site, claiming to have stolen 42 million records containing personally identifiable information. Charter Communications confirmed the breach but disputed the scope of what was taken, a position the group directly contradicted. ShinyHunters has a consistent history of following through on data publication, making the threat credible regardless of what victims publicly state.
Why It Matters
The Charter Communications case is a reminder that no organisation is too large to be targeted and that a breach confirmation without full transparency carries its own risks. For security and legal teams, the downstream consequences extend well beyond the ransom itself, encompassing regulatory penalties, litigation exposure, reputational damage, and the long-term misuse of leaked data in fraud and phishing campaigns targeting affected customers.
Staying ahead of groups like these requires more than threat feeds and alerts. It requires knowing who is active, who they are targeting, and what your organisation looks like from their perspective. Book a demo with CYJAX to see how our analyst-led intelligence platform helps your team move from reactive to ready.
Get Started with CYJAX CTI
Empower Your Team. Strengthen Your Defences. CYJAX gives you the intelligence advantage: clear, validated insights that let your team act fast without being buried in noise.