ESET Research investigates Gentlemen ransomware gang and its defense-evasion tools


ESET
  • Gentlemen operators develop and maintain an EDR-killer suite provided directly to affiliates.
  • GentleKiller, an in-house framework, has at least eight variants abusing different vulnerable or malicious drivers.
  • Gentlemen operators apply a unified evasion strategy across tools to standardize impersonation and protection.
  • Third-party EDR killers (HexKiller, ThrottleBlood, and HavocKiller) are operationally integrated.
  • The gang’s victimology is globally distributed and notably not US focused.

BRATISLAVA, Slovakia, June 18, 2026 (GLOBE NEWSWIRE) — ESET researchers analyzed the robust EDR-killing toolset of the ransomware-as-a-service (RaaS) gang Gentlemen. Since the beginning of 2026, Gentlemen has emerged as one of the most active gangs in the ransomware ecosystem. The group distinguishes itself through a mature, operator-maintained set of endpoint detection and response (EDR) killers — tools for disrupting security software. Additionally, unlike most top-tier gangs, Gentlemen does not exhibit a strong US-centric victimology, instead targeting victims across Southeast Asia, South America, and Western Europe. The gang’s targeting includes some otherwise rarely targeted countries like Thailand, Brazil, and France.

“While there have been multiple reports covering Gentlemen in recent months, they have not focused on a detailed analysis of the group’s EDR killers. Thanks to ESET’s continued incident-level visibility, we can provide a uniquely deep view into Gentlemen’s EDR-killer development practices. The internal data leak that Gentlemen suffered in May 2026 gave us more insight into the inner workings of the group,” says ESET researcher Jakub Souček, who tracks EDR killers. “The leak also allowed us to confirm the hypothesis we formed in February 2026: that Gentlemen operators actively develop and maintain a portfolio of EDR killers that they offer to affiliates, centered around their in-house framework, which we have named GentleKiller.”

Additionally, the group incorporates third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller. These tools are standardized through a shared defense-evasion layer that predominantly impersonates security vendors by using fake version information and copied legitimate certificates and icons. Gentlemen also demonstrates an ability to operationalize newly disclosed Bring Your Own Vulnerable Driver (BYOVD) proofs-of-concept unusually quickly, often within days of public release. Apart from the EDR killers, we also identified a credential stealer we named OxideHarvest; this tool was developed by one of Gentlemen’s affiliates.
