A highly sophisticated endpoint detection and response (EDR) killing framework, dubbed GentleKiller, has been uncovered by ESET researchers as the core weapon of the Gentlemen ransomware-as-a-service (RaaS) gang. Published on June 17, 2026, the findings reveal how Gentlemen — one of the most active ransomware groups of Q1 2026 — hands affiliates a centralized, operator-maintained suite of EDR killers, a capability rarely seen even among elite ransomware operations.
What Is GentleKiller?
GentleKiller is an in-house EDR-killing framework with at least eight distinct variants, each impersonating a different legitimate security product and abusing a different vulnerable or outright malicious kernel driver. The technique is Bring Your Own Vulnerable Driver (BYOVD): the attacker loads a legitimately signed but exploitable driver and uses its privileged primitives to terminate security processes from kernel mode, where the user-mode anti-tamper and Protected Process Light (PPL) controls that EDR agents rely on cannot stop the kill.
In total, GentleKiller targets more than 400 processes mapped to 48 security products, including industry leaders such as Microsoft Defender, CrowdStrike Falcon, SentinelOne, Sophos, Palo Alto Networks, ESET, Bitdefender, Kaspersky, and McAfee/Trellix. The framework runs in a persistent loop, rescanning for and terminating targeted processes every two seconds, so an agent that its service manager restarts is killed again almost immediately.
Eight Variants, Eight Abused Drivers
The eight GentleKiller variants each abuse a different kernel driver (the first seven are third-party product drivers with exploitable primitives; the last is a malicious rootkit driver rather than a legitimate product's component):
- Kaspersky (eb.sys)
- FACEIT Anti-Cheat (nseckrnl.sys)
- Valorant Anti-Cheat (GameDriverX64.sys)
- Javelin/Safetica (stpm_old.sys / stpm_new.sys)
- Zemana WatchDog (dmx.sys)
- Qihoo 360 (360netmon_wfp.sys)
- IObit (IMFForceDelete)
- PoisonX rootkit
Third-Party EDR Killers Integrated Into the Suite
Beyond its in-house tools, Gentlemen integrates three externally sourced EDR killers into its affiliate-facing suite. HexKiller was previously attributed exclusively to the Warlock gang and abuses a Baidu Antivirus driver. ThrottleBlood was previously observed in MedusaLocker and DragonForce intrusions and abuses a TechPowerUp LLC driver. HavocKiller was first publicly disclosed by Huntress on March 19, 2026, but observed in real-world intrusions as early as January 23, 2026, and abuses a Huawei Audio driver.
All three tools are standardized through a shared defense-evasion layer that applies Enigma or Themida binary protectors and impersonates security vendors with fabricated version information, copied digital signatures, and matching icons. A signature lifted from another binary does not validate, because the signed hash no longer matches the file, so signtool verify or PowerShell's Get-AuthenticodeSignature will report it as invalid; the cloned metadata is aimed at analysts skimming file properties, and the check that matters is signature validity, not its presence. The result is a real attribution problem: once tools from different ransomware groups have passed through Gentlemen's standardization pipeline they look near-identical, and hash- and signer-based pivots stop working.
Rapid PoC Adoption Sets Gentlemen Apart
A defining capability of Gentlemen is its ability to operationalize newly published BYOVD proof-of-concept exploits within days of public release. Tools such as UnknownKiller and PoisonKiller were folded into GentleKiller's arsenal shortly after their GitHub disclosure, evidence of a well-resourced and agile development pipeline. This sets Gentlemen apart from most other RaaS operators, who typically take weeks or months to turn publicly released exploits into production-ready tooling.
Who Are the Gentlemen?
Gentlemen emerged in late 2025 as a RaaS operation founded by hastalamuerte, a former Qilin affiliate, and rapidly became one of the five most active ransomware gangs in Q1 2026. Unlike most major ransomware groups, which focus heavily on US-based targets, Gentlemen deliberately targets victims in Southeast Asia, South America, and Western Europe, with initial target selection driven primarily by misconfigured FortiGate appliances.
The gang also uses OxideHarvest, a Rust-written credential stealer that harvests credentials from Chromium-based and Gecko-based browsers across compromised hosts. An internal data leak in May 2026 confirmed that operators actively develop, maintain, and distribute GentleKiller to vetted affiliates. Gentlemen offers affiliates an unusually generous 90% revenue share, lowering the barrier to entry and accelerating affiliate recruitment.
Defensive Recommendations
Security teams should prioritize the following actions to protect against GentleKiller-style attacks:
- Enforce driver allowlisting (WDAC) and apply Microsoft's Vulnerable Driver Blocklist so that BYOVD loads fail at the kernel boundary. Confirm the blocklist is actually enforced: it is on by default on Windows 11 22H2 and later and on HVCI-enabled devices, and elsewhere it is controlled by the VulnerableDriverBlocklistEnable value under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config. Microsoft updates the list only a few times a year, so a driver from a proof of concept published last week is unlikely to be on it yet; against those, the allowlist is the control that holds.
- Monitor for the GentlemenCollection staging directory and alert on anomalous kernel driver loads: Sysmon Event ID 6 (DriverLoad) and service installations (System log 7045, Security log 4697) whose image sits outside System32\drivers or whose signer is a gaming, anti-cheat, consumer utility or otherwise unrelated vendor. Seed the watchlist with the driver names listed above.
- Correlate process-termination patterns targeting security software with driver installation or load events in the preceding minute. This remains the most reliable behavioral detection signal against GentleKiller.
- Alert on EDR process restart loops. A security service that terminates and is restarted every few seconds is the signature of a running GentleKiller sweep, and it is visible in Sysmon process-create and process-terminate telemetry (Event IDs 1 and 5) or service-control logs even after the EDR agent itself can no longer report.
- Keep your security product drivers updated and consult vendor advisories for any components listed in the GentleKiller target manifest.
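The detection logic behind the staging-directory, driver-correlation and restart-loop recommendations, as an added example written for this article in Python (it is not ESET's tooling and nothing from the Gentlemen leak). It runs over a handful of constructed Sysmon-style events (Event ID 6 = driver load, 1 = process create, 5 = process terminate) and applies three checks: a watchlist built from the driver file names listed above, correlation of a watchlisted load with a burst of security-process terminations, and a restart-loop detector keyed on the two-second sweep. The event tuple shape, the thresholds and the short list of security-agent process names are assumptions for illustration; the real target manifest covers more than 400 processes.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Driver file names the article attributes to the eight GentleKiller variants.
# The IObit driver is named only by product (IMFForceDelete), so it is matched by prefix.
WATCHLISTED_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys",
    "stpm_new.sys", "dmx.sys", "360netmon_wfp.sys",
}
IOBIT_PREFIX = "imfforcedelete"

# Illustrative subset of security-agent processes (an assumption for this example;
# the real GentleKiller manifest covers 400+ processes across 48 products).
SECURITY_PROCESSES = {
    "msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe",
    "ekrn.exe", "bdservicehost.exe",
}

STAGING_DIR = "gentlemencollection"  # directory name the article calls out

# Constructed Sysmon-style events: (timestamp, event_id, image path).
# 6 = DriverLoad, 1 = ProcessCreate, 5 = ProcessTerminate.
DEFENDER = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"
SAMPLE_EVENTS = [
    ("2026-06-17T10:00:00", 1, r"C:\Windows\Temp\GentlemenCollection\svc.exe"),
    ("2026-06-17T10:00:02", 6, r"C:\Windows\Temp\nseckrnl.sys"),          # watchlisted driver
    ("2026-06-17T10:00:03", 5, DEFENDER),
    ("2026-06-17T10:00:03", 5, r"C:\Program Files\CrowdStrike\CSFalconService.exe"),
    ("2026-06-17T10:00:04", 1, DEFENDER),                                  # service manager restarts it
    ("2026-06-17T10:00:05", 5, DEFENDER),                                  # killed again on the next sweep
    ("2026-06-17T10:00:06", 1, DEFENDER),
    ("2026-06-17T10:00:07", 5, DEFENDER),
    ("2026-06-17T10:00:09", 6, r"C:\Windows\System32\drivers\tcpip.sys"),  # benign driver load
    ("2026-06-17T10:05:00", 5, r"C:\Program Files\SentinelOne\SentinelAgent.exe"),  # outside window
]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def is_watchlisted_driver(path):
    name = _basename(path)
    return name in WATCHLISTED_DRIVERS or name.startswith(IOBIT_PREFIX)


def staging_dir_hits(events):
    """Images executed from, or drivers loaded from, the staging directory."""
    return [img for _, _, img in events
            if any(p.lower() == STAGING_DIR for p in PureWindowsPath(img).parts)]


def correlate_driver_loads(events, window=timedelta(seconds=60), min_kills=3):
    """Watchlisted driver loads followed by >= min_kills security-process
    terminations inside `window`; returns [(driver_name, kill_count)]."""
    loads = [(datetime.fromisoformat(ts), img) for ts, eid, img in events
             if eid == 6 and is_watchlisted_driver(img)]
    kills = [datetime.fromisoformat(ts) for ts, eid, img in events
             if eid == 5 and _basename(img) in SECURITY_PROCESSES]
    findings = []
    for t0, drv in loads:
        n = sum(1 for t in kills if t0 <= t <= t0 + window)
        if n >= min_kills:
            findings.append((_basename(drv), n))
    return findings


def find_restart_loops(events, min_kills=3, max_gap=timedelta(seconds=5)):
    """Security processes terminated at least min_kills times with every gap
    between terminations <= max_gap (the article's two-second sweep);
    returns {process_name: mean_gap_seconds}."""
    by_proc = defaultdict(list)
    for ts, eid, img in events:
        if eid == 5 and _basename(img) in SECURITY_PROCESSES:
            by_proc[_basename(img)].append(datetime.fromisoformat(ts))
    loops = {}
    for proc, times in by_proc.items():
        if len(times) < min_kills:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) <= max_gap:
            loops[proc] = round(sum(g.total_seconds() for g in gaps) / len(gaps), 1)
    return loops


if __name__ == "__main__":
    print("staging dir:", staging_dir_hits(SAMPLE_EVENTS))
    print("driver->kill bursts:", correlate_driver_loads(SAMPLE_EVENTS))
    print("restart loops:", find_restart_loops(SAMPLE_EVENTS))
```

On the sample, the nseckrnl.sys load is followed by four security-process terminations inside the window, and MsMpEng.exe shows a three-kill loop with a two-second period; the benign tcpip.sys load and the isolated SentinelAgent termination five minutes later produce nothing. The restart-loop check is deliberately independent of the driver watchlist, so it still fires when a variant shows up with a driver name not yet on the list.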
The GentleKiller disclosure underscores a chilling evolution in the ransomware ecosystem: the commoditization of kernel-level defense evasion. When even a newly formed ransomware gang can deliver polished, centrally maintained BYOVD toolkits to affiliates within days of a proof of concept being published, defenders must treat kernel driver monitoring and allowlisting as first-class security controls, not an afterthought.