
GentleKiller Ransomware Abuses Vulnerable Drivers to Disable 400+ EDR Security Processes

3 min read · SecurityXP

This rapid adoption distinguishes Gentlemen from most other RaaS operators, who typically wait weeks or months before adapting publicly released exploits into production-ready tooling.

Third-Party EDR Killers Integrated Into the Suite

Beyond GentleKiller, Gentlemen also integrates three externally sourced EDR killers into its affiliate-facing suite:

  1. HexKiller: previously attributed exclusively to the Warlock gang; abuses a Baidu Antivirus BdApi driver (googleApiUtil64.sys).

  2. ThrottleBlood: previously observed in MedusaLocker and DragonForce intrusions; abuses a TechPowerUp LLC driver (ThrottleBlood.sys).

  3. HavocKiller: first publicly disclosed by Huntress on March 19, 2026, but observed in real-world intrusions as early as January 23, 2026; abuses a Huawei Audio driver (havoc.sys).

All three tools are standardized through a shared defense-evasion layer that applies Enigma or Themida binary protectors and impersonates security vendors with fabricated version information, copied digital signatures, and matching icons.

The Campaign

[Figure: Window spawned by GentleKiller (ESET Research)]

The eight GentleKiller variants abuse drivers from Kaspersky (eb.sys), FACEIT Anti-Cheat (nseckrnl.sys), Valorant (GameDriverX64.sys), Javelin/Safetica (stpm_old.sys/stpm_new.sys), Zemana WatchDog (dmx.sys), Qihoo 360 (360netmon_wfp.sys), IObit (IMFForceDelete), and the PoisonX rootkit.
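As an added detection example (not code from the article or from ESET's research), the driver filenames named in this article can be turned into a watchlist run over Sysmon driver-load telemetry. The field names (EventID, Computer, ImageLoaded, SignatureStatus) are assumed from Sysmon's Event ID 6 schema, and the sample events are constructed.

```python
# Driver filenames this article names as abused by GentleKiller and the bundled
# third-party killers. A filename is a weak indicator (drivers can be renamed),
# so a hit is a triage lead, not proof of compromise.
ABUSED_DRIVER_NAMES = {
    "eb.sys": "Kaspersky (GentleKiller)",
    "nseckrnl.sys": "FACEIT Anti-Cheat (GentleKiller)",
    "gamedriverx64.sys": "Valorant (GentleKiller)",
    "stpm_old.sys": "Javelin/Safetica (GentleKiller)",
    "stpm_new.sys": "Javelin/Safetica (GentleKiller)",
    "dmx.sys": "Zemana WatchDog (GentleKiller)",
    "360netmon_wfp.sys": "Qihoo 360 (GentleKiller)",
    "googleapiutil64.sys": "Baidu Antivirus BdApi (HexKiller)",
    "throttleblood.sys": "TechPowerUp LLC (ThrottleBlood)",
    "havoc.sys": "Huawei Audio (HavocKiller)",
}

def driver_basename(image_path: str) -> str:
    """Lowercase filename of a Windows path; tolerates forward slashes."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_abused_driver_loads(events: list[dict]) -> list[dict]:
    """Return one hit per Sysmon Event ID 6 (Driver Loaded) record whose
    ImageLoaded filename is on the watchlist, annotated for triage."""
    hits = []
    for ev in events:
        path = ev.get("ImageLoaded", "")
        product = ABUSED_DRIVER_NAMES.get(driver_basename(path))
        if ev.get("EventID") != 6 or product is None:
            continue
        hits.append({
            "host": ev.get("Computer"),
            "driver": driver_basename(path),
            "path": path,
            "product": product,
            # BYOVD loads a validly signed driver, so the signature is not the
            # tell; a load from outside the normal driver directory is.
            "signature_valid": ev.get("SignatureStatus") == "Valid",
            "outside_driver_dir": not path.lower().startswith("c:\\windows\\system32\\drivers\\"),
        })
    return hits

# Constructed sample telemetry (not from the article): a watchlisted driver loaded
# from a user-writable directory, a benign driver load, and an unrelated event.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "WS-042", "SignatureStatus": "Valid",
     "ImageLoaded": "C:\\Users\\Public\\GameDriverX64.sys"},
    {"EventID": 6, "Computer": "WS-042", "SignatureStatus": "Valid",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys"},
    {"EventID": 1, "Computer": "WS-042", "Image": "C:\\Windows\\explorer.exe"},
]
```

Running `find_abused_driver_loads(SAMPLE_EVENTS)` yields a single hit for GameDriverX64.sys, flagged as validly signed but loaded from outside the driver directory; the benign ndis.sys load and the process-creation event are ignored.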

Further details indicate that tools such as UnknownKiller and PoisonKiller were incorporated into GentleKiller’s arsenal within days of their public GitHub disclosure, demonstrating a well-resourced and agile development pipeline, according to ESET research.

Security teams should prioritize driver allowlisting and enforce Microsoft’s Vulnerable Driver Blocklist to prevent BYOVD-style attacks.

A defining capability of Gentlemen is its ability to operationalize newly published BYOVD proof-of-concept (PoC) exploits within days of public release.

Impact & Targeting

GentleKiller is an in-house EDR-killing framework with at least eight distinct variants, each impersonating a different legitimate security product and abusing a unique vulnerable or malicious kernel-level driver. The technique used is Bring Your Own Vulnerable Driver (BYOVD), loading a legitimately signed but exploitable driver to terminate security processes at the kernel level, bypassing user-mode protections. In total, GentleKiller targets more than 400 processes mapped to 48 security products, including industry leaders such as Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto Networks, ESET, Bitdefender, Kaspersky, and McAfee/Trellix.

The gang was further exposed by an internal data leak in May 2026, which confirmed that its operators actively develop, maintain, and distribute GentleKiller and the broader EDR-killer suite to vetted affiliates.

Detection & Response

A highly sophisticated EDR-killing framework, dubbed GentleKiller, was used by the Gentlemen ransomware-as-a-service (RaaS) gang to systematically disable endpoint security tools before deploying its ransomware payload.

Analysis

The incident highlights the continued pressure ransomware operators are placing on organizations worldwide.

Defenders should immediately review endpoint detection and response telemetry for any signs of the described malware family or associated behaviors. Network traffic analysis can reveal command-and-control communications, data exfiltration patterns, or lateral movement that might otherwise go unnoticed. Organizations are advised to update their threat intelligence feeds and ensure that endpoint protection platforms, email gateways, and intrusion prevention systems have the latest detection signatures. Incident response playbooks should be reviewed to confirm they cover malware of this type, including isolation procedures, forensic collection steps, and communication protocols. Security awareness training may also need refreshes if the malware leverages social engineering as an initial access vector.
