The GentleKiller Toolkit
The Gentlemen ransomware-as-a-service operation has intensified its efforts to bypass endpoint security, employing a specialized suite of utilities designed to disable endpoint detection and response (EDR) systems. ESET researchers identified a custom tool named GentleKiller as the group's primary EDR evasion weapon, with at least eight distinct variants. Each variant uses the bring-your-own-vulnerable-driver (BYOVD) technique: a legitimately signed but vulnerable driver is loaded to gain kernel-level privileges, which are then used to terminate security processes. The variants impersonate legitimate software, including Kaspersky, Valorant, and Javelin, and share common code obfuscation methods, targeting logic, and string patterns. The framework allows easy swapping of drivers, enabling the group to quickly weaponize newly disclosed vulnerable drivers without significant code changes.
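Because a BYOVD tool needs a kernel driver load to succeed, the driver-load event is the defender's earliest high-fidelity signal. The following Python script is an added example, not code from the article or from ESET: it parses constructed, flattened Sysmon Event ID 6 (DriverLoad) records and flags loads whose SHA256 is on a vulnerable-driver blocklist, that are not validly signed, or that come from a user-writable directory. The blocklist entry and all sample events are placeholders; in practice the set would be populated from Microsoft's vulnerable driver blocklist or a similar feed, since the page does not list the drivers GentleKiller carries.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD-style driver loads.

Added example with constructed input; not the article's or ESET's code.
"""
import re
from dataclasses import dataclass

# Placeholder: populate from Microsoft's vulnerable driver blocklist or a similar
# feed. The hash below is constructed and matches no real driver.
KNOWN_VULNERABLE_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# Directories from which a legitimate driver package is rarely loaded.
SUSPICIOUS_PATH_PATTERNS = (
    re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),
    re.compile(r"\\windows\\temp\\", re.I),
    re.compile(r"\\programdata\\", re.I),
    re.compile(r"\\users\\public\\", re.I),
)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature: str
    signature_status: str


def parse_sysmon_driver_load(line: str) -> DriverLoad:
    """Parse one flattened 'Key: value|Key: value' Event ID 6 line (constructed layout).

    Field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are the
    real Sysmon Event ID 6 field names; the pipe-separated layout is ours.
    """
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    hashes = dict(h.split("=", 1) for h in fields["Hashes"].split(","))
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields["Signed"].strip().lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def assess(load: DriverLoad) -> list[str]:
    """Return the reasons a driver load is suspicious (empty list means clean).

    Note that BYOVD drivers are typically validly signed, so the hash and path
    checks carry most of the weight; the signature check catches cruder cases.
    """
    reasons = []
    if load.sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if not load.signed or load.signature_status.strip().lower() != "valid":
        reasons.append("driver not validly signed")
    if any(p.search(load.image) for p in SUSPICIOUS_PATH_PATTERNS):
        reasons.append("loaded from user-writable path")
    return reasons


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each suspicious driver image path to its list of reasons."""
    findings = {}
    for line in lines:
        load = parse_sysmon_driver_load(line)
        reasons = assess(load)
        if reasons:
            findings[load.image] = reasons
    return findings


# Constructed sample events: one benign system driver, one validly signed driver
# on the blocklist dropped into Temp, one unsigned driver in ProgramData.
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys|Hashes: SHA256=AAAA|"
    "Signed: true|Signature: Microsoft Windows|SignatureStatus: Valid",
    "ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\update.sys|"
    "Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000001|"
    "Signed: true|Signature: Example Vendor Ltd|SignatureStatus: Valid",
    "ImageLoaded: C:\\ProgramData\\svc\\helper.sys|Hashes: SHA256=BBBB|"
    "Signed: false|Signature: |SignatureStatus: Unavailable",
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(reasons)}")
```

The benign system driver produces no finding; the Temp-dropped driver is flagged on both the blocklist hash and its path even though its signature is valid, which is the pattern a BYOVD load leaves; the unsigned ProgramData driver is flagged on signature and path. Hash matching only works when the blocklist is kept current, so the path heuristic is worth keeping as a second, independent signal.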
Impact and Scope
GentleKiller targets over 400 processes associated with approximately 48 security vendors, including Microsoft, CrowdStrike, SentinelOne, Palo Alto Networks, and ESET. The group also uses at least three external EDR-killing tools: HexKiller, ThrottleBlood, and HavocKiller, likely for redundancy and to complicate attribution. A Rust-based credential stealer, OxideHarvest, was also observed in attacks. ESET noted that the Gentlemen ransomware selects targets based on FortiGate endpoint configurations, a tactic that aligns with the recent leak of nearly 74,000 FortiGate VPN credentials known as FortiBleed. The group previously compromised the Romanian energy provider Oltenia and operates a SystemBC proxy malware botnet with over 1,570 hosts believed to be corporate victims.
Source: BleepingComputer
