
GentleKiller Ransomware Framework Abuses Vulnerable Drivers to Disable 400 EDR Security Processes

By xploitzone
June 21, 2026 4:48 PM

GentleKiller is a sophisticated EDR-killing framework used by the Gentlemen ransomware-as-a-service gang. It abuses vulnerable signed kernel drivers through BYOVD attacks to disable more than 400 security processes across 48 leading endpoint protection products.

Imagine your company's most trusted security tool, the one that constantly shows a green symbol in the corner of your screen, suddenly shuts down of its own accord, and you are not even aware of it. This is not a crash or a bug. It is a well-planned attack waged by a ransomware gang. It is called GentleKiller, and it is dangerous enough to silence even the world's most renowned security brands in one fell swoop.

GentleKiller BYOVD EDR Killer Framework Explained

ESET researchers published a detailed report on June 17, 2026 stating that a ransomware-as-a-service gang named Gentlemen was one of the most active groups in Q1 2026. The most unusual finding was that Gentlemen was not only providing encryption tools to its affiliates but also a centralized, operator-maintained EDR killer suite. This model is uncommon and is rarely seen even in top-tier ransomware operations.

GentleKiller is an in-house framework that currently has at least eight different variants. Each variant masquerades as a different legitimate security product, and each one exploits a different vulnerable or malicious kernel-level driver.

This approach is called BYOVD, or Bring Your Own Vulnerable Driver. The attacker does not write a new malicious driver; instead, the attacker loads a driver that is legitimately signed but contains a vulnerability. Because the driver runs in the kernel, this method lets the attacker bypass all user-mode protections and terminate security processes at the kernel level.

The true scope of GentleKiller is breathtaking. The framework targets over 400 processes belonging to 48 security products, including some of the industry's most renowned names: Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto Networks, ESET, Bitdefender, Kaspersky, and McAfee Trellix. It does not perform a one-time attack; it runs in a continuous loop, re-scanning every two seconds to terminate the targeted processes as they restart.

GentleKiller terminal output showing fake Kaspersky branding and the two-second EDR kill loop (source: ESET Research)

The eight variants in this framework exploit drivers including Kaspersky's eb.sys, FACEIT Anti-Cheat's nseckrnl.sys, Valorant's GameDriverX64.sys, Javelin Safetica's stpm old and stpm new.sys, Zemana WatchDog's dmx.sys, Qihoo 360's 360netmon wfp.sys, IObit's IMFForceDelete, and the PoisonX rootkit. Most surprising is that the Gentlemen gang has managed to fold newly published BYOVD proof-of-concept exploits into its arsenal within just a few days.

Tools like UnknownKiller and PoisonKiller were incorporated into GentleKiller within days of being made public on GitHub, a clear testament to the speed and resources of the gang's development pipeline.

Gentlemen Ransomware Gang Tactics and Defense Mitigation

In addition to GentleKiller, Gentlemen also provides its affiliates with three other EDR killers sourced from outside. The first is HexKiller, previously attributed solely to the Warlock gang, which exploits the Baidu Antivirus BdAPI driver googleApiUtil64.sys.

The second is ThrottleBlood, seen in intrusions by groups such as MedusaLocker and DragonForce, which uses TechPowerUp's ThrottleBlood.sys driver. The third is HavocKiller, first made public by Huntress on 19 March 2026 but present in real-world attacks since 23 January 2026, which abuses the Huawei Audio driver havoc.sys.

Gentlemen has standardized these three tools through a common defense-evasion layer that employs binary protectors such as Enigma or Themida. The resulting binaries masquerade as security vendors' software, using fake version information, forged digital signatures and matching icons.

Gentlemen applies this evasion strategy at the compiled-binary level, which lets it protect even EDR killers whose source code it does not possess. This makes attribution extremely difficult, because tools from different ransomware groups look very similar after passing through the same standardization pipeline. The gang also uses a Rust-based credential stealer called OxideHarvest that steals credentials from Chromium- and Gecko-based browsers on compromised machines.

Internal build tool command-line options showing IP-list and credential-based deployment (source: ESET Research)

The story of Gentlemen began in late 2025, when an individual known as Hastalamuerte, formerly an affiliate of the Qilin ransomware gang, founded the RaaS operation. In a very short time, Gentlemen became one of the five most active ransomware gangs as of Q1 2026.

While most other ransomware groups focus on US-based targets, Gentlemen has targeted Southeast Asia, South America and Western Europe. Its selection process is not based on geography but on FortiGate misconfigurations, meaning the gang attacks wherever it finds vulnerable FortiGate setups.

In May 2026, the gang's internal data was leaked, revealing that Gentlemen operators themselves develop, maintain and distribute GentleKiller and the entire EDR killer suite to their vetted affiliates. The gang offers its affiliates a 90 percent revenue share, a very generous offer by industry standards, which is why new affiliates are rapidly joining.

Driver allowlisting is a crucial step for security teams. Organizations should enforce the Microsoft Vulnerable Driver Blocklist to prevent outdated or vulnerable signed drivers from being loaded. Defenders should also monitor for the staging directory named GentlemenCollection and immediately investigate any anomalous kernel driver loading events.

The most reliable behavioral detection signal is a new driver being installed while security software processes begin terminating at the same time; this correlation is the earliest warning sign.
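The correlation rule just described, written out as an added example (not ESET's or the article's own tooling): it walks constructed driver-load and process-termination telemetry per host, raises an alert when a driver load is followed within a short window by several terminations of watchlisted security processes, and flags whether the driver is one of the file names the article reports as abused. The telemetry format, the process watchlist and the window size are assumptions to be adapted to the local EDR or Sysmon feed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative security-process watchlist (assumption: tune to the products actually deployed).
SECURITY_PROCESSES = {"MsMpEng.exe", "CSFalconService.exe", "SentinelAgent.exe", "ekrn.exe"}
# Driver file names the article reports as abused by GentleKiller and the sourced killers.
KNOWN_ABUSED_DRIVERS = {"eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "dmx.sys",
                        "googleapiutil64.sys", "throttleblood.sys", "havoc.sys"}

def parse_line(line):
    """Parse a constructed telemetry line: '<iso-ts> <host> <DRIVER_LOAD|PROC_TERM> <name>'."""
    ts, host, kind, name = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "name": name}

def correlate(lines, window_s=120, min_kills=3):
    """Alert when a driver load is followed, on the same host and within window_s seconds,
    by at least min_kills terminations of watchlisted security processes."""
    by_host = defaultdict(list)
    for ev in sorted(map(parse_line, lines), key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["kind"] != "DRIVER_LOAD":
                continue
            deadline = ev["ts"] + timedelta(seconds=window_s)
            kills = [k for k in evs[i + 1:]
                     if k["kind"] == "PROC_TERM" and k["name"] in SECURITY_PROCESSES
                     and k["ts"] <= deadline]
            if len(kills) >= min_kills:
                alerts.append({"host": host, "driver": ev["name"],
                               "known_abused": ev["name"].lower() in KNOWN_ABUSED_DRIVERS,
                               "kills": len(kills),
                               "first_kill_after_s": (kills[0]["ts"] - ev["ts"]).total_seconds()})
    return alerts

# Constructed sample telemetry: one host hit by a kill loop, one with unrelated driver activity.
SAMPLE_LINES = [
    "2026-06-17T09:00:00 ws01 DRIVER_LOAD eb.sys",
    "2026-06-17T09:00:02 ws01 PROC_TERM MsMpEng.exe",
    "2026-06-17T09:00:02 ws01 PROC_TERM SentinelAgent.exe",
    "2026-06-17T09:00:04 ws01 PROC_TERM MsMpEng.exe",   # respawned and killed again (2 s loop)
    "2026-06-17T09:00:06 ws01 PROC_TERM MsMpEng.exe",
    "2026-06-17T09:05:00 ws02 DRIVER_LOAD benign_example.sys",  # placeholder benign driver
    "2026-06-17T09:05:30 ws02 PROC_TERM notepad.exe",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LINES):
        print(alert)
```

The repeated kills of the same process a few seconds apart are themselves a useful secondary indicator of the two-second re-scan loop, separate from the driver-load correlation.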

This story is another reminder that modern ransomware gangs are no longer limited to encryption. They are organized like entire industries, where each gang supplies its affiliates with a complete toolkit that includes defense-defeating weapons. Until organizations treat the security of their drivers as seriously as updating their antivirus software, this threat will remain alive.

xploitzone

Exploring the world of cybersecurity through in-depth analysis of vulnerabilities, data breaches and emerging threats. Delivering real insights, technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.
