
How Emerging Ransomware Is Outsmarting Security Products

At the heart of the gang’s evasion strategy is a high-severity vulnerability (CVE-2025-7771) found in a legitimate tool used to monitor CPU performance

A newly emerged ransomware group, dubbed “The Gentlemen,” has quickly established itself as a significant threat to enterprises by leveraging a sophisticated tactic to disable security products and bypass detection, new research reveals.

In a blog post published this week, researchers from Trend Micro detailed the gang's methods, which include a "bring-your-own-vulnerable-driver" (BYOVD) attack: the attackers drop a legitimately signed but flawed driver onto the victim, load it, and abuse its flaws to act with kernel privileges. That kernel-level access lets the group terminate processes belonging to antivirus (AV) and other security platforms on the targeted network.

At the heart of the gang's evasion strategy is a high-severity vulnerability (CVE-2025-7771) found in a legitimate tool used to monitor CPU performance. The attackers weaponise the tool's driver, ThrottleStop.sys, renaming it ThrottleBlood.sys. Renaming the file changes neither its digital signature nor its hash, so the driver still passes Windows' driver signature enforcement and loads like any other trusted, signed driver; what is abused is a flaw in the driver's own logic, not the signing chain. This makes it extremely difficult for traditional defenses to recognise the load as a threat.

According to the Trend Micro research, once the renamed driver is loaded, it provides the attackers with kernel-level access. This allows their malicious tools to terminate security software and services, clearing a path for the ransomware to encrypt files without interference.

Researchers noted that The Gentlemen have evolved from opportunistic attacks to a more targeted and tailored approach. After performing reconnaissance on a victim’s network, the gang now adapts its tools to specifically bypass the security solutions it encounters.

The attackers have used a variety of utilities, including a tool called All.exe and a customised variant called Allpatch2.exe, both designed to kill security agent processes. They also leverage legitimate tools like PowerRun.exe to escalate privileges. This ability to modify evasion strategies based on a victim’s specific environment highlights a high level of sophistication and adaptability.

The use of a legitimate driver presents a significant challenge for enterprise security. Because the driver carries a valid signature, Windows' signature verification passes it exactly as designed and cannot distinguish the abusive load from a legitimate one. Trend Micro researchers therefore say organisations should focus on detecting the malicious executables that load the driver. They recommend that administrators monitor for unusual process combinations and suspicious activity, rather than relying on blocking files by name alone: a renamed copy keeps the same hash and signer, so name-based blocks are trivially bypassed while hash- and behaviour-based detections still apply.
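As an illustration of the rename-resistant detection approach described above, here is an added example (not code from Trend Micro or from the article) that runs two rules over constructed Sysmon-style events: Event ID 6 (driver loaded) records are matched on their SHA256 hash rather than their on-disk filename, and any driver load followed within a short window by the termination (Event ID 5) of several security-agent processes is flagged. The field names follow Sysmon's, but the hash, the signer name, the agent paths and the timestamps are placeholders chosen for the example, not real indicators for ThrottleStop.sys or any product.

```python
"""Rename-resistant BYOVD detection over Sysmon-style events (added example).

Assumptions, not facts from the article: the SHA256 value, the signer string,
the security-agent paths and the event timestamps below are placeholders that a
defender would replace with their own threat-intel and inventory data.
"""
from datetime import datetime, timedelta
import ntpath

# Defender-maintained map of known-vulnerable driver hashes (placeholder value)
# to the filename the driver normally ships under.
KNOWN_VULNERABLE_DRIVERS = {
    "1" * 64: "ThrottleStop.sys",
}

# Image paths of the security agents an attacker would try to kill (placeholders).
PROTECTED_IMAGES = {
    r"C:\Program Files\ExampleAV\avagent.exe",
    r"C:\Program Files\ExampleEDR\edrsvc.exe",
}

# Constructed events: a benign signed driver load, the renamed vulnerable driver
# load from an unusual directory, then two agent terminations shortly after.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2025-09-10 07:45:00",
     "ImageLoaded": r"C:\Windows\System32\drivers\benign.sys",
     "Hashes": "SHA256=" + "2" * 64 + ",MD5=" + "2" * 32,
     "Signed": "true", "Signature": "Example OEM", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2025-09-10 08:00:00",
     "ImageLoaded": r"C:\Users\Public\ThrottleBlood.sys",
     "Hashes": "SHA256=" + "1" * 64 + ",MD5=" + "1" * 32,
     "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2025-09-10 08:00:41",
     "Image": r"C:\Program Files\ExampleAV\avagent.exe"},
    {"EventID": 5, "UtcTime": "2025-09-10 08:00:43",
     "Image": r"C:\Program Files\ExampleEDR\edrsvc.exe"},
    {"EventID": 5, "UtcTime": "2025-09-10 08:01:00",
     "Image": r"C:\Windows\System32\notepad.exe"},
]


def parse_time(s):
    """Timestamps in the constructed events use 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def sha256_from_hashes(hashes_field):
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'SHA256=..,MD5=..'."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def detect(events, window=timedelta(minutes=10), min_kills=2):
    """Return a list of alert dicts for the two rules described in the lead-in."""
    alerts = []
    driver_loads = [e for e in events if e["EventID"] == 6]
    terminations = [e for e in events if e["EventID"] == 5]

    for load in driver_loads:
        # Rule 1: match on file content (hash), never on the on-disk name, and
        # note whether the file was renamed away from the name we know it by.
        digest = sha256_from_hashes(load["Hashes"])
        expected_name = KNOWN_VULNERABLE_DRIVERS.get(digest)
        if expected_name is not None:
            actual_name = ntpath.basename(load["ImageLoaded"])
            alerts.append({
                "rule": "vulnerable_driver_loaded",
                "time": load["UtcTime"],
                "image": load["ImageLoaded"],
                "renamed": actual_name.lower() != expected_name.lower(),
                "signed": load.get("Signed"),
            })

        # Rule 2: any driver load followed by security agents dying is the
        # "unusual process combination" worth alerting on, signed or not.
        t0 = parse_time(load["UtcTime"])
        killed = sorted({
            k["Image"] for k in terminations
            if k["Image"] in PROTECTED_IMAGES
            and t0 <= parse_time(k["UtcTime"]) <= t0 + window
        })
        if len(killed) >= min_kills:
            alerts.append({
                "rule": "security_agents_terminated_after_driver_load",
                "time": load["UtcTime"],
                "image": load["ImageLoaded"],
                "killed": killed,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 fires on the renamed file because the hash, not the name, is what is compared; rule 2 fires on the same load because both placeholder agents terminate within the window, while the earlier benign driver load produces nothing. In production the hash map would be fed from a vulnerable-driver intelligence source and the protected set from the endpoint inventory; the window and kill threshold are tuning knobs to keep routine agent upgrades from alerting.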

The research also underscores the need for more comprehensive defensive strategies, recommending that organisations implement zero-trust controls to harden the vulnerable, internet-facing infrastructure the ransomware gang has so far exploited.
