ESET researchers analyzed the robust EDR-killing toolset of the ransomware-as-a-service gang Gentlemen. Since the beginning of 2026, Gentlemen has emerged as one of the most active gangs in the ransomware ecosystem. The group distinguishes itself through a mature, operator-maintained set of endpoint detection and response (EDR) killers — tools for disrupting security software. Additionally, unlike most top-tier gangs, Gentlemen does not exhibit a strong US-centric victimology, instead targeting victims across Southeast Asia, South America, and Western Europe.
While there have been multiple reports covering Gentlemen in recent months, they have not focused on a detailed analysis of the group’s EDR killers. Thanks to ESET’s continued incident-level visibility, we can provide a uniquely deep view into Gentlemen’s EDR-killer development practices. The internal data leak that Gentlemen suffered in May 2026 gave us even more insight into the inner workings of the group.
The leak also allowed us to confirm our hypothesis from February 2026 that Gentlemen operators actively develop and maintain a portfolio of EDR killers offered to affiliates, centered around their in-house framework we have named GentleKiller. They also incorporate third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller. These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied legitimate certificates and icons. Gentlemen also demonstrates an ability to unusually quickly operationalize newly disclosed Bring Your Own Vulnerable Driver (BYOVD) proofs-of-concept, often within days of public release.
In this post, we share our findings on Gentlemen’s suite of EDR killers gained through extensive research and corroborated by the recent leak. We aim to provide actionable insights by connecting the EDR killer packages to actual samples, and tying the leaked data to tactics, techniques, and procedures (TTPs). Our findings highlight Gentlemen as one of the most technically agile ransomware-as-a-service (RaaS) gangs active in 2026.
Key points:
- Gentlemen operators develop and maintain an EDR-killer suite provided directly to affiliates.
- GentleKiller is an in-house framework with at least eight variants abusing different vulnerable or malicious drivers.
- Gentlemen operators apply a unified evasion strategy across tools that standardizes impersonation and protection.
- Third-party EDR killers (HexKiller, ThrottleBlood, and HavocKiller) are operationally integrated.
- Gentlemen can rapidly adapt newly released EDR killer proofs-of-concept (PoCs).
- The gang’s victimology is globally distributed and notably not US-focused.
- Gentlemen also uses OxideHarvest, a credential stealer maintained by one of the group’s affiliates.
Throughout this post, we refer to RaaS operators and affiliates.
Operators are responsible for developing the ransomware payload, managing decryption keys, maintaining the dedicated leak site, often negotiating the ransom payment with victims, and offering other tooling and services for a monthly fee or a percentage from the ransom payment (typically 5–20%).
Affiliates rent ransomware services from operators, deploy encryptors to victims’ networks, and are also responsible for data exfiltration.
Gentlemen Profile
Gentlemen emerged in late 2025 as a RaaS operation and quickly grew into one of the most active ransomware gangs observed in Q1 2026. The gang offers a generous 90% share to affiliates. Group-IB disclosed that Gentlemen was founded by hastalamuerte, a disgruntled former Qilin affiliate. PRODAFT reported on October 17th, 2025 that Gentlemen operators were previously affiliates of Qilin, Embargo, LockBit, Medusa, and BlackLock. On June 10th, 2026, Brian Krebs shared evidence of hastalamuerte’s true identity.
Gentlemen utilizes double extortion — in addition to encrypting victim data, the group also threatens to leak it if the ransom is not paid. For encryption, the operators offer a variant written in Go targeting Windows, Linux, and other platforms, and an ESXi variant written in C.
One of the things that sets Gentlemen apart is the gang’s willingness to offer more than just encryptors to affiliates — in particular, the gang also provides EDR killers. Recent ESET research has shown that, in most ransomware intrusions, the responsibility for finding a reliable EDR killer typically falls on individual affiliates, not the RaaS operators themselves. Only a small number of exceptions to this model have been documented. One notable case is RansomHub, which invested in developing its own EDR killer from scratch — EDRKillShifter — and then offered it to affiliates through the affiliate panel.
Gentlemen represents a different, and so far underreported, approach. Rather than relying on affiliates to source their own EDR killers, Gentlemen operators actively develop and maintain a portfolio of EDR killers for affiliates. This portfolio combines an in-house developed tool, which we named GentleKiller, along with externally sourced or leaked tooling, standardized through a shared evasion layer and staged in a consistent manner.
ESET researchers hypothesized that GentleKiller was an internal tool back in February 2026, and this was later supported by reports from Group-IB and Check Point — both mention that the gang provides EDR-killing capabilities to its verified affiliates. The recently leaked internal data of the gang provided the final piece of evidence: in the leaks, zeta88 (another alias used by hastalamuerte), the leader of the gang, openly talks about maintaining and providing EDR-killer packages.
Apart from confirming our suspicion about GentleKiller, the leaked data also allowed us to link a credential stealer we named OxideHarvest to Gentlemen; specifically, to one of its affiliates.
Victimology
While the victimology of large RaaS operations is often shaped more by affiliates’ choices than by operator-led strategy, one particular pattern still tends to emerge. Most major ransomware gangs show a strong and persistent focus on the United States, which frequently accounts for roughly half of all announced victims. This US-centric bias is evident across several prominent groups, including Qilin, DragonForce, and Akira, and has effectively become the norm among top-tier ransomware operations.
Gentlemen stands out as a notable exception to this trend. Despite ranking among the five most active ransomware gangs in Q1 2026, its victimology does not exhibit a comparable US focus. Instead, Gentlemen affiliates consistently target victims across a broad and geographically diverse range of countries, with a significant number of victims coming from regions such as Southeast Asia, South America, and Western Europe. The gang’s targeting includes some otherwise unusual countries such as Thailand, Brazil, and France.
The recently leaked data provides evidence that when it comes to choosing victims, Gentlemen utilizes a centralized approach of sorting through viable candidates and then distributing them to affiliates. Victims are chosen primarily based on their FortiGate (mis)configuration rather than their geographical location.
EDR Killers
In February 2026, we observed a previously undocumented EDR killer deployed by a Gentlemen affiliate and staged in a directory named GentlemenCollection. We named this tool GentleKiller. At the time, we hypothesized that it was not an affiliate-specific artifact but rather a tool provided to affiliates by the Gentlemen operators. Since then, we have observed the same staging pattern — dropping GentleKiller and other EDR killers to the GentlemenCollection directory — multiple times across unrelated intrusions that we investigated, consistently involving Gentlemen affiliates. In parallel, two independently published reports by Group-IB and Check Point assessed that the Gentlemen operators explicitly offer EDR-disabling capabilities as part of their RaaS program.
Taken together, these observations allowed us to conclude that GentleKiller is a component of an EDR-killer suite maintained by the Gentlemen operators. This was later confirmed in the group’s leaked data.
Besides GentleKiller, the suite also contains HexKiller, HavocKiller, and ThrottleBlood — all ESET names for EDR killers used by affiliates of rival gangs and obtained by Gentlemen via unknown means. We also observed DemoKiller in several intrusions, but this EDR killer did not exhibit any ties to Gentlemen and is therefore considered affiliate-specific rather than part of the gang’s suite.
While these tools are operationally integrated into Gentlemen intrusions, we assess with high confidence that only GentleKiller is developed in-house by the Gentlemen operators, whereas the remaining EDR killers were likely sourced externally and subsequently modified and standardized to fit the operators’ toolset. Our assessment is based on:
- GentleKiller appearing mainly in Gentlemen-related intrusions, often deployed to the
GentlemenCollectiondirectory, - continuous development with clear access to the source code that allows creating new variants and supporting newly emerged PoCs, and
- third-party reporting mentioning Gentlemen offering EDR-killing capabilities to trusted affiliates.
Defense Evasion Strategy
Gentlemen operators apply a specific set of defense evasion techniques to the gang’s various EDR killers. These techniques are applied to compiled samples rather than source code, giving Gentlemen the option to protect even the EDR killers whose source code the gang does not possess.
All EDR killers that are part of Gentlemen’s portfolio follow these standardized defense-evasion patterns:
- Advanced binary protection (Enigma or Themida) is applied to a significant portion of detected samples. The filename suffix often identifies the method used (Enigma, Themida, or none).
- Filenames are chosen to closely resemble those of well-known software vendors, particularly companies operating in the cybersecurity domain.
- Executables impersonate those vendors using fake version information and copied legitimate certificates and icons, making them harder to identify as malicious at a glance.
This standardized approach to defense evasion across all tools in the portfolio — regardless of origin — is a defining characteristic of Gentlemen’s operational discipline and reflects the operators’ active role in managing and packaging the toolkit their affiliates deploy.