Gentlemen Ransomware Uses GentleKiller to Disable More Than 400 EDR Processes
The Gentlemen ransomware operation is giving affiliates access to a powerful EDR-killing framework called GentleKiller, according to new research from ESET.
The tool is designed to disable endpoint detection and response (EDR) products before ransomware deployment. ESET's research report says GentleKiller targets more than 400 process names mapped to 48 security products.
GentleKiller uses a Bring Your Own Vulnerable Driver technique, usually shortened to BYOVD. The attacker loads a legitimately signed but vulnerable kernel driver, then uses its flaws to act with kernel privileges. That lets the tool terminate or tamper with security agents that user-mode malware cannot touch, including processes that Windows protects from ordinary termination.
GentleKiller Gives Affiliates a Ready-Made Defense Evasion Tool
The Gentlemen gang has grown quickly since late 2025 and became one of the most active ransomware groups seen in early 2026. What makes the group stand out is that its operators appear to maintain EDR-killing tools centrally, instead of leaving affiliates to find their own.
BleepingComputer reported that the Gentlemen suite includes multiple tools for disabling defenses, with GentleKiller being the main in-house framework. The goal is simple: blind endpoint protection before data theft, lateral movement, and encryption begin.
This model lowers the technical barrier for ransomware affiliates. It also makes Gentlemen more attractive to criminals who want access to a packaged toolkit rather than building their own EDR bypass methods.
How the BYOVD Attack Works
BYOVD attacks abuse drivers that carry a trusted digital signature but contain exploitable weaknesses, so the operating system loads them without complaint. Once attackers hold administrative rights, they can register the driver as a kernel service, load it, and send it requests that kill or cripple security software from kernel mode, where user-mode anti-tampering protections do not apply.
Microsoft has warned that attackers increasingly target legitimate signed kernel drivers to run malware in the kernel. Its recommended driver block rules are designed to help harden Windows systems against vulnerable and malicious third-party drivers.
GentleKiller shows why that protection matters. ESET said the framework has at least eight variants, each impersonating a different legitimate product and abusing a different vulnerable or malicious driver.
| GentleKiller variant | Impersonated product or theme | Abused driver or driver family |
|---|---|---|
| Kaspersky | Kaspersky-themed executable | eb.sys rootkit component |
| FACEIT Anti-Cheat | FACEIT-themed executable | nseckrnl.sys |
| Valorant | Valorant-themed executable | GameDriverX64.sys or related anti-cheat driver abuse |
| Javelin | Javelin or anti-cheat-style executable | Safetica ProcessMonitor driver samples |
| WatchDog | WatchDog-themed executable | Zemana WatchDog driver |
| Network Blocker | Network security-themed executable | Qihoo 360 driver |
| Cleaner | Cleaner-style executable | IObit ForceDelete filter driver |
| G11 or Symantec | Security product-themed executable | PoisonX rootkit |
More Than 400 Security Processes Are Targeted
The list of targeted products includes major security vendors and enterprise tools. ESET found process names linked to Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto Networks, ESET, Bitdefender, Kaspersky, McAfee and Trellix, Fortinet, Huntress, and others.
The tool runs in a loop, repeatedly enumerating running processes and terminating any that match its list. That pattern can leave an endpoint exposed at the exact moment attackers prepare for ransomware deployment.
The ESET analysis also says Gentlemen can adapt newly published BYOVD proof-of-concept tools within days. That speed gives defenders less time to react after public research becomes available.
Third-Party EDR Killers Are Also Part of the Suite
Gentlemen does not rely only on its own framework. Researchers also linked the group’s toolkit to third-party EDR killers, including HexKiller, ThrottleBlood, and HavocKiller.
The BleepingComputer report noted that these tools help affiliates evade detection in the early stages of an attack. ESET assessed that GentleKiller is the in-house component, while the other tools were likely sourced externally and adapted for use in Gentlemen intrusions.
HavocKiller is especially notable because it was publicly discussed earlier this year. In March, Huntress detailed a campaign that used a vulnerable Huawei audio driver to kill security processes after rogue remote access activity.
| Tool | Driver abuse | Why it matters |
|---|---|---|
| GentleKiller | Multiple vulnerable or malicious drivers | In-house Gentlemen framework with at least eight variants |
| HexKiller | Baidu Antivirus BdApi driver | Previously associated with Warlock-related activity |
| ThrottleBlood | TechPowerUp driver | Seen in other ransomware intrusions before appearing in the Gentlemen suite |
| HavocKiller | Huawei audio driver | Observed in ransomware-related activity and later folded into Gentlemen operations |
Gentlemen Uses a Standardized Evasion Layer
ESET said Gentlemen applies a shared evasion strategy across its EDR-killing tools. That includes binary protectors such as Enigma or Themida, fake version information, digital signatures copied from legitimate binaries, and icons that mimic legitimate security products.
This standardization can make analysis harder, since samples from different origins look alike once Gentlemen runs them through the same defense-evasion layer. A copied Authenticode signature does not verify, however, so a signed-but-invalid executable impersonating a security vendor is itself a detection opportunity.

The same ecosystem also includes OxideHarvest, a Rust-written credential stealer linked to a Gentlemen affiliate. The tool can harvest credentials from Chromium-based and Gecko-based browsers after attackers gain access to compromised systems.
Internal Leak Gave Researchers More Visibility
Gentlemen suffered an internal data leak in May 2026. Check Point Research reported that a backend database tied to the group was exposed, revealing accounts, infrastructure details, and operational evidence.
That leak helped support earlier conclusions that Gentlemen operators actively maintain and distribute EDR-killing packages to vetted affiliates. It also gave researchers more insight into the group’s development process and affiliate model.
According to ESET, the group offers affiliates a 90% share, which is unusually generous for ransomware-as-a-service operations. That revenue split may help explain why the group has been able to recruit affiliates quickly.
Security Teams Should Focus on Driver Controls
Organizations should treat GentleKiller as a warning that endpoint protection alone may not stop ransomware if attackers can load vulnerable drivers. Driver control, application control, and kernel protection policies are now essential parts of ransomware defense.
Microsoft says the vulnerable driver blocklist is enabled by default on Windows 11 version 22H2 and later, and can also be enforced through memory integrity, Smart App Control, S mode, or App Control for Business. The company’s driver blocklist guidance also recommends the Attack Surface Reduction rule that blocks abuse of exploited vulnerable signed drivers.
Security teams should test these policies carefully before full deployment, especially on servers and systems that rely on specialized hardware or legacy software. Blocking drivers can affect compatibility, but leaving vulnerable drivers exposed gives ransomware crews a path around EDR tools.
- Enable Microsoft’s vulnerable driver blocklist where possible.
- Use application control or driver allowlisting on high-risk systems.
- Monitor for unexpected kernel driver loads.
- Alert on rapid termination of multiple security processes.
- Investigate staging paths such as GentlemenCollection.
- Restrict local administrator rights across endpoints.
- Keep EDR, operating systems, and hardware drivers updated.
- Review remote access tools and remove unapproved RMM software.
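As an added example (editor's code, not ESET's, the page's, or anything from the Gentlemen toolset), the following Python correlates two of the monitoring items above: driver loads that look like BYOVD (outside System32\drivers, on a blocklist, or under a staging path such as GentlemenCollection) and a burst of security-process terminations inside a short window. It assumes Sysmon-style events, ID 6 (driver loaded) and ID 5 (process terminated); the process names are an illustrative subset of the vendors the report names, the blocklist hash is a placeholder, and the event timeline is constructed.

```python
"""Flag BYOVD-style EDR killing from Sysmon-like telemetry.

Added example by the editor, not code from ESET, the page, or the Gentlemen
toolset. Assumes Sysmon-style events: ID 6 (driver loaded) with image,
hashes and signature_status; ID 5 (process terminated) with image.
The process list, the blocklist hash and SAMPLE_EVENTS are constructed.
"""
from collections import deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Illustrative subset of agent binaries for vendors the report names
# (assumption, not ESET's 400-entry list).
SECURITY_PROCESSES = {
    "msmpeng.exe", "mssense.exe",      # Microsoft Defender / Defender for Endpoint
    "csfalconservice.exe",             # CrowdStrike Falcon
    "sentinelagent.exe",               # SentinelOne
    "sophoshealth.exe",                # Sophos
    "cyserver.exe",                    # Palo Alto Cortex XDR
    "ekrn.exe",                        # ESET
    "bdservicehost.exe",               # Bitdefender
    "huntressagent.exe",               # Huntress
}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Placeholder entry standing in for Microsoft's vulnerable driver blocklist.
BLOCKED_DRIVER_HASHES = {"SHA256=" + "00" * 32}
STAGING_MARKERS = ("\\gentlemencollection\\",)   # staging directory named above
WINDOW = timedelta(seconds=60)                 # correlation window
KILL_THRESHOLD = 3                             # distinct agents killed in WINDOW


def check_driver_load(ev):
    """Return the reasons a driver-load event looks like BYOVD (empty if none)."""
    path = ev["image"].lower()
    reasons = []
    if not path.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("driver loaded from outside System32\\drivers")
    if ev.get("hashes", "") in BLOCKED_DRIVER_HASHES:
        reasons.append("driver hash is on the vulnerable-driver blocklist")
    if any(m in path for m in STAGING_MARKERS):
        reasons.append("driver path matches a known staging directory")
    # A BYOVD driver is usually validly signed, so this check alone is weak.
    if ev.get("signature_status", "Valid") != "Valid":
        reasons.append("driver signature did not validate")
    return reasons


def detect(events):
    """Scan events in time order and return alert dicts."""
    alerts = []
    recent_kills = deque()      # (timestamp, agent name) inside WINDOW
    last_bad_driver = None      # (timestamp, image) of the last flagged load
    burst_open = False          # avoid re-alerting on the same burst
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 6:
            reasons = check_driver_load(ev)
            if reasons:
                last_bad_driver = (ts, ev["image"])
                alerts.append({"type": "suspicious_driver_load", "severity": "medium",
                               "ts": ev["ts"], "image": ev["image"], "reasons": reasons})
        elif ev["id"] == 5:
            name = PureWindowsPath(ev["image"]).name.lower()
            if name not in SECURITY_PROCESSES:
                continue
            recent_kills.append((ts, name))
            while ts - recent_kills[0][0] > WINDOW:
                recent_kills.popleft()
            killed = sorted({n for _, n in recent_kills})
            if len(killed) < KILL_THRESHOLD:
                burst_open = False
            elif not burst_open:
                burst_open = True
                # A flagged driver load shortly before the burst is the BYOVD signature.
                driver_first = (last_bad_driver is not None
                                and ts - last_bad_driver[0] <= WINDOW)
                alerts.append({"type": "edr_kill_burst",
                               "severity": "critical" if driver_first else "high",
                               "ts": ev["ts"], "killed": killed,
                               "preceded_by_driver": last_bad_driver[1] if driver_first else None})
    return alerts


# Constructed timeline: one benign driver load, one staged driver load, then
# three agents die within seconds (plus an unrelated notepad exit).
SAMPLE_EVENTS = [
    {"ts": "2026-05-01T10:00:00", "id": 6, "signature_status": "Valid",
     "image": "C:\\Windows\\System32\\drivers\\tcpip.sys", "hashes": "SHA256=" + "11" * 32},
    {"ts": "2026-05-01T10:05:00", "id": 6, "signature_status": "Valid",
     "image": "C:\\Users\\Public\\GentlemenCollection\\drv.sys", "hashes": "SHA256=" + "00" * 32},
    {"ts": "2026-05-01T10:05:03", "id": 5,
     "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    {"ts": "2026-05-01T10:05:04", "id": 5, "image": "C:\\Windows\\notepad.exe"},
    {"ts": "2026-05-01T10:05:06", "id": 5, "image": "C:\\Program Files\\CrowdStrike\\CSFalconService.exe"},
    {"ts": "2026-05-01T10:05:09", "id": 5,
     "image": "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the events would come from Sysmon or the EDR's own telemetry, the blocklist from Microsoft's published vulnerable driver list, and the window and threshold would be tuned per estate. Bear in mind that a kill loop of this kind will also target the telemetry agent itself, so a sudden silence from a host immediately after a suspicious driver load is a signal in its own right, not a data gap.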
Why GentleKiller Matters
GentleKiller shows how ransomware groups are turning defense evasion into a managed service for affiliates. Instead of only selling encryptors and leak-site access, Gentlemen gives trusted partners tools that can weaken security before the final ransomware stage.
The use of tools such as HavocKiller also shows how quickly BYOVD techniques can spread from public research or unrelated campaigns into ransomware operations. The earlier Huntress research showed how a vulnerable signed driver could let attackers terminate security tools from kernel mode after initial access.
The Check Point leak analysis and ESET’s later investigation point to the same broader trend. Ransomware groups are becoming more organized, more modular, and faster at operationalizing tools that can bypass enterprise defenses.
FAQ
What is GentleKiller?
GentleKiller is an EDR-killing framework used by the Gentlemen ransomware-as-a-service operation. It targets security processes so attackers can weaken endpoint defenses before deploying ransomware.
Is GentleKiller itself ransomware?
No. GentleKiller is not the ransomware payload itself. It is a defense-evasion framework that helps Gentlemen affiliates disable security tools before ransomware activity begins.
What is BYOVD?
BYOVD stands for Bring Your Own Vulnerable Driver. In this technique, attackers load a signed but vulnerable driver and abuse it to gain kernel-level capabilities, often to disable security tools.
How many security products does GentleKiller target?
ESET said GentleKiller targets more than 400 processes mapped to 48 security products, including several major endpoint security and EDR vendors.
How can organizations defend against GentleKiller?
Organizations should enable vulnerable driver blocklists, use driver allowlisting, monitor for suspicious driver loads, restrict administrator rights, keep drivers updated, and investigate rapid termination of multiple security processes.