The Gentlemen RaaS Leverages GentleKiller Framework to Target Security Processes

The Gentlemen ransomware-as-a-service (RaaS) operation uses a suite of endpoint detection and response (EDR) killers, built around its GentleKiller framework, to disable security software before ransomware is deployed.

ESET reports that The Gentlemen RaaS operation is actively developing EDR killers and distributing them to its affiliates so that endpoint defenses can be disabled before the ransomware itself runs. The effort is centered on a framework the group calls GentleKiller.

According to ESET security researcher Jakub Souček, the group also bundles third-party and leaked tools, including HexKiller, ThrottleBlood, and HavocKiller. All of them pass through a shared defense-evasion layer that makes each binary impersonate a security vendor: fake version-information resources, copied legitimate certificates, and the vendor's icons.

Operational Tactics and Victim Profile

Since it emerged in March 2025, The Gentlemen has rapidly become one of the most active ransomware groups, claiming 504 victims to date, most of them in Southeast Asia, South America, and Western Europe. Recent investigations have identified Alexander Andreevich Yapaev, a 36-year-old Russian national, as the operation's leader; he had previously worked as an affiliate of other ransomware schemes.

Technical Capabilities and EDR Killers

ESET describes The Gentlemen as one of the most technically agile RaaS groups, and it applies several techniques to keep its EDR killer samples undetected: binary protection, and file names that closely resemble those of well-known security vendors. The GentleKiller framework itself comes in eight variants, each mimicking a different legitimate product and each loading a different vulnerable or outright malicious signed driver, the bring your own vulnerable driver (BYOVD) technique.

GentleKiller targets some 400 process names belonging to 48 distinct security products from various vendors. The drivers loaded by the eight variants include:

  • Kaspersky: eb.sys
  • FACEIT Anti-Cheat: nseckrnl.sys
  • Valorant: GameDriverX64.sys
  • Javelin: stpm_old.sys or stpm_new.sys
  • WatchDog: dmx.sys
  • Network Blocker: 360netmon_wfp.sys
  • Cleaner: IMFForceDelete.sys
  • G11: PoisonX.sys

PoisonX.sys has turned up in several other BYOVD attacks in recent months, including one that targeted the CrowdStrike Falcon EDR agent.
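The defender-side counterpart of the driver list above is a triage rule over driver-load telemetry. The following is an added example, not code from the ESET report or from NeonPulse: it flags a loaded driver whose file name matches one of the drivers named above regardless of path or case, and separately flags the impersonation trick the article describes, a version resource that claims a security vendor while the file's Authenticode signer is someone else. The `DriverLoad` record layout, the vendor keyword list and all sample records are constructed for the example; on a real host the same fields come from Sysmon Event ID 6 or a driver inventory.

```python
"""Triage kernel driver-load records for the BYOVD pattern described above.

Two checks per record:
  1. the bare file name matches a driver named in the report (any path, any case);
  2. the version resource's CompanyName claims a security vendor while the
     Authenticode signer is someone else (the vendor-impersonation trick).
The DriverLoad record layout and every sample record below are constructed for
this example; collect real records from Sysmon Event ID 6 or a driver inventory.
"""
from dataclasses import dataclass

# Driver names taken from the article, keyed to the variant label the report uses.
KNOWN_BYOVD_DRIVERS = {
    "eb.sys": "Kaspersky",
    "nseckrnl.sys": "FACEIT Anti-Cheat",
    "gamedriverx64.sys": "Valorant",
    "stpm_old.sys": "Javelin",
    "stpm_new.sys": "Javelin",
    "dmx.sys": "WatchDog",
    "360netmon_wfp.sys": "Network Blocker",
    "imfforcedelete.sys": "Cleaner",
    "poisonx.sys": "G11",
}

# Vendors an EDR killer is likely to impersonate (assumption: illustrative list, extend to taste).
SECURITY_VENDORS = ("kaspersky", "crowdstrike", "eset", "sentinelone", "sophos", "microsoft")

# WHQL-released drivers carry only Microsoft's release signature on the file itself;
# the vendor's own signature lives in the catalog, so the impersonation check is
# inconclusive for them and is skipped.
WHQL_SIGNER = "microsoft windows hardware compatibility publisher"


@dataclass
class DriverLoad:
    image: str       # full path of the loaded .sys
    company: str     # CompanyName from the file's version resource
    signer: str      # subject CN of the Authenticode signing certificate ("" if unsigned)
    sig_valid: bool  # whether the signature chain verified


def driver_name(image: str) -> str:
    """Bare, lower-cased file name; both path separators are accepted."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def claimed_vendor(company: str):
    """Return the security vendor the version resource claims, or None."""
    c = company.lower()
    return next((v for v in SECURITY_VENDORS if v in c), None)


def assess(rec: DriverLoad) -> list:
    """List of findings for one record; empty means nothing suspicious."""
    findings = []
    name = driver_name(rec.image)
    if name in KNOWN_BYOVD_DRIVERS:
        findings.append(f"known BYOVD driver {name} (variant: {KNOWN_BYOVD_DRIVERS[name]})")
    vendor = claimed_vendor(rec.company)
    signer = rec.signer.lower()
    if vendor and WHQL_SIGNER not in signer and vendor not in signer:
        findings.append(f"version info claims {rec.company!r} but signer is "
                        f"{rec.signer or 'unsigned'!r}")
    if not rec.sig_valid:
        findings.append("signature did not verify")
    return findings


def triage(records) -> dict:
    """Map each suspicious image path to its findings."""
    return {rec.image: f for rec in records if (f := assess(rec))}


# Constructed sample records (not real telemetry).
SAMPLE_LOADS = [
    DriverLoad(r"C:\Windows\System32\drivers\eb.sys", "Kaspersky Lab", "Kaspersky Lab", True),
    DriverLoad(r"C:\Users\Public\PoisonX.sys", "CrowdStrike, Inc.", "Some Random LLC", True),
    DriverLoad(r"C:\Windows\System32\drivers\acpi.sys", "Microsoft Corporation", "Microsoft Windows", True),
    DriverLoad(r"C:\Windows\Temp\dmx.sys", "WatchDog", "", False),
]

if __name__ == "__main__":
    for image, findings in triage(SAMPLE_LOADS).items():
        print(image)
        for f in findings:
            print("   -", f)
```

Note that the genuine, correctly signed Kaspersky driver in the sample is still reported: a vulnerable driver is dangerous precisely because its signature is valid, so the file-name hit stands on its own and should be backed by Microsoft's vulnerable driver blocklist in production. The impersonation check deliberately stays silent for WHQL-signed files, because there the vendor's name is in the catalog rather than in the embedded signature.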

Credential Theft and Centralized Operations

Alongside the EDR killers, ESET has identified a Rust-based credential stealer named OxideHarvest that extracts saved data from numerous web browsers. Centralizing EDR killing in the core operation makes The Gentlemen attractive to affiliates: it lowers the barrier to entry and removes a step they would otherwise have to solve themselves.

The disclosure coincides with a CERT Coordination Center (CERT/CC) advisory on vulnerabilities in multiple vendor-signed UEFI applications, from vendors including Acer, AMD, and ASUS, that could be abused in the same bring-your-own-vulnerable-binary fashion. CERT/CC advises administrators to apply updates to the UEFI Forbidden Signature Database (DBX). A DBX update does not fix the affected application; it revokes its hash or signing certificate so that Secure Boot firmware refuses to launch it.
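To show what a DBX update actually does at the byte level, here is an added example (not from CERT/CC, NeonPulse or any vendor) that parses the `EFI_SIGNATURE_LIST` structures a DBX variable is made of and checks whether a given image hash is revoked. The parser follows the UEFI specification layout; the owner GUID, the stand-in "images" and therefore the DBX blob itself are constructed for the example and are not a real Microsoft DBX update.

```python
"""Check whether a UEFI application's Authenticode SHA-256 hash is revoked by DBX.

DBX is a run of EFI_SIGNATURE_LIST structures (UEFI spec, "Signature Database").
For SHA-256 entries each list is laid out as:
    EFI_GUID  SignatureType        16 bytes, EFI_CERT_SHA256_GUID
    UINT32    SignatureListSize    whole list, header included
    UINT32    SignatureHeaderSize  0 for SHA-256 lists
    UINT32    SignatureSize        16-byte SignatureOwner GUID + 32-byte hash = 48
followed by SignatureHeaderSize bytes, then the entries.
Everything below the parser is constructed for this example: the owner GUID, the
"images" and therefore the DBX blob are not a real Microsoft DBX update. A real
blob can be read with `Get-SecureBootUEFI -Name dbx` on Windows or from
/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f on Linux
(drop the 4-byte attribute prefix the efivars interface prepends).
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_FMT = "<III"                              # SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER_LEN = 16 + struct.calcsize(HEADER_FMT)    # 28 bytes


def parse_dbx(blob: bytes):
    """Yield (signature_type, owner, data) for every entry in every list."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from(HEADER_FMT, blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + HEADER_LEN + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256(blob: bytes) -> set:
    """All SHA-256 hashes the blob revokes (x509 certificate entries are ignored here)."""
    return {data for t, _, data in parse_dbx(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(image_hash: bytes, blob: bytes) -> bool:
    return image_hash in revoked_sha256(blob)


def parses_cleanly(blob: bytes) -> bool:
    """True if the whole blob walks without a structural error."""
    try:
        list(parse_dbx(blob))
        return True
    except ValueError:
        return False


def build_sha256_list(owner: uuid.UUID, hashes) -> bytes:
    """Serialize one SHA-256 EFI_SIGNATURE_LIST (used only to build the sample)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(HEADER_FMT, HEADER_LEN + len(body), 0, 48)
    return header + body


# Constructed sample: stand-ins for UEFI application images. For a real PE/COFF
# image the hash DBX matches is the Authenticode hash (PE checksum and certificate
# table excluded), e.g. as printed by `pesign --hash -i app.efi`, not a plain
# sha256sum of the file.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")   # constructed owner GUID
REVOKED_IMAGES = [b"vulnerable vendor-signed app v1", b"vulnerable vendor-signed app v2",
                  b"another revoked loader"]
CLEAN_IMAGE = b"patched vendor app"
REVOKED_HASHES = [hashlib.sha256(i).digest() for i in REVOKED_IMAGES]
CLEAN_HASH = hashlib.sha256(CLEAN_IMAGE).digest()
# Two lists back to back, as a real DBX update usually carries several.
SAMPLE_DBX = (build_sha256_list(SAMPLE_OWNER, REVOKED_HASHES[:1])
              + build_sha256_list(SAMPLE_OWNER, REVOKED_HASHES[1:]))

if __name__ == "__main__":
    for name, h in [("revoked v1", REVOKED_HASHES[0]), ("patched", CLEAN_HASH)]:
        print(f"{name}: {'BLOCKED by DBX' if is_revoked(h, SAMPLE_DBX) else 'allowed'}")
```

Two practical points follow from the structure. First, because revocation is by hash or certificate, an update can only cover binaries known when it was built, which is why CERT/CC's advice is to keep applying DBX updates rather than treat one as final. Second, before pushing a DBX update to a fleet, run exactly this kind of check against the boot loader the machines currently use; a revoked current boot loader means the next reboot fails under Secure Boot.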

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ