top of page

The Gentlemen's GentleKiller: How a Standardized EDR-Killer Framework Emerged as the New Ransomware Threat

  • Jun 20
  • 3 min read

Key Findings


  • The Gentlemen ransomware operation has developed GentleKiller, a standardized EDR-killer suite distributed to affiliates before ransomware deployment

  • GentleKiller exists in at least eight variants, each impersonating legitimate products and exploiting different vulnerable drivers via BYOVD technique

  • The framework targets over 400 processes across 48 security products including CrowdStrike, SentinelOne, and Microsoft Defender

  • The Gentlemen adopts newly disclosed exploits within days of public release, demonstrating unusual operational agility

  • The group has claimed 504 victims since emerging in late 2025, with concentration in Southeast Asia, South America, and Western Europe

  • Leadership appears centralized around operator zeta88, later identified as Russian national Alexander Andreevich Yapaev


Background


The Gentlemen emerged as a ransomware-as-a-service operation in late 2025 and rapidly established itself as one of the five most active ransomware groups by Q1 2026. What distinguishes them from competitors is their operational approach to endpoint defense evasion. While most ransomware gangs leave affiliates to source their own EDR-killing tools, The Gentlemen centralized this function by providing a ready-to-use standardized suite. This significantly lowers the barrier to entry for affiliates and accelerates attack timelines.


ESET's June 18 analysis drew from months of incident investigation combined with the group's own internal data leak from May 2026. The leaked communications confirmed what researchers had hypothesized since February: leadership actively maintains and distributes EDR killer packages across the affiliate network.


GentleKiller Framework Architecture


GentleKiller serves as the centerpiece of the EDR-killer portfolio. The framework operates through a shared development template that gets minimally modified across eight distinct variants. Each variant mimics a different legitimate software product and abuses a separate vulnerable or malicious kernel driver.


The eight variants exploit drivers from:


  • Kaspersky

  • FACEIT Anti-Cheat

  • Valorant

  • Javelin

  • WatchDog

  • Network Blocker

  • Cleaner

  • G11 (using PoisonX rootkit)


The underlying code structure reveals strong commonalities suggesting intentional template reuse. This design prioritizes ease of deployment for affiliates while minimizing development effort for operators.


Target Scope and Detection Capability


GentleKiller hunts for over 400 security processes belonging to 48 distinct security vendors. Target list includes major players like CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Carbon Black, and ESET. The breadth of coverage ensures the framework can disable most enterprise security stacks encountered during affiliate operations.


Each variant applies the same defense evasion layer: binary protection via Enigma or Themida, filenames mimicking security vendors, fabricated version information, copied digital signatures, and matching icons. This standardization makes detection more difficult while maintaining consistency across the affiliate ecosystem.


Rapid Exploit Operationalization


The Gentlemen demonstrates unusual speed in weaponizing newly disclosed proof-of-concept exploits. UnknownKiller and PoisonKiller were both integrated into the operational suite within days of their public release. This rapid adoption cycle represents a significant tactical advantage, allowing the group to exploit zero-day-adjacent vulnerabilities before security teams can fully prepare defenses.


The speed is enabled by the modular template design. New drivers can be swapped into existing GentleKiller variants with minimal code modification, then distributed to affiliates through centralized channels.


Third-Party Tools Integration


Beyond proprietary GentleKiller variants, the suite incorporates three externally acquired EDR killers, each standardized with the same defense evasion layer:


  • HexKiller uses a Baidu Antivirus driver, previously associated exclusively with Warlock ransomware

  • ThrottleBlood uses a TechPowerUp driver, commonly seen in MedusaLocker and DragonForce attacks

  • HavocKiller exploits havoc.sys and was publicly disclosed by Huntress in March 2026, with Gentlemen already using it since January


All three tools receive identical treatment: binary protection, vendor name spoofing, fake version data, copied signatures, and matching icons. This standardization obscures their diverse origins and makes them appear cohesive within the Gentlemen infrastructure.


Victim Selection and Geographic Distribution


The Gentlemen's victimology breaks patterns established by competitors like Qilin, DragonForce, and Akira, which show heavy US concentration. The Gentlemen instead targets Southeast Asia, South America, and Western Europe. Leaked data reveals this isn't random targeting by individual affiliates but centralized victim selection based on FortiGate misconfiguration vulnerabilities. Leadership distributes pre-vetted targets to affiliates rather than allowing them to hunt independently.


This structured approach suggests sophisticated reconnaissance infrastructure and close operator control over affiliate activities.


Supporting Infrastructure


ESET identified OxideHarvest, a Rust-based credential stealer also tracked as buildx641, operating within the Gentlemen ecosystem. The tool targets popular browsers including Chrome, Edge, Firefox, Brave, and Opera, likely used for initial access credential harvesting during the reconnaissance phase.


The presence of purpose-built credential theft tools indicates the group maintains integrated attack infrastructure rather than relying solely on ransomware deployment.


Sources


  • https://securityaffairs.com/193941/uncategorized/inside-gentlekiller-the-edr-killer-powering-the-gentlemen.html

  • https://thehackernews.com/2026/06/the-gentlemen-raas-uses-gentlekiller.html

  • https://www.bankinfosecurity.com/gentlemen-ransomware-gang-standardizes-edr-killing-a-32007

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page