
GentleKiller Framework Disables Victims' Security Software

Infosecurity Magazine, Jun 22, 2026

ESET details GentleKiller, the EDR-killer framework the Gentlemen ransomware gang gives affiliates



One of the most active ransomware gangs of 2026 has been handing its affiliates a ready-made toolkit for switching off victims' security software before encryption begins. New analysis from ESET details the endpoint detection and response (EDR) killer suite of The Gentlemen, a ransomware-as-a-service (RaaS) operation, built around an in-house framework the researchers named GentleKiller.

GentleKiller's job is to disable endpoint protection. ESET found it targeting more than 400 processes across roughly 48 security products, from Microsoft Defender and CrowdStrike to Sophos and ESET's own tools, killing them from the kernel so the ransomware can run unchecked.

Borrowed Drivers, Kernel Power

The method is bring your own vulnerable driver (BYOVD). Each build loads a legitimately signed but flawed kernel driver, then abuses it to kill security processes from inside the kernel, beyond the reach of user-mode protections. ESET counted at least eight GentleKiller variants, each impersonating a different legitimate product, with names lifted from games and security brands such as Valorant, FACEIT and Kaspersky, and each abusing a different driver.

To evade inspection, the binaries carry fake version details, copied but invalid digital signatures and the icons of the vendors they mimic, often wrapped in commercial packers.

A Suite, Not a Single Tool

What makes Gentlemen unusual is that its operators, not its affiliates, build and maintain the EDR killers. ESET said most ransomware crews leave affiliates to find their own; only a handful, such as RansomHub, supply one.

Gentlemen offers a whole portfolio:

- GentleKiller, the in-house framework, in at least eight variants
- HexKiller, previously tied to the Warlock gang
- ThrottleBlood, seen in MedusaLocker and DragonForce intrusions
- HavocKiller, which abuses a Huawei audio driver

The three borrowed tools were each re-skinned with Gentlemen's shared evasion layer. GentleKiller itself moved faster still, with the operators turning newly disclosed driver exploits into working variants within days of release.

Inside the Gentlemen Operation

Gentlemen surfaced in late 2025, founded by a former Qilin affiliate, and lures affiliates with an unusually large 90% cut. ESET confirmed the operator-run model partly through a May data leak, in which the gang's leader openly discussed maintaining the EDR-killer packages. Unusually, the gang does not concentrate on US victims, picking targets across Southeast Asia, South America and Western Europe by their exposed FortiGate configurations.

ESET said understanding how GentleKiller works helps defenders prepare even for variants not yet built. In practice, defenses against such BYOVD attacks center on blocking known-vulnerable drivers and alerting whenever a protected security process is suddenly shut down.
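The two defensive checks the article closes on, blocking known-vulnerable drivers and alerting when a protected security process is terminated, together with a check for the copied-but-invalid signatures described in the evasion paragraph, as an added detection example written for this page (not ESET's code or tooling, and not part of the original article). Blocking itself is a platform control (the Microsoft vulnerable driver blocklist enforced through Windows Defender Application Control); this script covers the detection side. It assumes Sysmon-style events flattened to key=value lines; the driver hash, host names, file paths and the protected-process list are constructed placeholders, and the Sysmon SignatureStatus strings are treated generically because they vary by version.

```python
"""Correlate driver loads with security-process terminations (BYOVD EDR-kill).

Added example, not ESET's or Infosecurity Magazine's code. Field names follow
Sysmon Event ID 6 (DriverLoad), 7 (ImageLoad) and 5 (ProcessTerminate). The
sample events, driver hash and process names below are constructed
placeholders for illustration, not indicators from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: SHA256 values of drivers already on a deny list (for example the
# Microsoft vulnerable driver blocklist). This value is a constructed placeholder.
PLACEHOLDER_SHA256 = "deadbeef" * 8
VULNERABLE_DRIVER_SHA256 = {PLACEHOLDER_SHA256}

# Assumption: process images that should not die outside a sanctioned uninstall
# or update. Illustrative names; tune to the products actually deployed.
PROTECTED_PROCESSES = {
    "msmpeng.exe",          # Microsoft Defender antimalware service
    "csfalconservice.exe",  # CrowdStrike Falcon sensor
    "ekrn.exe",             # ESET service
}

WINDOW = timedelta(seconds=120)   # kills this soon after a driver load correlate
MIN_KILLS = 2                     # EDR killers take out several processes at once

# Constructed sample events (backslashes doubled for Python). Note that the
# vulnerable driver's own signature is Valid: that is the point of BYOVD.
SAMPLE_LOG = [
    "EventID=6|UtcTime=2026-06-01 09:00:00|Computer=WS01|ImageLoaded=C:\\Windows\\Temp\\example_vuln.sys"
    f"|Hashes=SHA256={PLACEHOLDER_SHA256}|Signed=true|Signature=Example Driver Vendor|SignatureStatus=Valid",
    "EventID=7|UtcTime=2026-06-01 08:59:58|Computer=WS01|Image=C:\\Users\\Public\\updater.exe"
    "|ImageLoaded=C:\\Users\\Public\\updater.exe|Signed=false|Signature=Example Security Vendor|SignatureStatus=Invalid",
    "EventID=5|UtcTime=2026-06-01 09:00:03|Computer=WS01|ProcessId=1234|Image=C:\\Program Files\\Windows Defender\\MsMpEng.exe",
    "EventID=5|UtcTime=2026-06-01 09:00:04|Computer=WS01|ProcessId=2345|Image=C:\\Program Files\\CrowdStrike\\CSFalconService.exe",
    "EventID=5|UtcTime=2026-06-01 09:00:05|Computer=WS01|ProcessId=3456|Image=C:\\Windows\\System32\\notepad.exe",
    "EventID=5|UtcTime=2026-06-01 14:30:00|Computer=WS02|ProcessId=777|Image=C:\\Program Files\\ESET\\ESET Security\\ekrn.exe",
]


def parse_event(line):
    """Parse one 'key=value|key=value' line; values may contain '=' but not '|'."""
    ev = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    ev["UtcTime"] = datetime.fromisoformat(ev["UtcTime"])
    ev["EventID"] = int(ev["EventID"])
    return ev


def sha256_of(hashes_field):
    """Sysmon's Hashes field reads 'SHA256=...,MD5=...'; return the SHA256 or None."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def detect(lines):
    """Return alert dicts for a batch of event lines (any order).

    vulnerable_driver_load       EventID 6 whose SHA256 is on the deny list; the
                                 hash is checked, not the signer, because the
                                 signature on a BYOVD driver is genuine.
    impersonated_signature       EventID 6/7 image that names a signer but has a
                                 non-Valid SignatureStatus (copied signature block).
    protected_process_terminated EventID 5 for a protected image.
    byovd_edr_kill               MIN_KILLS or more protected terminations on one
                                 host within WINDOW after a vulnerable driver load.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["UtcTime"])
    alerts = []
    loads = defaultdict(list)   # host -> [time of vulnerable driver load]
    kills = defaultdict(list)   # host -> [(time, image basename)]
    for ev in events:
        host = ev["Computer"]
        if ev["EventID"] in (6, 7):
            image = ev.get("ImageLoaded", "")
            if ev["EventID"] == 6 and sha256_of(ev.get("Hashes", "")) in VULNERABLE_DRIVER_SHA256:
                loads[host].append(ev["UtcTime"])
                alerts.append({"rule": "vulnerable_driver_load", "severity": "high",
                               "host": host, "image": image})
            if ev.get("Signature") and ev.get("SignatureStatus", "Valid") != "Valid":
                alerts.append({"rule": "impersonated_signature", "severity": "medium",
                               "host": host, "image": image, "claimed_signer": ev["Signature"]})
        elif ev["EventID"] == 5:
            image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
            if image in PROTECTED_PROCESSES:
                kills[host].append((ev["UtcTime"], image))
                alerts.append({"rule": "protected_process_terminated", "severity": "medium",
                               "host": host, "image": image, "pid": ev.get("ProcessId")})
    # Correlation: a burst of protected-process deaths right after a deny-listed
    # driver load is the BYOVD EDR-kill pattern; escalate it above either signal alone.
    for host, load_times in loads.items():
        for t in load_times:
            killed = sorted(img for kt, img in kills[host] if t <= kt <= t + WINDOW)
            if len(killed) >= MIN_KILLS:
                alerts.append({"rule": "byovd_edr_kill", "severity": "critical", "host": host,
                               "driver_loaded_at": t.isoformat(sep=" "), "killed": killed})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, WS01 produces the full chain (invalid-signature loader, deny-listed driver load, two protected kills within the window, escalated to a single critical byovd_edr_kill alert), while the lone ekrn.exe termination on WS02 stays a medium alert because no driver load precedes it; in a real pipeline that medium alert is still worth keeping, since the driver may have been loaded before logging began or the hash may not be on the list yet.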