Malware

The Gentlemen RaaS Deploys GentleKiller EDR Framework Targeting 400 Security Processes

June 25, 2026

The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates to impair system defenses before the encryptor is deployed. This mature portfolio of EDR-terminating tools is centered on a framework known as GentleKiller.

According to ESET security researcher Jakub Souček, the group also incorporates third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller. These tools are standardized through a shared defense-evasion layer that impersonates security vendors using fake version information, certificates copied from legitimate binaries, and matching icons.

Since its emergence in March 2025, The Gentlemen has claimed 504 victims, with most located in Southeast Asia, South America, and Western Europe. Recent reports have identified a 36-year-old Russian national named Alexander Andreevich Yapaev (aka hastalamuerte) as the leader, who previously acted as an affiliate for other ransomware schemes, including Qilin.

GentleKiller comes in eight variants, each mimicking a different legitimate product and abusing a different vulnerable driver as part of bring your own vulnerable driver (BYOVD) attacks. The drivers exploited include those from Kaspersky, FACEIT Anti-Cheat, Valorant, Javelin, WatchDog, Network Blocker, Cleaner, and G11. The group also uses a Rust-based credential stealer codenamed OxideHarvest that targets data from popular web browsers.
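The two tradecraft points above, BYOVD driver loads and binaries dressed up with a security vendor's version info or a copied certificate, map onto fields that Sysmon already records. The following Python triage pass is an added example written for this page, not code from ESET's report or from the tooling it describes. It runs over constructed Sysmon-style DriverLoad (Event ID 6) and ProcessCreate (Event ID 1) records; the record contents, file names, the placeholder SHA256 in the blocklist and the vendor word list are all constructed for the example and are not indicators from the report (a real deployment would populate the hash set from the Microsoft vulnerable driver blocklist or a similar feed).

```python
"""Triage constructed Sysmon-style events for BYOVD and vendor impersonation.

Added example for this page; the hashes, paths and vendor list below are
constructed placeholders, not indicators from the ESET report.
"""

# Hypothetical blocklist keyed by SHA256 (placeholder value, constructed).
KNOWN_VULNERABLE_DRIVER_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001": "placeholder-vulnerable-driver",
}

# Vendor names an EDR killer might impersonate in version info or a copied cert.
SECURITY_VENDOR_WORDS = ("kaspersky", "eset", "crowdstrike", "bitdefender", "huntress")

# Directories where a validly signed security product or driver is expected to live.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def parse_hashes(field):
    """Split Sysmon's 'SHA256=...,MD5=...' Hashes field into {algo: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def in_trusted_dir(path):
    return any(path.lower().startswith(d) for d in TRUSTED_DIRS)


def claims_security_vendor(text):
    t = (text or "").lower()
    return any(word in t for word in SECURITY_VENDOR_WORDS)


def triage_driver_load(ev):
    """Rules for Sysmon Event 6 (DriverLoad)."""
    findings = []
    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_VULNERABLE_DRIVER_SHA256:
        findings.append("byovd_known_vulnerable_driver")
    if not in_trusted_dir(ev.get("ImageLoaded", "")):
        findings.append("driver_loaded_from_untrusted_dir")
    # A certificate lifted from another binary does not validate, because the
    # Authenticode signature covers the file hash; Sysmon reports that as
    # SignatureStatus != "Valid" while Signature still names the vendor.
    if claims_security_vendor(ev.get("Signature")) and ev.get("SignatureStatus") != "Valid":
        findings.append("vendor_signature_does_not_validate")
    return findings


def triage_process_create(ev):
    """Rules for Sysmon Event 1 (ProcessCreate), which carries version-info fields."""
    findings = []
    image = ev.get("Image", "")
    if claims_security_vendor(ev.get("Company")) and not in_trusted_dir(image):
        findings.append("vendor_version_info_in_untrusted_dir")
    original = (ev.get("OriginalFileName") or "").lower()
    on_disk = image.rsplit("\\", 1)[-1].lower()
    if original and original != on_disk:
        findings.append("renamed_binary")
    return findings


def triage(events):
    """Return (rule, image) pairs for every finding across a batch of events."""
    results = []
    for ev in events:
        if ev.get("EventID") == 6:
            rules, subject = triage_driver_load(ev), ev.get("ImageLoaded")
        elif ev.get("EventID") == 1:
            rules, subject = triage_process_create(ev), ev.get("Image")
        else:
            continue
        results.extend((rule, subject) for rule in rules)
    return results


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\ProgramData\\svc\\kav_helper.sys",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000001",
     "Signed": "true", "Signature": "Kaspersky Lab", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + "ab" * 32,
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\csagent_fix.sys",
     "Hashes": "SHA256=" + "cd" * 32,
     "Signed": "true", "Signature": "CrowdStrike, Inc.", "SignatureStatus": "Invalid"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\Downloads\\EsetScan.exe",
     "Company": "ESET, spol. s r.o.", "OriginalFileName": "updater.exe"},
    {"EventID": 1, "Image": "C:\\Program Files\\Vendor\\agent.exe",
     "Company": "Bitdefender", "OriginalFileName": "agent.exe"},
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:40s} {image}")
```

The first sample record is the classic BYOVD shape: a genuinely signed, validly loading driver that is dangerous only because of its hash, so a signature check alone would pass it and only the blocklist catches it. The third record is the copied-certificate case, where the signer string looks right but the status is Invalid. Event 1 does not carry signature fields, so the vendor-impersonation rule there leans on the version-info Company field plus an install-path check; pair it with Event 7 (ImageLoad) if you need signature status for user-mode binaries as well.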

ESET described The Gentlemen as one of the most technically agile RaaS groups, using binary protection tools like Enigma or Themida and file names that resemble well-known cybersecurity vendors. The disclosure also highlights a CERT/CC advisory about multiple vendor-signed UEFI applications being vulnerable to Secure Boot bypass via BYOVD attacks, impacting Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, and Uniwill.

CVEs: CVE-2026-11645

Attack groups: The Gentlemen, Qilin, MedusaLocker, DragonForce, Warlock

Malware: GentleKiller, HexKiller, ThrottleBlood, HavocKiller, HwAudKiller, OxideHarvest

Companies: ESET, PRODAFT, Huntress, Bitdefender, CERT/CC, Kaspersky, FACEIT, Valorant, Javelin, WatchDog, Network Blocker, Cleaner

Products: GentleKiller, Enigma, Themida, CrowdStrike Falcon, BeyondTrust Remote Support, Microsoft Defender