Killing me gently: Inside Gentlemen’s EDR killer framework
ESET Research shares the results of a months-long investigation into the suite of EDR killers maintained by the RaaS gang Gentlemen
ESET researchers analyzed the robust EDR-killing toolset of the ransomware-as-a-service gang Gentlemen. Since the beginning of 2026, Gentlemen has emerged as one of the most active gangs in the ransomware ecosystem. The group distinguishes itself through a mature, operator-maintained set of endpoint detection and response (EDR) killers, i.e., tools for disrupting security software.
Additionally, unlike most top-tier gangs, Gentlemen does not exhibit a strong US-centric victimology, instead targeting victims across Southeast Asia, South America, and Western Europe. While there have been multiple reports covering Gentlemen in recent months, they have not focused on a detailed analysis of the group’s EDR killers. Thanks to ESET’s continued incident-level visibility, we can, however, provide a uniquely deep view into Gentlemen’s EDR-killer development practices.
The internal data leak that Gentlemen suffered in May 2026 then gave us even more insight into the inner workings of the group. The leak also allowed us to confirm our hypothesis from February 2026 that Gentlemen operators actively develop and maintain a portfolio of EDR killers that they offer to affiliates, centered around their in-house framework we have named GentleKiller. They also incorporate third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller.
These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied legitimate certificates and icons. Gentlemen also demonstrates an ability to unusually quickly operationalize newly disclosed Bring Your Own Vulnerable Driver (BYOVD) proofs-of-concept, often within days of public release.
In this blogpost, we share our findings on Gentlemen’s suite of EDR killers gained through extensive research and corroborated by the recent leak. We aim to provide actionable insights by connecting the EDR killer packages to actual samples, and tying the leaked data to tactics, techniques, and procedures (TTPs). Our findings highlight Gentlemen as one of the most technically agile ransomware-as-a-service (RaaS) gangs active in 2026.
Key Points of the Blogpost
- Gentlemen operators develop and maintain an EDR-killer suite provided directly to affiliates.
- GentleKiller is an in‑house framework with at least eight variants abusing different vulnerable or malicious drivers.
- Gentlemen operators apply a unified evasion strategy across tools that standardizes impersonation and protection.
- Third‑party EDR killers (HexKiller, ThrottleBlood, and HavocKiller) are operationally integrated.
- Gentlemen can rapidly adapt newly released EDR killer proofs-of-concept (PoCs).
- The gang’s victimology is globally distributed and notably not US‑focused.
- Gentlemen also uses OxideHarvest, a credential stealer maintained by one of the group’s affiliates.
Throughout this blogpost, we refer to RaaS operators and affiliates. Operators are responsible for developing the ransomware payload, managing decryption keys, maintaining the dedicated leak site, often negotiating the ransom payment with victims, and offering other tooling and services for a monthly fee or a percentage from the ransom payment (typically 5–20%). Affiliates rent ransomware services from operators, deploy encryptors to victims’ networks, and are also responsible for data exfiltration.
Gentlemen Profile
Gentlemen emerged in late 2025 as a RaaS operation and quickly grew into one of the most active ransomware gangs observed in Q1 2026. The gang offers a generous 90% share to affiliates. Group-IB disclosed that Gentlemen was founded by hastalamuerte, a disgruntled former Qilin affiliate. PRODAFT tweeted on October 17th, 2025 that Gentlemen operators were previously affiliates of Qilin, Embargo, LockBit, Medusa, and BlackLock. On June 10th, 2026 Brian Krebs shared evidence of hastalamuerte’s true identity.
Gentlemen utilizes double extortion – in addition to encrypting the victim data, the group also threatens to leak it if the ransom is not paid. For encryption, the operators offer a variant written in Go targeting Windows, Linux, and other platforms, and an ESXi variant written in C.
One of the things that sets Gentlemen apart is the gang’s willingness to offer more than just encryptors to affiliates – in particular, the gang also provides EDR killers. Recent ESET research has shown that, in most ransomware intrusions, the responsibility for finding a reliable EDR killer typically falls on individual affiliates, not the RaaS operators themselves. Only a small number of exceptions to this model have been documented. One notable case is RansomHub, which invested in developing its own EDR killer from scratch, EDRKillShifter, and then offered it to affiliates through the affiliate panel.
Gentlemen represents a different, and so far underreported, approach. Rather than relying on affiliates to source their own EDR killers, Gentlemen operators actively develop and maintain a portfolio of EDR killers for affiliates. This portfolio combines an in-house developed tool, which we named GentleKiller, along with externally sourced or leaked tooling, standardized through a shared evasion layer and staged in a consistent manner.
ESET researchers hypothesized that GentleKiller was an internal tool back in February 2026, and this was later supported by reports from Group-IB and Check Point – both mention that the gang provides EDR-killing capabilities to its (verified) affiliates. The recently leaked internal data of the gang provided the final piece of evidence: in the leaks, zeta88 (another alias used by hastalamuerte), the leader of the gang, openly talks about maintaining and providing EDR-killer packages. Apart from confirming our suspicion about GentleKiller, the leaked data also allowed us to link a credential stealer we named OxideHarvest to Gentlemen; specifically, to one of its affiliates.
Victimology
While the victimology of large RaaS operations is often shaped more by affiliates’ choices than by operator-led strategy, one particular pattern still tends to emerge. Most major ransomware gangs show a strong and persistent focus on the United States, which frequently accounts for roughly half of all announced victims. This US-centric bias is evident across several prominent groups, including Qilin, DragonForce, and Akira, and has effectively become the norm among top-tier ransomware operations.
Gentlemen stands out as a notable exception to this trend. Despite ranking among the five most active ransomware gangs in Q1 2026, its victimology does not exhibit a comparable US focus. Instead, Gentlemen affiliates consistently target victims across a broad and geographically diverse range of countries, with a significant number of victims coming from regions such as Southeast Asia, South America, and Western Europe. Indeed, the gang’s targeting includes some otherwise unusual countries like Thailand, Brazil, and France.
The recently leaked data provides evidence that when it comes to choosing victims, Gentlemen utilizes a centralized approach of sorting through viable candidates and then distributing them to affiliates. Victims are chosen primarily based on their FortiGate (mis)configuration rather than their geographical location.
EDR Killers
In February 2026, we saw a previously undocumented EDR killer deployed by a Gentlemen affiliate and staged in a directory named GentlemenCollection. We named this tool GentleKiller. At the time, we hypothesized that it was not an affiliate-specific artifact but rather a tool provided to affiliates by the Gentlemen operators. Since then, we have observed the same staging pattern (dropping GentleKiller and other EDR killers to the GentlemenCollection directory) multiple times across unrelated intrusions that we investigated, consistently involving Gentlemen affiliates.
In parallel, two independently published reports by Group-IB and Check Point assessed that the Gentlemen operators explicitly offer EDR-disabling capabilities as part of their RaaS program. Taken together, these observations allowed us to conclude that GentleKiller is a component of an EDR-killer suite maintained by the Gentlemen operators. This was later confirmed in the group’s leaked data.
Besides GentleKiller, the suite also contains HexKiller, HavocKiller, and ThrottleBlood; these are all ESET names for EDR killers that are also used by affiliates of rival gangs and that Gentlemen obtained by unknown means. We also saw DemoKiller in several intrusions, but this EDR killer did not exhibit any ties to Gentlemen; we therefore exclude it from the gang’s suite and instead consider it affiliate-specific.
The following part of the blogpost covers these tools in more detail and places them into the broader EDR-killer ecosystem. While these tools are operationally integrated into Gentlemen intrusions, we assess with high confidence that only GentleKiller is developed in-house by the Gentlemen operators, whereas the remaining EDR killers were likely sourced externally and subsequently modified and standardized to fit the operators’ toolset.
Our assessment is based on:
- GentleKiller appearing mainly in Gentlemen-related intrusions, often deployed to the GentlemenCollection directory.
- Continuous development with clear access to the source code that allows creating new variants and supporting newly emerged PoCs.
- Third-party reporting mentioning Gentlemen offering EDR-killing capabilities to trusted affiliates.
Defense Evasion Strategy
Gentlemen operators apply a specific set of defense evasion techniques to the gang’s various EDR killers. These techniques are applied to compiled samples rather than source code. This gives Gentlemen the option to protect even the EDR killers whose source code the gang does not possess.
All the EDR killers that are part of Gentlemen’s portfolio follow these defense-evasion patterns, which points to a standardized strategy, namely:
- Advanced binary protection (Enigma or Themida) is applied to a significant portion of the samples we detected. The filename suffix often identifies the method used (Enigma, Themida, or none).
- Filenames are chosen to closely resemble those of well-known software vendors, particularly companies operating in the cybersecurity domain.
- Executables impersonate the vendors by having the following attributes, all matching the same vendor or product:
  - Fabricated version information.
  - Invalid digital signatures copied from legitimate executables.
  - Icons matching those of the impersonated vendors.
Although a small number of samples deviate from this approach, likely due to inconsistent development practices, the vast majority of observed EDR killers adhere to this pattern.
In Table 1, we show how the suffixes work. Later in the blogpost, we explain how the suffixes are appended to filenames.
Table 1. Naming pattern of the EDR killers maintained by Gentlemen
| Suffix | Protection | Fake signature | Fake version information |
|---|---|---|---|
| 1 | Enigma | Yes | Yes |
| 2 | Themida | Yes | Yes |
| Light | None | Yes | Yes |
| Clear | None | No | No |
GentleKiller
GentleKiller is by far the most prevalent EDR killer observed in the Gentlemen ecosystem. At the time of writing, we are aware of at least eight distinct variants, each impersonating a different legitimate product and abusing a different vulnerable or malicious driver. Despite these surface-level differences, we classify all of these samples under the GentleKiller umbrella due to a high degree of shared internal characteristics.
When abstracting away the impersonation layer and the specific drivers used, the underlying code reveals numerous structural and behavioral commonalities that strongly suggest the use of a shared development template. This template is reused across variants, with only minimal modifications.
The defining characteristics of the template include:
- Consistent strings across variants.
- Terminating processes periodically in a loop.
- Targeting a broad set of security solutions.
- Employing identical code obfuscation.
An example of GentleKiller’s output is illustrated in Figure 1, and a code snippet showing the code obfuscation is depicted in Figure 2. This design prioritizes ease of deployment and operational flexibility for affiliates, while minimizing development effort for the operators. It allows the Gentlemen operators to integrate abused drivers into their toolset very soon after an EDR killer PoC is disclosed. This was the case with UnknownKiller and PoisonKiller, which were adopted within a matter of days.
While some builds don’t target all the processes known to GentleKiller, the general set, provided in Table 2, is consistent. We leveraged AI to map the process names to their corresponding vendors, and acknowledge that there might be minor inconsistencies. Overall, GentleKiller targets more than 400 processes that the AI mapped to 48 products.
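The loop-based termination behavior described above is also the template’s most reliable detection handle: one image repeatedly killing many security-product processes in separate bursts. The following is an added example (not ESET’s code or tooling) that runs such a check over constructed process-termination events; the killer filename and timestamps are hypothetical, and the targeted process names are a subset of Table 2.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the process names from Table 2; matching is case-insensitive.
SECURITY_PROCESSES = {p.lower() for p in (
    "AvastSvc.exe", "AvastUI.exe", "bdagent.exe", "bdservicehost.exe",
    "cb.exe", "cbdefense.exe", "mms.exe", "osqueryd.exe")}

# Constructed sample log, "ISO timestamp|killer image path|terminated image".
# The killer filename is hypothetical; only the staging directory name is from the post.
SAMPLE_LOG = """\
2026-02-10T08:00:00|C:\\GentlemenCollection\\agent_Light.exe|AvastSvc.exe
2026-02-10T08:00:00|C:\\GentlemenCollection\\agent_Light.exe|bdagent.exe
2026-02-10T08:00:01|C:\\GentlemenCollection\\agent_Light.exe|cb.exe
2026-02-10T08:00:30|C:\\GentlemenCollection\\agent_Light.exe|AvastSvc.exe
2026-02-10T08:00:31|C:\\GentlemenCollection\\agent_Light.exe|cbdefense.exe
2026-02-10T08:01:00|C:\\GentlemenCollection\\agent_Light.exe|bdagent.exe
2026-02-10T08:01:01|C:\\GentlemenCollection\\agent_Light.exe|mms.exe
2026-02-10T08:02:00|C:\\Windows\\System32\\taskmgr.exe|notepad.exe
2026-02-10T08:03:00|C:\\Windows\\System32\\taskmgr.exe|AvastUI.exe
"""

def parse_events(text):
    """Yield (timestamp, killer, victim) from the pipe-separated log lines."""
    for line in text.splitlines():
        ts, killer, victim = line.split("|")
        yield datetime.fromisoformat(ts), killer, victim.lower()

def find_killers(events, min_victims=3, min_rounds=2, gap_s=5):
    """Return {killer: (distinct security victims, rounds)} for every process that
    terminates at least min_victims distinct security processes in at least
    min_rounds bursts; kills more than gap_s seconds apart start a new burst."""
    per_killer = defaultdict(list)
    for ts, killer, victim in events:
        if victim in SECURITY_PROCESSES:          # ignore non-security victims
            per_killer[killer].append((ts, victim))
    flagged = {}
    for killer, kills in per_killer.items():
        kills.sort()
        victims = {v for _, v in kills}
        rounds, last = 0, None
        for ts, _ in kills:                       # count periodic bursts
            if last is None or ts - last > timedelta(seconds=gap_s):
                rounds += 1
            last = ts
        if len(victims) >= min_victims and rounds >= min_rounds:
            flagged[killer] = (len(victims), rounds)
    return flagged
```

On the sample log, `find_killers(parse_events(SAMPLE_LOG))` flags only the GentlemenCollection image (five distinct security processes over three bursts); Task Manager ending a single UI process once is not flagged.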
Table 2. A complete list of process names targeted by GentleKiller, mapped to their corresponding vendors
| Vendor | Targeted processes |
|---|---|
| Acronis | acronis_agent.exe, BackupAndRecoveryAgent.exe, managementagenthost.exe, mms.exe |
| AlienVault | alienvault-agent.exe, osqueryd.exe |
| Avast | afwServ.exe, aswEngSrv.exe, aswidsagent.exe, aswToolsSvc.exe, AvastSvc.exe, AvastUI.exe, avastsvc.exe, avastui.exe, bccavsvc.exe, wsc_proxy.exe |
| AVG | AVGUI.exe, AVGSvc.exe, avgnt.exe, avgsvca.exe, avgToolsSvc.exe |
| Binary Defense | BinaryDefenseAgent.exe |
| Bitdefender | Arrakis3.exe, BDAvScanner.exe, BDFsTray.exe, BDFileServer.exe, BDLived2.exe, BDLogger.exe, BDScheduler.exe, BDStatistics.exe, bdagent.exe, bdemsrv.exe, bdntwrk.exe, bdredline.exe, bdregsvr2.exe, bdservicehost.exe |
| Blumira | BlumiraAgent.exe |
| Bromium | BromiumDaemon.exe, BrDifxapi.exe |
| Carbon Black | cb.exe, cbcomms.exe, cbdefense.exe, carb |