ctipilot.ch

ESET: the Gentlemen RaaS gang centrally builds and maintains its affiliates' EDR-killer framework

From CTI Daily Brief — 2026-06-19 · published 2026-06-19

ESET's months-long investigation into the Gentlemen ransomware-as-a-service operation reveals a structural departure from the affiliate norm: rather than each affiliate sourcing its own evasion tooling, the operators build, maintain and distribute a modular EDR-killing framework — GentleKiller — centrally (ESET, 2026-06-18; Help Net Security, 2026-06-18). GentleKiller comprises at least eight variants, each abusing a different legitimately signed driver via BYOVD (T1543.003) and targeting 400+ named security processes mapped to 48 EDR/AV/XDR product families. The defining operational pattern is speed: ESET documents the gang operationalising newly disclosed BYOVD proof-of-concepts within days of public release, and in one case wielding a Huawei audio-driver kill technique before its public disclosure — ESET telemetry shows the gang using it since at least 2026-01-23, weeks ahead of the technique's public write-up (by Huntress) on 2026-03-19.

Common evasion across variants includes Enigma/Themida packing and invalid copies of digital certificates impersonating major AV vendors; a Rust-based credential stealer (OxideHarvest) handles browser-credential theft. The gang reached top-5 most-active RaaS in Q1 2026, offers affiliates a 90% cut, and shows globally distributed victimology including Western Europe — a profile overlapping Swiss critical-sector exposure.

Why it matters to us: an operator-curated EDR-killer means affiliates of even modest skill get current BYOVD capability on day one of a PoC. Enable the Microsoft Vulnerable Driver Blocklist (HVCI) and enforce WDAC driver allowlisting; hunt for service creation that loads unexpected kernel drivers and for DeviceIoControl calls from non-security processes, plus process-termination loops targeting security software (Sysmon EID 6 / kernel-callback telemetry).
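The driver-load hunt suggested above, as an added example that is not ESET's or this brief's code: it scores Sysmon Event ID 6 records against a trusted-signer allowlist, a vulnerable-driver hash blocklist and user-writable load paths. The records are constructed in a simplified `key=value|key=value` layout, and the signer set, directory list and blocklist hash are assumptions or placeholders, not real indicators.

```python
"""Hunt Sysmon Event ID 6 (Driver loaded) records for BYOVD-style driver loads.
Added example, not ESET's or the brief's code; events are constructed in a
simplified 'key=value|key=value' layout and the blocklist hash is a placeholder."""

# Assumption: signers expected to load kernel drivers on this estate.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Windows Hardware Compatibility Publisher"}
BLOCKED_SHA256 = {"11" * 32}  # constructed stand-in for vulnerable-driver block-rule hashes
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\")  # no driver belongs here

SAMPLE_EID6 = [  # constructed records, one per line
    r"ImageLoaded=C:\Windows\System32\drivers\ndis.sys|Hashes=SHA256=" + "aa" * 32
    + "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"ImageLoaded=C:\ProgramData\svc\hwaudio.sys|Hashes=SHA256=" + "11" * 32
    + "|Signed=true|Signature=Example Hardware Vendor Co.|SignatureStatus=Valid",
    r"ImageLoaded=C:\Windows\Temp\drv.sys|Hashes=SHA256=" + "bb" * 32
    + "|Signed=false|Signature=|SignatureStatus=Unsigned",
]

def parse_eid6(line):
    """Split one record into a dict; split on the first '=' only so 'Hashes=SHA256=...' survives."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def sha256_of(ev):
    """Pull the SHA256 digest out of Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    digests = dict(p.partition("=")[::2] for p in ev.get("Hashes", "").split(","))
    return digests.get("SHA256", "").lower()

def flag_driver_load(ev):
    """Return the reasons a driver load deserves a look (empty list means benign)."""
    reasons, path = [], ev.get("ImageLoaded", "")
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("unsigned-or-invalid-signature")
    elif ev.get("Signature") not in TRUSTED_SIGNERS:
        # Validly signed, but by a vendor we do not expect: the classic BYOVD shape.
        reasons.append("signer-not-allowlisted:" + ev["Signature"])
    if any(d in path.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("user-writable-path")
    if sha256_of(ev) in BLOCKED_SHA256:
        reasons.append("hash-on-vulnerable-driver-blocklist")
    return reasons

def hunt(lines):
    """Map each flagged driver path to its list of reasons."""
    hits = {}
    for ev in map(parse_eid6, lines):
        reasons = flag_driver_load(ev)
        if reasons:
            hits[ev["ImageLoaded"]] = reasons
    return hits
```

A validly signed third-party driver that trips only the signer check is the case worth triaging by hand, since that is exactly what a legitimately signed BYOVD driver looks like when it lives in a normal path.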