The Gentlemen ransomware-as-a-service operation is actively developing and maintaining a suite of EDR killers that it hands out to affiliates. The goal is straightforward: disable endpoint defenses before deploying the encryptor.
This mature portfolio of EDR-terminating tools is centered around a framework known as GentleKiller. The Gentlemen ransomware EDR killer framework includes both custom tools and third-party or leaked utilities.
What sets The Gentlemen apart is technical agility. The group operationalizes newly disclosed proof-of-concept exploits within days of their public release.
Since emerging in March 2025, The Gentlemen has claimed 504 victims. Most are located in Southeast Asia, South America, and Western Europe.
The GentleKiller Framework
GentleKiller comes in eight different variants. Each variant mimics a different legitimate product. Each abuses a different vulnerable or malicious driver as part of a BYOVD (bring your own vulnerable driver) attack.
BYOVD is a technique in which attackers load a legitimate but vulnerable driver onto a system. Because the driver runs with kernel-level access, exploiting its vulnerability gives the attacker that same access.
GentleKiller specifically looks for 400 processes associated with 48 distinct security programs from multiple vendors. It terminates them systematically.
The drivers exploited by each variant include:
1. Kaspersky ("eb.sys")
2. FACEIT Anti-Cheat ("nseckrnl.sys")
3. Valorant ("GameDriverX64.sys")
4. Javelin ("stpm_old.sys" or "stpm_new.sys")
5. WatchDog ("dmx.sys")
6. Network Blocker ("360netmon_wfp.sys")
7. Cleaner ("IMFForceDelete.sys")
8. G11 ("PoisonX.sys")
PoisonX.sys has been recorded in recent months in connection with various BYOVD attacks. One campaign used it to kill CrowdStrike Falcon EDR. Another involved BeyondTrust Remote Support to terminate security tooling via PoisonX.sys and hrwfpdrv.sys.
The Third-Party Tools
The Gentlemen ransomware EDR killer framework also incorporates third-party tools:
1. HexKiller ("googleApiUtil64.sys"). Previously assumed to be exclusive to the Warlock ransomware gang.
2. ThrottleBlood ("ThrottleBlood.sys"). Observed in attacks by MedusaLocker and DragonForce affiliates.
3. HavocKiller, also known as HwAudKiller ("havoc.sys").
These tools are standardized through a shared defense-evasion layer. They impersonate security vendors using fake version information, copied legitimate certificates, and icons.
The Layer of Impersonation
The compiled EDR killer samples are built to evade detection. They are packed with binary protectors such as Enigma and Themida, and they use file names that resemble those of popular cybersecurity vendors.
Version information, digital signatures, and icon files are all replicated from legitimate products, producing a tool that appears legitimate to both security software and human investigators.
OxideHarvest: The Credential Stealer
The Gentlemen ransomware EDR killer framework also includes a Rust-based credential stealer called OxideHarvest (also known as buildx641).
It gathers information from many of the most commonly used web browsers:
1. Google Chrome and Microsoft Edge
2. Torch, Comodo, and Epic Privacy Browser
3. Vivaldi, Brave, Opera, and Opera GX
4. Mozilla Firefox, Waterfox, BlackHawk, and IceCat
The collected data includes credentials, cookies, and personal information, which can be used for initial access or follow-on attacks.
Why This Matters
The majority of ransomware organizations assign the task of disabling EDR systems to their affiliates and expect those affiliates to determine how to disable those systems on their own. However, by providing a pre-packaged, standardized package of tools, The Gentlemen has centralized that responsibility and reduced the difficulty of entering the affiliate space. Affiliates only have to use the tools provided with little or no technical expertise.
As one researcher noted: "This design prioritizes ease of deployment and operational flexibility for affiliates, while minimizing development effort for the operators."
The Russian Connection
Recent reporting has identified a 36-year-old Russian national named Alexander Andreevich Yapaev as the leader of The Gentlemen. He previously acted as an affiliate for other ransomware schemes, including Qilin.
The group's technical sophistication and rapid growth suggest a professional operation. They are not opportunistic. They are strategic.
UEFI Secure Boot Bypass
Separately, the CERT Coordination Center issued an advisory about multiple vendor-signed UEFI applications vulnerable to Secure Boot bypass via BYOVD.
The impacted applications are from:
1. Acer, AMD, ASUS
2. ECS, Getac, GIGABYTE
3. Toshiba, Uniwill
If a target system trusts the affected vendor's certificate, an attacker with administrative privileges or physical access can exploit these applications to execute arbitrary code during the early pre-boot phase.
The mitigation is to apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries.
What to Do
If your organization uses any of the affected EDR products, review your defenses. The Gentlemen ransomware EDR killer framework is actively targeting security tools.
1. Watch for BYOVD activity. Check whether any of the drivers listed above are loaded on your systems; they may have been loaded without your knowledge.
2. Review EDR logs. Check for termination attempts. The tools target specific processes. Alert on multiple process terminations in a short window.
3. Apply UEFI DBX updates. If you use affected hardware, apply the vendor updates.
4. Treat EDR as a potential target. Defense-in-depth matters. Do not rely on a single tool.
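The first two checks above, as an added example that is not code from the article or from any vendor: it matches a host's loaded-driver list against the driver file names the article attributes to GentleKiller and its third-party tools, and flags bursts of security-process terminations in EDR-style logs. The log lines, security-agent process names and timestamps are constructed placeholders; the threshold and window are assumptions to tune per environment.

```python
"""Added example (not the article's or any vendor's code): match loaded drivers
against the file names the article attributes to GentleKiller and its third-party
tools, and flag bursts of security-process terminations in EDR-style logs.
All log lines, process names and timestamps below are constructed."""
from collections import deque
from datetime import datetime, timedelta

# Driver file names from the article, plus hrwfpdrv.sys from the BeyondTrust case it cites.
KNOWN_BYOVD_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys", "stpm_new.sys",
    "dmx.sys", "360netmon_wfp.sys", "imfforcedelete.sys", "poisonx.sys",
    "googleapiutil64.sys", "throttleblood.sys", "havoc.sys", "hrwfpdrv.sys"}
# Placeholder names standing in for an organization's own security-agent processes.
SECURITY_PROCESSES = {"edr_sensor.exe", "av_engine.exe", "telemetry_svc.exe", "fw_agent.exe"}

def find_suspicious_drivers(loaded_paths):
    """Return loaded driver paths whose file name matches a known BYOVD driver."""
    names = ((p, p.replace("\\", "/").rsplit("/", 1)[-1].lower()) for p in loaded_paths)
    return [p for p, n in names if n in KNOWN_BYOVD_DRIVERS]

def parse_terminations(log_lines):
    """Parse constructed lines '<ISO timestamp> TERMINATE <image>' into (ts, image),
    keeping only terminations of security processes."""
    events = []
    for line in log_lines:
        ts, action, image = line.split()
        if action == "TERMINATE" and image.lower() in SECURITY_PROCESSES:
            events.append((datetime.fromisoformat(ts), image.lower()))
    return sorted(events)

def detect_termination_bursts(events, threshold=3, window_seconds=60):
    """Flag windows in which >= threshold distinct security processes ended within
    window_seconds. Returns [(first_ts, last_ts, distinct_count), ...]."""
    bursts, window = [], deque()
    for ts, name in events:
        window.append((ts, name))
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()
        distinct = {n for _, n in window}
        if len(distinct) >= threshold:
            bursts.append((window[0][0], ts, len(distinct)))
            window.clear()  # one alert per burst rather than one per event
    return bursts

if __name__ == "__main__":
    print(find_suspicious_drivers([r"C:\Windows\System32\drivers\ntfs.sys", r"C:\Temp\PoisonX.sys"]))
    sample = ["2025-09-01T10:00:00 TERMINATE edr_sensor.exe", "2025-09-01T10:00:05 TERMINATE av_engine.exe",
              "2025-09-01T10:00:09 TERMINATE notepad.exe", "2025-09-01T10:00:12 TERMINATE telemetry_svc.exe"]
    print(detect_termination_bursts(parse_terminations(sample)))
```

A real deployment would feed the driver check from the output of a driver inventory tool and the termination check from your EDR or Sysmon process-terminate events, and alert on any hit from either.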
The Bottom Line
The Gentlemen ransomware EDR killer framework represents a new level of technical sophistication in the ransomware ecosystem. Custom tools. Third-party integrations. Rapid exploitation of newly disclosed vulnerabilities.
The group is growing fast. They are recruiting affiliates. And they are providing the tools those affiliates need to succeed.
Check your EDR logs. Monitor for BYOVD. And remember: the ransomware that gets through is the one that killed your defenses first.
FAQ Section
What is the Gentlemen ransomware EDR killer framework?
It is a suite of tools used by The Gentlemen ransomware group to disable endpoint detection and response (EDR) software before deploying ransomware.
How does GentleKiller work?
GentleKiller uses BYOVD (bring your own vulnerable driver) attacks. It loads legitimate but vulnerable drivers with kernel-level access, then exploits them to terminate security processes.
Which drivers does GentleKiller abuse?
GentleKiller abuses drivers from Kaspersky, FACEIT Anti-Cheat, Valorant, Javelin, WatchDog, Network Blocker, Cleaner, and G11.
What third-party tools does the group use?
The group uses HexKiller, ThrottleBlood, and HavocKiller. These are standardized through a shared defense-evasion layer.
How many victims has The Gentlemen claimed to date?
Since March 2025, The Gentlemen has claimed at least 504 victims.
What can my company do to increase security?
Detect BYOVD activity in your environment, search your EDR logs for termination attempts, apply UEFI DBX updates, and treat your EDR as a target that needs continued monitoring.