The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers, which it hands out to affiliates to degrade system security before the encryptors are deployed.
This mature portfolio of EDR-terminating tools is centered around a framework known as GentleKiller.
“They also include third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller,” ESET security researcher Jakub Soucek said in a report shared with The Hacker News. “These tools are standardized through a shared defense-evasion layer, using fake version information to primarily impersonate security vendors, and copy legitimate certificates and icons.”
The Slovak cybersecurity company also called out the crew's ability to weaponize newly disclosed proof-of-concept (PoC) exploits for the bring your own vulnerable driver (BYOVD) technique "unusually quickly," in many cases within days of public release.
Since its emergence in March 2025, The Gentlemen has grown rapidly and made a name for itself as one of the most active ransomware groups. According to data from Ransomware.live, the group has claimed 504 victims so far, the majority of whom are in Southeast Asia, South America, and Western Europe.
Recent reports from cybersecurity journalist Brian Krebs and PRODAFT revealed that a 36-year-old Russian citizen named Alexander Andreevich Yapaev (aka Hastalamuerte) is leading the operation, after serving as an accomplice to other ransomware schemes, including Killin.
ESET describes The Gentlemen as one of the most technologically agile RaaS groups, using a set of techniques to ensure that compiled EDR killer samples bypass detection. This includes protecting the binaries with the Enigma or Themida packers and mimicking the file names of well-known cybersecurity vendors' products, down to their version information, digital signatures, and icons.
The most prevalent of them is GentleKiller, which comes in eight different variants, each mimicking a different legitimate product and abusing a different vulnerable or malicious driver as part of a BYOVD attack. GentleKiller specifically looks for 400 processes associated with 48 specific security programs from multiple vendors.
The list of drivers used by each variant is as follows –
- Kaspersky (“eb.sys”)
- FACEIT Anti-Cheat (“nseckrnl.sys”)
- Valorant (“GameDriverX64.sys”)
- Javelin (“stpm_old.sys” or “stpm_new.sys”)
- watchdog (“dmx.sys”)
- Network Blocker (“360netmon_wfp.sys”)
- Cleaner (“IMForceDelete.sys”)
- G11 (“PoisonX.sys”)
It is worth noting that abuse of "PoisonX.sys" has been documented in connection with various BYOVD attacks in recent months, including one in which it was used to kill the CrowdStrike Falcon EDR. A second campaign, detailed by Huntress, involved an intrusion in which unknown threat actors leveraged BeyondTrust Remote Support to deploy ransomware on the network, but not before eliminating security tooling via "PoisonX.sys" and "hrwfpdrv.sys."
“When separating the modeling layer and the specific drivers used, the underlying code reveals many structural and behavioral similarities that strongly suggest the use of a shared development template,” Soucek said.
“This design prioritizes ease of deployment and operational flexibility for partners while reducing development effort for operators. This allows Gentlemen operators to integrate misbehaving drivers into their toolset as soon as the EDR killer PoC is revealed.”
Below are the third-party, BYOVD-based EDR killers employed by the group –
- HexKiller (“googleApiUtil64.sys”), a tool previously thought to be exclusive to the Warlock ransomware gang
- ThrottleBlood (“ThrottleBlood.sys”), a tool seen in attacks by MedusaLocker and DragonForce affiliates
- HavocKiller (“havoc.sys”)
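The two driver lists above (the GentleKiller variants and the third-party killers) are the most directly actionable detail on the page for defenders: a BYOVD attack only works if the vulnerable driver is loaded, and Sysmon Event ID 6 (DriverLoad) records every such load. The script below is an added example, not ESET's or the group's code, and it runs over a handful of constructed, Sysmon-style records rather than a real event log. It matches on file name only because the page gives no hashes; a production rule should match on the driver's SHA-256 or Authenticode hash, since the attacker can trivially rename the file. Note that it deliberately does not filter on the signature status: the whole point of BYOVD is that the driver carries a valid vendor signature, so "Signed: true / SignatureStatus: Valid" is expected on a hit, not a reason to dismiss it.

```python
"""Hunt constructed Sysmon Event ID 6 (DriverLoad) records for driver file names
that the page lists as abused by GentleKiller variants and by the third-party
EDR killers. Name matching is a triage lead, not proof; confirm with hashes."""
from dataclasses import dataclass

# Driver file names taken from the page, keyed by the EDR killer that loads them.
# "hrwfpdrv.sys" is the second driver named in the Huntress-reported intrusion.
ABUSED_DRIVERS = {
    "eb.sys": "GentleKiller (Kaspersky variant)",
    "nseckrnl.sys": "GentleKiller (FACEIT Anti-Cheat variant)",
    "gamedriverx64.sys": "GentleKiller (Valorant variant)",
    "stpm_old.sys": "GentleKiller (Javelin variant)",
    "stpm_new.sys": "GentleKiller (Javelin variant)",
    "dmx.sys": "GentleKiller (watchdog variant)",
    "360netmon_wfp.sys": "GentleKiller (Network Blocker variant)",
    "imforcedelete.sys": "GentleKiller (Cleaner variant)",
    "poisonx.sys": "GentleKiller (G11 variant)",
    "googleapiutil64.sys": "HexKiller",
    "throttleblood.sys": "ThrottleBlood",
    "havoc.sys": "HavocKiller",
    "hrwfpdrv.sys": "BYOVD driver (Huntress-reported intrusion)",
}

# Directories a legitimately installed driver is normally loaded from. A hit on
# a vendor driver (e.g. eb.sys) from one of these is far less alarming than the
# same name loaded from Temp or ProgramData. Assumed, not from the page.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample records in a flattened "Field: value | Field: value" form;
# they are not real telemetry. Record 3 is a process-create event (ID 1) and
# must be ignored by the hunt.
SAMPLE_EVENTS = [
    "EventID: 6 | UtcTime: 2025-06-01 10:02:11.004 | ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid",
    "EventID: 6 | UtcTime: 2025-06-01 10:03:05.118 | ImageLoaded: C:\\Program Files (x86)\\Kaspersky Lab\\eb.sys | Signed: true | Signature: (constructed) | SignatureStatus: Valid",
    "EventID: 1 | UtcTime: 2025-06-01 10:05:40.002 | Image: C:\\Users\\Public\\kavupdate.exe | CommandLine: kavupdate.exe -install",
    "EventID: 6 | UtcTime: 2025-06-01 10:05:42.317 | ImageLoaded: C:\\Windows\\Temp\\PoisonX.sys | Signed: true | Signature: (constructed) | SignatureStatus: Valid",
    "EventID: 6 | UtcTime: 2025-06-01 10:09:59.540 | ImageLoaded: C:\\ProgramData\\ThrottleBlood.sys | Signed: true | Signature: (constructed) | SignatureStatus: Valid",
]


@dataclass
class Hit:
    timestamp: str
    image: str
    killer: str
    signature_status: str
    unusual_location: bool


def parse_record(line):
    """Split one flattened record into a field dict. Partitioning on ': '
    keeps drive letters (C:\\) and timestamps (10:02:11) intact."""
    rec = {}
    for field in line.split(" | "):
        key, sep, value = field.partition(": ")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def unusual_location(image):
    return not image.lower().startswith(EXPECTED_DRIVER_DIRS)


def hunt_driver_loads(lines):
    """Return a Hit for every DriverLoad record whose file name is on the list.
    Signature status is reported for context but never used as a filter."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "6":
            continue
        image = rec.get("ImageLoaded", "")
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        killer = ABUSED_DRIVERS.get(name)
        if killer:
            hits.append(Hit(rec.get("UtcTime", ""), image, killer,
                            rec.get("SignatureStatus", "?"), unusual_location(image)))
    return hits


if __name__ == "__main__":
    for h in hunt_driver_loads(SAMPLE_EVENTS):
        flag = "UNUSUAL PATH" if h.unusual_location else "expected path"
        print(f"{h.timestamp}  {h.killer:<40} {h.image}  [{h.signature_status}, {flag}]")
```

On the constructed input the hunt returns three hits: the Kaspersky driver loaded from its product directory (expected path, probably benign), and PoisonX.sys and ThrottleBlood.sys loaded from Temp and ProgramData (unusual path). A real deployment would read the same fields from the Sysmon operational log and should add the loading process and its parent to each hit, since the page's point is that these drivers are dropped by an EDR killer masquerading as a security product shortly before encryption begins.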
ESET said it also detected a Rust-based credential stealer codenamed OxideHarvest (aka Buildx641) that is capable of collecting data from popular web browsers, including Google Chrome, Microsoft Edge, Torch, Comodo, Epic Privacy Browser, Vivaldi, Brave, Opera, OperaGX, Mozilla Firefox, Waterfox, Blackhawk, and Icecat.
“While most ransomware gangs continue to delegate EDR killing to affiliates, Gentlemen has chosen to centralize this task by offering affiliates a ready-to-use, standardized EDR-killer suite,” ESET said. “This decision makes Gentlemen an attractive operator for partners as it lowers the entry barrier for them, making their job easier.”
The disclosure came after the CERT Coordination Center (CERT/CC) issued an advisory regarding several vendor-signed UEFI applications that are vulnerable to Secure Boot bypass via a BYOVD attack. ESET researcher Martin Smoller is credited with researching and reporting the vulnerability. The affected applications are from Acer, AMD, ASUS, ECS, Getac, Gigabyte, Toshiba, and Univil.
“If a target system trusts the affected vendor’s certificate, an attacker [with administrative privileges or physical access] can exploit these applications to execute arbitrary code during the initial pre-boot phase before the operating system starts,” CERT/CC said.
“To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in affected vendor-signed binaries, thereby preventing these vulnerable applications from executing during the boot process.”