The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a sophisticated collection of endpoint detection and response (EDR) killing tools designed to weaken security defenses before ransomware deployment. According to research published by ESET, the group’s toolkit revolves around a framework known as GentleKiller, which is distributed to affiliates as part of a standardized defense evasion package. Researchers noted that the operation also incorporates third-party and leaked tools such as HexKiller, ThrottleBlood, and HavocKiller, integrating them into a common framework that impersonates legitimate cybersecurity products through fake version information, copied digital certificates, and replicated software icons. ESET highlighted the group’s ability to rapidly operationalize newly disclosed proof-of-concept exploits linked to the bring-your-own-vulnerable-driver (BYOVD) technique, often incorporating them into attacks within days of their public release. Since emerging in March 2025, The Gentlemen has become one of the most active ransomware groups globally. Data from Ransomware.live indicates that the operation has claimed 504 victims, with the majority located across Southeast Asia, South America, and Western Europe.
Recent investigations by cybersecurity journalist Brian Krebs and threat intelligence firm PRODAFT revealed that the operation is allegedly led by 36-year-old Russian national Alexander Andreevich Yapaev, also known as hastalamuerte. Before leading The Gentlemen, Yapaev reportedly worked as an affiliate for other ransomware programs, including Qilin. ESET described the group as one of the most technically agile ransomware operations currently active, emphasizing its use of multiple techniques to help EDR killer tools evade security monitoring. Compiled samples are commonly protected using software packers such as Enigma and Themida, while file names are intentionally crafted to resemble products from well-known cybersecurity vendors. The most prominent component of the toolkit is GentleKiller, which exists in eight variants. Each variant mimics a different legitimate product and abuses a distinct vulnerable or malicious driver to carry out BYOVD attacks. Researchers found that GentleKiller is capable of identifying and targeting approximately 400 processes associated with 48 separate security solutions, significantly increasing its ability to disable endpoint protection software before ransomware execution.
The eight identified GentleKiller variants abuse drivers linked to Kaspersky, FACEIT Anti-Cheat, Valorant, Javelin, WatchDog, Network Blocker, Cleaner, and G11. Researchers also pointed to the growing abuse of PoisonX.sys, a driver that has recently appeared in multiple BYOVD attacks. One previously documented campaign used the driver to disable CrowdStrike Falcon EDR, while another incident investigated by Huntress involved threat actors exploiting BeyondTrust Remote Support to deploy ransomware after terminating security tools using PoisonX.sys and hrwfpdrv.sys. ESET researchers observed that despite differences in branding and the drivers employed, the underlying architecture of these tools remains highly consistent. This indicates the use of a shared development template that simplifies deployment for affiliates while reducing development requirements for operators. The approach allows The Gentlemen to quickly incorporate newly discovered BYOVD techniques and release updated tools to affiliates with minimal delay, helping maintain operational effectiveness against modern security products.
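As an added example, not code from ESET or from the reported toolkit: a small Python detection routine that scans Sysmon driver-load (Event ID 6) style records for the BYOVD and impersonation traits described above (known abused driver names, a security-vendor signer whose signature does not verify, and a driver loaded from a user-writable path). It assumes a constructed `key=value|key=value` record format, a constructed vendor list and constructed sample lines; only the two driver file names come from the article.

```python
"""Flag suspicious kernel driver loads in Sysmon Event ID 6 style records.

Added example, not ESET's or the toolkit's code. Record format, vendor list
and sample lines are constructed for illustration.
"""
import re

# Driver file names the article reports as abused in BYOVD attacks.
KNOWN_ABUSED_DRIVERS = {"poisonx.sys", "hrwfpdrv.sys"}

# Security vendors whose names an impersonating driver may borrow (assumed list).
SECURITY_VENDORS = ("kaspersky", "crowdstrike", "eset", "faceit")

_FIELD = re.compile(r"(\w+)=([^|]*)")


def parse_record(line):
    """Parse a constructed 'key=value|key=value' record into a dict."""
    return {k.strip(): v.strip() for k, v in _FIELD.findall(line)}


def classify(record):
    """Return the reasons a driver load looks suspicious (empty list if none)."""
    reasons = []
    path = record.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    signer = record.get("Signature", "").lower()
    status = record.get("SignatureStatus", "").lower()
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append("known abused driver: " + name)
    # A copied certificate carries a vendor name but fails verification.
    if any(v in signer for v in SECURITY_VENDORS) and status != "valid":
        reasons.append("security-vendor signer with non-valid signature: " + status)
    # Legitimate drivers live in the driver store, not under a user profile.
    if "\\users\\" in path.lower():
        reasons.append("driver loaded from user profile path")
    return reasons


def scan(lines):
    """Map each flagged driver path to its list of reasons."""
    findings = {}
    for line in lines:
        rec = parse_record(line)
        reasons = classify(rec)
        if reasons:
            findings[rec["ImageLoaded"]] = reasons
    return findings


# Constructed sample records: one benign load, two suspicious ones.
SAMPLE_LOG = [
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\example_av.sys|Signed=true|Signature=ESET|SignatureStatus=Valid",
    r"EventID=6|ImageLoaded=C:\Users\Public\PoisonX.sys|Signed=true|Signature=Example Signer|SignatureStatus=Unavailable",
    r"EventID=6|ImageLoaded=C:\Windows\Temp\kaspersky_svc.sys|Signed=true|Signature=Kaspersky|SignatureStatus=Errors",
]

if __name__ == "__main__":
    for drv, why in scan(SAMPLE_LOG).items():
        print(drv, "->", "; ".join(why))
```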
In addition to EDR-killing capabilities, ESET identified a Rust-based credential-stealing malware known as OxideHarvest, also referred to as buildx641, being used within the group’s ecosystem. The malware is capable of collecting information from a wide range of web browsers, including Google Chrome, Microsoft Edge, Torch, Comodo, Epic Privacy Browser, Vivaldi, Brave, Opera, OperaGX, Mozilla Firefox, Waterfox, BlackHawk, and IceCat. Researchers stated that while many ransomware operations leave EDR disabling activities to individual affiliates, The Gentlemen has centralized this capability by providing a ready-to-use suite of tools that lowers the technical barrier for participants. The findings were released alongside a separate advisory from the CERT Coordination Center regarding multiple vendor-signed UEFI applications that are vulnerable to Secure Boot bypass through BYOVD attacks. The affected applications include products from Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, and Uniwill. Researchers warned that systems trusting the affected vendor certificates could allow attackers with administrative privileges or physical access to execute arbitrary code during the pre-boot stage. The CERT Coordination Center advised organizations to update the UEFI Forbidden Signature Database, known as DBX, to revoke trust in vulnerable binaries and reduce exposure to these threats.