Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
🇷🇺 RU7 malware families

Gentlemen

Also known asgentlemen

Gentlemen is a ransomware-as-a-service (RaaS) operation that emerged in 2025 and became one of the most active ransomware groups in 2026. Reporting in the provided content describes it as a Russian-speaking ransomware group and links its founding to a former Qilin affiliate using the handle hastalamuerte; some reporting also identifies the leader as zeta88/hastalamuerte. Gentlemen uses a double-extortion model, combining data theft with file encryption, and operates an affiliate program. The group has been observed advertising on underground forums including Rehub since September 2025. A defining characteristic of Gentlemen is that its operators centrally develop, maintain, and distribute endpoint detection and response (EDR) killing tools to affiliates rather than leaving defense evasion to individual operators. ESET named the group’s in-house framework GentleKiller. The content states that GentleKiller has at least eight variants, uses bring-your-own-vulnerable-driver techniques, abuses vulnerable or malicious kernel drivers, repeatedly terminates security processes in a loop, and targets more than 400 process names associated with 48 security products. The group also uses externally sourced EDR-killing tools including HexKiller, ThrottleBlood, and HavocKiller, standardized through a shared evasion and impersonation layer using fake version information, copied or invalid signatures, matching icons, and sometimes Enigma or Themida protection. The content also links the Rust-based credential stealer OxideHarvest, also referred to as buildx641, to a Gentlemen affiliate named quant. Victimology in the provided content is concentrated in Southeast Asia, South America, and Western Europe rather than being primarily US-focused. The content states that target selection is driven largely by FortiGate configuration or misconfiguration. Reported victims or claimed victims include Mackay Sugar in Australia and Romanian critical infrastructure entities, with the group claiming attacks affecting the national oil pipeline operator and a major coal-based power producer. The content also notes activity in the Middle East, Turkey, and Africa region. Known aliases in the provided content are limited to Gentlemen / The Gentlemen.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇹🇭 Thailand
  • 🇧🇷 Brazil
  • 🇫🇷 France
  • 🇺🇸 United States

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

30 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics40 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1078×2
Valid Accounts
TA0002
Execution
2 techniques
T1059
Command and Scripting Interpreter
T1059.003×2
Windows Command Shell
T1106×2
Native API
TA0003
Persistence
2 techniques
T1078×2
Valid Accounts
T1543
Create or Modify System Process
T1543.003×2
Windows Service
TA0004
Privilege Escalation
4 techniques
T1068×2
Exploitation for Privilege Escalation
T1078×2
Valid Accounts
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
T1543
Create or Modify System Process
T1543.003×2
Windows Service
TA0005
Stealth
7 techniques
T1014
Rootkit
T1027×2
Obfuscated Files or Information
T1027.002×3
Software Packing
T1036×5
Masquerading
T1036.001×2
Invalid Code Signature
T1070
Indicator Removal
T1070.004×2
File Deletion
T1078×2
Valid Accounts
T1211
Exploitation for Stealth
T1218
System Binary Proxy Execution
TA0112
Defense Impairment
2 techniques
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
T1553
Subvert Trust Controls
T1553.002
Code Signing
TA0006
Credential Access
3 techniques
T1003×2
OS Credential Dumping
T1555
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
T1649×2
Steal or Forge Authentication Certificates
TA0008
Lateral Movement
1 technique
T1021
Remote Services
TA0011
Command and Control
2 techniques
T1090
Proxy
T1105
Ingress Tool Transfer
TA0010
Exfiltration
2 techniques
T1041
Exfiltration Over C2 Channel
T1537×2
Transfer Data to Cloud Account
TA0040
Impact
4 techniques
T1486×8
Data Encrypted for Impact
T1489×2
Service Stop
T1490
Inhibit System Recovery
T1657
Financial Theft
ARSENAL

Associated malware families

7 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
GentleKillerGentlemen’s operators build, maintain, and centrally distribute a full portfolio of EDR killers, anchored by an in-house framework ESET has named GentleKiller.4Jun 21, 2026
HavocKillerHavocKiller / HwAudKiller The most recent addition to the suite. Huntress publicly disclosed HavocKiller on 19 March 2026 , but ESET’s own telemetry shows real-world use dating back to at least 23 January 2026.4Jun 21, 2026
HexKillerBeyond the in-house framework, Gentlemen folds three externally sourced tools into the affiliate-facing portfolio: ESET name Filename(s) Abused driver HexKiller Avast<suffix>.exe googleApiUtil64.sys – a Baidu Antivirus BdApi driver4Jun 21, 2026
ThrottleBloodThrottleBlood Repeatedly observed in MedusaLocker affiliate intrusions and, less frequently, DragonForce affiliate activity. Trend Micro linked it to Gentlemen as early as September 2025.4Jun 21, 2026
OxideHarvestOxideHarvest (also tracked under the alias buildx641 ) is a Rust-written credential stealer.3Jun 21, 2026

2 additional families tracked in Mallory.

IOCS

Observables

27 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

27 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
thecybersecguruNews
Jun 21, 2026
GentleKiller: Inside Gentlemen RaaS's EDR-Killer Suite | The CyberSec Guru

RaaS operation that centrally develops, maintains, and distributes a portfolio of EDR-killing tools to affiliates before ransomware deployment, using double extortion and targeting organizations selected largely by FortiGate firewall configuration.

Read more
cyber security newsNews
Jun 21, 2026
GentleKiller Ransomware Abuses Vulnerable Drivers to Disable 400+ EDR Security Processes

RaaS operation using the GentleKiller framework and other integrated EDR killers to disable endpoint defenses before ransomware deployment; also uses a credential stealer and rapidly operationalizes newly published BYOVD PoCs.

Read more
the hacker newsNews
Jun 19, 2026
The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes

Ransomware-as-a-service operation centralizing development of standardized EDR-killer tooling for affiliates, rapidly operationalizing BYOVD proof-of-concept exploits, and conducting ransomware attacks at scale.

Read more
gurucul threat researchNews
Jun 19, 2026
Killing Me Gently: Inside Gentlemen’s EDR Killer Framework | Community Portal | Gurucul

Prominent ransomware group active since early 2026, notable for maintaining sophisticated EDR-killing tools to disrupt security software and operating heavily against targets in Southeast Asia, South America, and Western Europe rather than the US.

Read more
+24 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping30

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal7

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables27

Domains, IPs, and hashes tied to this actor, refreshed continuously.