
Gentlemen Ransomware Targets EDR Defenses With Suite of Killers

GentleKiller targets more than 400 processes associated with approximately 48 security vendors and products, according to ESET researchers.

GentleKiller and the BYOVD technique

ESET's analysis shows that the Gentlemen ransomware-as-a-service (RaaS) actor has developed a standardized EDR-killing utility researchers call GentleKiller. The tool — used to disable defenses in the early phases of attacks so data theft or encryption can proceed unimpeded — relies on the "bring your own vulnerable driver" (BYOVD) technique to escalate privileges and neutralize security engines. Each GentleKiller variant uses different vulnerable drivers to reach kernel-level privileges, yet the variants share common strings, identical code obfuscation techniques, and similar process‑killing logic and targeting scope.

Variants and impersonation of legitimate products

GentleKiller exists in at least eight variants. ESET reports the binaries impersonate legitimate security and software products, including Kaspersky, Valorant, Javelin, and WatchDog. The binaries are protected with commercial packing and code-protection tools — Enigma and Themida — and the threat actor also uses stolen digital signatures from legitimate software, although ESET notes those signatures are invalid.

External EDR killers and the credential-stealer OxideHarvest

Beyond GentleKiller, ESET observed the Gentlemen RaaS ecosystem incorporating at least three externally sourced EDR killers: HexKiller (previously used by the Warlock gang), ThrottleBlood (linked to MesudaLocker and DragonForce attacks), and HavocKiller (seen in other ransomware operations). ESET suggests the Gentlemen RaaS may have added these external tools for redundancy, to complicate attribution, or for cases where GentleKiller's effectiveness is limited.

Separately, researchers documented OxideHarvest, a Rust-based credential-stealer. ESET believes OxideHarvest was likely developed externally, based in part on the choice of programming language.

Targeting context: FortiGate configuration and prior compromises

ESET's analysis indicates Gentlemen selects targets in part by the configuration of their FortiGate endpoints. The researchers noted this choice of targeting in the context of a recent disclosure dubbed “FortiBleed,” described in the same reporting as a collection of nearly 74,000 FortiGate VPN credentials. The Gentlemen RaaS has previously compromised the Romanian energy provider Oltenia and has been linked to a SystemBC proxy malware botnet with over 1,570 hosts that are believed to be corporate victims.

What this means for technologists, procurement leaders, and defenders

  • Technologists and security teams: ESET’s findings point to an attacker framework built for quick adaptation — variants that swap vulnerable drivers and use shared obfuscation and process-killing logic. Defensive teams will likely need to monitor for BYOVD abuse, unexpected driver loads, and processes matching the more than 400 targeted names ESET enumerated (including products from Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky).
  • Procurement and vendor risk managers: The campaign’s impersonation of legitimate products and use of stolen, invalid digital signatures underscores a risk vector tied to supply chain artifacts and code signing; attention to driver provenance and executable packing (Enigma, Themida) will be relevant when vetting third-party tools.
  • Incident responders and enterprise defenders: The inclusion of externally sourced EDR killers (HexKiller, ThrottleBlood, HavocKiller) and a Rust-based credential stealer suggests operators maintain a modular toolset. Teams confronting an intrusion should account for multiple, potentially overlapping EDR‑evasion techniques and for possible credential theft via OxideHarvest.
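The first bullet asks defenders to watch for BYOVD abuse and unexpected driver loads. As an added example (not ESET's tooling and not anything from the Gentlemen toolset), the Python routine below triages Sysmon driver-load records (Event ID 6) for the three signals the reporting supports: a driver hash on a known-vulnerable-driver blocklist, a signature that does not validate (the stolen, invalid signatures noted above), and a driver loaded from outside the normal driver directories. The Sysmon field names are real; the one-JSON-object-per-line export format, the blocklist hash, the file paths and all sample events are constructed placeholders.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD indicators.

Added example, not ESET's code. Assumes Sysmon events were exported as one
JSON object per line using Sysmon's own field names (ImageLoaded, Hashes,
Signed, Signature, SignatureStatus). Hashes, paths and events are constructed.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder set: in production, populate from the Microsoft vulnerable
# driver blocklist or the LOLDrivers project. This value is constructed.
VULNERABLE_DRIVER_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# Directories where legitimately installed drivers normally live (lower-case).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class Finding:
    image: str
    reasons: List[str]


def parse_hashes(hashes_field: str) -> Dict[str, str]:
    """Sysmon writes Hashes as 'SHA256=...,MD5=...'; return {ALGO: hexvalue}."""
    out: Dict[str, str] = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_driver_load(event: dict) -> Optional[Finding]:
    """Return a Finding if a single DriverLoad event shows any BYOVD signal."""
    image = event.get("ImageLoaded", "")
    reasons: List[str] = []

    # Signal 1: the driver is legitimately signed but known to be exploitable.
    if parse_hashes(event.get("Hashes", "")).get("SHA256") in VULNERABLE_DRIVER_SHA256:
        reasons.append("sha256 matches known-vulnerable driver blocklist")

    # Signal 2: the signature is missing or fails validation (stolen/invalid certs).
    signed = event.get("Signed", "").lower()
    status = event.get("SignatureStatus", "")
    if signed != "true" or status != "Valid":
        reasons.append(f"signature not valid (Signed={signed!r}, SignatureStatus={status!r})")

    # Signal 3: the driver image sits outside the usual driver directories.
    if not image.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append(f"loaded from unexpected path: {image}")

    return Finding(image, reasons) if reasons else None


def triage_events(lines: List[str]) -> List[Finding]:
    """Run triage over exported Sysmon events, skipping non-DriverLoad records."""
    findings: List[Finding] = []
    for line in lines:
        event = json.loads(line)
        if str(event.get("EventID")) != "6":
            continue
        finding = triage_driver_load(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample export (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate Microsoft driver, normal path, valid signature: should not alert.
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
                "Hashes": "SHA256=" + "a" * 64, "Signed": "true",
                "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
    # Validly signed but blocklisted driver dropped in a user-writable folder.
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\update\\helper.sys",
                "Hashes": "SHA256=" + "0" * 63 + "1,MD5=" + "c" * 32, "Signed": "true",
                "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"}),
    # Driver whose signature fails validation, loaded from ProgramData.
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\ProgramData\\svc\\drv.sys",
                "Hashes": "SHA256=" + "b" * 64, "Signed": "true",
                "Signature": "Some Vendor", "SignatureStatus": "Errors"}),
    # Unrelated process-creation event that must be ignored.
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}),
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f.image)
        for r in f.reasons:
            print("  -", r)
```

Each signal on its own is noisy (vendors ship drivers from odd paths, and blocklists lag new disclosures), so the routine records every reason rather than stopping at the first; an analyst can weight a blocklist hit higher than a path anomaly, and a driver that trips all three is the pattern the reporting describes.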

Gentlemen's toolkit, as described by ESET, reads as a deliberate exercise in adaptability: a standardized, multi-variant EDR killer that can swap vulnerable drivers, coupled with externally sourced killers and a credential-stealing component. That mix increases operational resilience for the ransomware operator and complicates attribution and single-point defenses. The practical question the analysis leaves open is plain: given a framework designed to allow easy driver swaps and rapid weaponization of newly disclosed flaws, which newly disclosed driver vulnerabilities will be next to roll into these variants?

https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/