
The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes Malware

3 min read · SecurityXP

It allows The Gentlemen operators to integrate abused drivers into their toolset very soon after an EDR killer PoC is disclosed.”

The third-party, BYOVD-based EDR killers employed by the group are:

- HexKiller (“googleApiUtil64.sys”), a tool previously assumed to be exclusive to the Warlock ransomware gang
- ThrottleBlood (“ThrottleBlood.sys”), a tool observed in attacks mounted by MedusaLocker and DragonForce affiliates
- HavocKiller or HwAudKiller (“havoc.sys”)

ESET said it also detected a Rust-based credential stealer codenamed OxideHarvest (aka buildx641) that is capable of harvesting data from popular web browsers, including Google Chrome, Microsoft Edge, Torch, Comodo, Epic Privacy Browser, Vivaldi, Brave, Opera, OperaGX, Mozilla Firefox, Waterfox, BlackHawk, and IceCat.

“These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied legitimate certificates and icons.”

The Slovakian cybersecurity company also called out the ransomware crew for its ability to “unusually quickly operationalize” newly disclosed proof-of-concept (PoC) exploits for the bring your own vulnerable driver (BYOVD) technique, in many cases within days of their public release.

The Campaign

The drivers abused by each of the variants are as follows:

- Kaspersky (“eb.sys”)
- FACEIT Anti-Cheat (“nseckrnl.sys”)
- Valorant (“GameDriverX64.sys”)
- Javelin (“stpm_old.sys” or “stpm_new.sys”)
- WatchDog (“dmx.sys”)
- Network Blocker (“360netmon_wfp.sys”)
- Cleaner (“IMFForceDelete.sys”)
- G11 (“PoisonX.sys”)

It is worth noting that the abuse of “PoisonX.sys” has been recorded in recent months in connection with various BYOVD attacks, one of which was used to kill CrowdStrike Falcon EDR.
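The driver filenames named in this article and in the list of third-party EDR killers above are the most concrete hunting material the report offers. The following script is an added example, not code from the article or from ESET: it runs a filename watchlist built from those names over a handful of constructed, Sysmon-style driver-load events (event ID 6) and also flags any driver loaded from outside the system drivers directory. The event shape, the host names, the paths, and the "outside the drivers directory" heuristic are assumptions for illustration; only the driver filenames and tool names come from the article.

```python
"""Hunt driver-load telemetry for the BYOVD driver filenames named in the article.

The sample events are constructed for this example; they are not real logs.
"""
import json
import ntpath

# Driver filenames taken from the article, mapped to the tool or GentleKiller
# variant the article associates with them. Matched case-insensitively on the
# basename, because the on-disk casing in telemetry varies.
WATCHLIST = {
    "eb.sys": "GentleKiller / Kaspersky variant",
    "nseckrnl.sys": "GentleKiller / FACEIT Anti-Cheat variant",
    "gamedriverx64.sys": "GentleKiller / Valorant variant",
    "stpm_old.sys": "GentleKiller / Javelin variant",
    "stpm_new.sys": "GentleKiller / Javelin variant",
    "dmx.sys": "GentleKiller / WatchDog variant",
    "360netmon_wfp.sys": "GentleKiller / Network Blocker variant",
    "imfforcedelete.sys": "GentleKiller / Cleaner variant",
    "poisonx.sys": "GentleKiller / G11 variant",
    "googleapiutil64.sys": "HexKiller",
    "throttleblood.sys": "ThrottleBlood",
    "havoc.sys": "HavocKiller (HwAudKiller)",
}

# Generic hunting heuristic (an assumption of this example, not a claim from
# the article): legitimate drivers normally live in the system drivers folder.
EXPECTED_DIR = r"c:\windows\system32\drivers"

# Constructed sample events in a minimal Sysmon-like shape (event_id 6 = driver
# loaded). Hosts and paths are invented for the example.
SAMPLE_EVENTS = [
    json.dumps({"host": "ws-01", "event_id": 6,
                "image": r"C:\Windows\System32\drivers\ndis.sys"}),
    json.dumps({"host": "ws-01", "event_id": 6,
                "image": r"C:\Users\Public\PoisonX.sys"}),
    json.dumps({"host": "srv-db", "event_id": 6,
                "image": r"C:\ProgramData\googleApiUtil64.sys"}),
    json.dumps({"host": "srv-db", "event_id": 6,
                "image": r"C:\Windows\System32\drivers\EB.SYS"}),
    json.dumps({"host": "ws-02", "event_id": 6,
                "image": r"C:\Temp\update\helper.sys"}),
    json.dumps({"host": "ws-02", "event_id": 1,
                "image": r"C:\Windows\explorer.exe"}),
]


def classify(event):
    """Return a finding dict for a suspicious driver-load event, else None."""
    if event.get("event_id") != 6:
        return None  # only driver-load events are of interest here
    image = event.get("image", "")
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    reasons = []
    if name in WATCHLIST:
        reasons.append(f"known BYOVD driver: {WATCHLIST[name]}")
    if directory != EXPECTED_DIR:
        reasons.append("driver loaded outside the system drivers directory")
    if not reasons:
        return None
    return {"host": event.get("host"), "image": image, "reasons": reasons}


def hunt(lines):
    """Parse JSON event lines and collect findings; malformed lines are skipped."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['image']} -> {'; '.join(f['reasons'])}")
```

On the constructed input this yields four findings: the PoisonX.sys and googleApiUtil64.sys loads match the watchlist and sit outside the drivers directory, EB.SYS matches the watchlist even though it was dropped into the expected folder, and helper.sys is flagged on location alone. A filename watchlist is a weak indicator on its own, since the article notes the group impersonates security vendors with fake version information and copied certificates, and a renamed driver defeats it; in production, match on file hashes or the signer's certificate as well, and pair the hunt with Microsoft's vulnerable driver blocklist so known-abusable drivers are refused at load time rather than merely logged.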

Further details indicate that “If a target system trusts the affected vendor’s certificate, an attacker [with administrative privileges or physical access] can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes,” CERT/CC said.

“To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries, preventing these vulnerable applications from executing during the boot process.”

“They also incorporate third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller,” ESET security researcher Jakub Souček said in a report shared with The Hacker News.


Impact & Targeting

The most prevalent of them is GentleKiller, which comes in eight different variants, each mimicking a different legitimate product and abusing a different vulnerable or malicious driver as part of the BYOVD attack. The impacted applications are from Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, and Uniwill.

Analysis

Organizations should review their exposure and apply available mitigations promptly.

Defenders should immediately review endpoint detection and response telemetry for any signs of the described malware family or associated behaviors. Network traffic analysis can reveal command-and-control communications, data exfiltration patterns, or lateral movement that might otherwise go unnoticed. Organizations are advised to update their threat intelligence feeds and ensure that endpoint protection platforms, email gateways, and intrusion prevention systems have the latest detection signatures. Incident response playbooks should be reviewed to confirm they cover malware of this type, including isolation procedures, forensic collection steps, and communication protocols. Security awareness training may also need refreshes if the malware leverages social engineering as an initial access vector.
