The Gentlemen RaaS Deploys GentleKiller to Evade Security Measures

The Gentlemen ransomware-as-a-service (RaaS) operation has been actively enhancing its capabilities by developing and distributing a suite of endpoint detection and response (EDR) evasion tools to its affiliates. Central to this arsenal is a framework known as GentleKiller, designed to disable security defenses prior to deploying ransomware payloads.

These EDR-terminating tools are not limited to GentleKiller alone; the group also utilizes third-party or leaked utilities such as HexKiller, ThrottleBlood, and HavocKiller. These tools are standardized through a shared defense-evasion layer, often masquerading as legitimate security software by mimicking version information, digital certificates, and icons.

Since its emergence in March 2025, The Gentlemen has rapidly ascended to become one of the most active ransomware groups, claiming over 500 victims to date. The majority of these victims are located in Southeast Asia, South America, and Western Europe.

Recent investigations have identified a 36-year-old Russian national, Alexander Andreevich Yapaev, also known by the alias ‘hastalamuerte,’ as the leader of The Gentlemen operation. Prior to establishing this group, Yapaev acted as an affiliate for other ransomware schemes, including Qilin.

The Gentlemen’s technical agility is evident in their rapid adoption of newly disclosed proof-of-concept exploits, particularly those related to the ‘bring your own vulnerable driver’ (BYOVD) technique. In many instances, they have operationalized these exploits within days of their public release.

To evade detection, the group employs several strategies, including protecting their binaries with tools like Enigma or Themida. They also use filenames that closely resemble those of well-known cybersecurity vendors, complete with matching version information, digital signatures, and icons.

GentleKiller, the most prevalent tool in their arsenal, exists in eight different variants. Each variant impersonates a different legitimate product and exploits a specific vulnerable or malicious driver as part of the BYOVD attack. Notably, GentleKiller targets 400 processes associated with 48 distinct security programs from various vendors.

The drivers exploited by each variant include:

  • Kaspersky (‘eb.sys’)
  • FACEIT Anti-Cheat (‘nseckrnl.sys’)
  • Valorant (‘GameDriverX64.sys’)
  • Javelin (‘stpm_old.sys’ or ‘stpm_new.sys’)
  • WatchDog (‘dmx.sys’)
  • Network Blocker (‘360netmon_wfp.sys’)
  • Cleaner (‘IMFForceDelete.sys’)
  • G11 (‘PoisonX.sys’)

It’s noteworthy that the ‘PoisonX.sys’ driver has been associated with recent BYOVD attacks aimed at disabling security solutions like CrowdStrike Falcon EDR. In one such campaign, attackers leveraged BeyondTrust Remote Support to deploy ransomware, terminating security tools using ‘PoisonX.sys’ and ‘hrwfpdrv.sys’.
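The driver list above and the impersonation tricks described earlier (vendor-like filenames, matching version info and icons) give defenders something concrete to hunt for: a BYOVD driver is usually a genuinely signed binary, so signature checks alone will not catch it, but its file name, hash and load location will. The following is an added example, not code from the report or from any vendor: it classifies constructed, Sysmon-style DriverLoad (Event ID 6) records by matching the loaded image name against the driver names named on this page, checking the signature status, and flagging loads from user-writable directories. The event format, the `SUSPICIOUS_DIR_TOKENS` list and the sample records are all assumptions made for the example; a production rule should match on vetted driver hashes rather than file names, which an attacker can rename.

```python
"""Triage Sysmon-style DriverLoad records for BYOVD indicators.

Added example (not the report's code).  Event lines are a constructed
'Key=Value|Key=Value' rendering of Sysmon Event ID 6 fields:
ImageLoaded, Signed, Signature, SignatureStatus.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Driver file names the report attributes to GentleKiller variants and the
# related PoisonX campaign.  Name matching is a weak indicator on its own:
# the attacker controls the file name, so pair this with hash-based lists.
KNOWN_BYOVD_DRIVERS = frozenset(n.lower() for n in (
    "eb.sys", "nseckrnl.sys", "GameDriverX64.sys", "stpm_old.sys",
    "stpm_new.sys", "dmx.sys", "360netmon_wfp.sys", "IMFForceDelete.sys",
    "PoisonX.sys", "hrwfpdrv.sys",
))

# Assumption: legitimate driver packages are installed under the driver
# store or System32\drivers, not loaded from these locations.
SUSPICIOUS_DIR_TOKENS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\downloads\\")


@dataclass
class Finding:
    image: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_event(line: str) -> dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' record into a dict."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess(event: dict[str, str]) -> Finding:
    """Return a Finding listing every indicator the record triggers."""
    image = event.get("ImageLoaded", "")
    finding = Finding(image=image)

    # 1. Known-abused driver name (case-insensitive on the basename only).
    name = ntpath.basename(image).lower()
    if name in KNOWN_BYOVD_DRIVERS:
        finding.reasons.append(f"known BYOVD driver name: {name}")

    # 2. Signature problems.  Note: a BYOVD driver is typically validly
    #    signed, so the absence of this reason does not clear the load.
    signed = event.get("Signed", "").lower() == "true"
    if not signed or event.get("SignatureStatus", "") != "Valid":
        finding.reasons.append("driver not validly signed")

    # 3. Loaded from a user-writable directory.
    lowered = image.lower()
    if any(token in lowered for token in SUSPICIOUS_DIR_TOKENS):
        finding.reasons.append("loaded from a user-writable directory")

    return finding


def scan(lines: list[str]) -> list[Finding]:
    """Assess every non-empty record and return findings in input order."""
    return [assess(parse_event(line)) for line in lines if line.strip()]


# Constructed sample records; the signer name is a placeholder, not a real CN.
SAMPLE_EVENTS = [
    r"ImageLoaded=C:\Windows\System32\drivers\ntfs.sys|Signed=true"
    r"|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"ImageLoaded=C:\ProgramData\Update\PoisonX.sys|Signed=true"
    r"|Signature=SIGNER-PLACEHOLDER|SignatureStatus=Valid",
    r"ImageLoaded=C:\Windows\Temp\eb.sys|Signed=true"
    r"|Signature=SIGNER-PLACEHOLDER|SignatureStatus=Valid",
    r"ImageLoaded=C:\Users\Public\helper.sys|Signed=false"
    r"|Signature=|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        verdict = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{verdict:10} {finding.image}")
        for reason in finding.reasons:
            print(f"           - {reason}")
```

The second and third records show the case the report describes: a validly signed driver that only stands out because of its name and its load path. Feeding real Sysmon EID 6 output into `assess` requires only replacing `parse_event` with a reader for your log format.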

Analysis of the underlying code reveals structural and behavioral similarities across these tools, suggesting the use of a shared development template. This design prioritizes ease of deployment and operational flexibility for affiliates while minimizing development efforts for the operators. It enables The Gentlemen to integrate various drivers and impersonate different security products with minimal adjustments.

The rapid evolution and sophistication of The Gentlemen’s tactics underscore the critical need for organizations to adopt proactive and adaptive cybersecurity measures. Staying ahead of such threats requires continuous monitoring, timely patching of vulnerabilities, and the implementation of robust defense mechanisms to detect and mitigate advanced evasion techniques employed by threat actors.