A highly sophisticated EDR-killing framework, dubbed GentleKiller, was used by the Gentlemen ransomware-as-a-service (RaaS)<\/a> gang to systematically disable endpoint security tools before deploying its ransomware payload.<\/p>\n The findings by ESET, published on June 17, 2026, detail how Gentlemen, one of the most active ransomware gangs in Q1 2026, provides affiliates with a centralized, operator-maintained suite of EDR killers, a model rare even among top-tier ransomware operations.<\/p>\n GentleKiller is an in-house EDR-killing framework with at least eight distinct variants, each impersonating a different legitimate security product and abusing a unique vulnerable or malicious kernel-level driver.<\/p>\n The technique used is Bring Your Own Vulnerable Driver (BYOVD)<\/a>, loading a legitimately signed but exploitable driver to terminate security processes at the kernel level, bypassing user-mode protections.<\/p>\n In total, GentleKiller targets more than 400 processes mapped to 48 security products, including industry leaders such as Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto Networks, ESET, Bitdefender, Kaspersky, and McAfee\/Trellix.<\/p>\n The framework operates on a loop, periodically scanning and terminating targeted processes every two seconds, as evidenced by the output shown below.<\/p>\n The eight GentleKiller variants abuse drivers from Kaspersky ( A defining capability of Gentlemen is its ability to operationalize newly published BYOVD proof-of-concept (PoC) exploits within days of public release.<\/p>\n Tools such as UnknownKiller and PoisonKiller were incorporated into GentleKiller\u2019s arsenal within days of their public GitHub disclosure, demonstrating a well-resourced and agile development pipeline, according to ESET research<\/a>.<\/p>\n This rapid adoption distinguishes Gentlemen from most other RaaS operators, who typically wait weeks or months before adapting publicly released exploits into production-ready tooling.<\/p>\n Beyond GentleKiller, Gentlemen also integrates three externally sourced EDR killers into its affiliate-facing suite:<\/p>\n All three tools are standardized through a shared defense-evasion layer that applies Enigma or Themida binary protectors, impersonates security vendors with fabricated version information, copied digital signatures, and matching icons.<\/p>\n Gentlemen applies its evasion strategy at the compiled binary level, allowing it to protect even EDR killers for which it does not own the source code. This creates significant attribution challenges, as tools from different ransomware groups appear near-identical once processed through Gentlemen\u2019s standardization pipeline.<\/p>\n The gang also uses OxideHarvest, a Rust-written credential stealer maintained by a Gentlemen affiliate, which harvests credentials from Chromium-based and Gecko-based browsers across compromised hosts.<\/p>\n Gentlemen emerged in late 2025 as a RaaS operation founded by Unlike most major ransomware groups that focus heavily on US-based targets, Gentlemen deliberately targets victims in Southeast Asia, South America, and Western Europe, selecting targets primarily based on FortiGate misconfigurations rather than geographic criteria.<\/p>\n The gang was further exposed by an internal data leak in May 2026, which confirmed that its operators actively develop, maintain, and distribute GentleKiller and the broader EDR-killer suite<\/a> to vetted affiliates.<\/p>\n Gentlemen offers affiliates an unusually generous 90% revenue share, lowering the barrier to entry and accelerating its affiliate recruitment.<\/p>\n Security teams should prioritize driver allowlisting and enforce Microsoft\u2019s Vulnerable Driver Blocklist to prevent BYOVD-style attacks. Defenders should also monitor for the GentlemenCollection staging directory and anomalous kernel driver loading events.<\/p>\n Correlating process-termination patterns, especially targeting security software with driver installation events, remains the most reliable behavioral detection signal against GentleKiller and its variants.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post GentleKiller Ransomware Abuses Vulnerable Drivers to Disable 400+ EDR Security Processes<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh7MpREDbf7bra3sU2J3A5UFdL5uW5ExUlvGwsGANvmJERqk9Iyd-2Gx-1eKzrM47UVIcLkdbqdMniVLx-iwYqwXyHNZmoNkHWdf0879sMHHxKnhyphenhyphentHOfAOb4nLJEuwMgj60or4aY8f2fuk7u35DN_mZRXUVg7dZiLcvwpuN2CdkxfYS8jq9zrsfdFgFu2P\/w640-h582\/GentleKiller%2520Ransomware%2520Abuses%2520Vulnerable%2520Drivers.webp?ssl=1\")
eb.sys<\/code>), FACEIT Anti-Cheat (nseckrnl.sys<\/code>), Valorant (GameDriverX64.sys<\/code>), Javelin\/Safetica (stpm_old.sys<\/code>\/stpm_new.sys<\/code>), Zemana WatchDog (dmx.sys<\/code>), Qihoo 360 (360netmon_wfp.sys<\/code>), IObit (IMFForceDelete<\/code>), and the PoisonX rootkit.<\/p>\nThird-Party EDR Killers Integrated Into the Suite<\/strong><\/h2>\n
\n
googleApiUtil64.sys<\/code>)<\/li>\nThrottleBlood.sys<\/code>)<\/li>\nhavoc.sys<\/code>)<\/li>\n<\/ul>\nhastalamuerte<\/code>, a former Qilin affiliate<\/a>, and rapidly became one of the five most active ransomware gangs in Q1 2026.<\/p>\n