Full Report
ESET Research shares the results of a months-long investigation into the suite of EDR killers maintained by the RaaS gang Gentlemen
Analysis Summary
# Tool/Technique: GentleKiller Framework (and associated EDR Killers)
## Overview
GentleKiller is a sophisticated, operator-maintained framework designed to disrupt and disable Endpoint Detection and Response (EDR) and Antivirus (AV) software. Maintained by the **Gentlemen** Ransomware-as-a-Service (RaaS) gang, the framework serves as a centralized suite that incorporates both in-house developed tools and modified third-party EDR killers to clear the path for ransomware deployment.
## Technical Details
- **Type:** Malware Toolset / EDR Killer Framework
- **Platform:** Windows (x64)
- **Capabilities:** Bring Your Own Vulnerable Driver (BYOVD), process termination, service disruption, and defense evasion.
- **First Seen:** Early 2026 (Investigation began February 2026)
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1106 - Native API
- **TA0003 - Persistence**
- T1543.003 - Create or Modify System Process: Windows Service
- **TA0004 - Privilege Escalation**
- T1068 - Exploitation for Privilege Escalation (BYOVD: a signed but vulnerable driver is loaded and its IOCTL interface abused to act from kernel mode)
- **TA0005 - Defense Evasion**
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1036 - Masquerading
- T1036.001 - Masquerading: Invalid Code Signature
- T1027 - Obfuscated Files or Information
## Functionality
### Core Capabilities
- **EDR/AV Termination:** Actively seeks and terminates processes associated with major security vendors.
- **Kernel-Level Interference:** Loads signed but vulnerable third-party drivers (BYOVD) and drives them through `DeviceIoControl` to act from kernel mode, which is how the suite terminates EDR processes that Protected Process Light (PPL) shields from user-mode callers.
- **Service Management:** Ability to install, start, and stop system services to disable security agents.
### Advanced Features
- **Shared Evasion Layer:** A standardized protection layer applied to every tool in the suite: fake version information, legitimate-looking icons, and certificate data copied from legitimate vendor binaries, so that a sample such as `Sophos.exe` passes as trusted software at a glance even though the signature does not validate (T1036.001).
- **Rapid Operationalization:** Extremely fast turnaround in turning newly disclosed driver vulnerabilities into functional attack tools (often within days of a PoC release).
- **Multi-Tool Integration:** Incorporates and "repackages" leaked or third-party tools like *HexKiller*, *ThrottleBlood*, and *HavocKiller* into the GentleKiller ecosystem.
## Indicators of Compromise
- **File Hashes (SHA256, shown truncated in this summary; a full SHA256 is 64 hex characters):**
- `6731E7C39F5A9D852B14` (Sophos.exe / HavocKiller)
- `E64727501FB98B1C2BE6` (havoc.sys / Vulnerable Huawei Driver)
- `1E6F26976E98183CFD27` (buildx64.exe / OxideHarvest)
- **File Names:**
- `Sophos.exe` (Masqueraded name)
- `GentleKiller.exe`
- `buildx64.exe` / `buildx641.exe`
- `havoc.sys`
- **Behavioral Indicators:**
- Installation of known vulnerable or otherwise unexpected drivers (e.g., Huawei and MSI/Micro-Star drivers), typically from a user-writable path.
- A user-mode process issuing a burst of `DeviceIoControl` calls to the device object of a freshly loaded third-party driver.
- Unexpected termination of security-related processes and services (Defender's `MsMpEng.exe`/`WinDefend`, `SentinelAgent`, etc.).
- Console-based execution emitting debug strings related to process killing.
## Associated Threat Actors
- **Gentlemen (RaaS Gang):** An active ransomware group targeting Southeast Asia, South America, and Western Europe.
## Detection Methods
- **Signature-based:** ESET detection names `Win64/KillAV.DE` and `Win64/VulnDriver` (the killers and the vulnerable drivers they load, respectively).
- **Behavioral:**
- Use of `SeLoadDriverPrivilege` by accounts other than the built-in service identities (Security event 4673, logged when "Audit Sensitive Privilege Use" is enabled), and kernel-driver service creation (event 4697) pointing at a `.sys` in a user-writable directory.
- Masquerading, where a binary's version resource and icon claim a vendor such as Sophos but its Authenticode signature is missing, invalid, or from a different signer.
- **YARA:** Rules targeting the shared evasion layer strings and the specific "GentleKiller" debug messages emitted during process killing.
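The behavioral indicators above can be tried out as rules over forwarded event records. The following is an added example for this summary, not code from ESET or from the Gentlemen toolset: it triages constructed JSON-lines records in the shape a log forwarder emits for Sysmon (EID 1, 6, 10) and the Security log (EID 4673, 4697). Field names follow those event schemas; the paths, users, SIDs, signer strings and both watchlists are invented starting points, not ESET's IoCs.

```python
"""Behavioral triage of BYOVD / EDR-killer activity over Windows event records.

Added example; not code from the ESET report. SAMPLE_LOG is constructed, and the
watchlists are hypothetical (havoc.sys is the masqueraded driver name from the
summary, the other entries are placeholders to replace with your own lists).
"""
import json
import re

# Images an EDR killer opens handles to (hypothetical watchlist; extend per vendor).
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "savservice.exe",
                      "csfalconservice.exe", "elastic-endpoint.exe"}
# Driver file names seen abused for kernel-mode process termination (hypothetical list).
KNOWN_VULNERABLE_DRIVERS = {"havoc.sys", "vulndrv_a.sys", "vulndrv_b.sys"}
PROCESS_TERMINATE = 0x0001                       # bit in Sysmon EID 10 GrantedAccess
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev):
    """Return [(rule, detail), ...] for one event dict; empty list if nothing matched."""
    hits = []
    src, eid = ev.get("source"), ev.get("event_id")
    if src == "sysmon" and eid == 6:                       # DriverLoad
        name = _basename(ev["ImageLoaded"])
        if name in KNOWN_VULNERABLE_DRIVERS:
            hits.append(("known_vulnerable_driver", name))
        if USER_WRITABLE.search(ev["ImageLoaded"]):
            hits.append(("driver_loaded_from_user_writable_path", ev["ImageLoaded"]))
        # BYOVD drivers usually carry a VALID vendor signature, so this rule alone misses them.
        if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
            hits.append(("driver_signature_not_valid", name))
    elif src == "sysmon" and eid == 10:                    # ProcessAccess
        target = _basename(ev["TargetImage"])
        if target in SECURITY_PROCESSES and int(ev["GrantedAccess"], 16) & PROCESS_TERMINATE:
            hits.append(("terminate_handle_to_security_process",
                         f"{ev['SourceImage']} -> {target}"))
    elif src == "sysmon" and eid == 1:                     # ProcessCreate
        image = ev["Image"]
        claims_vendor = "sophos" in (_basename(image) + ev.get("Company", "").lower())
        if claims_vendor and "\\program files\\sophos\\" not in image.lower():
            hits.append(("vendor_masquerade_outside_install_dir", image))
    elif src == "security" and eid == 4673:                # privileged service called
        if (ev.get("PrivilegeList") == "SeLoadDriverPrivilege"
                and ev.get("SubjectUserSid") not in SERVICE_SIDS):
            hits.append(("seloaddriver_by_non_service_account", ev["SubjectUserName"]))
    elif src == "security" and eid == 4697:                # service installed
        if ev.get("ServiceType") == "0x1" or ev.get("ServiceFileName", "").lower().endswith(".sys"):
            hits.append(("kernel_driver_service_installed", ev["ServiceFileName"]))
    return hits


def scan(lines):
    """Parse JSON-lines records and return every finding in log order."""
    out = []
    for line in lines:
        if line.strip():
            out.extend(triage(json.loads(line)))
    return out


def by_rule(findings):
    """Group finding details by rule name, for a quick per-host summary."""
    grouped = {}
    for rule, detail in findings:
        grouped.setdefault(rule, []).append(detail)
    return grouped


# Constructed sample log: a masqueraded launcher installs and loads a validly signed
# vulnerable driver, then opens a terminate handle to an EDR agent. The last two
# records are benign controls that must not fire.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"source": "sysmon", "event_id": 1, "Image": r"C:\Users\Public\Sophos.exe",
     "Company": "Sophos Limited", "OriginalFileName": "Sophos.exe"},
    {"source": "security", "event_id": 4697, "ServiceName": "havoc",
     "ServiceFileName": r"\??\C:\Users\Public\havoc.sys", "ServiceType": "0x1"},
    {"source": "security", "event_id": 4673, "SubjectUserName": "jdoe",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001", "PrivilegeList": "SeLoadDriverPrivilege"},
    {"source": "sysmon", "event_id": 6, "ImageLoaded": r"C:\Users\Public\havoc.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Constructed Vendor Signer"},
    {"source": "sysmon", "event_id": 10, "SourceImage": r"C:\Users\Public\Sophos.exe",
     "TargetImage": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe",
     "GrantedAccess": "0x1001"},
    {"source": "sysmon", "event_id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"source": "sysmon", "event_id": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "GrantedAccess": "0x1000"},
])

if __name__ == "__main__":
    for rule, details in by_rule(scan(SAMPLE_LOG.splitlines())).items():
        print(f"{rule}: {details}")
```

Note that the signed-driver check deliberately stays quiet on the constructed `havoc.sys` load: the whole point of BYOVD is that the driver is validly signed, so the actionable signals are the driver name, its path, the account that exercised `SeLoadDriverPrivilege`, and the terminate handle that follows.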
## Mitigation Strategies
- **Driver Blocklisting:** Enable and keep current the Microsoft recommended driver block rules (the Vulnerable Driver Blocklist, shipped as a WDAC policy) so known-abusable drivers are refused at load time even though they carry valid signatures.
- **HVCI (Memory Integrity):** Enable Hypervisor-Protected Code Integrity; it hardens kernel code integrity and is the setting under which Windows enforces the vulnerable driver blocklist by default.
- **Privilege Limitation:** Creating a kernel-driver service and loading a driver both require administrative rights (`SeLoadDriverPrivilege`); restrict local administrator membership so a compromised user session cannot reach that step.
- **EDR Protection:** Enable "Tamper Protection" in the EDR/AV settings to block service stops and process termination from user mode; because the suite's kernel-mode path exists precisely to get around such protections (the PPL bypass above), treat this as a complement to driver blocklisting, not a substitute.
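To see what the blocklist actually matches on, the following added example (not Microsoft's or ESET's code) parses a constructed three-rule policy in the XML shape of the Microsoft recommended driver block rules (namespace `urn:schemas-microsoft-com:sipolicy`, `<Deny>` elements under `<FileRules>`) and checks a constructed driver inventory against it. The driver names, versions and hash are invented. Two details matter when you repeat this against the real policy: `FileName` rules match the `OriginalFilename` from the driver's version resource, not the on-disk name, and `Hash` rules carry Authenticode PE hashes, not a flat SHA-256 of the file, so the caller must supply that hash kind.

```python
"""Check driver metadata against a WDAC driver-blocklist policy.

Added example; MINI_POLICY and SAMPLE_DRIVERS are constructed, and the
Authenticode hash is assumed to be computed by the caller (not done here).
"""
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:sipolicy}"

# Constructed miniature of the recommended-driver-block-rules XML layout.
MINI_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <FileRules>
    <Deny ID="ID_DENY_VULNDRV_A" FriendlyName="vulndrv_a.sys (all versions)"
          FileName="vulndrv_a.sys" MinimumFileVersion="0.0.0.0"
          MaximumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_VULNDRV_B" FriendlyName="vulndrv_b.sys (versions before the fix)"
          FileName="vulndrv_b.sys" MinimumFileVersion="0.0.0.0"
          MaximumFileVersion="2.3.0.0" />
    <Deny ID="ID_DENY_VULNDRV_C_SHA256" FriendlyName="vulndrv_c.sys Hash Sha256"
          Hash="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" />
  </FileRules>
</SiPolicy>
"""


def parse_version(text):
    """'2.3' -> (2, 3, 0, 0): pad to four numeric parts so tuples compare correctly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def load_deny_rules(policy_xml):
    """Extract hash rules and filename+version-range rules from the policy."""
    rules = []
    for deny in ET.fromstring(policy_xml).iter(NS + "Deny"):
        if deny.get("Hash"):
            rules.append({"id": deny.get("ID"), "kind": "hash",
                          "hash": deny.get("Hash").lower()})
        elif deny.get("FileName"):
            rules.append({
                "id": deny.get("ID"), "kind": "filename",
                "name": deny.get("FileName").lower(),
                "min": parse_version(deny.get("MinimumFileVersion", "0.0.0.0")),
                "max": parse_version(deny.get("MaximumFileVersion", "65535.65535.65535.65535")),
            })
    return rules


def matching_rule(driver, rules):
    """Return the ID of the first Deny rule that blocks `driver`, else None.

    `driver` keys: original_file_name (version-resource OriginalFilename),
    file_version (dotted string), authenticode_sha256 (hex, optional).
    """
    for rule in rules:
        if rule["kind"] == "hash":
            if driver.get("authenticode_sha256", "").lower() == rule["hash"]:
                return rule["id"]
        elif (driver.get("original_file_name", "").lower() == rule["name"]
              and rule["min"] <= parse_version(driver["file_version"]) <= rule["max"]):
            return rule["id"]
    return None


def audit(drivers, policy_xml=MINI_POLICY):
    """Map each driver's on-disk path to the rule that blocks it (or None)."""
    rules = load_deny_rules(policy_xml)
    return {d["path"]: matching_rule(d, rules) for d in drivers}


# Constructed inventory as a driver-enumeration script would report it. Note the
# first entry: renamed on disk, still caught via its OriginalFilename.
SAMPLE_DRIVERS = [
    {"path": r"C:\Users\Public\renamed.sys",
     "original_file_name": "vulndrv_a.sys", "file_version": "1.2.3.4"},
    {"path": r"C:\Windows\System32\drivers\vulndrv_b.sys",
     "original_file_name": "vulndrv_b.sys", "file_version": "2.2.9.0"},
    {"path": r"C:\Windows\System32\drivers\vulndrv_b_fixed.sys",
     "original_file_name": "vulndrv_b.sys", "file_version": "2.4.0.0"},
    {"path": r"C:\Users\Public\anything.sys",
     "original_file_name": "other.sys", "file_version": "1.0",
     "authenticode_sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
]

if __name__ == "__main__":
    for path, rule in audit(SAMPLE_DRIVERS).items():
        print(f"{path}: {rule or 'not blocked'}")
```

The third entry is the gap a practitioner should expect: a version of the same driver above the rule's `MaximumFileVersion` loads normally, which is why a fresh driver vulnerability turned into a tool within days of a PoC, as the report describes, is not covered until the block rules are updated and redeployed.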
## Related Tools/Techniques
- **HexKiller / ThrottleBlood / HavocKiller:** Third-party EDR killers integrated into the Gentlemen suite.
- **OxideHarvest:** A data collection/exfiltration tool associated with the group.
- **BYOVD (Bring Your Own Vulnerable Driver):** The underlying technique used for kernel-land access.