ESET researchers analyzed the sturdy EDR-killing toolset of the ransomware-as-a-service gang Gents. For the reason that starting of 2026, Gents has emerged as one of the energetic gangs within the ransomware ecosystem. The group distinguishes itself by a mature, operator-maintained set of endpoint detection and response (EDR) killers, i.e., instruments for disrupting safety software program. Moreover, not like most top-tier gangs, Gents doesn’t exhibit a robust US-centric victimology, as a substitute focusing on victims throughout Southeast Asia, South America, and Western Europe.
Whereas there have been a number of stories masking Gents in current months, they haven’t targeted on an in depth evaluation of the group’s EDR killers. Because of ESET’s continued incident-level visibility, we will nevertheless present a uniquely deep view into Gents’s EDR-killer improvement practices. The interior knowledge leak that Gents suffered in Could 2026 then gave us much more perception into the interior workings of the group.
The leak additionally allowed us to verify our speculation from February 2026 that Gents operators actively develop and preserve a portfolio of EDR killers that they provide to associates, centered round their in-house framework we have now named GentleKiller. In addition they incorporate third-party or leaked instruments corresponding to HexKiller, ThrottleBlood, and HavocKiller. These instruments are standardized by a shared defense-evasion layer, impersonating predominantly safety distributors utilizing pretend model info, and copied reliable certificates and icons. Gents additionally demonstrates a capability to unusually shortly operationalize newly disclosed Convey Your Personal Weak Driver (BYOVD) proofs-of-concept, usually inside days of public launch.
On this blogpost, we share our findings on Gents’s suite of EDR killers gained by in depth analysis and corroborated by the current leak. We purpose to offer actionable insights by connecting the EDR killer packages to precise samples, and tying the leaked knowledge to ways, strategies, and procedures (TTPs). Our findings spotlight Gents as one of the technically agile ransomware-as-a-service (RaaS) gangs energetic in 2026.
Key factors of the blogpost:
- Gents operators develop and preserve an EDR-killer suite supplied on to associates.
- GentleKiller is an in‑home framework with no less than eight variants abusing totally different susceptible or malicious drivers.
- Gents operators apply a unified evasion technique throughout instruments that standardizes impersonation and safety.
- Third‑celebration EDR killers (HexKiller, ThrottleBlood, and HavocKiller) are operationally built-in.
- Gents can quickly adapt newly launched EDR killer proofs-of-concept (PoCs).
- The gang’s victimology is globally distributed and notably not US‑targeted.
- Gents additionally makes use of OxideHarvest, a credential stealer maintained by one of many group’s associates.
All through this blogpost, we seek advice from RaaS operators and associates.
Operators are chargeable for growing the ransomware payload, managing decryption keys, sustaining the devoted leak web site, usually negotiating the ransom fee with victims, and providing different tooling and companies for a month-to-month payment or a proportion from the ransom fee (usually 5–20%).
Associates hire ransomware companies from operators, deploy encryptors to victims’ networks, and are additionally chargeable for knowledge exfiltration.
Gents profile
Gents emerged in late 2025 as a RaaS operation and shortly grew into one of the energetic ransomware gangs noticed in Q1 2026. The gang provides a beneficiant 90% share to associates. Group-IB disclosed that Gents was based by hastalamuerte, a disgruntled former Qilin affiliate. PRODAFT tweeted on October 17th, 2025 that Gents operators had been beforehand associates of Qilin, Embargo, LockBit, Medusa, and BlackLock. On June 10th, 2026 Brian Krebs shared proof of hastalamuerte’s true id.
Gents makes use of double extortion – along with encrypting the sufferer knowledge, the group additionally threatens to leak it if the ransom shouldn’t be paid. For encryption, the operators supply a variant written in Go focusing on Home windows, Linux, and different platforms, and an ESXi variant written in C.
One of many issues that units Gents aside is the gang’s willingness to supply extra than simply encryptors to associates – specifically, the gang additionally supplies EDR killers. Current ESET analysis has proven that, in most ransomware intrusions, the accountability for locating a dependable EDR killer usually falls on particular person associates, not the RaaS operators themselves. Solely a small variety of exceptions to this mannequin have been documented. One notable case is RansomHub, which invested in growing its personal EDR killer from scratch, EDRKillShifter, after which supplied it to associates by the affiliate panel.
Gents represents a unique, and up to now underreported, strategy. Reasonably than counting on associates to supply their very own EDR killers, Gents operators actively develop and preserve a portfolio of EDR killers for associates. This portfolio combines an in-house developed software, which we named GentleKiller, together with externally sourced or leaked tooling, standardized by a shared evasion layer and staged in a constant method.
ESET researchers hypothesized that GentleKiller was an inner software again in February 2026, and this was later supported by stories from Group-IB and Verify Level – each point out that the gang supplies EDR-killing capabilities to its (verified) associates. The just lately leaked inner knowledge of the gang supplied the ultimate piece of proof: within the leaks, zeta88 (one other alias utilized by hastalamuerte), the chief of the gang, overtly talks about sustaining and offering EDR-killer packages.
Aside from confirming our suspicion about GentleKiller, the leaked knowledge additionally allowed us to hyperlink a credential stealer we named OxideHarvest to Gents; particularly, to considered one of its associates.
Victimology
Whereas the victimology of enormous RaaS operations is commonly formed extra by associates’ decisions than by operator-led technique, one specific sample nonetheless tends to emerge. Most main ransomware gangs present a robust and chronic concentrate on the US, which ceaselessly accounts for roughly half of all introduced victims. This US-centric bias is obvious throughout a number of distinguished teams, together with Qilin, DragonForce, and Akira, and has successfully turn into the norm amongst top-tier ransomware operations.
Gents stands out as a notable exception to this pattern. Regardless of rating among the many 5 most energetic ransomware gangs in Q1 2026, its victimology doesn’t exhibit a comparable US focus. As an alternative, Gents associates persistently goal victims throughout a broad and geographically numerous vary of nations, with a major variety of victims coming from areas corresponding to Southeast Asia, South America, and Western Europe. Certainly, the gang’s focusing on contains some in any other case uncommon nations like Thailand, Brazil, and France.
The just lately leaked knowledge supplies proof that relating to selecting victims, Gents makes use of a centralized strategy of sorting by viable candidates after which distributing them to associates. Victims are chosen based on their FortiGate (mis)configuration quite than their geographical location.
EDR Killers
In February 2026, we noticed a beforehand undocumented EDR killer deployed by a Gents affiliate and staged in a listing named GentlemenCollection. We named this software GentleKiller. On the time, we hypothesized that it was not an affiliate-specific artifact however quite a software supplied to associates by the Gents operators. Since then, we have now noticed the identical staging sample (dropping GentleKiller and different EDR killers to the GentlemenCollection listing) a number of instances throughout unrelated intrusions that we investigated, persistently involving Gents associates. In parallel, two independently printed stories by Group-IB and Verify Level assessed that the Gents operators explicitly supply EDR-disabling capabilities as a part of their RaaS program.
Taken collectively, these observations allowed us to conclude that GentleKiller is a part of an EDR-killer suite maintained by the Gents operators. This was later confirmed within the group’s leaked knowledge.
Moreover GentleKiller, the suite additionally incorporates HexKiller, HavocKiller, and ThrottleBlood; all ESET names for EDR killers utilized by associates of rival gangs too and obtained by Gents through unknown means. We additionally noticed DemoKiller in a number of intrusions, however this EDR killer didn’t exhibit any ties to Gents and due to this fact we exclude it from the gang’s suite and as a substitute think about it affiliate-specific. The next a part of the blogpost covers these instruments in additional element and locations them into the broader EDR-killer ecosystem. Whereas these instruments are operationally built-in into Gents intrusions, we assess with excessive confidence that solely GentleKiller is developed in-house by the Gents operators, whereas the remaining EDR killers had been seemingly sourced externally and subsequently modified and standardized to suit the operators’ toolset. Our evaluation is predicated on:
- GentleKiller showing primarily in Gents-related intrusions, usually deployed to the GentlemenCollection listing,
- steady improvement with clear entry to the supply code that permits creating new variants and supporting newly emerged PoCs, and
- third-party reporting mentioning Gents providing EDR-killing capabilities to trusted associates.
Protection evasion technique
Gents operators apply a selected set of protection evasion strategies to the gang’s numerous EDR killers. These strategies are utilized to compiled samples quite than supply code. This offers Gents the choice to guard even the EDR killers whose supply code the gang doesn’t possess.
All of the EDR killers which are a part of Gents’s portfolio comply with these defense-evasion patterns, which factors to a standardized technique, specifically:
- Superior binary safety (Enigma or Themida) is utilized to a good portion of the samples we detected. The filename suffix usually identifies the tactic used (Enigma, Themida, or none).
- Filenames are chosen to carefully resemble these of well-known software program distributors, significantly corporations working within the cybersecurity area.
- Executables impersonate the distributors by having the next attributes, all matching the identical vendor or product:
○ fabricated model info,
○ invalid digital signatures copied from reliable executables, and
○ icons matching these of the impersonated distributors.
Though a small variety of samples deviate from this strategy, seemingly as a consequence of inconsistent improvement practices, the overwhelming majority of noticed EDR killers adhere to this sample. In Desk 1, we present how the suffixes work. Later within the blogpost, we clarify how the suffixes are appended to filenames.
Desk 1. Naming sample of the EDR killers maintained by Gents
| Suffix | Safety | Pretend signature | Pretend model info |
| 1 | Enigma | Sure | Sure |
| 2 | Themida | Sure | Sure |
| Mild | None | Sure | Sure |
| Clear | None | No | No |
GentleKiller
GentleKiller is by far probably the most prevalent EDR killer noticed within the Gents ecosystem. On the time of writing, we’re conscious of no less than eight distinct variants, every impersonating a unique reliable product and abusing a unique susceptible or malicious driver. Regardless of these surface-level variations, we classify all of those samples beneath the GentleKiller umbrella as a consequence of a excessive diploma of shared inner traits.
When abstracting away the impersonation layer and the precise drivers used, the underlying code reveals quite a few structural and behavioral commonalities that strongly counsel using a shared improvement template. This template is reused throughout variants, with solely minimal modifications. The defining traits of the template embrace:
- constant strings throughout variants,
- terminating processes periodically in a loop,
- focusing on a broad set of safety options, and
- using similar code obfuscation.
An instance of GentleKiller’s output is illustrated in Determine 1, and a code snippet displaying the code obfuscation is depicted in Determine 2.
This design prioritizes ease of deployment and operational flexibility for associates, whereas minimizing improvement effort for the operators. It permits the Gents operators to combine abused drivers into their toolset very quickly after an EDR killer PoC is disclosed. This was the case with UnknownKiller and PoisonKiller, which had been adopted inside a matter of days.
Whereas some builds don’t goal all of the processes identified to GentleKiller, the final set, supplied in Desk 2, is constant. We leveraged AI to map the method names to their corresponding distributors, and acknowledge that there is perhaps minor inconsistencies. Total, GentleKiller targets greater than 400 processes that the AI mapped to 48 merchandise.
Desk 2. An entire listing of course of names focused by GentleKiller, mapped to their corresponding distributors
| Vendor | Focused processes |
| Acronis | acronis_agent.exe, BackupAndRecoveryAgent.exe, managementagenthost.exe, mms.exe |
| AlienVault | alienvault-agent.exe, osqueryd.exe |
| Avast | afwServ.exe, aswEngSrv.exe, aswidsagent.exe, aswToolsSvc.exe, AvastSvc.exe, AvastUI.exe, avastsvc.exe, avastui.exe, bccavsvc.exe, wsc_proxy.exe |
| AVG | AVGUI.exe, AVGSvc.exe, avgnt.exe, avgsvca.exe, avgToolsSvc.exe |
| Binary Protection | BinaryDefenseAgent.exe |
| Bitdefender | Arrakis3.exe, BDAvScanner.exe, BDFsTray.exe, BDFileServer.exe, BDLived2.exe, BDLogger.exe, BDScheduler.exe, BDStatistics.exe, bdagent.exe, bdemsrv.exe, bdntwrk.exe, bdredline.exe, bdregsvr2.exe, bdservicehost.exe |
| Blumira | BlumiraAgent.exe |
| Bromium | BromiumDaemon.exe, BrDifxapi.exe |
| Carbon Black | cb.exe, cbcomms.exe, cbdefense.exe, carbonsensor.exe, RepMgr.exe |
| Cisco Talos | cfrutil.exe, CiscoAMPCEFWDriver.exe, cisco_amp_connector.exe, immunet.exe |
| CrowdStrike | ARWSRVC.EXE, ARCUpdate.exe, CSFalconContainer.exe, CSFalconService.exe, CSFalconUI.exe, csfalcondataprotect.exe, csfalcondaterepair.exe, REPRSVC.EXE |
| Cynet | CynetEPS.exe, CynetMS.exe, CynetSvc.exe |
| Cybereason | ActiveConsole.exe, cybereason.exe, CybereasonActiveProbe.exe, CybereasonCR.exe |
| Cyvera | CyveraConsole.exe, CyveraService.exe, CyvrAgentSvc.exe, CyvrFsFlt.exe, cyvrfsflt.exe |
| Cylance/BlackBerry | CylanceSvc.exe |
| Darktrace | DarktraceTSA.exe |
| Deep Intuition | DeepInstinct.exe, DeepInstinctService.exe, DIAgentService.exe |
| Elastic | a2guard.exe, a2service.exe |
| ESET | eamonm.exe, eamsi.exe, ecls.exe, efwd.exe, egui.exe, eguiProxy.exe, ekrn.exe, ekrnEpfw.exe, ERAAgent.exe, EraAgentSvc.exe |
| Fortinet | firesvc.exe, firetray.exe, FortiTray.exe, fortiedr.exe, fw.exe |
| G DATA | GDDServer.exe, QHPISVR.EXE, QUHLPSVC.EXE, SAPISSVC.EXE |
| Heimdal | HeimdalsecurityAgent.exe |
| Huntress | HuntressAgent.exe, HuntressRMM.exe |
| Kaspersky | avp.exe, avpsus.exe, avpui.exe, kavfs.exe, kavfsscs.exe, kavfswh.exe, kavfswp.exe, kavtray.exe, klactprx.exe, klcsldcl.exe, klcsweb.exe, klnagent.exe, klnagchk.exe, klscctl.exe, klserver.exe, klwtblfs.exe, kpf4ss.exe, ksde.exe, ksdeui.exe, vapm.exe |
| LogRhythm | LogProcessorService.exe |
| McAfee/Trellix | AGMService.exe, AGSService.exe, masvc.exe, macmnsvc.exe, McAfeeAgent.exe, mcshield.exe, mfeann.exe, mfevtps.exe, mfetp.exe, mfeepehost.exe, mfefire.exe, mfemactl.exe, mfemacsvc.exe, mfemgr.exe, mfemms.exe, MgntSvc.exe, ModuleCoreService.exe, tepfsvc.exe |
| Microsoft Defender | MSASCui.exe, MSASCuiL.exe, MpDefenderCoreService.exe, MsMpEng.exe, MsMpSvc.exe, MsSense.exe, msascuil.exe, msseces.exe, NisSrv.exe, nissrv.exe, SecurityHealthService.exe, SecurityHealthSystray.exe, SenseCncProxy.exe, SenseIR.exe, SenseNdr.exe, SenseSampleUploader.exe, smartscreen.exe, windefend.exe |
| Morphisec | MorphisecService.exe |
| Norton/Symantec | ccApp.exe, ccSvcHst.exe, ccsvchst.exe, ns.exe, nsservice.exe, nortonsecurity.exe, rtvscan.exe, SepMasterService.exe, sepWscSvc64.exe, smc.exe, SmcGui.exe, snac.exe, SymCorpUI.exe, SymWSC.exe |
| OSSEC/Wazuh | ossec-agent.exe, wazuh-agent.exe |
| Palo Alto Networks (Traps/Cortex) | cortexService.exe, trapsagent.exe, trapsd.exe, Traps.exe |
| Panda Safety | panda_url_filtering.exe, pavfnsvr.exe, pavsrv.exe, psanhost.exe, PSANHost.EXE, pselamsvc.EXE, PSUAMain.EXE, PSUAService.EXE, pangps.exe |
| Qualys | qualys-cloud-agent.exe, QualysAgent.exe |
| Rapid7 | ir_agent.exe, rapid7_endpoint.exe |
| Pink Canary | RedCanaryAgent.exe |
| Sangfor | CSAAgent.exe, CSAService.exe, SangforAgent.exe, SangforCSA.exe, SangforEDR.exe, SangforInterface.exe, SangforMonitor.exe, SangforProtect.exe, SangforService.exe, SangforTray.exe, SangforUD.exe |
| SentinelOne | Sentinel.exe, SentinelAgent.exe, SentinelAgentWorker.exe, SentinelCtl.exe, SentinelHelperService.exe, SentinelMemoryScanner.exe, SentinelPowerShellExtension.exe, SentinelRanger.exe, SentinelServiceHost.exe, SentinelStaticEngine.exe, SentinelStaticEngineScanner.exe, SentinelUI.exe |
| SonicWall | SonicWallClientProtectionService.exe, swc_service.exe |
| Sophos | hmpalert.exe, McsAgent.exe, McsClient.exe, SavApi.exe, SAVAdminService.exe, SAVService.exe, SEDService.exe, SophosADSyncService.exe, SophosClean.exe, SophosCleanM64.exe, SophosFIMService.exe, SophosFS.exe, SophosHealth.exe, SophosLiveQueryService.exe, SophosMTR.exe, SophosMTRExtension.exe, SophosNetFilter.exe, SophosNtpService.exe, SophosOsquery.exe, SophosOsqueryExtension.exe, Sophos.PolicyEvaluation.Service.exe, SophosSafestore64.exe, SophosUI.exe, SophosUpdateMgr.exe, sophosav.exe, sophossps.exe, SSPService.exe |
| Tanium | TaniumClient.exe, TaniumCX.exe, tanclient.exe |
| ThreatLocker | ThreatLockerConsent.exe, threatlockerservice.exe, threatlockertray.exe |
| TrendAI | coreFrameworkHost.exe, coreServiceShell.exe, NTRTScan.exe, ntrtscan.exe, Ntrtscan.exe, OfcService.exe, ofcDdaSvr.exe, PccNTMon.exe, PccNt.exe, TISafe.exe, TISafeSvc.exe, TmCCSF.exe, tmicAgentSetting.exe, TMBMSRV.exe, Tmbmsrv.exe, tm_netsrv.exe, TmListen.exe, tmntsrv.exe, TmPfw.exe, tmproxy.exe, TmProxy.exe, TmPreFilter.exe, TmSSClient.exe, TmsaInstance64.exe, TmWscSvc.exe, VOneAgentConsole.exe, VOneAgentConsoleTray.exe |
| Uptycs | VectorAgent.exe, UptycsAgent.exe |
| Varonis | DatAdvantage.exe, VaronisAgent.exe |
| WatchGuard | wlcsservice.exe |
| Webroot | WRSA.exe, WRSkyClient.exe, WRSVC.exe, wrsa.exe |
| Home windows Sysinternals | Sysmon.exe, Sysmon64.exe |
| Zscaler | zlclient.exe |
GentleKiller variants
Every GentleKiller variant impersonates a unique product and abuses a unique malicious or susceptible driver. Desk 3 supplies an inventory of the eight GentleKiller variants we have now noticed up to now. The <suffix> refers back to the naming sample defined in Desk 1. Drivers’ filenames seek advice from how GentleKiller drops them to disk.
Desk 3. Record of GentleKiller variants
| Variant title | Filenames | Abused driver |
| Kaspersky | Kasp<suffix>.exe | eb.sys, a rootkit (PoC) |
| FACEIT Anti-Cheat | FaceIT<suffix>.exe | nseckrnl.sys, NSecsoft NSecKrnl driver (PoC) |
| Valorant | Valorant<suffix>.exe | GameDriverX64.sys, an anti-cheat driver (PoC) |
| Javelin | EAAntiCheat<suffix>.exe EASolo<suffix>.exe |
stpm_(previous|new).sys, two susceptible ProcessMonitor Driver samples by Safetica (PoC) |
| WatchDog | BitD<suffix>.exe | dmx.sys, Zemana’s WatchDog Antimalware Driver (PoC) |
| Community Blocker | MB<suffix>.exe | 360netmon_wfp.sys, a susceptible driver by Qihoo 360 Expertise (PoC) |
| Cleaner | Deletor.exe | IMFForceDelete, IObit’s IMF ForceDelete filter driver (PoC); the motive force is dropped with out the trailing .sys extension |
| G11 | G11<suffix>.exe Symantec<suffix>.exe |
PoisonX, a rootkit (PoC) |
Third-party EDR killers
Aside from the internally developed GentleKiller, Gents has included a number of third-party options into its suite, summarized in Desk 4 and described within the following sections. The <suffix> refers back to the naming sample defined in Desk 1. Driver filenames seek advice from how the related EDR killers drop them to disk.
Desk 4. Record of third-party EDR killers supplied by Gents
| ESET title for the EDR killer | Filenames | Abused driver |
| HexKiller | Avast<suffix>.exe | googleApiUtil64.sys, Baidu Antivirus BdApi driver |
| ThrottleBlood | Despatched<suffix>.exe | ThrottleBlood.sys, driver by TechPowerUp LLC |
| HavocKiller | HwAudKiller.exe Sophos<suffix>.exe |
havoc.sys, Huawei Audio driver |
HexKiller
HexKiller is an EDR killer that we beforehand assessed as being unique to the Warlock gang. Subsequently, its look inside Gents intrusions is sudden and noteworthy.
We discovered HexKiller staged alongside GentleKiller binaries inside the GentlemenCollection listing. Nonetheless, its presence in Gents intrusions doesn’t, by itself, indicate direct collaboration or operational overlap between the Gents and Warlock gangs. It’s believable that Gents operators obtained HexKiller by oblique means, corresponding to personal exchanges, secondary distribution channels, or pattern leaks, with none want for direct interplay with Warlock. We due to this fact don’t think about this to be proof of a deeper relationship between the 2 teams.
ThrottleBlood
This EDR killer has been repeatedly noticed in intrusions carried out by MedusaLocker associates, and, much less ceaselessly, by DragonForce associates. Moreover, it was linked to Gents by Development Micro in September 2025.
At current, we should not have ample proof to conclusively decide the origin of ThrottleBlood. In our telemetry, it seems prominently deployed throughout a number of MedusaLocker intrusions and sporadically in DragonForce-related exercise. These incidents present little operational overlap past using ThrottleBlood itself. One attainable rationalization is that ThrottleBlood is commercially distributed on underground markets, or alternatively a software developed by MedusaLocker operators and shared with their associates, a few of whom might also have ties to DragonForce.
Neither speculation, nevertheless, absolutely explains how a ThrottleBlood pattern appeared in Gents’s possession. Because of this, we can not rule out the opportunity of Gents buying the software by it leaking past the initially meant context. What we state with excessive confidence, nevertheless, is that Gents didn’t develop this EDR killer in-house.
HavocKiller
HavocKiller is the ultimate addition to Gents’s EDR-killer arsenal. Whereas the software was publicly disclosed by Huntress on March 19th, 2026, ESET telemetry confirms its use in real-world intrusions courting again to no less than January 23rd, 2026, indicating that it had been operational for weeks previous to public reporting. We are able to additionally corroborate Huntress’s evaluation relating to its objective: in all instances noticed by ESET, the deployment of HavocKiller was a part of ransomware-related exercise.
Primarily based on its technical traits, we assess that HavocKiller shouldn’t be developed by the Gents operators themselves, however as a substitute was obtained by exterior means. Though the samples had been staged inside the GentlemenCollection listing and Gents’s normal set of protection evasion strategies was utilized to them, the underlying implementation differs considerably from GentleKiller. This strongly means that HavocKiller represents a third-party EDR killer that was tailored operationally, however its structure doesn’t match into Gents’s framework.
OxideHarvest
We additionally detected a number of deployments of a software we named OxideHarvest, a credential stealer written in Rust. Since Rust shouldn’t be the programming language of alternative for Gents, we don’t attribute the software to the group. Nevertheless, as Verify Level famous, a Gents affiliate named quant maintains a software known as buildx641, whose naming and performance instantly reminded us of OxideHarvest. Certainly, after additional investigation, we discovered an OxideHarvest pattern named buildx641.exe uploaded to VirusTotal; we conclude that buildx641 and OxideHarvest are the identical software.
OxideHarvest comes wrapped inside totally different packers, usually mimicking reliable software program in model info and icon (related, however not similar, to what Gents does with GentleKiller). The protected payload is an easy, easy credential stealer. To operate, OxideHarvest requires the person to specify the listing of hosts (-i), username (-u), password (-p), variety of threads (-t), and an output file (-o) as command line choices. The software then makes use of the provided credentials to log into the required hosts (handed as a newline-delimited textual content file), employs multithreading, and exfiltrates credentials into the provided output file. Determine 9 reveals the results of the –help command of OxideHarvest, and Desk 5 reveals its configuration dictating which credentials are focused.
Desk 5. Embedded configuration of OxideHarvest
{
"chronium_browsers": [
[
"Google Chrome",
"GoogleChromeUser Data",
true
],
[
"Google Chrome Beta",
"GoogleChrome BetaUser Data",
true
],
[
"ChromeBeta",
"GoogleChrome SxSUser Data",
true
],
[
"Chromium",
"ChromiumUser Data",
true
],
[
"Microsoft Edge",
"MicrosoftEdgeUser Data",
true
],
[
"Torch",
"TorchUser Data",
true
],
[
"Comodo",
"ComodoDragonUser Data",
true
],
[
"Nichrome",
"NichromeUser Data",
true
],
[
"Maxthon5",
"Maxthon5Users",
true
],
[
"Epic Privacy Browser",
"Epic Privacy BrowserUser Data",
true
],
[
"Vivaldi",
"VivaldiUser Data",
true
],
[
"QIP",
"QIP SurfUser Data",
true
],
[
"Cent",
"CentBrowserUser Data",
true
],
[
"Elements",
"Elements BrowserUser Data",
true
],
[
"TorBro",
"TorBroProfile",
true
],
[
"CryptoTab",
"CryptoTab BrowserUser Data",
true
],
[
"Brave",
"BraveSoftwareBrave-BrowserUser Data",
true
],
[
"Opera",
"Opera SoftwareOpera Stable",
false
],
[
"OperaGX",
"Opera SoftwareOpera GX Stable",
false
],
[
"Opera Neon",
"Opera SoftwareOpera NeonUser Data",
false
]
],
"gecko_browsers": [
[
"Mozila Firefox",
"MozillaFirefoxProfiles",
false
],
[
"Slim",
"FlashPeakSlimBrowserProfiles",
false
],
[
"PaleMoon",
"Moonchild ProductionsPale MoonProfiles",
false
],
[
"Waterfox",
"WaterfoxProfiles",
false
],
[
"Cyberfox",
"8pecxstudiosCyberfoxProfiles",
false
],
[
"BlackHawk",
"NETGATE TechnologiesBlackHawkProfiles",
false
],
[
"IceCat",
"MozillaicecatProfiles",
false
],
[
"KMeleon",
"K-Meleon",
false
]
]
}Conclusion
Gents demonstrates an attention-grabbing strategy: operator-managed EDR killers, prepared to make use of by associates. Whereas most ransomware gangs proceed to delegate EDR killing to associates, Gents has chosen to centralize this operate by providing associates a ready-to-use, standardized EDR-killer suite. This choice makes Gents a beautiful operator for associates because it materially lowers the entry barrier for them, making their job consequently simpler.
This mannequin differs even from the few identified exceptions within the ecosystem. Within the case of RansomHub, the operators invested in a single EDR killer, EDRKillShifter, developed solely in-house. Gents, in contrast, maintains a various portfolio of EDR killers, mixing unique improvement (GentleKiller) with quickly tailored third-party or publicly disclosed tooling (HexKiller, ThrottleBlood, and HavocKiller). The constant utility of protection evasion strategies throughout these instruments additional obscures and complicates easy attribution when samples are noticed in isolation.
As a result of EDR-killer strategies proceed to commoditize and flow into throughout underground communities, this blogpost underscores the need of incident-level investigation and evaluation. With out such context, Gents’s EDR killers are prone to be misattributed, or not attributed in any respect, masking the true extent of this operator’s involvement. Because of our steady perception into Gents intrusions, we had been capable of present safety in opposition to the group’s assaults months earlier than the just lately leaked knowledge confirmed our high-confidence hypotheses on the gang’s EDR-killer suite.
The GentleKiller framework illustrates a deliberate steadiness between in-house improvement and pragmatic reuse of exterior analysis. Whereas some elements present indicators of rushed implementation or inconsistent polish, the general toolset demonstrates excessive operational effectiveness and tight integration into Gents’s ransomware workflow. The group’s skill to adapt newly printed BYOVD PoCs inside days additional underscores its agility.
From a protection perspective, understanding how GentleKiller works permits defenders to higher design their defensive methods and defend even in opposition to yet-to-be-developed, new additions to Gents’s EDR-killing arsenal.
For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com.ESET Analysis provides personal APT intelligence stories and knowledge feeds. For any inquiries about this service, go to the ESET Menace Intelligence web page.
IoCs
Information
| SHA-1 | Filename | Detection | Description |
| 8AE6BD18B129061F6364 |
Kasps.exe | Win64/KillAV.EA | GentleKiller (Kaspersky variant). |
| BA914FE77B177B457994 |
eb.sys | Win64/Agent.ITG | A customized rootkit utilized by the Kaspersky variant of GentleKiller. |
| D605994FC72A2BB59B5C |
FaceIT1.exe | Win64/KillAV.EA | GentleKiller (FACEIT Anti-Cheat variant, Enigma-protected). |
| B0B912A3FD1C05D72080 |
nseckrnl.sys | Win64/VulnDriver |
NSecsoft NSecKrnl driver abused by the FACEIT Anti-Cheat variant of GentleKiller. |
| 5AA3124E5C4921E5EDFC |
Valorant2.exe | Win64/KillAV.EA | GentleKiller (Valorant variant, Themida-protected). |
| 7556AE58C215B8245A43 |
vgk.sys | Win64/VulnDriver |
Tower of Fantasy AntiCheat driver abused by the Valorant variant of GentleKiller. |
| 331879F5EEC8892BBD89 |
EASolo2Light.exe | Win64/KillAV.EA | GentleKiller (Javelin variant abusing Safetica’s newer driver). |
| F11AEBCCB9A86A7E2E65 |
EASOLO1clear.exe | Win64/KillAV.EA | GentleKiller (Javelin variant abusing Safetica’s older driver). |
| EF9CD06683159397F099 |
EAAntiCheatLight |
Win64/KillAV.EA | GentleKiller (Javelin variant abusing each drivers). |
| 711EF221526997039E80 |
stpm_old.sys | Win64/VulnDrive |
Safetica’s Course of Monitor Driver (older) abused by the Javelin variant of GentleKiller. |
| 68FEC379F2AE76C3D2CE |
stpm_new.sys | Win64/VulnDrive |
Safetica’s Course of Monitor Driver (newer) abused by the Javelin variant of GentleKiller. |
| A11EE9CDC59E5CAA59AE |
BitD1.exe | Win64/KillAV.EA | GentleKiller (WatchDog variant, Themida-protected). |
| 96F0DBF52AED0AFD43E4 |
dmx.sys | Win64/VulnDrive |
Zemana’s WatchDog Antimalware Driver abused by the WatchDog variant of GentleKiller. |
| 2F86898528C6CAB3540C |
MB2.exe | Win64/KillAV.EA | GentleKiller (Community Blocker variant, Themida-protected). |
| 9AD51AD97C01E97AB592 |
360netmon_wfp.sys | Win64/VulnDrive |
360netmon.sys driver abused by the Community Blocker variant of GentleKiller. |
| A19117175DBC9BA4D23B |
Deletor.exe | Win64/KillAV.EA | GentleKiller (Cleaner variant). |
| 12500F6C87CE62712A0E |
IMFForceDelete | Win64/VulnDrive |
IMF ForceDelete filter driver abused by the Cleaner variant of GentleKiller. |
| D29670E684E40DDC89B4 |
Symantec.exe | Win64/KillAV.EA | GentleKiller (G11 variant). |
| 56BEE9DF5833A637F5C5 |
G11.sys | Win64/Agent.IYQ | PoisonX rootkit utilized by the G11 variant of GentleKiller. |
| CF4D74DF17A91B4A36A2 |
Avast.exe | Win32/KillAV.NVL | HexKiller included into Gents modus operandi by including the evasion layer. |
| EC296F9501AD71E43081 |
googleApiUtil64 |
Win64/VulnDrive |
Baidu Antivirus BdApi driver abused by HexKiller. |
| 7131B377E96016DC1911 |
Despatched.exe | Win64/KillAV.AT | ThrottleBlood included into Gents modus operandi by including the evasion layer. |
| 82ED942A52CDCF120A89 |
ThrottleBlood.sys | Win64/VulnDrive |
ThrottleStop.sys driver abused by ThrottleBlood. |
| F0537CBB773AE12100B3 |
Sophos.exe | Win64/KillAV.DE | HavocKiller included into Gents modus operandi by including the evasion layer. |
| 1FA071303FB846308571 |
havoc.sys | Win64/VulnDrive |
Weak driver abused by HavocKiller. |
| A5CF917EC4A7DFBDFA43 |
buildx641.exe | Win64/Spy.Agent.AGC | OxideHarvest. |
| D4B19141102015D43632 |
buildx64.exe | Win64/Spy.Agent.AGC | OxideHarvest. |
MITRE ATT&CK strategies
This desk was constructed utilizing model 19 of the MITRE ATT&CK framework.
| Tactic | ID | Title | Description |
| Execution | T1059.003 | Command and Scripting Interpreter: Home windows Command Shell | GentleKiller and associated instruments are console-based executables that run visibly and emit debug strings throughout execution. |
| T1106 | Native API | Consumer-mode elements work together instantly with kernel drivers through DeviceIoControl and different native Home windows APIs to carry out privileged actions. | |
| Persistence | T1543.003 | Create or Modify System Course of: Home windows Service | The EDR killers set up and begin susceptible or malicious drivers as companies previous to exploitation. |
| Stealth | T1036 | Masquerading | Gents’s EDR killers are protected by impersonating reliable distributors by filenames, model info, icons, and copied digital certificates. |
| T1036.001 | Masquerading: Invalid Code Signature | The safety utilized to Gents’s EDR killers provides an invalid code signature as a part of the impersonation technique. | |
| T1027 | Obfuscated Information or Data | Some executables are protected with packers (e.g., Enigma, Themida) and customized control-flow obfuscation. | |
| Protection Impairment | T1685 | Disable or Modify Instruments | GentleKiller and different EDR killers that Gents is in possession of purpose to bypass safety merchandise corresponding to EDRs. |
