Gentlemen Ransomware Uses the GentleKiller EDR-Killer Framework to Disable Endpoint Defences Globally

Summary:

ESET researchers have documented GentleKiller, the in-house EDR-killer framework of the Gentlemen ransomware operation, together with a suite of third-party EDR killers (HexKiller, ThrottleBlood, and HavocKiller) that the operators package and distribute directly to vetted affiliates. The toolkit relies on the Bring Your Own Vulnerable Driver (BYOVD) technique to load legitimately signed but vulnerable kernel drivers and then repeatedly terminates the processes of EDR and antivirus products from 48 security vendors.

Gentlemen select victims based on misconfigured internet-facing FortiGate appliances, which serve as the initial access vector, stage access through a SystemBC proxy botnet, and supply affiliates with ransomware encryptors for Windows, Linux, and VMware ESXi. Although the group's victims are concentrated in Southeast Asia, South America, and Western Europe, its targeting is driven by FortiGate misconfiguration rather than geography or sector, so organisations in the UAE and the broader MENA region that expose FortiGate VPN infrastructure to the internet should consider themselves in scope.

Technical Description:

GentleKiller is Gentlemen's in-house EDR-killer framework and the most prevalent tool within the group's ecosystem, with at least eight distinct variants identified to date. Each variant impersonates a different legitimate security product, using names and themes drawn from games and security vendors, and abuses a different vulnerable or malicious kernel-level driver through the Bring Your Own Vulnerable Driver (BYOVD) technique.

Despite the surface-level differences between variants, ESET classifies all samples under the GentleKiller umbrella due to their shared internal characteristics, including a process-killing loop that runs on a timer, identical code obfuscation, a common development template, and a unified evasion strategy applied at the compiled binary level. This includes Enigma or Themida commercial packing, fabricated version metadata, copied (invalid) digital signatures, and icons taken from the impersonated legitimate products. Applying evasion techniques to compiled binaries rather than source code allows Gentlemen to protect tools whose source code it does not own.

Additionally, ESET documented OxideHarvest (also known as buildx641), a Rust-based credential stealer believed to have been developed by an affiliate rather than the core operators. This separate tool can harvest credentials from Chrome, Edge, Firefox, Brave, Opera, Vivaldi, Waterfox, and several other browsers.

Delivery and Infection Chain:

Gentlemen's distribution model differs fundamentally from how most Ransomware-as-a-Service (RaaS) operations handle defence evasion. Key confirmed characteristics of the operator-managed EDR-killer ecosystem include:

  • While most ransomware gangs leave EDR-killer sourcing to affiliates, Gentlemen operators develop and maintain a centralised, ready-to-use toolkit and distribute it directly to vetted affiliates, lowering the technical barrier to entry; combined with an unusually generous 90% revenue share, this accelerates affiliate recruitment.
  • Gentlemen demonstrate an unusual ability to rapidly operationalise newly disclosed BYOVD proof-of-concept exploits. Tools tracked as UnknownKiller and PoisonKiller were incorporated into the GentleKiller arsenal within days of their public GitHub disclosure, a turnaround considerably faster than the weeks or months typically observed among other RaaS operators.
  • Victim selection is driven by misconfiguration of internet-facing FortiGate appliances rather than by geography or sector, indicating a structured, centrally managed targeting process rather than affiliates independently selecting victims.
  • This targeted deployment approach has been linked to the group's use of a SystemBC proxy malware botnet comprising more than 1,570 hosts believed to be pre-compromised corporate environments.
  • Gentlemen operators supply affiliates with both a Go-based ransomware encryptor for Windows and Linux and a C-written variant for VMware ESXi, alongside the EDR-killer suite, providing a complete end-to-end intrusion-to-encryption toolkit.

Technical Capabilities:

GentleKiller and its integrated third-party tools rely on the Bring Your Own Vulnerable Driver (BYOVD) technique: a legitimately signed but vulnerable kernel driver is installed on the host, and the functionality it exposes (typically arbitrary process termination or arbitrary kernel memory read/write) is invoked from user mode to act with kernel privileges against processes that user-mode tamper protection would otherwise shield. Installing the driver requires local administrator rights, so BYOVD is a post-compromise step aimed at defence evasion rather than an initial foothold. Once the driver is loaded, the malicious process runs a timer-based termination loop that continuously enumerates and terminates targeted EDR and antivirus processes, so a security product that restarts is killed again on the next cycle.

Each tool within the suite is protected using commercial binary packers (Enigma or Themida) and disguised with fabricated version information, invalid copied digital signatures, and icons taken from the impersonated legitimate security vendor, making static identification considerably more difficult for defenders. Because the evasion layer is applied to compiled binaries rather than source code, Gentlemen can standardise and protect third-party or leaked tools (HexKiller, ThrottleBlood, and HavocKiller) to the same extent as its own GentleKiller framework, despite not owning their source code.
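The timer-based kill loop leaves a distinctive trace: an unexpected driver load followed by the same security process dying repeatedly at a near-constant interval. The following added example (not code from the ESET research or from this advisory) runs that correlation over a constructed Sysmon-style event log. The event field names, the driver path and signer, the expected-signer set, and the process-name list are assumptions made for the demonstration.

```python
"""Behavioural detection of a BYOVD EDR killer over Sysmon-style events.

Added example, not code from the ESET research or the original advisory. It
assumes a simplified Sysmon event shape (EventID, UtcTime, Image, ImageLoaded,
Signature, SignatureStatus); the driver path, signer name and SAMPLE_EVENTS
below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative security-product service binaries (not an exhaustive list).
SECURITY_PROCESSES = {
    "msmpeng.exe",          # Microsoft Defender
    "csfalconservice.exe",  # CrowdStrike Falcon
    "sentinelagent.exe",    # SentinelOne
    "ekrn.exe",             # ESET
}
# Signers from which this fleet expects kernel drivers (assumption for the example).
EXPECTED_DRIVER_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}
WINDOW = timedelta(minutes=10)          # correlation window after a driver load
MIN_KILLS = 3                           # security-process terminations before alerting
PERIOD_TOLERANCE = timedelta(seconds=5)  # jitter allowed for a "timer" pattern


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_driver_loads(events):
    """Sysmon Event ID 6 loads whose signature is invalid or whose signer is unexpected."""
    return [
        e for e in events
        if e["EventID"] == 6
        and (e.get("SignatureStatus") != "Valid"
             or e.get("Signature") not in EXPECTED_DRIVER_SIGNERS)
    ]


def security_kills_after(events, t0):
    """Sysmon Event ID 5 terminations of security processes within WINDOW of t0."""
    kills = defaultdict(list)
    for e in events:
        if e["EventID"] != 5:
            continue
        t = parse_time(e["UtcTime"])
        name = basename(e["Image"])
        if name in SECURITY_PROCESSES and t0 <= t <= t0 + WINDOW:
            kills[name].append(t)
    return kills


def is_periodic(times):
    """True when the same process dies at near-constant intervals (a timer loop)."""
    if len(times) < 3:
        return False
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return max(gaps) - min(gaps) <= PERIOD_TOLERANCE


def detect(events):
    """One alert per suspicious driver load that is followed by an EDR kill burst."""
    alerts = []
    for drv in suspicious_driver_loads(events):
        kills = security_kills_after(events, parse_time(drv["UtcTime"]))
        total = sum(len(v) for v in kills.values())
        repeated = sorted(n for n, v in kills.items() if len(v) >= 2)
        if total >= MIN_KILLS and repeated:
            alerts.append({
                "driver": drv["ImageLoaded"],
                "signer": drv.get("Signature"),
                "kills": total,
                "repeated": repeated,  # killed again after the product restarted
                "periodic": sorted(n for n in repeated if is_periodic(kills[n])),
            })
    return alerts


# Constructed log: a benign Microsoft driver load, then an unexpected third-party
# driver from a user-writable path followed by Defender being killed every 30 s.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-06-18 09:55:00",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2026-06-18 10:00:00",
     "ImageLoaded": r"C:\ProgramData\upd\kdrv.sys",
     "Signature": "Example Hardware Co. Ltd.", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2026-06-18 10:00:05", "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2026-06-18 10:00:06", "Image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"EventID": 5, "UtcTime": "2026-06-18 10:00:35", "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2026-06-18 10:01:05", "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2026-06-18 10:03:00", "Image": r"C:\Windows\notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic runs over Sysmon Event ID 6 (driver loaded) and Event ID 5 (process terminated) as forwarded to the SIEM. The window, kill threshold and expected-signer set need tuning to the fleet baseline, and the rule should still fire when only one security product is present and repeatedly killed, since the loop targets whatever is installed.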

Attribution and Evolution:

Gentlemen emerged in late 2025 and quickly became one of the five most active ransomware groups during Q1 2026. The operation was reportedly founded by a former Qilin affiliate and includes members from several established ransomware gangs. Gentlemen employ double-extortion tactics, encrypting data while threatening to leak stolen information if ransom demands are not met, and offer affiliates a lucrative 90% revenue share.

The group has been linked to the compromise of Romanian energy provider Oltenia and to a SystemBC botnet comprising more than 1,570 compromised hosts used to maintain persistent access to victim networks.

Active Campaign and Geographic Spread:

Unlike most top-tier ransomware operations such as Qilin, DragonForce, and Akira, which derive nearly half of their publicly disclosed victims from the United States, Gentlemen's victimology is notably less US-focused. The group's targets are concentrated in Southeast Asia, South America, and Western Europe, including documented victims in Thailand, Brazil, and France.

Leaked internal data indicates that this is not coincidental. The group selects targets primarily based on misconfiguration of internet-facing FortiGate appliances rather than geography or sector, pointing to a centrally managed, technically driven targeting strategy rather than opportunistic affiliate selection.

Organisations in the UAE and MENA region that operate FortiGate VPN infrastructure alongside Windows endpoints protected by Microsoft Defender or third-party EDR/AV solutions match the group's targeting criteria and should consider themselves in scope, irrespective of sector.

Conclusion:

Gentlemen's centralised EDR-killer ecosystem represents a significant evolution in ransomware operations by providing affiliates with ready-to-use defence-evasion capabilities. By maintaining GentleKiller and supporting tools within a unified framework, the group reduces the level of technical expertise required by affiliates while rapidly weaponising newly disclosed BYOVD vulnerabilities.

Organisations should prioritise driver-level, behaviour-based, and signature-agnostic detection rather than relying solely on tool-specific signatures. UAE and MENA organisations using FortiGate infrastructure and Windows EDR solutions should prioritise driver allowlisting, vulnerable driver monitoring, and BYOVD-focused detection as immediate defensive measures.

Impact:

Successful deployment of GentleKiller or other tools in the Gentlemen EDR-killer suite can disable security software from 48 vendors, including Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto Networks, ESET, and Bitdefender. By abusing legitimately signed but vulnerable drivers, the toolkit operates at the kernel level, allowing attackers to bypass many traditional security controls. Once defences are disabled, affiliates can exfiltrate sensitive data and deploy ransomware across Windows, Linux, and ESXi environments with a significantly lower likelihood of detection.

For UAE and MENA organisations, a successful compromise could result in widespread network encryption, large-scale data theft, operational disruption, and the public release of stolen information if ransom demands are not met. Effective mitigation requires driver-level blocklisting, application allowlisting, continuous monitoring for BYOVD activity, and hardening of internet-facing infrastructure, such as FortiGate devices, that may be targeted for initial access.

IOC and Context Details:

Tactic Name: Defense Evasion, Privilege Escalation, Impact
Technique Name: Bring Your Own Vulnerable Driver (BYOVD), Kernel-Level EDR/AV Process Termination, Commercial Binary Packing (Enigma/Themida), Security Vendor Impersonation, Operator-Managed EDR-Killer-as-a-Service
Attack Chain: Affiliate obtains GentleKiller or a third-party EDR killer (HexKiller, ThrottleBlood, HavocKiller) from Gentlemen operators → Vulnerable or malicious driver loaded onto victim host (BYOVD) → Kernel-level privileges obtained → Timer-based loop enumerates and terminates 400+ EDR/AV processes across 48 security vendors → Security defences disabled → Affiliate proceeds to data exfiltration and ransomware deployment (Go-based Windows/Linux or C-based ESXi encryptor) → Double extortion through a dedicated leak site.
Attack Type: Malware
Targeted Applications: Microsoft Defender and EDR/AV products from 48 security vendors including CrowdStrike, SentinelOne, Sophos, Palo Alto Networks, ESET, Bitdefender, Kaspersky, McAfee/Trellix; Microsoft Windows (kernel driver loading target); FortiGate VPN infrastructure (initial access target).
Region Impacted: Global. Victims are concentrated in Southeast Asia, South America, and Western Europe, with documented victims in Thailand, Brazil, and France. UAE and MENA organisations are in scope because targeting is driven by FortiGate misconfiguration rather than geography.
Industry Impacted: Cross-industry; organisations running Windows endpoints protected by EDR/AV solutions, particularly those using FortiGate VPN infrastructure. Notable victim concentration in Southeast Asia, South America, Western Europe, and the Energy sector.
IOCs (VBS script samples, MD5 hash - filename):

c7f38cbb99c8b74fa0465293feeba700 - Financial Reports.vbs
b7cd06c71465038b658a6dc1f273a507 - Debt confirmation.vbs
9f13c7b8ba391b2f597874e54d310648 - Electronic statement(A).vbs
993f4c0cadbc769a4b0ed62a918db58d - Financial Reports(s).vbs
7f81c1bc8cfd588e8998968e2621456e - Outstanding Payment List.vbs
7403cbcc5a9c32384d431856dc48fcc9 - Statement of debt (4).vbs
68c16c46f8afb9e00bbaba0207fb0a46 - Debt Note (2).vbs
66442f2457eca8f47385b1fb2c6fcab8 - Statement of Debt(30K).vbs
6359e6236471cbe434d0ef4c42b7f879 - Applicationform1.vbs
5b6bbcc06cf08cc99e1afeda486d42fb - Extrato de Conciliação.vbs
5002eca748205d544618e3bd2dedc223 - Statement of Debt(29K).vbs
4f0593e8e0e8fac49429e9b45ebf7fa1 - Outstanding Payment List.vbs
4044e4b6471c9de7b0a4ba37d9d9df9a - billing statement (2).vbs
20209b3a32769afc6a75694b8d8839dd - Statement of Debt(A).vbs
0ba93109757776a44de9d8c88baa4963 - Financial Reports(C1).vbs
02bb20455cc592a69c080abac770ce90 - Le formulaire de demande le plus récent.vbs
6c39900d77dcba158e1d27c7619cb06d - Outstanding Balance Sheet(A).vbs
dad708e050632a4280cabf98ac1376b7 - Outstanding Balance Sheet.vbs
05d188f071d097f5b6bd8138749b4b14 - Penyata bank.vbs
2c6f05f1f309d89b2236e6c8b59c88f9 - Account Statement (13K).vbs
3b1aba44dd3d9b6339b6f56e2f42034b - Statement of Account.txt
d43fdaa1f0ee09d7e5f0f94ee9df7b6c - Bitte füllen Sie das Formular für Umsatzsteuer-Nullsatz-Verkäufe aus.vbs
df4fa0369eaca5cec348be293890d4af - Account Statement.vbs
63ac85195b73753333316a889cf5880f - Statement of Account(O).vbs
74fd9f91fc93b6288b4fc253ea5b3e20 - Sila semak bil anda.vbs
d06333c360b51456f427e616c3c5f8bd - Sila semak bil anda.vbs
993f4c0cadbc769a4b0ed62a918db58d - FinancialReportsS.vbs
1d94fbe9cab21278cc3f104bea334d08 - Promissory_Note(b).vbs
9d9ac85765e4a818a3ccabe2cf4fef82 - Debt Statement.vbs
6fb6a55424adfb61e31f06aef33273e5 - dfjieya.vbs
f90ed4b2d0b67114aa89ddfed658e5c0 - dfjieya.vbs
8c3322009b8982663c0cbecd9492e7eb - 0lf.vbs
66705384a7ad81d14c34fc6c054a0ecf - iowepv.vbs
8c6d9fc389ad3f20ccbc71d77eb39bfa - btksfmsi.vbs
1a3cc75466ffb1971482f7abf7aabc3f - home3.vbs
1c47c63e5ed25060d95359c57c77b107 - zipats.vbs
31037a42ca048e06e69a78f55bc2eff5 - 1122.vbs
7f16449cd0c4862d1eadf8a5742bf09a - payload_1.vbs
79ecd61b09b0f2d54b34586c916c4ec9 - sac8.vbs
7849061c536a3efb05a56d504694e7e7 - 6oy.vbs
ddaffe9849f7f3c79f8804adb9a6b3d5 - kof.vbs
d01cad98dd0d01b75e04e784953c5e2b - sleestak_payload_1.vbs

Domains:
temu.baskwms[.]top
invoice.msopsa[.]top
qse.shoppes[.]help
shaaslong[.]one
baoxis[.]cc
baolongwes.oss-ap-southeast-1.aliyuncs[.]com
sdcwww.oss-ap-southeast-1.aliyuncs[.]com
baoyuw2s.s3.ap-southeast-1.amazonaws[.]com
hksha3.s3.ap-southeast-1.amazonaws[.]com
sjdkjj23.s3.ap-southeast-1.amazonaws[.]com
xijkwm2.s3.ap-southeast-1.amazonaws[.]com
yifubafu.s3.ap-southeast-1.amazonaws[.]com
caiwuascw.s3.us-east-005.backblazeb2[.]com
facaia.s3.us-east-005.backblazeb2[.]com

IP Addresses:
202.61.160[.]202
202.61.160[.]201
202.61.160[.]137
202.61.160[.]160
202.61.160[.]208
38.55.151[.]63
CVE: N/A
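Before the indicators above can be loaded into a blocklist they need refanging, hash validation and de-duplication, and the bucket hostnames need care: several of the listed domains live on shared object storage (amazonaws.com, aliyuncs.com, backblazeb2.com), where blocking the parent domain would break legitimate traffic. The following parser is an added example, not part of the original advisory; the IOC_TEXT excerpt is copied from the page's own IOC list, and the regular expressions and the shared-storage suffix list are assumptions for the demonstration.

```python
"""Parse a defanged IOC block into machine-usable entries.

Added example, not from the original advisory. IOC_TEXT is an excerpt copied
from the advisory's own IOC list; the suffix list and patterns are assumptions.
"""
import re

HASH_LINE = re.compile(r"^([0-9a-fA-F]{32,64})\s+-\s+(.+)$")
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
DOMAIN = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")
# Shared object-storage suffixes: block the full bucket hostname, never the suffix.
SHARED_STORAGE_SUFFIXES = (".amazonaws.com", ".aliyuncs.com", ".backblazeb2.com")


def refang(s):
    """Undo the usual defanging so the value can be matched in logs or fed to a blocklist."""
    return s.strip().replace("[.]", ".").replace("hxxp", "http")


def hash_kind(h):
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h))


def parse_ioc_block(text):
    hashes = {}  # hash value -> every filename it was reported under
    out = {"hashes": [], "domains": [], "ips": [], "unparsed": []}
    seen = set()
    for raw in text.splitlines():
        line = refang(raw)
        if not line or line.endswith(":"):  # blank or a section label
            continue
        m = HASH_LINE.match(line)
        if m:
            hashes.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
            continue
        m = IPV4.match(line)
        if m and all(0 <= int(o) <= 255 for o in m.groups()):
            if line not in seen:
                seen.add(line)
                out["ips"].append(line)
            continue
        host = line.lower()
        if DOMAIN.fullmatch(host):
            if host not in seen:
                seen.add(host)
                out["domains"].append({
                    "host": host,
                    "shared_storage": host.endswith(SHARED_STORAGE_SUFFIXES),
                })
            continue
        out["unparsed"].append(raw.strip())
    out["hashes"] = [{"value": h, "type": hash_kind(h), "names": n}
                     for h, n in hashes.items()]
    return out


# Excerpt of the advisory's IOC list (same hash reported under two filenames,
# one plain .txt lure, two bucket hostnames, a stray non-IOC line).
IOC_TEXT = """\
IOCs:
c7f38cbb99c8b74fa0465293feeba700 - Financial Reports.vbs
993f4c0cadbc769a4b0ed62a918db58d - Financial Reports(s).vbs
993f4c0cadbc769a4b0ed62a918db58d - FinancialReportsS.vbs
3b1aba44dd3d9b6339b6f56e2f42034b - Statement of Account.txt

Domains:
temu.baskwms[.]top
baoyuw2s.s3.ap-southeast-1.amazonaws[.]com
caiwuascw.s3.us-east-005.backblazeb2[.]com

IP Addresses:
202.61.160[.]202
38.55.151[.]63
CVE N/A
"""

if __name__ == "__main__":
    parsed = parse_ioc_block(IOC_TEXT)
    for d in parsed["domains"]:
        print(("bucket host (block exact FQDN): " if d["shared_storage"] else "domain: ") + d["host"])
    print(parsed["ips"], [h["value"] for h in parsed["hashes"]], parsed["unparsed"])
```

Anything that lands in "unparsed" should be reviewed by hand rather than silently dropped; here it catches the CVE line that sits inside the IOC table.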

Recommended Actions:

  • Turn on memory integrity (HVCI) on all Windows endpoints and enforce the Microsoft vulnerable driver blocklist (applied automatically when HVCI is enabled on current Windows builds, or deployable as a WDAC policy from Microsoft's published recommended driver block rules). This prevents drivers already on the list from loading; whether a specific driver abused by GentleKiller, HexKiller, ThrottleBlood, or HavocKiller is covered depends on the blocklist version in place. Because Gentlemen has weaponised newly disclosed drivers within days of a public PoC, blocklisting alone cannot be relied on.
  • Use a WDAC policy to allow kernel drivers only from an explicitly approved set of publishers or file hashes. AppLocker governs user-mode executables and scripts, not kernel drivers, so it cannot fill this role. Default-deny allowlisting blocks unlisted drivers whether or not a GentleKiller variant is new or its driver has been catalogued.
  • Configure SIEM rules to alert when unexpected or unrelated vendor drivers are loaded (for example, a Baidu Antivirus or Huawei Audio driver on a standard corporate endpoint). Sysmon Event ID 6 (driver loaded) and System log Event ID 7045 (new service installed) are the usual sources for this. Correlate these events with sudden EDR or antivirus service termination.
  • Harden FortiGate deployments by thoroughly auditing internet-facing FortiGate firewalls and VPN appliances to eliminate configuration errors. Apply all vendor security patches promptly to reduce the risk of edge exploitation.
  • Treat any detection of SystemBC proxy traffic or binaries as a high-severity security incident. This is a strong indicator that the environment may be undergoing preparation for EDR-killer deployment and a subsequent ransomware attack.
  • Tune SIEM tools to generate immediate high-priority alerts if indicators associated with multiple EDR-killing tools (such as ThrottleBlood and GentleKiller components) are detected within the same environment.
  • Ensure tamper-protection controls are enabled across the entire endpoint security platform. Confirm that permissions prevent local administrators from disabling or bypassing these monitoring mechanisms.
  • Maintain active threat intelligence processes to monitor emerging vulnerability proof-of-concept releases. Since Gentlemen integrates newly disclosed public tools into its toolkit within days of publication, defensive engineering for vulnerable driver exploits should be highly proactive.
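To make the blocklist caveat above concrete, the following added example (not from the advisory, and not Microsoft's WDAC or HVCI implementation) evaluates constructed driver load records against a blocklist-only policy and an allowlist-first policy. Every hash, signer name and path is a placeholder; the point is the third record, a validly signed driver whose PoC is too recent for any blocklist to know about.

```python
"""Driver-load policy: known-vulnerable blocklist alone versus allowlist-first.

Added example, not part of the original advisory and not the WDAC/HVCI engine;
it models the decision those controls make. All hashes, signer names and paths
are constructed placeholders.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class DriverLoad:
    path: str
    sha256: str
    signer: str            # subject of the signing certificate as reported by the loader
    signature_valid: bool  # False for copied/stripped signatures that do not verify


def fake_sha256(label):
    """Deterministic placeholder hash for the constructed records."""
    return hashlib.sha256(label.encode()).hexdigest()


# Stand-in for the vendor vulnerable-driver blocklist (constructed).
BLOCKLISTED_SHA256 = {fake_sha256("old-vulnerable-driver.sys")}

# Publishers this fleet has explicitly approved for kernel drivers (constructed).
APPROVED_DRIVER_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
    "Contoso Hardware Ltd",
}


def blocklist_only(d):
    """Policy A: any validly signed driver loads unless its hash is blocklisted."""
    if not d.signature_valid:
        return "block: signature invalid"
    if d.sha256 in BLOCKLISTED_SHA256:
        return "block: hash blocklisted"
    return "allow"


def allowlist_first(d):
    """Policy B: the blocklist still applies, and unapproved publishers are denied by default."""
    verdict = blocklist_only(d)
    if verdict != "allow":
        return verdict
    if d.signer not in APPROVED_DRIVER_SIGNERS:
        return "block: publisher not approved"
    return "allow"


def compare(loads):
    """(path, policy A verdict, policy B verdict) for each record."""
    return [(d.path, blocklist_only(d), allowlist_first(d)) for d in loads]


# Constructed driver load records.
SAMPLE_LOADS = [
    # Inbox Microsoft driver: both policies allow it.
    DriverLoad(r"C:\Windows\System32\drivers\tcpip.sys", fake_sha256("tcpip.sys"),
               "Microsoft Windows", True),
    # Long-known vulnerable driver: caught by both policies.
    DriverLoad(r"C:\Users\Public\svc.sys", fake_sha256("old-vulnerable-driver.sys"),
               "Example Peripherals Inc", True),
    # Driver whose PoC appeared days ago: validly signed, not yet blocklisted.
    DriverLoad(r"C:\ProgramData\upd\kdrv.sys", fake_sha256("newly-weaponised-driver.sys"),
               "Example Audio Devices Co", True),
    # Repacked binary carrying a copied signature that does not verify.
    DriverLoad(r"C:\Users\Public\av.sys", fake_sha256("repacked.sys"),
               "Well-Known Security Vendor", False),
]

if __name__ == "__main__":
    for path, a, b in compare(SAMPLE_LOADS):
        print(f"{path:42} blocklist-only={a:26} allowlist-first={b}")
```

Only the allowlist-first policy stops the third record, which is the case this group creates by operationalising fresh PoCs within days. The approved-publisher set is the operationally expensive part: build it from a fleet inventory of currently loaded drivers and review additions, rather than approving whole vendor roots.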

Reference:

https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/

https://thehackernews.com/2026/06/the-gentlemen-raas-uses-gentlekiller.html

https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/

https://www.helpnetsecurity.com/2026/06/18/eset-gentlemen-edr-killers/