GentleKiller: The Gentlemen Ransomware's Sophisticated EDR Evasion Framework
The **Gentlemen** ransomware-as-a-service (RaaS) operation is leveraging a highly sophisticated suite of endpoint detection and response (EDR) killer tools, collectively known as **GentleKiller**. This framework, distributed to affiliates, is designed to cripple system defenses before encryption, demonstrating an alarming agility in operationalizing newly disclosed 'bring your own vulnerable driver' (BYOVD) exploits.

The **Gentlemen** RaaS operation is actively developing and maintaining a robust portfolio of EDR-terminating tools, centered around a framework known as **GentleKiller**. This framework is provided to affiliates to impair system defenses effectively before deploying their encryptor.
### A Mature EDR Killer Ecosystem
According to **ESET** security researcher Jakub Souček, **GentleKiller** incorporates third-party or leaked tools such as **HexKiller**, **ThrottleBlood**, and **HavocKiller**. These tools are standardized through a shared defense-evasion layer, which typically impersonates security vendors using fake version information, copied legitimate certificates, and icons.
**ESET** has highlighted the ransomware group's remarkable ability to operationalize newly disclosed proof-of-concept (PoC) exploits related to 'bring your own vulnerable driver' (**BYOVD**) attacks, often within days of their public release.
### The Rise of The Gentlemen
Since its emergence in March 2025, **The Gentlemen** has quickly become one of the most active ransomware groups. Data from Ransomware.live indicates the group has claimed over 504 victims to date, predominantly in Southeast Asia, South America, and Western Europe.
Recent reports from cybersecurity journalist Brian Krebs and **PRODAFT** have identified 36-year-old Russian national Alexander Andreevich Yapaev (aka **hastalamuerte**) as the alleged leader of the operation, who previously acted as an affiliate for other ransomware schemes, including **Qilin**.
### Technical Agility and Evasion Tactics
**ESET** describes **The Gentlemen** as one of the most technically agile RaaS groups. They employ various techniques to ensure their compiled EDR killer samples evade detection. These include binary protection using **Enigma** or **Themida** and using file names that mimic well-known cybersecurity vendors, complete with fake version information, digital signatures, and icons.
**GentleKiller** itself comes in eight distinct variants, each mimicking a different legitimate product and abusing a unique vulnerable or malicious driver as part of its **BYOVD** attack. **GentleKiller** specifically targets 400 processes associated with 48 distinct security programs from numerous vendors.
### Exploited Drivers and Third-Party Tools
The list of drivers exploited by each **GentleKiller** variant includes:
* **Kaspersky** ("eb.sys")
* **FACEIT Anti-Cheat** ("nseckrnl.sys")
* **Valorant** ("GameDriverX64.sys")
* **Javelin** ("stpm_old.sys" or "stpm_new.sys")
* **WatchDog** ("dmx.sys")
* **Network Blocker** ("360netmon_wfp.sys")
* **Cleaner** ("IMFForceDelete.sys")
* **G11** ("PoisonX.sys")
The abuse of "PoisonX.sys" has been noted in recent **BYOVD** attacks, including one that targeted **CrowdStrike Falcon EDR**. Another campaign, detailed by **Huntress**, involved threat actors leveraging **BeyondTrust Remote Support** to deploy ransomware after terminating security tools via "PoisonX.sys" and "hrwfpdrv.sys."
Souček notes that despite the impersonation layer and specific drivers, the underlying code reveals numerous structural and behavioral commonalities, suggesting a shared development template. This design prioritizes ease of deployment and operational flexibility for affiliates, while minimizing development effort for the operators.
The third-party, **BYOVD**-based EDR killers used by the group include:
* **HexKiller** ("googleApiUtil64.sys"), previously linked to the **Warlock** ransomware gang.
* **ThrottleBlood** ("ThrottleBlood.sys"), observed in attacks by **MedusaLocker** and **DragonForce** affiliates.
* **HavocKiller** or **HwAudKiller** ("havoc.sys").
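A defender's starting point for the two driver lists above is a driver-load hunt. The following is an added example (not ESET's or the article's code) that scans constructed, Sysmon-style driver-load records for the file names named in this article, plus two generic heuristics that are assumptions for this example: loading from a user-writable directory and a non-valid signature status. Note that the abused drivers are legitimately signed, so a valid signature alone clears nothing.

```python
import re
from pathlib import PureWindowsPath

# Driver file names named in the article for the GentleKiller variants and the
# third-party killers (HexKiller, ThrottleBlood, HavocKiller), lower-cased.
KNOWN_BYOVD_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys", "stpm_new.sys",
    "dmx.sys", "360netmon_wfp.sys", "imfforcedelete.sys", "poisonx.sys",
    "hrwfpdrv.sys", "googleapiutil64.sys", "throttleblood.sys", "havoc.sys",
}

# Directories a legitimate driver is normally not loaded from (assumption for
# this example; tune to the environment).
SUSPICIOUS_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\")

# Constructed sample records in a simplified, pipe-delimited Sysmon EID 6 style.
SAMPLE_EVENTS = [
    "EventID=6 | ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid",
    "EventID=6 | ImageLoaded=C:\\ProgramData\\Update\\PoisonX.sys | Signed=true | Signature=Example Vendor Ltd | SignatureStatus=Valid",
    "EventID=6 | ImageLoaded=C:\\Windows\\Temp\\ThrottleBlood.sys | Signed=true | Signature=Example Corp | SignatureStatus=Valid",
]

FIELD_RE = re.compile(r"(\w+)=([^|]*)")

def parse_driver_load(line):
    """Parse a pipe-delimited key=value driver-load record into a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def assess_driver_load(line):
    """Return the reasons this driver load looks like BYOVD, or [] if clean."""
    ev = parse_driver_load(line)
    path = ev.get("ImageLoaded", "")
    name = PureWindowsPath(path).name.lower()
    reasons = []
    if name in KNOWN_BYOVD_DRIVERS:
        reasons.append(f"known-abused driver name {name}")
    if any(d in path.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("loaded from user-writable directory")
    if ev.get("SignatureStatus", "").lower() not in ("valid", ""):
        reasons.append(f"signature status {ev['SignatureStatus']}")
    return reasons

def scan_driver_loads(lines):
    """Return (record, reasons) pairs for every record that raised a reason."""
    return [(line, r) for line in lines if (r := assess_driver_load(line))]

if __name__ == "__main__":
    for record, reasons in scan_driver_loads(SAMPLE_EVENTS):
        print(record.split("|")[1].strip(), "->", "; ".join(reasons))
```

In production the name list would be replaced or supplemented by the drivers' hashes from a vulnerable-driver blocklist, since the file name is trivially renamed.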
### Beyond Ransomware: Credential Stealing
**ESET** also identified a Rust-based credential stealer, codenamed **OxideHarvest** (aka **buildx641**), used by the group. This tool is capable of harvesting data from popular web browsers such as **Google Chrome**, **Microsoft Edge**, **Torch**, **Comodo**, **Epic Privacy Browser**, **Vivaldi**, **Brave**, **Opera**, **OperaGX**, **Mozilla Firefox**, **Waterfox**, **BlackHawk**, and **IceCat**.
### Lowering the Barrier for Affiliates
**ESET** concludes that while most ransomware gangs delegate EDR killing to affiliates, **The Gentlemen** has centralized this function by offering a ready-to-use, standardized EDR-killer suite. This approach significantly lowers the entry barrier for affiliates, making their operations easier and more attractive.
### UEFI Vulnerabilities and Secure Boot Bypass
This disclosure coincides with an advisory from the **CERT Coordination Center (CERT/CC)** regarding multiple vendor-signed **UEFI** applications vulnerable to **Secure Boot** bypass via **BYOVD** attacks. **ESET** researcher Martin Smolár is credited with researching and reporting this vulnerability. Impacted applications are from **Acer**, **AMD**, **ASUS**, **ECS**, **Getac**, **GIGABYTE**, **Toshiba**, and **Uniwill**.
**CERT/CC** warns that if a target system trusts the affected vendor's certificate, an attacker with administrative privileges or physical access can exploit these applications to execute arbitrary code during the early pre-boot phase. To mitigate this risk, system administrators should apply updates to the **UEFI Forbidden Signature Database (DBX)** to revoke trust in these vulnerable binaries.