Researchers at ESET have analyzed the EDR-killing toolkit used by the ransomware-as-a-service group Gentlemen, focusing on how the gang disables endpoint detection and response defenses before launching attacks. Since the beginning of 2026, Gentlemen has become one of the most active ransomware groups, and its standout feature is a mature, operator-managed set of tools built specifically to weaken security software.
A Different Ransomware Model
Gentlemen stands out because it does not just hand affiliates encryptors and let them improvise. Instead, the operators maintain and distribute a portfolio of EDR killers through an in-house framework ESET has named GentleKiller. That setup gives affiliates a ready-made way to disrupt security tools, which makes the gang’s operations more standardized and potentially more effective.
The group also differs from many of the biggest ransomware operations in its victim profile. While top ransomware gangs often focus heavily on the United States, Gentlemen has targeted victims across Southeast Asia, South America and Western Europe, including countries such as Thailand, Brazil and France. That broader spread makes its activity unusual compared with the more US-centric patterns seen in the sector.
How GentleKiller Works
ESET says GentleKiller is the most common EDR killer in the gang’s ecosystem, and it now includes eight distinct variants. Each variant impersonates a different legitimate product and abuses a different vulnerable or malicious driver, but all share a common internal structure that lets ESET group them under one umbrella.
The tools use defense-evasion tricks that are applied to compiled samples rather than source code. That approach gives Gentlemen flexibility, because even if it does not control the original codebase, it can still protect and operationalize the final binaries it distributes to affiliates. The tools also fake version information and copy legitimate certificates and icons to make themselves look like trusted software.
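A defender-side check that is added here and is not part of the ESET report or of the Gentlemen tooling: the PowerShell below sweeps registered kernel drivers and running processes and flags binaries whose version resource claims a vendor while the Authenticode signature either fails to verify (a signature block lifted from a legitimate file produces a hash mismatch) or names a different signer. It assumes an elevated session on a Windows host under review; the function name and output fields are the example's own.

```powershell
# Added example, not code from the ESET report. Flags PE files whose version
# resource claims a vendor but whose Authenticode signature does not verify or
# is issued to someone else, which is what fake version info plus a copied
# certificate looks like on disk. Run elevated.
function Test-ImpersonatedBinary {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $vi   = $item.VersionInfo
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    $claimedVendor = $vi.CompanyName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    $findings = @()
    if ($sig.Status -ne 'Valid') {
        # HashMismatch is the status a signature copied from another file yields;
        # NotSigned with a vendor-looking CompanyName is equally worth a look.
        $findings += "signature status $($sig.Status)"
    }
    if ($claimedVendor -and $signer -and
        ($signer -notmatch [regex]::Escape($claimedVendor))) {
        $findings += "CompanyName '$claimedVendor' not found in signer '$signer'"
    }

    [pscustomobject]@{
        Path       = $Path
        Vendor     = $claimedVendor
        Product    = $vi.ProductName
        SigStatus  = $sig.Status
        Signer     = $signer
        Suspicious = $findings.Count -gt 0
        Reason     = ($findings -join '; ')
    }
}

# Registered kernel drivers (the BYOVD surface) plus user-mode processes.
# Driver paths come back in NT form (\??\C:\... or \SystemRoot\...), so
# normalise them before touching the file system.
$driverPaths = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot }
$procPaths = Get-Process | Where-Object Path | Select-Object -ExpandProperty Path

$driverPaths + $procPaths | Sort-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-ImpersonatedBinary -Path $_ } |
    Where-Object Suspicious |
    Format-Table Path, Vendor, SigStatus, Reason -AutoSize
```

Hits are triage leads, not verdicts: some legitimate software ships unsigned or with catalog-only signatures, so correlate flagged files with how they were dropped and what loaded them.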
Third-Party Tools And Fast Turnaround
Gentlemen does not rely only on its own tools. ESET found that the gang also uses third-party or leaked utilities such as HexKiller, ThrottleBlood and HavocKiller, which are integrated into the same defense-evasion layer. That shared framework helps the group standardize how the tools behave and how they appear on infected systems.
One of the more concerning details is the group’s speed in adapting newly disclosed Bring Your Own Vulnerable Driver proof-of-concepts. ESET says Gentlemen often operationalizes those tools within days of public release, showing that the group can move quickly from vulnerability disclosure to active abuse.
Broader Ransomware Operation
Gentlemen emerged in late 2025 and quickly grew into one of the most active ransomware operations observed in the first quarter of 2026. The gang uses double extortion, meaning it both encrypts victim data and threatens to leak it if the ransom is not paid, and it reportedly offers affiliates a 90% revenue share.
ESET also identified a credential stealer called OxideHarvest, which it says was developed by one of the gang’s affiliates. Taken together, the findings show a ransomware ecosystem that is not only active but also increasingly industrialized, with operator-maintained tooling and rapid adoption of new attack methods.
