Killing Me Gently: Inside Gentlemen’s EDR Killer Framework
Summary
The Gentlemen ransomware-as-a-service operation maintains an advanced collection of Endpoint Detection and Response killers intended to disable or weaken security products. This arsenal includes the group’s in-house GentleKiller framework as well as embedded third-party utilities such as HexKiller and HavocKiller. The operators follow a consistent evasion model built around binary protection and vendor impersonation to slip past defensive controls.
Investigation
ESET researchers carried out a multi-month investigation that was strengthened by a May 2026 data leak tied to the Gentlemen group. Their analysis connected several EDR-disabling tools to the gang’s broader operational workflow and verified the presence of the GentleKiller framework. The research also confirmed that the group relies on Bring Your Own Vulnerable Driver techniques to obtain elevated privileges and evade endpoint defenses.
Mitigation
Organizations should deploy strong monitoring for driver loads to identify unauthorized or vulnerable driver installation associated with BYOVD activity. Hardening endpoint settings to block execution of unsigned or improperly signed drivers is essential. Security teams should also watch for suspicious process-killing loops and unusual staging paths such as GentlemenCollection, which may provide an early signal of attack preparation.
Response
If this activity is detected, responders should isolate impacted endpoints immediately to stop further driver-based abuse. A full review of system services and kernel-mode drivers should be performed to locate and remove malicious or vulnerable components. Teams should also investigate possible credential theft by auditing browser data access and reviewing unauthorized outbound connections from unknown Rust-based binaries.
Attack Flow

```mermaid
graph TB
    %% Class Definitions Section
    classDef tool fill:#cccccc
    classDef action fill:#99ccff
    classDef technique fill:#ff9999

    %% Node Definitions for Phase 1: Defense Impairment
    tool_gentlekiller["<b>Tool</b>: GentleKiller<br/><b>Description</b>: In-house framework used for<br/>disrupting security software via kernel-level privileges."]
    class tool_gentlekiller tool
    tool_thirdparty["<b>Tools</b>: HexKiller, ThrottleBlood, HavocKiller<br/><b>Description</b>: Third-party tools utilized for<br/>security software termination."]
    class tool_thirdparty tool
    action_byovd["<b>Action</b>: Bring Your Own Vulnerable Driver (BYOVD)<br/><b>Technique</b>: T1543.004<br/><b>Description</b>: Installing vulnerable drivers such as<br/>eb.sys, nseckrnl.sys, or stpm_new.sys to<br/>gain kernel-level privileges."]
    class action_byovd technique
    action_terminate_edr["<b>Action</b>: Terminate Security Processes<br/><b>Description</b>: Disruption of EDR and Antivirus solutions<br/>including ESET, Microsoft Defender, and CrowdStrike."]
    class action_terminate_edr action

    %% Node Definitions for Phase 2: Stealth and Masquerading
    action_obfuscation["<b>Action</b>: Binary Protection and Masquerading<br/><b>Technique</b>: T1036.005<br/><b>Description</b>: Using Enigma or Themida to protect binaries<br/>and applying fake version info, icons, and<br/>invalid digital signatures to mimic vendors."]
    class action_obfuscation technique

    %% Node Definitions for Phase 3: Credential Access
    tool_oxideharvest["<b>Tool</b>: OxideHarvest<br/><b>Description</b>: Rust-based credential stealer targeting<br/>web browser user data."]
    class tool_oxideharvest tool
    action_credential_access["<b>Action</b>: Credential Exfiltration<br/><b>Technique</b>: T1555<br/><b>Description</b>: Accessing and exfiltrating credentials from<br/>Google Chrome, Microsoft Edge, and Mozilla Firefox."]
    class action_credential_access action

    %% Connections and Attack Flow
    tool_gentlekiller -->|executes| action_byovd
    tool_thirdparty -->|executes| action_byovd
    action_byovd -->|leads_to| action_terminate_edr
    action_terminate_edr -->|enables| action_obfuscation
    action_obfuscation -->|facilitates| tool_oxideharvest
    tool_oxideharvest -->|performs| action_credential_access
```
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: The adversary aims to disable the local EDR agent to facilitate further post-exploitation activities. To evade detection, they utilize the “GentleKiller” framework, which has been modified to rename its executable to acronis_agent.exe. By masquerading as a legitimate backup service, the attacker hopes to blend into the noise of standard administrative processes. The attacker executes the renamed binary with the --help flag to test its functionality in the current environment.
- Regression Test Script:

```powershell
# Simulation of GentleKiller masquerading as Acronis Agent
$TargetDir = Join-Path $env:TEMP "GentleKillerSim"
New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null

# Create a dummy executable to simulate the malicious binary.
# In a real scenario, this would be the actual GentleKiller binary.
# Since we can't run a real EDR killer, a benign built-in binary is copied
# under the masqueraded name so that a process with Image 'acronis_agent.exe'
# and a '--help' command line actually appears in the telemetry.
$DummyExe = Join-Path $TargetDir "acronis_agent.exe"
Copy-Item -Path (Join-Path $env:SystemRoot "System32\whoami.exe") -Destination $DummyExe -Force

# Launch the renamed binary with --help, as described in the attack narrative.
# The detection rule (which looks for the specific image name) should fire
# on this process-creation event in the SIEM.
Start-Process -FilePath $DummyExe -ArgumentList "--help" -WorkingDirectory $TargetDir -WindowStyle Hidden -Wait
```

- Cleanup Commands:

```powershell
# Remove the simulated malicious directory and files
Remove-Item -Path (Join-Path $env:TEMP "GentleKillerSim") -Recurse -Force
```
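As an added example (not from the ESET research or this page's own detection content), the following Python triage pass applies the signals listed in the Mitigation section to constructed Sysmon-style events, including the masqueraded acronis_agent.exe launch that the regression test above is meant to generate. The event field names (ts, kind, image, signed, by), the kill-loop threshold and window, and the sample telemetry are assumptions made for illustration.

```python
from collections import defaultdict

# Driver file names taken from the attack-flow diagram on this page.
KNOWN_VULN_DRIVERS = {"eb.sys", "nseckrnl.sys", "stpm_new.sys"}
KILL_LOOP_THRESHOLD = 5   # terminations by one process within KILL_LOOP_WINDOW (assumed values)
KILL_LOOP_WINDOW = 10     # seconds


def triage(events):
    """Return (timestamp, signal) tuples for events matching the Mitigation section's indicators."""
    hits = []
    kills = defaultdict(list)  # terminating process -> recent termination timestamps
    for ev in events:
        ts, kind = ev["ts"], ev["kind"]
        image = ev.get("image", "").lower()
        if kind == "driver_load":
            name = image.rsplit("\\", 1)[-1]
            if name in KNOWN_VULN_DRIVERS:
                hits.append((ts, f"known vulnerable driver loaded: {name}"))
            if ev.get("signed") is not True:  # unsigned or signature did not validate
                hits.append((ts, f"unsigned or invalid-signature driver: {name}"))
        elif kind == "process_create":
            if "gentlemencollection" in image:
                hits.append((ts, f"staging path observed: {image}"))
            # A vendor-named binary running outside a vendor install path is the masquerade case.
            if image.endswith("acronis_agent.exe") and "\\program files" not in image:
                hits.append((ts, f"vendor-named binary outside install path: {image}"))
        elif kind == "process_terminate":
            # Assumes the telemetry source attributes the terminating process in 'by'.
            by = ev.get("by", "").lower()
            recent = [t for t in kills[by] if ts - t <= KILL_LOOP_WINDOW]
            recent.append(ts)
            kills[by] = recent
            if len(recent) == KILL_LOOP_THRESHOLD:
                hits.append((ts, f"process-kill loop from {by}"))
    return hits


# Constructed sample telemetry (not real log data): a BYOVD load from a staging
# directory, the masqueraded launch, then a burst of EDR process terminations.
STAGING = "C:\\Users\\Public\\GentlemenCollection\\"
SAMPLE_EVENTS = [
    {"ts": 0, "kind": "driver_load", "image": STAGING + "eb.sys", "signed": False},
    {"ts": 1, "kind": "process_create", "image": STAGING + "acronis_agent.exe"},
] + [{"ts": 2 + i, "kind": "process_terminate", "image": "edr_agent.exe",
      "by": STAGING + "acronis_agent.exe"} for i in range(5)]


def sample_signals():
    return [signal for _, signal in triage(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for ts, signal in triage(SAMPLE_EVENTS):
        print(f"t={ts:>3}s  {signal}")
```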