GentleKiller Ransomware Exploits Vulnerable Drivers to Disable EDR Security
Key Takeaways
- The Gentlemen ransomware-as-a-service (RaaS) group is deploying a sophisticated EDR-killing framework, GentleKiller, to neutralize endpoint security tools.
- GentleKiller leverages the Bring Your Own Vulnerable Driver (BYOVD) technique, exploiting legitimate but vulnerable kernel-level drivers to disable over 400 processes across 48 security products.
- The Gentlemen RaaS operation, known for its rapid adoption of new exploits, also integrates several third-party EDR killers and a credential stealer, OxideHarvest, into its arsenal.
- The gang, active since late 2025 and founded by a former Qilin affiliate, targets organizations primarily in Southeast Asia, South America, and Western Europe, often exploiting FortiGate misconfigurations.
GentleKiller Ransomware Disables EDR Through Vulnerable Drivers
The Gentlemen ransomware-as-a-service (RaaS) collective has been observed deploying a highly advanced framework, dubbed GentleKiller, specifically designed to incapacitate endpoint detection and response (EDR) solutions before initiating its ransomware attacks. This aggressive pre-infection strategy aims to ensure the successful deployment of their malicious payloads by eliminating defensive measures.
According to findings published by ESET on June 17, 2026, Gentlemen, identified as one of the most active ransomware groups in the first quarter of 2026, provides its affiliates with a centrally managed suite of EDR-killing tools. This operational model, where the core group maintains and updates such a specialized toolkit for its affiliates, is a rare sophistication even among leading ransomware operations.
The Mechanics of GentleKiller
GentleKiller is an internally developed framework comprising at least eight distinct variants. Each variant masquerades as a legitimate security product and exploits a unique, vulnerable, or malicious kernel-level driver. The primary attack vector is the “Bring Your Own Vulnerable Driver” (BYOVD) technique. This involves loading a legitimately signed, yet exploitable, driver to terminate security processes at the kernel level, effectively circumventing user-mode protections that EDRs typically rely upon.
The framework boasts an extensive targeting capability, aiming at more than 400 processes associated with 48 different security products. This comprehensive list includes prominent industry solutions such as Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto Networks, ESET, Bitdefender, Kaspersky, and McAfee/Trellix. GentleKiller runs in a continuous loop, rescanning for and terminating targeted processes approximately every two seconds so that security tooling stays disabled for the duration of the attack.
The eight identified GentleKiller variants exploit drivers from various vendors and products, including Kaspersky (eb.sys), FACEIT Anti-Cheat (nseckrnl.sys), Valorant (GameDriverX64.sys), Javelin/Safetica (stpm_old.sys/stpm_new.sys), Zemana WatchDog (dmx.sys), Qihoo 360 (360netmon_wfp.sys), IObit (IMFForceDelete), and the PoisonX rootkit.
Rapid Exploitation and Integration
A notable characteristic of the Gentlemen RaaS operation is its exceptional agility in operationalizing newly disclosed BYOVD proof-of-concept (PoC) exploits. The group has demonstrated the capability to integrate tools like UnknownKiller and PoisonKiller into GentleKiller’s arsenal within days of their public disclosure on platforms such as GitHub. This rapid adoption highlights a well-resourced and highly agile development pipeline, distinguishing Gentlemen from many other RaaS operators who typically take weeks or months to adapt public exploits into production-ready tools.
Third-Party EDR Killers and Evasion Techniques
Beyond its proprietary GentleKiller framework, Gentlemen also incorporates three externally sourced EDR killers into its affiliate-facing toolkit:
- HexKiller: Previously linked exclusively to the Warlock gang, this tool abuses a Baidu Antivirus driver (googleApiUtil64.sys).
- ThrottleBlood: Observed in intrusions involving MedusaLocker and DragonForce, it exploits a TechPowerUp LLC driver (ThrottleBlood.sys).
- HavocKiller: First publicly reported by Huntress on March 19, 2026, though seen in real-world attacks as early as January 23, 2026, this killer abuses a Huawei Audio driver (havoc.sys).
All these tools are standardized through a shared defense-evasion layer. This layer applies binary protectors like Enigma or Themida, creates fabricated version information, copies digital signatures, and uses matching icons to impersonate legitimate security vendors. This strategy allows Gentlemen to protect even EDR killers for which it does not possess the source code, creating significant attribution challenges as different tools appear nearly identical after passing through Gentlemen’s standardization pipeline.
The group also utilizes OxideHarvest, a credential stealer written in Rust and maintained by one of Gentlemen’s affiliates. OxideHarvest is designed to harvest credentials from Chromium-based and Gecko-based browsers on compromised systems.
Gentlemen’s Origins and Targets
The Gentlemen RaaS operation emerged in late 2025, founded by an individual known as hastalamuerte, a former affiliate of the Qilin ransomware group. It quickly ascended to become one of the top five most active ransomware gangs in Q1 2026. Unlike many major ransomware groups that predominantly target US-based organizations, Gentlemen deliberately focuses its attacks on victims in Southeast Asia, South America, and Western Europe. Their targeting criteria are primarily based on identifying FortiGate misconfigurations rather than specific geographic locations.
Further insights into the group’s operations were revealed by an internal data leak in May 2026, which confirmed that Gentlemen’s operators actively develop, maintain, and distribute GentleKiller and its broader EDR-killer suite to vetted affiliates. The group offers an unusually high 90% revenue share to its affiliates, a tactic that lowers the barrier to entry and has likely accelerated its recruitment efforts.
What You Should Do
- Implement Driver Allowlisting: Prioritize and enforce driver allowlisting policies to prevent the execution of unauthorized or vulnerable drivers.
- Enforce Microsoft’s Vulnerable Driver Blocklist: Ensure that Microsoft’s Vulnerable Driver Blocklist is actively enforced to mitigate BYOVD-style attacks.
- Monitor for Anomalous Kernel Driver Loading: Continuously monitor systems for unusual kernel driver loading events, which can indicate an attempted BYOVD attack.
- Detect GentlemenCollection Staging: Be vigilant for the presence of the GentlemenCollection staging directory on your network.
- Correlate Process Termination with Driver Installation: Implement detection rules that correlate patterns of security software process termination with kernel driver installation events. This remains the most reliable behavioral detection signal against GentleKiller and its variants.
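As an added example (not code from ESET or this article), here is the correlation rule from the last item implemented over constructed Sysmon-style events: a kernel driver load (event ID 6) followed within a short window by a burst of terminations (event ID 5) of security-product processes raises an alert, and a driver file name from the list in this article only raises that alert's confidence. The event field names, the window and threshold, and the security-process names are assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Driver file names the article lists as abused by GentleKiller and the
# third-party killers; a production rule would also key on blocklist hashes.
KNOWN_ABUSED_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys", "stpm_new.sys",
    "dmx.sys", "360netmon_wfp.sys", "googleapiutil64.sys", "throttleblood.sys", "havoc.sys",
}
# Security-product process names to watch (assumed; extend from your own inventory).
SECURITY_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe"}

def correlate(events, window=timedelta(seconds=30), min_kills=3):
    """Return one alert per driver load (EID 6) that is followed within `window`
    by at least `min_kills` terminations (EID 5) of security-product processes.
    The kill burst is the signal; a known-abused driver name only adds confidence."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] != 6:
            continue
        loaded = datetime.fromisoformat(ev["ts"])
        kills = [
            e for e in events[i + 1:]
            if e["id"] == 5
            and datetime.fromisoformat(e["ts"]) - loaded <= window
            and PureWindowsPath(e["image"]).name.lower() in SECURITY_PROCESSES
        ]
        if len(kills) >= min_kills:
            name = PureWindowsPath(ev["driver"]).name.lower()
            alerts.append({"driver": name, "loaded_at": ev["ts"], "kills": len(kills),
                           "known_abused": name in KNOWN_ABUSED_DRIVERS})
    return alerts

# Constructed sample: a benign driver load with no kills, then a staged driver
# load followed by repeated kills (Defender restarts and is killed again).
SAMPLE_EVENTS = [
    {"ts": "2026-06-17T09:30:00", "id": 6, "driver": r"C:\Windows\System32\drivers\storport.sys"},
    {"ts": "2026-06-17T09:30:05", "id": 5, "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2026-06-17T10:00:00", "id": 6, "driver": r"C:\Temp\GentlemenCollection\eb.sys"},
    {"ts": "2026-06-17T10:00:01", "id": 5, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"ts": "2026-06-17T10:00:02", "id": 5, "image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"ts": "2026-06-17T10:00:03", "id": 5, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"ts": "2026-06-17T10:00:04", "id": 5, "image": r"C:\Program Files\SentinelOne\SentinelAgent.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Tuning `window` and `min_kills` against your own baseline matters more than the driver list: a staged, renamed driver that is not on any blocklist still produces the same termination burst.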
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.