A sophisticated framework known as GentleKiller has been identified, used by the Gentlemen ransomware-as-a-service (RaaS) group to disrupt endpoint security measures before deploying ransomware. This development was reported by ESET on June 17, 2026, highlighting the gang’s advanced capabilities in targeting security solutions.
GentleKiller’s Unique Approach
The Gentlemen gang, notable for its high activity in early 2026, provides affiliates with a centralized suite of EDR (Endpoint Detection and Response) killers, a rarity among ransomware operations. GentleKiller, an in-house framework, boasts at least eight versions, each mimicking legitimate security products while exploiting different vulnerable drivers.
Utilizing a technique called Bring Your Own Vulnerable Driver (BYOVD), GentleKiller loads signed yet exploitable drivers to disable security functions at the kernel level, effectively bypassing user-mode defenses. This tactic targets over 400 processes linked to 48 security products, including those from leading companies like Microsoft, CrowdStrike, and McAfee.
Operational Capabilities and Variants
GentleKiller operates on a constant loop, scanning for and terminating targeted processes every two seconds. Its variants exploit drivers from well-known sources such as Kaspersky, FACEIT Anti-Cheat, and others. The framework’s ability to quickly integrate new BYOVD exploits distinguishes it in the ransomware landscape.
This agility is further illustrated by the swift incorporation of tools like UnknownKiller and PoisonKiller into its arsenal shortly after their release on GitHub, showcasing a robust development pipeline. This rapid adoption sets Gentlemen apart from other RaaS groups that typically take longer to implement public exploits.
Integration of Third-Party EDR Killers
In addition to GentleKiller, the group incorporates three external EDR killers into its suite, namely HexKiller, ThrottleBlood, and HavocKiller. These tools are standardized with a unified defense-evasion strategy using Enigma or Themida protectors, complicating attribution efforts.
The Gentlemen gang also utilizes OxideHarvest, a Rust-based credential stealer targeting browsers on compromised systems. Established in late 2025 by a former Qilin affiliate, Gentlemen quickly rose to prominence, focusing on regions like Southeast Asia and South America rather than the usual US-based targets.
Future Implications and Recommendations
As the Gentlemen group continues to innovate, security teams must prioritize measures such as driver allowlisting and implementing Microsoft’s Vulnerable Driver Blocklist to counter BYOVD threats. Monitoring for unusual kernel driver loading and process-termination patterns linked to security software remains crucial for detection.
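The two detection ideas above, driver loads outside an allowlist and repeated termination of security-product processes at a fixed cadence, can be expressed as a small log detector. The following is an added example, not code from ESET or from this article: it runs over a constructed, Sysmon-style log (the timestamps, the `example_vuln.sys` path, the `edr_agent.exe` watchlist entry and the `DRIVER_ALLOWLIST` set are all made-up placeholders) and flags the two patterns. It treats a valid signature as irrelevant to the driver check, because BYOVD drivers are signed by design.

```python
from datetime import datetime
from statistics import median

# Constructed sample log, loosely modelled on Sysmon DriverLoad (ID 6) and
# ProcessTerminate (ID 5) records; timestamps, paths and names are made up.
SAMPLE_LOG = r"""
2026-06-17T10:00:00|DriverLoad|ImageLoaded=C:\Windows\System32\drivers\ntfs.sys|Signed=true
2026-06-17T10:00:05|DriverLoad|ImageLoaded=C:\Users\Public\example_vuln.sys|Signed=true
2026-06-17T10:00:07|ProcessTerminate|Image=C:\Program Files\EDR\edr_agent.exe
2026-06-17T10:00:09|ProcessTerminate|Image=C:\Program Files\EDR\edr_agent.exe
2026-06-17T10:00:11|ProcessTerminate|Image=C:\Program Files\EDR\edr_agent.exe
2026-06-17T10:00:13|ProcessTerminate|Image=C:\Program Files\EDR\edr_agent.exe
2026-06-17T10:00:20|ProcessTerminate|Image=C:\Users\alice\app.exe
""".strip()

# Hypothetical allowlist of driver basenames. A real one comes from the
# organisation's driver inventory or WDAC policy, not a hard-coded set.
DRIVER_ALLOWLIST = {"ntfs.sys"}
# Hypothetical watchlist of security-product process names to protect.
SECURITY_PROCESSES = {"edr_agent.exe"}


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text):
    """Parse 'timestamp|type|k=v|k=v' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, *fields = line.split("|")
        ev = {"time": datetime.fromisoformat(ts), "type": etype}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def unallowlisted_driver_loads(events, allowlist=DRIVER_ALLOWLIST):
    """Driver loads whose image is not on the allowlist.
    The Signed field is deliberately ignored: BYOVD drivers carry a valid
    signature, so signing alone is not evidence of legitimacy."""
    return [
        ev["ImageLoaded"]
        for ev in events
        if ev["type"] == "DriverLoad"
        and basename(ev["ImageLoaded"]) not in allowlist
    ]


def termination_bursts(events, watchlist=SECURITY_PROCESSES,
                       min_kills=3, max_gap=5.0):
    """Watchlisted processes terminated min_kills or more times with a
    short median gap between kills, the signature of a kill loop.
    Returns (process name, kill count, median gap in seconds) per offender."""
    times = {}
    for ev in events:
        if ev["type"] == "ProcessTerminate":
            name = basename(ev["Image"])
            if name in watchlist:
                times.setdefault(name, []).append(ev["time"])
    alerts = []
    for name, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_kills and median(gaps) <= max_gap:
            alerts.append((name, len(ts), median(gaps)))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for path in unallowlisted_driver_loads(evs):
        print("ALERT driver load outside allowlist:", path)
    for name, count, gap in termination_bursts(evs):
        print(f"ALERT {name} terminated {count} times, median gap {gap:.1f}s")
```

On the constructed sample this reports the driver loaded from a user-writable path and the four terminations of the watchlisted agent two seconds apart. In practice the watchlist would contain the organisation's actual security-product image names and the allowlist would be generated from the same inventory that feeds the WDAC or driver-blocklist policy, so that both controls agree on what is permitted to load.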
Gentlemen’s internal data leak in May 2026 confirmed its active role in developing and distributing these advanced tools to affiliates. Offering a 90% revenue share, the group effectively lowers entry barriers for new affiliates, expanding its reach and impact.
