The Gentlemen ransomware-as-a-service group has integrated a homegrown EDR-killer framework, dubbed GentleKiller, into its commercial offering. The finding comes from a technical analysis published June 18, 2026 by ESET researchers, based on direct incident visibility and confirmed internal leaks. The novelty is not the BYOVD technique itself, but its industrialization: eight tool variants, rapid driver updates, and direct distribution to affiliates as a standard service component.
- GentleKiller is an in-house framework with at least eight variants that leverages vulnerable drivers to gain kernel-level privileges, supplied directly to RaaS affiliates.
- The framework targets over 400 processes tied to roughly 48 security products and vendors, including Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky.
- ESET researchers observed an unusually fast ability to operationalize newly disclosed BYOVD proofs-of-concept, often within days of public release.
- A May 2026 internal leak confirmed that the administrator known as zeta88 (alias Hastalamuerte) personally manages the EDR-killer packages.
Modular Architecture: BYOVD as a Pipeline
GentleKiller variants share common strings, identical obfuscation techniques, and standardized process-termination logic, according to ESET analysis. The structure is designed to allow driver swaps or the weaponization of new vulnerabilities without substantial code changes. This modular design transforms BYOVD from an occasional exploit into a continuous pipeline: every newly disclosed vulnerable driver quickly becomes a swappable component.
Researchers observed this adaptation speed repeatedly. "Gentlemen also demonstrates an ability to unusually quickly operationalize newly disclosed Bring Your Own Vulnerable Driver (BYOVD) proofs-of-concept, often within days of public release," ESET writes. The result is a permanent race condition: defenders block the drivers they know about, but the framework swaps in a newly disclosed driver before blocklists and detection rules catch up.
Target: Over 400 Processes Across 48 Vendors
The targeting scope is precisely quantified: over 400 processes from approximately 48 security vendors or products. The list covers major enterprise players, from CrowdStrike and SentinelOne to Palo Alto and ESET itself. Such broad coverage suggests systematic enumeration of the security products an affiliate may encounter, not random selection.
Binaries are protected with the commercial Enigma and Themida packers and signed with digital signatures stolen from legitimate software, although the signatures do not validate. The impersonation extends to metadata: false version information mimicking legitimate vendors. The goal is to delay static detection and increase the odds of execution in environments that only enforce superficial checks.
The Full Suite: Internal and External Toolkits
The Gentlemen EDR-killer offering extends beyond GentleKiller. The suite includes operationally integrated third-party tools: HexKiller (formerly Warlock), ThrottleBlood (associated with MesudaLocker/DragonForce), and HavocKiller. ESET assesses "with high confidence" that only GentleKiller is developed in-house; the other components come from external sources, though the exact acquisition mechanism is undocumented.
Added to this arsenal is OxideHarvest, a credential stealer written in Rust and likely developed externally. The report does not clarify whether OxideHarvest is distributed as part of the standard package or reserved for specific operations.
"Gentlemen operators actively develop and maintain a portfolio of EDR killers that they offer to affiliates, centered around their in-house framework we have named GentleKiller" — ESET
Victimology: Selection by FortiGate, Not Geography
A distinctive element in The Gentlemen's strategy is victim selection criteria. Intrusions do not follow geographic logic — victimology spans Southeast Asia, South America, and Western Europe — but cluster around FortiGate configurations. Researchers detected this correlation consistently, though they do not assert the group is responsible for the FortiBleed leak (roughly 74,000 FortiGate credentials surfaced in that period).
The finding carries operational relevance: organizations with exposed FortiGate appliances, especially in inadequately hardened VPN configurations, constitute a high-risk profile regardless of geographic location.
The Business Model: 90% to Affiliates
The Gentlemen has operated as a RaaS since late 2025, with acceleration in Q1 2026. The revenue-share model is aggressive: 90% of the ransom goes to affiliates, versus the industry-standard 80/20 split. Per Check Point data cited by KrebsOnSecurity, the group has posted 332 victims since inception, over 240 in 2026 alone. Alongside that tally sits a linked SystemBC botnet with more than 1,570 identified corporate hosts.
The May 2026 leak provided direct confirmation of centralized tool management. "In the leaks, zeta88 (another alias used by hastalamuerte), the leader of the gang, openly talks about maintaining and providing EDR-killer packages," ESET reports. The operator's real identity has not been confirmed by any judicial source; attribution rests on OSINT analysis.
RansomHub and the Model Comparison
ESET places Gentlemen in a broader trend: the shift from the traditional RaaS model, where affiliates procure their own defense-disabling tools, to a "full-service" model with pre-integrated EDR-killers. A documented parallel is RansomHub with EDRKillShifter, but Gentlemen differs in the maturity of its internal framework and the speed of new driver weaponization. Where other groups adopt generic tools, Gentlemen built a proprietary pipeline.
Immediate Actions
- Scan endpoint systems for unpatched vulnerable drivers, with particular attention to those that are signed but revoked or no longer maintained by the vendor.
- Review FortiGate appliance exposure configurations, especially VPN access and management interfaces, given the documented selection criterion.
- Integrate behavioral analysis of processes loading unknown drivers or drivers absent from the organizational baseline into monitoring, regardless of digital signature reputation.
- Assess EDR resilience in a blind-test scenario where known BYOVD tools are executed in a controlled environment to verify anti-tampering effectiveness.
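One way to operationalize the first and third actions above, as an added example that is not part of the article or of ESET's tooling: the script builds an inventory of registered kernel drivers (hash, state, Authenticode status), diffs it against a saved baseline, and flags drivers that are new to the host or whose signature does not verify. The baseline path is an assumed location.

```powershell
# Added example, not from the article. Inventory kernel drivers and diff against a baseline.
param(
    [string]$BaselinePath = 'C:\ProgramData\DriverBaseline\drivers.json',  # assumed location
    [switch]$UpdateBaseline
)

function Get-DriverInventory {
    # Win32_SystemDriver lists kernel drivers registered as services; PathName is the image path.
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName } | ForEach-Object {
        # Normalize NT-style paths (\??\C:\..., \SystemRoot\...) into Win32 paths.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $path = [Environment]::ExpandEnvironmentVariables($path) -replace '^"|"$', ''
        if (-not (Test-Path -LiteralPath $path)) { return }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            State     = $_.State                                  # Running / Stopped
            Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            SigStatus = $sig.Status.ToString()                    # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

$current = Get-DriverInventory
if ($UpdateBaseline -or -not (Test-Path -LiteralPath $BaselinePath)) {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written: $($current.Count) drivers"
    return
}

# Index the baseline by file hash so a renamed copy of a known driver still matches.
$baseline = @{}
foreach ($d in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) { $baseline[$d.Sha256] = $d }

# A driver is reported when it is absent from the baseline (even if validly signed, since a
# stolen or revoked certificate can still verify) or when its signature does not validate.
$findings = foreach ($d in $current) {
    $reasons = @()
    if (-not $baseline.ContainsKey($d.Sha256)) { $reasons += 'not in baseline' }
    if ($d.SigStatus -ne 'Valid')              { $reasons += "signature $($d.SigStatus)" }
    if ($reasons) { $d | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru }
}
$findings | Format-Table Name, State, SigStatus, Reason, Path -AutoSize
```

Run once with `-UpdateBaseline` on a known-good build to create the baseline, then schedule the diff; the Sha256 column can additionally be matched against a vulnerable-driver blocklist such as Microsoft's recommended driver block rules.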
Why This Changes the Perimeter
EDR neutralization is no longer an advanced capability reserved for a few actors. The systematic distribution of frameworks like GentleKiller turns it into a standard capability of the mass ransomware market. For defensive teams, the consequence is a priority inversion: the presence of an EDR agent no longer guarantees automatic visibility during intrusion, and defense based solely on blocking known drivers is structurally behind Gentlemen's weaponization pipeline.
The May 2026 leak made visible what incident data already suggested: behind the execution speed sits an organization that treats defense evasion as a product, with a roadmap and updates. The gap between vulnerable driver disclosure and operational use has shrunk to days. For organizations, the remediation window now measures in hours, not ordinary patch cycles.
Sources
- https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/
- https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/
- https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentlemen/
- https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/
- https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/
Information verified against cited sources and current as of publication.