The Gentlemen ransomware-as-a-service (RaaS) gang has been using an in-house EDR-killing framework called GentleKiller to systematically disable endpoint security tools before deploying its ransomware payload. The framework, which has at least eight distinct variants, impersonates various legitimate security products and abuses vulnerable or malicious kernel-mode drivers to terminate targeted processes every two seconds. The technique, known as Bring Your Own Vulnerable Driver (BYOVD), loads a legitimately signed but exploitable driver to obtain kernel-level execution; from there the operator can kill protected security processes that user-mode code cannot touch, leaving the victim without endpoint visibility while the ransomware runs.
What Happened
GentleKiller was discovered by ESET researchers, who analyzed the framework's code and behavior. According to their findings, each variant abuses a different vulnerable driver to reach kernel-level privileges, but all variants share common strings, identical code obfuscation techniques, and similar process-killing logic and targeting scope. The framework runs in a loop, scanning for and terminating targeted processes every two seconds, as shown in the output reproduced in the ESET research.
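The two-second kill loop and the preceding driver load are the observable side of this technique on the endpoint, and both leave telemetry. The following is an added detection example written for this article, not ESET's code or anything taken from the Gentlemen tooling: it runs over a constructed, simplified Sysmon-style event log (driver loads as EID 6, process terminations as EID 5), flags a driver whose hash is on a vulnerable-driver blocklist or whose signature is not valid, and flags security-product processes that keep being terminated on a fixed cadence near two seconds. The process-name subset, the log format and the blocklist hash are all assumptions made for the example; in practice the process list and hash set come from your EDR vendor and a maintained list such as Microsoft's recommended driver block rules.

```python
"""Flag BYOVD EDR-killer behaviour in a simplified Sysmon-style event stream.

Added example for this article (not ESET's or the Gentlemen tooling): correlates a
suspicious kernel-driver load (EID 6) with security-product processes being
terminated (EID 5) on a fixed ~2-second cadence, the loop described for GentleKiller.
"""
import statistics
from collections import defaultdict

# Illustrative subset of the security-product process names such killers target.
# A real deployment loads the full list from its EDR vendor / threat intel feed.
SECURITY_PROCESSES = {
    "msmpeng.exe",          # Microsoft Defender Antivirus engine
    "csfalconservice.exe",  # CrowdStrike Falcon sensor service
    "sentinelagent.exe",    # SentinelOne agent
}

# Hypothetical SHA-256 standing in for entries from a real vulnerable-driver list
# (Microsoft's recommended driver block rules, loldrivers.io). NOT a real hash.
VULNERABLE_DRIVER_HASHES = {"11" * 32}

KILL_PERIOD_S = 2.0       # cadence reported in the ESET analysis
PERIOD_TOLERANCE_S = 0.5  # accept 1.5 s .. 2.5 s between kills of the same process
MIN_KILLS = 3             # fewer terminations are too little to call a loop

# Constructed sample log. Simplified format, not real Sysmon output:
#   ts=<seconds> eid=<sysmon event id> <key>=<value> ...
SAMPLE_LOG = [
    "ts=100.0 eid=6 driver=C:\\Windows\\Temp\\swd.sys sha256=" + "11" * 32 + " signed=true",
    "ts=100.5 eid=1 image=notepad.exe",
    "ts=101.0 eid=5 image=MsMpEng.exe",
    "ts=101.1 eid=5 image=CSFalconService.exe",
    "ts=103.0 eid=5 image=MsMpEng.exe",
    "ts=103.1 eid=5 image=CSFalconService.exe",
    "ts=104.0 eid=5 image=notepad.exe",
    "ts=105.0 eid=5 image=CSFalconService.exe",
    "ts=105.1 eid=5 image=MsMpEng.exe",
    "ts=107.0 eid=5 image=MsMpEng.exe",
]

# Constructed benign log: a legitimately signed system driver and one Defender restart.
BENIGN_LOG = [
    "ts=200.0 eid=6 driver=C:\\Windows\\System32\\drivers\\tcpip.sys sha256=" + "aa" * 32 + " signed=true",
    "ts=260.0 eid=5 image=MsMpEng.exe",
]


def parse_event(line):
    """Parse one 'key=value ...' line into a dict; 'ts' becomes a float."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = float(fields["ts"])
    return fields


def driver_load_findings(events):
    """EID 6 loads whose hash is blocklisted or whose signature is not valid."""
    findings = []
    for e in events:
        if e.get("eid") != "6":
            continue
        reasons = []
        if e.get("sha256", "").lower() in VULNERABLE_DRIVER_HASHES:
            reasons.append("hash on vulnerable-driver blocklist")
        if e.get("signed", "false").lower() != "true":
            reasons.append("unsigned or invalid signature")
        if reasons:
            findings.append({"type": "driver_load", "ts": e["ts"],
                             "driver": e["driver"], "reasons": reasons})
    return findings


def kill_loop_findings(events):
    """Security-process terminations (EID 5) recurring on a fixed cadence.

    Gaps are measured per image so that several products killed in the same
    sweep do not produce near-zero intervals that hide the loop period.
    """
    kills = defaultdict(list)
    for e in events:
        if e.get("eid") == "5" and e.get("image", "").lower() in SECURITY_PROCESSES:
            kills[e["image"].lower()].append(e["ts"])
    total = sum(len(v) for v in kills.values())
    gaps = []
    for ts in kills.values():
        s = sorted(ts)
        gaps.extend(b - a for a, b in zip(s, s[1:]))
    if total < MIN_KILLS or not gaps:
        return []
    period = statistics.median(gaps)
    if abs(period - KILL_PERIOD_S) > PERIOD_TOLERANCE_S:
        return []
    all_ts = sorted(t for ts in kills.values() for t in ts)
    return [{"type": "kill_loop", "first_ts": all_ts[0], "last_ts": all_ts[-1],
             "count": total, "period_s": period, "images": sorted(kills)}]


def analyze(lines):
    """Run both detectors; a kill loop preceded by a suspicious driver is escalated."""
    events = [parse_event(line) for line in lines]
    drivers = driver_load_findings(events)
    loops = kill_loop_findings(events)
    for loop in loops:
        prior = [d for d in drivers if d["ts"] <= loop["first_ts"]]
        loop["preceded_by_suspicious_driver"] = bool(prior)
        loop["severity"] = "high" if prior else "medium"
    return drivers + loops


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The cadence check is deliberately a median over per-process gaps rather than a threshold on raw kill counts: an agent upgrade can restart a sensor several times in a minute, but it does not restart it every two seconds, and a single benign driver load or single termination (the benign log) produces no finding. Tune the tolerance to the cadence your own EDR's service-recovery settings produce.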
The analysis of GentleKiller's variants indicates that the framework is designed so that a driver can be swapped, or a newly disclosed driver flaw weaponized, without major code changes. This points to a well-resourced and agile development pipeline: Gentlemen has been able to turn newly published BYOVD proof-of-concept (PoC) exploits into production tooling within days of public release.
Background and Context
GentleKiller is an in-house EDR-killing framework developed by Gentlemen, one of the most active ransomware gangs in Q1 2026. The gang's ability to operationalize newly published BYOVD PoC exploits within days of public release distinguishes them from most other RaaS operators, who typically wait weeks or months before adapting publicly released exploits into production-ready tooling.
Gentlemen's use of GentleKiller is part of a larger trend in the ransomware ecosystem, where gangs are increasingly using EDR killers to evade detection and disable security tools. This has significant implications for organizations that rely on endpoint security solutions to protect against ransomware attacks.
Why it Matters to the Industry
The use of GentleKiller by Gentlemen highlights the need for organizations to harden their endpoint detection and response (EDR) deployments against tampering, not just to deploy them. The framework targets over 400 processes associated with approximately 48 security vendors/products, including industry leaders such as Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky, so no single vendor's presence on the endpoint is protection in itself. Patching matters, but it is not sufficient here: BYOVD works precisely because the abused driver carries a valid signature and remains loadable even after the vendor has shipped a fixed version.
Furthermore, Gentlemen's use of BYOVD demonstrates the need for controls that prevent kernel-level attacks. Requiring signed drivers is not enough, since the drivers in question are signed; organizations should instead block known-vulnerable drivers outright (for example with Microsoft's vulnerable driver blocklist), enable hypervisor-protected code integrity (HVCI) so that blocklisted or unsigned driver code cannot run, restrict driver loading with a driver allowlist policy such as WDAC, turn on the EDR vendor's tamper protection, and alert on driver loads from unusual paths and on repeated termination of security processes.
What Comes Next
The discovery of GentleKiller by ESET researchers has significant implications for the cybersecurity community. As Gentlemen continues to develop and maintain its suite of EDR killers, and keeps shortening the gap between a public BYOVD PoC and a working variant, other ransomware gangs are likely to follow suit.
Organizations would do well to assume that an intruder who reaches a host with administrative rights will try to unload or kill the endpoint agent, and to plan for that: enforce the driver blocklist and HVCI where hardware allows, monitor for the driver-load and process-kill patterns described above, and keep a detection path (network telemetry, logs shipped off-host) that survives the local agent being silenced.
Key Facts
- GentleKiller is an in-house EDR-killing framework developed by Gentlemen ransomware-as-a-service (RaaS) gang.
- The framework has at least eight distinct variants, each impersonating a different legitimate security product and abusing vulnerable or malicious kernel-level drivers.
- GentleKiller targets over 400 processes associated with approximately 48 security vendors/products, including industry leaders such as Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky.
- The framework operates on a loop, periodically scanning and terminating targeted processes every two seconds.
- Gentlemen has turned newly published BYOVD PoC exploits into working GentleKiller variants within days of public release, so defenses should rely on blocking vulnerable drivers and protecting EDR agents from tampering rather than on patching alone.