The Gentlemen RaaS Strengthens Cyber Attacks with GentleKiller EDR Framework Targeting 400 Security Processes

The Gentlemen RaaS Strengthens Cyber Attacks with GentleKiller EDR Framework Targeting 400 Security Processes

The rise of the Gentlemen ransomware-as-a-service (RaaS) operation signifies a notable shift in cybercriminal strategies. This group is actively enhancing its capabilities by developing advanced endpoint detection and response (EDR) killers, which are distributed to affiliates for disabling system defenses before deploying encryption payloads. This evolution poses increased risks to organizations globally.

The GentleKiller Framework

Central to the Gentlemen’s operations is the GentleKiller framework, which underpins their suite of EDR-terminating tools. This collection includes various third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller. ESET security researcher Jakub Souček indicates that these tools are standardized through a shared defense-evasion layer that mimics well-known security vendors. They employ fake version information, along with replicated legitimate certificates and icons, to avoid detection.

The group’s ability to quickly operationalize newly disclosed proof-of-concept (PoC) exploits related to the “bring your own vulnerable driver” (BYOVD) attack technique is particularly concerning. ESET has observed that the Gentlemen can implement these exploits within days of their public release, showcasing a level of agility that raises alarms among cybersecurity experts.

Rapid Rise and Victim Profile

Since its formation in March 2025, the Gentlemen group has swiftly gained prominence among ransomware organizations. Data from Ransomware.live reveals that the group has claimed 504 victims to date, with a significant concentration in Southeast Asia, South America, and Western Europe. This geographical spread highlights the global threat posed by this RaaS operation, targeting a diverse array of organizations across multiple sectors.

Investigations have identified Alexander Andreevich Yapaev, a 36-year-old Russian national, as a pivotal figure leading the operation. Known by the alias hastalamuerte, Yapaev previously served as an affiliate for other ransomware schemes, including Qilin. His leadership appears to have propelled the Gentlemen to new heights within the competitive cybercrime landscape.

Technical Sophistication and Evasion Techniques

ESET has characterized the Gentlemen as one of the most technically adept RaaS groups currently active. The group employs a variety of techniques designed to ensure that their EDR killer samples evade detection. This includes binary protection methods utilizing Enigma or Themida, as well as file names that closely resemble those of reputable cybersecurity vendors, complete with their version information, digital signatures, and icons.

The GentleKiller framework features eight distinct variants, each mimicking legitimate products and exploiting different vulnerable or malicious drivers as part of the BYOVD attack strategy. Specifically, GentleKiller targets 400 processes associated with 48 distinct security programs from various vendors. The drivers exploited by these variants include:

  • Kaspersky (“eb.sys”)
  • FACEIT Anti-Cheat (“nseckrnl.sys”)
  • Valorant (“GameDriverX64.sys”)
  • Javelin (“stpm_old.sys” or “stpm_new.sys”)
  • WatchDog (“dmx.sys”)
  • Network Blocker (“360netmon_wfp.sys”)
  • Cleaner (“IMFForceDelete.sys”)
  • G11 (“PoisonX.sys”)

Notably, the exploitation of “PoisonX.sys” has been linked to multiple BYOVD attacks, including one that successfully bypassed CrowdStrike Falcon EDR. Another campaign, as detailed by Huntress, involved the use of “PoisonX.sys” and “hrwfpdrv.sys” to terminate security tools before deploying ransomware.

Shared Development Template

The underlying code of these EDR killers reveals numerous structural and behavioral similarities, indicating the use of a shared development template. This design prioritizes operational flexibility for affiliates while minimizing development effort for the operators. Such a framework allows the Gentlemen to quickly integrate newly abused drivers into their toolset following the disclosure of an EDR killer PoC.

The group also employs third-party, BYOVD-based EDR killers, including:

  • HexKiller (“googleApiUtil64.sys”), previously thought to be exclusive to the Warlock ransomware gang
  • ThrottleBlood (“ThrottleBlood.sys”), observed in attacks by MedusaLocker and DragonForce affiliates
  • HavocKiller or HwAudKiller (“havoc.sys”)

Additionally, ESET has identified a Rust-based credential stealer named OxideHarvest, capable of extracting data from popular web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox. This capability further enhances the group’s operational effectiveness.

Centralized EDR-Killing Functionality

Unlike many ransomware groups that delegate EDR-killing responsibilities to affiliates, the Gentlemen have centralized this function by providing a standardized EDR-killer suite. This strategic decision lowers the entry barrier for affiliates, facilitating their engagement in ransomware activities. This approach not only amplifies the threat landscape but also complicates the efforts of cybersecurity professionals working to defend against such attacks.

The urgency of addressing these threats is underscored by a recent advisory from the CERT Coordination Center (CERT/CC), which highlighted vulnerabilities in multiple vendor-signed UEFI applications that could be exploited via BYOVD attacks. The advisory indicates that if a target system trusts the affected vendor’s certificate, an attacker with administrative privileges or physical access could execute arbitrary code during the pre-boot phase, prior to the operating system’s initialization.

To mitigate these risks, system administrators are advised to apply updates to the UEFI Forbidden Signature Database (DBX) to revoke trust in the affected vendor-signed binaries, thereby preventing their execution during the boot process.

As reported by cyberwarriorsmiddleeast.com, the emergence of the Gentlemen RaaS operation and its sophisticated tactics highlights the evolving landscape of cyber threats.

Explore the latest digital editions of FAME Delivered in the Magazine section: https://famedelivered.com/magazine/

Published on 2026-06-21 20:03:00 • By FAME Delivered News Desk

The Gentlemen RaaS Strengthens Cyber Attacks with GentleKiller EDR Framework Targeting 400 Security Processes

The Gentlemen RaaS Strengthens Cyber Attacks with GentleKiller EDR Framework Targeting 400 Security Processes

The rise of the Gentlemen ransomware-as-a-service (RaaS) operation signifies a notable shift in cybercriminal strategies. This group is actively enhancing its capabilities by developing advanced endpoint detection and response (EDR) killers, which are distributed to affiliates for disabling system defenses before deploying encryption payloads. This evolution poses increased risks to organizations globally.

The GentleKiller Framework

Central to the Gentlemen’s operations is the GentleKiller framework, which underpins their suite of EDR-terminating tools. This collection includes various third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller. ESET security researcher Jakub Souček indicates that these tools are standardized through a shared defense-evasion layer that mimics well-known security vendors. They employ fake version information, along with replicated legitimate certificates and icons, to avoid detection.

The group’s ability to quickly operationalize newly disclosed proof-of-concept (PoC) exploits related to the “bring your own vulnerable driver” (BYOVD) attack technique is particularly concerning. ESET has observed that the Gentlemen can implement these exploits within days of their public release, showcasing a level of agility that raises alarms among cybersecurity experts.

Rapid Rise and Victim Profile

Since its formation in March 2025, the Gentlemen group has swiftly gained prominence among ransomware organizations. Data from Ransomware.live reveals that the group has claimed 504 victims to date, with a significant concentration in Southeast Asia, South America, and Western Europe. This geographical spread highlights the global threat posed by this RaaS operation, targeting a diverse array of organizations across multiple sectors.

Investigations have identified Alexander Andreevich Yapaev, a 36-year-old Russian national, as a pivotal figure leading the operation. Known by the alias hastalamuerte, Yapaev previously served as an affiliate for other ransomware schemes, including Qilin. His leadership appears to have propelled the Gentlemen to new heights within the competitive cybercrime landscape.

Technical Sophistication and Evasion Techniques

ESET has characterized the Gentlemen as one of the most technically adept RaaS groups currently active. The group employs a variety of techniques designed to ensure that their EDR killer samples evade detection. This includes binary protection methods utilizing Enigma or Themida, as well as file names that closely resemble those of reputable cybersecurity vendors, complete with their version information, digital signatures, and icons.

The GentleKiller framework features eight distinct variants, each mimicking legitimate products and exploiting different vulnerable or malicious drivers as part of the BYOVD attack strategy. Specifically, GentleKiller targets 400 processes associated with 48 distinct security programs from various vendors. The drivers exploited by these variants include:

  • Kaspersky (“eb.sys”)
  • FACEIT Anti-Cheat (“nseckrnl.sys”)
  • Valorant (“GameDriverX64.sys”)
  • Javelin (“stpm_old.sys” or “stpm_new.sys”)
  • WatchDog (“dmx.sys”)
  • Network Blocker (“360netmon_wfp.sys”)
  • Cleaner (“IMFForceDelete.sys”)
  • G11 (“PoisonX.sys”)

Notably, the exploitation of “PoisonX.sys” has been linked to multiple BYOVD attacks, including one that successfully bypassed CrowdStrike Falcon EDR. Another campaign, as detailed by Huntress, involved the use of “PoisonX.sys” and “hrwfpdrv.sys” to terminate security tools before deploying ransomware.

Shared Development Template

The underlying code of these EDR killers reveals numerous structural and behavioral similarities, indicating the use of a shared development template. This design prioritizes operational flexibility for affiliates while minimizing development effort for the operators. Such a framework allows the Gentlemen to quickly integrate newly abused drivers into their toolset following the disclosure of an EDR killer PoC.

The group also employs third-party, BYOVD-based EDR killers, including:

  • HexKiller (“googleApiUtil64.sys”), previously thought to be exclusive to the Warlock ransomware gang
  • ThrottleBlood (“ThrottleBlood.sys”), observed in attacks by MedusaLocker and DragonForce affiliates
  • HavocKiller or HwAudKiller (“havoc.sys”)

Additionally, ESET has identified a Rust-based credential stealer named OxideHarvest, capable of extracting data from popular web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox. This capability further enhances the group’s operational effectiveness.

Centralized EDR-Killing Functionality

Unlike many ransomware groups that delegate EDR-killing responsibilities to affiliates, the Gentlemen have centralized this function by providing a standardized EDR-killer suite. This strategic decision lowers the entry barrier for affiliates, facilitating their engagement in ransomware activities. This approach not only amplifies the threat landscape but also complicates the efforts of cybersecurity professionals working to defend against such attacks.

The urgency of addressing these threats is underscored by a recent advisory from the CERT Coordination Center (CERT/CC), which highlighted vulnerabilities in multiple vendor-signed UEFI applications that could be exploited via BYOVD attacks. The advisory indicates that if a target system trusts the affected vendor’s certificate, an attacker with administrative privileges or physical access could execute arbitrary code during the pre-boot phase, prior to the operating system’s initialization.

To mitigate these risks, system administrators are advised to apply updates to the UEFI Forbidden Signature Database (DBX) to revoke trust in the affected vendor-signed binaries, thereby preventing their execution during the boot process.

As reported by cyberwarriorsmiddleeast.com, the emergence of the Gentlemen RaaS operation and its sophisticated tactics highlights the evolving landscape of cyber threats.

Explore the latest digital editions of FAME Delivered in the Magazine section: https://famedelivered.com/magazine/

Published on 2026-06-21 20:03:00 • By FAME Delivered News Desk

Latest Posts

Latest Posts

Don't Miss

Subscribe

To be updated with all the latest news, offers and special announcements.