The ransomware-as-a-service (RaaS) operation known as The Gentlemen is continuously building and refining a collection of tools designed to take down endpoint detection and response (EDR) solutions. These tools are then distributed to affiliates, who use them to cripple security defenses before launching the ransomware encryptor.
This well-developed lineup of EDR-disabling utilities is built around a core framework called GentleKiller.
“The group also makes use of third-party or leaked tools, including HexKiller, ThrottleBlood, and HavocKiller,” explained Jakub Souček, a security researcher at ESET, in a report shared with The Hacker News. “These tools are unified through a common defense-evasion layer that imitates well-known security product vendors by deploying fake version details, forged certificates, and copied icons.”
ESET also highlighted the ransomware group’s remarkable speed in turning newly published proof-of-concept (PoC) exploits — related to a technique known as bring your own vulnerable driver (BYOVD) — into operational weapons, often doing so within just days of their public disclosure.
Since first appearing in March 2025, The Gentlemen have rapidly climbed the ranks to become one of the most prolific ransomware operations. According to data from Ransomware.live, the group has now claimed 504 victims, the majority based in Southeast Asia, South America, and Western Europe.
Recent investigations by cybersecurity journalist Brian Krebs and PRODAFT have identified the ringleader as Alexander Andreevich Yapaev (aka hastalamuerte), a 36-year-old Russian national who previously operated as an affiliate for other ransomware schemes, including Qilin.
ESET has characterized The Gentlemen as one of the most technically nimble RaaS operations, using a range of tactics to ensure their compiled EDR killer samples evade detection. These tactics include packing binaries with Enigma or Themida protectors and assigning file names that closely resemble those of established cybersecurity vendors — complete with matching version strings, digital signatures, and icons.
The most prominent of these tools is GentleKiller, available in eight distinct versions, each spoofing a different legitimate product and exploiting a different vulnerable or malicious driver as part of the BYOVD attack. GentleKiller specifically hunts for 400 processes tied to 48 separate security products spanning multiple vendors.
The product each variant spoofs, and the driver it loads, are as follows:
- Kaspersky (“eb.sys”)
- FACEIT Anti-Cheat (“nseckrnl.sys”)
- Valorant (“GameDriverX64.sys”)
- Javelin (“stpm_old.sys” or “stpm_new.sys”)
- WatchDog (“dmx.sys”)
- Network Blocker (“360netmon_wfp.sys”)
- Cleaner (“IMFForceDelete.sys”)
- G11 (“PoisonX.sys”)
It’s notable that “PoisonX.sys” abuse has been documented in recent months across several BYOVD campaigns — one of which was used to kill CrowdStrike Falcon EDR. In another incident detailed by Huntress, unknown attackers exploited BeyondTrust Remote Support to deploy ransomware across a network, but not before disabling security software using “PoisonX.sys” and “hrwfpdrv.sys.”
“Setting aside the impersonation layer and the specific drivers involved, the core code shows strong structural and behavioral similarities that point to a shared development blueprint,” Souček noted.
“This architecture emphasizes quick deployment and flexibility for affiliates while keeping development work to a minimum for the operators. It enables The Gentlemen to integrate exploited drivers into their arsenal almost immediately after a new EDR killer PoC surfaces.”
The third-party EDR killers based on BYOVD techniques that the group employs include:
- HexKiller (“googleApiUtil64.sys”), a tool previously believed to be used only by the Warlock ransomware group
- ThrottleBlood (“ThrottleBlood.sys”), a tool seen in attacks carried out by MedusaLocker and DragonForce affiliates
- HavocKiller or HwAudKiller (“havoc.sys”)
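A defender's hunt over driver-load telemetry for the driver file names in the two lists above, as an added example (not ESET's, Huntress's, or the group's code). It assumes Sysmon Event ID 6 (DriverLoad) records flattened into constructed `Key=Value` lines carrying `ImageLoaded` and `SignatureStatus`; because BYOVD drivers are usually validly signed, the name and the load path are the signals worth alerting on, and a valid signature is not treated as exculpatory.

```python
"""Flag driver-load events naming a driver tied to the EDR killers described above."""
import os
import re

# Driver file names from the article: GentleKiller variants, the third-party
# killers, and the two drivers from the BeyondTrust incident reported by Huntress.
KNOWN_KILLER_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys", "stpm_new.sys",
    "dmx.sys", "360netmon_wfp.sys", "imfforcedelete.sys", "poisonx.sys",
    "googleapiutil64.sys", "throttleblood.sys", "havoc.sys", "hrwfpdrv.sys",
}

# A legitimate kernel driver rarely loads from a user-writable directory.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

# Constructed sample telemetry (assumed flattened Sysmon Event ID 6 records).
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\PoisonX.sys Signed=true SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\ProgramData\\ThrottleBlood.sys Signed=true SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Temp\\dmx.sys Signed=true SignatureStatus=Revoked",
]

_FIELD = re.compile(r"(\w+)=(\S+)")  # values in this sample contain no spaces


def parse_event(line):
    """Turn a 'Key=Value Key=Value' line into a dict."""
    return dict(_FIELD.findall(line))


def assess(event):
    """Return the reasons a DriverLoad event is suspicious (empty list if none)."""
    if event.get("EventID") != "6":
        return []
    path = event.get("ImageLoaded", "")
    name = os.path.basename(path.replace("\\", "/")).lower()
    reasons = []
    if name in KNOWN_KILLER_DRIVERS:
        reasons.append(f"known EDR-killer driver name: {name}")
    if any(d in path.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("driver loaded from user-writable directory")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid (" + event.get("SignatureStatus", "?") + ")")
    return reasons


def hunt(lines):
    """Map each flagged image path to its reasons; unflagged loads are omitted."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            hits[ev.get("ImageLoaded", "<no path>")] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

Hits on a real estate should be correlated with the preceding process-creation event, since the loader impersonating a security vendor (matching version strings, icons, and signatures) is the other half of the tradecraft the article describes.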
ESET also uncovered a Rust-based credential stealer called OxideHarvest (also known as buildx641), capable of extracting stored data from a wide range of web browsers, including Google Chrome, Microsoft Edge, Torch, Comodo, Epic Privacy Browser, Vivaldi, Brave, Opera, OperaGX, Mozilla Firefox, Waterfox, BlackHawk, and IceCat.
“While most ransomware groups leave EDR killing to their affiliates, The Gentlemen have opted to centralize this capability by providing affiliates with a pre-built, standardized EDR-killer suite,” ESET stated. “This approach makes The Gentlemen particularly appealing to affiliates, as it significantly lowers the barrier to entry and streamlines their operations.”
This revelation comes as the CERT Coordination Center (CERT/CC) published an advisory warning that multiple vendor-signed UEFI applications contain vulnerabilities allowing Secure Boot to be bypassed through a BYOVD attack. ESET researcher Martin Smolár is credited with investigating and reporting the flaw. The affected applications come from Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, and Uniwill.
“If a target system recognizes the affected vendor’s certificate as trusted, an attacker [with administrative access or physical access to the machine] can leverage these applications to run arbitrary code during the early pre-boot stage, before the operating system even starts up,” CERT/CC explained.
“To address this threat, system administrators should update the UEFI Forbidden Signature Database (DBX) to revoke trust in the affected vendor-signed binaries, blocking these vulnerable applications from executing during the boot process.”