The Gentlemen Collection: HexKiller, ThrottleBlood, and HavocKiller in Action

Recent forensic analysis of the Gentlemen Ransomware-as-a-Service (RaaS) operation reveals a highly structured, centralized methodology for neutralizing Endpoint Detection and Response (EDR) solutions. This unified defense evasion framework distinguishes the group from typical opportunistic actors, effectively lowering the technical barrier to entry for affiliates. This “plug-and-play” evasion capability has propelled the gang into the top five most active ransomware operations as of Q1 2026.

Emerging in late 2025, Gentlemen rapidly scaled its operations by offering an aggressive 90% revenue share to affiliates. Threat intelligence from Group-IB suggests the group was founded by hastalamuerte, a former Qilin affiliate with deep-rooted connections to established cybercrime syndicates. Researchers from PRODAFT have further linked the operation to several major players, including LockBit, Embargo, Medusa, and BlackLock. Notably, the real-world identity of a key operator was reportedly exposed by Brian Krebs on June 10, 2026.

While many premier ransomware groups focus their efforts on high-value U.S. enterprises, Gentlemen pursues a geographically diverse victimology. Their intrusions have been heavily concentrated in Southeast Asia, South America, and Western Europe, with confirmed breaches documented in Thailand, Brazil, and France.

The Technical Core: Unifying HexKiller, ThrottleBlood, and HavocKiller

Analysis of internal data leaks suggests that target selection is driven by exploitable exposure rather than geography: operators actively scan for and exploit misconfigured FortiGate appliances to gain initial access. Once a foothold is established, the group runs a double-extortion playbook using a Go-based encryptor for Windows and Linux environments, complemented by a specialized C-based variant for ESXi hypervisors.

The linchpin of their operational success is GentleKiller, a proprietary EDR-disabling framework first documented by ESET in February 2026. Security researchers have identified at least eight distinct variants of this tool. While each iteration leverages a different vulnerable or malicious driver, they all follow a standardized development template characterized by recurring internal strings, continuous process-termination loops, and uniform code obfuscation.

GentleKiller is engineered for maximum aggression, capable of terminating over 400 processes associated with 48 different security products, including major enterprise solutions such as CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Kaspersky, and ESET. The group also maintains a rapid weaponization cycle, integrating new Bring Your Own Vulnerable Driver (BYOVD) proof-of-concept exploits—such as UnknownKiller and PoisonKiller—often within days of public disclosure.

Beyond the in-house GentleKiller framework, the GentlemenCollection directory stages three externally sourced EDR killers through a standardized evasion layer:

  • HexKiller: Abuses the Baidu Antivirus BdApi driver. While previously associated with the Warlock gang, researchers believe this represents tool acquisition rather than direct operational collaboration.
  • ThrottleBlood: Leverages a driver digitally signed by TechPowerUp LLC, a technique previously seen in MedusaLocker and DragonForce campaigns, suggesting these drivers are sourced from underground markets.
  • HavocKiller: Exploits a Huawei Audio driver (havoc.sys). While Huntress publicly disclosed this driver in March 2026, ESET telemetry confirms Gentlemen was utilizing it in live environments as early as January 23, 2026.

To maintain operational security (OPSEC), Gentlemen applies a consistent evasion layer across its toolkit: packing with Enigma or Themida, forged version metadata, duplicated or invalid digital signatures, and vendor-impersonating icons applied after compilation.

Affiliates are also expanding the group’s toolkit. For example, an affiliate known as quant has integrated OxideHarvest, a Rust-based credential stealer targeting Chromium and Gecko-based browsers, deploying it under the filename buildx641.exe.

Defensive Posture: Defending against the Gentlemen RaaS requires moving beyond static IoCs (Indicators of Compromise) toward robust behavioral analysis. Security teams should prioritize detecting BYOVD driver abuse, anomalous process-termination loops, and unauthorized attempts at vendor impersonation.
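The following is an added example, not code from the original article or from ESET, showing how the three detection priorities above can be layered over host telemetry: a static match on the SHA-1 hashes and driver names the article lists, a BYOVD check on driver-load events, and a behavioral check for the process-termination loop the article attributes to GentleKiller. The events are constructed in Sysmon's field layout (Event ID 6 = driver loaded, Event ID 5 = process terminated, Event ID 1 = process created); the list of security-product process names, the signer strings, the window and the thresholds are assumptions for illustration.

```python
"""Layered detection over constructed Sysmon-style events (added example, not from the article)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Static layer: SHA-1 indicators taken from the article's IoC table.
IOC_SHA1 = {
    "8AE6BD18B129061F63642531F1B684CF0383C75D": "GentleKiller (Kaspersky variant)",
    "BA914FE77B177B45799403B16DD14765C510A074": "eb.sys rootkit (GentleKiller)",
    "56BEE9DF5833A637F5C54D5911DF98B0812FE643": "G11.sys PoisonX rootkit",
    "CF4D74DF17A91B4A36A2911B22AFEC5D8FA93A01": "HexKiller (Avast.exe)",
    "7131B377E96016DC1911020C9F95B1B4D042D7B4": "ThrottleBlood (Sent.exe)",
    "F0537CBB773AE12100B36731E7C39F5A9D852B14": "HavocKiller (Sophos.exe)",
    "A5CF917EC4A7DFBDFA43621398604805D860C718": "OxideHarvest (buildx641.exe)",
}
# Driver file names the article associates with the toolkit. havoc.sys is a legitimately signed
# audio driver, so a load is suspicious, not conclusive; correlate it with the kill behaviour below.
SUSPECT_DRIVERS = {"havoc.sys", "eb.sys", "g11.sys"}
# Signer the article names for ThrottleBlood's driver; legitimate software carries it too.
SUSPECT_SIGNERS = {"techpowerup llc"}
# Assumed, illustrative set of security-product processes a killer loop would target.
SECURITY_IMAGES = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe",
                   "avp.exe", "ekrn.exe", "sophoshealth.exe"}
WINDOW = timedelta(seconds=60)   # assumed correlation window
KILL_THRESHOLD = 4               # assumed: distinct security images terminated inside WINDOW
LOOP_THRESHOLD = 3               # assumed: same agent killed this many times = kill loop


def _sha1(hashes_field):
    """Sysmon's Hashes field looks like 'SHA1=...,MD5=...,SHA256=...'."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA1":
            return value.strip().upper()
    return None


def detect(events):
    """events: dicts with Sysmon-like fields, sorted by UtcTime. Returns a list of alert tuples."""
    alerts = []
    recent_kills = deque()           # (time, image) of recent security-process terminations
    kill_counts = defaultdict(int)   # per-image death count; repeated deaths indicate a loop
    for ev in events:
        t = datetime.strptime(ev["UtcTime"].split(".")[0], "%Y-%m-%d %H:%M:%S")
        image = ev.get("ImageLoaded") or ev.get("Image") or ""
        base = image.rsplit("\\", 1)[-1].lower()
        sha1 = _sha1(ev.get("Hashes", ""))
        if sha1 in IOC_SHA1:                       # static IoC layer (any event carrying a hash)
            alerts.append(("IOC_MATCH", base, IOC_SHA1[sha1]))
        if ev["EventID"] == 6:                     # driver loaded: BYOVD layer
            signer = ev.get("Signature", "").lower()
            if (base in SUSPECT_DRIVERS or signer in SUSPECT_SIGNERS
                    or ev.get("SignatureStatus", "").lower() != "valid"):
                alerts.append(("SUSPECT_DRIVER_LOAD", base, signer or "unsigned"))
        elif ev["EventID"] == 5 and base in SECURITY_IMAGES:   # security process terminated
            kill_counts[base] += 1
            recent_kills.append((t, base))
            while recent_kills and t - recent_kills[0][0] > WINDOW:
                recent_kills.popleft()
            distinct = {b for _, b in recent_kills}
            if len(distinct) >= KILL_THRESHOLD:    # many agents dying at once = mass kill
                alerts.append(("KILL_BURST", f"{len(distinct)} security images in {WINDOW.seconds}s",
                               sorted(distinct)))
                recent_kills.clear()               # one alert per burst
            if kill_counts[base] == LOOP_THRESHOLD:  # same agent killed again and again = kill loop
                alerts.append(("KILL_LOOP", base, kill_counts[base]))
    return alerts


# Constructed sample telemetry (not real events); signer string is an assumption.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-01-23 02:10:00.011", "ImageLoaded": r"C:\Windows\Temp\havoc.sys",
     "Hashes": "SHA1=0000000000000000000000000000000000000000",
     "Signature": "Huawei Technologies Co., Ltd.", "SignatureStatus": "Valid"},
    {"EventID": 1, "UtcTime": "2026-01-23 02:10:02.500", "Image": r"C:\Users\Public\Sophos.exe",
     "Hashes": "SHA1=F0537CBB773AE12100B36731E7C39F5A9D852B14"},
    {"EventID": 5, "UtcTime": "2026-01-23 02:10:05", "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2026-01-23 02:10:06", "Image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"EventID": 5, "UtcTime": "2026-01-23 02:10:07", "Image": r"C:\Program Files\SentinelOne\SentinelAgent.exe"},
    {"EventID": 5, "UtcTime": "2026-01-23 02:10:08", "Image": r"C:\Program Files\ESET\ekrn.exe"},
    {"EventID": 5, "UtcTime": "2026-01-23 02:10:20", "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2026-01-23 02:10:35", "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The hash match is the weakest of the three signals, since the article notes the group repacks binaries and forges metadata; the driver-load check catches the toolkit's reliance on a small set of drivers even when the user-mode killer has been rebuilt, and the kill-burst and kill-loop rules fire on the behaviour no repacking hides. Drop the clear-signer check (the `SignatureStatus != "valid"` clause) on hosts where unsigned test drivers are routine, or it will be noisy.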

Indicators of Compromise (filename, SHA-1, detection name, description):

  • Kasps.exe (SHA-1 8AE6BD18B129061F63642531F1B684CF0383C75D; Win64/KillAV.EA): GentleKiller (Kaspersky variant), primary in-house EDR killer
  • eb.sys (SHA-1 BA914FE77B177B45799403B16DD14765C510A074; Win64/Agent.ITG): Custom rootkit used by the Kaspersky variant of GentleKiller
  • G11.sys (SHA-1 56BEE9DF5833A637F5C54D5911DF98B0812FE643; Win64/Agent.IYQ): PoisonX rootkit used by the GentleKiller G11 variant
  • Avast.exe (SHA-1 CF4D74DF17A91B4A36A2911B22AFEC5D8FA93A01; Win32/KillAV.NVL): HexKiller with Gentlemen's evasion layer applied
  • Sent.exe (SHA-1 7131B377E96016DC1911020C9F95B1B4D042D7B4; Win64/KillAV.AT): ThrottleBlood with Gentlemen's evasion layer applied
  • Sophos.exe (SHA-1 F0537CBB773AE12100B36731E7C39F5A9D852B14; Win64/KillAV.DE): HavocKiller with Gentlemen's evasion layer applied
  • buildx641.exe (SHA-1 A5CF917EC4A7DFBDFA43621398604805D860C718; Win64/Spy.Agent.AGC): OxideHarvest credential stealer linked to Gentlemen affiliate quant
