The Gentlemen ransomware-as-a-service (RaaS) operation has built a modular toolkit to disable endpoint detection and response (EDR) systems before launching encryption or data-theft attacks. Security researchers report that the group’s primary utility, dubbed GentleKiller, now exists in at least eight variants, each impersonating legitimate software and exploiting vulnerable drivers to gain kernel-level access on target machines.
How the toolkit works
GentleKiller variants share a common codebase and obfuscation methods but swap out the vulnerable driver used to escalate privileges, an approach known as BYOVD in which the attacker ships a legitimately signed but exploitable driver and abuses it for kernel access. This design lets the group incorporate newly disclosed driver flaws without rewriting the core logic. Once elevated, the tool targets over 400 processes linked to approximately 48 security vendors, including Microsoft, CrowdStrike, SentinelOne, Palo Alto Networks, and ESET. The binaries are protected by the commercial packers Enigma and Themida, and some samples carry invalid digital signatures taken from legitimate applications.
In addition to GentleKiller, the Gentlemen RaaS toolkit includes at least three third-party EDR killers: HexKiller, ThrottleBlood, and HavocKiller. Researchers suggest these may provide redundancy, complicate attribution, or address scenarios where GentleKiller’s effectiveness is limited. A separate Rust-based credential-stealer, OxideHarvest, is also deployed, likely sourced externally given its programming language.
Background: Endpoint detection and response (EDR) systems monitor and block suspicious activity on endpoints such as laptops, servers, and virtual machines. Ransomware groups routinely disable these defenses early in an attack to prevent alerts and allow unobstructed encryption or data exfiltration.
Target selection and recent activity
The group appears to prioritize organizations running FortiGate VPN endpoints, possibly leveraging credentials exposed in the FortiBleed leak of nearly 74,000 FortiGate VPN logins; the timing of that leak is not specified in recent reports. The Gentlemen RaaS previously breached Romanian energy provider Oltenia. The operation has also been linked to a SystemBC proxy botnet of more than 1,570 corporate hosts, which may serve as a command-and-control or data-exfiltration channel.
For professionals: Security teams should confirm that Windows' vulnerable driver blocklist is enforced, audit any driver allow-lists, and alert when security-agent processes exit outside planned updates or restarts. Regular breach-and-attack simulation can identify gaps in EDR and SIEM rules before attackers exploit them.
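The two behaviours the toolkit description above relies on, a vulnerable driver being loaded for kernel access and many security-vendor processes dying in quick succession, are what the monitoring advised in the For professionals block should key on. The following is an added example written for this page, not code from the article, the researchers, or any vendor: a Python sketch that runs two such rules over constructed Sysmon-style events (event 6, driver loaded; event 5, process terminated). The driver hash blocklist and the event data are placeholders, and the process-to-vendor map is an assumed, illustrative subset.

```python
"""Added detection sketch: BYOVD-style driver loads and bursts of security-agent
process terminations, evaluated over constructed Sysmon-style events."""
from datetime import datetime, timedelta

# Hypothetical SHA-256 blocklist with placeholder digests (not real driver hashes).
# A real deployment would load Microsoft's recommended driver block rules or a
# LOLDrivers-style feed instead.
DRIVER_BLOCKLIST = {
    "0" * 64: "hypothetical-abusable-driver-a.sys",
    "1" * 64: "hypothetical-abusable-driver-b.sys",
}

# Assumed, illustrative subset of security-agent process names mapped to vendor.
# The article reports over 400 targeted processes across roughly 48 vendors;
# a production rule would carry that full inventory.
SECURITY_PROCESSES = {
    "msmpeng.exe": "Microsoft",
    "csfalconservice.exe": "CrowdStrike",
    "sentinelagent.exe": "SentinelOne",
    "cyserver.exe": "Palo Alto",
    "ekrn.exe": "ESET",
}


def parse_utc(text):
    """Sysmon UtcTime without the fractional part, e.g. '2026-06-18 09:15:12'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def basename_lower(path):
    """Last component of a Windows path, lowercased; works on any host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def sha256_from_hashes(field):
    """Extract the SHA256 digest from Sysmon's 'SHA256=...,MD5=...' Hashes field."""
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def flag_driver_loads(events):
    """Sysmon event 6 (driver loaded): alert on a blocklisted hash, or on a driver
    whose signature did not validate (a certificate lifted from another product
    typically shows up as a non-Valid SignatureStatus)."""
    alerts = []
    for e in events:
        if e.get("EventID") != 6:
            continue
        digest = sha256_from_hashes(e.get("Hashes", ""))
        if digest in DRIVER_BLOCKLIST:
            alerts.append({"rule": "blocklisted_driver_load", "time": e["UtcTime"],
                           "driver": e["ImageLoaded"], "match": DRIVER_BLOCKLIST[digest]})
        elif e.get("SignatureStatus") != "Valid":
            alerts.append({"rule": "driver_load_bad_signature", "time": e["UtcTime"],
                           "driver": e["ImageLoaded"], "status": e.get("SignatureStatus")})
    return alerts


def flag_termination_bursts(events, window_seconds=60, min_vendors=3):
    """Sysmon event 5 (process terminated): alert once per burst when agents from at
    least min_vendors distinct security vendors exit within window_seconds. One agent
    restarting is routine; several vendors' agents dying together is a kill tool."""
    hits = sorted(
        (parse_utc(e["UtcTime"]), SECURITY_PROCESSES[basename_lower(e["Image"])])
        for e in events
        if e.get("EventID") == 5 and basename_lower(e["Image"]) in SECURITY_PROCESSES
    )
    window = timedelta(seconds=window_seconds)
    alerts, start, burst_first, burst_end = [], 0, None, None
    for end, (t, _vendor) in enumerate(hits):
        while t - hits[start][0] > window:
            start += 1  # slide the window forward past aged-out terminations
        vendors = {v for _, v in hits[start:end + 1]}
        if len(vendors) < min_vendors:
            continue
        if burst_end is not None and t <= burst_end:
            # Still inside the burst that already fired: extend the open alert.
            alerts[-1]["vendors"] = sorted(set(alerts[-1]["vendors"]) | vendors)
            alerts[-1]["count"] = end - burst_first + 1
        else:
            burst_first, burst_end = start, hits[start][0] + window
            alerts.append({"rule": "security_process_termination_burst",
                           "time": hits[start][0].strftime("%Y-%m-%d %H:%M:%S"),
                           "vendors": sorted(vendors), "count": end - start + 1})
    return alerts


def detect(events):
    """Run both rules; driver alerts first, then termination bursts."""
    return flag_driver_loads(events) + flag_termination_bursts(events)


# Constructed Sysmon-style events (not real telemetry) modelling a kill-tool run:
# a blocklisted driver loads from a user-writable path, a second driver carries a
# signature that does not validate, then four vendors' agents die within seconds.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-06-18 09:14:02", "ImageLoaded": "C:\\Windows\\System32\\drivers\\legit.sys",
     "Hashes": "SHA256=" + "a" * 64, "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2026-06-18 09:15:10", "ImageLoaded": "C:\\Users\\Public\\Updater\\xrt.sys",
     "Hashes": "MD5=" + "b" * 32 + ",SHA256=" + "0" * 64, "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2026-06-18 09:15:11", "ImageLoaded": "C:\\Users\\Public\\Updater\\helper.sys",
     "Hashes": "SHA256=" + "c" * 64, "SignatureStatus": "Invalid"},
    {"EventID": 5, "UtcTime": "2026-06-18 09:15:12", "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2026-06-18 09:15:13", "Image": "C:\\Program Files\\CrowdStrike\\CSFalconService.exe"},
    {"EventID": 5, "UtcTime": "2026-06-18 09:15:13", "Image": "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe"},
    {"EventID": 5, "UtcTime": "2026-06-18 09:15:14", "Image": "C:\\Program Files\\ESET\\ESET Security\\ekrn.exe"},
    {"EventID": 5, "UtcTime": "2026-06-18 09:15:20", "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 5, "UtcTime": "2026-06-18 11:40:00", "Image": "C:\\Program Files\\ESET\\ESET Security\\ekrn.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample input the sketch raises three alerts: the blocklisted driver, the driver with a non-validating signature, and one termination burst covering four vendors, while the lone ESET agent restart two hours later stays below the threshold. In practice a fleet runs one EDR, so the vendor threshold can be set as low as two, and the blocklist should be the live Microsoft block rules or an equivalent feed rather than a static table.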
What to watch
The modular design of GentleKiller suggests the group will continue to weaponize newly disclosed driver vulnerabilities. Security vendors may also see increased use of stolen or forged digital signatures to bypass code-signing checks. Organizations running FortiGate appliances should rotate VPN credentials and review patch levels, particularly if credentials were exposed in the FortiBleed incident.
Automated pipeline · Security
Synthesized from 1 industry feed on 19 Jun 2026. First draft failed editor review; a revised version was approved (score 85/100) before publication. Style guide v1.3.
Decision trail
- Checking for duplicates — New story. No previously published or in-pipeline article covers Gentlemen ransomware's EDR killers.
- Writing the article — Draft created article_id=162 slug=gentlemen-raas-deploys-multi-tool-edr-killers-in-attacks
- Editor review — Rejected
- Score: 85/100
- Factual grounding: The draft states the Oltenia breach occurred in 2025, but the source does not provide a specific year. The timing is unclear and should be omitted or qualified as 'previously'.
- Style compliance: The standfirst exceeds the recommended length (should be one sentence, ~20-30 words).
- Style compliance: The Background block is well-sourced but slightly verbose (4 sentences; 2-3 is ideal).
- No copied phrasing: The phrase 'bring your own vulnerable driver (BYOVD)' is lifted verbatim from the source. While the term is technical, it should be paraphrased (e.g., 'exploiting vulnerable drivers to escalate privileges').
- Style compliance: The 'For professionals' block is actionable but could be tightened to 2 sentences (currently 3).
- Writing the article — Rewritten (editor-driven rewrite)
- Editor review — Approved
- Score: 85/100
- Factual grounding: The draft states 'over 400 processes linked to approximately 48 security vendors, including Microsoft Defender, CrowdStrike Falcon, SentinelOne, Palo Alto Cortex, and ESET itself.' The source lists 'Microsoft, CrowdStrike, SentinelOne, Palo Alto' but does not specify 'Microsoft Defender' or 'Palo Alto Cortex' as product names. The inclusion of 'itself' after ESET is an unsupported embellishment.
- Factual grounding: The draft mentions 'FortiBleed leak of nearly 74,000 FortiGate VPN logins' but does not clarify that the source states the timing of the leak is 'not specified in recent reports.' The draft should either omit the number or explicitly note the timing is unclear.
- Style compliance: The standfirst ('A ransomware-as-a-service group maintains custom and third-party tools to disable endpoint defenses before encryption.') exceeds the recommended brevity for a one-sentence summary. It should be tightened to under 20 words.
- No copied phrasing: The phrase 'bring your own vulnerable driver (BYOVD) technique' is lifted verbatim from the source. While the term is a standard industry acronym, the phrasing should be restructured (e.g., 'exploiting vulnerable drivers to escalate privileges').
- Style compliance: The 'For professionals' block is appropriate but could be more actionable. The current advice ('audit driver allow-lists and monitor for unexpected kernel-level process termination') is generic. The source mentions breach-and-attack simulation; this should be incorporated.
- Generating reader Q&A — Generated 4 items
- Assigning hero image — Pexels pexels_id=28520974 q=Gentlemen RaaS headquarters
- Linking related stories — Linked 5 relations from 122 candidates
- Linking related stories — Linked 5 relations from 123 candidates
- Linking related stories — Linked 5 relations from 124 candidates
- Publishing — Published gentlemen-raas-deploys-multi-tool-edr-killers-in-attacks
- Mastodon — Posted https://mstdn.social/@hostingpaper/116774153834588356