The Gentlemen RaaS: Operator-Managed EDR Killer Suite Actively Targeting Enterprise Endpoints
June 25th, 2026
High

Our Cyber Threat Intelligence Unit is monitoring the active operations of The Gentlemen, a ransomware-as-a-service (RaaS) group that emerged in late 2025 and ranked among the five most active ransomware gangs in Q1 2026. On June 18, 2026, ESET Research published a detailed technical analysis revealing an operator-managed portfolio of endpoint detection and response (EDR) killers provided directly to affiliates, an approach that differs from most major RaaS operations, where affiliates typically source their own defense-evasion tooling. At the centre of this suite is GentleKiller, an in-house framework with at least eight documented variants. Each variant abuses a different vulnerable or malicious driver using the Bring Your Own Vulnerable Driver (BYOVD) technique to attain kernel-level privileges and terminate security processes across more than 400 targeted executables associated with 48 security vendors and products. The suite also incorporates three externally sourced EDR killers, HexKiller, ThrottleBlood, and HavocKiller, standardized through a shared defense-evasion layer. A Rust-based credential stealer, OxideHarvest, attributed to a Gentlemen affiliate, has also been observed in intrusions. Victims are reportedly selected based on FortiGate endpoint misconfiguration rather than geographic criteria. Organizations relying on EDR for primary endpoint defense should treat this toolset as an active and escalating threat.
Technical Details
Threat Type: Ransomware-as-a-Service (RaaS); EDR Evasion / Defense Impairment; Credential Theft
Severity: High
Threat Actors: The Gentlemen; founding operator aliases: hastalamuerte / zeta88 (per Group-IB)
Affected Systems: Windows endpoints protected by any of 48 EDR/AV products targeted by the GentleKiller process list, including Microsoft Defender, CrowdStrike Falcon, SentinelOne, Palo Alto Cortex XDR, Sophos, ESET, Bitdefender, Kaspersky, McAfee/Trellix, and Trend Micro, among others. Linux and ESXi environments are also targeted by the Gentlemen encryptor.
Exploit Status: Actively exploited in the wild
Attack Chain Overview:
Initial Access: Victims are selected based on FortiGate endpoint misconfigurations. Initial access methods are consistent with credential abuse and exploitation of exposed network perimeter devices.
Privilege Escalation / Defense Impairment: Upon gaining access, affiliates deploy the GentleKiller suite (staged in a directory named GentlemenCollection) using the BYOVD technique. A vulnerable or malicious driver is loaded as a Windows service, granting the tool kernel-level privileges. The tool then terminates targeted security processes in a loop, using identical code obfuscation across variants.
EDR Killer Framework GentleKiller (in-house): Eight documented variants, each impersonating a different legitimate product (Kaspersky, FACEIT Anti-Cheat, Valorant, Javelin, WatchDog, Network Blocker, Cleaner, G11) and loading a different abused driver. Binaries are protected with commercial packers (Enigma or Themida), carry fabricated version information, invalid but copied digital signatures, and icons matching the impersonated vendor. GentleKiller targets more than 400 processes across 48 products.
Credential Theft: OxideHarvest, a Rust-based credential stealer attributed to a Gentlemen affiliate, harvests saved credentials from Chromium-based and Gecko-based browsers. The tool accepts command-line parameters specifying target hosts, credentials, thread count, and output file, and writes harvested credentials to a user-specified output file.
Encryption / Extortion: The Gentlemen operates a double extortion model. Operators provide affiliates with a Go-based encryptor targeting Windows and Linux, and a C-based ESXi variant. Encrypted victim data is threatened with public leakage on the group's dedicated leak site if ransom is not paid. The group offers a 90% affiliate revenue share, lowering the barrier for new affiliates.

Impact
EDR and Antivirus Neutralization: GentleKiller and the associated EDR killer suite are designed to disable security software across a broad set of enterprise endpoint protection platforms before encryption or data exfiltration begins, substantially reducing the defender's ability to detect and respond to the intrusion.
Credential Compromise: OxideHarvest allows systematic harvesting of browser-stored credentials, which may be leveraged for lateral movement, persistence, or further access within the victim environment.
Data Encryption and Exfiltration: Successful intrusions result in encryption of victim data across Windows, Linux, and ESXi environments, combined with data theft and the threat of public disclosure under the double extortion model.
Lateral Movement: Access to a compromised FortiGate perimeter device or credential pool obtained via OxideHarvest may allow affiliates to extend their reach into additional network segments.
Ransomware Deployment at Scale: The operator-managed EDR killer model lowers the operational barrier for Gentlemen affiliates, increasing the potential volume of attacks relative to RaaS models that require affiliates to source their own defense evasion tooling.
Attribution Complexity: The standardized application of defense-evasion techniques across both in-house and third-party tools obscures sample attribution, complicating incident response and threat intelligence correlation when samples are observed in isolation.
Detection Method
Security teams should monitor endpoint, network, and kernel-level telemetry for indicators consistent with BYOVD-class EDR killer activity and Gentlemen intrusion patterns:
Monitor for the loading of known vulnerable or malicious drivers as Windows services, particularly those associated with GentleKiller variants (eb.sys, nseckrnl.sys, GameDriverX64.sys, stpm_old.sys, stpm_new.sys, dmx.sys, 360netmon_wfp.sys, IMFForceDelete (dropped without .sys extension), G11.sys (PoisonX rootkit), googleApiUtil64.sys, ThrottleBlood.sys, and havoc.sys).
Detect the creation of a directory named GentlemenCollection on any endpoint, as this is the consistent staging location for the EDR killer suite across observed intrusions.
Alert on the presence of executables matching GentleKiller naming conventions (Kasp*.exe, FaceIT*.exe, Valorant*.exe, EASolo*.exe, EAAntiCheat*.exe, BitD*.exe, MB*.exe, Deletor.exe, Symantec*.exe, G11*.exe, Avast*.exe, Sent*.exe, Sophos*.exe, and HwAudKiller.exe), particularly where these appear outside expected vendor installation paths.
Monitor for mass process termination events targeting known security product executables, especially where multiple EDR/AV processes are terminated in rapid succession by a non-standard parent process.
Detect use of the Windows DeviceIoControl API from unsigned or low-reputation processes to interact with kernel drivers.
Alert on Windows service creation events that load drivers not present in an approved allowlist, especially drivers with invalid or mismatched digital signatures.
Monitor for the execution of buildx641.exe or any binary named buildx64.exe, which are associated with the OxideHarvest credential stealer.
Review endpoint telemetry for lateral credential authentication attempts using credential sets that deviate from established usage baselines following any suspicious process termination activity.
Correlate SIEM events for BYOVD-pattern driver installation chains: process creation, service creation with driver load, subsequent mass security process termination.
Examine FortiGate access and authentication logs for anomalous access patterns or configuration queries from unrecognized IP addresses, given the group's FortiGate-centric victim selection methodology.
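The correlation logic described in the list above (known abused driver names, the GentlemenCollection staging path, GentleKiller naming conventions, and a service-installed driver load followed by mass termination of security processes), written out as an added Python example that is not part of the original advisory or any vendor product. The event schema, the telemetry records and the security-process list are constructed for the demonstration; in a real deployment they would come from Sysmon or EDR telemetry.

```python
from collections import defaultdict
from fnmatch import fnmatch

# Driver file names and GentleKiller executable naming patterns from the Detection Method list above.
ABUSED_DRIVERS = {"eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys", "stpm_new.sys",
                  "dmx.sys", "360netmon_wfp.sys", "imfforcedelete", "g11.sys",
                  "googleapiutil64.sys", "throttleblood.sys", "havoc.sys"}
KILLER_NAMES = ["kasp*.exe", "faceit*.exe", "valorant*.exe", "easolo*.exe", "eaanticheat*.exe",
                "bitd*.exe", "mb*.exe", "deletor.exe", "symantec*.exe", "g11*.exe",
                "avast*.exe", "sent*.exe", "sophos*.exe", "hwaudkiller.exe"]
# Assumed (hypothetical) subset of security-product process names, sufficient for the demo.
SECURITY_PROCS = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe", "cyserver.exe"}
KILL_THRESHOLD, WINDOW_SECONDS = 3, 60  # distinct security processes killed within the window

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def correlate(events):
    """Alert on a service-installed driver load followed by mass security-process termination."""
    alerts, by_host = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        for load in (e for e in evs if e["type"] == "service_driver_load"):
            reasons = []
            if basename(load["driver"]) in ABUSED_DRIVERS:
                reasons.append("known abused driver")
            if "gentlemencollection" in load["driver"].lower():
                reasons.append("GentlemenCollection staging path")
            if any(fnmatch(basename(load["parent"]), p) for p in KILLER_NAMES):
                reasons.append("GentleKiller naming convention")
            killed = {basename(e["target"]) for e in evs if e["type"] == "process_terminate"
                      and load["ts"] <= e["ts"] <= load["ts"] + WINDOW_SECONDS
                      and basename(e["target"]) in SECURITY_PROCS}
            if len(killed) >= KILL_THRESHOLD:
                reasons.append(f"{len(killed)} security processes killed within {WINDOW_SECONDS}s")
            if len(killed) >= KILL_THRESHOLD or "known abused driver" in reasons:  # benign loads stay silent
                alerts.append({"host": host, "driver": load["driver"], "reasons": reasons})
    return alerts

# Constructed telemetry: a BYOVD chain on HOST-A, a legitimate driver install on HOST-B.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "HOST-A", "type": "service_driver_load", "parent": r"C:\Users\Public\GentlemenCollection\BitD1.exe", "driver": r"C:\Users\Public\GentlemenCollection\dmx.sys"},
    {"ts": 105, "host": "HOST-A", "type": "process_terminate", "target": "MsMpEng.exe"},
    {"ts": 106, "host": "HOST-A", "type": "process_terminate", "target": "CSFalconService.exe"},
    {"ts": 107, "host": "HOST-A", "type": "process_terminate", "target": "SentinelAgent.exe"},
    {"ts": 200, "host": "HOST-B", "type": "service_driver_load", "parent": r"C:\Program Files\Vendor\setup.exe", "driver": r"C:\Windows\System32\drivers\vendor_ok.sys"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single alert for HOST-A carrying all four reasons, while the vendor install on HOST-B produces nothing because neither the driver name nor a follow-on kill burst matches.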
Indicators of Compromise
| Type | Indicator | Description |
| --- | --- | --- |
| File Hash (SHA-1) | 8ae6bd18b129061f63642531f1b684cf0383c75d | Kasps.exe - GentleKiller - Kaspersky variant executable |
| File Hash (SHA-1) | ba914fe77b177b45799403b16dd14765c510a074 | eb.sys - Rootkit driver abused by GentleKiller Kaspersky variant |
| File Hash (SHA-1) | d605994fc72a2bb59b5cfb1624a1b9170eca73a2 | FaceIT1.exe - GentleKiller - FACEIT Anti-Cheat variant executable (Enigma-protected) |
| File Hash (SHA-1) | b0b912a3fd1c05d72080848ec4c92880004021a1 | nseckrnl.sys - NSecsoft NSecKrnl driver abused by GentleKiller FACEIT Anti-Cheat variant |
| File Hash (SHA-1) | 5aa3124e5c4921e5edfc60133b5d71da21b07da3 | Valorant2.exe - GentleKiller - Valorant variant executable (Themida-protected) |
| File Hash (SHA-1) | 7556ae58c215b8245a43f764f0676c7a8f0fdd1a | vgk.sys - Tower of Fantasy AntiCheat driver abused by GentleKiller Valorant variant |
| File Hash (SHA-1) | 331879f5eec8892bbd896f90bdbb1bad0bf63bd6 | EASolo2Light.exe - GentleKiller - Javelin variant executable (Safetica newer driver) |
| File Hash (SHA-1) | f11aebccb9a86a7e2e653f90baec697f233c255f | EASOLO1clear.exe - GentleKiller - Javelin variant executable (Safetica older driver) |
| File Hash (SHA-1) | ef9cd06683159397f099caa244e94e6eaad96eba | EAAntiCheatLight.exe - GentleKiller - Javelin variant executable (both Safetica drivers) |
| File Hash (SHA-1) | 711ef221526997039e804a18db9647c91680bbe2 | stpm_old.sys - Safetica Process Monitor Driver (older) abused by GentleKiller Javelin variant |
| File Hash (SHA-1) | 68fec379f2ae76c3d2ce913f7be650cea1d06990 | stpm_new.sys - Safetica Process Monitor Driver (newer) abused by GentleKiller Javelin variant |
| File Hash (SHA-1) | a11ee9cdc59e5caa59aefd27b30d104f3ad68e62 | BitD1.exe - GentleKiller - WatchDog variant executable (Themida-protected) |
| File Hash (SHA-1) | 96f0dbf52aed0afd43e44500116b04b674f7358e | dmx.sys - Zemana WatchDog Antimalware Driver abused by GentleKiller WatchDog variant |
| File Hash (SHA-1) | 2f86898528c6cab3540c486a9bfaa0c029b73950 | MB2.exe - GentleKiller - Network Blocker variant executable (Themida-protected) |
| File Hash (SHA-1) | 9ad51ad97c01e97ab59214116740785e0f6320a8 | 360netmon_wfp.sys - Qihoo 360 driver abused by GentleKiller Network Blocker variant |
| File Hash (SHA-1) | a19117175dbc9ba4d23b5dce8415e299a2e32192 | Deletor.exe - GentleKiller - Cleaner variant executable |
| File Hash (SHA-1) | 12500f6c87ce62712a0ed6652c57468d15c14223 | IMFForceDelete - IObit IMF ForceDelete filter driver abused by GentleKiller Cleaner variant (deployed without .sys extension) |
| File Hash (SHA-1) | d29670e684e40ddc89b47010c37cbc96737035b6 | Symantec.exe - GentleKiller - G11 variant executable |
| File Hash (SHA-1) | 56bee9df5833a637f5c54d5911df98b0812fe643 | G11.sys - PoisonX rootkit abused by GentleKiller G11 variant |
| File Hash (SHA-1) | cf4d74df17a91b4a36a2911b22afec5d8fa93a01 | Avast.exe - HexKiller EDR killer executable |
| File Hash (SHA-1) | ec296f9501ad71e430810cb5cdc38d954d4ba536 | googleApiUtil64.sys - Baidu Antivirus BdApi driver abused by HexKiller |
| File Hash (SHA-1) | 7131b377e96016dc1911020c9f95b1b4d042d7b4 | Sent.exe - ThrottleBlood EDR killer executable |
| File Hash (SHA-1) | 82ed942a52cdcf120a8919730e00ba37619661a3 | ThrottleBlood.sys - TechPowerUp LLC driver abused by ThrottleBlood |
| File Hash (SHA-1) | f0537cbb773ae12100b36731e7c39f5a9d852b14 | Sophos.exe - HavocKiller EDR killer executable |
| File Hash (SHA-1) | 1fa071303fb846308571e64727501fb98b1c2be6 | havoc.sys - Huawei Audio driver abused by HavocKiller |
| File Hash (SHA-1) | a5cf917ec4a7dfbdfa43621398604805d860c718 | buildx641.exe - OxideHarvest credential stealer |
| File Hash (SHA-1) | d4b19141102015d436321e6f26976e98183cfd27 | buildx64.exe - OxideHarvest credential stealer |

Recommendations
Enable and enforce EDR tamper protection on all endpoints. Most enterprise EDR platforms support tamper-protection modes that require protected processes to be stopped only through authenticated vendor console actions. This is the primary control against BYOVD-class EDR killers.
Implement a kernel driver allowlist. Use Windows Defender Application Control (WDAC) or a comparable policy to restrict which drivers may load, preventing the installation of vulnerable or malicious drivers as Windows services.
Audit and restrict administrative privileges. BYOVD attacks require administrative or SYSTEM-level access to load drivers as services. Apply the principle of least privilege and enforce just-in-time access for administrative accounts.
Monitor for and block known vulnerable drivers. Cross-reference the Microsoft Vulnerable Driver Blocklist and supplement it with the driver names listed in the Detection Method and Indicators of Compromise sections above. Consider deploying blocklist policies via WDAC or equivalent.
Harden FortiGate perimeter devices. Given the group's targeting methodology based on FortiGate endpoint configuration, ensure all FortiGate devices are running current firmware, have management interfaces restricted to trusted IP ranges, and are not exposed to the internet. Review authentication and access logs for anomalous activity.
Rotate and audit credentials stored in browser profiles across all endpoints, particularly on systems with elevated network access. Consider deploying credential manager policies that discourage browser-based credential storage for privileged accounts.
Block and alert on the staging directory name GentlemenCollection at the endpoint and file integrity monitoring layer.
Deploy SIEM detection rules for the BYOVD driver installation pattern: service creation events with non-allowlisted drivers followed by mass security process terminations.
Validate EDR coverage by conducting adversary simulation or red team exercises targeting BYOVD and process-kill techniques to verify that tamper protection is functioning as expected and that detection logic is tuned for this threat class.
Conclusion
The Gentlemen RaaS represents a meaningful evolution in ransomware operational tradecraft. By centralizing EDR killer development and distribution rather than delegating this responsibility to individual affiliates, the group systematically lowers the technical barrier to successful ransomware deployment while increasing the consistency and effectiveness of its defense-evasion capability. GentleKiller's modular architecture, combined with the group's demonstrated ability to operationalize newly disclosed BYOVD proof-of-concept exploits within days, indicates that the toolset will continue to expand. Organizations that rely primarily on EDR for endpoint defense without layered controls such as tamper protection enforcement, kernel driver allowlisting, and privileged access restrictions face materially elevated risk from this threat actor. Immediate focus should be placed on EDR hardening and FortiGate perimeter security.
References
https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/
https://www.eset.com/us/about/newsroom/research/eset-research-gentlemen-ransomware-gang-edr-killers/
https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/
https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/
https://thehackernews.com/2026/06/the-gentlemen-raas-uses-gentlekiller.html