An analysis of the Gentlemen ransomware-as-a-service (RaaS) gang’s sophisticated EDR killer suite reveals a centralized approach to disabling security software that sets the group apart from nearly every other active ransomware operation.
Gentlemen emerged in late 2025 and quickly became one of the five most active ransomware gangs in Q1 2026, offering affiliates a generous 90% revenue share.
According to Group-IB, the gang was founded by a threat actor known as hastalamuerte, a former Qilin affiliate, with PRODAFT reporting further ties to LockBit, Embargo, Medusa, and BlackLock. Brian Krebs published evidence of the actor’s real identity on June 10, 2026.
EDR Killer Combines HexKiller, ThrottleBlood, and HavocKiller
Unlike most top-tier ransomware operations that heavily target U.S. organizations, Gentlemen’s victimology is globally distributed with significant targeting across Southeast Asia, South America, and Western Europe, including Thailand, Brazil, and France.
Leaked internal data reveals the gang selects victims primarily based on FortiGate misconfigurations rather than geographic preference, pointing to a technically driven targeting strategy.
The group also employs double extortion, threatening to publish stolen data if ransoms go unpaid. Operators offer both a Go-based encryptor for Windows and Linux and a C-written ESXi variant.
The centerpiece of Gentlemen’s EDR-disabling capability is GentleKiller, an internally developed framework that ESET first documented in February 2026.
At least eight variants have been identified, each abusing a different vulnerable or malicious driver while sharing a common development template including consistent internal strings, periodic process-termination loops, and identical code obfuscation.
GentleKiller targets over 400 processes belonging to 48 security products, including CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Kaspersky, and ESET itself.
A key differentiator is the speed with which Gentlemen weaponizes newly disclosed Bring Your Own Vulnerable Driver (BYOVD) proof-of-concept exploits, often within days of public release, as seen with the UnknownKiller and PoisonKiller PoCs.
Beyond GentleKiller, the suite integrates three externally sourced EDR killers, all staged within the GentlemenCollection directory and standardized through the same defense evasion layer:
- HexKiller — Previously associated exclusively with the Warlock gang, HexKiller abuses the Baidu Antivirus BdApi driver. ESET does not assess its presence as evidence of direct gang collaboration.
- ThrottleBlood — Observed across MedusaLocker and DragonForce intrusions, this tool leverages a driver by TechPowerUp LLC. Its exact origin remains unclear, with underground market distribution considered a likely possibility.
- HavocKiller — First publicly disclosed by Huntress on March 19, 2026, HavocKiller abuses a Huawei audio driver (havoc.sys). ESET telemetry confirms its use in live intrusions as early as January 23, 2026, weeks before it became publicly known.
Gentlemen applies a unified evasion strategy across its entire toolkit: Enigma or Themida packing, fabricated version metadata, copied (and therefore invalid) digital signatures, and vendor-impersonating icons, all applied post-compilation. Because the layer is added to finished binaries, it protects even tools whose source code the operators don't possess.
Researchers also linked OxideHarvest, a Rust-based credential stealer targeting Chromium and Gecko browsers, to a Gentlemen affiliate known as quant. A sample was identified on VirusTotal under the filename buildx641.exe, confirming its operational integration.
Gentlemen’s operator-managed EDR killer model materially lowers the technical barrier for affiliates, making the gang an increasingly attractive RaaS partner.
Understanding GentleKiller’s behavioral signatures, BYOVD driver abuse, process-termination loops, and vendor impersonation gives defenders a foundation for building detection strategies resilient to the group’s evolving, rapidly adapted arsenal.
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 8AE6BD18B129061F63642531F1B684CF0383C75D | Kasps.exe | Win64/KillAV.EA | GentleKiller (Kaspersky variant) — primary in-house EDR killer |
| BA914FE77B177B45799403B16DD14765C510A074 | eb.sys | Win64/Agent.ITG | Custom rootkit used by the Kaspersky variant of GentleKiller |
| 56BEE9DF5833A637F5C54D5911DF98B0812FE643 | G11.sys | Win64/Agent.IYQ | PoisonX rootkit used by GentleKiller G11 variant |
| CF4D74DF17A91B4A36A2911B22AFEC5D8FA93A01 | Avast.exe | Win32/KillAV.NVL | HexKiller with Gentlemen’s evasion layer applied |
| 7131B377E96016DC1911020C9F95B1B4D042D7B4 | Sent.exe | Win64/KillAV.AT | ThrottleBlood with Gentlemen’s evasion layer applied |
| F0537CBB773AE12100B36731E7C39F5A9D852B14 | Sophos.exe | Win64/KillAV.DE | HavocKiller with Gentlemen’s evasion layer applied |
| A5CF917EC4A7DFBDFA43621398604805D860C718 | buildx641.exe | Win64/Spy.Agent.AGC | OxideHarvest credential stealer linked to Gentlemen affiliate quant |
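As an added example (not ESET's research code and nothing from the Gentlemen toolkit), the following Python correlates three signals described above on a per-host basis: file hashes from the IOC table, copied-but-invalid signatures on vendor-named binaries and drivers, and security-product processes terminated on a steady cadence, the periodic process-termination loop that GentleKiller variants share. The Sysmon-style log lines, host names and field layout are constructed for this example, and the security-process list is an illustrative subset, not GentleKiller's 400-process target list.

```python
"""Correlate Sysmon-style telemetry for GentleKiller-like behaviour.

Added example: constructed log lines, illustrative process list, and the
SHA-1 values from the IOC table above. Not ESET's or the gang's code.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# SHA-1s from the IOC table above, lower-cased for matching.
IOC_SHA1 = {
    "8ae6bd18b129061f63642531f1b684cf0383c75d": "GentleKiller (Kasps.exe)",
    "ba914fe77b177b45799403b16dd14765c510a074": "eb.sys rootkit",
    "56bee9df5833a637f5c54d5911df98b0812fe643": "G11.sys PoisonX rootkit",
    "cf4d74df17a91b4a36a2911b22afec5d8fa93a01": "HexKiller (Avast.exe)",
    "7131b377e96016dc1911020c9f95b1b4d042d7b4": "ThrottleBlood (Sent.exe)",
    "f0537cbb773ae12100b36731e7c39f5a9d852b14": "HavocKiller (Sophos.exe)",
    "a5cf917ec4a7dfbdfa43621398604805d860c718": "OxideHarvest (buildx641.exe)",
}

# Illustrative subset of security-product process names (assumption: the real
# GentleKiller list covers 400+ processes; this is not that list).
SECURITY_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe",
                      "avp.exe", "ekrn.exe", "savservice.exe"}

# Constructed events in a Sysmon-like key=value layout:
# eid=1 process create, eid=6 driver load, eid=5 process terminate.
SAMPLE_LOG = r"""
2026-01-23T10:00:00Z host=WS01 eid=1 Image=C:\Users\Public\Kasps.exe Hashes=SHA1=8AE6BD18B129061F63642531F1B684CF0383C75D Signature=Kaspersky SignatureStatus=Invalid
2026-01-23T10:00:02Z host=WS01 eid=6 ImageLoaded=C:\Windows\Temp\eb.sys Hashes=SHA1=BA914FE77B177B45799403B16DD14765C510A074 SignatureStatus=Invalid
2026-01-23T10:00:05Z host=WS01 eid=5 Image=C:\Program Files\Windows Defender\MsMpEng.exe
2026-01-23T10:00:10Z host=WS01 eid=5 Image=C:\Program Files\CrowdStrike\CSFalconService.exe
2026-01-23T10:00:15Z host=WS01 eid=5 Image=C:\Program Files\Windows Defender\MsMpEng.exe
2026-01-23T10:00:20Z host=WS01 eid=5 Image=C:\Program Files\CrowdStrike\CSFalconService.exe
2026-01-23T10:00:25Z host=WS01 eid=5 Image=C:\Program Files\Windows Defender\MsMpEng.exe
2026-01-23T10:03:00Z host=WS02 eid=5 Image=C:\Program Files\Windows Defender\MsMpEng.exe
2026-01-23T10:05:00Z host=WS02 eid=1 Image=C:\Windows\System32\notepad.exe Hashes=SHA1=0000000000000000000000000000000000000000 SignatureStatus=Valid
"""

# Split on a space only when it is followed by the next key=, so paths with spaces survive.
TOKEN_SPLIT = re.compile(r" (?=\w+=)")


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(tok.split("=", 1) for tok in TOKEN_SPLIT.split(rest))
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def sha1_of(event):
    """Extract the SHA1 from a Sysmon-style Hashes=SHA1=...,MD5=... field."""
    m = re.search(r"SHA1=([0-9A-Fa-f]{40})", event.get("Hashes", ""))
    return m.group(1).lower() if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def match_iocs(events):
    """Events whose file hash is in the IOC table."""
    return [(e["host"], e.get("Image") or e.get("ImageLoaded"), IOC_SHA1[h])
            for e in events if (h := sha1_of(e)) in IOC_SHA1]


def invalid_signatures(events):
    """Binaries or drivers whose Authenticode signature Windows rejects: a copied
    signature fails validation, so Invalid on a vendor-named file is a strong signal."""
    return [(e["host"], e.get("Image") or e.get("ImageLoaded"))
            for e in events if e.get("SignatureStatus") == "Invalid"]


def kill_loops(events, min_kills=4, window=timedelta(minutes=2), max_jitter=0.5):
    """Hosts where security-product processes die repeatedly at a steady period."""
    per_host = defaultdict(list)
    for e in events:
        if e.get("eid") == "5" and basename(e["Image"]) in SECURITY_PROCESSES:
            per_host[e["host"]].append(e["ts"])
    findings = {}
    for host, times in per_host.items():
        times.sort()
        for start in times:
            run = [t for t in times if start <= t <= start + window]
            if len(run) < min_kills:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(run, run[1:])]
            mean = statistics.mean(gaps)
            jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
            if jitter <= max_jitter:  # regular cadence, not a one-off crash or update
                findings[host] = {"kills": len(run), "period_s": mean}
                break
    return findings


def correlate(text):
    """Per-host list of findings; hosts with nothing suspicious are absent."""
    events = parse_events(text)
    report = defaultdict(list)
    for host, image, label in match_iocs(events):
        report[host].append(f"known IOC: {image} ({label})")
    for host, image in invalid_signatures(events):
        report[host].append(f"invalid signature: {image}")
    for host, f in kill_loops(events).items():
        report[host].append(f"{f['kills']} security processes killed every ~{f['period_s']:.0f}s")
    return dict(report)


if __name__ == "__main__":
    for host, findings in correlate(SAMPLE_LOG).items():
        print(host, *findings, sep="\n  ")
```

The cadence check is what separates a kill loop from ordinary noise: WS02 loses one Defender process and is not reported, while WS01 shows the full chain (known hash, invalid signature on a vendor-named file, then five terminations five seconds apart). Thresholds are starting points to tune against your own baseline.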
