Threat Intelligence · 10 min read · May 26, 2026

The Gentlemen Leak Analysis (Part 2) — JA456 Follow-on

Analysis of JA456, a follow-on package to the original Gentlemen Leaks that exposes operator-side artifacts — MEGA session history, a Synology NAS shadow dump, and wipe-in-progress screenshots — yielding rare attribution pivots including an early residential Izhevsk IP.

Ransom-ISAC Research Team

Contributors: Ellis Stannard, Nikolai Kichatov, Olivier Ferrand, Valery Rieß-Marchive

TLP:WHITE — Unrestricted Distribution within the Security Community

Ransom-ISAC Technical Intelligence Report

Executive summary

JA456 is a follow-on package to the original “Gentlemen Leaks” (4 May 2026) — see Part 1: https://ransom-isac.org/blog/the-gentlemen-leak-analysis/. It appears to have been shared by the same source and was also posted on Cracked under the username n7778 (unverified).

JA456 follow-on package posted on Cracked under the username n7778

Unlike typical leak packs focused solely on victim data, JA456 exposes operator-side artifacts: MEGA account session history and a Synology NAS shadow dump, plus screenshots taken during an apparent last-minute wipe. These artifacts provide rare visibility into tooling, timelines, and potential operator geolocation.

Why it matters / impact

  • Attribution-grade infrastructure breadcrumbs: session IPs and device/tool fingerprints (MEGAsync/MEGAcmd, rclone) can be pivoted into broader infrastructure mapping and clustering.
  • High-value lead: an early, pre-VPN residential Russian IP (92.39.211.142, Izhevsk/Udmurttelecom) may reflect an operator location prior to operational hardening. This IP may also be static and have been observed across multiple campaigns.
  • Historical operator tooling: related infrastructure and activity has been associated with Cobalt Strike and Havoc C2 in 2023, suggesting a broader, multi-year tradecraft footprint beyond this leak set.
  • Tradecraft confirmation: end-to-end exfil workflow (credential tooling → lateral movement → Synology NAS staging → rclone/MEGA) aligns with modern ransomware affiliate playbooks.
  • Downstream risk: confirmation of sensitive victim materials (pharma regulatory dossiers; Windows DC backup metadata including NTDS capture) indicates exposure and potential follow-on extortion/fraud risk.

What's in the package (at a glance)

  • MEGA — GDPR export for a staging account used for exfiltration (sessions, IPs, tooling fingerprints).
  • NAS — Synology /etc/shadow + screenshots documenting the NAS reset while exfiltration was still active.

What Is This

JA456 is a two-folder package dropped as a follow-on to the original Gentlemen Leaks. It contains data exfiltrated from the infrastructure of Zeta — a threat actor who was themselves compromised and wiped by The Gentlemen. The wider TheGentlemenLeak-main corpus confirms Zeta = The Gentlemen ransomware group, ranked #2 globally in 2026 (1,410 victims across 322 groups).


Package Contents

┌─────────────────────────┬─────────────────────────────────────────────────┐
│ Path                    │ What it is                                      │
├─────────────────────────┼─────────────────────────────────────────────────┤
│ MEGA/gdpr-data/         │ MEGA GDPR export from Zeta's staging account    │
│ MEGA/egypt/             │ Stolen pharma regulatory docs (victim redacted) │
│ MEGA/Backup_2025-07-30/ │ Windows VSS backup metadata from a victim DC    │
│ NAS/1.txt               │ /etc/shadow from Zeta's Synology NAS            │
│ NAS/99/                 │ 4 screenshots — NAS kill chain                  │
└─────────────────────────┴─────────────────────────────────────────────────┘

NAS /etc/shadow (from NAS/1.txt)

NAS /etc/shadow excerpt from NAS/1.txt
  • Password-hash accounts (high signal): operator and crew/user accounts with hashes present in /etc/shadow (excerpt below).
  • Locked/service accounts (low signal): Synology and service accounts typically present on DSM; shown for completeness.

Accounts with password hashes (excerpt)

┌───────────┬─────────┬────────────────────────────────┐
│  Account  │  Hash   │             Notes              │
├───────────┼─────────┼────────────────────────────────┤
│ zeta88    │ SHA-512 │ Primary operator               │
├───────────┼─────────┼────────────────────────────────┤
│ admin     │ SHA-512 │                                │
├───────────┼─────────┼────────────────────────────────┤
│ 3NT3R     │ SHA-512 │ min_age=100000 — locked        │
├───────────┼─────────┼────────────────────────────────┤
│ B1d3n     │ SHA-512 │                                │
├───────────┼─────────┼────────────────────────────────┤
│ C0CA      │ SHA-512 │ min_age=100000 — locked        │
├───────────┼─────────┼────────────────────────────────┤
│ d0wnloAd1 │ SHA-512 │                                │
├───────────┼─────────┼────────────────────────────────┤
│ equal1z3r │ SHA-512 │                                │
├───────────┼─────────┼────────────────────────────────┤
│ F3N1X     │ SHA-512 │ min_age=100000 — locked        │
├───────────┼─────────┼────────────────────────────────┤
│ Gblog88   │ SHA-512 │                                │
├───────────┼─────────┼────────────────────────────────┤
│ guest     │ MD5     │ Weak — legacy Synology default │
├───────────┼─────────┼────────────────────────────────┤
│ JLL       │ SHA-512 │                                │
├───────────┼─────────┼────────────────────────────────┤
│ LDW       │ SHA-512 │                                │
├───────────┼─────────┼────────────────────────────────┤
│ n0n3      │ SHA-512 │                                │
├───────────┼─────────┼────────────────────────────────┤
│ PRTGRS    │ SHA-512 │ min_age=100000 — locked        │
├───────────┼─────────┼────────────────────────────────┤
│ W1Z       │ SHA-512 │                                │
└───────────┴─────────┴────────────────────────────────┘

Locked / service accounts (no login, *)

anonymous, avahi, bind, daemon, dbus, dovecot, FileStation, ftp, http, HybridShare, HybridShareSystem, HyperBackup, ldap, lp, MEGAcmd, myds, mysql, nobody, ntp, OAuthService, postfix, postgres, Python2, QuickConnect, root, rpc, sc-rclone, SecureSignIn, StorageManager, SynoFinder, synoplugind, SynoRsyncd, synotss, system, SYSTEM_ADMIN, taskmgr, tokenmgr, videodriver, vmcomm

MEGA Account

[email protected] / [email protected] — alias “The G” — free tier, no contacts, no shared links.

Sessions

┌────────────────────────────┬─────────┬─────────────────────────┬────────────────────────────────┬──────────────────────────────────────┐
│ IP                         │ Country │ When                    │ Tool                           │ Note                                 │
├────────────────────────────┼─────────┼─────────────────────────┼────────────────────────────────┼──────────────────────────────────────┤
│ 192.42.116.104             │ NL      │ 2026-05-01              │ Firefox/Linux                  │ LIVE — Tor exit                      │
│ 178.130.46.120             │ RU      │ 2025-12-18              │ MEGAsync 6.2.2 / MEGAcmd 2.3.0 │ Primary ops IP                       │
│ 193.228.128.2              │ RU      │ 2025-12-29              │ rclone v1.71.0                 │ Their NAS                            │
│ 194.87.31.69               │ NL      │ 2025-10-16              │ MEGAsync 6.0.0.3               │ VPN/staging                          │
│ 89.185.80.134              │ US      │ 2025-11-14 → 2026-04-12 │                                │ Secondary                            │
│ 92.39.211.142              │ RU      │ 2025-11-14 → 2025-12-19 │                                │ Udmurttelecom, Izhevsk — residential │
│ 2a12:a800:2:1:45:138:16:82 │ DE      │ 2025-10-17              │                                │ Single event                         │
│ 2a03:e600:100::2           │ AT      │ 2025-10-16              │                                │ Single event                         │
└────────────────────────────┴─────────┴─────────────────────────┴────────────────────────────────┴──────────────────────────────────────┘

92.39.211.142 is the key lead — Udmurttelecom residential ISP in Izhevsk, Udmurt Republic. Active before VPN was set up. Chat message activity peaks at 17:00 UTC (20:00 MSK), consistent with UTC+4 (Izhevsk) timezone.
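The two analytic moves behind the session table and the Izhevsk lead are (a) turning per-IP first-seen/last-seen data into activity windows and looking for one IP going quiet just as another appears, and (b) a simple hour-of-day histogram of activity. The script below is an added example, not the report's or MEGA's code. The record shape is an assumed simplification of the firstseen/lastseen data the report cites from sessions.json (additional_ip_activity); the real export schema is not reproduced. The dates are the ones given in this report, and the event timestamps are constructed.

```python
"""Per-IP activity windows, handovers and hour-of-day peak from session data.

Added example (not code from the report or from MEGA). The record shape is an
ASSUMED simplification of a MEGA GDPR export; EVENT_TIMES_UTC is CONSTRUCTED.
"""
from collections import Counter
from datetime import date, datetime

IP_ACTIVITY = [  # constructed from the dates in the report's session table
    {"ip": "194.87.31.69",   "firstseen": "2025-10-16", "lastseen": "2025-10-16"},
    {"ip": "92.39.211.142",  "firstseen": "2025-11-14", "lastseen": "2025-12-19"},
    {"ip": "89.185.80.134",  "firstseen": "2025-11-14", "lastseen": "2026-04-12"},
    {"ip": "178.130.46.120", "firstseen": "2025-12-18", "lastseen": "2026-04-12"},
    {"ip": "193.228.128.2",  "firstseen": "2025-12-29", "lastseen": "2025-12-29"},
]

EVENT_TIMES_UTC = [  # constructed message/session timestamps, ISO-8601 in UTC
    "2025-12-18T16:12:00Z", "2025-12-18T17:03:00Z", "2025-12-18T17:40:00Z",
    "2025-12-20T17:22:00Z", "2025-12-21T09:05:00Z", "2026-01-04T17:58:00Z",
    "2026-01-04T18:10:00Z", "2026-02-14T17:31:00Z",
]


def _day(s):
    return date.fromisoformat(s)


def activity_windows(records):
    """[(ip, first, last, active_days)] sorted by first-seen, then last-seen."""
    wins = []
    for r in records:
        first, last = _day(r["firstseen"]), _day(r["lastseen"])
        wins.append((r["ip"], first, last, (last - first).days + 1))
    return sorted(wins, key=lambda w: (w[1], w[2]))


def handovers(records, max_gap_days=3):
    """Pairs (old_ip, new_ip, gap_days) where old_ip goes quiet within
    max_gap_days of new_ip appearing and new_ip outlives it.
    A negative gap means the two windows overlap by that many days."""
    wins = activity_windows(records)
    found = []
    for old in wins:
        for new in wins:
            if old[0] == new[0] or new[2] <= old[2]:
                continue
            gap = (new[1] - old[2]).days  # new first-seen minus old last-seen
            if -max_gap_days <= gap <= max_gap_days:
                found.append((old[0], new[0], gap))
    return found


def hour_histogram(times):
    """Counter of UTC hour-of-day across the given timestamps."""
    hist = Counter()
    for t in times:
        hist[datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ").hour] += 1
    return hist


def peak_hour(times):
    return hour_histogram(times).most_common(1)[0][0]


def local_hours(utc_hour, offsets):
    """The same clock hour expressed in candidate UTC offsets (whole hours)."""
    return {off: (utc_hour + off) % 24 for off in offsets}


if __name__ == "__main__":
    for ip, first, last, days in activity_windows(IP_ACTIVITY):
        print(f"{ip:<16} {first} -> {last} ({days} days)")
    print("handovers:", handovers(IP_ACTIVITY))
    h = peak_hour(EVENT_TIMES_UTC)
    print("peak UTC hour:", h, "in candidate zones:", local_hours(h, [3, 4]))
```

Against the report's dates the only handover within a three-day tolerance is 92.39.211.142 → 178.130.46.120 with a one-day overlap, which is the "drops off precisely when 178.130.46.120 takes over" observation expressed as a check rather than an eyeball. The histogram is only as good as the timestamps' timezone: normalise to UTC before counting, and treat a single peak as one weak signal to be combined with others, not as a location on its own.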

Confidence & caveats

  • Claims explicitly labelled as “assessment” are analytical judgments based on the artifacts described in this report.
  • The Cracked username n7778 is included as unverified reporting.
  • IP geolocation and “residential vs. VPN” characterization is best-effort and may change with additional context (routing, CGNAT, leased blocks, VPN exit attribution).
  • This report summarizes sensitive victim-side material at a high level and does not reproduce victim documents.

Timeline

┌────────────┬────────────────────────────────────┐
│ Date       │ Event                              │
├────────────┼────────────────────────────────────┤
│ 2025-10-16 │ Account created (NL VPN)           │
│ 2025-11-14 │ Izhevsk IP appears                 │
│ 2025-12-18 │ MEGAsync/MEGAcmd from RU           │
│ 2025-12-29 │ rclone — NAS live                  │
│ 2026-04-21 │ Last session activity (lastactive) │
│ 2026-05-01 │ GDPR pull via Tor                  │
└────────────┴────────────────────────────────────┘

Zeta's NAS

Synology SA6400 — 7 × TOSHIBA 18TB enterprise drives (~127TB) — serial 34POALFLF3XJ, firmware 1.13.2.

SFTP: 193.228.128.2:2222 user d0wnloAd1 (rclone config posted in plaintext by zeta88, 2026-02-14).

Crew accounts by onboarding date (from /etc/shadow)

┌─────────────────────────┬────────────────────────────────────────────┬─────────────────┐
│ Date                    │ Account                                    │ Notes           │
├─────────────────────────┼────────────────────────────────────────────┼─────────────────┤
│ 2025-12-26              │ zeta88, admin                              │ NAS stood up    │
│ 2025-12-29              │ MEGAcmd, sc-rclone                         │ Exfil tools     │
│ 2026-01-03 → 2026-03-21 │ LDW, equal1z3r, JLL, W1Z, PRTGRS, Gblog88, │ Crew onboarding │
│                         │ n0n3, 3NT3R, B1d3n, F3N1X, C0CA, d0wnloAd1 │                 │
└─────────────────────────┴────────────────────────────────────────────┴─────────────────┘

3NT3R, F3N1X, C0CA have min_age=100000 — password change permanently blocked.
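Everything in the shadow-dump sections above (hash algorithm per account, locked versus live accounts, the onboarding dates, and the min_age=100000 lock) comes from the fields of shadow(5). The parser below is an added example, not code from the report or from Ransom-ISAC, and the shadow lines it runs on are constructed: the hash bodies are placeholders rather than real credential material, and the day numbers were chosen to land on the report's dates.

```python
"""Classify /etc/shadow entries the way the NAS/1.txt analysis does.

Added example (not code from the report or from Ransom-ISAC). SAMPLE_SHADOW is
CONSTRUCTED: hash bodies are placeholders, not real credential material.
"""
from collections import defaultdict
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow(5) stores dates as days since the Unix epoch

# crypt(3) prefixes commonly found in /etc/shadow on Linux-based appliances.
HASH_PREFIXES = {
    "$1$": "MD5",
    "$5$": "SHA-256",
    "$6$": "SHA-512",
    "$y$": "yescrypt",
    "$2b$": "bcrypt",
}
WEAK_ALGORITHMS = {"MD5"}

SAMPLE_SHADOW = """\
zeta88:$6$c0nstrct$PLACEHOLDERHASHNOTREALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:20448:0:99999:7:::
admin:$6$c0nstrct$PLACEHOLDERHASHNOTREALBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:20448:0:99999:7:::
3NT3R:$6$c0nstrct$PLACEHOLDERHASHNOTREALCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:20456:100000:99999:7:::
guest:$1$c0nstrct$PLACEHOLDERNOTREAL:20448:0:99999:7:::
MEGAcmd:*:20451:0:99999:7:::
sc-rclone:*:20451:0:99999:7:::
oldcrew:!$6$c0nstrct$PLACEHOLDERHASHNOTREALDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:20456:0:99999:7:::
"""


def classify_password_field(field):
    """Return (state, algorithm) for the second field of a shadow entry."""
    if field in ("*", "!", "!!", "x"):
        return "locked", None        # login disabled / no password set
    if field == "":
        return "empty", None         # passwordless login: always worth flagging
    locked = field.startswith("!")  # '!' in front of a real hash = passwd -l
    body = field.lstrip("!")
    algo = next((name for p, name in HASH_PREFIXES.items() if body.startswith(p)), "unknown")
    return ("locked" if locked else "active"), algo


def parse_shadow(text):
    """Parse shadow-format text into a list of dicts, skipping malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, pw, lastchg, min_age = fields[:4]
        state, algo = classify_password_field(pw)
        min_days = int(min_age) if min_age.isdigit() else 0
        entries.append({
            "account": name,
            "state": state,
            "algo": algo,
            "weak": algo in WEAK_ALGORITHMS,
            # lastchg is the day the password was last SET; the report uses it as
            # an onboarding proxy, but a later reset would move this date.
            "last_change": (EPOCH + timedelta(days=int(lastchg))).isoformat()
            if lastchg.isdigit() else None,
            "min_age": min_days,
            # A min_age far beyond any sane policy (the report's 100000) means
            # the user can never change their own password.
            "change_blocked": min_days >= 100000,
        })
    return entries


def onboarding_timeline(entries):
    """Group accounts with a usable hash by last_change date, oldest first."""
    groups = defaultdict(list)
    for e in entries:
        if e["state"] == "active" and e["last_change"]:
            groups[e["last_change"]].append(e["account"])
    return dict(sorted(groups.items()))


if __name__ == "__main__":
    parsed = parse_shadow(SAMPLE_SHADOW)
    for e in parsed:
        print(f"{e['account']:<10} {e['state']:<7} {e['algo'] or '-':<8} "
              f"{e['last_change']} blocked={e['change_blocked']} weak={e['weak']}")
    print(onboarding_timeline(parsed))
```

Two caveats a practitioner should carry into a real dump: the day number is the last password change, not account creation, so any account whose password was rotated will show the rotation date rather than its onboarding date; and the `$1$`/`$6$` prefixes identify the algorithm only, so an "MD5" row is weak by construction, while a SHA-512 row says nothing about password strength.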


NAS Screenshots — Kill Chain

All four taken before the reset completed. Upload speed in frame 4 confirms exfil was still running as the wipe was triggered.

667.png — Storage Manager

Storage Manager — all drives healthy

Stage 1. Hardware documented: 7 drives, all Healthy, 29°C.


3934.png — Password Prompt

Admin password entry

Stage 2. Admin credentials entered.


017.png — Factory Reset Page

Factory Reset page open — 69KB/s down / 64.2KB/s up

Stage 3. Reset page open. Network I/O active — still exfiltrating.


7199.png — Confirmation Dialog

Factory Reset confirmation — 395KB/s up / 71KB/s down

Stage 4. “Are you sure?” on screen. 395 KB/s upload — draining the last data as the reset is confirmed.


Stolen Data on the NAS

JA456 contains artifacts from two victims (both anonymised in this report): (1) a pharma regulatory submission; and (2) a Windows Server domain controller backup.

Victim (redacted)

Full regulatory dossier for a pharma regulatory submission (product and organization details redacted): submission materials, R&D dossier, pilot batch manufacturing records, pricing, product inserts, and an internal email chain (.msg).

Email header exposure (victim identifiers redacted): AD domain, Exchange version, endpoint security product, internal server range, office egress IP, and a regulator contact email address.

Domain Controller Backup (2025-07-30, pre-NAS loot)

VSS backup metadata confirms a full Windows Server DC backup with NTDS writer (b2014c9e) present and backupSucceeded=yes.

Key artifacts:

  • NTDS writer (b2014c9e) present and successful — ntds.dit and transaction logs (edb*.log, edb.chk) captured from C:\Windows\NTDS
  • DC hostname identified (redacted)
  • AD domain identified via SYSVOL/DFS-R staging path (redacted) — confirms domain-joined DC, not standalone server
  • OS: Windows Server, AMD64, UEFI, dual GPT disk layout
  • Local accounts visible in VSS snapshot exclusions (redacted)

All domain hashes were in Zeta's possession at time of exfiltration. Victim has been notified through responsible disclosure channels.


TTPs

Exfiltration Path (evidenced in JA456)

rclone → NAS (193.228.128.2:2222, user d0wnloAd1) → MEGA ([email protected])


IOCs

Infrastructure & IP breakdown

Operator infrastructure

178.130.46.120 — Primary operational
  Evidence & notes: MEGAsync/6.2.2.0 + MEGAcmd/2.3.0.0 sessions Dec 2025 → Apr 2026 (sessions.json); Windows 10.0.19044 throughout; file uploads on multiple ports (files.json); RU country; RU hosting block. Likely rented VPS — check Shodan/scan history.

193.228.128.2 — NAS (SFTP :2222)
  Evidence & notes: Single rclone/v1.71.0 session 2025-12-29 (sessions.json); RU hosting block. d0wnloAd1 confirmed as live Synology account in shadow dump (NAS/1.txt). MEGAcmd and sc-rclone service accounts present — MEGAcmd was installed on the NAS itself. Check SSH/SFTP banner on :2222 (Shodan/Censys).

92.39.211.142 — Residential (Izhevsk)
  Evidence & notes: additional_ip_activity in sessions.json: firstseen 2025-11-14, lastseen 2025-12-19 — pre-VPN hardening window. Drops off precisely when 178.130.46.120 takes over. Udmurttelecom (Izhevsk, Udmurt Republic); likely static residential/business; high attribution value. RIPE lookup 92.39.211.0/24 for netname/org.

194.87.31.69 — Staging / VPN hop
  Evidence & notes: Account creation IP confirmed in accountgeneral.json (signup_ip, signup_country: NL). Browser UA: Firefox/128.0 on Windows NT 10.0. Early file uploads on multiple ports (files.json). Account emails: [email protected] (primary), [email protected] (secondary). Review open ports/abuse history (Shodan).

89.185.80.134 — Secondary (US)
  Evidence & notes: Confirmed in additional_ip_activity alongside 178.130.46.120: firstseen 2025-11-14 → lastseen Apr 2026. Country: US. Consistent persistent VPS/proxy hop role. Check VT/PDNS and scan history.

  • Add the listed IOCs to monitoring/blocking where appropriate, and set alerts on new infrastructure resolving from the same clusters.
  • Hunt for rclone usage and configuration artifacts on endpoints and servers (common staging/exfil indicator), alongside MEGA tooling where relevant.
  • For impacted environments, validate potential domain compromise paths consistent with NTDS/SYSVOL access and implement credential resets and tiered admin controls.
  • Treat the Izhevsk lead (92.39.211.142) as a pivot for historical campaign linkage (including 2023 C2 tooling associations) rather than a single-point attribution indicator.
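The rclone hunt recommended above comes down to finding rclone.conf files and reading which remotes they define, since the exfil path evidenced in JA456 (rclone → NAS over SFTP → MEGA) leaves exactly that kind of configuration behind. The script below is an added example, not the report's code and not an rclone utility. Its sample config is constructed: the NAS host, port and user are taken from the report's IOC list, the MEGA login is a placeholder, and the default config locations are rclone's documented per-user paths.

```python
"""Hunt for rclone remotes that point at cloud storage or at known IOC hosts.

Added example (not code from the report, and not an rclone tool).
SAMPLE_RCLONE_CONF is CONSTRUCTED; the MEGA login is a placeholder.
"""
import configparser
import os

# rclone's default per-user config locations. Service accounts and non-default
# XDG/APPDATA roots need their own paths when sweeping a fleet.
DEFAULT_CONFIG_PATHS = [
    "~/.config/rclone/rclone.conf",
    "~/.rclone.conf",                 # legacy location
    "%APPDATA%/rclone/rclone.conf",   # Windows
]

# Backend types that move data off-network, and those that reach another host.
CLOUD_BACKENDS = {"mega", "s3", "b2", "drive", "dropbox", "onedrive", "pcloud",
                  "box", "azureblob", "googlecloudstorage"}
NETWORK_BACKENDS = {"sftp", "ftp", "webdav", "smb", "http"}

# Operator IPs listed in this report.
IOC_HOSTS = {"193.228.128.2", "178.130.46.120", "194.87.31.69", "89.185.80.134"}

SAMPLE_RCLONE_CONF = """\
[nas]
type = sftp
host = 193.228.128.2
port = 2222
user = d0wnloAd1
pass = OBSCURED-PLACEHOLDER

[mega]
type = mega
user = placeholder@example.invalid
pass = OBSCURED-PLACEHOLDER

[scratch]
type = local
"""


def parse_rclone_conf(text):
    """rclone.conf is INI-style, one section per remote; keys come back lowercased."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def flag_remotes(remotes, ioc_hosts=IOC_HOSTS):
    """Return {remote_name: [reasons]} for remotes worth an analyst's attention."""
    findings = {}
    for name, opts in remotes.items():
        reasons = []
        kind = opts.get("type", "").lower()
        host = opts.get("host", "").strip()
        if kind in CLOUD_BACKENDS:
            reasons.append(f"cloud storage backend ({kind})")
        if kind in NETWORK_BACKENDS and host:
            reasons.append(f"network backend {kind} -> {host}:{opts.get('port', 'default')}")
        if host in ioc_hosts:
            reasons.append(f"host {host} matches IOC list")
        if reasons:
            findings[name] = reasons
    return findings


def locate_configs(paths=DEFAULT_CONFIG_PATHS):
    """Expand the default config paths and return the ones that exist on this host."""
    found = []
    for p in paths:
        full = os.path.expanduser(os.path.expandvars(p))
        if os.path.isfile(full):
            found.append(full)
    return found


if __name__ == "__main__":
    print("existing rclone configs:", locate_configs())
    for remote, why in flag_remotes(parse_rclone_conf(SAMPLE_RCLONE_CONF)).items():
        print(remote, "->", "; ".join(why))
```

In a fleet sweep, pair the config check with process telemetry (rclone binaries renamed to something innocuous are common, so match on command-line flags and on the config's section names rather than the executable name alone), and treat any `pass =` value in a discovered config as a credential to rotate, since rclone's stored form is obscured rather than encrypted.
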

┌─────────────────────────────┬──────────────────────────────────────────────────────────────────────────────┐
│ Indicator                   │ Value                                                                        │
├─────────────────────────────┼──────────────────────────────────────────────────────────────────────────────┤
│ IP primary ops              │ 178.130.46.120                                                               │
│ IP NAS                      │ 193.228.128.2                                                                │
│ IP residential (Izhevsk)    │ 92.39.211.142                                                                │
│ IP staging                  │ 194.87.31.69                                                                 │
│ IP Tor exit                 │ 192.42.116.104                                                               │
│ C2 onion (Part 1 corpus)    │ xcsqtdobtmdhsjkyjz6iydfowh7bps5dd3a2xg53oirylnohednc4syd.onion               │
│ DLS onion (Part 1 corpus)   │ tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion               │
│ Extension (Part 1 corpus)   │ .i8p14s                                                                      │
│ Ransom note (Part 1 corpus) │ README-GENTLEMEN.txt                                                         │
│ NAS serial                  │ 34POALFLF3XJ                                                                 │
│ BTC tx (Part 1 corpus)      │ 7e366683f1d175278feefaaa35d87e87076931974506b9f373a775a428c28f10             │
│ Email                       │ [email protected] / [email protected]                                        │
│ TOX (Part 1 corpus)         │ F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E │
│ MEGA device token           │ K6sen1eMEcg7Iuh6p2uraDVnK4t4sjhDdhmqSGZp5uY                                  │
└─────────────────────────────┴──────────────────────────────────────────────────────────────────────────────┘

Attribution (assessment)

Russia (assessment). Key lead: Izhevsk, Udmurt Republic (Udmurttelecom, 92.39.211.142). Timezone indicators are consistent with UTC+4 (Izhevsk), and Windows 10 build 19044 is observed throughout. Infrastructure suggests self-hosted VPN (AmneziaVPN / WireGuard) and compromised FortiGates used as pivots.

Additional context: 92.39.211.142 is assessed as possibly static and may have been used across multiple campaigns. Related infrastructure and activity have also been associated with Cobalt Strike and Havoc C2 in 2023, indicating a broader tradecraft footprint beyond this leak set.

Conclusion

JA456 is notable because it exposes operator-side artifacts rather than only victim-side documents. The combination of MEGA session history, NAS account artifacts, and wipe-in-progress screenshots provides rare pivots for clustering infrastructure and assessing operator location and tradecraft. We recommend treating the Izhevsk residential IP lead (92.39.211.142) as a priority pivot for additional campaign linkage and infrastructure mapping.
