How Does GentleKiller Neutralize Modern EDR Defenses?

Malik Haidar has built a distinguished career at the intersection of high-level business strategy and the gritty, technical front lines of threat intelligence. Having defended some of the world’s largest multinational corporations, he views the current cybersecurity landscape not just as a series of technical hurdles, but as a sophisticated marketplace where efficiency and “ease of use” drive the most dangerous innovations. Today, we sit down with Malik to deconstruct the rise of The Gentlemen RaaS, a group that has rapidly ascended the ranks of the cybercriminal underground by centralizing the most difficult part of a ransomware attack: the neutralization of modern security defenses.

Our conversation dives into the operational mechanics of the GentleKiller framework and how its developers leverage vulnerable drivers to bypass the industry’s most robust Endpoint Detection and Response tools. Malik explains the strategic shift from delegating tasks to affiliates to providing them with a “turnkey” evasion suite, the technical agility required to operationalize exploits within days, and the broader implications of vulnerabilities found in the UEFI Secure Boot process. We also touch upon the emergence of specialized tools like the OxideHarvest credential stealer and what the future holds for organizations caught in the crosshairs of such professionalized threat actors.

How does the decision by The Gentlemen to centralize a pre-configured EDR-killer suite fundamentally change the power dynamic between ransomware operators and their affiliates?

The shift we are seeing with The Gentlemen is a masterclass in lowering the barrier to entry for cybercrime, essentially turning complex intrusions into a “plug-and-play” operation. By providing a standardized, ready-to-use suite like GentleKiller, the operators are removing the most significant technical hurdle for their affiliates: the need to bypass sophisticated security software manually. This centralization has allowed the group to claim a staggering 504 victims since its emergence in March 2025, spreading its reach across Southeast Asia, South America, and Western Europe. From a business perspective, it makes them an incredibly attractive partner for less-skilled hackers who want the high payouts of ransomware without the deep technical research required to kill 400 different security processes. We see a clear intent to prioritize ease of deployment, which allows the 36-year-old Russian leader, Alexander Andreevich Yapaev, to manage a much larger and more effective network of affiliates than his competitors.

The GentleKiller framework is described as being “unusually agile” in how it operationalizes new vulnerabilities. Could you elaborate on the technical sophistication required to turn a proof-of-concept into a functional attack tool within just a few days?

The technical agility displayed here is nothing short of relentless, as they often weaponize newly disclosed exploits within days of their public release. They utilize a technique called “Bring Your Own Vulnerable Driver” or BYOVD, which essentially tricks a system into using a legitimate but flawed driver to gain kernel-level access and terminate security tools. To keep these tools from being flagged, they use advanced binary protection like Enigma or Themida and go to great lengths to impersonate legitimate vendors. They don’t just use a random file name; they copy digital signatures, icons, and version information from actual security products to blend into the system noise. This level of attention to detail, combined with a shared development template, allows them to iterate on their code with a speed that many corporate patch management teams simply cannot match.

When we look at the specific drivers being abused, such as those from Kaspersky, Valorant, or Faceit, what does this tell us about the current state of trust in signed digital certificates?

It highlights a massive “trust gap” in our current security architecture where “signed” no longer automatically means “safe.” The Gentlemen have identified that drivers like “eb.sys” from Kaspersky or “GameDriverX64.sys” from Valorant carry an inherent level of trust within the Windows environment, which they then exploit to execute their malicious payloads. This isn’t just a theoretical threat; we’ve seen these variants successfully terminate major tools like CrowdStrike Falcon EDR using the “PoisonX.sys” driver. By hiding behind the mask of 48 distinct security programs, they create a sensory overload for defenders who might see a legitimate-looking process and look the other way. It is a cynical but effective use of the software ecosystem’s complexity against itself, turning the very tools meant to protect us into the keys that unlock the front door.

Beyond the immediate threat of ransomware, the group has also deployed a Rust-based tool called OxideHarvest. What does the introduction of this credential stealer reveal about their broader operational goals?

The introduction of OxideHarvest, or buildx641, signals that The Gentlemen are looking to maximize the “yield” from every single intrusion by harvesting as much data as possible before the encryption begins. Because it is written in Rust, it is inherently faster and more difficult to reverse-engineer than traditional malware, and it targets an exhaustive list of browsers including Chrome, Edge, Brave, and even niche options like Epic Privacy Browser or Waterfox. This isn’t just about locking files; it’s about stealing the keys to the kingdom—passwords, session cookies, and autofill data—that can be sold or used for secondary attacks. It shows a move toward a more holistic form of cyber espionage within the ransomware workflow, ensuring that even if a victim refuses to pay the ransom, the group still walks away with a treasure trove of valuable corporate intelligence.

With the recent warnings regarding UEFI Secure Boot vulnerabilities and the ability for attackers to execute code in the pre-boot phase, how should security leaders be recalibrating their defense-in-depth strategies?

Security leaders need to realize that the battleground has moved “south” of the operating system into the pre-boot environment, where traditional EDR tools often have zero visibility. The discovery by researchers that vendor-signed UEFI applications from giants like ASUS, GIGABYTE, and Acer are vulnerable to BYOVD attacks means that an attacker with administrative privileges can compromise a machine before the OS even starts. This is a nightmare scenario because it bypasses the very “Secure Boot” mechanisms designed to ensure system integrity. My advice to administrators is to immediately move beyond just patching software and start managing their UEFI Forbidden Signature Database (DBX) to revoke trust in these compromised binaries. We are entering an era where you must verify the integrity of the hardware and firmware layers with the same rigor we previously reserved for our most sensitive network databases.

What is your forecast for the evolution of EDR-evasion techniques in the RaaS ecosystem?

I expect we will see a rapid “industrialization” of kernel-level exploits where EDR-killing becomes a standard, modular feature of every major ransomware kit. The success of The Gentlemen and their GentleKiller framework has proven that there is a massive market for tools that can systematically blindfold security teams, and I predict other groups will soon follow suit by creating their own “defense-evasion-as-a-service” layers. We will likely see a move toward even more obscure, non-security-related drivers being exploited—such as those for specialized medical equipment or industrial controllers—because these are less likely to be monitored by standard security heuristics. Ultimately, the cat-and-mouse game will shift toward a “Zero Trust” model for drivers, where even a valid digital signature from a reputable vendor is not enough to grant a process the permission to interact with the system kernel.
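As an added, defender-side example that is not part of the interview and not code from any group or tool discussed in it: the PowerShell audit below checks the Secure Boot and DBX posture Malik refers to, whether the built-in Microsoft vulnerable driver blocklist is enabled, and hashes the currently loaded kernel drivers so they can be compared against a blocklist you supply. Two things are assumptions: the registry value name is the one written by the Windows Security "Microsoft Vulnerable Driver Blocklist" toggle on current Windows builds, and the hash list is a placeholder to be filled from your own intelligence source (the LOLDrivers project publishes such hashes). Run it from an elevated session.

```powershell
# Added example (not from the interview): audit a Windows host for BYOVD exposure.
# Reports Secure Boot / DBX state, the vulnerable-driver blocklist setting, and
# loaded kernel drivers whose SHA-256 matches a blocklist you supply.

# Assumption: fill these in from your own threat-intel feed. Placeholders only.
$KnownBadSha256 = @(
    '<PLACEHOLDER-SHA256-OF-KNOWN-VULNERABLE-DRIVER-1>',
    '<PLACEHOLDER-SHA256-OF-KNOWN-VULNERABLE-DRIVER-2>'
)

function Get-SecureBootPosture {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not available".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $null }

    # DBX is the UEFI forbidden-signature database. Its size is a coarse signal of
    # how many revocations have been applied; compare it against a known-good host.
    $dbxBytes = $null
    if ($secureBoot) {
        $dbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length
    }

    # Assumption: the Windows Security blocklist toggle writes this DWORD (1 = enabled).
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBootEnabled         = [bool]$secureBoot
        DbxSizeBytes              = $dbxBytes
        VulnerableDriverBlocklist = ($ci.VulnerableDriverBlocklistEnable -eq 1)
    }
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName uses several forms: '\??\C:\...', '\SystemRoot\...',
    # or a path relative to the Windows directory. Normalise them to a filesystem path.
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-LoadedDriverHashes {
    # Hash every running kernel driver and record who signed it. The signer is shown
    # deliberately: a valid vendor signature does not make a driver safe, which is the
    # whole point of BYOVD, so the hash comparison is what carries the decision.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (Test-Path $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{
                    Name            = $_.Name
                    Path            = $path
                    Sha256          = (Get-FileHash -Path $path -Algorithm SHA256).Hash
                    Signer          = $sig.SignerCertificate.Subject
                    SignatureStatus = $sig.Status
                }
            }
        }
}

function Find-BlocklistedDrivers {
    param([string[]]$BadHashes = $KnownBadSha256)
    Get-LoadedDriverHashes | Where-Object { $BadHashes -contains $_.Sha256 }
}

Get-SecureBootPosture | Format-List
$hits = Find-BlocklistedDrivers
if ($hits) {
    $hits | Format-Table Name, Signer, SignatureStatus, Sha256 -AutoSize
} else {
    'No loaded driver matched the supplied blocklist.'
}
```

A `VulnerableDriverBlocklist` of `False` or a DBX noticeably smaller than on a freshly patched reference machine is the finding to act on; the driver hash table is most useful when exported periodically and diffed, so that a newly appearing signed-but-blocklisted driver stands out even when its name and version resource mimic a legitimate product.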
