
Ransomware Gang Disables Security Software with GentleKiller Framework

Medical equipment and a computer terminal sit on a cluttered counter in a hospital setting.

“GentleKiller's job is to disable endpoint protection.” ESET’s analysis puts a number on that mission: more than 400 processes across roughly 48 security products are targeted, and attackers are killing those protections at the kernel level so the ransomware can run unchecked.

GentleKiller and the BYOVD method: killing EDR from the kernel

ESET describes GentleKiller as an endpoint detection and response (EDR) killer suite built around an in-house framework used by the ransomware-as-a-service operation known as Gentlemen. The technique at the heart of GentleKiller is “bring your own vulnerable driver” (BYOVD): each build loads a legitimately signed but flawed kernel driver and then abuses that driver to terminate security processes from inside the kernel. That kernel-level removal places the attacks beyond the reach of user-mode protections, according to ESET.

The framework does not attack a single product. ESET counted at least eight GentleKiller variants, each impersonating a different legitimate product and each abusing a different driver. To evade inspection the binaries carry fake version details, copied but invalid digital signatures, and the icons of the vendors they mimic, and they are often wrapped in commercial packers.

A suite maintained by operators: HexKiller, ThrottleBlood, HavocKiller and GentleKiller

What separates Gentlemen from many RaaS operations is that the gang’s operators, not affiliates, build and maintain these EDR killers. ESET notes that most ransomware crews let affiliates source their own tooling; Gentlemen offers a portfolio. In addition to GentleKiller itself, ESET documents three borrowed tools—HexKiller (previously tied to the Warlock gang), ThrottleBlood (seen in MedusaLocker and DragonForce intrusions), and HavocKiller (which abuses a Huawei audio driver)—each re-skinned with Gentlemen’s shared evasion layer.

GentleKiller moved quickly in practice: ESET observed the operators converting newly disclosed driver exploits into working variants within days of their public release. That operational tempo means new driver flaws can rapidly become attack-capable code in the Gentlemen toolkit.

How Gentlemen recruit and choose victims

Gentlemen surfaced in late 2025 and, according to ESET, was founded by a former Qilin affiliate. The gang draws affiliates with an unusually large cut—ESET reports Gentlemen offers a 90% share to affiliates. ESET also tied the operator-run model to a May data leak in which the gang’s leader openly discussed maintaining the EDR-killer packages.

Target selection is not narrowly focused on the United States. Instead, ESET says Gentlemen picks victims across Southeast Asia, South America and Western Europe by searching for exposed FortiGate configurations; it is that externally visible exposure, rather than geography alone, that determines which organizations are chosen for intrusion and the subsequent EDR-killer deployment.

What this means for technologists, procurement leaders, and affected enterprises

  • Technologists and security teams: ESET’s findings stress the need to detect anomalous kernel-level activity and to alert when protected security processes are suddenly shut down; the kernel is the locus of the attack.
  • Procurement leaders: binaries impersonate known products and carry copied icons and fake version details; procurement and vendor-assurance teams should be aware that appearance and a signature on a driver are not sufficient proof of safety when the driver itself is exploitable.
  • Affected enterprises: the gang selects victims by exposed FortiGate configurations, so organizations with externally accessible network infrastructure should examine their exposure if they operate in the regions the gang targets.

Practical defenses ESET recommends and how they map to GentleKiller

ESET frames defensive work against BYOVD attacks in concrete terms: block known-vulnerable drivers and generate alerts whenever a protected security process is abruptly terminated. Understanding GentleKiller’s mechanics, ESET says, helps defenders anticipate variants that do not yet exist. That guidance ties directly to the threat’s practical features—kernel abuse of drivers, copied branding to evade inspection, and rapid re-use of newly disclosed driver exploits.
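The two detections the guidance above and the technologists' bullet call for, blocking known-vulnerable drivers and alerting on abrupt termination of protected security processes, can be expressed as a small correlation rule. The block below is an added illustration, not ESET's or the page's own code: the event shape is Sysmon-like but simplified, and the blocklist hash, protected process names and sample telemetry are all constructed placeholders.

```python
# Added example (not ESET's or the page's own code): correlating driver-load and
# process-termination telemetry to flag BYOVD-style EDR killing. Event shapes,
# hashes and process names below are constructed for illustration.

BLOCKED_DRIVER_HASHES = {"sha256-placeholder-vulnerable-driver"}  # assumed blocklist
PROTECTED_PROCESSES = {"edr_agent.exe", "av_service.exe"}          # assumed protected set
WINDOW_SECONDS = 120  # terminations this soon after a driver load are correlated
MIN_KILLS = 2         # how many protected kills in the window count as a burst


def analyze(events):
    """Return a list of (alert_kind, detail) tuples.

    Each event is a dict with a timestamp 't' (seconds) and a 'type':
      'driver_load': also 'image' (driver path) and 'sha256'
      'proc_term':   also 'image' (terminated process name)
    """
    events = sorted(events, key=lambda e: e["t"])
    alerts = []
    kills = [e for e in events
             if e["type"] == "proc_term" and e["image"].lower() in PROTECTED_PROCESSES]
    # Rule 1: any termination of a protected security process is worth an alert.
    for k in kills:
        alerts.append(("protected_process_terminated", f"{k['image']} at t={k['t']}"))
    for e in events:
        if e["type"] != "driver_load":
            continue
        # Rule 2: a driver on the vulnerable-driver blocklist should never load.
        if e["sha256"] in BLOCKED_DRIVER_HASHES:
            alerts.append(("blocklisted_driver_loaded", f"{e['image']} at t={e['t']}"))
        # Rule 3: a burst of protected-process kills shortly after any driver load
        # is the BYOVD pattern, even when the driver is not yet on a blocklist.
        burst = [k for k in kills if e["t"] <= k["t"] <= e["t"] + WINDOW_SECONDS]
        if len(burst) >= MIN_KILLS:
            victims = ", ".join(k["image"] for k in burst)
            alerts.append(("byovd_kill_pattern", f"{e['image']} followed by {victims}"))
    return alerts


# Constructed sample telemetry: one blocklisted driver load, then two kills.
SAMPLE_EVENTS = [
    {"t": 0,   "type": "proc_term",   "image": "notepad.exe"},
    {"t": 10,  "type": "driver_load", "image": r"C:\Temp\fakevendor.sys",
     "sha256": "sha256-placeholder-vulnerable-driver"},
    {"t": 15,  "type": "proc_term",   "image": "edr_agent.exe"},
    {"t": 18,  "type": "proc_term",   "image": "av_service.exe"},
    {"t": 900, "type": "driver_load", "image": r"C:\Windows\System32\drivers\benign.sys",
     "sha256": "sha256-placeholder-benign-driver"},
]

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_EVENTS):
        print(f"[{kind}] {detail}")
```

Rule 3 is the one that keeps working against a variant built from a driver flaw disclosed only days earlier, before any blocklist catches up; the blocklist itself should be sourced from the vendor feeds the page refers to rather than the placeholder hash used here.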

Gentlemen’s approach—operator-built EDR killers, speedy adaptation of driver exploits, and an affiliate model that offers an outsized revenue split—creates a compact but potent threat calculus. The detail that GentleKiller targets roughly 48 products and more than 400 processes is a reminder that defenders cannot assume a single vendor’s tools are safe by default; the attack surface of drivers and kernel-level code is the key exposure.

The record ESET provides is specific and actionable: block the drivers known to be vulnerable, watch for sudden terminations of protected processes, and pay attention to externally exposed FortiGate assets. How quickly defenders close those gaps will shape whether GentleKiller remains a niche tool for a single RaaS group—or a template other operators adopt.

Read the original ESET analysis and reporting