ESET exposes Gentlemen ransomware gang's EDR-killer framework

ESET Research has published a detailed analysis of Gentlemen's in-house EDR-killing toolset, revealing eight driver-abuse variants and a geographically diverse victim

ESET Research has published a deep-dive analysis of Gentlemen, a ransomware-as-a-service (RaaS) operation that emerged in late 2025 and ranked among the five most active ransomware gangs in the first quarter of 2026. The Bratislava-based security vendor says its findings, informed in part by an internal data leak the gang suffered in May 2026, reveal an unusually mature and operator-maintained suite of endpoint detection and response (EDR) killers provided directly to affiliates.

The centrepiece of Gentlemen's arsenal is GentleKiller, an in-house framework for which ESET has so far identified eight distinct variants. Each variant impersonates a different legitimate software product and abuses a different vulnerable or malicious driver, yet all share enough internal characteristics for ESET to treat them as a single family. Beyond its own tooling, the gang integrates third-party or leaked EDR killers, including HexKiller, ThrottleBlood, and HavocKiller. A shared defence-evasion layer is applied across the entire portfolio at the compiled-binary level, allowing operators to standardise impersonation techniques, such as fake version metadata and copied certificates, even for tools whose source code they do not control.

How the gang operates

ESET researcher Jakub Souček, who tracks EDR killers, noted that Gentlemen can operationalise newly disclosed Bring Your Own Vulnerable Driver (BYOVD) proofs-of-concept within days of public release. "From a defense perspective, understanding how GentleKiller works allows defenders to better design their defensive strategies and defend even against yet-to-be-developed additions to Gentlemen's EDR-killing arsenal," he said. ESET also identified a credential-stealing tool, named OxideHarvest, developed by one of the gang's affiliates rather than its operators directly.

Gentlemen offers affiliates a 90 per cent revenue share, an unusually generous cut in the RaaS market, and employs double extortion: encrypting victim data while threatening to publish it unless a ransom is paid. Unlike most top-tier ransomware operations, where the United States typically accounts for roughly half of all announced victims, Gentlemen's target set is geographically spread across Southeast Asia, South America, and Western Europe, with notable activity in Thailand, Brazil, and France.

Market and threat landscape

The broader EDR-killer ecosystem has grown significantly since the CrowdStrike driver incident of mid-2024 drew widespread attention to the attack surface created by kernel-level security software. Several RaaS operators now either bundle or broker EDR-killing capabilities, but ESET's analysis positions Gentlemen as unusual in that operators, not affiliates, own the development pipeline. That model offers the gang tighter quality control and a faster patch cycle when defensive vendors update their detection logic.

For enterprise security teams, the findings reinforce a wider trend: perimeter and endpoint defences are increasingly targeted before payload delivery, not after. Security operations centre (SOC) teams are advised to treat unexpected driver-load events and certificate-impersonation artefacts as high-priority indicators of compromise, not merely background noise. The BYOVD technique remains difficult to block cleanly without a combination of driver allowlisting, kernel-integrity monitoring, and up-to-date vulnerable-driver blocklists, all of which require active maintenance.
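The triage logic the preceding paragraph recommends, and the impersonation artefacts (fake version metadata, copied certificates) described earlier, can be turned into a concrete first-pass check over driver-load telemetry. The script below is an added example written for this article; it is not code from ESET, from the WeLiveSecurity write-up, or from any tool the gang uses. It assumes Sysmon Event ID 6 (DriverLoad) records flattened into `Key: value|Key: value` lines with the real Sysmon fields `ImageLoaded`, `Hashes`, `Signed`, `Signature` and `SignatureStatus`; the `CompanyName` field is assumed to come from a separate PE version-info enrichment step, since Sysmon does not emit it. The blocklist hashes and every sample event are constructed placeholders, not real indicators of compromise.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD / EDR-killer indicators.

Added example for illustration only. Blocklist hashes, directories and sample
events are constructed placeholders, not real indicators.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed vulnerable-driver blocklist keyed by lowercase SHA-256.
# In practice this would be fed from a maintained list (e.g. a vendor block policy).
VULNERABLE_DRIVER_BLOCKLIST: Dict[str, str] = {
    "00" * 32: "placeholder-vulnerable-driver-a",
    "11" * 32: "placeholder-vulnerable-driver-b",
}

# Directories from which drivers are expected to load on a managed Windows host.
ALLOWED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class DriverLoadEvent:
    image: str
    sha256: str
    signed: bool
    signature_status: str  # Sysmon SignatureStatus: Valid / Unavailable / Bad ...
    signature: str         # signer subject reported by Sysmon
    company_name: str      # PE version-info CompanyName (assumed enrichment field)


@dataclass
class Finding:
    image: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def parse_sysmon_kv(line: str) -> DriverLoadEvent:
    """Parse one flattened 'Key: value|Key: value' Event ID 6 line (constructed format)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    # Sysmon's Hashes field is 'ALG=hex,ALG=hex'; keep only well-formed pairs.
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoadEvent(
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", "Unavailable"),
        signature=fields.get("Signature", ""),
        company_name=fields.get("CompanyName", ""),
    )


def assess(ev: DriverLoadEvent) -> Finding:
    """Apply blocklist, signature, path and metadata-consistency checks to one event."""
    finding = Finding(image=ev.image, severity="info")

    def raise_to(level: str, reason: str) -> None:
        finding.reasons.append(reason)
        if SEVERITY_RANK[level] > SEVERITY_RANK[finding.severity]:
            finding.severity = level

    # 1. Known vulnerable driver: the classic BYOVD indicator, highest priority.
    if ev.sha256 in VULNERABLE_DRIVER_BLOCKLIST:
        raise_to("critical", f"hash matches blocklist entry {VULNERABLE_DRIVER_BLOCKLIST[ev.sha256]}")
    # 2. Unsigned or failed-signature driver: a copied certificate does not verify.
    if not ev.signed or ev.signature_status != "Valid":
        raise_to("high", f"signature not valid (Signed={ev.signed}, status={ev.signature_status})")
    # 3. Driver loaded from outside the directories an allowlist would permit.
    if not ev.image.lower().startswith(ALLOWED_DRIVER_DIRS):
        raise_to("medium", "driver loaded from outside the allowed driver directories")
    # 4. Version metadata names one vendor but the signer is another (fake metadata).
    #    WHQL-signed third-party drivers carry Microsoft's publisher cert, so skip those.
    claimed = ev.company_name.split()[0].lower() if ev.company_name else ""
    whql = "hardware compatibility publisher" in ev.signature.lower()
    if claimed and not whql and claimed not in ev.signature.lower():
        raise_to("medium", f"version metadata claims '{ev.company_name}' but signer is '{ev.signature}'")
    return finding


def triage(lines: List[str]) -> List[Finding]:
    """Assess every line and return findings ordered from most to least severe."""
    findings = [assess(parse_sysmon_kv(line)) for line in lines]
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f.severity])


# Constructed sample events (placeholder hashes and vendor names).
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys|Hashes: SHA256=" + "aa" * 32
    + "|Signed: true|SignatureStatus: Valid|Signature: Microsoft Windows|CompanyName: Microsoft Corporation",
    "ImageLoaded: C:\\Users\\Public\\legacy_util.sys|Hashes: SHA256=" + "00" * 32
    + "|Signed: true|SignatureStatus: Valid|Signature: Example Hardware Inc|CompanyName: Example Hardware Inc",
    "ImageLoaded: C:\\Users\\Public\\gk.sys|Hashes: SHA256=" + "ff" * 32
    + "|Signed: true|SignatureStatus: Bad|Signature: Placeholder Security Vendor|CompanyName: Placeholder Security Vendor",
    "ImageLoaded: C:\\Windows\\System32\\drivers\\helper.sys|Hashes: SHA256=" + "bb" * 32
    + "|Signed: true|SignatureStatus: Valid|Signature: Example Tools Ltd|CompanyName: Microsoft Corporation",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity.upper():8}] {f.image}")
        for reason in f.reasons:
            print(f"           - {reason}")
```

The ordering of the checks mirrors the advice in the text: a blocklist hit is conclusive on its own, a failed signature or a load from an unexpected path is the artefact a copied certificate leaves behind, and the vendor/signer mismatch is the weakest signal, so it only raises priority rather than firing alone. Running the script prints the four constructed events ranked critical, high, medium and info.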

From a regulatory standpoint, the NIS2 Directive, which entered EU national law in late 2024, requires operators of essential services to maintain detection and response capabilities adequate to counter techniques of this sophistication. Organisations operating in the sectors Gentlemen is actively targeting, particularly in France and across Western Europe more broadly, face direct compliance and operational risk. ESET has published the full technical breakdown on its WeLiveSecurity blog, including indicators of compromise and guidance on GentleKiller detection.