    The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes

    By InfoForTech, June 22, 2026 (4 Mins Read)


    The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for impairing system defenses before deploying the encryptor.

    This mature portfolio of EDR-terminating tools is centered around a framework that’s known as GentleKiller.

    “They also incorporate third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller,” ESET security researcher Jakub Souček said in a report shared with The Hacker News. “These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied legitimate certificates and icons.”

    The Slovakian cybersecurity company also called out the ransomware crew for its ability to “unusually quickly operationalize” newly disclosed proof-of-concept (PoC) exploits related to an attack technique called bring your own vulnerable driver (BYOVD), in many cases within days of their public release.

    Since its emergence in March 2025, The Gentlemen has swiftly risen up the ranks and made a name for itself as one of the most active ransomware groups. Per data from Ransomware.live, the group has claimed 504 victims to date, with most of them located in Southeast Asia, South America, and Western Europe.

    Recent reports from cybersecurity journalist Brian Krebs and PRODAFT have revealed that a 36-year-old Russian national named Alexander Andreevich Yapaev (aka hastalamuerte) has been leading the operation, after acting as an affiliate for other ransomware schemes, including Qilin.

    ESET has described The Gentlemen as one of the most technically agile RaaS groups, using a set of techniques to ensure that the compiled EDR killer samples sidestep detection. This includes binary protection using Enigma or Themida and using file names that resemble well-known cybersecurity vendors, right down to their version information, digital signatures, and icons.

    The most prevalent of them is GentleKiller, which comes in eight different variants, each mimicking a different legitimate product and abusing a different vulnerable or malicious driver as part of the BYOVD attack. GentleKiller specifically looks for 400 processes associated with 48 distinct security programs from a number of vendors.

    The list of drivers exploited by each of the variants is as follows:

    • Kaspersky (“eb.sys”)
    • FACEIT Anti-Cheat (“nseckrnl.sys”)
    • Valorant (“GameDriverX64.sys”)
    • Javelin (“stpm_old.sys” or “stpm_new.sys”)
    • WatchDog (“dmx.sys”)
    • Network Blocker (“360netmon_wfp.sys”)
    • Cleaner (“IMFForceDelete.sys”)
    • G11 (“PoisonX.sys”)

    It’s worth noting that the abuse of “PoisonX.sys” has been recorded in recent months in connection with various BYOVD attacks, one of which was used to kill CrowdStrike Falcon EDR. A second campaign, detailed by Huntress, involved an intrusion in which unknown threat actors leveraged BeyondTrust Remote Support to successfully deploy ransomware on the network, but not before terminating security tooling via “PoisonX.sys” and “hrwfpdrv.sys.”

    “When abstracting away the impersonation layer and the specific drivers used, the underlying code reveals numerous structural and behavioral commonalities that strongly suggest the use of a shared development template,” Souček said.

    “This design prioritizes ease of deployment and operational flexibility for affiliates, while minimizing development effort for the operators. It allows The Gentlemen operators to integrate abused drivers into their toolset very soon after an EDR killer PoC is disclosed.”

    The third-party, BYOVD-based EDR killers employed by the group are:

    • HexKiller (“googleApiUtil64.sys”), a tool previously assumed to be exclusive to the Warlock ransomware gang
    • ThrottleBlood (“ThrottleBlood.sys”), a tool observed in attacks mounted by MedusaLocker and DragonForce affiliates 
    • HavocKiller or HwAudKiller (“havoc.sys”)
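    As an added defensive example, not code from the article or from ESET's report, the following Python check scans Sysmon Event ID 6 (driver loaded) style records for the driver file names given in both lists above. The JSON records, the driver-store location heuristic and the tool-family labels are constructed or assumed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Driver file names the article ties to each EDR-killer tool; keys are lowercase.
ABUSED_DRIVERS = {
    "eb.sys": "GentleKiller (Kaspersky variant)",
    "nseckrnl.sys": "GentleKiller (FACEIT Anti-Cheat variant)",
    "gamedriverx64.sys": "GentleKiller (Valorant variant)",
    "stpm_old.sys": "GentleKiller (Javelin variant)",
    "stpm_new.sys": "GentleKiller (Javelin variant)",
    "dmx.sys": "GentleKiller (WatchDog variant)",
    "360netmon_wfp.sys": "GentleKiller (Network Blocker variant)",
    "imfforcedelete.sys": "GentleKiller (Cleaner variant)",
    "poisonx.sys": "GentleKiller (G11 variant); also seen in other BYOVD intrusions",
    "hrwfpdrv.sys": "BYOVD intrusion reported by Huntress",
    "googleapiutil64.sys": "HexKiller",
    "throttleblood.sys": "ThrottleBlood",
    "havoc.sys": "HavocKiller / HwAudKiller",
}
# Assumption (not from the article): a listed driver loaded from outside the driver store rates higher.
DRIVER_STORE = PureWindowsPath(r"C:\Windows\System32\drivers")

def analyze_driver_load(event):
    """Inspect one Sysmon Event ID 6 (driver loaded) style record; None if not of interest."""
    path = PureWindowsPath(event["ImageLoaded"])
    family = ABUSED_DRIVERS.get(path.name.lower())
    if family is None:
        return None
    return {
        "driver": str(path),
        "family": family,
        # PureWindowsPath equality is case-insensitive, matching Windows semantics.
        "outside_driver_store": path.parent != DRIVER_STORE,
        # BYOVD abuses legitimately signed drivers, so a valid signature is the
        # expected state here and is not evidence that the load is benign.
        "signature_valid": event.get("SignatureStatus") == "Valid",
    }

def scan(json_lines):
    records = (json.loads(line) for line in json_lines)
    findings = (analyze_driver_load(r) for r in records if r.get("EventID") == 6)
    return [f for f in findings if f is not None]

# Constructed sample records; the paths are illustrative, not observed indicators.
SAMPLE_EVENTS = [
    r'{"EventID": 6, "ImageLoaded": "C:\\ProgramData\\Kaspersky\\eb.sys", "SignatureStatus": "Valid"}',
    r'{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\PoisonX.sys", "SignatureStatus": "Valid"}',
    r'{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "SignatureStatus": "Valid"}',
    r'{"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\ThrottleBlood.sys", "SignatureStatus": "Valid"}',
]
```

Because every driver in these lists carries a legitimate signature, the name match and load location are the useful signals here; the signature flag is kept only so analysts do not dismiss a hit as "signed, therefore fine".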

    ESET said it also detected a Rust-based credential stealer codenamed OxideHarvest (aka buildx641) that’s capable of harvesting data from popular web browsers, including Google Chrome, Microsoft Edge, Torch, Comodo, Epic Privacy Browser, Vivaldi, Brave, Opera, OperaGX, Mozilla Firefox, Waterfox, BlackHawk, and IceCat.

    “While most ransomware gangs continue to delegate EDR killing to affiliates, Gentlemen has chosen to centralize this function by offering affiliates a ready-to-use, standardized EDR-killer suite,” ESET said. “This decision makes Gentlemen an attractive operator for affiliates as it materially lowers the entry barrier for them, making their job consequently easier.”

    The disclosure comes as the CERT Coordination Center (CERT/CC) issued an advisory about multiple vendor-signed UEFI applications being vulnerable to Secure Boot bypass via a BYOVD attack. ESET researcher Martin Smolár has been credited with researching and reporting the vulnerability. The impacted applications are from Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, and Uniwill.

    “If a target system trusts the affected vendor’s certificate, an attacker [with administrative privileges or physical access] can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes,” CERT/CC said.

    “To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries, preventing these vulnerable applications from executing during the boot process.”
