ctipilot.ch


The Gentlemen — EDR-killer framework documented, OT-adjacent victim claimed, operator named

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

The Gentlemen RaaS operation moved from tooling disclosure to victim impact to attribution across three days. On 2026-06-18 ESET published a months-long investigation showing the gang centrally builds and maintains its affiliates' GentleKiller EDR-killer framework — a structural departure from the affiliate norm in which each affiliate sources its own evasion tooling (ESET, 2026-06-19; daily 06-19). On 2026-06-18 Mackay Sugar — Australia's second-largest sugar producer — confirmed an intrusion around 10 June that halted milling at two of three mills, an OT-adjacent impact the group later claimed (The Record, 2026-06-18; daily 06-20). Separately, KrebsOnSecurity published OSINT attribution identifying the group's administrator ("Hastalamuerte" / "Zeta88") as a 36-year-old from Izhevsk, Russia, who reportedly uses AI tooling to develop ransomware and assist post-exploitation (KrebsOnSecurity, 2026-06-10).

The defender signal is the centralised EDR-killer model: because the BYOVD evasion tooling is built once and pushed to all affiliates, detection content that catches GentleKiller's driver-load and EDR-tamper behaviour generalises across every affiliate intrusion rather than needing per-affiliate tuning. The Krebs attribution is an analytical claim, not an indictment — treat it as context, not actionable IOC.
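To make that generalisation concrete, here is an added correlation rule (example code written for this brief, not ESET's analysis or any GentleKiller artefact): it pairs a kernel driver load from a user-writable path, or with a non-valid signature, with the termination of a protected EDR process on the same host within ten minutes, run over constructed Sysmon-style events. The protected process names, directory list, window and every event value are assumed placeholders.

```python
import json
from datetime import datetime, timedelta

# Assumed placeholders: protected EDR process names and user-writable driver directories.
PROTECTED_PROCESSES = {"edr_agent.exe", "edr_sensor.exe"}
SUSPICIOUS_DRIVER_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WINDOW = timedelta(minutes=10)  # driver load -> EDR tamper correlation window

def parse_events(lines):
    # One JSON event per line with simplified Sysmon field names; sorted by timestamp.
    events = [json.loads(line) for line in lines if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda e: e["ts"])

def is_suspicious_driver_load(ev):
    # Sysmon EID 6 (DriverLoad): non-valid signature or load from a user-writable path.
    if ev.get("event_id") != 6:
        return False
    path = ev.get("image", "").lower()
    signed = ev.get("signature_status", "").lower() == "valid"
    return (not signed) or path.startswith(SUSPICIOUS_DRIVER_DIRS)

def is_edr_tamper(ev):
    # Sysmon EID 5 (ProcessTerminate) whose image is a protected EDR process.
    name = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    return ev.get("event_id") == 5 and name in PROTECTED_PROCESSES

def detect(lines):
    # (host, driver, terminated process) for each suspicious load followed by EDR tamper in WINDOW.
    events = parse_events(lines)
    alerts = []
    for load in (e for e in events if is_suspicious_driver_load(e)):
        for ev in events:
            if (ev["host"] == load["host"] and is_edr_tamper(ev)
                    and load["ts"] <= ev["ts"] <= load["ts"] + WINDOW):
                alerts.append((load["host"], load["image"], ev["image"]))
    return alerts

# Constructed sample events (not real telemetry): host-a should alert, host-b is a
# normal driver load plus an unrelated termination, host-c's tamper falls outside WINDOW.
SAMPLE = r"""
{"ts": "2026-06-10T08:00:00", "host": "host-a", "event_id": 6, "image": "C:\\Users\\Public\\kill.sys", "signature_status": "Invalid"}
{"ts": "2026-06-10T08:02:30", "host": "host-a", "event_id": 5, "image": "C:\\Program Files\\EDR\\edr_agent.exe"}
{"ts": "2026-06-10T08:00:00", "host": "host-b", "event_id": 6, "image": "C:\\Windows\\System32\\drivers\\example.sys", "signature_status": "Valid"}
{"ts": "2026-06-10T08:01:00", "host": "host-b", "event_id": 5, "image": "C:\\Windows\\notepad.exe"}
{"ts": "2026-06-10T09:00:00", "host": "host-c", "event_id": 6, "image": "C:\\ProgramData\\tmp\\drv.sys", "signature_status": "Valid"}
{"ts": "2026-06-10T10:30:00", "host": "host-c", "event_id": 5, "image": "C:\\Program Files\\EDR\\edr_sensor.exe"}
"""
ALERTS = detect(SAMPLE.splitlines())  # expected: one alert, for host-a
```

Because the rule keys on the behaviour (where the driver came from, whether it is signed, what died right after) rather than on a driver hash, the same logic covers every affiliate that receives the centrally built tooling.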