"They also incorporate third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller," ESET security researcher Jakub Souček said.
GentleKiller: an EDR-killer framework with eight variants
ESET's analysis shows The Gentlemen ransomware-as-a-service (RaaS) operation has developed a mature portfolio of endpoint detection and response (EDR) killers centered on a framework called GentleKiller. The framework comes in eight variants, each designed to imitate a different legitimate product and to abuse a different vulnerable or malicious driver as part of a bring your own vulnerable driver (BYOVD) attack.
GentleKiller specifically looks for 400 processes associated with 48 distinct security programs from multiple vendors, and the compiled samples include binary protection via Enigma or Themida. ESET reported the samples use file names, version information, digital signatures and icons that mimic well-known security vendors in order to evade detection.
BYOVD technique and the drivers GentleKiller abuses
GentleKiller's design pairs impersonation with driver abuse. ESET lists the drivers exploited by the different GentleKiller variants:
- Kaspersky ("eb.sys")
- FACEIT Anti-Cheat ("nseckrnl.sys")
- Valorant ("GameDriverX64.sys")
- Javelin ("stpm_old.sys" or "stpm_new.sys")
- WatchDog ("dmx.sys")
- Network Blocker ("360netmon_wfp.sys")
- Cleaner ("IMFForceDelete.sys")
- G11 ("PoisonX.sys")
ESET emphasized the shared lineage behind the variants. Once you "abstract away the impersonation layer and the specific drivers used, the underlying code reveals numerous structural and behavioral commonalities that strongly suggest the use of a shared development template," Souček said. That template, ESET said, prioritizes ease of deployment and operational flexibility for affiliates.
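As an added illustration (not ESET's code), here is a small defender-side check that runs the driver names reported above against constructed driver-load events in a "Key: value" text layout similar to a Sysmon DriverLoad record. The user-writable-path heuristic and the sample events are assumptions for the example, not findings from the report.

```python
import re
from pathlib import PureWindowsPath

# Driver file names ESET reports as abused by GentleKiller variants and the bundled
# third-party killers (taken from the lists above), compared case-insensitively.
ABUSED_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys", "stpm_new.sys",
    "dmx.sys", "360netmon_wfp.sys", "imfforcedelete.sys", "poisonx.sys",
    "googleapiutil64.sys", "throttleblood.sys", "havoc.sys", "hrwfpdrv.sys",
}
# Heuristic (an assumption for this example, not from ESET): legitimate drivers are
# rarely loaded from user-writable directories, which is where BYOVD payloads land.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# "Key: value Key: value" fields; a value runs until the next " Key: " or end of line.
FIELD_RE = re.compile(r"(\w+): (.*?)(?=(?:\s\w+: )|$)")

def parse_event(line: str) -> dict:
    """Parse one driver-load event line into a field dictionary."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def assess(line: str) -> list:
    """Return the reasons a driver-load event looks suspicious (empty if none)."""
    ev = parse_event(line)
    image = ev.get("ImageLoaded", "")
    name = PureWindowsPath(image).name.lower()
    reasons = []
    if name in ABUSED_DRIVERS:
        reasons.append(f"known BYOVD driver name {name}")
    if any(d in image.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("loaded from user-writable path")
    status = ev.get("SignatureStatus", "")
    if status and status.lower() != "valid":
        reasons.append(f"signature status {status}")
    return reasons

def scan(lines) -> list:
    """Return (driver basename, reasons) for every event that triggers at least one rule."""
    flagged = []
    for line in lines:
        reasons = assess(line)
        if reasons:
            flagged.append((PureWindowsPath(parse_event(line).get("ImageLoaded", "")).name, reasons))
    return flagged

# Constructed sample events for demonstration only.
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys Signed: true Signature: Microsoft Windows SignatureStatus: Valid",
    "ImageLoaded: C:\\Users\\Public\\PoisonX.sys Signed: true Signature: Unknown Publisher SignatureStatus: Valid",
    "ImageLoaded: C:\\ProgramData\\ThrottleBlood.sys Signed: true Signature: Unknown Publisher SignatureStatus: Expired",
]
```

Name matching alone is weak evidence, since several of these drivers ship with legitimate products; treat a hit as a trigger to pivot to the file hash, signer and the process that performed the load.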
Third-party BYOVD killers and recent operational links
In addition to GentleKiller, The Gentlemen operation packages and distributes third-party or leaked BYOVD-based EDR killers. ESET named HexKiller ("googleApiUtil64.sys"), ThrottleBlood ("ThrottleBlood.sys"), and HavocKiller/HwAudKiller ("havoc.sys"). HexKiller had previously been associated with the Warlock ransomware gang, and ThrottleBlood has been observed in attacks by MedusaLocker and DragonForce affiliates, according to ESET's report.
ESET also noted recent campaigns involving the abuse of "PoisonX.sys." That driver has been linked to BYOVD attacks in recent months, including one campaign used to kill CrowdStrike Falcon EDR and a separate intrusion documented by Huntress in which unknown threat actors terminated security tooling via "PoisonX.sys" and "hrwfpdrv.sys" before deploying ransomware via BeyondTrust Remote Support.
OxideHarvest credential stealer and data collection targets
Alongside EDR-killer tooling, ESET detected a Rust-based credential stealer named OxideHarvest (aka buildx641). ESET said OxideHarvest can harvest data from a broad set of web browsers, naming Google Chrome, Microsoft Edge, Torch, Comodo, Epic Privacy Browser, Vivaldi, Brave, Opera, OperaGX, Mozilla Firefox, Waterfox, BlackHawk and IceCat.
What this means for technologists, procurement leaders, and CERT/CC
Technologists and security teams: The Gentlemen operation centralizes EDR-killing capabilities and supplies a standardized suite to affiliates, which, ESET warned, "materially lowers the entry barrier" for affiliates. Security teams should note the combination of binary protection (Enigma/Themida), vendor impersonation and rapid integration of BYOVD proofs of concept that ESET observed, including operationalizing PoC exploits "in many cases within days of their public release."
Procurement leaders and vendors: The CERT Coordination Center (CERT/CC) advisory referenced in ESET's disclosure concerns multiple vendor-signed UEFI applications vulnerable to Secure Boot bypass via BYOVD. CERT/CC named impacted applications from Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, and Uniwill. CERT/CC recommended applying updates to the UEFI Forbidden Signature Database (DBX) to revoke trust in affected vendor-signed binaries and prevent their execution during the boot process.
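The DBX recommendation raises a practical question for administrators: is a given binary's digest actually present in the DBX currently applied? As an added example (not CERT/CC's or ESET's code), the following parses the EFI_SIGNATURE_LIST structures that make up the dbx variable and checks a SHA-256 entry for membership. It assumes the caller supplies the Authenticode (PE image) digest that DBX entries carry rather than a flat file hash, and the revoked digests below are constructed test values, not real DBX contents.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification: entries are 32-byte SHA-256 digests.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_SIZE = 28  # SignatureType (16) + SignatureListSize, SignatureHeaderSize, SignatureSize (3 x u32)

def parse_signature_lists(dbx: bytes):
    """Yield (signature type GUID, owner GUID, signature data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures, which is the layout of the dbx variable."""
    off = 0
    while off < len(dbx):
        if len(dbx) - off < HEADER_SIZE:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=dbx[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", dbx, off + 16)
        if list_size < HEADER_SIZE or off + list_size > len(dbx) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + HEADER_SIZE + hdr_size   # skip the optional per-list header
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=dbx[pos:pos + 16])   # each entry starts with SignatureOwner
            yield sig_type, owner, dbx[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def revoked_sha256_hashes(dbx: bytes) -> set:
    """Collect only the SHA-256 digest entries (certificate entries are ignored here)."""
    return {data for t, _, data in parse_signature_lists(dbx) if t == EFI_CERT_SHA256_GUID}

def is_revoked(dbx: bytes, authenticode_sha256: bytes) -> bool:
    """True if the given PE image digest is revoked by the supplied DBX contents."""
    return authenticode_sha256 in revoked_sha256_hashes(dbx)

def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST of SHA-256 entries (used to construct sample data)."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", HEADER_SIZE + len(body), 0, sig_size) + body

# Constructed sample: two made-up digests standing in for real revoked entries.
SAMPLE_REVOKED = [bytes([0x11]) * 32, bytes([0x22]) * 32]
SAMPLE_DBX = build_sha256_list(SAMPLE_REVOKED)

if __name__ == "__main__":
    print(is_revoked(SAMPLE_DBX, bytes([0x11]) * 32))
    print(is_revoked(SAMPLE_DBX, bytes([0x33]) * 32))
```

On a live Windows host the raw variable can be read with `Get-SecureBootUEFI -Name dbx` and its `.Bytes` property fed to `parse_signature_lists`.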
Incident responders and coordination centers: The combination of a centralized EDR-killer offering, third-party BYOVD tools, and a credential stealer that targets many popular browsers suggests layered threats: pre-boot or kernel-level bypasses to disable protections, followed by credential harvesting and encryption. ESET's findings—and CERT/CC's advisory—point to both immediate mitigation actions (DBX updates) and the need to track driver-abuse techniques closely.
The Gentlemen RaaS has risen quickly since it emerged in March 2025, claiming 504 victims to date with the majority in Southeast Asia, South America and Western Europe, according to Ransomware.live. Recent reporting by Brian Krebs and PRODAFT identified a 36-year-old Russian national, Alexander Andreevich Yapaev (aka hastalamuerte), as leading the operation after prior activity as an affiliate for other ransomware schemes, ESET’s report noted.
ESET's assessment paints a clear operational choice by The Gentlemen: invest in tooling that simplifies and accelerates exploitation for affiliates, and pair that tooling with credential theft and rapid adoption of public PoC exploits. CERT/CC's DBX recommendation is a concrete countermeasure for the Secure Boot vector; whether vendors and administrators will apply those updates at scale remains the immediate next step.