GentleKiller Ransomware Abuses Vulnerable Drivers to Disable 400+ EDR Security Processes

Jun 21, 2026 · 4 min read

A highly sophisticated EDR-killing framework, dubbed GentleKiller, was used by the Gentlemen ransomware-as-a-service (RaaS) gang to systematically disable endpoint security tools before deploying its ransomware payload.

The findings by ESET, published on June 17, 2026, detail how Gentlemen, one of the most active ransomware gangs in Q1 2026, provides affiliates with a centralized, operator-maintained suite of EDR killers, a model rare even among top-tier ransomware operations.

GentleKiller is an in-house EDR-killing framework with at least eight distinct variants, each impersonating a different legitimate security product and abusing a unique vulnerable or malicious kernel-level driver.

The technique is Bring Your Own Vulnerable Driver (BYOVD): the killer loads a legitimately signed but exploitable driver (or, in the PoisonX case, an outright rootkit) and uses its kernel-mode primitives to terminate security processes, something user-mode code cannot do against agents protected by tamper protection or protected-process-light (PPL).

In total, GentleKiller targets more than 400 processes mapped to 48 security products, including industry leaders such as Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto Networks, ESET, Bitdefender, Kaspersky, and McAfee/Trellix.

The framework runs in a loop, re-scanning for and terminating the targeted processes every two seconds, as shown in the console window ESET captured below.

Window spawned by GentleKiller [ESET Research]

The eight GentleKiller variants abuse drivers from Kaspersky (eb.sys), FACEIT Anti-Cheat (nseckrnl.sys), Valorant (GameDriverX64.sys), Javelin/Safetica (stpm_old.sys/stpm_new.sys), Zemana WatchDog (dmx.sys), Qihoo 360 (360netmon_wfp.sys), IObit (IMFForceDelete), and the PoisonX rootkit.

A defining capability of Gentlemen is its ability to operationalize newly published BYOVD proof-of-concept (PoC) exploits within days of public release.

Tools such as UnknownKiller and PoisonKiller were incorporated into GentleKiller’s arsenal within days of their public GitHub disclosure, demonstrating a well-resourced and agile development pipeline, according to ESET research.

This rapid adoption distinguishes Gentlemen from most other RaaS operators, who typically wait weeks or months before adapting publicly released exploits into production-ready tooling.

Third-Party EDR Killers Integrated Into the Suite

Beyond GentleKiller, Gentlemen also integrates three externally sourced EDR killers into its affiliate-facing suite:

  • HexKiller — Previously attributed exclusively to the Warlock gang; abuses a Baidu Antivirus BdApi driver (googleApiUtil64.sys)
  • ThrottleBlood — Previously observed in MedusaLocker and DragonForce intrusions; abuses a TechPowerUp LLC driver (ThrottleBlood.sys)
  • HavocKiller — First publicly disclosed by Huntress on March 19, 2026, but observed in real-world intrusions as early as January 23, 2026; abuses a Huawei Audio driver (havoc.sys)

All three tools pass through a shared defense-evasion layer: the binaries are wrapped in the Enigma or Themida protector and made to impersonate security vendors with fabricated version information, digital-signature blocks copied from legitimate products, and matching icons. A copied signature does not verify (the Authenticode hash no longer matches the file), so a `Get-AuthenticodeSignature` or `sigcheck` pass exposes the impersonation even though the file-properties dialog looks convincing.

Gentlemen applies its evasion strategy at the compiled binary level, allowing it to protect even EDR killers for which it does not own the source code. This creates significant attribution challenges, as tools from different ransomware groups appear near-identical once processed through Gentlemen’s standardization pipeline.

The gang also uses OxideHarvest, a Rust-written credential stealer maintained by a Gentlemen affiliate, which harvests credentials from Chromium-based and Gecko-based browsers across compromised hosts.

Gentlemen emerged in late 2025 as a RaaS operation founded by hastalamuerte, a former Qilin affiliate, and rapidly became one of the five most active ransomware gangs in Q1 2026.

Unlike most major ransomware groups, which concentrate on US-based targets, Gentlemen's victims cluster in Southeast Asia, South America, and Western Europe; that distribution follows from how the gang selects targets, which is by exploitable FortiGate misconfigurations rather than by geography.

The gang was further exposed by an internal data leak in May 2026, which confirmed that its operators actively develop, maintain, and distribute GentleKiller and the broader EDR-killer suite to vetted affiliates.

Gentlemen offers affiliates an unusually generous 90% revenue share, lowering the barrier to entry and accelerating its affiliate recruitment.

Security teams should prioritize kernel-driver allowlisting (for example through a WDAC policy) and make sure Microsoft's Vulnerable Driver Blocklist is actually enforced: it is applied only when HVCI (memory integrity) or Smart App Control is on or the blocklist is explicitly enabled, and it is refreshed only once or twice a year, so a driver weaponized from a PoC within days of publication, as Gentlemen does, will not be on it yet. Defenders should also monitor for the GentlemenCollection staging directory and for anomalous kernel-driver load and service-installation events.

The most reliable behavioral signal against GentleKiller and its variants remains correlation: a kernel-driver load (Sysmon Event ID 6) or new driver service (System log Event ID 7045) followed within seconds by terminations of security-product processes, especially when the terminations recur on a fixed cadence like the two-second loop described above.
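Turning that correlation into a concrete check, as an added example that is not ESET's or the article's code: a small Python detector over constructed Sysmon-style events (DriverLoad, Event ID 6, and ProcessTerminate, Event ID 5). The driver file names come from the article's list of abused drivers; the hostnames, timestamps, paths, signer strings and the security-process list are assumptions made for the example.

```python
"""Correlate kernel-driver loads with bursts of security-process terminations.

Added example, not ESET's or the article's code. Assumes Sysmon is configured to
log DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5); field names follow
Sysmon's schema, everything else (hosts, times, paths, signers) is constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Driver file names the article lists as abused. Used only to enrich alerts:
# the file can be renamed, so the kill burst, not the name, is the signal.
ABUSED_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys", "stpm_new.sys",
    "dmx.sys", "360netmon_wfp.sys", "googleapiutil64.sys", "throttleblood.sys",
    "havoc.sys",
}

# Assumed subset of security-product process names (lower-case) for the example.
SECURITY_PROCESSES = {
    "msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe", "ekrn.exe",
    "sophoshealth.exe",
}

WINDOW = timedelta(seconds=60)  # terminations this soon after a driver load count
MIN_VICTIMS = 3                  # distinct security processes killed before alerting


def basename(path):
    """Lower-cased final path component, tolerating both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ts(event):
    return datetime.fromisoformat(event["ts"])


def kill_cadence_seconds(times):
    """Median gap between consecutive kills; about 2 s matches the loop ESET observed."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.median(gaps) if gaps else None


def detect(events):
    """One alert per (host, driver load) that is followed within WINDOW by
    terminations of at least MIN_VICTIMS distinct security-product processes."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=ts)
        loads = [e for e in evs if e["event_id"] == 6]
        kills = [e for e in evs
                 if e["event_id"] == 5 and basename(e["Image"]) in SECURITY_PROCESSES]
        for load in loads:
            t0 = ts(load)
            following = [k for k in kills if t0 <= ts(k) <= t0 + WINDOW]
            victims = sorted({basename(k["Image"]) for k in following})
            if len(victims) < MIN_VICTIMS:
                continue
            path = load["ImageLoaded"]
            alerts.append({
                "host": host,
                "driver": basename(path),
                "known_abused": basename(path) in ABUSED_DRIVERS,
                "staging_dir": "gentlemencollection" in path.lower(),
                "signature": load.get("Signature", ""),
                "victims": victims,
                "cadence_s": kill_cadence_seconds([ts(k) for k in following]),
            })
    return alerts


# Constructed sample telemetry: WS01 shows the pattern, WS02 is benign noise.
SAMPLE_EVENTS = [
    {"ts": "2026-06-17T10:00:00", "host": "WS01", "event_id": 6,
     "ImageLoaded": "C:\\Users\\Public\\GentlemenCollection\\dmx.sys",
     "Signature": "Zemana Ltd."},  # illustrative signer string
    {"ts": "2026-06-17T10:00:02", "host": "WS01", "event_id": 5,
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    {"ts": "2026-06-17T10:00:04", "host": "WS01", "event_id": 5,
     "Image": "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe"},
    {"ts": "2026-06-17T10:00:06", "host": "WS01", "event_id": 5,
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    {"ts": "2026-06-17T10:00:08", "host": "WS01", "event_id": 5,
     "Image": "C:\\Program Files\\ESET\\ESET Security\\ekrn.exe"},
    {"ts": "2026-06-17T10:05:00", "host": "WS02", "event_id": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\nvlddmkm.sys",
     "Signature": "NVIDIA Corporation"},  # illustrative signer string
    {"ts": "2026-06-17T10:05:30", "host": "WS02", "event_id": 5,
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On real data, feed the detector the Sysmon operational log (a `wevtutil` or SIEM export mapped onto the same field names) and tune WINDOW and MIN_VICTIMS against agent-upgrade windows, which also produce legitimate termination bursts. Two caveats matter in practice: the known-driver and staging-directory flags are enrichment only, since the gang can rename files and folders, and if the EDR agent is also the telemetry pipeline its own death silences this signal, so Sysmon or ETW events should be forwarded through a channel the agent does not own.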

Source: CybersecurityNews.com
