
The "Gentlemen" RaaS and the GentleKiller EDR-Killer Framework

  • June 25, 2026
Aaron Beardslee

TL;DR

  • The Gentlemen (operators tracked by Microsoft as Storm-2697) is a Russian-speaking, financially motivated ransomware-as-a-service operation that emerged mid-2025 from a Qilin affiliate split; its distinguishing feature is that operators centrally build, maintain, and distribute a full EDR-killer suite anchored by the in-house GentleKiller framework (8+ BYOVD variants) directly to affiliates, lowering the bar for affiliate-led intrusions.
  • GentleKiller and its companion third-party killers (HexKiller, ThrottleBlood, HavocKiller) all work via Bring Your Own Vulnerable Driver (BYOVD): drop a signed-but-vulnerable kernel driver, load it as a service, then send IOCTLs to terminate 400+ security processes mapped to 48 vendors, defeating user-mode tamper protection from Ring 0. The single best detection surface is kernel driver-load telemetry (Sysmon Event ID 6 / Event ID 7045 service install) plus the GentlemenCollection staging directory.
  • FortiGate edge compromise (CVE-2024-55591) is the group's primary initial-access vector, but the June 2026 "FortiBleed" leak is NOT confirmed to be a Gentlemen operation -- it is attributed to a separate Russian-speaking initial-access broker. Treat the relationship as a supply-chain/thematic overlap only.

Key Findings

Attribution and lineage. The Gentlemen is run by a Russian-speaking actor using the aliases hastalamuerte and zeta88, identified by Brian Krebs (June 10, 2026) as Alexander Andreevich Yapaev, a 36-year-old from Izhevsk, Russia. Before launching The Gentlemen, hastalamuerte ran a high-volume Qilin affiliate crew known as ArmCorp. A July 2025 RAMP-forum payment dispute (~$48,000 in unpaid commission) formalized the split; a Gentlemen sample with an embedded leak-site URL was uploaded to VirusTotal on July 17, 2025, five days before the public dispute, showing the brand was already in development. PRODAFT reported (Oct 17, 2025) that the operators were previously affiliated with Qilin, Embargo, LockBit, Medusa, and BlackLock. Microsoft tracks the operators as Storm-2697.

Business model. Classic RaaS with an unusually generous 90% affiliate / 10% operator split. This is a deliberate recruiting weapon: per Halcyon, the 90% share is "among the highest in the current underground market," noting that "most RaaS programs offer affiliates between 70% and 80% of ransom proceeds, with only RansomHub previously matching The Gentlemen's 90/10 split." Double extortion (encrypt + leak via Tor DLS and a branded social-media account). The group explicitly prohibits targeting Russia/CIS, consistent with Russian-speaking eCrime norms.

Scale and velocity. One of the fastest-scaling RaaS operations on record. Halcyon's Ransomware Research Center assessed the group "has claimed nearly 300 victims across 66 countries since mid-2025, scaling faster than any group on record." Trajectory: ~48 victims by October 2025, ~130 by early February 2026, 320+ by April 2026, and 478 claimed by mid-June 2026. Per Check Point, the 320+ claim by April made it "the #2 most active ransomware group by victim count so far this year." NCC Group's April 2026 data (via Computer Weekly) corroborates this: Gentlemen ranked 2nd with 73 attacks (10%) versus Qilin's 107 (14%); NCC separately counted 48 Gentlemen attacks in January, and other reporting shows the count rising month over month. NTT, reported by IT Pro, assessed that The Gentlemen "has become one of the most active ransomware operators, accounting for 10% of all attacks and second only to the notorious Qilin."

Victimology. Notably not US-centric. Per ESET (via TechTimes, June 19, 2026): "Unlike most large ransomware operations -- which draw roughly half their victims from the United States -- Gentlemen's US concentration sits at approximately 13 percent." Heavy targeting across Southeast Asia, South America, and Western Europe; SOCRadar notes "significant victim concentrations in Thailand, the United Kingdom, Brazil, Germany, and India." ESET found victims are selected primarily based on FortiGate (mis)configuration rather than geography. Sectors hit include manufacturing, technology, healthcare, financial services, construction, insurance, energy, government, and education, with no restraint toward hospitals/critical infrastructure. Notable victims: Romania's Oltenia Energy Complex (Complexul Energetic Oltenia, Dec 26, 2025), Mackay Sugar (June 2026, forced physical mill shutdown), and the Adaptavist Group.

The EDR-killer suite. This is the group's signature differentiator. ESET (June 18, 2026 report, authored by Jakub Souček) confirmed, via a May 2026 internal data leak in which zeta88 openly discusses maintaining EDR-killer packages, that Gentlemen operators develop/maintain the suite and offer it to vetted affiliates. This is a rare operator-managed model (RansomHub's EDRKillShifter is the main precedent, but Gentlemen maintains a diverse portfolio rather than one tool).

Details

1. Threat Actor Profile

  • Type: Cybercriminal RaaS operation (not nation-state), approximately 20 members per Group-IB. Centrally operated locker, panel, negotiation platform, and tooling; affiliates conduct intrusions and exfiltration.
  • Encryptors: Go-based cross-platform locker (Windows, Linux, NAS, BSD) obfuscated with Garble, plus a dedicated C-based ESXi locker. Per-file hybrid crypto: X25519/Curve25519 key exchange + XChaCha20 stream cipher, per-file ephemeral keys. Hardcoded extension .axfsmg; ransom note README-GENTLEMEN.txt; group marker string GENTLEMEN. Operator password gate (e.g., G7Vz9eyG) required to run -- it is an execution gate, NOT the encryption key. Speed modes encrypt 0.3 to 3% of large files; --wipe overwrites free space; --spread turns the encryptor into a self-propagating worm that enumerates AD computers and attempts ~21 lateral-execution techniques per host.
  • AI assistance: Krebs/Check Point report the panel and tooling were reportedly built with AI coding assistants.
  • Internal leak (May 2026): On May 4, 2026 the admin acknowledged a backend database compromise; the data was briefly sold for $10,000 in BTC and then dumped publicly, exposing 9 internal accounts (zeta88, qbit, quant, Kunder, JeLLy, Protagor, Bl0ck, Wick, donpakto, mAst3r) and the group's FortiGate access dashboard, TTPs, and EDR-killer discussions.

2. EDR-Killer Framework -- Technical Deep Dive

Architecture: A suite, not a single tool. The centerpiece is GentleKiller (ESET's name), an in-house framework with at least 8 variants. All variants share a common code template: consistent strings, identical code obfuscation, a process-termination loop (scanning/killing every ~2 seconds), and a shared target list of 400+ processes mapped to 48 security products (Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto/Cortex, Trend Micro, ESET, Bitdefender, McAfee/Trellix, Kaspersky, Sangfor, Cybereason, Carbon Black, Elastic, Huntress, ThreatLocker, Sysmon, etc.). The framework is designed for rapid driver swaps: per ESET, "the UnknownKiller and PoisonKiller proof-of-concepts were both adopted within days of their public release," distinguishing Gentlemen from RaaS operators who "typically wait weeks or months."

GentleKiller variants and abused drivers:

  • Kaspersky (Kasp<suffix>.exe) -- abuses eb.sys; custom rootkit (UnknownKiller PoC).
  • FACEIT Anti-Cheat (FaceIT<suffix>.exe) -- abuses nseckrnl.sys; NSecsoft NSecKrnl.
  • Valorant (Valorant<suffix>.exe) -- abuses GameDriverX64.sys / vgk.sys; anti-cheat driver (PerfectWorld/Tower of Fantasy in IOCs).
  • Javelin (EAAntiCheat<suffix>.exe, EASolo<suffix>.exe) -- abuses stpm_old.sys / stpm_new.sys; Safetica Process Monitor driver.
  • WatchDog (BitD<suffix>.exe) -- abuses dmx.sys; Zemana WatchDog Antimalware driver (CVE-2022-42045).
  • Network Blocker (MB<suffix>.exe) -- abuses 360netmon_wfp.sys; Qihoo 360 driver.
  • Cleaner (Deletor.exe) -- abuses IMFForceDelete; IObit IMF ForceDelete filter driver (CVE-2025-26125).
  • G11 (G11<suffix>.exe, Symantec<suffix>.exe) -- abuses PoisonX (G11.sys); rootkit, also seen paired with hrwfpdrv.sys in non-Gentlemen intrusions.

Third-party EDR killers integrated into the suite:

  • HexKiller (Avast<suffix>.exe) -- abuses googleApiUtil64.sys (Baidu Antivirus BdApi driver); previously assessed exclusive to the Warlock gang.
  • ThrottleBlood (Sent<suffix>.exe) -- abuses ThrottleBlood.sys / ThrottleStop.sys (TechPowerUp); seen in MedusaLocker and DragonForce intrusions; linked to Gentlemen by Trend Micro (Sept 2025).
  • HavocKiller (HwAudKiller.exe, Sophos<suffix>.exe) -- abuses havoc.sys (Huawei audio driver HWAudioOs2Ec.sys, signed by Huawei Device Co.); publicly disclosed by Huntress March 19, 2026 but in real-world use since at least Jan 23, 2026.

Mechanics (how it disables EDR): All are BYOVD. The flow: gain local admin, drop a signed-but-vulnerable .sys to disk (often %TEMP%), register/load as a kernel service via sc create … type=kernel / sc start or NtLoadDriver, open a handle to the driver's device (e.g., \\.\HWAudioX64), then send a crafted IOCTL with the target PID. The vulnerable driver invokes ZwOpenProcess (PROCESS_ALL_ACCESS) + ZwTerminateProcess from kernel mode with no validation, terminating even PPL/tamper-protected security processes that resist user-mode kills. HavocKiller's IOCTL is 0x2248DC with a 4-byte PID buffer. Because the driver carries a valid signature, Driver Signature Enforcement loads it without complaint. (Related public BYOVD tooling such as RealBlindingEDR additionally strips kernel callbacks -- ObRegisterCallbacks, PsSetCreateProcessNotifyRoutine, minifilter callbacks -- to blind rather than kill; GentleKiller's documented behavior is loop-based process termination rather than callback stripping.)

Anti-analysis / evasion layer (standardized across the whole suite): Applied at the compiled-binary level (so it can be bolted onto tools they don't have source for): commercial packers Enigma or Themida; filenames impersonating security vendors; fabricated version info, copied (invalid) digital signatures from legitimate executables, and matching icons. ESET's suffix scheme: 1 = Enigma + fake sig + fake version; 2 = Themida + fake sig + fake version; Light = no packer but fake sig/version; Clear = none. Staging directory: GentlemenCollection.

Companion credential stealer: OxideHarvest (Rust; ESET name), maintained by affiliate quant as buildx641/buildx64. Command-line stealer (-i hosts, -u user, -p pass, -t threads, -o output) targeting Chromium and Gecko browser credential stores; multithreaded remote login + credential exfiltration.

3. Kill Chain and Attack Flow

  1. Initial access: FortiGate edge exploitation via CVE-2024-55591 (FortiOS/FortiProxy auth bypass, CWE-288, CVSS 9.6 to 9.8; Node.js WebSocket getAdminSession() fails to validate local_access_token on /ws/cli/, granting unauth super-admin) -- referenced 81 times in leaked chats as their primary way in. Also: brute-forced/stolen VPN creds, infostealer logs (sourced via Snusbase), internet-facing RDP, SSL VPN, and remote-management tools. The group actively tracks CVE-2025-32433 (Erlang/OTP SSH, Cisco context) and CVE-2025-33073 (NTLM relay, operationalized via RelayKing/ntlmrelayx). Also patches noted for Veeam (CVE-2023-27532) and VMware ESXi (CVE-2024-37085).
  2. Recon/validation: From a foothold (often the firewall is AD-integrated), reach a Domain Controller with Domain Admin; systematic credential validation, AD enumeration (Advanced IP Scanner, Nmap), targeting Domain/Enterprise Admins.
  3. Privilege escalation: PowerRun.exe (UAC bypass / SYSTEM), plus the BYOVD drivers for kernel-level operations (T1068).
  4. Defense evasion (where the EDR killer lands, pre-encryption): GentleKiller/suite deployed from GentlemenCollection. PowerShell to disable Defender real-time monitoring (Set-MpPreference -DisableRealtimeMonitoring $true), add process/path exclusions (Add-MpPreference -ExclusionProcess, -ExclusionPath C:\), disable firewall, enable SMB1, loosen LSA anonymous-access (RestrictSendingNTLMTraffic=0, DisableRestrictedAdmin=0), lower RDP SecurityLayer. Delete shadow copies (vssadmin/wmic), clear System/Application/Security logs (wevtutil cl), delete Prefetch, Defender support logs, RDP logs, and PowerShell history.
  5. C2 and lateral movement: SystemBC (SOCKS5, custom RC4-encrypted protocol) + Cobalt Strike; Mimikatz/comsvcs.dll for credential theft; PsExec, WMI, WinRM, scheduled tasks, services, PuTTY/SSH; AnyDesk + RDP for persistence. A newer custom C2 named G-BOT is reportedly replacing Cobalt Strike (moderate confidence). Huntress observed SystemBC beaconing to 193.233.202[.]17:44729.
  6. Impact: GPO weaponization -- copy locker to NETLOGON share, create malicious GPO with immediate scheduled task, force policy refresh, then near-simultaneous domain-wide encryption within minutes. Or the --spread worm mode. Exfiltration (hundreds of GB to multiple TB) via WinSCP before encryption; double extortion.

4. FortiBleed Connection -- Clarified

FortiBleed is NOT a confirmed Gentlemen operation. Disclosed June 17-18, 2026 by Bob Diachenko (SecurityDiscovery) and Hudson Rock, FortiBleed is a dataset of credentials for 73,932 FortiGate firewall/SSL-VPN URLs across 194 countries (~21,632 unique domains), with broader figures climbing to ~86,000 devices. Kevin Beaumont independently confirmed the data is genuine and recent; the affected IPs differ from the January 2025 Belsen Group leak (~15,000 devices).

  • It is not a single CVE/zero-day. Fortinet PSIRT (Carl Windsor, June 19, 2026) states it is credential reuse + brute force: "This is not a new Fortinet vulnerability, and this activity is not related to any recent incident or advisory." The underlying config theft is tied to older flaws including CVE-2022-40684, CVE-2023-27997 (XORtigate), CVE-2024-55591, and the FortiCloud SSO trio CVE-2026-24858 / CVE-2025-59718 / CVE-2025-59719, compounded by a FortiOS weakness where upgrading does not re-hash legacy SHA-256 admin passwords (PBKDF2 introduced in 7.2.11/7.4.8/7.6.1) until an admin re-authenticates, leaving crackable hashes.
  • Attribution: A separate, unnamed Russian-speaking multi-operator initial-access broker (forum alias "SantaAd" per SpyCloud; Arctic Wolf assesses Russian-speaking with only low confidence and explicitly declines to name an actor). Attackers ran ~1.16B credential attempts vs. 320,777 FortiGate targets and 2.1B vs. 163,650 MSSQL systems, cracking SSL-VPN hashes on a 45-GPU Hashtopolis cluster. Recorded Future/Insikt linked IP 85.11.187.8 to FortiBleed infrastructure. No ransomware group has claimed FortiBleed.
  • Relationship to Gentlemen: Circumstantial/supply-chain only. Both are Russian-speaking and FortiGate-centric, and FortiBleed-type access is exactly what RaaS affiliates buy, but no source documents a transaction, shared operator, or shared infrastructure. Critically, The Gentlemen maintains its own separate FortiGate stockpile. Per ESET, "the operators maintain a curated database of approximately 14,700 already-compromised FortiGate devices, allowing affiliates to skip reconnaissance and gain immediate network access," plus ~969 validated brute-forced VPN credentials (operator qbit's dashboard, surfaced in the May 2026 internal leak), which is distinct from the FortiBleed dataset. The ESET finding that Gentlemen selects victims by FortiGate configuration is what makes FortiBleed operationally relevant to defenders, not evidence of common identity. The "SantaAd"/"SantaMuerte" alias resemblance is unverified and likely coincidental.

5. Indicators of Compromise (selected, from ESET/Check Point/Huntress)

EDR-killer and driver files (SHA-1, ESET):


Encryptor (SHA-256): earliest sample 51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2 (July 17, 2025); Check Point IOCs 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a, 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235.

Network: SystemBC SOCKS5 C2 193.233.202[.]17:44729, prior 77.110.122[.]137:37182; Check Point DFIR 45.86.230[.]112, 91.107.247[.]163. FortiBleed (separate): 85.11.187.8.

Host artifacts: staging dir GentlemenCollection; SystemBC binary svchost32.exe in C:\Windows\Temp; scheduled tasks WindowsConnSvc (2-min interval, SYSTEM); kernel services named Havoc; ransom note README-GENTLEMEN.txt; extension .axfsmg; downloaded nmap-7.97-setup.exe under a fortigate user profile.

6. MITRE ATT&CK Mapping (v19)

  • Initial Access: T1190 Exploit Public-Facing Application (CVE-2024-55591, CVE-2025-32433); T1133 External Remote Services (SSL VPN/RDP); T1078 Valid Accounts (brute-forced/stealer creds).
  • Execution: T1059.001 PowerShell; T1059.003 Windows Command Shell; T1106 Native API (DeviceIoControl/IOCTL); T1047 WMI; T1053.005 Scheduled Task.
  • Persistence: T1543.003 Create/Modify System Service (vulnerable driver loaded as service; AnyDesk service); T1547 Boot/Logon Autostart.
  • Privilege Escalation: T1068 Exploitation for Priv Esc (BYOVD kernel access); T1548 Abuse Elevation (PowerRun UAC bypass).
  • Defense Evasion: T1562.001 Impair Defenses: Disable/Modify Tools (EDR killers, Defender disable) and T1685 Disable or Modify Tools (ESET's mapping); T1014 Rootkit; T1574 Hijack Execution Flow; T1036 / T1036.001 Masquerading + Invalid Code Signature; T1027 Obfuscated Files (Enigma/Themida); T1070.001 Clear Windows Event Logs; T1070.003 Clear Command History; T1112 Modify Registry; T1484.001 GPO Modification; T1564 Hide Artifacts.
  • Credential Access: T1003.001 LSASS Memory (Mimikatz/comsvcs.dll); T1557.001 LLMNR/NBT-NS/NTLM relay; T1555.003 Credentials from Web Browsers (OxideHarvest).
  • Discovery: T1046 Network Service Discovery; T1018 Remote System Discovery; T1087 Account Discovery.
  • Lateral Movement: T1021.001 RDP; T1021.002 SMB/Admin Shares (PsExec); T1021.004 SSH; T1570 Lateral Tool Transfer.
  • C2: T1090 Proxy (SystemBC SOCKS5); T1071 App-Layer Protocol; T1219 Remote Access Software (AnyDesk).
  • Exfiltration: T1048 Exfil over Alternative Protocol (WinSCP).
  • Impact: T1486 Data Encrypted for Impact; T1490 Inhibit System Recovery (shadow-copy deletion); T1489 Service Stop; T1561 Disk Wipe (--wipe).

7. Detection Opportunities

Highest-value telemetry -- kernel/driver layer (detect the load, not just the kill):

  • Sysmon Event ID 6 (Driver Loaded) is the single most important BYOVD signal. Log all driver loads with hash + SignatureStatus, cross-reference against the LOLDrivers list and the specific Gentlemen-abused drivers (eb.sys, nseckrnl.sys, GameDriverX64/vgk.sys, stpm_old/new.sys, dmx.sys, 360netmon_wfp.sys, IMFForceDelete, PoisonX/G11.sys, googleApiUtil64.sys, ThrottleBlood.sys, havoc.sys). Critically filter on both Signature AND SignatureStatus to catch stolen/revoked certs. Alert on drivers loaded from non-standard paths (e.g., %TEMP%, C:\Users\Public).
  • Windows System Event ID 7045 (Service Installed) for kernel-type service creation; Sysmon Event ID 1 for sc.exe create … type=kernel command lines.
  • Splunk ESCU analytics "Windows Vulnerable Driver Loaded" and "Suspicious Driver Loaded Path" are directly applicable; SOC Prime publishes Sigma rules for The Gentlemen; Microsoft published Defender detections/hunting guidance with its Storm-2697 analysis.
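As an added example (not code from the write-up or from any vendor cited in it), a small Python triage rule that applies the checks above to Sysmon Event ID 6 and System Event ID 7045 records: known abused-driver names, user-writable load paths, the Signed-versus-SignatureStatus distinction, the Havoc service name, and a hash cross-reference. Field names follow the Sysmon/System event schema; the sample events, hosts and placeholder hashes are constructed, and the havoc.sys SHA-1 is the one from ESET's IOC list.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) and System Event ID 7045 (service
installed) records against the BYOVD indicators in this write-up (demo data)."""
import ntpath
import re

# File-name stems (lower-case, no extension) of the drivers the write-up lists as
# abused by GentleKiller, HexKiller, ThrottleBlood and HavocKiller.
GENTLEMEN_DRIVER_STEMS = {
    "eb", "nseckrnl", "gamedriverx64", "vgk", "stpm_old", "stpm_new", "dmx",
    "360netmon_wfp", "imfforcedelete", "g11", "googleapiutil64",
    "throttleblood", "throttlestop", "havoc",
}
GENTLEMEN_SERVICE_NAMES = {"havoc"}  # kernel service name reported from intrusions
# A kernel driver loading from any of these is suspect regardless of its signature.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\", "c:\\temp\\")
# SHA-1 of havoc.sys from ESET's IOC list; extend from LOLDrivers in practice.
KNOWN_SHA1 = {"1FA071303FB846308571E64727501FB98B1C2BE6"}

def _norm(path):
    """Lower-case, backslash-only, with the NT \\??\\ prefix used by 7045 removed."""
    p = path.replace("/", "\\").lower()
    return p[4:] if p.startswith("\\??\\") else p

def _stem(path):
    base = ntpath.basename(_norm(path))
    return base.rsplit(".", 1)[0] if "." in base else base

def _image_reasons(path):
    """Checks shared by both event types: abused-driver name and load location."""
    reasons = []
    if _stem(path) in GENTLEMEN_DRIVER_STEMS:
        reasons.append("known Gentlemen-abused driver name")
    if _norm(path).startswith(USER_WRITABLE_PREFIXES):
        reasons.append("loaded from user-writable path")
    return reasons

def triage_driver_load(ev, known_sha1=KNOWN_SHA1):
    """Score one Sysmon EID 6 record; returns the list of reasons (empty = clean)."""
    reasons = _image_reasons(ev.get("ImageLoaded", ""))
    m = re.search(r"SHA1=([0-9A-Fa-f]{40})", ev.get("Hashes", ""))
    if m and m.group(1).upper() in known_sha1:
        reasons.append("SHA-1 matches IOC list")
    # BYOVD depends on a genuine vendor signature, so Signed=true alone proves nothing;
    # a signed kernel image whose status is anything but Valid is the stolen/revoked-cert case.
    status = ev.get("SignatureStatus", "")
    if ev.get("Signed", "").lower() == "true" and status != "Valid":
        reasons.append(f"Signed=true but SignatureStatus={status or '?'}")
    return reasons

def triage_service_install(ev):
    """Score one System EID 7045 record; only kernel-type services matter here."""
    if ev.get("ServiceType", "").lower() != "kernel mode driver":
        return []
    reasons = _image_reasons(ev.get("ImagePath", ""))
    name = ev.get("ServiceName", "").lower()
    if name in GENTLEMEN_SERVICE_NAMES:
        reasons.append(f"service name '{name}' reported in Gentlemen intrusions")
    return reasons

def triage(events, known_sha1=KNOWN_SHA1):
    """Dispatch by EventID; returns (host, event_id, reasons) for hits only."""
    hits = []
    for ev in events:
        if ev["EventID"] == 6:
            reasons = triage_driver_load(ev, known_sha1)
        else:
            reasons = triage_service_install(ev) if ev["EventID"] == 7045 else []
        if reasons:
            hits.append((ev["Computer"], ev["EventID"], reasons))
    return hits

# Constructed sample events: hosts, the Temp-path load, its "Revoked" status string and
# the placeholder hashes are made up; the havoc.sys hash is the one ESET published.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 6, "Signed": "true", "SignatureStatus": "Valid",
     "ImageLoaded": "C:\\Users\\Public\\GentlemenCollection\\havoc.sys",
     "Hashes": "SHA1=1FA071303FB846308571E64727501FB98B1C2BE6", "Signature": "Huawei Device Co."},
    {"Computer": "WS03", "EventID": 6, "Signed": "true", "SignatureStatus": "Valid",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA1=" + "B" * 40, "Signature": "Microsoft Windows"},
    {"Computer": "WS04", "EventID": 6, "Signed": "true", "SignatureStatus": "Revoked",
     "ImageLoaded": "C:\\Windows\\Temp\\GameDriverX64.sys",
     "Hashes": "SHA1=" + "C" * 40, "Signature": "Example Vendor"},
    {"Computer": "WS01", "EventID": 7045, "ServiceName": "Havoc", "ServiceType": "kernel mode driver",
     "ImagePath": "\\??\\C:\\Users\\Public\\GentlemenCollection\\havoc.sys"},
]
```

Run `triage(SAMPLE_EVENTS)` to see three hits (two driver loads and the Havoc service install) and the clean tcpip.sys load ignored.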

Behavioral correlation (the kill-chain signature): download, then sc create, then service start, then security process unexpectedly dies. Alert on unexpected termination of AV/EDR processes and on loss of EDR telemetry from a host (treat as compromise). Monitor for the periodic (~2s) process-termination loop targeting security binaries.
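The sequence described in this paragraph, as an added example that is not part of the original post: a Python correlation over constructed Sysmon records that alerts when a security-process termination is preceded, in order and on the same host, by a .sys file create, an sc create type= kernel command and a driver load, and separately flags the ~2 s termination cadence. The security-process name set and the sample timeline are assumptions.

```python
"""Correlate the BYOVD kill-chain sequence the write-up describes (driver dropped,
sc create type=kernel, driver loaded, security process dies) over Sysmon records
from one host, and flag the ~2 s termination loop (constructed demo data)."""
import ntpath
import re
from datetime import datetime

# Assumed sample of security-product binaries; the real list is ESET's 400+ mapping.
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe", "sysmon64.exe"}
# "sc create <name> type= kernel", with or without the space sc.exe expects after "type=".
SC_KERNEL_RE = re.compile(r"\bsc(?:\.exe)?\b.*\bcreate\b.*\btype=\s*kernel\b", re.I)
WINDOW_SEC = 600.0  # look back this far from a kill for the earlier stages

def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def _base(path):
    return ntpath.basename(path.replace("/", "\\")).lower()

def stage_of(ev):
    """Map one Sysmon record to a kill-chain stage, or None if it is not part of one."""
    eid = ev["EventID"]
    if eid == 11 and _base(ev.get("TargetFilename", "")).endswith(".sys"):
        return "drop"
    if eid == 1 and SC_KERNEL_RE.search(ev.get("CommandLine", "")):
        return "install"
    if eid == 6:
        return "load"
    if eid == 5 and _base(ev.get("Image", "")) in SECURITY_PROCESSES:
        return "kill"
    return None

def correlate_kill_chain(events, window=WINDOW_SEC):
    """One alert per host: the first security-process death that is preceded, in order
    and within `window` seconds, by a .sys drop, a kernel service creation and a driver load."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=_ts):
        by_host.setdefault(ev["Computer"], []).append(ev)
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if stage_of(ev) != "kill":
                continue
            t_kill = _ts(ev)
            first = {}  # earliest in-window occurrence of each earlier stage
            for prev in evs[:i]:
                st = stage_of(prev)
                if st and st != "kill" and (t_kill - _ts(prev)).total_seconds() <= window:
                    first.setdefault(st, _ts(prev))
            have = all(s in first for s in ("drop", "install", "load"))
            if have and first["drop"] <= first["install"] <= first["load"]:
                alerts.append({"host": host, "victim": _base(ev["Image"]), "time": ev["UtcTime"]})
                break
    return alerts

def periodic_terminations(events, period=2.0, tolerance=0.75, min_hits=3):
    """Return (host, image) pairs whose ProcessTerminate events recur at about `period` s,
    the signature of the GentleKiller scan-and-kill loop."""
    times = {}
    for ev in sorted(events, key=_ts):
        if stage_of(ev) == "kill":
            times.setdefault((ev["Computer"], _base(ev["Image"])), []).append(_ts(ev))
    flagged = []
    for key, ts in times.items():
        deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if sum(1 for d in deltas if abs(d - period) <= tolerance) >= min_hits:
            flagged.append(key)
    return flagged

# Constructed sample: WS01 shows the full sequence, WS02 a lone Defender restart.
_STAGING = "C:\\Users\\Public\\GentlemenCollection\\havoc.sys"
_DEFENDER = "C:\\Program Files\\Windows Defender\\MsMpEng.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 11, "UtcTime": "2026-06-20 10:00:00.000", "TargetFilename": _STAGING},
    {"Computer": "WS01", "EventID": 1, "UtcTime": "2026-06-20 10:00:05.000",
     "CommandLine": f"sc create Havoc type= kernel binPath= {_STAGING}"},
    {"Computer": "WS01", "EventID": 6, "UtcTime": "2026-06-20 10:00:07.000", "ImageLoaded": _STAGING},
] + [
    {"Computer": "WS01", "EventID": 5, "UtcTime": f"2026-06-20 10:00:{9 + 2 * n:02d}.000", "Image": _DEFENDER}
    for n in range(4)  # 10:00:09, :11, :13, :15 -- the ~2 s loop
] + [
    {"Computer": "WS02", "EventID": 6, "UtcTime": "2026-06-20 10:05:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"Computer": "WS02", "EventID": 5, "UtcTime": "2026-06-20 10:05:30.000", "Image": _DEFENDER},
]
```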

PowerShell/Defender tampering: alert on Set-MpPreference -DisableRealtimeMonitoring, Add-MpPreference -ExclusionPath 'C:' / -ExclusionProcess, firewall disable, SMB1 enable, LSA registry changes; restrict who can run Set-MpPreference and enforce Tamper Protection.

Detection gaps when EDR is dead: Once the killer reaches Ring 0, user-mode tamper protection is moot. Pivot to surfaces that survive EDR death:

  • Identity/AD logs: anomalous DC logons, failed-then-successful logon bursts from a DC, GPO creation/modification (Event ID 5136/5137), unusual ADMIN$/NETLOGON writes, scheduled-task creation under SYSTEM.
  • Network: SystemBC SOCKS5 beaconing (e.g., 193.233.202[.]17), Cobalt Strike, unexpected SOCKS5 from workstations, WinSCP exfil, edge-device auth anomalies.
  • Cloud/edge: FortiGate admin-config changes, new rogue super-admin accounts, FortiCloud SSO anomalies; cross-check devices against the Hudson Rock FortiBleed lookup.

Recommendations

Immediate (0-7 days):

  1. Block the BYOVD core. Enable HVCI (Memory Integrity) and enforce Microsoft's Vulnerable Driver Blocklist; verify the specific Gentlemen-abused drivers (Safetica/Zemana/Qihoo360/IObit/Huawei/Baidu/TechPowerUp + the rootkits) are blocked. Where supported, deploy WDAC driver allow-listing.
  2. Patch and assume-breach FortiGate. Patch CVE-2024-55591 on all FortiOS/FortiProxy; treat any device exposed during the vulnerability window as potentially compromised given the group's ~14,700-device stockpile. Disable internet-facing management interfaces; restrict via local-in policies. Rotate ALL FortiGate admin + SSL-VPN credentials (force PBKDF2 re-hash by interactive admin login post-upgrade), terminate active VPN/admin sessions, enforce phishing-resistant MFA, and check devices against the FortiBleed dataset. Audit for rogue admin accounts (e.g., forticloud-sync, fortigate-tech-support-style names).
  3. Turn on/validate Sysmon Event ID 6 + 7045 ingestion and deploy LOLDrivers + Gentlemen-specific driver-hash detections. https://github.com/fluffybunnies-h4x/FT-Sysmon-Config

Short-term (1-4 weeks):

  4. Harden Domain Controllers (the crown jewel of the kill chain): restrict interactive/network logons, monitor GPO changes, ADMIN$/NETLOGON writes, and RPC-launched binaries. Lock down GPO creation.
  5. Enforce EDR Tamper Protection, password-protect agent uninstall, enable a secondary/independent telemetry source that survives primary-EDR death, and alert on EDR process death / telemetry loss.
  6. Eliminate internet-facing RDP; inventory and restrict AnyDesk/ScreenConnect/remote-management tools; segment IT-management from production.
  7. Maintain immutable, offline, tested backups isolated from domain-joined systems (the group specifically targets NAS/Exchange/backups pre-encryption).

Thresholds that change posture: Any Sysmon EVID 6 load of a known-vulnerable driver from %TEMP%/user-writable paths, any unexpected AV/EDR process termination, any Set-MpPreference -DisableRealtimeMonitoring, or any new immediate-trigger GPO on a DC should be treated as active intrusion and trigger IR. Detection of SystemBC, ThrottleBlood, or HexKiller signatures should trigger a hunt for co-located GentleKiller variants and a DC compromise assessment.

Caveats

  • Dates/figures reflect a fast-moving 2026 campaign and vary by source: victim counts (~300/320->478), FortiBleed device counts (73,932->86,000+), and SystemBC botnet size (1,570+) are point-in-time and partly self-reported (leak-site claims may be inflated/recycled).
  • The FortiBleed/Gentlemen link is unconfirmed -- explicitly circumstantial. No source documents shared operators/infrastructure or a transaction; the "SantaAd"/"SantaMuerte" alias resemblance is unverified and likely coincidental. Do not report them as the same actor.
  • Process-to-vendor mapping for GentleKiller's 400+ targets was AI-assisted by ESET and may contain minor inconsistencies.
  • Attribution of hastalamuerte to Alexander Yapaev is journalist/researcher name-and-shame (Krebs, PRODAFT); there is no public indictment, sanction, or takedown as of late June 2026.
  • Some technical details (G-BOT replacing Cobalt Strike; CWE-244 partial-key-recovery from memory) are lower-confidence/newer and should be validated against current builds.
  • BYOVD requires local admin first -- it is an escalation/evasion technique, not initial access; reducing admin counts is a high-impact control.

References

Primary Research and Analysis

  1. Souček, Jakub. "Killing Me Gently: Inside Gentlemen's EDR Killer Framework." ESET WeLiveSecurity, June 18, 2026. https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/

  2. "Gentlemen Ransomware Uses Multiple EDR Killers to Disable Defenses." Bleeping Computer, June 2026. https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/

  3. "DFIR Report: The Gentlemen and SystemBC -- A Sneak Peek Behind the Proxy." Check Point Research, 2026. https://research.checkpoint.com/2026/dfir-report-the-gentlemen/

  4. "Thus Spoke...The Gentlemen." Check Point Research, 2026. https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/

  5. "How Hastalamuerte Operates: Group-IB's Analysis of The Gentlemen's Attack Methods." Group-IB, 2026. https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/

  6. "Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed." Trend Micro, September 2025. https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html

Threat Actor Profiling and RaaS Analysis

  1. "The Gentlemen Ransomware Group Is Scaling Faster Than Any Other Group on Record." Halcyon Ransomware Research Center, 2026. https://www.halcyon.ai/ransomware-research-reports/threat-assessment-the-gentlemen-ransomware-group

  2. "The Gentlemen: RaaS Ecosystem Analysis." Falconfeeds, 2026. https://falconfeeds.io/blogs/the-gentlemen-russia-raas-operation-rocket-leak-analysis/

  3. "Inside The Gentlemen Ransomware Leak: When the Hunter Becomes the Hunted." SOCRadar, 2026. https://socradar.io/blog/gentlemen-ransomware-leak/

  4. "The Gentlemen Ransomware: What the Internal Leak Reveals About Their Playbook." SOS Ransomware, 2026. https://sosransomware.com/en/ransomware-groups/the-gentlemen-ransomware-what-the-internal-leak-reveals-about-their-playbook/

  5. "Modus Operandi: The Gentlemen (Storm-2697)." CyberWarrior76 via Substack, 2026. https://cyberwarrior76.substack.com/p/modus-operandi-the-gentlemen-storm

  6. "The Gentlemen Ransomware: A Rapidly Scaling RaaS Threat." Hive Pro, 2026. https://www.hivepro.com/threat-advisory/the-gentlemen-ransomware-a-rapidly-scaling-raas-threat

  7. "The Gentlemen Ransomware -- Threat Actor." FortiGuard Labs, 2026. https://fortiguard.fortinet.com/threat-actor/6387/the-gentlemen-ransomware

  8. "The Gentlemen Ransomware Group Deploys Dual-Extortion Tactics, Encrypting and Exfiltrating Data." GBHackers, 2026. https://gbhackers.com/gentlemen-ransomware-2/

FortiBleed Coverage

  1. "FortiBleed Leak Exposes Fortinet VPN Credentials for 73,000 Devices." Bleeping Computer, June 2026. https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/

  2. "Technical Advisory: FortiBleed Credential Exposure Campaign Targeting Internet-Facing Fortinet Devices." Bitdefender Business Insights, 2026. https://www.bitdefender.com/en-gb/blog/businessinsights/technical-advisory-fortibleed-credential-exposure-campaign-targeting-internet-facing-fortinet-devices

CVE and Vulnerability References

  1. "CVE-2024-55591 -- FortiOS/FortiProxy Authentication Bypass." NVD / Fortinet PSIRT. https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity

  2. "CVE-2022-42045 -- Zemana WatchDog Antimalware Driver Privilege Escalation." NVD. https://nvd.nist.gov/vuln/detail/CVE-2022-42045

  3. "CVE-2025-26125 -- IObit IMF ForceDelete Driver Vulnerability." NVD. https://nvd.nist.gov/vuln/detail/CVE-2025-26125

Additional Supporting Sources

  1. "GentleKiller Ransomware Abuses Vulnerable Drivers to Disable 400+ EDR Security Processes." Cryptika Cybersecurity, 2026. https://www.cryptika.com/gentlekiller-ransomware-abuses-vulnerable-drivers-to-disable-400-edr-security-processes/

  2. "Gentlemen Ransomware Builds Modular EDR Killer Suite From Rival Gang Tools." Cybersecurity Insiders, 2026. https://www.cybersecurity-insiders.com/gentlemen-ransomware-edr-killer-suite/

  3. LOLDrivers Project -- Vulnerable Driver Reference. https://www.loldrivers.io/