An analysis of the Gentlemen ransomware-as-a-service (RaaS) operation has revealed a sophisticated, centralized approach to neutralizing endpoint detection and response (EDR) solutions.
This unified defense evasion framework sets the group apart in an increasingly crowded ransomware landscape, significantly lowering the technical barrier for affiliates and driving the gang into the top five most active operations of Q1 2026.
Emerging in late 2025, Gentlemen quickly attracted a formidable network of affiliates by offering a lucrative 90% revenue share. Threat intelligence from Group-IB attributes the gang’s founding to hastalamuerte, a former Qilin affiliate with deep ties to established ransomware syndicates.
PRODAFT researchers have linked the operation to LockBit, Embargo, Medusa, and BlackLock, highlighting a seasoned threat actor whose real-world identity was recently exposed by Brian Krebs on June 10, 2026.
Unlike premier ransomware operations that primarily hunt U.S. enterprises, Gentlemen exhibits a globally distributed victimology. Intrusions heavily target organizations across Southeast Asia, South America, and Western Europe, with confirmed victims in Thailand, Brazil, and France.
Internal data leaks indicate this distribution is technically driven rather than geographic, as operators specifically scan for and weaponize FortiGate misconfigurations.
Upon securing access, the group executes a double-extortion playbook using a Go-based encryptor for Windows and Linux environments, along with a specialized C-written ESXi variant.
EDR Killer Unifies HexKiller, ThrottleBlood, and HavocKiller
The core of Gentlemen’s operational success relies on GentleKiller, an internally developed EDR-disabling framework that ESET first documented in February 2026.
Security researchers have identified at least eight distinct variants of the tool. Each iteration abuses a different vulnerable or malicious driver while maintaining a standardized development template that includes recurring internal strings, periodic process-termination loops, and uniform code obfuscation.
GentleKiller is highly aggressive, engineered to terminate over 400 processes associated with 48 distinct security products, including enterprise solutions from CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Kaspersky, and ESET.
A defining characteristic of the Gentlemen operation is its rapid weaponization cycle. Operators routinely integrate newly disclosed Bring Your Own Vulnerable Driver (BYOVD) proof-of-concept exploits, such as UnknownKiller and PoisonKiller, often within days of their public release.
ESET researchers stated that, beyond the proprietary GentleKiller framework, the overarching suite stages three externally sourced EDR killers within the GentlemenCollection directory. These tools are integrated via a standardized defense evasion layer:
- HexKiller abuses the Baidu Antivirus BdApi driver, a tool previously associated exclusively with the Warlock gang, though researchers do not view this as evidence of direct operational collaboration.
- ThrottleBlood leverages a driver digitally signed by TechPowerUp LLC, previously observed in MedusaLocker and DragonForce intrusions, suggesting distribution through underground markets.
- HavocKiller abuses a Huawei Audio driver (havoc.sys), which Huntress publicly disclosed in March 2026, though ESET telemetry confirms Gentlemen utilized it in live intrusions as early as January 23, 2026.
To maximize operational security, Gentlemen applies a unified evasion strategy across its entire arsenal. Operators utilize Enigma or Themida binary packers, forge version metadata, duplicate invalid digital signatures, and spoof vendor-impersonating icons post-compilation.
Additionally, researchers have observed affiliated actors expanding their intrusion capabilities. An affiliate known as quant successfully integrated OxideHarvest, a Rust-based credential stealer targeting Chromium and Gecko browsers, deploying it operationally under the filename buildx641.exe.
Defending against the Gentlemen RaaS requires a shift from static indicators to behavioral analysis. Security teams must prioritize building detection strategies around BYOVD driver abuse, anomalous process-termination loops, and vendor impersonation to withstand the group’s rapidly adapting toolkit.
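As an added example (not code from ESET, Group-IB, PRODAFT or the Gentlemen toolset), the Python sketch below implements the two behavioural checks the article points to: a driver loaded from an unusual location followed by a process-termination loop against security products, and a binary whose name or version metadata impersonates a security vendor while its signature does not verify. The telemetry field names (event, ts, actor, image, company, sig_status, driver, target), the C:\Temp paths and the process-name list are constructed assumptions, not any real EDR or Sysmon schema.

```python
from datetime import datetime, timedelta

# Vendors the article names as GentleKiller targets; also used for impersonation checks.
VENDORS = ("crowdstrike", "sentinelone", "defender", "sophos", "kaspersky", "eset")
# Constructed sample of security-product process names (the real kill list has 400+).
SECURITY_PROCS = {"csfalconservice.exe", "sentinelagent.exe", "msmpeng.exe",
                  "sophossafestore.exe", "avp.exe", "ekrn.exe"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def find_kill_loops(events, window_s=120, min_kills=5):
    """BYOVD pattern: a driver loaded from outside the system driver directory,
    then a burst of security-product terminations by the same actor in window_s."""
    alerts = []
    for ld in (e for e in events if e["event"] == "driver_load"):
        if ld["driver"].lower().startswith(DRIVER_DIR):
            continue  # normal location; BYOVD tools drop their driver in temp/user paths
        t0 = _ts(ld)
        kills = [e for e in events if e["event"] == "process_terminate"
                 and e["actor"] == ld["actor"] and e["target"].lower() in SECURITY_PROCS
                 and t0 <= _ts(e) <= t0 + timedelta(seconds=window_s)]
        if len(kills) >= min_kills:
            alerts.append({"rule": "byovd_kill_loop", "actor": ld["actor"],
                           "driver": ld["driver"], "kills": len(kills)})
    return alerts

def find_vendor_impersonation(events):
    """Evasion-layer pattern: file name or version 'company' field claims a
    security vendor while the Authenticode signature does not verify."""
    alerts = []
    for e in (e for e in events if e["event"] == "process_create"):
        label = (e["image"].rsplit("\\", 1)[-1] + " " + e.get("company", "")).lower()
        if any(v in label for v in VENDORS) and e.get("sig_status") != "valid":
            alerts.append({"rule": "vendor_impersonation", "image": e["image"],
                           "sig_status": e.get("sig_status", "unsigned")})
    return alerts

# Constructed telemetry: a benign driver load, then a look-alike binary (constructed
# path) that loads a driver from C:\Temp and loops over security-product processes.
SAMPLE_EVENTS = [
    {"event": "driver_load", "ts": "2026-01-23T02:13:00", "actor": "System",
     "driver": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"event": "process_create", "ts": "2026-01-23T02:14:00", "image": "C:\\Temp\\Sophos.exe",
     "company": "Sophos Limited", "sig_status": "invalid"},
    {"event": "driver_load", "ts": "2026-01-23T02:14:05", "actor": "C:\\Temp\\Sophos.exe",
     "driver": "C:\\Temp\\havoc.sys"},
] + [{"event": "process_terminate", "ts": f"2026-01-23T02:14:{10 + 5 * i:02d}",
      "actor": "C:\\Temp\\Sophos.exe", "target": p} for i, p in enumerate(sorted(SECURITY_PROCS))]
```

The driver check deliberately keys on load location rather than signature validity, because a BYOVD driver carries a legitimate vendor signature; in production the allowlist and kill-list would come from your EDR's inventory, not a hard-coded set.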
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 8AE6BD18B129061F63642531F1B684CF0383C75D | Kasps.exe | Win64/KillAV.EA | GentleKiller (Kaspersky variant) — primary in-house EDR killer |
| BA914FE77B177B45799403B16DD14765C510A074 | eb.sys | Win64/Agent.ITG | Custom rootkit used by the Kaspersky variant of GentleKiller |
| 56BEE9DF5833A637F5C54D5911DF98B0812FE643 | G11.sys | Win64/Agent.IYQ | PoisonX rootkit used by GentleKiller G11 variant |
| CF4D74DF17A91B4A36A2911B22AFEC5D8FA93A01 | Avast.exe | Win32/KillAV.NVL | HexKiller with Gentlemen’s evasion layer applied |
| 7131B377E96016DC1911020C9F95B1B4D042D7B4 | Sent.exe | Win64/KillAV.AT | ThrottleBlood with Gentlemen’s evasion layer applied |
| F0537CBB773AE12100B36731E7C39F5A9D852B14 | Sophos.exe | Win64/KillAV.DE | HavocKiller with Gentlemen’s evasion layer applied |
| A5CF917EC4A7DFBDFA43621398604805D860C718 | buildx641.exe | Win64/Spy.Agent.AGC | OxideHarvest credential stealer linked to Gentlemen affiliate quant |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.