The Gentlemen ransomware operation is expanding its defense-evasion capabilities with a growing collection of EDR-killing tools designed to disable endpoint protections before ransomware deployment.
At the center of the toolkit is GentleKiller, a framework that reportedly abuses vulnerable drivers to gain kernel-level privileges and interfere with security software. Investigators also identified additional EDR killers and a Rust-based credential-stealing utility linked to the group’s operations.
The findings highlight a growing trend in modern ransomware campaigns: disrupting endpoint visibility before or during broader intrusion activity, including credential access, lateral movement, and ransomware deployment.
Ransomware operators increasingly recognize that defeating security tools can be just as important as deploying ransomware itself. Recent analysis of the Gentlemen ransomware operation reveals continued investment in specialized tools designed to disable endpoint detection and response (EDR) solutions before the main attack phase begins. Rather than relying solely on ransomware payloads, the group appears to be building a broader ecosystem focused on defense evasion, credential access, and operational resilience.
The latest findings provide insight into how modern ransomware affiliates may attempt to reduce visibility across targeted environments, potentially creating opportunities for follow-on malicious activity with fewer security alerts.
Gentlemen has expanded GentleKiller, its EDR-killing framework, into multiple variants.
The variants reportedly impersonate legitimate software or security products, including Kaspersky, Valorant, Javelin, and WatchDog. This approach can make malicious components appear less suspicious during cursory inspection while helping operators blend into legitimate software environments.
Public reporting indicates that GentleKiller targets more than 400 processes linked to approximately 48 security vendors and products. The targeted ecosystem reportedly includes endpoint protection and EDR technologies from several major cybersecurity providers.
The operation’s tooling extends beyond GentleKiller itself. Investigators also documented the use of additional EDR-killing utilities, including HexKiller, ThrottleBlood, and HavocKiller. Maintaining multiple tools for a similar purpose suggests a deliberate effort to preserve operational flexibility if one tool becomes ineffective due to vendor mitigations, software updates, or improved detections.
A key element of the campaign is the use of bring-your-own-vulnerable-driver (BYOVD) attacks.
In a BYOVD attack, adversaries load a legitimately signed but vulnerable driver onto a system and exploit its weaknesses to gain elevated privileges. Because the driver carries a valid signature, operating system and security controls may allow it to load, at which point the attacker can abuse its flaws to obtain kernel-level capabilities.
According to public analysis, GentleKiller leverages this technique to interfere with security processes and defensive software. Kernel-level privileges can provide attackers with greater control over endpoint operations and may enable actions that are difficult to perform from user space alone.
The framework is reportedly adaptable, allowing operators to swap in different vulnerable or malicious drivers across variants. This flexibility lets attackers keep the tool working as vendors patch known weaknesses or introduce protections against specific drivers.
Additional tactics observed within the toolkit include obfuscation, packing techniques, and software impersonation. Together, these methods are intended to increase the likelihood that malicious activity remains undetected long enough for subsequent attack stages to proceed.
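An EDR killer that targets hundreds of security-product processes leaves one coarse but useful trace: many protected processes exit within seconds of each other. The following is an added detection example (not code from the page, from Hexnode, or from any analysis of GentleKiller) that runs a sliding window over Sysmon Event ID 5 (ProcessTerminate)-style records and flags a burst of distinct protected images dying close together. The protected image paths and the sample events are constructed placeholders; a real deployment would fill the list from its own agent install paths.

```python
"""Burst detector for security-product process terminations.

Added example, not from the original article. Records are shaped like
Sysmon Event ID 5 fields (UtcTime, Image, ProcessId). Image paths and
events below are constructed for illustration.
"""
from collections import deque
from datetime import datetime, timedelta

# Hypothetical protected images (constructed placeholders). Populate from
# the real AV/EDR/telemetry agent paths in your environment.
PROTECTED_IMAGES = {
    r"c:\program files\exampleav\avservice.exe",
    r"c:\program files\exampleav\avagent.exe",
    r"c:\program files\exampleedr\sensor.exe",
    r"c:\program files\exampleedr\sensorhelper.exe",
    r"c:\windows\sysmon64.exe",
}

# Constructed sample telemetry: one benign exit, a tight burst of five
# protected processes terminating, then an isolated exit much later.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-01 10:00:01.000", "Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 4120},
    {"UtcTime": "2024-01-01 10:03:15.100", "Image": r"C:\Program Files\ExampleAV\avagent.exe", "ProcessId": 2200},
    {"UtcTime": "2024-01-01 10:03:15.300", "Image": r"C:\Program Files\ExampleAV\avservice.exe", "ProcessId": 2180},
    {"UtcTime": "2024-01-01 10:03:16.000", "Image": r"C:\Program Files\ExampleEDR\sensorhelper.exe", "ProcessId": 3310},
    {"UtcTime": "2024-01-01 10:03:16.250", "Image": r"C:\Program Files\ExampleEDR\sensor.exe", "ProcessId": 3300},
    {"UtcTime": "2024-01-01 10:03:16.400", "Image": r"C:\Windows\Sysmon64.exe", "ProcessId": 1900},
    {"UtcTime": "2024-01-01 11:30:00.000", "Image": r"C:\Program Files\ExampleAV\avagent.exe", "ProcessId": 5100},
]


def parse_time(s):
    """Parse the Sysmon UtcTime format (millisecond precision)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def fmt_time(t):
    """Render a datetime back into the same millisecond format."""
    return t.strftime("%Y-%m-%d %H:%M:%S.") + f"{t.microsecond // 1000:03d}"


def detect_termination_bursts(events, window_seconds=30, threshold=3):
    """Return one alert per burst of >= threshold distinct protected images
    terminating within window_seconds of each other.

    Each alert is {"start": str, "end": str, "images": sorted list}.
    """
    ordered = sorted(events, key=lambda e: parse_time(e["UtcTime"]))
    window = deque()      # (time, image) for protected terminations in the window
    alerts = []
    current = None        # alert currently being extended, if any
    for ev in ordered:
        image = ev["Image"].lower()
        if image not in PROTECTED_IMAGES:
            continue
        t = parse_time(ev["UtcTime"])
        window.append((t, image))
        # Drop entries older than the window relative to the newest event.
        while t - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()
        distinct = {img for _, img in window}
        if len(distinct) >= threshold:
            if current is None:
                current = {"start": window[0][0], "end": t, "images": set()}
                alerts.append(current)
            current["end"] = t
            current["images"] |= distinct
        else:
            current = None  # burst over; a later cluster starts a new alert
    return [
        {"start": fmt_time(a["start"]), "end": fmt_time(a["end"]), "images": sorted(a["images"])}
        for a in alerts
    ]


if __name__ == "__main__":
    for alert in detect_termination_bursts(SAMPLE_EVENTS):
        print(f"{alert['start']} .. {alert['end']}: {len(alert['images'])} protected images terminated")
        for img in alert["images"]:
            print("   ", img)
```

Sysmon's ProcessTerminate event does not record which process caused the exit, so this rule detects the effect rather than the actor; correlate the burst window with preceding driver loads and service changes on the same host. The complement to this rule is a heartbeat check: if the telemetry agent itself is among the first casualties, the burst may never be fully logged, and a host that suddenly goes silent deserves the same attention.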
Why Ransomware Groups Are Investing in EDR Killers
The growing use of EDR killers reflects a shift in how ransomware operations approach intrusion campaigns.
Many modern ransomware groups invest in specialized tooling that supports different stages of an intrusion, including access, privilege escalation, credential acquisition, defense evasion, and ransomware deployment.
Disabling security controls can provide several operational advantages.
Reduced endpoint visibility makes it harder for defenders to identify suspicious behavior during the early stages of an intrusion. This can give attackers additional time to conduct reconnaissance, search for privileged accounts, move between systems, or prepare ransomware deployment.
The presence of OxideHarvest, a Rust-based credential-stealing utility associated with the group’s activity, further illustrates this broader operational focus. While publicly available reporting links the tool to the operation, details regarding its role in individual incidents remain limited.
Taken together, the toolset suggests that the group is investing in multiple stages of the attack lifecycle rather than relying on a single ransomware payload.
What Is Confirmed and What Remains Unclear
Several aspects of the operation have been publicly documented.
Confirmed reporting indicates that:
GentleKiller, the group's EDR-killing framework, exists in multiple variants.
The framework abuses vulnerable drivers to obtain elevated privileges.
The toolkit targets a large number of security-related processes.
Additional EDR-killing tools have been observed alongside GentleKiller.
OxideHarvest has been associated with the group’s activity.
At the same time, important details remain unclear.
Public reporting has not confirmed:
Which organizations were targeted using the newly documented tools.
Whether credential theft was successful in specific incidents.
Whether data was exfiltrated during campaigns involving these tools.
How frequently each EDR killer is deployed during ransomware operations.
Whether all affiliates use the same tooling throughout the attack lifecycle.
As is often the case with ransomware-as-a-service ecosystems, operational methods may differ between affiliates and individual campaigns.
Why Driver Governance Has Become a Security Priority
The widespread use of BYOVD techniques highlights a challenge that extends beyond a single ransomware operation.
Vulnerable drivers represent a unique security risk because they can transform trusted software components into attack tools. Rather than exploiting a vulnerability in the target environment itself, attackers may abuse weaknesses within already trusted drivers to gain elevated access.
This trend reinforces the importance of driver governance as part of endpoint security programs.
Organizations should consider measures such as:
Maintaining strong patch management practices
Reducing unnecessary software installations
Enforcing application control policies
Monitoring for unexpected driver loading activity
Reviewing endpoint hardening standards
Using vulnerable-driver blocklists where supported
Driver abuse is increasingly being leveraged as an enabler for broader attack objectives, making it an important area of focus for security teams.
How Hexnode Can Help Strengthen Endpoint Resilience
Defending against defense-evasion techniques requires a combination of endpoint hardening, visibility, and rapid response capabilities.
Hexnode UEM
Hexnode UEM can help organizations strengthen endpoint posture through:
Device policy enforcement
Application management
Patch management
Device compliance monitoring
Security configuration management
These capabilities can help organizations manage patches, enforce application policies, and maintain device compliance across managed endpoints.
Hexnode XDR
Hexnode XDR provides endpoint-focused detection, investigation, and response capabilities that can support security teams when suspicious activity is identified.
Security teams can use Hexnode XDR to:
Investigate threats using endpoint data and query-based threat hunting
Review audit trails, endpoint data, and threat context during investigations
Isolate compromised devices
Terminate malicious processes
Quarantine identified malicious files
These capabilities can help support incident response efforts when endpoint tampering or ransomware-related activity is suspected.
Hexnode IdP
Strong identity controls remain an important layer of defense against credential-focused attacks.
These controls can help strengthen access governance and support policies that limit unauthorized access from unmanaged or non-compliant devices.
Conclusion
The latest findings surrounding the Gentlemen ransomware operation demonstrate how ransomware groups continue to expand beyond traditional encryption-focused tooling.
By combining GentleKiller, additional EDR-killing utilities, and credential-focused tooling, the operation appears to be investing heavily in defense evasion and attack preparation. BYOVD attacks demonstrate how attackers can weaponize trusted components to undermine endpoint protections.
For security teams, the lesson is clear: ransomware defense is no longer just about detecting encryptors. Monitoring for security tool tampering, suspicious driver activity, credential-access behavior, and other early-stage indicators can provide critical opportunities to investigate and contain threats before ransomware deployment occurs.
I write at the intersection of technology, process, and people, focusing on explaining complex products with clarity. I break down tools, systems, and workflows without any noise, jargon, or the hype.