ESET researchers analyzed the sturdy EDR-killing toolset of the ransomware-as-a-service gang Gents. For the reason that starting of 2026, Gents has emerged as one of the crucial lively gangs within the ransomware ecosystem. The group distinguishes itself by a mature, operator-maintained set of endpoint detection and response (EDR) killers, i.e., instruments for disrupting safety software program. Moreover, in contrast to most top-tier gangs, Gents doesn’t exhibit a powerful US-centric victimology, as a substitute focusing on victims throughout Southeast Asia, South America, and Western Europe.<\/p>\n
Whereas there have been a number of studies masking Gents in latest months, they haven’t centered on an in depth evaluation of the group\u2019s EDR killers. Due to ESET\u2019s continued incident-level visibility, we will nonetheless present a uniquely deep view into Gents\u2019s EDR-killer improvement practices. The interior knowledge leak that Gents suffered in Might 2026 then gave us much more perception into the internal workings of the group.<\/p>\n
The leak additionally allowed us to verify our speculation from February 2026 that Gents operators actively develop and keep a portfolio of EDR killers that they provide to associates, centered round their in-house framework we have now named GentleKiller. Additionally they incorporate third-party or leaked instruments reminiscent of HexKiller, ThrottleBlood, and HavocKiller. These instruments are standardized by a shared defense-evasion layer, impersonating predominantly safety distributors utilizing faux model info, and copied respectable certificates and icons. Gents additionally demonstrates a capability to unusually rapidly operationalize newly disclosed Deliver Your Personal Weak Driver (BYOVD) proofs-of-concept, usually inside days of public launch.<\/p>\n
On this blogpost, we share our findings on Gents\u2019s suite of EDR killers gained by intensive analysis and corroborated by the latest leak. We goal to supply actionable insights by connecting the EDR killer packages to precise samples, and tying the leaked knowledge to ways, methods, and procedures (TTPs). Our findings spotlight Gents as one of the crucial technically agile ransomware-as-a-service (RaaS) gangs lively in 2026.<\/p>\n
\nKey factors of the blogpost:<\/strong><\/p>\n
\n
- Gents operators develop and keep an EDR-killer suite offered on to associates.<\/li>\n
- GentleKiller is an in\u2011home framework with not less than eight variants abusing totally different weak or malicious drivers.<\/li>\n
- Gents operators apply a unified evasion technique throughout instruments that standardizes impersonation and safety.<\/li>\n
- Third\u2011social gathering EDR killers (HexKiller, ThrottleBlood, and HavocKiller) are operationally built-in.<\/li>\n
- Gents can quickly adapt newly launched EDR killer proofs-of-concept (PoCs).<\/li>\n
- The gang\u2019s victimology is globally distributed and notably not US\u2011centered.<\/li>\n
- Gents additionally makes use of OxideHarvest, a credential stealer maintained by one of many group\u2019s associates.<\/li>\n<\/ul>\n<\/blockquote>\n
All through this blogpost, we check with RaaS operators<\/strong> and associates<\/strong>.<\/p>\n
Operators<\/strong> are liable for growing the ransomware payload, managing decryption keys, sustaining the devoted leak web site, usually negotiating the ransom cost with victims, and providing different tooling and providers for a month-to-month price or a proportion from the ransom cost (sometimes 5\u201320%).<\/p>\n
Associates<\/strong> lease ransomware providers from operators, deploy encryptors to victims\u2019 networks, and are additionally liable for knowledge exfiltration.<\/p>\n
Gents profile<\/h2>\n
Gents emerged in late 2025 as a RaaS operation and rapidly grew into one of the crucial lively ransomware gangs noticed in Q1 2026. The gang affords a beneficiant 90% share to associates. Group-IB disclosed<\/a> that Gents was based by hastalamuerte<\/span>, a disgruntled former Qilin affiliate. PRODAFT tweeted<\/a> on October 17th<\/sup>, 2025 that Gents operators have been beforehand associates of Qilin, Embargo, LockBit, Medusa, and BlackLock. On June 10th<\/sup>, 2026 Brian Krebs shared proof<\/a> of hastalamuerte<\/span>\u2019s true id.<\/p>\n
Gents makes use of double extortion \u2013 along with encrypting the sufferer knowledge, the group additionally threatens to leak it if the ransom shouldn’t be paid. For encryption, the operators provide a variant written in Go focusing on Home windows, Linux, and different platforms, and an ESXi variant written in C.<\/p>\n
One of many issues that units Gents aside is the gang\u2019s willingness to supply extra than simply encryptors to associates \u2013 specifically, the gang additionally supplies EDR killers. Latest ESET analysis<\/a> has proven that, in most ransomware intrusions, the duty for locating a dependable EDR killer sometimes falls on particular person associates, not the RaaS operators themselves. Solely a small variety of exceptions to this mannequin have been documented. One notable case is RansomHub<\/a>, which invested in growing its personal EDR killer from scratch, EDRKillShifter, after which provided it to associates by the affiliate panel.<\/p>\n
Gents represents a special, and to this point underreported, method. Slightly than counting on associates to supply their very own EDR killers, Gents operators actively develop and keep a portfolio of EDR killers for associates. This portfolio combines an in-house developed software, which we named GentleKiller, together with externally sourced or leaked tooling, standardized by a shared evasion layer and staged in a constant method.<\/p>\n
ESET researchers hypothesized that GentleKiller was an inside software again in February 2026, and this was later supported by studies from Group-IB<\/a> and Verify Level<\/a> \u2013 each point out that the gang supplies EDR-killing capabilities to its (verified) associates. The just lately leaked inside knowledge<\/a> of the gang offered the ultimate piece of proof: within the leaks, zeta88<\/span> (one other alias utilized by hastalamuerte<\/span>), the chief of the gang, brazenly talks about sustaining and offering EDR-killer packages.<\/p>\n
Other than confirming our suspicion about GentleKiller, the leaked knowledge additionally allowed us to hyperlink a credential stealer we named OxideHarvest to Gents; particularly, to one in all its associates.<\/p>\n
Victimology<\/h3>\n
Whereas the victimology of enormous RaaS operations is commonly formed extra by associates\u2019 decisions than by operator-led technique, one specific sample nonetheless tends to emerge. Most main ransomware gangs present a powerful and protracted give attention to the US, which regularly accounts for roughly half of all introduced victims. This US-centric bias is clear throughout a number of distinguished teams, together with Qilin, DragonForce, and Akira, and has successfully develop into the norm amongst top-tier ransomware operations.<\/p>\n
Gents stands out as a notable exception to this pattern. Regardless of rating among the many 5 most lively ransomware gangs in Q1 2026, its victimology doesn’t exhibit a comparable US focus. As a substitute, Gents associates constantly goal victims throughout a broad and geographically numerous vary of nations, with a major variety of victims coming from areas reminiscent of Southeast Asia, South America, and Western Europe. Certainly, the gang\u2019s focusing on consists of some in any other case uncommon nations like Thailand, Brazil, and France.<\/p>\n
The just lately leaked knowledge supplies proof that relating to selecting victims, Gents makes use of a centralized method of sorting by viable candidates after which distributing them to associates. Victims are chosen based on their FortiGate (mis)configuration quite than their geographical location.<\/p>\n
EDR Killers<\/h2>\n
In February 2026, we noticed a beforehand undocumented EDR killer deployed by a Gents affiliate and staged in a listing named GentlemenCollection<\/span>. We named this software GentleKiller. On the time, we hypothesized that it was not an affiliate-specific artifact however quite a software offered to associates by the Gents operators. Since then, we have now noticed the identical staging sample (dropping GentleKiller and different EDR killers to the GentlemenCollection<\/span> listing) a number of instances throughout unrelated intrusions that we investigated, constantly involving Gents associates. In parallel, two independently printed studies by Group-IB<\/a> and Verify Level<\/a> assessed that the Gents operators explicitly provide EDR-disabling capabilities as a part of their RaaS program.<\/p>\n
Taken collectively, these observations allowed us to conclude that GentleKiller is a part of an EDR-killer suite maintained by the Gents operators. This was later confirmed within the group\u2019s leaked knowledge.<\/p>\n
In addition to GentleKiller, the suite additionally accommodates HexKiller, HavocKiller, and ThrottleBlood; all ESET names for EDR killers utilized by associates of rival gangs too and obtained by Gents through unknown means. We additionally noticed DemoKiller in a number of intrusions, however this EDR killer didn’t exhibit any ties to Gents and due to this fact we exclude it from the gang\u2019s suite and as a substitute think about it affiliate-specific. The next a part of the blogpost covers these instruments in additional element and locations them into the broader EDR-killer ecosystem. Whereas these instruments are operationally built-in into Gents intrusions, we assess with excessive confidence that solely GentleKiller is developed in-house by the Gents operators, whereas the remaining EDR killers have been seemingly sourced externally and subsequently modified and standardized to suit the operators\u2019 toolset. Our evaluation is predicated on:<\/p>\n
\n
- GentleKiller showing primarily in Gents-related intrusions, usually deployed to the GentlemenCollection<\/span> listing,<\/li>\n
- steady improvement with clear entry to the supply code that enables creating new variants and supporting newly emerged PoCs, and<\/li>\n
- third-party reporting mentioning Gents providing EDR-killing capabilities to trusted associates.<\/li>\n<\/ul>\n
Protection evasion technique<\/h3>\n
Gents operators apply a particular set of protection evasion methods to the gang\u2019s varied EDR killers. These methods are utilized to compiled samples quite than supply code. This offers Gents the choice to guard even the EDR killers whose supply code the gang doesn’t possess.<\/p>\n
All of the EDR killers which are a part of Gents\u2019s portfolio comply with these defense-evasion patterns, which factors to a standardized technique, particularly:<\/p>\n
\n
- Superior binary safety (Enigma or Themida) is utilized to a good portion of the samples we detected. The filename suffix usually identifies the strategy used (Enigma, Themida, or none).<\/li>\n
- Filenames are chosen to carefully resemble these of well-known software program distributors, significantly corporations working within the cybersecurity area.<\/li>\n
- Executables impersonate the distributors by having the next attributes, all matching the identical vendor or product:<\/li>\n<\/ul>\n
\u25cb<\/span> fabricated model info,<\/span><\/p>\n
\u25cb<\/span> invalid digital signatures copied from respectable executables, and<\/span><\/p>\n
\u25cb<\/span> icons matching these of the impersonated distributors.<\/span><\/p>\n
Though a small variety of samples deviate from this method, seemingly resulting from inconsistent improvement practices, the overwhelming majority of noticed EDR killers adhere to this sample. In Desk\u00a01, we present how the suffixes work. Later within the blogpost, we clarify how the suffixes are appended to filenames.<\/p>\n
Desk\u00a01. Naming sample of the EDR killers maintained by Gents<\/em><\/p>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/gentlemen\/figure-1.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/gentlemen\/figure-2.png\" "\\"Figure")