The Gentlemen RaaS Strengthens Cyber Attacks with GentleKiller EDR Framework Targeting 400 Security Processes


The emergence of the Gentlemen ransomware-as-a-service (RaaS) operation marks a notable shift in cybercriminal tactics. The group is actively developing a suite of endpoint detection and response (EDR) killers, which it distributes to affiliates so they can disable host defenses before deploying the encryption payload. This both raises the operational capability of ransomware affiliates and increases the risk to organizations worldwide.

The GentleKiller Framework

At the core of the Gentlemen’s arsenal is a framework known as GentleKiller, which serves as a foundation for their EDR-terminating tools. This portfolio includes various third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller. According to ESET security researcher Jakub Souček, these tools are standardized through a shared defense-evasion layer that impersonates well-known security vendors. They utilize fake version information, along with copied legitimate certificates and icons, to evade detection.

The ability of the Gentlemen to operationalize newly disclosed proof-of-concept (PoC) exploits related to the “bring your own vulnerable driver” (BYOVD) attack technique is particularly alarming. ESET has noted that this group can often implement these exploits within days of their public release, demonstrating a level of agility that is concerning for cybersecurity professionals.

Rapid Rise and Victim Profile

Since its inception in March 2025, the Gentlemen group has rapidly ascended to prominence among ransomware organizations. Data from Ransomware.live indicates that the group has claimed 504 victims to date, with a significant concentration in Southeast Asia, South America, and Western Europe. This geographical distribution underscores the global threat posed by this RaaS operation, as it targets a diverse range of organizations across multiple sectors.

Recent investigations have identified Alexander Andreevich Yapaev, a 36-year-old Russian national, as a key figure leading the operation. Yapaev, known by the alias hastalamuerte, previously acted as an affiliate for other ransomware schemes, including Qilin. His leadership appears to have propelled the Gentlemen to new heights in the competitive landscape of cybercrime.

Technical Sophistication and Evasion Techniques

ESET has characterized the Gentlemen as one of the most technically agile RaaS groups operating today. The group employs an array of techniques designed to ensure that their EDR killer samples evade detection. This includes binary protection methods utilizing Enigma or Themida, as well as file names that closely resemble those of reputable cybersecurity vendors, complete with their version information, digital signatures, and icons.

The GentleKiller framework features eight distinct variants, each mimicking a legitimate product and abusing a different vulnerable or malicious driver as part of the BYOVD strategy. In total, GentleKiller targets 400 processes belonging to 48 distinct security products from various vendors. The variants, with the driver each one exploits, are:

  • Kaspersky (“eb.sys”)
  • FACEIT Anti-Cheat (“nseckrnl.sys”)
  • Valorant (“GameDriverX64.sys”)
  • Javelin (“stpm_old.sys” or “stpm_new.sys”)
  • WatchDog (“dmx.sys”)
  • Network Blocker (“360netmon_wfp.sys”)
  • Cleaner (“IMFForceDelete.sys”)
  • G11 (“PoisonX.sys”)

Notably, the exploitation of “PoisonX.sys” has been linked to multiple BYOVD attacks, including one that successfully bypassed CrowdStrike Falcon EDR. Another campaign detailed by Huntress involved the use of “PoisonX.sys” and “hrwfpdrv.sys” to terminate security tools before deploying ransomware.

Shared Development Template

The underlying code of these EDR killers reveals numerous structural and behavioral similarities, suggesting the use of a shared development template. This design prioritizes operational flexibility for affiliates while minimizing development effort for the operators. Such a framework allows the Gentlemen to quickly integrate newly abused drivers into their toolset following the disclosure of an EDR killer PoC.

The group also employs third-party, BYOVD-based EDR killers, including:

  • HexKiller (“googleApiUtil64.sys”), previously thought to be exclusive to the Warlock ransomware gang
  • ThrottleBlood (“ThrottleBlood.sys”), observed in attacks by MedusaLocker and DragonForce affiliates
  • HavocKiller or HwAudKiller (“havoc.sys”)
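The two driver lists above (the eight GentleKiller variants and the third-party killers, plus "hrwfpdrv.sys" from the Huntress case) are the most directly actionable detail in the report for a defender. The following is an added example, not ESET's, the article's, or any vendor's code: it triages driver-load events against those file names and two generic heuristics. The event fields (ImageLoaded, Signed, SignatureStatus) mirror Sysmon Event ID 6 (DriverLoad); the log text, the expected driver directory and the helper names are constructed for the example.

```python
"""Triage driver-load events against the driver names in the report.

Added example; not ESET's, the article's or any vendor's code. The event
fields (ImageLoaded, Signed, SignatureStatus) mirror Sysmon Event ID 6
(DriverLoad); the log text below is constructed for the example.
"""
import ntpath
from dataclasses import dataclass

# Driver file names the article lists: the eight GentleKiller variants,
# the third-party BYOVD killers the group also uses, and hrwfpdrv.sys from
# the Huntress case. Matching is by file name only (see caveat in prose).
ABUSED_DRIVER_NAMES = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys",
    "stpm_new.sys", "dmx.sys", "360netmon_wfp.sys", "imfforcedelete.sys",
    "poisonx.sys", "googleapiutil64.sys", "throttleblood.sys", "havoc.sys",
    "hrwfpdrv.sys",
}

# Where Windows normally loads kernel drivers from (assumption for the
# location heuristic; extend with DriverStore paths on real data).
EXPECTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample log: three DriverLoad events as 'Key: Value' blocks.
SAMPLE_LOG = """\
ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys
Signed: true
SignatureStatus: Valid

ImageLoaded: C:\\Users\\Public\\PoisonX.sys
Signed: true
SignatureStatus: Valid

ImageLoaded: C:\\ProgramData\\svc\\update.sys
Signed: false
SignatureStatus: Unavailable
"""


@dataclass(frozen=True)
class Finding:
    image: str
    reasons: tuple


def parse_events(text: str) -> list:
    """Split blank-line-separated 'Key: Value' blocks into dicts."""
    events, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def assess(event: dict):
    """Return a Finding for a suspicious driver load, or None."""
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    reasons = []
    # Rule 1: the file name is one the report ties to EDR killers. This is
    # the rule that catches BYOVD, because the abused driver's signature
    # is genuinely valid and rule 2 will not fire on it.
    if name in ABUSED_DRIVER_NAMES:
        reasons.append("known-abused driver name")
    # Rule 2: a driver whose signature Sysmon could not validate.
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    # Rule 3: a driver loaded from outside the usual driver directory.
    if not image.lower().startswith(EXPECTED_DRIVER_DIR):
        reasons.append("loaded from outside System32\\drivers")
    return Finding(image, tuple(reasons)) if reasons else None


def triage(text: str) -> list:
    """Parse a log and return a Finding for every suspicious event."""
    return [f for f in map(assess, parse_events(text)) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.image, "->", ", ".join(finding.reasons))
```

Two caveats when using this on real telemetry. Matching on file name alone will also fire on a legitimate installation of the product the driver belongs to, so the name rule is a triage trigger, not a verdict; the specific vulnerable driver versions should be matched by hash from the Hashes field once they are known. And because BYOVD relies on a driver whose signature is valid, the signature rule exists to catch the cruder cases, not the technique the report describes.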

Additionally, ESET has identified a Rust-based credential stealer named OxideHarvest, capable of extracting data from popular web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox. This capability further enhances the group’s operational effectiveness.

Centralized EDR-Killing Functionality

Unlike many ransomware groups that leave EDR killing to their affiliates, the Gentlemen have centralized this function by supplying a standardized EDR-killer suite. This lowers the entry barrier for affiliates, who no longer need to source or build their own evasion tooling. The result is both a broader threat and a harder problem for defenders, since every affiliate now arrives with the same mature capability.

The urgency of addressing these threats is underscored by a recent advisory from the CERT Coordination Center (CERT/CC), which highlighted vulnerabilities in multiple vendor-signed UEFI applications that could be exploited via BYOVD attacks. The advisory indicates that if a target system trusts the affected vendor’s certificate, an attacker with administrative privileges or physical access could execute arbitrary code during the pre-boot phase, prior to the operating system’s initialization.

To mitigate these risks, system administrators are advised to apply updates to the UEFI Forbidden Signature Database (DBX) to revoke trust in the affected vendor-signed binaries, thereby preventing their execution during the boot process.

For further details, refer to the original reporting source: thehackernews.com.
