- Gentlemen operators develop and maintain an EDR-killer suite provided directly to affiliates.
- GentleKiller, an in-house framework, has at least eight variants abusing different vulnerable or malicious drivers.
- Gentlemen operators apply a unified evasion strategy across tools to standardize impersonation and protection.
- Third-party EDR killers (HexKiller, ThrottleBlood, and HavocKiller) are operationally integrated.
- The gang’s victimology is globally distributed and notably not US focused.
BRATISLAVA, Slovakia, June 18, 2026 (GLOBE NEWSWIRE) -- ESET researchers analyzed the robust EDR-killing toolset of the ransomware-as-a-service (RaaS) gang Gentlemen. Since the beginning of 2026, Gentlemen has emerged as one of the most active gangs in the ransomware ecosystem. The group distinguishes itself through a mature, operator-maintained set of endpoint detection and response (EDR) killers — tools for disrupting security software. Additionally, unlike most top-tier gangs, Gentlemen does not exhibit a strong US-centric victimology, instead targeting victims across Southeast Asia, South America, and Western Europe. The gang’s targeting includes some otherwise rarely targeted countries like Thailand, Brazil, and France.
“While there have been multiple reports covering Gentlemen in recent months, they have not focused on a detailed analysis of the group’s EDR killers. Thanks to ESET’s continued incident-level visibility, we can provide a uniquely deep view into Gentlemen’s EDR-killer development practices. The internal data leak that Gentlemen suffered in May 2026 gave us more insight into the inner workings of the group,” says ESET researcher Jakub Souček, who tracks EDR killers. “The leak also allowed us to confirm the hypothesis we formed in February 2026: that Gentlemen operators actively develop and maintain a portfolio of EDR killers that they offer to affiliates, centered around their in-house framework, which we have named GentleKiller.”
Additionally, the group incorporates third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller. These tools are standardized through a shared defense-evasion layer that predominantly impersonates security vendors by using fake version information together with copied legitimate certificates and icons. Gentlemen also demonstrates an ability to operationalize newly disclosed Bring Your Own Vulnerable Driver (BYOVD) proofs-of-concept unusually quickly, often within days of public release. Apart from the EDR killers, ESET researchers also identified a credential stealer they named OxideHarvest; this tool was developed by one of Gentlemen’s affiliates.
For context, Gentlemen emerged in late 2025 as a RaaS operation and quickly grew into one of the most active ransomware gangs observed in Q1 2026. The gang offers a generous 90% share to affiliates. Gentlemen utilizes double extortion — in addition to encrypting the victim data, the group also threatens to leak the data if the ransom is not paid.
One of the things that sets Gentlemen apart is the gang’s willingness to offer more than just encryptors to affiliates — in particular, the gang also provides EDR killers. Gentlemen represents a different, and so far underreported, approach. Rather than relying on affiliates to source their own EDR killers, Gentlemen operators actively develop and maintain a portfolio of EDR killers for affiliates.
While the victimology of large RaaS operations is often shaped more by affiliates’ choices than by operator-led strategy, one particular pattern still tends to emerge. Most major ransomware gangs show a strong and persistent focus on the United States, which frequently accounts for roughly half of all announced victims. Gentlemen stands out as a notable exception to this trend. Despite ranking among the five most active ransomware gangs in Q1 2026, its victimology does not exhibit a comparable US focus. Instead, Gentlemen affiliates consistently target victims across a broad and geographically diverse range of countries, with a significant number of victims coming from regions such as Southeast Asia, South America, and Western Europe.
Gentlemen operators apply a specific set of defense evasion techniques to the gang’s various EDR killers. These techniques are applied to compiled samples rather than source code, which also lets the gang protect EDR killers whose source code it does not possess. GentleKiller is by far the most prevalent EDR killer observed in the Gentlemen ecosystem.
To date, ESET Research has discovered eight distinct variants, each impersonating a different legitimate product and abusing a different vulnerable or malicious driver. Despite these surface-level differences, ESET classifies all of these samples under the GentleKiller umbrella due to a high degree of shared internal characteristics.
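As an added illustration of what the impersonation layer and the BYOVD component described above look like in endpoint telemetry (this is an example written for this page, not ESET's tooling or anything from the report), the following Python triage pass runs over constructed Sysmon-style driver-load (Event ID 6) and process-create (Event ID 1) records and flags three patterns: version information that claims a vendor but runs from a path that vendor never uses, a copied certificate that no longer verifies against the modified file, and a validly signed but blocklisted driver loaded from a non-standard directory. Field names follow Sysmon; the vendor name, install paths, driver paths, hashes, and event lines are placeholders constructed for the example.

```python
"""Triage Sysmon-style events for EDR-killer impersonation and BYOVD driver loads.

Added example: the records, vendor names, paths and hashes below are constructed
placeholders, not real telemetry or indicators from the ESET report.
"""
import re

# Assumption for the example: CompanyName strings worth scrutinising and the directories
# where binaries carrying them are expected to run. A real deployment would derive this
# from the organisation's own software inventory, not from a hard-coded dict.
EXPECTED_PATHS = {
    "Example Security Inc.": ("c:\\program files\\example security\\",),
    "Microsoft Corporation": ("c:\\windows\\", "c:\\program files\\"),
}
# Where kernel drivers normally load from; an attacker-dropped vulnerable driver usually
# comes from a user profile, temp or ProgramData directory instead.
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

# Constructed sample events in a compact Key=Value|Key=Value form (Sysmon field names).
PLACEHOLDER_HASH = "3" * 64  # stands in for a blocklisted driver hash; not a real IOC
SAMPLE_EVENTS = [
    # Driver load from the normal location with a verifying signature: benign.
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\example.sys|Hashes=SHA256="
    + "1" * 64 + "|Signed=true|Signature=Example Security Inc.|SignatureStatus=Valid",
    # Driver carrying a certificate copied from another binary: Signed=true, but the
    # embedded signature does not verify against this file's contents.
    "EventID=6|ImageLoaded=C:\\Users\\Public\\svc\\update.sys|Hashes=SHA256="
    + "2" * 64 + "|Signed=true|Signature=Example Security Inc.|SignatureStatus=HashMismatch",
    # Genuinely signed but known-vulnerable driver dropped into ProgramData (BYOVD pattern).
    "EventID=6|ImageLoaded=C:\\ProgramData\\tmp\\drv.sys|Hashes=SHA256="
    + PLACEHOLDER_HASH + "|Signed=true|Signature=Some Hardware Vendor|SignatureStatus=Valid",
    # Executable whose version info claims the vendor but runs from a public directory.
    "EventID=1|Image=C:\\Users\\Public\\killer.exe|Company=Example Security Inc.|"
    "Product=Example Security|OriginalFileName=killer.exe|Hashes=SHA256=" + "4" * 64,
    # The real vendor binary from its install directory: benign.
    "EventID=1|Image=C:\\Program Files\\Example Security\\gui.exe|Company=Example Security Inc.|"
    "Product=Example Security|OriginalFileName=gui.exe|Hashes=SHA256=" + "5" * 64,
]


def parse_event(line):
    """Split one 'Key=Value|Key=Value' record into a dict; the first '=' separates key/value."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def sha256_of(hashes_field):
    """Pull the SHA256 out of a Sysmon Hashes field such as 'SHA256=...,MD5=...'."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", hashes_field)
    return m.group(1).lower() if m else None


def under(path, prefixes):
    """Case-insensitive check that path starts with one of the given directory prefixes."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in prefixes)


def analyze(lines, vulnerable_driver_hashes=frozenset()):
    """Return (rule, image) findings for driver-load (ID 6) and process-create (ID 1) records."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "6":
            image = ev.get("ImageLoaded", "")
            # A copied certificate blob looks signed but fails verification: anything
            # other than Valid on a kernel driver deserves a look.
            if ev.get("SignatureStatus", "") != "Valid":
                findings.append(("driver_signature_not_valid", image))
            # A real vulnerable driver verifies fine, so origin path and a hash blocklist
            # (e.g. Microsoft's vulnerable driver blocklist) are the checks that catch BYOVD.
            if not under(image, DRIVER_DIRS):
                findings.append(("driver_unusual_path", image))
            if sha256_of(ev.get("Hashes", "")) in vulnerable_driver_hashes:
                findings.append(("driver_on_vulnerable_blocklist", image))
        elif ev.get("EventID") == "1":
            image = ev.get("Image", "")
            expected = EXPECTED_PATHS.get(ev.get("Company", ""))
            # Version info claims a vendor, but the binary runs from a path that vendor
            # never installs to: the impersonation pattern applied to compiled samples.
            if expected and not under(image, expected):
                findings.append(("vendor_impersonation_path", image))
    return findings


def run_sample():
    """Run the triage over the constructed events with the placeholder hash blocklisted."""
    return analyze(SAMPLE_EVENTS, {PLACEHOLDER_HASH})


if __name__ == "__main__":
    for rule, image in run_sample():
        print(f"{rule:32} {image}")
```

The three driver checks are deliberately independent: a copied certificate trips the signature-status check, while a legitimately signed vulnerable driver passes it and is only caught by its load path or its hash, which is why a hash blocklist and driver-path baselining belong alongside signature validation rather than instead of it.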
“From a defense perspective, understanding how GentleKiller works allows defenders to better design their defensive strategies and defend even against yet-to-be-developed additions to Gentlemen’s EDR-killing arsenal,” concludes Souček.
For more details about Gentlemen’s EDR killers, check out the ESET Research blog post “Killing me gently: Inside Gentlemen’s EDR killer framework” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.
About ESET
ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts, and blogs.

Media contact: Jessica Beffa jessica.beffa@eset.com 720-413-4938