
The Gentlemen ransomware vendor-specific AV/EDR bypass activity

Malware Activity
Happening score: 44
1 unique source, 1 article

Summary


The Gentlemen ransomware gang is now abusing ThrottleStop.sys and related tools to kill AV and EDR defenses, increasing the chance that its encryption stage reaches targeted enterprises undetected. The activity uses a bring-your-own-vulnerable-driver (BYOVD) technique and has shifted toward vendor-specific bypasses rather than generic evasion. Researchers first observed the operation this summer, and the underlying driver flaw is tracked as CVE-2025-7771.

Related Happenings

Vidar infostealer market rise and distribution expansion

Malware Activity
First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

How related: Trend Micro researchers detailed the tactics, techniques, and procedures (TTPs) of The Gentlemen ransomware gang, which was first observed this summer.

About this happening: **The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...

Medusa ransomware post-compromise deployment

Malware Activity
First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...

Warlock ransomware post-exploitation tooling upgrades

Malware Activity
First: 17.03.2026 17:36 Last: 17.03.2026 17:36 Sources 1

About this happening: The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...

Osiris ransomware uses POORTRY BYOVD to disable defenses and exfiltrate data

Malware Activity
First: 22.01.2026 20:00 Last: 22.01.2026 20:00 Sources 1

About this happening: Researchers disclosed **Osiris**, a **new ransomware family** that hit a **major food service franchisee operator in Southeast Asia** in **November 2025**, showing an active intru...

Timeline

  1. 11.09.2025 23:42 · 2 articles

    Trend Micro details The Gentlemen ransomware's ThrottleStop.sys BYOVD evasion

    Initial Disclosure

    Trend Micro published analysis of The Gentlemen ransomware gang's use of a legitimate vulnerable driver, ThrottleStop.sys, renamed ThrottleBlood.sys, to kill antivirus and EDR processes through a bring-your-own-vulnerable-driver technique. The same reporting also described All.exe as an AV killer, PowerRun.exe for privilege-related abuse, and Allpatch2.exe as a customized AV killer used to terminate security agent components, showing the group shifting toward targeted, vendor-specific bypasses against enterprise defenses.
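    A defender-side detection sketch, added here as an example and not part of the Trend Micro report or this site's content: it applies a rename-aware BYOVD check to constructed driver-load and process records shaped like Sysmon Event ID 6/1 fields plus the PE OriginalFileName. The record layout, sample paths and watchlist structure are assumptions; the driver and tool names come from the reporting above.

```python
import ntpath  # Windows-style path handling so this also runs on Linux hosts

# Constructed watchlist built from the names in the reporting above.
# Vendor-published driver hashes (not on this page) would be added alongside.
VULNERABLE_DRIVER_ORIGINAL_NAMES = {"throttlestop.sys"}
KNOWN_AV_KILLER_TOOLS = {"all.exe", "allpatch2.exe", "powerrun.exe"}
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\")


def check_driver_load(image_loaded: str, original_filename: str, signed: bool) -> list[str]:
    """Reasons to alert on one driver-load record (assumed field names)."""
    reasons = []
    loaded = ntpath.basename(image_loaded).lower()
    orig = original_filename.lower()
    if orig in VULNERABLE_DRIVER_ORIGINAL_NAMES:
        reasons.append(f"known vulnerable driver {orig} loaded")
        if loaded != orig:  # ThrottleStop.sys shipped as ThrottleBlood.sys
            reasons.append(f"renamed on disk as {loaded}")
    if any(h in image_loaded.lower() for h in USER_WRITABLE_HINTS):
        reasons.append("driver loaded from user-writable path")
    if not signed:
        reasons.append("unsigned driver")
    return reasons


def check_process(image: str) -> list[str]:
    """Reasons to alert on one process-create record."""
    name = ntpath.basename(image).lower()
    return [f"known AV killer tool {name}"] if name in KNOWN_AV_KILLER_TOOLS else []


def scan(records: list[dict]) -> list[tuple[dict, list[str]]]:
    """Return (record, reasons) for every record that trips a rule."""
    hits = []
    for r in records:
        if r["type"] == "driver":
            reasons = check_driver_load(r["ImageLoaded"], r["OriginalFileName"], r["Signed"])
        else:
            reasons = check_process(r["Image"])
        if reasons:
            hits.append((r, reasons))
    return hits


# Constructed sample telemetry: one renamed vulnerable driver, one benign driver,
# one AV-killer tool and one benign process.
SAMPLE = [
    {"type": "driver", "ImageLoaded": "C:\\Users\\Public\\ThrottleBlood.sys",
     "OriginalFileName": "ThrottleStop.sys", "Signed": True},
    {"type": "driver", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "OriginalFileName": "ndis.sys", "Signed": True},
    {"type": "process", "Image": "C:\\Users\\Public\\Allpatch2.exe"},
    {"type": "process", "Image": "C:\\Windows\\explorer.exe"},
]
```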
