The Gentlemen RaaS Deploys GentleKiller to Disable 400 EDR Processes
The Gentlemen ransomware-as-a-service (RaaS) operation has emerged as one of the most technically agile cybercrime crews since launching in March 2025, according to ESET researcher Jakub Souček. The group has claimed 504 victims to date across Southeast Asia, South America, and Western Europe, per Ransomware.live data. Investigators have identified a 36-year-old Russian national, Alexander Andreevich Yapaev (aka hastalamuerte), as the operation's leader, following reporting from Brian Krebs and PRODAFT. Yapaev previously operated as an affiliate for the Qilin ransomware scheme. Organizations concerned about exposure can verify whether corporate credentials have surfaced in known compromises using an email breach checker.
At the center of The Gentlemen's tradecraft is GentleKiller, an endpoint detection and response (EDR) killer framework that ships in eight distinct variants. Each variant impersonates a different legitimate security vendor by adopting matching version information, digital signatures, and icons, and each abuses a different vulnerable driver to terminate protections. GentleKiller scans for 400 processes tied to 48 distinct security programs and neutralizes those defenses before the encryptor is deployed. The affiliate toolkit also includes HexKiller, ThrottleBlood, and HavocKiller, all standardized on a shared defense-evasion layer. Compiled samples are additionally hardened with the Enigma or Themida protectors.
The group's tooling leans heavily on the bring your own vulnerable driver (BYOVD) technique, which it operationalizes within days of new proof-of-concept exploits being published. Drivers exploited across the GentleKiller variants include eb.sys (impersonating Kaspersky), nseckrnl.sys (FACEIT Anti-Cheat), GameDriverX64.sys (Valorant), stpm_old.sys and stpm_new.sys (Javelin), dmx.sys (WatchDog), 360netmon_wfp.sys (Network Blocker), IMFForceDelete.sys (Cleaner), and PoisonX.sys (G11). The PoisonX.sys abuse in particular has been linked to multiple BYOVD attacks in recent months, including one that disabled CrowdStrike Falcon. Defenders can audit exposed attack surfaces and open services through a port scanner to identify soft spots before threat actors do.
Security teams should treat The Gentlemen operation as a high-priority threat actor given its rapid exploit-to-weaponization cycle and layered impersonation tradecraft. Monitoring for unsigned or impersonated driver loads, especially loads of the BYOVD drivers listed above, should be a priority for SOC teams running CrowdStrike Falcon, Kaspersky, or similar EDR products. Administrators can further validate domain hygiene and certificate posture with an SSL/TLS checker to ensure attackers are not leveraging look-alike infrastructure for payload delivery.
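As an added illustration of the driver-load monitoring recommended above (example code written for this article, not tooling from ESET or any vendor named here), the script below triages driver-load records against the driver file names the article attributes to GentleKiller. The record layout mirrors the fields of a Sysmon Event ID 6 (DriverLoad) event, the sample events and hash values are constructed, and the blocklist set is a placeholder for a real vulnerable-driver hash list such as Microsoft's recommended driver block rules or the LOLDrivers project.

```python
"""Triage driver-load events for the BYOVD drivers attributed to GentleKiller."""
from dataclasses import dataclass
import ntpath

# Driver file names reported as abused across the GentleKiller variants (from the article).
GENTLEKILLER_DRIVERS = frozenset({
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys", "stpm_new.sys",
    "dmx.sys", "360netmon_wfp.sys", "imfforcedelete.sys", "poisonx.sys",
})


@dataclass
class DriverLoad:
    """Subset of a Sysmon Event ID 6 (DriverLoad) record."""
    image: str       # ImageLoaded: full path of the driver file
    signed: bool     # Signed: whether the binary carries a valid signature
    signature: str   # Signature: signer name, empty if unsigned
    sha256: str      # SHA256 from the Hashes field (lower-case hex)


def driver_basename(image: str) -> str:
    """Return the lower-cased file name, handling Windows paths on any host OS."""
    return ntpath.basename(image).lower()


def is_gentlekiller_name(image: str) -> bool:
    """True if the driver file name matches one abused by a GentleKiller variant."""
    return driver_basename(image) in GENTLEKILLER_DRIVERS


def triage(events, blocklist_hashes=frozenset()):
    """Return [(image, [reasons])] for every event that deserves analyst attention.

    A name match alone is a triage signal, not a verdict: a legitimate install of the
    impersonated product can load the same driver name, and an attacker can rename the
    file. Hash matching against a vulnerable-driver blocklist is the more robust check.
    """
    hits = []
    for ev in events:
        reasons = []
        if is_gentlekiller_name(ev.image):
            reasons.append("file name matches a driver abused by GentleKiller")
        if ev.sha256.lower() in blocklist_hashes:
            reasons.append("hash is on the vulnerable-driver blocklist")
        if not ev.signed:
            reasons.append("driver is unsigned")
        if reasons:
            hits.append((ev.image, reasons))
    return hits


# Constructed sample events; paths, signer names and hashes are made up for this example.
SAMPLE_EVENTS = [
    DriverLoad(r"C:\Windows\System32\drivers\ntfs.sys", True, "Microsoft Windows", "11" * 32),
    DriverLoad(r"C:\Users\Public\PoisonX.sys", True, "Constructed Signer Ltd", "22" * 32),
    DriverLoad(r"C:\Temp\EB.SYS", True, "Constructed AV Vendor", "33" * 32),
    DriverLoad(r"C:\Temp\ldr.sys", False, "", "44" * 32),
]

# Placeholder blocklist: in practice, load hashes from a maintained vulnerable-driver list.
CONSTRUCTED_BLOCKLIST = frozenset({"33" * 32})


def triage_sample():
    """Run the triage over the constructed events (used by the demo and the checks)."""
    return triage(SAMPLE_EVENTS, CONSTRUCTED_BLOCKLIST)


if __name__ == "__main__":
    for image, reasons in triage_sample():
        print(f"{image}: {'; '.join(reasons)}")
```

Hook the `triage` function to your SIEM's export of Sysmon DriverLoad events (or to `Get-CimInstance Win32_SystemDriver` output from a live host) and replace `CONSTRUCTED_BLOCKLIST` with a current hash list; because BYOVD drivers are usually validly signed, the unsigned check catches only the sloppiest loaders, so the hash and name matches carry most of the detection value.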