Cyber Web Spider Blog – News
Gentlemen RaaS Targets Security with EDR Framework

Posted on June 19, 2026 By CWS

The Gentlemen ransomware-as-a-service (RaaS) operation is actively advancing a range of tools designed to undermine endpoint detection and response (EDR) systems. These tools are distributed to affiliates to weaken system defenses before the ransomware is activated.

GentleKiller Framework: A Core Component

At the heart of this operation is the GentleKiller framework, a sophisticated suite of EDR-disabling tools. According to ESET security researcher Jakub Souček, GentleKiller incorporates both proprietary and third-party elements such as HexKiller, ThrottleBlood, and HavocKiller. These tools employ a shared defense-evasion strategy by mimicking legitimate security vendors through forged version information and duplicated certificates.

The Gentlemen group has been noted for its rapid adaptation to new security vulnerabilities, often integrating proof-of-concept (PoC) exploits related to the bring your own vulnerable driver (BYOVD) technique shortly after their release. Since its emergence in March 2025, the group has become a prominent player in the ransomware landscape, with 504 reported victims predominantly in Southeast Asia, South America, and Western Europe.

Technical Agility and Adaptation

Recent investigations, including reports by Brian Krebs and PRODAFT, identify Alexander Andreevich Yapaev as the leader of The Gentlemen. Known for his past affiliations with other ransomware operations, Yapaev is recognized for steering a technically adept group that employs advanced techniques to bypass EDR detection. This includes using Enigma or Themida for binary protection and adopting file names that mimic those of reputable cybersecurity vendors.

GentleKiller is particularly notable for its eight variants, each imitating a different legitimate product and exploiting a different vulnerable driver. The abused drivers include those of well-known vendors such as Kaspersky and FACEIT Anti-Cheat, among others. A recent attack using “PoisonX.sys” was highlighted for its role in disabling CrowdStrike Falcon EDR, showcasing the group’s ability to execute complex BYOVD attacks.
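The vendor-mimicry trick described above (forged version information naming a security vendor, paired with a certificate that does not belong to that vendor) is something a defender can sweep for. The following is an added example, not code from the article, ESET, or any of the tools named; the vendor keyword list, the driver directory and the mismatch heuristic are assumptions to adapt to your own estate.

```powershell
# Added example: flag drivers whose embedded version resources claim a security vendor
# that is not named in the Authenticode signer, or whose signature does not validate.
# Assumption: this keyword list is illustrative; extend it with the vendors you deploy.
$VendorKeywords = @('Kaspersky', 'CrowdStrike', 'FACEIT', 'ESET', 'Sophos', 'SentinelOne')

function Test-DriverVendorMismatch {
    param([Parameter(Mandatory)][string]$Path)

    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    # Text an attacker controls freely: the PE version resource strings.
    $claimed = "$($info.CompanyName) $($info.ProductName) $($info.FileDescription)"
    # Text bound to a private key: the subject of the signing certificate (if any).
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $findings = @()
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status $($sig.Status)"
    }
    foreach ($kw in $VendorKeywords) {
        # Version info names a vendor, but the signer certificate does not mention it.
        if ($claimed -match [regex]::Escape($kw) -and $signer -notmatch [regex]::Escape($kw)) {
            $findings += "version info claims '$kw' but signer is '$signer'"
        }
    }
    [pscustomobject]@{
        Path     = $Path
        SHA256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Company  = $info.CompanyName
        Signer   = $signer
        Findings = $findings -join '; '
    }
}

# Sweep the driver store and report only files that produced a finding.
Get-ChildItem -LiteralPath "$env:SystemRoot\System32\drivers" -Filter *.sys -File |
    ForEach-Object { Test-DriverVendorMismatch -Path $_.FullName } |
    Where-Object { $_.Findings } |
    Format-Table Path, Company, Signer, Findings -AutoSize
```

A legitimately signed but vulnerable driver passes this heuristic, so the emitted SHA256 should additionally be compared against a maintained vulnerable-driver blocklist and enforced through the Windows driver block rules.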

Centralized EDR-Killer Suite

Unlike many ransomware gangs that rely on affiliates for EDR disabling, Gentlemen centralizes this function by providing affiliates with a ready-to-use EDR-killer suite. This strategic decision reduces entry barriers for affiliates, making the operation more accessible and efficient.

In addition to their EDR-disabling capabilities, ESET detected a Rust-based credential stealer named OxideHarvest. This tool is capable of extracting data from major web browsers, further enhancing the group’s offensive capabilities.

The CERT Coordination Center (CERT/CC) has issued warnings about vulnerabilities in multiple vendor-signed UEFI applications, which could be exploited using BYOVD tactics. ESET researcher Martin Smolár has been credited with identifying these vulnerabilities. To mitigate risks, system administrators are advised to update the UEFI Forbidden Signature Database (DBX) to block these vulnerable applications.

The Gentlemen RaaS operation exemplifies the evolving threat landscape in cybersecurity, highlighting the need for advanced defensive measures and proactive vulnerability management.

Source: The Hacker News

Tags: BYOVD, CERT/CC, cyber attacks, Cybersecurity, data security, EDR framework, ESET, Gentlemen RaaS, PoisonX.sys, Ransomware, security tools

Copyright © 2026 Cyber Web Spider Blog – News.