
GentleKiller Malware Framework

The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a comprehensive suite of endpoint detection and response (EDR) killing tools that affiliates can use to disable security protections before deploying ransomware encryptors.

At the center of this arsenal is a framework known as GentleKiller, supported by several third-party and leaked tools, including HexKiller, ThrottleBlood, and HavocKiller. These utilities are unified through a common defense-evasion framework that disguises them as legitimate security products by using fake version information, copied digital certificates, and cloned application icons.

Rapid Exploitation of Newly Disclosed Vulnerabilities

One of the group's most notable capabilities is its ability to rapidly operationalize newly published proof-of-concept (PoC) exploits associated with the Bring Your Own Vulnerable Driver (BYOVD) technique. In many cases, newly disclosed exploits are integrated into the group's toolkit within only a few days of becoming publicly available.

This streamlined development approach provides affiliates with highly effective tools while reducing development requirements for the operators themselves. The model also enables the group to continuously refresh its arsenal by incorporating newly abused drivers almost immediately after public disclosure.

A Rapid Rise in the Ransomware Ecosystem

Since emerging in March 2025, The Gentlemen has quickly become one of the most active ransomware groups worldwide. The operation has claimed responsibility for 504 victims, with the majority of targets located across Southeast Asia, South America, and Western Europe.

Recent investigations have identified Alexander Andreevich Yapaev, a 36-year-old Russian national known online as 'hastalamuerte,' as the leader of the operation. Before launching The Gentlemen, he reportedly worked as an affiliate for several other ransomware programs, including Qilin.

Advanced EDR Evasion Through Impersonation and Binary Protection

The Gentlemen is considered one of the most technically agile RaaS operations currently active. Its developers employ multiple techniques to ensure that compiled EDR killers evade detection, including binary protection mechanisms and the use of filenames designed to resemble those of well-known cybersecurity vendors. The deception extends to forged version information, digital signatures, and application icons.

The most widely used tool in the arsenal, GentleKiller, exists in eight distinct variants. Each version imitates a different legitimate security product and abuses a separate vulnerable or malicious driver as part of a BYOVD attack chain. The framework is capable of identifying and targeting approximately 400 processes associated with 48 different security solutions from numerous vendors.

The Growing Abuse of Vulnerable Drivers

Recent months have seen increased abuse of the driver PoisonX.sys in multiple BYOVD campaigns. In one incident, the driver was used to terminate the CrowdStrike Falcon EDR platform. Another campaign involved attackers exploiting BeyondTrust Remote Support to deploy ransomware within a victim network after first disabling security products through PoisonX.sys and hrwfpdrv.sys.

Setting aside differences in branding and driver selection, the underlying code of these EDR killers shows significant structural and behavioral similarities, strongly indicating a shared development template.

Third-Party EDR Killers Integrated into the Arsenal

The Gentlemen's toolkit incorporates several external BYOVD-based EDR killers:

  • HexKiller (googleApiUtil64.sys), previously believed to be exclusive to the Warlock ransomware group.
  • ThrottleBlood (ThrottleBlood.sys), observed in attacks linked to MedusaLocker and DragonForce affiliates.
  • HavocKiller, also known as HwAudKiller (havoc.sys).
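As a defender's counterpart to the driver names listed above and in the PoisonX.sys section, the following Python is an added example, not code from this page, from the research it summarizes, or from any vendor. It hunts Sysmon DriverLoad (Event ID 6) records for three BYOVD signals: a driver file name the page associates with these EDR killers, a signature that is present but fails validation (what a certificate copied from another binary produces, since the signature no longer covers this file's hash), and a driver loaded from a user-writable directory. The sample records are constructed, their flattening into '|'-separated key=value lines is an assumed export format for Sysmon's ImageLoaded, Signed, Signature and SignatureStatus fields, and the suspicious-directory list is an assumption chosen for the example.

```python
"""Hunt Sysmon DriverLoad (Event ID 6) records for BYOVD indicators.

Added example for this page, not code from the research it summarizes or
from any vendor. The records below are constructed and flattened into
'|'-separated key=value lines standing in for the Sysmon fields
ImageLoaded, Signed, Signature and SignatureStatus (an assumption about
how the events were exported). Hash matching is omitted because the page
provides no hashes.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Driver file names the page associates with The Gentlemen's EDR killers.
ABUSED_DRIVERS = {
    "poisonx.sys", "hrwfpdrv.sys",  # BYOVD campaigns against EDR
    "googleapiutil64.sys",          # HexKiller
    "throttleblood.sys",            # ThrottleBlood
    "havoc.sys",                    # HavocKiller / HwAudKiller
}

# Path components under which a legitimate kernel driver is rarely staged
# (assumption chosen for this example, not from the page).
SUSPICIOUS_DIRS = {"users", "programdata", "temp"}

# Constructed sample events; vendor names are placeholders.
SAMPLE_EVENTS = """\
ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
ImageLoaded=C:\\ProgramData\\svc\\PoisonX.sys|Signed=true|Signature=Example Vendor Ltd|SignatureStatus=Valid
ImageLoaded=C:\\Users\\Public\\ThrottleBlood.sys|Signed=true|Signature=Example AV Corp|SignatureStatus=Invalid
ImageLoaded=C:\\Windows\\Temp\\upd.sys|Signed=false|Signature=-|SignatureStatus=Unsigned
ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
"""


@dataclass
class Finding:
    image: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Split one flattened record into a dict of Sysmon field names to values."""
    fields = {}
    for kv in line.split("|"):
        key, _, value = kv.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess(ev):
    """Return the list of reasons a DriverLoad record looks like BYOVD staging."""
    path = PureWindowsPath(ev.get("ImageLoaded", ""))
    reasons = []
    if path.name.lower() in ABUSED_DRIVERS:
        reasons.append("known-abused-driver")
    signed = ev.get("Signed", "").lower() == "true"
    status = ev.get("SignatureStatus", "").lower()
    if not signed:
        reasons.append("unsigned-driver")
    elif status != "valid":
        # A certificate copied from another binary is present but does not
        # verify over this file's hash, so Sysmon reports it as not Valid.
        reasons.append(f"signature-{status}")
    if {p.lower() for p in path.parts} & SUSPICIOUS_DIRS:
        reasons.append("user-writable-path")
    return reasons


def hunt(text):
    """Run assess() over every non-empty record and keep those with findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            findings.append(Finding(ev.get("ImageLoaded", ""), reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.image}: {', '.join(f.reasons)}")
```

Note the caveat the signature check cannot cover: a genuinely vulnerable driver that was signed by its real vendor loads with SignatureStatus=Valid, so the name match (and, in production, a hash match against a vulnerable-driver blocklist such as Microsoft's or LOLDrivers) is what catches it; the invalid-signature rule only flags the copied-certificate disguise the page describes.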

OxideHarvest Expands the Threat Beyond Ransomware

Researchers have also identified a Rust-based credential-stealing malware named OxideHarvest, also known as buildx641. The stealer is capable of harvesting sensitive information from numerous popular browsers, including:

Google Chrome, Microsoft Edge, Torch, Comodo, Epic Privacy Browser, Vivaldi, Brave, Opera, OperaGX, Mozilla Firefox, Waterfox, BlackHawk, and IceCat.

A Centralized Model That Attracts Affiliates

While many ransomware groups leave EDR bypass operations to their affiliates, The Gentlemen has chosen to centralize this capability by providing affiliates with a ready-to-use and standardized EDR-killer suite. This strategy significantly lowers the technical barrier to entry for affiliates, simplifies ransomware deployment, and increases the overall attractiveness of the operation within the cybercriminal ecosystem.
