An exceptionally advanced EDR-disabling framework, named GentleKiller, was utilized by the Gentlemen ransomware-as-a-service (RaaS) group to methodically deactivate endpoint security solutions before launching its ransomware payload.
The insights provided by ESET, released on June 17, 2026, outline how Gentlemen, recognized as one of the most proactive ransomware groups in Q1 2026, offers its affiliates a centralized, operator-managed collection of EDR killers, a model that is uncommon even among elite ransomware organizations.
GentleKiller is an internally developed EDR-disabling framework with a minimum of eight distinct variations, each mimicking a different legitimate security product while exploiting unique vulnerable or malicious kernel-level drivers.
The method applied is Bring Your Own Vulnerable Driver (BYOVD), which loads a legitimately signed but vulnerable driver to terminate security processes at the kernel level, circumventing user-mode defenses.
In total, GentleKiller targets over 400 processes corresponding to 48 security products, including top industry names such as Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto Networks, ESET, Bitdefender, Kaspersky, and McAfee/Trellix.
The framework functions on a continuous loop, routinely scanning and terminating targeted processes every two seconds, as shown by the output displayed below.
The eight variants of GentleKiller exploit drivers from Kaspersky (eb.sys), FACEIT Anti-Cheat (nseckrnl.sys), Valorant (GameDriverX64.sys), Javelin/Safetica (stpm_old.sys/stpm_new.sys), Zemana WatchDog (dmx.sys), Qihoo 360 (360netmon_wfp.sys), IObit (IMFForceDelete), and the PoisonX rootkit.
A key feature of Gentlemen is its capability to operationalize newly released BYOVD proof-of-concept (PoC) exploits within a matter of days following public dissemination.
Tools like UnknownKiller and PoisonKiller were integrated into GentleKiller’s arsenal shortly after their public GitHub announcement, showcasing a well-funded and adaptable development pipeline, as per ESET research.
This swift adoption sets Gentlemen apart from the majority of other RaaS operators, who often take weeks or months to incorporate publicly released exploits into effective tools.
Third-Party EDR Disablers Included in the Suite
In addition to GentleKiller, Gentlemen also incorporates three externally sourced EDR disablers into its affiliate-facing suite:
- HexKiller: previously linked solely to the Warlock group; exploits a Baidu Antivirus BdApi driver (googleApiUtil64.sys)
- ThrottleBlood: previously identified in MedusaLocker and DragonForce breaches; exploits a TechPowerUp LLC driver (ThrottleBlood.sys)
- HavocKiller: first made public by Huntress on March 19, 2026, but noted in actual breaches as early as January 23, 2026; exploits a Huawei Audio driver (havoc.sys)
All three tools are standardized through a common defense-evasion layer that utilizes Enigma or Themida binary protectors, impersonates security vendors with forged version details, replicated digital signatures, and corresponding icons.
Gentlemen implements its evasion techniques at the compiled binary level, enabling it to safeguard even EDR disablers for which it doesn’t possess the source code. This creates significant challenges in attribution, as tools from different ransomware factions appear nearly identical once processed through Gentlemen’s standardization pipeline.
The group also operates OxideHarvest, a Rust-developed credential stealer maintained by a Gentlemen affiliate, which gathers credentials from Chromium-based and Gecko-based browsers on compromised systems.
Gentlemen emerged in late 2025 as a RaaS venture established by hastalamuerte, a former Qilin affiliate, and swiftly became one of the top five most active ransomware gangs in Q1 2026.
In contrast to most significant ransomware organizations that predominantly target US-based victims, Gentlemen intentionally targets individuals in Southeast Asia, South America, and Western Europe, choosing targets primarily based on FortiGate misconfigurations rather than geographic factors.
The gang was further unveiled by an internal data breach in May 2026, which validated that its operators actively develop, maintain, and distribute GentleKiller and the wider EDR-disabling suite to selected affiliates.
Gentlemen offers affiliates an unusually generous 90% revenue cut, lowering the entry barrier and speeding up its affiliate recruitment.
Security teams should emphasize driver allowlisting and implement Microsoft’s Vulnerable Driver Blocklist to avert BYOVD-style attacks. Defenders should also keep an eye on the GentlemenCollection staging directory and unusual kernel driver loading events.
Linking process-termination patterns, particularly those targeting security software alongside driver installation events, remains the most dependable behavioral detection signal against GentleKiller and its variations.
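A minimal correlation rule for the behavioral signal just described, as an added example (not ESET's or the article's own code): it flags a host where a driver file named in this article (or any driver loaded from a path containing the GentlemenCollection name, assumed here to be a directory component) is loaded and several distinct security processes are terminated shortly afterwards. The pipe-delimited telemetry format, the sample events and the security process names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Driver file names the article attributes to GentleKiller and the bundled third-party killers.
KNOWN_BYOVD_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys", "stpm_new.sys",
    "dmx.sys", "360netmon_wfp.sys", "googleapiutil64.sys", "throttleblood.sys", "havoc.sys",
}
# Security-product service processes to watch (assumed names; extend from your own EDR inventory).
SECURITY_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe", "ekrn.exe"}
STAGING_DIR = "gentlemencollection"  # staging directory the article mentions (assumed path component)

def parse_event(line):
    """Constructed pipe-delimited telemetry line: timestamp|host|event_type|detail."""
    ts, host, etype, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, etype, detail

def correlate(lines, window=timedelta(minutes=10), min_kills=3):
    """Alert when a known vulnerable driver (or anything from the staging dir) is loaded
    and at least min_kills distinct security processes die on the same host within window."""
    loads = defaultdict(list)   # host -> [(ts, driver_path)]
    kills = defaultdict(list)   # host -> [(ts, process_name)]
    for line in lines:
        ts, host, etype, detail = parse_event(line)
        if etype == "DRIVER_LOAD":
            path = detail.lower()
            if path.rsplit("\\", 1)[-1] in KNOWN_BYOVD_DRIVERS or STAGING_DIR in path:
                loads[host].append((ts, detail))
        elif etype == "PROCESS_TERMINATE" and detail.lower() in SECURITY_PROCESSES:
            kills[host].append((ts, detail.lower()))
    alerts = []
    for host, driver_loads in loads.items():
        for ts, driver in driver_loads:
            # The killer loops every two seconds, so dedupe repeated kills of the same process.
            killed = sorted({p for t, p in kills[host] if ts <= t <= ts + window})
            if len(killed) >= min_kills:
                alerts.append({"host": host, "driver": driver, "killed": killed})
    return alerts

# Constructed sample telemetry: WS01 shows the BYOVD-then-kill pattern, WS02 is benign noise.
SAMPLE_EVENTS = [
    "2026-05-01T10:00:00|WS01|DRIVER_LOAD|C:\\Windows\\Temp\\eb.sys",
    "2026-05-01T10:00:02|WS01|PROCESS_TERMINATE|MsMpEng.exe",
    "2026-05-01T10:00:04|WS01|PROCESS_TERMINATE|MsMpEng.exe",
    "2026-05-01T10:00:04|WS01|PROCESS_TERMINATE|CSFalconService.exe",
    "2026-05-01T10:00:06|WS01|PROCESS_TERMINATE|ekrn.exe",
    "2026-05-01T11:00:00|WS02|DRIVER_LOAD|C:\\Windows\\System32\\drivers\\usbhub.sys",
    "2026-05-01T11:00:30|WS02|PROCESS_TERMINATE|MsMpEng.exe",
]
```

Calling `correlate(SAMPLE_EVENTS)` returns one alert for WS01 and none for WS02, since usbhub.sys is neither a listed driver nor loaded from the staging directory.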