
GentleKiller Framework Bypasses Security Software

Summary

– The Gentlemen ransomware gang provides affiliates with an in-house toolkit called GentleKiller, which disables endpoint security software before encryption begins.
– GentleKiller uses the bring your own vulnerable driver (BYOVD) method, loading a legitimate but flawed kernel driver to kill security processes from kernel level.
– ESET identified at least eight GentleKiller variants, each impersonating a different legitimate product and abusing a different vulnerable driver.
– Unlike most ransomware crews, The Gentlemen operators build and maintain the EDR killers, offering a portfolio of tools including GentleKiller, HexKiller, ThrottleBlood, and HavocKiller.
– The gang, which surfaced in late 2025 and was founded by a former Qilin affiliate, offers affiliates a 90% cut of ransom payments and targets victims in Southeast Asia, South America, and Western Europe, often via exposed FortiGate configurations.

One of the most aggressive ransomware operations active in 2026 is equipping its affiliates with a purpose-built arsenal designed to neutralize security defenses before any encryption takes place. Researchers at ESET have released a detailed breakdown of the EDR killer suite used by The Gentlemen, a ransomware-as-a-service (RaaS) group, centered on a proprietary framework they have dubbed GentleKiller.

The primary function of GentleKiller is to dismantle endpoint protection systems. ESET’s analysis reveals it targets over 400 processes spanning roughly 48 different security products, including major names like Microsoft Defender, CrowdStrike, Sophos, and even ESET’s own solutions. The tool operates at the kernel level, effectively killing these processes so the ransomware can execute without interference.

The Power of Borrowed Drivers

The technique employed is known as bring your own vulnerable driver (BYOVD). Each variant of GentleKiller loads a kernel driver that is legitimately signed, and therefore accepted by Windows driver signature enforcement, but contains a known flaw. That flaw is then abused to terminate security processes from within the kernel, placing the attack beyond the reach of the user-mode self-protection that endpoint products rely on.

ESET has identified at least eight distinct GentleKiller variants, each masquerading as a different legitimate product. These variants borrow names from popular games and security brands such as Valorant, FACEIT, and Kaspersky, and each exploits a different vulnerable driver. To evade initial inspection, the binaries are crafted with fake version details, copied yet invalid digital signatures, and the icons of the vendors they are mimicking, often wrapped in commercial packers.

A Portfolio, Not a Single Tool

What sets The Gentlemen apart is that its operators, not its affiliates, are responsible for developing and maintaining these EDR killers. ESET notes that most ransomware groups leave their affiliates to source their own tools; only a few, such as RansomHub, supply one. The Gentlemen, however, offers a full portfolio:

  • GentleKiller, the in-house framework, available in at least eight variants.
  • HexKiller, ThrottleBlood, and HavocKiller, three borrowed tools that were not developed in-house.

The three borrowed tools have each been re-skinned with The Gentlemen's shared evasion layer. GentleKiller itself evolves at an even faster pace, with operators converting newly disclosed driver exploits into working variants within days of their public release.

Understanding The Gentlemen Operation

The Gentlemen emerged in late 2025, founded by a former affiliate of the Qilin ransomware group. To attract affiliates, it offers an unusually generous 90% cut of ransom payments. ESET confirmed the operator-run model partly through a data leak in May, in which the gang's leader openly discussed maintaining the EDR-killer packages.

Unlike many ransomware operations, The Gentlemen does not focus heavily on US victims. Instead, it selects targets across Southeast Asia, South America, and Western Europe, often by exploiting exposed FortiGate configurations.

ESET's research suggests that understanding how GentleKiller operates lets defenders prepare, even for variants that have not yet been built. In practice, defenses against such BYOVD attacks center on two controls: blocking known-vulnerable drivers before they load, and alerting whenever a protected security process is abruptly terminated.
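The detection half of that advice, as an added example that is not part of the original article or of ESET's research: a small Python pass over constructed Sysmon-style records, treating a driver load (Event ID 6) whose SHA256 is on a vulnerable-driver list, or whose signature does not verify, as one signal, and the termination of a protected security process (Event ID 5) as the other, escalating when the second follows the first inside a window. The hashes are placeholders standing in for a maintained blocklist feed, the protected-process names are the service binaries of four vendors the article names, the ten-minute window is an assumption, and every log record is constructed.

```python
"""Detection pass for the two BYOVD signals the article describes.

Rule 1: a kernel driver load (Sysmon Event ID 6) whose SHA256 is on a
        known-vulnerable-driver list, or whose signature does not verify.
Rule 2: a protected security process terminating (Sysmon Event ID 5),
        escalated when it follows a suspicious driver load within a window.
All hashes, process names and records below are constructed for this
example; the digests are placeholders, not hashes of any real driver.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"

# Placeholder digests standing in for a maintained feed such as Microsoft's
# vulnerable driver blocklist (assumption: the feed is loaded elsewhere).
VULNERABLE_DRIVER_SHA256 = {"1" * 64, "2" * 64}

# Service binaries of four vendors the article names (illustrative list).
PROTECTED_PROCESSES = {
    "msmpeng.exe",          # Microsoft Defender antimalware service
    "csfalconservice.exe",  # CrowdStrike Falcon sensor
    "savservice.exe",       # Sophos Anti-Virus service
    "ekrn.exe",             # ESET kernel service
}

CORRELATION_WINDOW = timedelta(minutes=10)  # assumption; tune to your estate


@dataclass
class Alert:
    severity: str
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one pipe-delimited 'Key=Value' record into a dict."""
    fields = {}
    for token in line.strip().split("|"):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def sha256_of(hashes_field: str) -> Optional[str]:
    """Sysmon's Hashes field looks like 'MD5=...,SHA256=...,IMPHASH=...'."""
    for part in hashes_field.split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def detect(lines: Iterable[str]) -> List[Alert]:
    alerts: List[Alert] = []
    suspicious_loads = []  # (time, image) of driver loads that fired a rule
    for line in lines:
        ev = parse_event(line)
        if "UtcTime" not in ev:
            continue
        when = datetime.strptime(ev["UtcTime"], SYSMON_TIME)

        if ev.get("EventID") == "6":  # DriverLoad
            image = ev.get("ImageLoaded", "")
            digest = sha256_of(ev.get("Hashes", ""))
            if digest in VULNERABLE_DRIVER_SHA256:
                # Validly signed but flawed: the BYOVD case the article describes.
                alerts.append(Alert("high", "vulnerable-driver-load",
                                    f"{image} sha256={digest}"))
                suspicious_loads.append((when, image))
            elif ev.get("SignatureStatus", "").lower() != "valid":
                alerts.append(Alert("medium", "driver-signature-invalid",
                                    f"{image} status={ev.get('SignatureStatus')}"))
                suspicious_loads.append((when, image))

        elif ev.get("EventID") == "5":  # ProcessTerminate
            name = PureWindowsPath(ev.get("Image", "")).name.lower()
            if name not in PROTECTED_PROCESSES:
                continue
            recent = [img for t, img in suspicious_loads
                      if timedelta(0) <= when - t <= CORRELATION_WINDOW]
            if recent:
                alerts.append(Alert("critical", "byovd-edr-kill",
                                    f"{name} terminated after driver load {recent[-1]}"))
            else:
                alerts.append(Alert("high", "protected-process-terminated", name))
    return alerts


# Constructed records, in the order a sensor would emit them.
SAMPLE_EVENTS = [
    "EventID=6|UtcTime=2026-01-15 09:58:10.000"
    "|ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys"
    "|Hashes=SHA256=" + "f" * 64 + "|Signed=true|SignatureStatus=Valid",
    "EventID=6|UtcTime=2026-01-15 10:00:02.000"
    "|ImageLoaded=C:\\Users\\Public\\placeholder_vulnerable.sys"
    "|Hashes=SHA256=" + "1" * 64 + "|Signed=true|SignatureStatus=Valid",
    "EventID=5|UtcTime=2026-01-15 10:00:05.000|ProcessId=4321"
    "|Image=C:\\Program Files\\Windows Defender\\MsMpEng.exe",
    "EventID=5|UtcTime=2026-01-15 10:00:06.000|ProcessId=8765"
    "|Image=C:\\Windows\\System32\\notepad.exe",
    "EventID=5|UtcTime=2026-01-15 11:30:00.000|ProcessId=2468"
    "|Image=C:\\Program Files\\ESET\\ESET Security\\ekrn.exe",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.detail}")
```

Two caveats a practitioner should keep in mind. Sysmon's ProcessTerminate event does not record which process performed the kill, so the correlation above is temporal and heuristic, and product updates or reboots will also terminate these services; baseline those before paging on the high-severity rule alone. And this is only the alerting half: the preventive control is keeping Microsoft's vulnerable driver blocklist (or an equivalent WDAC policy) enforced so the flawed driver never loads in the first place.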
(Source: Infosecurity Magazine)
