Ethical Hacking News
The Sophisticated EDR Killer Suite of The Gentlemen RaaS: A Threat to Cybersecurity
In recent months, ransomware-as-a-service (RaaS) operations such as The Gentlemen have escalated their use of endpoint detection and response (EDR) killers: tooling whose job is to terminate or blind security agents before the ransomware payload runs. The EDR killer suite used by The Gentlemen has drawn attention both for how many variants it contains and for how effectively it evades detection. Researchers warn that the threat should not be underestimated, because the tooling keeps being reworked as defenders respond to it.
In summary: the suite is built on a framework called GentleKiller, which produces pre-compiled killers that pose as legitimate security products from a range of vendors. It comprises eight variants, each aimed at particular security products and their drivers. The most notable is PoisonX.sys, a driver used in bring-your-own-vulnerable-driver (BYOVD) attacks against CrowdStrike Falcon. The suite also bundles tools previously seen with other ransomware gangs. The suite is further reported to abuse vulnerable vendor-signed UEFI applications to bypass Secure Boot; the defence there is to apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in those binaries. The Gentlemen has been linked to several high-profile intrusions, which illustrate how readily the operation adapts.
According to recent reports from cybersecurity researchers, including Jakub Souček of ESET, the suite is based on a framework known as GentleKiller. The framework lets The Gentlemen's operators deploy pre-compiled EDR killer samples that pose as legitimate products from various security vendors. To sidestep detection the samples are packed with commercial protectors such as Enigma or Themida and are given file names that resemble well-known security vendors' products.
The GentleKiller suite consists of eight variants, listed in the reports as Kaspersky, FACEIT Anti-Cheat, Valorant, Javelin, WatchDog, Network Blocker, Cleaner, and G11; each is tailored to a particular set of security products and drivers. The most notable is PoisonX.sys, a driver observed in several BYOVD attacks against CrowdStrike Falcon EDR.
Furthermore, this suite of EDR killers includes tools previously associated with other ransomware gangs, such as HexKiller ("googleApiUtil64.sys"), ThrottleBlood ("ThrottleBlood.sys"), and HavocKiller or HwAudKiller ("havoc.sys"). The inclusion of these tools underscores the sophistication and adaptability of The Gentlemen RaaS operation.
In a recent report, ESET researcher Martin Smolár highlighted the vulnerabilities exploited by this suite: multiple vendor-signed UEFI applications that can be abused to bypass Secure Boot, since their signatures are trusted by the firmware. The affected applications have been documented for Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, and Uniwill.
In response, cybersecurity experts are urging system administrators to apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries. This measure prevents attackers from using those binaries to execute arbitrary code in the pre-boot phase, before the operating system and its security tooling are running. Two caveats apply: a DBX update only matters on systems where Secure Boot is actually enabled, and a revocation should be staged and tested first, because revoking a binary that is still in a machine's boot path will stop that machine from booting.
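Practitioners who want to verify that a revocation has actually landed can read the dbx variable and check it for the hash in question. The following is an added example, not code from the article or from ESET: a parser for the EFI_SIGNATURE_LIST structure that the db and dbx variables use (layout and the EFI_CERT_SHA256_GUID value are from the UEFI specification), plus a membership check. The sample DBX contents, the zero owner GUID and the hash values are constructed for illustration.

```python
"""
Added example: parse a chain of UEFI EFI_SIGNATURE_LISTs (the dbx variable
format) and check whether a given SHA-256 is revoked. Structure layout and
the SHA-256 signature-type GUID come from the UEFI specification; the sample
DBX below is constructed, not a real revocation list.
"""
import struct
import uuid

# EFI_CERT_SHA256_GUID (UEFI spec): each entry is a 32-byte SHA-256 of a PE
# image's Authenticode hash, so SignatureSize is 16 (owner GUID) + 32.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Owner GUID used in the constructed sample. Real DBX updates carry the
# vendor's GUID; the owner is irrelevant to a membership check.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000000")

# EFI_SIGNATURE_LIST header: SignatureType (GUID, little-endian field order),
# SignatureListSize, SignatureHeaderSize, SignatureSize; all UINT32 LE.
HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for every EFI_SIGNATURE_DATA entry
    in a sequence of EFI_SIGNATURE_LISTs, validating the size fields."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        guid_le, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        if list_size < HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size <= 16:
            raise ValueError("bad SignatureSize")
        sig_type = uuid.UUID(bytes_le=guid_le)
        body_start = off + HDR.size + hdr_size
        body_len = list_size - HDR.size - hdr_size
        if body_len % sig_size:
            raise ValueError("signature area not a multiple of SignatureSize")
        for s in range(body_start, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[s:s + 16])
            yield sig_type, owner, blob[s + 16:s + sig_size]
        off += list_size


def revoked_sha256(blob: bytes) -> set[bytes]:
    """All SHA-256 hashes revoked by the given dbx contents."""
    return {d for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, pe_sha256_hex: str) -> bool:
    """True if the PE Authenticode SHA-256 (hex) appears in the dbx blob."""
    return bytes.fromhex(pe_sha256_hex) in revoked_sha256(blob)


def build_sha256_list(hashes) -> bytes:
    """Encode SHA-256 hashes as one EFI_SIGNATURE_LIST. Used here only to
    construct the sample; the layout matches what a real dbx variable holds."""
    body = b"".join(SAMPLE_OWNER.bytes_le + h for h in hashes)
    return HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, HDR.size + len(body), 0, 16 + 32) + body


# Constructed sample DBX: two lists, one revoked hash each (made-up values).
REVOKED_A = bytes.fromhex("11" * 32)
REVOKED_B = bytes.fromhex("22" * 32)
SAMPLE_DBX = build_sha256_list([REVOKED_A]) + build_sha256_list([REVOKED_B])

if __name__ == "__main__":
    print("11..11 revoked:", is_revoked(SAMPLE_DBX, "11" * 32))
    print("33..33 revoked:", is_revoked(SAMPLE_DBX, "33" * 32))
```

On a live Windows host the raw variable comes from `(Get-SecureBootUEFI -Name dbx).Bytes`; on Linux it is `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f`, whose first four bytes are variable attributes and must be skipped. The DBX update files distributed by the UEFI Forum are wrapped in an EFI_VARIABLE_AUTHENTICATION_2 header that also precedes the signature lists. Note that the hash to check is the PE Authenticode hash of the binary, not a plain `sha256sum` of the file, and that dbx can also revoke entire certificates (EFI_CERT_X509_GUID entries), which this membership check does not cover.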
The Gentlemen RaaS operation has been linked to several high-profile attacks, including one in which CrowdStrike Falcon EDR was disabled and another in which BeyondTrust Remote Support was leveraged for access, security tooling was then terminated via "PoisonX.sys" and "hrwfpdrv.sys", and ransomware was deployed across the network once the agents were gone. These incidents demonstrate the operational flexibility of The Gentlemen, which adapts its tooling quickly as defenders catch on.
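The drivers named above (PoisonX.sys, hrwfpdrv.sys, googleApiUtil64.sys, ThrottleBlood.sys, havoc.sys) and the vendor-lookalike naming are the parts of this tradecraft a detection engineer can act on. The following is an added example, not code from the article or from ESET: a small detector run over constructed Sysmon Event ID 6 (DriverLoad) records. The field names follow Sysmon's schema; the sample events, the vendor-token table and the heuristic that a vendor-looking file name should carry that vendor's signature are assumptions for illustration.

```python
"""
Added example: flag suspicious kernel driver loads from Sysmon Event ID 6
records. Known EDR-killer driver names come from the article; the vendor-name
heuristic and the sample events below are constructed assumptions.
"""
import re

# Driver file names the article associates with GentleKiller and related
# EDR killers. Matched on basename, case-insensitively.
KNOWN_KILLER_DRIVERS = {
    "poisonx.sys",
    "hrwfpdrv.sys",
    "googleapiutil64.sys",
    "throttleblood.sys",
    "havoc.sys",
}

# Assumed lookalike tokens: if a driver's name contains one of these but its
# Authenticode signer does not name that vendor, treat it as a lure.
VENDOR_TOKENS = {
    "kaspersky": "Kaspersky",
    "faceit": "FACEIT",
    "crowdstrike": "CrowdStrike",
    "csagent": "CrowdStrike",
}


def basename(path: str) -> str:
    """Last path component, accepting either separator."""
    return re.split(r"[\\/]", path)[-1]


def classify_driver_load(event: dict) -> list[str]:
    """Return the reasons a DriverLoad event is suspicious (empty if clean)."""
    name = basename(event.get("ImageLoaded", "")).lower()
    signature = event.get("Signature", "")
    status = event.get("SignatureStatus", "")
    reasons = []
    if name in KNOWN_KILLER_DRIVERS:
        reasons.append(f"known EDR-killer driver name: {name}")
    for token, vendor in VENDOR_TOKENS.items():
        if token in name and vendor.lower() not in signature.lower():
            reasons.append(f"name mimics {vendor} but signer is '{signature or 'none'}'")
            break
    if status and status.lower() != "valid":
        reasons.append(f"signature status {status}")
    return reasons


def scan(events):
    """Yield (event, reasons) for each suspicious driver load."""
    for ev in events:
        reasons = classify_driver_load(ev)
        if reasons:
            yield ev, reasons


# Constructed sample events (not real telemetry). Signer strings are invented.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\PoisonX.sys",
     "Signature": "Some Hardware Co", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\kaspersky_helper.sys",
     "Signature": "Example Gaming Ltd", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Temp\havoc.sys",
     "Signature": "", "SignatureStatus": "Revoked"},
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(basename(ev["ImageLoaded"]), "->", "; ".join(reasons))
```

A name list like this is brittle by design: the drivers abused in BYOVD attacks are usually legitimately signed, so `SignatureStatus` alone will read Valid, and operators rename files freely. The durable control is to block the vulnerable drivers themselves, for example by enforcing Microsoft's vulnerable driver blocklist through HVCI or a WDAC policy, and to alert on any driver load from user-writable paths such as the ProgramData, Temp or Public directories.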
In conclusion, The Gentlemen RaaS operation represents a significant threat to cybersecurity due to its sophisticated EDR killer suite. As this threat continues to evolve, it is essential for security professionals to stay informed about emerging vulnerabilities and take proactive measures to protect their systems.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Sophisticated-EDR-Killer-Suite-of-The-Gentlemen-RaaS-A-Threat-to-Cybersecurity-ehn.shtml
https://thehackernews.com/2026/06/the-gentlemen-raas-uses-gentlekiller.html
Published: Fri Jun 19 15:04:54 2026 by llama3.2 3B Q4_K_M