The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
Summary
Hide ▲
Show ▼
The Gentlemen ransomware-as-a-service operation is using an operator-maintained EDR-killer portfolio, led by GentleKiller, to disable security software before encryption. ESET says the framework uses BYOVD methods, targets more than 400 processes across roughly 48 security products, and includes at least eight variants that impersonate legitimate vendors and reuse shared evasion code. The group also distributes HexKiller, ThrottleBlood, and HavocKiller, and it has been linked to OxideHarvest credential theft and rapid adaptation of newly disclosed driver exploits.
Related Happenings
Avalon modular malware framework with CrownX ransomware
Malware Activity
H score33
First: 03.07.2026 21:55
Last: 03.07.2026 21:55
Sources 1
About this happening:
The **Avalon** malware framework was uncovered after a **multi-stage phishing chain** that can bypass traditional security controls and deliver **credential theft** plus **ransomw...
Avalon modular malware framework with CrownX ransomware
Malware ActivityAbout this happening: The **Avalon** malware framework was uncovered after a **multi-stage phishing chain** that can bypass traditional security controls and deliver **credential theft** plus **ransomw...
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
How related:
New analysis from ESET detailed the endpoint detection and response (EDR) killer suite of The Gentlemen, a ransomware-as-a-service operation (RaaS), built around an in-house framework the researchers named GentleKiller.
About this happening:
**Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityHow related: New analysis from ESET detailed the endpoint detection and response (EDR) killer suite of The Gentlemen, a ransomware-as-a-service operation (RaaS), built around an in-house framework the researchers named GentleKiller.
About this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure
Threat Actor Meta
H score26
First: 18.06.2026 16:30
Last: 18.06.2026 16:30
Sources 1
About this happening:
**Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...
DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure
Threat Actor MetaAbout this happening: **Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor Meta
H score24
First: 11.06.2026 19:50
Last: 11.06.2026 19:50
Sources 1
About this happening:
**Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor MetaAbout this happening: **Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor Meta
H score26
First: 10.06.2026 17:03
Last: 10.06.2026 17:03
Sources 1
About this happening:
**The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...
Timeline
-
21.04.2026 17:00 2 articles · 2mo ago
The Gentlemen RaaS expands into enterprise environments
Initial DisclosureThe Gentlemen ransomware-as-a-service operation was described as a rapidly expanding affiliate program that first emerged in mid-2025, recruited technically skilled partners on underground forums, and moved into enterprise environments by early 2026. Check Point researchers said the group had claimed more than 320 victims, distributed Go-based ransomware for Windows, Linux, NAS and BSD plus a separate C-based ESXi encryptor, and was linked during incident response to SystemBC and a related command-and-control server showing more than 1570 infected systems globally, concentrated in the US, UK and Germany.
Show sources
- The Gentlemen Ransomware Expands With Rapid Affiliate Growth — www.infosecurity-magazine.com — 21.04.2026 17:00
- The Gentlemen Ransomware Expands With Rapid Affiliate Growth — www.infosecurity-magazine.com — 21.04.2026 17:00
-
11.09.2025 23:42 4 articles · 10mo ago
The Gentlemen weaponizes ThrottleStop.sys to evade enterprise defenses
Technical Analysis UpdateTrend Micro described The Gentlemen ransomware gang's evolving evasion toolkit against enterprise defenses, saying the group weaponizes ThrottleStop.sys as ThrottleBlood.sys to exploit CVE-2025-7771 for kernel-level termination of AV and EDR processes, uses All.exe, PowerRun.exe, and Allpatch2.exe to bypass security controls, and has shifted toward targeted, vendor-specific bypasses; Kaspersky Lab linked the flaw to a recent ransomware incident in Brazil.
Show sources
- 'Gentlemen' Ransomware Abuses Vulnerable Driver to Kill Security Gear — www.darkreading.com — 11.09.2025 23:42
- Gentlemen ransomware uses multiple EDR killers to disable defenses — www.bleepingcomputer.com — 19.06.2026 01:31
- The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes — thehackernews.com — 19.06.2026 21:33
- GentleKiller Framework Disables Victims' Security Software — www.infosecurity-magazine.com — 22.06.2026 18:00