GentleKiller, the EDR-killer framework at the heart of The Gentlemen’s operations

In February 2026, ESET researchers responded to an incident involving an affiliate of The Gentlemen. On the compromised machine, a staging directory caught their attention: GentlemenCollection. Inside, they found a previously undocumented EDR killer. The tool bore no resemblance to anything previously known. ESET named it GentleKiller and formulated a hypothesis: it was not a tool created by the affiliate themselves, but a component provided directly by the operators of the RaaS program. In the months that followed, the same pattern—same tools, same staging directory—reappeared in unrelated intrusions, all attributed to affiliates of the group. Group-IB, Check Point, and PRODAFT independently confirm that the operators do indeed offer EDR neutralization capabilities to their verified affiliates. Then, in May 2026, a leak of internal data from The Gentlemen provided definitive proof: in chat logs, zeta88, the group’s leader, explicitly mentioned the maintenance and distribution of EDR-killer packages.

The study published by ESET in June 2026 is based on this long-term investigation, corroborated by the leaked data. It provides an in-depth documentation of an arsenal that previous reports had merely mentioned.

The Gentlemen, a RaaS program founded by a ransomware veteran

The Gentlemen is a RaaS program founded by a Russian-speaking actor known by the pseudonyms hastalamuerte and zeta88. The group initially operated under the name ArmCorp starting in March 2025, as an affiliate group leveraging the resources of several RaaS programs, before launching as an independent program under the name The Gentlemen in July 2025. Prior to that, hastalamuerte had been affiliated with no fewer than five competing programs (Qilin, Embargo, LockBit, Medusa, and BlackLock), according to PRODAFT, a cyber intelligence firm that tracks the group under the name Phantom Mantis.

Screenshot of PRODAFT tweet about Phantom Mantis and The Gentlemen ransomware group
Phantom Mantis’s history according to PRODAFT – Source: PRODAFT on X

The split with Qilin was public and acrimonious: hastalamuerte accused the operators, on the RAMP forum, of making a ransom negotiation disappear from the Tox chat—an alleged exit scam involving $48,000. Five days before this post, the first known sample of the “The Gentlemen” locker had already appeared on VirusTotal: the infrastructure for the new program was ready even before the official split.

On June 10, 2026, Brian Krebs published the results of an investigation linking hastalamuerte/zeta88 to a real-world identity: Alexander Andreevich Yapaev, 36, from Izhevsk (Republic of Udmurtia, Russia). The man publicly presents himself as a B2B marketing director at an electrical engineering company. Krebs’s investigation, corroborated by Check Point, Intel 471, and PRODAFT, is based on cross-referencing IP addresses, a Russian phone number linked to hacked government databases, and a GitHub username (SantaMuerte) associated with exploitation tools.

Organizational chart of The Gentlemen ransomware group showing administrator zeta88 at the top and operator roles below
Organizational chart of The Gentlemen group – Source: Check Point Research

To date, the group has claimed 517 victims (according to Ransomware.live data), spread across Southeast Asia, South America, and Western Europe. The United States remains the most affected single country, but its relative share (~16%) is far below the industry norm, where U.S. victims typically account for about half of the claims made by top-tier groups such as Qilin, DragonForce, or Akira; The Gentlemen’s victim profile is instead geographically dispersed, with a significant presence in Thailand, France, and Brazil. An internal leak revealed that targets are selected centrally, primarily based on misconfigurations in their FortiGate firewalls, and then assigned to affiliates. The program offers a 90/10 revenue split in favor of the affiliate, well above the market standard.

The group’s emergence in the summer of 2025, its RaaS model, and its initial campaigns were covered as soon as it issued its first claims of responsibility. The group’s internal organization, extortion methods, and use of AI were subsequently exposed by a leak of 16 GB of internal data analyzed in May 2026. ESET’s study provides the missing piece of the puzzle: the precise functioning of the EDR neutralization arsenal.

Why The Gentlemen’s Approach Is a Game-Changer

Neutralizing EDR before deploying encryption has become a critical step in virtually all ransomware intrusions. But the responsibility for finding a reliable tool to do so almost always falls on individual affiliates, not on RaaS operators. The ESET study “EDR Killers Explained: Beyond the Drivers,” published in March 2026, documented this division of labor as the norm within the ecosystem. The only notable precedent was the now-defunct RansomHub, whose operators had developed a single tool—EDRKillShifter—entirely in-house and distributed it via the affiliate dashboard.

The Gentlemen takes this logic a step further. Rather than a single tool, the group maintains a diversified portfolio combining an in-house framework (GentleKiller) and third-party tools sourced through unidentified channels (HexKiller, ThrottleBlood, HavocKiller), all standardized by a common evasion layer applied to the compiled binaries. “This design prioritizes ease of deployment and operational flexibility for affiliates, while minimizing development effort for the operators,” summarizes Jakub Souček, the ESET researcher who led the investigation. With the demise of RansomHub, The Gentlemen is now the only active RaaS operation for which researchers have documented this model of centralizing EDR killers.

GentleKiller, a modular framework with eight variants

GentleKiller is the most frequently observed EDR killer in intrusions linked to The Gentlemen. ESET has identified at least eight distinct variants, each impersonating a different legitimate product and exploiting a different vulnerable or malicious driver via the BYOVD (Bring Your Own Vulnerable Driver) technique. Beneath the impersonation layer and the choice of driver, the underlying code reveals structural characteristics that remain consistent across variants: identical character strings, a process termination loop executed periodically, broad targeting of security solutions, and similar code obfuscation. All of this points to the use of a shared development template, modified only marginally depending on the variant.

Screenshot of GentleKiller output window showing process termination activity during execution
Output window generated by GentleKiller during execution – Source: ESET WeLiveSecurity

The list of variants reveals a particularly cynical camouflage strategy. The operators systematically choose filenames that mimic well-known security or gaming products: BitD.exe to impersonate Bitdefender, MB.exe for Malwarebytes, and Kasp.exe for Kaspersky— all to blend into the environment they are about to disable. Here are the details of the eight variants documented by ESET:

  • Kaspersky: Kasp<suffix>.exe, exploits the eb.sys rootkit;
  • FACEIT Anti-Cheat: FaceIT<suffix>.exe, exploits the NSecsoft driver nseckrnl.sys;
  • Valorant: Valorant<suffix>.exe, exploits the GameDriverX64.sys anti-cheat driver;
  • Javelin: EAAntiCheat<suffix>.exe / EASolo<suffix>.exe, exploits Safetica’s ProcessMonitor drivers (stpm_old.sys / stpm_new.sys);
  • WatchDog: BitD<suffix>.exe (mimics Bitdefender), exploits the Zemana dmx.sys antimalware driver;
  • Network Blocker: MB<suffix>.exe (mimics Malwarebytes), exploits the Qihoo 360 driver 360netmon_wfp.sys;
  • Cleaner: Deletor.exe, exploits the IObit IMFForceDelete driver (dropped without a .sys extension);
  • G11: G11<suffix>.exe / Symantec<suffix>.exe, exploits the PoisonX rootkit.

Code snippet showing the obfuscation technique implemented across GentleKiller variants
Code obfuscation implemented in GentleKiller — Source: ESET WeLiveSecurity

The <suffix> in each filename is significant: it encodes the level of protection applied to the executable. ESET has documented four systematic variations:

  • suffix 1: Enigma packer, fake digital signature, and fake version information;
  • suffix 2: Themida packer, fake digital signature, and fake version information;
  • suffix Light: no packer, but a fake digital signature and fake version information;
  • suffix Clear: no packer and no fake digital signature; the tool is deployed unmasked.

The existence of Clear variants is telling: operators sometimes deploy a completely raw EDR killer, without any camouflage, when they believe the target environment is sufficiently unprotected that evasion efforts are unnecessary.

The scope of the targeting is considerable. The general list of processes targeted by GentleKiller exceeds 400 process names, associated with 48 security products: major vendors such as CrowdStrike, SentinelOne, Microsoft Defender, Sophos, ESET, Kaspersky, Palo Alto Networks, and Trend Micro, as well as more specialized players such as Huntress, Binary Defense, Blumira, ThreatLocker, Darktrace, and Heimdal.

BYOVD proof-of-concepts operationalized in a matter of days

GentleKiller’s modular architecture, a shared template into which a new vulnerable driver is inserted, has a direct operational impact: it allows The Gentlemen’s operators to integrate newly disclosed BYOVD exploits with unusual speed. ESET cites two specific cases: the UnknownKiller and PoisonKiller exploits were adopted “within days” of the publication of their respective proof-of-concepts. The design, explains Jakub Souček (ESET), “allows The Gentlemen’s operators to integrate abused drivers into their toolkit very shortly after the disclosure of an EDR killer proof-of-concept.”

This agility shortens the window between the public disclosure of an abusable driver and its exploitation in real-world intrusions, leaving defenders less time to block the driver before it is weaponized.

A standardized evasion layer, including for third-party tools

Beyond the GentleKiller framework itself, operators apply a unified evasion strategy to all EDR killers in their portfolio. The key technical point: this layer is applied to compiled binaries, not to source code. This means that operators can protect even tools for which they do not possess the source code—which is the case for third-party EDR killers integrated into the suite.

In practice, the evasion relies on a coherent three-pronged approach: filenames mimicking those of recognized security vendors, fabricated version information accompanied by invalid digital signatures copied from legitimate executables, and icons corresponding to the spoofed product. In addition, a significant portion of the samples are protected by commercial packers (Enigma or Themida). The operational effect is twofold: affiliates have ready-to-use tools disguised as familiar software, and attribution becomes difficult when an isolated sample is examined outside the context of an incident.

Three third-party EDR killers integrated into the portfolio

In addition to GentleKiller, the suite distributed to affiliates includes three externally sourced tools, each exploiting a different driver via BYOVD. ESET assesses with high confidence that these were not developed in-house by The Gentlemen, but rather acquired and then adapted for operational use.

HexKiller (Baidu driver BdApi googleApiUtil64.sys, deployed under the name Avast<suffix>.exe) was previously considered exclusive to the Warlock gang. Its presence in the GentlemenCollection directory is described by ESET as “unexpected and noteworthy”. Researchers note, however, that this does not necessarily imply direct collaboration between the two groups: the tool may have been obtained through private exchanges, secondary distribution channels, or sample leaks. This finding is particularly revealing of the ecosystem’s porosity, where tools circulate among competing groups through channels that are difficult to trace.

ThrottleBlood (the legitimate ThrottleStop.sys driver from TechPowerUp, renamed ThrottleBlood.sys by the attackers and deployed under the name Sent<suffix>.exe) has been repeatedly observed in MedusaLocker intrusions and, more sporadically, among DragonForce affiliates. Trend Micro had linked it to The Gentlemen as early as September 2025. ESET proposes two hypotheses regarding its origin: either a tool sold on underground markets, or a tool developed by the MedusaLocker operators themselves and shared with their affiliates—in which case MedusaLocker would have anticipated, on a smaller scale, the centralization model adopted by The Gentlemen. However, neither hypothesis fully explains how a sample ended up in the group’s hands.

HavocKiller (the Huawei audio driver havoc.sys, deployed under the names HwAudKiller.exe / Sophos<suffix>.exe) was publicly documented by Huntress on March 19, 2026, but ESET’s telemetry confirms its use in an actual intrusion as early as January 23, 2026—nearly two months before the public report. Its architecture differs substantially from that of GentleKiller, confirming its external origin, even though the group’s standardized evasion layer has been applied to it.

ESET also notes the presence of DemoKiller in several intrusions but excludes this tool from the group’s official suite: it shows no connection to the operators and is considered specific to certain affiliates.

OxideHarvest, a credential stealer linked to the “quant” affiliate

The investigation also brought to light OxideHarvest, a credential stealer written in Rust, deployed in several intrusions linked to the group. Since Rust is not the preferred language of The Gentlemen’s operators, ESET does not attribute the tool to the group itself but to one of its affiliates, known by the pseudonym “quant.” Check Point had previously identified a tool maintained by “quant” under the name buildx641 in the leaked data. ESET found an OxideHarvest sample bearing the same name on VirusTotal, confirming that buildx641 and OxideHarvest are the same tool.

OxideHarvest targets credentials stored in 28 browsers across two families. Chromium-based browsers: Google Chrome (including Beta and SxS), Chromium, Microsoft Edge, Torch, Comodo Dragon, Nichrome, Maxthon5, Epic Privacy Browser, Vivaldi, QIP Surf, Cent Browser, Elements Browser, TorBro, CryptoTab, Brave, Opera, Opera GX, and Opera Neon. Gecko-based browsers: Mozilla Firefox, Slim Browser, Pale Moon, Waterfox, Cyberfox, BlackHawk, IceCat, and K-Meleon. The inclusion of ultra-niche browsers such as IceCat, K-Meleon, CryptoTab, and Cyberfox shows that the developer has conducted an exhaustive survey; no browser is considered too obscure to be overlooked.

The tool is driven from the command line: the operator supplies a list of hosts, credentials to authenticate with, a thread count, and an output file. OxideHarvest then connects to the hosts in parallel and writes the harvested credentials to that file.

Screenshot of OxideHarvest credential stealer command-line help output showing available parameters
OxideHarvest command-line interface (–help) – Source: ESET WeLiveSecurity

From Framework to Detection: What GentleKiller Reveals to SOC Analysts

The existence of a centralized portfolio of EDR killers, maintained and distributed by the operators of a RaaS program, represents a paradigm shift in the ecosystem. Whereas RansomHub had invested in a single tool, The Gentlemen combine in-house development with the pragmatic reuse of public research and third-party tools, all unified by a common evasion layer that obscures attribution. Without incident context, The Gentlemen’s EDR killers risk being misattributed—or not attributed at all—masking the true extent of the group’s involvement.

“Understanding how GentleKiller works allows security teams to better design their defensive strategies and protect themselves even against future additions to the group’s arsenal,” concludes Jakub Souček.

ESET’s study provides a set of directly actionable indicators of compromise. The table below summarizes the filenames and drivers associated with each variant:

Variant         Executable                        Loaded driver
Kaspersky       Kasp*.exe                         eb.sys
FACEIT          FaceIT*.exe                       nseckrnl.sys
Valorant        Valorant*.exe                     GameDriverX64.sys
Javelin         EAAntiCheat*.exe / EASolo*.exe    stpm_old.sys / stpm_new.sys
Bitdefender     BitD*.exe                         dmx.sys
Malwarebytes    MB*.exe                           360netmon_wfp.sys
Cleaner         Deletor.exe                       IMFForceDelete (no .sys extension)
G11             G11*.exe / Symantec*.exe          PoisonX
HexKiller       Avast*.exe                        googleApiUtil64.sys
ThrottleBlood   Sent*.exe                         ThrottleBlood.sys
HavocKiller     Sophos*.exe / HwAudKiller.exe     havoc.sys

The G11 variant warrants special attention: it exploits the PoisonX rootkit, which Xcitium has documented as being used in attacks specifically targeting CrowdStrike Falcon. Finally, the GentlemenCollection staging directory is a recurring behavioral IOC in intrusions attributed to the group.
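The evasion layer described earlier and the indicator table above argue for layered detection rather than a filename blocklist. The following Python is an added example written for this page, not code from ESET or from the group’s tooling. It encodes the executable globs and driver names from the table and the GentlemenCollection path component, and adds two behavioral signals: version info naming a security vendor while the signature is invalid or missing (the fake-signature evasion layer), and one process terminating several security-product processes within a short window (GentleKiller’s periodic termination loop). The Event shape, the vendor and process-name sets, and the sample telemetry are assumptions constructed for the demo.

```python
import fnmatch
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Executable-name globs from the page's variant table; "*" stands for the
# <suffix> (1, 2, Light, Clear). Matched case-insensitively on the basename.
KILLER_EXE_GLOBS = {
    "Kaspersky": ["Kasp*.exe"], "FACEIT": ["FaceIT*.exe"], "Valorant": ["Valorant*.exe"],
    "Javelin": ["EAAntiCheat*.exe", "EASolo*.exe"], "Bitdefender": ["BitD*.exe"],
    "Malwarebytes": ["MB*.exe"], "Cleaner": ["Deletor.exe"],
    "G11": ["G11*.exe", "Symantec*.exe"], "HexKiller": ["Avast*.exe"],
    "ThrottleBlood": ["Sent*.exe"], "HavocKiller": ["Sophos*.exe", "HwAudKiller.exe"],
}
# Drivers those variants load (lower-case basenames). BYOVD drivers carry valid
# vendor signatures, so this rule keys on the name, not on the signature.
# IMFForceDelete is dropped without a .sys extension and is listed as such.
ABUSED_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys", "stpm_new.sys",
    "dmx.sys", "360netmon_wfp.sys", "imfforcedelete", "googleapiutil64.sys",
    "throttleblood.sys", "havoc.sys",
}
STAGING_DIR = "gentlemencollection"  # path component, compared case-insensitively

# Assumed for the demo (not from the page): vendor names as they might appear in
# CompanyName version info, and a handful of security-product process names.
SECURITY_VENDORS = {"bitdefender", "malwarebytes", "kaspersky", "sophos", "avast", "symantec"}
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe",
                      "savservice.exe", "ekrn.exe", "avp.exe", "mbamservice.exe"}


@dataclass
class Event:
    """One telemetry record, in the shape an EDR export is assumed to provide."""
    kind: str                 # "process_create" | "driver_load" | "process_terminate"
    image: str                # full path of the executable or driver
    signature: str = "valid"  # "valid" | "invalid" | "unsigned"
    company: str = ""         # CompanyName from the PE version resource
    target: str = ""          # process_terminate only: image of the killed process
    ts: int = 0               # seconds


def _base(path):
    return ntpath.basename(path).lower()


def variant_for(basename):
    """Name of the variant whose executable glob matches, or None."""
    name = basename.lower()
    for variant, globs in KILLER_EXE_GLOBS.items():
        if any(fnmatch.fnmatchcase(name, g.lower()) for g in globs):
            return variant
    return None


def detect(events, burst_window=60, burst_min=5):
    """Return sorted (rule, image) findings over a sequence of Events."""
    findings = set()
    kills = defaultdict(list)  # killer image -> [(ts, killed process basename)]
    for ev in events:
        name = _base(ev.image)
        if STAGING_DIR in ev.image.lower().replace("/", "\\").split("\\"):
            findings.add(("staging_dir", ev.image))
        if ev.kind == "process_create":
            variant = variant_for(name)
            if variant:
                findings.add((f"killer_name:{variant}", ev.image))
            # Copied vendor metadata cannot be validly signed by the attacker.
            if ev.signature != "valid" and any(v in ev.company.lower() for v in SECURITY_VENDORS):
                findings.add(("vendor_impersonation", ev.image))
        elif ev.kind == "driver_load" and name in ABUSED_DRIVERS:
            findings.add(("byovd_driver", ev.image))
        elif ev.kind == "process_terminate" and _base(ev.target) in SECURITY_PROCESSES:
            kills[ev.image].append((ev.ts, _base(ev.target)))
    # Termination loop: one image killing >= burst_min distinct security-product
    # processes within burst_window seconds (sliding window over sorted kills).
    for image, seq in kills.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            if len({t for ts, t in seq[i:] if ts - t0 <= burst_window}) >= burst_min:
                findings.add(("edr_kill_loop", image))
                break
    return sorted(findings)


# Constructed sample telemetry (not real logs): one staged killer run, followed
# by benign activity that must not fire.
KILLER = r"C:\Users\Public\GentlemenCollection\BitD1.exe"
SAMPLE_EVENTS = [
    Event("process_create", KILLER, signature="invalid", company="Bitdefender SRL", ts=0),
    Event("driver_load", r"C:\Users\Public\GentlemenCollection\dmx.sys", ts=1),
    Event("process_terminate", KILLER, target=r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe", ts=2),
    Event("process_terminate", KILLER, target=r"C:\Program Files\SentinelOne\SentinelAgent.exe", ts=3),
    Event("process_terminate", KILLER, target=r"C:\Program Files\CrowdStrike\CSFalconService.exe", ts=4),
    Event("process_terminate", KILLER, target=r"C:\Program Files\Sophos\SAVService.exe", ts=5),
    Event("process_terminate", KILLER, target=r"C:\Program Files\ESET\ekrn.exe", ts=6),
    Event("process_create", r"C:\Program Files\Bitdefender\EPSecurityService.exe", company="Bitdefender SRL", ts=100),
    Event("driver_load", r"C:\Windows\System32\drivers\ndis.sys", ts=101),
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {image}")
```

Run as a script, it prints six findings for the constructed sample and nothing for the legitimate Bitdefender service or ndis.sys. Two caveats the table alone does not convey: the short globs (MB*.exe, Sent*.exe) also match legitimate binaries, so a name hit is corroboration, not a verdict; and Clear variants carry no fake signature, so the vendor_impersonation rule never fires on them, which is why the termination-loop rule is the one that generalizes across all suffixes and across drivers the group has not adopted yet.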

The speed with which the group incorporates new vulnerable drivers serves as a reminder that these indicators have a limited lifespan: detection teams should treat them as a starting point, not as a static list.
