Killing me gently: Inside Gentlemen’s EDR killer framework

ESET researchers found that the Gentlemen ransomware group centrally maintains and distributes a standardized suite of EDR killers to affiliates, led by its in-house framework GentleKiller and supplemented with tools like HexKiller, ThrottleBlood, and HavocKiller. The gang targets victims worldwide rather than focusing on the United States, and its internal data leaked in May 2026 confirmed its rapid adoption of bring-your-own-vulnerable-driver (BYOVD) techniques, its operational tooling practices, and its link to the credential stealer OxideHarvest. #Gentlemen #GentleKiller #HexKiller #ThrottleBlood #HavocKiller #OxideHarvest

Key points

  • Gentlemen is a ransomware-as-a-service gang that emerged in late 2025 and became one of the most active groups in early 2026.
  • The group offers affiliates a centrally managed EDR-killer suite instead of leaving them to find their own tools.
  • GentleKiller is the main in-house framework and has at least eight variants abusing different malicious or vulnerable drivers.
  • Gentlemen also integrates third-party or leaked EDR killers, including HexKiller, ThrottleBlood, and HavocKiller.
  • The gang applies a standardized defense-evasion layer using masquerading, fake version data, copied certificates, and packers.
  • Gentlemen has a globally distributed victim profile, with notable activity in Southeast Asia, South America, and Western Europe rather than a US-heavy focus.
  • Leaked internal data also linked OxideHarvest, a Rust-based credential stealer, to one of Gentlemen’s affiliates.

MITRE Techniques

  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The tools are console-based and run visibly during execution (‘GentleKiller and related tools are console-based executables that run visibly and emit debug strings during execution’).
  • [T1106] Native API – The killers interact directly with drivers through Windows native APIs to carry out privileged actions (‘User-mode components interact directly with kernel drivers via DeviceIoControl and other native Windows APIs’).
  • [T1543.003] Create or Modify System Process: Windows Service – The drivers are installed and started as services before use (‘The EDR killers install and start vulnerable or malicious drivers as services prior to exploitation’).
  • [T1036] Masquerading – The tools impersonate legitimate security vendors through filenames, icons, certificates, and version data (‘impersonating legitimate vendors through filenames, version information, icons, and copied digital certificates’).
  • [T1036.001] Masquerading: Invalid Code Signature – The impersonation layer includes invalid copied signatures (‘The protection applied to Gentlemen’s EDR killers adds an invalid code signature as part of the impersonation strategy’).
  • [T1027] Obfuscated Files or Information – Samples are protected with packers and custom obfuscation (‘protected with packers (e.g., Enigma, Themida) and custom control-flow obfuscation’).
  • [T1685] Disable or Modify Tools – The EDR killers are designed to bypass and disable security products, especially EDRs (‘aim to bypass security products such as EDRs’).
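A defender-side triage check for two of the behaviours listed above (drivers installed as services, and vendor impersonation through fake version data and invalid or copied signatures). This is an added example, not code from ESET or from the report; the driver watchlist reuses the driver names quoted in this summary, and the CompanyName-versus-signer heuristic is an assumption of this example, not a rule stated in the report.

```powershell
# Added example (not from the ESET report). Reviews recent Event ID 7045 (new service installed)
# records for kernel/file-system drivers and flags BYOVD-style traits described in the report:
# a watchlisted driver name, an image outside System32\drivers, an invalid Authenticode signature,
# or version info naming a vendor the signer certificate does not.
function Get-SuspiciousDriverServices {
    param([int]$Days = 7)
    # Driver names quoted in the report summary; extend with your own intelligence.
    $watchlist = @('eb.sys', 'nseckrnl.sys', 'havoc.sys', '360netmon_wfp.sys')
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # User-mode services are out of scope; only driver-type services matter for BYOVD.
        if ($data['ServiceType'] -notmatch 'driver') { continue }

        # ImagePath may carry \??\ or \SystemRoot\ prefixes; normalise to a filesystem path.
        $path = $data['ImagePath'] -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = [Environment]::ExpandEnvironmentVariables($path).Trim('"')
        $name = [IO.Path]::GetFileName($path)

        $findings = @()
        if ($watchlist -contains $name) { $findings += 'driver name on watchlist' }
        if ($path -notlike "$env:SystemRoot\System32\drivers\*") { $findings += 'image outside System32\drivers' }

        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') { $findings += "signature status $($sig.Status)" }
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Heuristic (assumption of this example): version info claiming a vendor absent from the
            # signer subject hints at copied version data. WHQL drivers are signed by Microsoft on the
            # vendor's behalf, so treat this as a triage hint, not a verdict.
            if ($company -and $signer -and ($signer -notlike "*$company*")) {
                $findings += "CompanyName '$company' not reflected in signer"
            }
        } else {
            $findings += 'image no longer on disk (dropped and removed?)'
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Time = $ev.TimeCreated; Service = $data['ServiceName']; Image = $path; Findings = ($findings -join '; ') }
        }
    }
}

Get-SuspiciousDriverServices -Days 7 | Format-Table -AutoSize
```

Run from an elevated PowerShell session so the System log and driver files are readable; correlate hits with the installing account recorded in the same 7045 event.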

Indicators of Compromise

  • [File hashes] GentleKiller and related tool samples in the IoC table – 8AE6BD18B129061F63642531F1B684CF0383C75D, D605994FC72A2BB59B5CFB1624A1B9170ECA73A2, and 16 other hashes
  • [File names] EDR killer and stealer binaries mentioned throughout the report – Kasps.exe, FaceIT1.exe, buildx641.exe, and other related filenames
  • [Driver file names] Abused or dropped driver components used by the tools – eb.sys, nseckrnl.sys, havoc.sys, and other driver names such as 360netmon_wfp.sys
  • [Service/utility names] Executable names mimicking legitimate products, used for masquerading – Avast.exe, Sophos.exe, Symantec.exe, and other vendor-themed filenames


Read more: https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/