PROBABLYPWNED
Malware | June 19, 2026 | 4 min read

Gentlemen Ransomware Runs Its Own EDR Killer Factory

ESET unmasks GentleKiller, an 8-variant EDR killer framework targeting 400+ security processes. The gang ships updates to affiliates like a software vendor.

James Rivera

Most ransomware gangs buy or borrow their EDR-killing tools. The Gentlemen built their own—and they run it like a product team.

ESET Research published a deep analysis on June 18 documenting GentleKiller, a modular framework the gang maintains in-house and distributes to affiliates. The tool has appeared in at least eight distinct variants, each designed to impersonate legitimate software while deploying different vulnerable drivers to kill security processes at the kernel level.

The operation has claimed 478 victims as of mid-June, according to Ransomware.Live. What makes them notable is not the body count—they ranked second among RaaS groups in Q1 2026—but the industrialized approach to defense evasion that ESET's research exposes.

GentleKiller: Eight Variants, One Framework

The GentleKiller framework exemplifies modern ransomware operations that prioritize reliability over novelty. Each variant impersonates a different piece of legitimate software—Kaspersky antivirus, the game Valorant, enterprise tools like Javelin and WatchDog—while loading a different vulnerable driver to gain kernel access.

Variant Name    | Impersonated Software | Vulnerable Driver
----------------|-----------------------|------------------
Kaspersky       | Kaspersky Antivirus   | eb.sys
FACEIT          | Anti-Cheat            | nseckrnl.sys
Valorant        | Valorant Game         | GameDriverX64.sys
Javelin         | Enterprise Tools      | tpm_old.sys
WatchDog        | Zemana                | dmx.sys
Network Blocker | Qihoo 360             | 360netmon_wfp.sys
Cleaner         | IObit                 | IMFForceDelete
G11             | Custom                | PoisonX

The framework targets over 400 processes across 48 security vendors, including Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Trend Micro, ESET, Bitdefender, McAfee, and Kaspersky itself.

ESET found that all variants share common strings, identical obfuscation techniques, and similar process-killing logic. The architecture lets operators swap in newly disclosed vulnerable drivers without major code changes: ESET observed the gang weaponizing public bring-your-own-vulnerable-driver (BYOVD) proof-of-concept exploits within days of disclosure.

Third-Party Tools Integrated Into the Suite

Beyond GentleKiller, The Gentlemen integrate three external EDR killers into their affiliate toolkit:

HexKiller — Previously linked to the Warlock gang, this tool uses the googleApiUtil64.sys driver from Baidu Antivirus to achieve kernel access.

ThrottleBlood — Connected to MedusaLocker and DragonForce operations, it exploits CVE-2025-7771 in a driver derived from ThrottleStop.sys to terminate protected security processes.

HavocKiller — Deployed operationally by Gentlemen affiliates on January 23, 2026—nearly two months before Huntress publicly disclosed the technique in March. This timeline indicates either early access to the vulnerability or independent discovery.

We've seen this BYOVD pattern across the ransomware ecosystem. Groups like CrazyHunter and Reynolds have embedded similar driver-based EDR killers directly into their payloads. The Gentlemen's approach stands out because they maintain the tooling centrally and push updates to affiliates.

The Attack Chain

The Gentlemen's typical intrusion flow follows a predictable pattern once initial access is established:

  1. Affiliate gains access, often through misconfigured FortiGate appliances or stolen credentials
  2. Lateral movement using standard tools (SystemBC proxy, Cobalt Strike)
  3. EDR killer deployment to blind defenders
  4. Group Policy manipulation to push ransomware domain-wide via NETLOGON shares
  5. Encryption and data exfiltration for double extortion

The group also deploys OxideHarvest, a Rust-based credential stealer that ESET believes was developed externally given its different coding style.

Attribution and Leadership

On June 10, journalist Brian Krebs published evidence linking The Gentlemen's administrator—known by the handles "zeta88" and "hastalamuerte"—to Alexander Andreevich Yapaev of Izhevsk, Russia.

When The Gentlemen's own backend was breached in May through a compromise at bulletproof host 4VPS, leaked chat logs confirmed the operation centers on approximately nine named operators. Affiliates receive a 90/10 revenue split—more generous than the industry-standard 80/20—which helps attract experienced operators from rival programs.

Earlier research into a SystemBC C2 server used by Gentlemen affiliates revealed over 1,570 compromised corporate networks that never appeared on public victim lists.

Protection and Detection

Most GentleKiller binaries are packed with the commercial protectors Enigma and Themida and carry stolen code-signing certificates; the signatures no longer validate, but they still help the samples pass casual inspection. ESET detects the EDR killer variants under names such as Win64/KillAV.EA.

Organizations running endpoint protection should ensure:

  • Driver blocklists include known BYOVD targets: enforce Microsoft's vulnerable driver blocklist (through HVCI or a WDAC policy) and extend it with the drivers named in ESET's report rather than waiting for the next blocklist update
  • Kernel-mode driver loads are logged and alerted on (Sysmon Event ID 6 or the equivalent EDR telemetry), with particular attention to drivers loaded from outside System32\drivers and drivers whose signatures do not validate
  • Application control policies restrict unauthorized driver installation
  • EDR agents have tamper protection enabled, so a killer has to go through the kernel rather than simply stopping the agent service
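The driver-load monitoring above can be reduced to a small hunt over driver-load telemetry. The following is an added example written for this article, not code from ESET or from the gang's tooling: it parses constructed Sysmon Event ID 6 style records (Key=Value fields separated by "|", a format chosen here for readability, not Sysmon's real XML) and flags a load when the driver file name appears in the table above, when the signature status is anything but Valid, or when the driver is loaded from outside the standard driver directories. The expected-directory rule and all sample records are assumptions of the example; the driver names are the ones the article lists.

```python
"""Flag suspicious kernel driver loads in Sysmon-style Event ID 6 records.

Added example for this article. The driver names come from the GentleKiller
table and the HexKiller entry above; every event record below is constructed
for illustration and is not real telemetry.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Driver file stems named in the article (GentleKiller variants plus HexKiller).
# Matched case-insensitively on the stem because the table lists IMFForceDelete
# and PoisonX without an extension.
KNOWN_BYOVD_DRIVERS = {
    "eb", "nseckrnl", "gamedriverx64", "tpm_old", "dmx", "360netmon_wfp",
    "imfforcedelete", "poisonx", "googleapiutil64",
}

# Directories a properly installed driver is normally loaded from. Treating
# anything else (ProgramData, user profiles, temp) as suspicious is an
# assumption of this example, not a claim the article makes.
EXPECTED_DRIVER_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\drivers"),
    PureWindowsPath(r"C:\Windows\System32\DriverStore"),
)


@dataclass
class DriverLoad:
    utc_time: str
    image: str
    signature: str
    signature_status: str
    reasons: list[str] = field(default_factory=list)


def parse_event(line: str) -> DriverLoad:
    """Parse one constructed 'Key=Value|Key=Value' driver-load record."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return DriverLoad(
        utc_time=fields.get("UtcTime", ""),
        image=fields.get("ImageLoaded", ""),
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def is_under(path: PureWindowsPath, directory: PureWindowsPath) -> bool:
    """True when the file's parent directory is the given directory or below it."""
    parent = [p.lower() for p in path.parent.parts]
    wanted = [p.lower() for p in directory.parts]
    return parent[: len(wanted)] == wanted


def assess(load: DriverLoad) -> DriverLoad:
    """Attach a reason for every rule the driver load trips."""
    path = PureWindowsPath(load.image)
    if path.stem.lower() in KNOWN_BYOVD_DRIVERS:
        # A valid signature does not help here: BYOVD drivers are legitimately
        # signed, which is exactly why blocklists matter.
        load.reasons.append(f"known BYOVD driver: {path.name}")
    if load.signature_status.lower() != "valid":
        load.reasons.append(
            f"signature status {load.signature_status or 'missing'}"
        )
    if not any(is_under(path, d) for d in EXPECTED_DRIVER_DIRS):
        load.reasons.append(f"loaded from non-standard path: {path.parent}")
    return load


def hunt(lines) -> list[DriverLoad]:
    """Return the driver loads that tripped at least one rule, in input order."""
    loads = (assess(parse_event(line)) for line in lines if line.strip())
    return [load for load in loads if load.reasons]


# Constructed records: one benign Microsoft driver, a GentleKiller driver dropped
# under ProgramData with a broken signature, a GentleKiller driver with a clean
# signature in the normal location, and an unknown unsigned driver from a user dir.
SAMPLE_EVENTS = """\
UtcTime=2026-06-18 09:12:01.100|ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys|Signature=Microsoft Windows|SignatureStatus=Valid
UtcTime=2026-06-18 09:12:05.233|ImageLoaded=C:\\ProgramData\\AVUpdate\\eb.sys|Signature=Example AV Vendor|SignatureStatus=Invalid
UtcTime=2026-06-18 09:13:40.010|ImageLoaded=C:\\Windows\\System32\\drivers\\GameDriverX64.sys|Signature=Example Game Vendor|SignatureStatus=Valid
UtcTime=2026-06-18 09:14:02.771|ImageLoaded=C:\\Users\\Public\\svc\\updater.sys|Signature=|SignatureStatus=Unavailable
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS.splitlines()):
        print(hit.utc_time, hit.image)
        for reason in hit.reasons:
            print("   -", reason)
```

The third sample record is the one worth noticing: GameDriverX64.sys loads from the right directory with a valid signature and trips only the name rule, which is why a name-based blocklist has to run alongside signature checks rather than instead of them.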

The broader trend is clear: EDR killers are now standard equipment in ransomware operations. Help Net Security reported in March that ESET tracks nearly 90 EDR killers actively used in the wild. Defenders who rely solely on endpoint detection face an adversary class that systematically works to blind them before striking.

ESET's full technical analysis, including sample hashes and detection signatures, is available from ESET Research.
