
The Gentlemen Deploys EDR Killer on RaaS Platform


Bottom line: The Gentlemen has built GentleKiller, an EDR killer framework that hands less experienced affiliates ready-to-use tooling for disabling enterprise endpoint detection and response (EDR) products.

The ransomware group The Gentlemen has given its affiliates access to EDR killer tools that can disable established endpoint detection and response products. ESET researchers analyzed the tooling using data obtained from a server breach in May.

The Gentlemen has built a proprietary EDR killer infrastructure, GentleKiller, and made it available to its affiliates. According to security company ESET, which analyzed data about the group obtained from a server breach in May, the framework includes routines for bypassing products from 48 different vendors. It also integrates external tools such as HexKiller, ThrottleBlood, and HavocKiller. The group operates as a ransomware-as-a-service (RaaS) platform with an unusually generous 90:10 revenue split in favour of its affiliates.

GentleKiller significantly lowers the technical barrier for less experienced affiliates: instead of having to develop or buy EDR killers themselves, they receive ready-to-use tools. The central mechanism is Bring Your Own Vulnerable Driver (BYOVD). After compromising an account with administrative rights, the attacker installs a legitimate, signed but outdated and vulnerable vendor driver. Because the driver carries a valid signature, Windows loads it, and its vulnerable functionality (typically an IOCTL that exposes arbitrary kernel memory or process access) lets the attacker move from administrator to kernel-level privileges. From there the tooling can reach the EDR's own kernel drivers and processes and terminate or blind them. The framework contains bypass routines for 400 EDR processes from 48 different vendors.

ESET researcher Jakub Souček emphasizes that providing EDR killer capabilities multiplies the attack capability of the entire affiliate network and makes ransomware deployments more consistent. The susceptibility of EDR products to BYOVD techniques is well documented: a 2024 Trellix study and a case investigated by Huntress earlier this year described comparable attack patterns.

For protection, Souček recommends enabling Hypervisor-Protected Code Integrity (HVCI) and Kernel-Mode Code Integrity (KMCI), which make loading outdated or unsafe drivers harder: with HVCI active, kernel code integrity checks run in a hypervisor-isolated environment, and Microsoft's vulnerable driver blocklist is enforced alongside it. Organizations should additionally enforce strict driver allow and block policies, audit loaded drivers continuously, and remove drivers nobody needs. The greatest defensive challenge, Souček warns, is that EDR killers rely on legitimate, non-malicious drivers that are often still in production use, so a blanket block can break the software those drivers belong to, and a blocklist only covers drivers already known to be vulnerable.
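The following PowerShell is an added example covering both the BYOVD mechanism described above and the hardening steps Souček recommends; it is not code from the CSO Online article, from ESET, or from the group itself. It checks whether VBS/HVCI and the vulnerable driver blocklist are active, can configure HVCI via its documented registry scenario key, builds an inventory of running kernel drivers with hash and signer, and matches that inventory against a hash list you supply. The function names and the placeholder hash are this example's own assumptions; the blocklist export is assumed to come from your own policy tooling. Run it in an elevated session.

```powershell
# Added example (not from the article, ESET, or the ransomware group):
# a posture check for the BYOVD defenses discussed above. Function names are
# this example's own. Run elevated.

function Get-HvciStatus {
    # Win32_DeviceGuard exposes the VBS/HVCI state. In SecurityServicesRunning
    # the value 2 means HVCI (hypervisor-enforced kernel-mode code integrity)
    # is active; VirtualizationBasedSecurityStatus 2 means VBS is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    # Microsoft's vulnerable driver blocklist can also be forced on through
    # this CI\Config value (1 = enforce); absent key means "not explicitly set".
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciConfigured            = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
        CodeIntegrityEnforcement  = $dg.CodeIntegrityPolicyEnforcementStatus
        VulnerableDriverBlocklist = ($ci.VulnerableDriverBlocklistEnable -eq 1)
    }
}

function Enable-Hvci {
    # Configures HVCI through its DeviceGuard scenario key. Takes effect after
    # a reboot and requires VBS-capable hardware; pilot it first, because any
    # driver that fails HVCI's stricter checks will no longer load.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
    Write-Warning 'HVCI configured; reboot required.'
}

function Get-KernelDriverInventory {
    # Every running kernel driver with SHA-256 and Authenticode signer: the raw
    # material for an allow/block policy and for finding drivers nobody needs.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths (\??\C:\..., \SystemRoot\...) to Win32 paths.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
            if (-not (Test-Path -LiteralPath $path)) { return }   # skips this driver
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name            = $_.Name
                Path            = $path
                Sha256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SignatureStatus = $sig.Status
            }
        }
}

function Find-BlocklistedDrivers {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [Parameter(Mandatory)] [string[]] $BlockedSha256
    )
    # Assumption: $BlockedSha256 is your own export (for example the file hashes
    # from Microsoft's vulnerable driver blocklist policy or your EDR vendor's list).
    $blocked = @{}
    foreach ($h in $BlockedSha256) { $blocked[$h.ToUpperInvariant()] = $true }
    $Inventory | Where-Object { $blocked.ContainsKey($_.Sha256.ToUpperInvariant()) }
}

# Usage
Get-HvciStatus | Format-List
$inventory = Get-KernelDriverInventory

# Constructed placeholder, not a real blocklist entry: replace with your export.
$blockedHashes = @('0000000000000000000000000000000000000000000000000000000000000000')
Find-BlocklistedDrivers -Inventory $inventory -BlockedSha256 $blockedHashes |
    Format-Table Name, Path, Sha256

# Audit list: everything not signed as an inbox Windows component. Third-party
# drivers that went through WHQL show "Microsoft Windows Hardware Compatibility
# Publisher" as signer; they are exactly the population BYOVD abuses, so they
# deliberately stay in this list rather than being filtered out as "Microsoft".
$inventory |
    Where-Object { $_.SignatureStatus -ne 'Valid' -or $_.Signer -notlike 'CN=Microsoft Windows,*' } |
    Sort-Object Signer | Format-Table Name, Signer, SignatureStatus, Path
```

The inventory is the useful part for the "allow and block policies" recommendation: feed the SHA-256 column into your WDAC or EDR driver policy as the allow list, and treat anything that later appears outside it as a candidate BYOVD load. Note that a hash match only catches drivers already on your list; a vendor driver that is vulnerable but not yet catalogued passes both HVCI's signature check and this script, which is the gap Souček's warning about legitimate drivers points at.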


Source: www.csoonline.com · Published June 19, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
