TL;DR
The ransomware-as-a-service (RaaS) operation known as Gentlemen has industrialized something most of its peers leave to chance: defeating endpoint detection and response (EDR) tooling before deploying a ransomware payload. Rather than requiring affiliates to source their own EDR-killing capability – the traditional division of labor in the RaaS ecosystem – Gentlemen’s operators build, maintain, and centrally distribute a full portfolio of EDR killers, anchored by an in-house framework ESET has named GentleKiller. The portfolio also absorbs three externally sourced tools (HexKiller, ThrottleBlood, HavocKiller), all run through a shared defense-evasion and impersonation layer that makes the whole catalogue look and behave like a single coherent product line rather than a grab-bag of borrowed code.
This post walks through the full technical picture: the threat actor itself, how the intelligence was obtained, the end-to-end attack chain, the internal architecture of GentleKiller’s driver-abuse template, the third-party tools folded into the suite, the credential-stealer companion tool, an adjacent UEFI-level vulnerability, and the complete IOC and MITRE ATT&CK reference data published alongside the research.
Threat actor profile: Gentlemen
| Attribute | Detail |
|---|---|
| Emergence | ESET places the group’s appearance in late 2025; The Hacker News, citing Ransomware.live data, cites a March 2025 emergence date. The two reports do not agree on the exact timeline. |
| Activity tier | One of the five most active ransomware gangs in Q1 2026. |
| Claimed victims | 504, per Ransomware.live data cited by The Hacker News, as of the report’s publication. |
| Affiliate revenue share | 90% – unusually generous, and paired with a ready-made EDR-killer suite, which substantially lowers the technical bar for new affiliates. |
| Leadership handle(s) | hastalamuerte (primary handle); zeta88 (alias used internally, identified in leaked chat logs as the gang’s leader actively discussing EDR-killer provisioning). |
| Identity disclosure | Group-IB disclosed that Gentlemen was founded by hastalamuerte, described as a disgruntled former Qilin affiliate. PRODAFT tweeted on 17 October 2025 that Gentlemen’s operators had previously been affiliates of Qilin, Embargo, LockBit, Medusa, and BlackLock. On 10 June 2026, Brian Krebs published evidence of hastalamuerte’s real-world identity. Reporting via Krebs and PRODAFT, as cited by The Hacker News, names the individual behind the handle as Alexander Andreevich Yapaev, a 36-year-old Russian national. |
| Encryptor architecture | A Go-based encryptor targeting Windows, Linux, and other platforms, plus a separate C-based variant built specifically for ESXi hypervisors. |
| Extortion model | Standard double extortion: encrypt victim data, exfiltrate it, and threaten publication on a leak site if the ransom isn’t paid. |
The affiliate/operator split here follows the conventional RaaS structure: operators build the ransomware payload, manage decryption keys, run the leak site, often negotiate with victims directly, and supply tooling for a cut of the ransom (industry-typical operator cuts run 5–20%, against which Gentlemen’s 90%-to-affiliate split is notably generous). Affiliates rent the service, handle deployment into victim networks, and are responsible for exfiltration.
Victimology and targeting logic
Most top-tier RaaS gangs (ESET specifically names Qilin, DragonForce, and Akira as examples) draw close to half of their publicly claimed victims from the United States; this US-centric bias has become close to a norm for the top tier of the ecosystem.
Gentlemen breaks that pattern. Despite its Q1 2026 ranking among the five most active gangs, its victim list skews toward Southeast Asia, South America, and Western Europe, with both source reports specifically calling out Thailand, Brazil, and France as notably represented countries.
The leaked internal data clarifies why: targeting isn’t geographic strategy at all. Victim candidates are selected and vetted centrally based primarily on the configuration of the target’s FortiGate firewall, and only then assigned out to affiliates. The geographic spread is a downstream artifact of where vulnerable/misconfigured FortiGate deployments happen to cluster, not a deliberate regional focus. This is a useful general reminder for threat-intel consumers: “victimology” in ransomware reporting often reflects infrastructure exposure patterns rather than strategic targeting decisions.
Intelligence provenance: how this picture was assembled
This level of detail didn’t come from a single source. ESET’s account of how it built confidence in the GentleKiller hypothesis is itself part of the story:
- February 2026 – ESET observes a previously undocumented EDR killer deployed by a Gentlemen affiliate, staged in a directory named GentlemenCollection. They name it GentleKiller and hypothesize – without yet being able to confirm – that it is not an affiliate-specific tool but something supplied centrally by Gentlemen’s operators.
- Ongoing incident response – ESET subsequently observes the same GentlemenCollection staging pattern (GentleKiller plus other EDR killers dropped to the same directory) across multiple unrelated intrusions, consistently tied to Gentlemen affiliates.
- Corroborating reports – Group-IB and Check Point independently publish assessments that Gentlemen operators explicitly offer EDR-disabling capabilities as part of the RaaS program to verified affiliates.
- May 2026 – Gentlemen suffers an internal data leak. Within it, chat logs show zeta88 (hastalamuerte) personally discussing the maintenance and distribution of EDR-killer packages to affiliates – the final piece of evidence converting ESET’s hypothesis into a confirmed finding. The same leak also allows ESET to attribute the OxideHarvest credential stealer to a specific Gentlemen affiliate (see Section 8).
- Check Point additionally identifies a Gentlemen affiliate operating under the handle quant, who maintains a tool referred to internally as buildx641 – the thread that ultimately ties OxideHarvest to the group.
The end-to-end attack chain

Pulling together the TTPs documented across both reports (and the formal MITRE ATT&CK mapping ESET published, reproduced in full in Section 10), the intrusion chain looks like this:
Stage 1 – Candidate selection (pre-intrusion, operator-side). Gentlemen’s operators centrally scan for and vet organizations based on FortiGate firewall configuration/misconfiguration, then distribute viable targets to affiliates. This is a pre-compromise triage step, not opportunistic affiliate-driven targeting.
Stage 2 – Initial access and staging. Once an affiliate has a foothold, EDR-killer payloads are staged to disk in a directory named GentlemenCollection – a consistent artifact ESET has observed across multiple, unrelated intrusions. This directory name is itself a high-value detection artifact (see Section 12).
Stage 3 – Execution (T1059.003 – Command and Scripting Interpreter: Windows Command Shell). GentleKiller and the absorbed third-party tools are console-based executables that run visibly and emit debug strings during execution (see Figure 1 in the original ESET post, showing GentleKiller’s output window).
Stage 4 – Driver installation as a persistence/elevation step (T1543.003 – Create or Modify System Process: Windows Service). Each tool installs and starts its associated vulnerable or outright malicious kernel-mode driver as a Windows service before exploitation occurs.
Stage 5 – Privileged kernel interaction (T1106 – Native API). User-mode components communicate with the now-loaded kernel driver via DeviceIoControl and other native Windows APIs to issue privileged commands – this is the actual mechanism by which user-mode code reaches into kernel space to terminate protected processes.
Stage 6 – Defense impairment (T1685 – Disable or Modify Tools). The driver’s kernel-level privileges are used to terminate security-product processes directly, bypassing user-mode tamper protection entirely. GentleKiller runs this as a persistent scan-and-kill loop, re-checking the live process list and killing matches on a cadence of roughly two seconds, for the duration of the intrusion – not a one-shot kill, but a standing denial-of-defense layer that re-asserts itself even if an EDR’s own watchdog process tries to restart a killed component.
Stage 7 – Masquerading and obfuscation layered over the whole chain (T1036, T1036.001, T1027 – Masquerading, Masquerading: Invalid Code Signature, Obfuscated Files or Information). Every tool in the suite – whether built in-house or absorbed from a third party – is run through the same standardization layer: commercial packers (Enigma/Themida), fabricated version information, icons copied from the impersonated vendor, and digital signatures copied from legitimate software (cosmetically convincing but not cryptographically valid). See Section 7 for the full breakdown.
Stage 8 – Credential harvesting. Where deployed, OxideHarvest (Section 8) is used to sweep credentials across a wide range of Chromium- and Gecko-based browsers from compromised hosts, using an operator-supplied host list, username, and password to authenticate and exfiltrate in a multithreaded loop.
Stage 9 – Payload deployment. With EDR neutralized, the affiliate deploys Gentlemen’s ransomware payload: the Go-based encryptor for Windows/Linux estates, or the C-based ESXi-specific variant for virtualized infrastructure – hypervisor-level encryption being treated as close to table stakes among top-tier RaaS operators given how much ransomware economics now depend on taking down virtualization layers in one shot.
Stage 10 – Double extortion. Data is exfiltrated prior to or during encryption, and the victim is threatened with publication on Gentlemen’s leak site if payment isn’t made.
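The host-side artifacts of Stages 2, 4 and 6 (a GentlemenCollection staging directory, a kernel driver service installed from it, and a standing kill loop against security-product processes) lend themselves to a simple correlation. The Python below is an added example written for this summary; it is not ESET’s code and not anything from the Gentlemen toolset. Only the directory name and the process names in the watchlist come from the report. The event layout (a flattened tuple shaped like Sysmon event IDs 11 and 5 and System event ID 7045), the sample paths, service name, timings and the thresholds are assumptions made for illustration.

```python
"""Correlate host telemetry for the staging-directory / driver-service /
kill-loop chain (Stages 2, 4 and 6).  Added example, not ESET's code.

Input records are constructed, flattened events shaped like Sysmon and
System log entries: (timestamp, channel, event id, fields).
"""
import re
from collections import defaultdict
from datetime import datetime

# Directory name comes from ESET's reporting; either path separator is accepted.
STAGING_DIR_RE = re.compile(r"[\\/]GentlemenCollection[\\/]", re.IGNORECASE)

# Subset of GentleKiller's target list.  Matching is case-insensitive because
# the published list contains case-variant duplicates of the same binary.
WATCHLIST = {name.lower() for name in (
    "MsMpEng.exe", "MsSense.exe", "ekrn.exe", "CSFalconService.exe",
    "SentinelAgent.exe", "SophosHealth.exe", "Sysmon64.exe", "cb.exe",
)}

# Constructed sample telemetry (hostnames, paths and timings are invented).
STAGING = r"C:\Users\Public\GentlemenCollection"
DEFENDER = r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"
SAMPLE_EVENTS = [
    ("2026-02-10T09:00:01", "Sysmon", 11, {"TargetFilename": STAGING + r"\FaceIT1.exe"}),
    ("2026-02-10T09:00:02", "Sysmon", 11, {"TargetFilename": STAGING + r"\nseckrnl.sys"}),
    ("2026-02-10T09:00:05", "System", 7045, {"ServiceName": "nseckrnl",
        "ImagePath": STAGING + r"\nseckrnl.sys", "ServiceType": "kernel mode driver"}),
    # Defender's engine is killed, restarted by its watchdog, and killed again.
    ("2026-02-10T09:00:07", "Sysmon", 5, {"Image": DEFENDER}),
    ("2026-02-10T09:00:08", "Sysmon", 5, {"Image": r"C:\Windows\Sysmon64.exe"}),
    ("2026-02-10T09:00:09", "Sysmon", 5, {"Image": DEFENDER}),
    ("2026-02-10T09:00:11", "Sysmon", 5, {"Image": DEFENDER}),
    ("2026-02-10T09:00:13", "Sysmon", 5, {"Image": DEFENDER}),
    # Background noise that must not trigger anything.
    ("2026-02-10T09:00:14", "Sysmon", 5, {"Image": r"C:\Windows\System32\notepad.exe"}),
    ("2026-02-10T09:00:20", "Sysmon", 11, {"TargetFilename": r"C:\Users\alice\Downloads\report.pdf"}),
    ("2026-02-10T09:00:30", "System", 7045, {"ServiceName": "Spooler",
        "ImagePath": r"C:\Windows\System32\spoolsv.exe", "ServiceType": "user mode service"}),
]


def _basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_staging_writes(events):
    """Sysmon EID 11: files written into a GentlemenCollection directory."""
    return [f["TargetFilename"] for _, chan, eid, f in events
            if chan == "Sysmon" and eid == 11 and STAGING_DIR_RE.search(f["TargetFilename"])]


def find_driver_installs_from_staging(events):
    """System EID 7045: kernel-driver services whose ImagePath is in staging."""
    return [(f["ServiceName"], f["ImagePath"]) for _, chan, eid, f in events
            if chan == "System" and eid == 7045
            and "driver" in f.get("ServiceType", "").lower()
            and STAGING_DIR_RE.search(f["ImagePath"])]


def find_kill_loop(events, min_kills=3, max_gap_s=5.0):
    """Sysmon EID 5: watchlisted processes terminated repeatedly at a short,
    regular cadence (the ~2 s scan-and-kill loop, with slack for the EDR's
    own restart delay).  Returns {process name: termination count}."""
    by_proc = defaultdict(list)
    for ts, chan, eid, f in events:
        if chan == "Sysmon" and eid == 5:
            name = _basename(f["Image"])
            if name in WATCHLIST:
                by_proc[name].append(datetime.fromisoformat(ts))
    hits = {}
    for name, times in by_proc.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_kills and all(g <= max_gap_s for g in gaps):
            hits[name] = len(times)
    return hits


def assess(events):
    """Combine the three signals.  Any one is worth a look; all three together
    is the end-to-end chain ESET describes."""
    staging = find_staging_writes(events)
    drivers = find_driver_installs_from_staging(events)
    loop = find_kill_loop(events)
    score = int(bool(staging)) + int(bool(drivers)) + int(bool(loop))
    return {"staging_files": staging, "driver_services": drivers,
            "kill_loop": loop, "score": score, "gentlemen_chain": score == 3}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The kill-loop check is the one worth keeping even where the staging directory is renamed: a protected process terminated several times at a near-constant interval is the behavioural fingerprint of a scan-and-kill loop, independent of which driver was used to do the killing. The directory and service checks are cheap and precise but brittle, since they depend on the affiliate keeping ESET’s observed naming.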
GentleKiller: the in-house framework
GentleKiller is, by ESET’s telemetry, the most prevalent EDR killer observed across the Gentlemen ecosystem. At time of writing, ESET documents at least eight distinct variants.
The shared development template
Despite each variant impersonating a different product and abusing a different driver, ESET found enough shared internal characteristics – once the impersonation layer and specific driver are abstracted away – to classify all eight under one umbrella. The defining traits of the shared template:
- Consistent strings across variants.
- Periodic process-termination in a loop (the ~2-second kill cadence described above).
- A broad, shared target list of security-product processes.
- Identical code obfuscation patterns.
ESET’s assessment is that this points to a reusable internal development template, modified only minimally per variant, meaning that standing up a ninth variant is largely a matter of swapping in a new driver and a new impersonation skin rather than writing new logic from scratch. This design choice prioritizes deployment ease and operational flexibility for affiliates while minimizing the operators’ own development overhead, and it’s precisely what allows Gentlemen to integrate a newly disclosed driver-abuse PoC into the toolset within days of public release – as happened with two PoCs ESET tracks as UnknownKiller and PoisonKiller.
Naming/suffix convention
GentleKiller’s filenames encode which protection profile was applied via a suffix, per ESET’s Table 1:
| Suffix | Binary protection | Fake digital signature | Fake version information |
|---|---|---|---|
| 1 | Enigma | Yes | Yes |
| 2 | Themida | Yes | Yes |
| Light | None | Yes | Yes |
| Clear | None | No | No |
A small number of observed samples deviate from this pattern, which ESET attributes to inconsistent development practices rather than a different evasion strategy.
The eight documented variants
| Variant impersonates | Filename(s) | Abused driver |
|---|---|---|
| Kaspersky | Kasp<suffix>.exe | eb.sys – a rootkit (PoC) |
| FACEIT Anti-Cheat | FaceIT<suffix>.exe | nseckrnl.sys – NSecsoft NSecKrnl driver (PoC) |
| Valorant | Valorant<suffix>.exe | GameDriverX64.sys, an anti-cheat driver (PoC) per ESET’s variant table – though ESET’s own published IOC list for the sample Valorant2.exe records the dropped driver as vgk.sys, identified as a Tower of Fantasy AntiCheat driver (detection: Win64/VulnDriver.PerfectWorld.A). The source material does not reconcile this discrepancy between the variant table and the IOC table. |
| Javelin | EAAntiCheat<suffix>.exe, EASolo<suffix>.exe | stpm_old.sys / stpm_new.sys – two vulnerable Safetica Process Monitor Driver builds (PoC) |
| WatchDog | BitD<suffix>.exe | dmx.sys – Zemana’s WatchDog Antimalware Driver (PoC) |
| Network Blocker | MB<suffix>.exe | 360netmon_wfp.sys – a vulnerable driver by Qihoo 360 Technology (PoC) |
| Cleaner | Deletor.exe | IMFForceDelete – IObit’s IMF ForceDelete filter driver (PoC); notably dropped to disk without the trailing .sys extension |
| G11 | G11<suffix>.exe, Symantec<suffix>.exe | PoisonX – a rootkit, outright malicious rather than merely vulnerable |
Anti-cheat drivers (FACEIT, Valorant/Tower of Fantasy, EA) are a recurring source pool here – they’re widely installed, kernel-resident by design, and signed, which makes them an attractive BYOVD substrate independent of any single game publisher’s security posture.
Target scope
GentleKiller’s target list spans more than 400 process names, which ESET ties to 48 distinct security products using AI-assisted mapping (with the caveat that minor inconsistencies may exist). The full vendor-to-process mapping, as published by ESET:
| Vendor | Targeted processes |
|---|---|
| Acronis | acronis_agent.exe, BackupAndRecoveryAgent.exe, managementagenthost.exe, mms.exe |
| AlienVault | alienvault-agent.exe, osqueryd.exe |
| Avast | afwServ.exe, aswEngSrv.exe, aswidsagent.exe, aswToolsSvc.exe, AvastSvc.exe, AvastUI.exe, avastsvc.exe, avastui.exe, bccavsvc.exe, wsc_proxy.exe |
| AVG | AVGUI.exe, AVGSvc.exe, avgnt.exe, avgsvca.exe, avgToolsSvc.exe |
| Binary Defense | BinaryDefenseAgent.exe |
| Bitdefender | Arrakis3.exe, BDAvScanner.exe, BDFsTray.exe, BDFileServer.exe, BDLived2.exe, BDLogger.exe, BDScheduler.exe, BDStatistics.exe, bdagent.exe, bdemsrv.exe, bdntwrk.exe, bdredline.exe, bdregsvr2.exe, bdservicehost.exe |
| Blumira | BlumiraAgent.exe |
| Bromium | BromiumDaemon.exe, BrDifxapi.exe |
| Carbon Black | cb.exe, cbcomms.exe, cbdefense.exe, carbonsensor.exe, RepMgr.exe |
| Cisco Talos | cfrutil.exe, CiscoAMPCEFWDriver.exe, cisco_amp_connector.exe, immunet.exe |
| CrowdStrike | ARWSRVC.EXE, ARCUpdate.exe, CSFalconContainer.exe, CSFalconService.exe, CSFalconUI.exe, csfalcondataprotect.exe, csfalcondaterepair.exe, REPRSVC.EXE |
| Cynet | CynetEPS.exe, CynetMS.exe, CynetSvc.exe |
| Cybereason | ActiveConsole.exe, cybereason.exe, CybereasonActiveProbe.exe, CybereasonCR.exe |
| Cyvera | CyveraConsole.exe, CyveraService.exe, CyvrAgentSvc.exe, CyvrFsFlt.exe, cyvrfsflt.exe |
| Cylance/BlackBerry | CylanceSvc.exe |
| Darktrace | DarktraceTSA.exe |
| Deep Instinct | DeepInstinct.exe, DeepInstinctService.exe, DIAgentService.exe |
| Elastic | a2guard.exe, a2service.exe |
| ESET | eamonm.exe, eamsi.exe, ecls.exe, efwd.exe, egui.exe, eguiProxy.exe, ekrn.exe, ekrnEpfw.exe, ERAAgent.exe, EraAgentSvc.exe |
| Fortinet | firesvc.exe, firetray.exe, FortiTray.exe, fortiedr.exe, fw.exe |
| G DATA | GDDServer.exe, QHPISVR.EXE, QUHLPSVC.EXE, SAPISSVC.EXE |
| Heimdal | HeimdalsecurityAgent.exe |
| Huntress | HuntressAgent.exe, HuntressRMM.exe |
| Kaspersky | avp.exe, avpsus.exe, avpui.exe, kavfs.exe, kavfsscs.exe, kavfswh.exe, kavfswp.exe, kavtray.exe, klactprx.exe, klcsldcl.exe, klcsweb.exe, klnagent.exe, klnagchk.exe, klscctl.exe, klserver.exe, klwtblfs.exe, kpf4ss.exe, ksde.exe, ksdeui.exe, vapm.exe |
| LogRhythm | LogProcessorService.exe |
| McAfee/Trellix | AGMService.exe, AGSService.exe, masvc.exe, macmnsvc.exe, McAfeeAgent.exe, mcshield.exe, mfeann.exe, mfevtps.exe, mfetp.exe, mfeepehost.exe, mfefire.exe, mfemactl.exe, mfemacsvc.exe, mfemgr.exe, mfemms.exe, MgntSvc.exe, ModuleCoreService.exe, tepfsvc.exe |
| Microsoft Defender | MSASCui.exe, MSASCuiL.exe, MpDefenderCoreService.exe, MsMpEng.exe, MsMpSvc.exe, MsSense.exe, msascuil.exe, msseces.exe, NisSrv.exe, nissrv.exe, SecurityHealthService.exe, SecurityHealthSystray.exe, SenseCncProxy.exe, SenseIR.exe, SenseNdr.exe, SenseSampleUploader.exe, smartscreen.exe, windefend.exe |
| Morphisec | MorphisecService.exe |
| Norton/Symantec | ccApp.exe, ccSvcHst.exe, ccsvchst.exe, ns.exe, nsservice.exe, nortonsecurity.exe, rtvscan.exe, SepMasterService.exe, sepWscSvc64.exe, smc.exe, SmcGui.exe, snac.exe, SymCorpUI.exe, SymWSC.exe |
| OSSEC/Wazuh | ossec-agent.exe, wazuh-agent.exe |
| Palo Alto Networks (Traps/Cortex) | cortexService.exe, trapsagent.exe, trapsd.exe, Traps.exe |
| Panda Security | panda_url_filtering.exe, pavfnsvr.exe, pavsrv.exe, psanhost.exe, PSANHost.EXE, pselamsvc.EXE, PSUAMain.EXE, PSUAService.EXE, pangps.exe |
| Qualys | qualys-cloud-agent.exe, QualysAgent.exe |
| Rapid7 | ir_agent.exe, rapid7_endpoint.exe |
| Red Canary | RedCanaryAgent.exe |
| Sangfor | CSAAgent.exe, CSAService.exe, SangforAgent.exe, SangforCSA.exe, SangforEDR.exe, SangforInterface.exe, SangforMonitor.exe, SangforProtect.exe, SangforService.exe, SangforTray.exe, SangforUD.exe |
| SentinelOne | Sentinel.exe, SentinelAgent.exe, SentinelAgentWorker.exe, SentinelCtl.exe, SentinelHelperService.exe, SentinelMemoryScanner.exe, SentinelPowerShellExtension.exe, SentinelRanger.exe, SentinelServiceHost.exe, SentinelStaticEngine.exe, SentinelStaticEngineScanner.exe, SentinelUI.exe |
| SonicWall | SonicWallClientProtectionService.exe, swc_service.exe |
| Sophos | hmpalert.exe, McsAgent.exe, McsClient.exe, SavApi.exe, SAVAdminService.exe, SAVService.exe, SEDService.exe, SophosADSyncService.exe, SophosClean.exe, SophosCleanM64.exe, SophosFIMService.exe, SophosFS.exe, SophosHealth.exe, SophosLiveQueryService.exe, SophosMTR.exe, SophosMTRExtension.exe, SophosNetFilter.exe, SophosNtpService.exe, SophosOsquery.exe, SophosOsqueryExtension.exe, Sophos.PolicyEvaluation.Service.exe, SophosSafestore64.exe, SophosUI.exe, SophosUpdateMgr.exe, sophosav.exe, sophossps.exe, SSPService.exe |
| Tanium | TaniumClient.exe, TaniumCX.exe, tanclient.exe |
| ThreatLocker | ThreatLockerConsent.exe, threatlockerservice.exe, threatlockertray.exe |
| TrendAI | coreFrameworkHost.exe, coreServiceShell.exe, NTRTScan.exe, ntrtscan.exe, Ntrtscan.exe, OfcService.exe, ofcDdaSvr.exe, PccNTMon.exe, PccNt.exe, TISafe.exe, TISafeSvc.exe, TmCCSF.exe, tmicAgentSetting.exe, TMBMSRV.exe, Tmbmsrv.exe, tm_netsrv.exe, TmListen.exe, tmntsrv.exe, TmPfw.exe, tmproxy.exe, TmProxy.exe, TmPreFilter.exe, TmSSClient.exe, TmsaInstance64.exe, TmWscSvc.exe, VOneAgentConsole.exe, VOneAgentConsoleTray.exe |
| Uptycs | VectorAgent.exe, UptycsAgent.exe |
| Varonis | DatAdvantage.exe, VaronisAgent.exe |
| WatchGuard | wlcsservice.exe |
| Webroot | WRSA.exe, WRSkyClient.exe, WRSVC.exe, wrsa.exe |
| Windows Sysinternals | Sysmon.exe, Sysmon64.exe |
| Zscaler | zlclient.exe |
The breadth here is the point: GentleKiller doesn’t bet on guessing which product a given victim runs, it carries kill-targets for essentially the entire commercial EDR/AV market plus several SIEM/RMM/backup agents, so the same binary functions regardless of which vendor a target organization has standardized on.
Speed of weaponization
Two BYOVD PoC exploits, tracked by ESET as UnknownKiller and PoisonKiller, were integrated into GentleKiller’s arsenal within days of their public GitHub disclosure. Most RaaS operators take weeks to months to productionize a freshly disclosed PoC, if they bother at all. That turnaround implies either a dedicated internal team actively monitoring GitHub/security research for new BYOVD candidates, or a pipeline tight enough that adding a new driver is essentially a templated, mechanical task, likely some combination of both, given the shared-template architecture described above.
Third-party EDR killers absorbed into the suite
Beyond the in-house framework, Gentlemen folds three externally sourced tools into the affiliate-facing portfolio:
| ESET name | Filename(s) | Abused driver |
|---|---|---|
| HexKiller | Avast<suffix>.exe | googleApiUtil64.sys – a Baidu Antivirus BdApi driver |
| ThrottleBlood | Sent<suffix>.exe | ThrottleBlood.sys – a driver by TechPowerUp LLC |
| HavocKiller (also tracked as HwAudKiller) | HwAudKiller.exe, Sophos<suffix>.exe | havoc.sys – a driver impersonating Huawei’s audio stack |
HexKiller
Previously assessed by ESET as exclusive to the Warlock ransomware gang, HexKiller’s appearance in Gentlemen intrusions, staged alongside GentleKiller binaries in the same GentlemenCollection directory, is unexpected. ESET is explicit that this does not, by itself, imply direct collaboration or operational overlap between Gentlemen and Warlock; the tool could plausibly have moved via private exchanges, secondary distribution channels, or a sample leak without any direct contact between the two gangs. The filename googleApiUtil64.sys is itself part of the impersonation, designed to read as a legitimate Google component on casual inspection, even though the underlying driver is from Baidu Antivirus.
ThrottleBlood
Repeatedly observed in MedusaLocker affiliate intrusions and, less frequently, DragonForce affiliate activity. Trend Micro linked it to Gentlemen as early as September 2025, predating ESET’s June 2026 report by several months. ESET states it lacks sufficient evidence to conclusively determine ThrottleBlood’s origin: it could be commercially distributed on underground markets, or developed by MedusaLocker operators and shared with affiliates (some of whom may also have DragonForce ties). Neither hypothesis fully explains how it reached Gentlemen’s possession, so leakage beyond its originally intended context can’t be ruled out. What ESET states with high confidence is that Gentlemen did not develop ThrottleBlood in-house.
HavocKiller / HwAudKiller
The most recent addition to the suite. Huntress publicly disclosed HavocKiller on 19 March 2026, but ESET’s own telemetry shows real-world use dating back to at least 23 January 2026 – meaning the tool was operational for roughly two months before the security community had a name for it. ESET corroborates Huntress’s assessment that all observed deployments were part of ransomware-related activity. Although HavocKiller samples are staged in the same GentlemenCollection directory and carry Gentlemen’s standard evasion treatment, ESET’s analysis finds the underlying implementation differs substantially from GentleKiller, reinforcing the assessment that it’s a third-party tool adapted operationally rather than built in-house.
A tool considered and excluded: DemoKiller
ESET also observed an EDR killer it tracks as DemoKiller across several intrusions but found no ties to Gentlemen. It’s treated as affiliate-specific tooling rather than part of the Gentlemen-maintained portfolio, and explicitly excluded from the suite in ESET’s accounting.
PoisonX.sys is not exclusive to Gentlemen
The rootkit driver PoisonX.sys used in GentleKiller’s “G11” variant has also surfaced independently in other BYOVD campaigns unrelated to Gentlemen, including one used to kill CrowdStrike Falcon, and in a Huntress-documented intrusion in which attackers abused BeyondTrust Remote Support access and paired PoisonX.sys with a second driver, hrwfpdrv.sys, ahead of ransomware deployment. The driver is circulating in the wild beyond Gentlemen’s own usage of it.
The defense-evasion standardization layer
The element that turns Gentlemen’s tool catalogue from a loose grab-bag into a coherent product is a shared evasion layer applied uniformly to both the in-house GentleKiller variants and the absorbed third-party tools. Three things make this layer notable:
- It’s applied at the compiled-binary level, not the source level. This is the key architectural decision: because the evasion treatment is bolted onto a finished executable rather than baked in at compile time, Gentlemen’s operators can apply it to tools they neither wrote nor have source access to, which is exactly how HexKiller, ThrottleBlood, and HavocKiller end up wearing the same disguise as the in-house GentleKiller family.
- Commercial packers – Enigma or Themida – are applied to a significant share of samples, with the specific packer (or its absence) encoded in the filename suffix (Section 5.2).
- Vendor impersonation at the metadata level, consisting of three components that all point at the same impersonated vendor/product simultaneously: fabricated version information, an invalid digital signature copied from a legitimate executable, and an icon matching the impersonated product.
The practical attribution consequence ESET highlights: EDR killers that originated with entirely different ransomware gangs come out the other end of Gentlemen’s pipeline looking nearly identical to the in-house tools – same packer signature conventions, same impersonation pattern, same metadata structure. A sample examined in isolation, without intrusion-level context, becomes very hard to confidently attribute to a specific operator. ESET’s own incident-level visibility, rather than static sample analysis alone, is what made attribution possible here.
For comparison, ESET notes that RansomHub, another prominent RaaS operation, built a single in-house EDR killer (EDRKillShifter) for affiliate use via its affiliate panel. Gentlemen’s approach is broader and more deliberately product-like: a varied portfolio blending original engineering, rapidly adapted public PoC research, and absorbed third-party tools, unified by one standardization pipeline.
OxideHarvest: the affiliate-maintained credential stealer
OxideHarvest (also tracked under the alias buildx641) is a Rust-written credential stealer. ESET notes Rust is not Gentlemen’s typical language of choice, so the tool is not attributed to the core operators – instead, leaked data plus Check Point reporting tie it to a specific Gentlemen affiliate, handle quant, who maintains a tool internally referred to as buildx641. ESET subsequently located a sample on VirusTotal named buildx641.exe and confirmed it is the same tool as OxideHarvest.
Packaging and usage
OxideHarvest ships wrapped in different packers, often mimicking legitimate software via version information and icon – an approach similar to GentleKiller’s evasion layer, though ESET notes it is not identical. The protected payload itself is a straightforward credential stealer operated via command-line flags:
| Flag | Purpose |
|---|---|
| -i | Input file: newline-delimited list of target hosts |
| -u | Username to authenticate with |
| -p | Password to authenticate with |
| -t | Number of threads |
| -o | Output file for exfiltrated credentials |
The tool authenticates to the supplied host list using the supplied credentials, runs multithreaded for throughput, and writes harvested credentials to the specified output file.
Browser targeting configuration
OxideHarvest’s embedded configuration targets a broad set of Chromium-based and Gecko-based browsers – well beyond the usual Chrome/Edge/Firefox trio, which maximizes harvest yield across a heterogeneous victim population where employees may run less common browsers.
Chromium-based targets: Google Chrome, Google Chrome Beta, Chrome SxS (“ChromeBeta”), Chromium, Microsoft Edge, Torch, Comodo (Dragon), Nichrome, Maxthon5, Epic Privacy Browser, Vivaldi, QIP Surf, Cent (CentBrowser), Elements Browser, TorBro, CryptoTab Browser, Brave, Opera, OperaGX, Opera Neon.
Gecko-based targets: Mozilla Firefox, Slim (SlimBrowser), Pale Moon, Waterfox, Cyberfox, BlackHawk, IceCat, K-Meleon.
Each entry in the underlying JSON configuration carries the browser’s display name, its profile/user-data path fragment, and a boolean flag (true for most Chromium-family browsers, false for the Gecko family and a handful of Chromium outliers like Opera/OperaGX/Opera Neon) – consistent with differing extraction logic needed for Chromium’s Local State/Login Data structure versus Firefox-style profile stores.
Adjacent threat: a UEFI Secure Boot bypass (related, not part of the Gentlemen toolkit)
Separately from the Gentlemen research, ESET researcher Martin Smolár is credited with identifying a CERT/CC-advised vulnerability affecting multiple vendor-signed UEFI applications, allowing Secure Boot itself to be bypassed during the pre-boot phase via a BYOVD-adjacent attack. Affected vendors include Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, and Uniwill. An attacker with administrative privileges or physical access can use the flaw to execute arbitrary code before the operating system and therefore before any EDR agent ever initializes. CERT/CC’s recommended mitigation is updating the UEFI Forbidden Signature Database (DBX) to revoke trust in the affected signed binaries.
This isn’t part of Gentlemen’s toolkit, but it’s the same structural problem one layer down the stack: implicit trust extended to a signed binary, exploited at boot time instead of at the kernel-driver level. The throughline from BYOVD to UEFI bypass is worth keeping in mind as a single category of risk rather than two unrelated bugs.
MITRE ATT&CK mapping (Framework v19)
| Tactic | ID | Name | How it manifests in Gentlemen’s toolkit |
|---|---|---|---|
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | GentleKiller and related tools are console-based executables that run visibly and emit debug strings during execution. |
| Execution | T1106 | Native API | User-mode components interact directly with kernel drivers via DeviceIoControl and other native Windows APIs to perform privileged actions. |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service | The EDR killers install and start vulnerable or malicious drivers as services prior to exploitation. |
| Defense Evasion | T1036 | Masquerading | Gentlemen’s EDR killers are protected by impersonating legitimate vendors through filenames, version information, icons, and copied digital certificates. |
| Defense Evasion | T1036.001 | Masquerading: Invalid Code Signature | The protection layer adds an invalid code signature as part of the impersonation strategy. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Some executables are protected with packers (Enigma, Themida) and custom control-flow obfuscation. |
| Defense Impairment | T1685 | Disable or Modify Tools | GentleKiller and other EDR killers in Gentlemen’s possession aim to bypass security products such as EDRs. |
Indicators of compromise
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 8AE6BD18B129061F63642531F1B684CF0383C75D | Kasps.exe | Win64/KillAV.EA | GentleKiller (Kaspersky variant) |
| BA914FE77B177B45799403B16DD14765C510A074 | eb.sys | Win64/Agent.ITG | Custom rootkit used by the Kaspersky variant of GentleKiller |
| D605994FC72A2BB59B5CFB1624A1B9170ECA73A2 | FaceIT1.exe | Win64/KillAV.EA | GentleKiller (FACEIT Anti-Cheat variant, Enigma-protected) |
| B0B912A3FD1C05D72080848EC4C92880004021A1 | nseckrnl.sys | Win64/VulnDriver.NSecsoft.A | NSecsoft NSecKrnl driver abused by the FACEIT Anti-Cheat variant |
| 5AA3124E5C4921E5EDFC60133B5D71DA21B07DA3 | Valorant2.exe | Win64/KillAV.EA | GentleKiller (Valorant variant, Themida-protected) |
| 7556AE58C215B8245A43F764F0676C7A8F0FDD1A | vgk.sys | Win64/VulnDriver.PerfectWorld.A | Tower of Fantasy AntiCheat driver abused by the Valorant variant |
| 331879F5EEC8892BBD896F90BDBB1BAD0BF63BD6 | EASolo2Light.exe | Win64/KillAV.EA | GentleKiller (Javelin variant, newer Safetica driver) |
| F11AEBCCB9A86A7E2E653F90BAEC697F233C255F | EASOLO1clear.exe | Win64/KillAV.EA | GentleKiller (Javelin variant, older Safetica driver) |
| EF9CD06683159397F099CAA244E94E6EAAD96EBA | EAAntiCheatLight.exe | Win64/KillAV.EA | GentleKiller (Javelin variant, both drivers) |
| 711EF221526997039E804A18DB9647C91680BBE2 | stpm_old.sys | Win64/VulnDriver.Safetica.A | Safetica Process Monitor Driver (older), abused by Javelin variant |
| 68FEC379F2AE76C3D2CE913F7BE650CEA1D06990 | stpm_new.sys | Win64/VulnDriver.Safetica.H | Safetica Process Monitor Driver (newer), abused by Javelin variant |
| A11EE9CDC59E5CAA59AEFD27B30D104F3AD68E62 | BitD1.exe | Win64/KillAV.EA | GentleKiller (WatchDog variant, Themida-protected) |
| 96F0DBF52AED0AFD43E44500116B04B674F7358E | dmx.sys | Win64/VulnDriver.WatchDogDev.C | Zemana WatchDog Antimalware Driver, abused by WatchDog variant |
| 2F86898528C6CAB3540C486A9BFAA0C029B73950 | MB2.exe | Win64/KillAV.EA | GentleKiller (Network Blocker variant, Themida-protected) |
| 9AD51AD97C01E97AB59214116740785E0F6320A8 | 360netmon_wfp.sys | Win64/VulnDriver.Qihoo360.A | Driver abused by the Network Blocker variant |
| A19117175DBC9BA4D23B5DCE8415E299A2E32192 | Deletor.exe | Win64/KillAV.EA | GentleKiller (Cleaner variant) |
| 12500F6C87CE62712A0ED6652C57468D15C14223 | IMFForceDelete | Win64/VulnDriver.IObit.D.gen | IMF ForceDelete filter driver, abused by Cleaner variant |
| D29670E684E40DDC89B47010C37CBC96737035B6 | Symantec.exe | Win64/KillAV.EA | GentleKiller (G11 variant) |
| 56BEE9DF5833A637F5C54D5911DF98B0812FE643 | G11.sys | Win64/Agent.IYQ | PoisonX rootkit used by the G11 variant |
| CF4D74DF17A91B4A36A2911B22AFEC5D8FA93A01 | Avast.exe | Win32/KillAV.NVL | HexKiller, fitted with Gentlemen’s evasion layer |
| EC296F9501AD71E430810CB5CDC38D954D4BA536 | googleApiUtil64.sys | Win64/VulnDriver.Baidu.B | Baidu Antivirus BdApi driver, abused by HexKiller |
| 7131B377E96016DC1911020C9F95B1B4D042D7B4 | Sent.exe | Win64/KillAV.AT | ThrottleBlood, fitted with Gentlemen’s evasion layer |
| 82ED942A52CDCF120A8919730E00BA37619661A3 | ThrottleBlood.sys | Win64/VulnDriver.GPUZ.B | Driver abused by ThrottleBlood |
| F0537CBB773AE12100B36731E7C39F5A9D852B14 | Sophos.exe | Win64/KillAV.DE | HavocKiller, fitted with Gentlemen’s evasion layer |
| 1FA071303FB846308571E64727501FB98B1C2BE6 | havoc.sys | Win64/VulnDriver.Huawei.D | Vulnerable driver abused by HavocKiller |
| A5CF917EC4A7DFBDFA43621398604805D860C718 | buildx641.exe | Win64/Spy.Agent.AGC | OxideHarvest |
| D4B19141102015D436321E6F26976E98183CFD27 | buildx64.exe | Win64/Spy.Agent.AGC | OxideHarvest |
Detection and mitigation guidance
ESET’s recommendations, grounded in the behavioral patterns documented above:
- Enforce Microsoft’s Vulnerable Driver Blocklist, and supplement it with active driver allowlisting rather than relying on signature validity alone – a valid signature is no longer a meaningful trust signal given how many BYOVD candidates carry legitimate certificates.
- Monitor specifically for the GentlemenCollection staging directory as a known pre-deployment artifact of this operation.
- Watch for anomalous kernel driver-loading events – particularly drivers that don’t match the host’s expected software inventory (a gaming anti-cheat driver loading on a server with no games installed is a strong example signal).
- Correlate process-termination patterns against driver installation events. ESET specifically flags this combination as the most reliable behavioral detection signal against GentleKiller and its variants: the ~2-second kill loop produces a distinctive, repeatable termination cadence that’s hard to disguise even when the binary itself is well-packed and well-disguised.
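The correlation described in the last three points, as an added example that is not ESET's code or part of the original post: a driver load that is either outside the host's expected inventory or staged under a GentlemenCollection path, followed by process terminations at a steady ~2-second cadence, raises one alert. The allowlist, event format and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Event:
    ts: float     # seconds (constructed timeline)
    kind: str     # "driver_load" or "proc_term"
    detail: str   # driver path or terminated image name

# Constructed per-host driver inventory; in practice this comes from the asset baseline.
EXPECTED_DRIVERS = {"ntfs.sys", "tcpip.sys", "disk.sys"}
STAGING_MARKER = "gentlemencollection"   # staging directory named on the page

def suspicious_driver_loads(events):
    """Driver loads not in the inventory, or staged under the GentlemenCollection path."""
    hits = []
    for e in events:
        if e.kind != "driver_load":
            continue
        name = e.detail.rsplit("\\", 1)[-1].lower()
        if name not in EXPECTED_DRIVERS or STAGING_MARKER in e.detail.lower():
            hits.append(e)
    return hits

def termination_cadence(events, start, window=60.0):
    """(count, mean gap, gap stddev) for proc_term events in [start, start+window]."""
    ts = sorted(e.ts for e in events
                if e.kind == "proc_term" and start <= e.ts <= start + window)
    if len(ts) < 3:
        return len(ts), None, None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return len(ts), mean(gaps), pstdev(gaps)

def detect(events, period=2.0, tolerance=0.5, min_kills=3):
    """Alert when a suspicious driver load is followed by a regular ~period kill loop."""
    alerts = []
    for d in suspicious_driver_loads(events):
        n, mg, sd = termination_cadence(events, d.ts)
        if n >= min_kills and mg is not None and abs(mg - period) <= tolerance and sd <= tolerance:
            alerts.append(f"{d.detail} loaded at t={d.ts:.0f}; {n} terminations every ~{mg:.1f}s")
    return alerts

# Constructed sample: benign ntfs.sys load, then a staged anti-cheat driver and a 2 s kill loop.
SAMPLE = [
    Event(10.0, "driver_load", r"C:\Windows\System32\drivers\ntfs.sys"),
    Event(100.0, "driver_load", r"C:\Users\Public\GentlemenCollection\vgk.sys"),
    Event(100.5, "proc_term", "edr_agent.exe"), Event(102.5, "proc_term", "edr_svc.exe"),
    Event(104.5, "proc_term", "edr_ui.exe"),    Event(106.5, "proc_term", "edr_agent.exe"),
]
```

Tune `tolerance` to the timer jitter seen in your own telemetry; the cadence check is what separates the kill loop from ordinary bursts of process exits.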
The bigger picture
What makes Gentlemen worth tracking isn’t any single technical trick – BYOVD itself is a well-studied technique at this point. What’s notable is the operational model: a RaaS group that treats EDR evasion as a maintained product line, with rapid PoC-to-production turnaround, a reusable development template for new variants, an acquisitions strategy for absorbing competitors’ tooling, and a standardization layer that launders attribution across the whole portfolio. Compared to RansomHub’s single in-house tool (EDRKillShifter), Gentlemen’s approach is a meaningfully larger engineering investment – closer to running a small internal tooling division than shipping one utility.
Combined with the group’s affiliate-friendly 90% revenue split, this is a model explicitly built to be attractive to a wide pool of less technically sophisticated affiliates: you don’t need offensive tooling expertise to run a Gentlemen intrusion, you need access, and the gang supplies the rest. If the model proves successful for Gentlemen, there’s no structural reason other RaaS operators won’t converge on the same centralized-tooling approach, which would shift the EDR-killer arms race from an affiliate-by-affiliate problem into a vendor-versus-vendor one, fought over driver-blocklist coverage and detection-signature turnaround time rather than individual intrusion tradecraft.
This post first appeared at The CyberSec Guru.