GentleKiller
GentleKiller is a self-developed endpoint detection and response (EDR) killer used by the Gentlemen ransomware-as-a-service group and described as the most prevalent EDR-killing tool in that ecosystem. It was first observed in a staging directory named GentlemenCollection and is assessed as the only EDR killer in the suite developed in-house by Gentlemen operators, who centrally maintain EDR-killer packages and distribute them to affiliates.
ESET reported at least eight GentleKiller variants. Each variant impersonates a different legitimate product and abuses a different vulnerable or malicious kernel driver, the bring-your-own-vulnerable-driver (BYOVD) pattern in which a user-mode component loads a signed but exploitable driver and uses it to kill protected processes from kernel mode. Observed variant names, which reflect the product each one impersonates, include Kaspersky, FACEIT Anti-Cheat, Valorant, Javelin, WatchDog, Network Blocker, Cleaner, and G11. Drivers named in the reporting include eb.sys, nseckrnl.sys, GameDriverX64.sys, stpm_old.sys, stpm_new.sys, dmx.sys, 360netmon_wfp.sys, IObit's IMF ForceDelete filter driver, and PoisonX. The kill list covers more than 400 process names mapped to 48 security products, including Microsoft Defender and products from CrowdStrike, SentinelOne, Sophos, Trend Micro, ESET, and Palo Alto Networks.
Across variants, GentleKiller shares the same underlying characteristics: a timer-based loop that terminates target processes periodically rather than once, shared strings, and identical code obfuscation, indicating a reused development template. The broader Gentlemen evasion model also uses vendor-like filenames, fabricated version information, digital signatures copied from legitimate binaries, matching icons, and sometimes Enigma or Themida packing to hinder detection and analysis. A copied Authenticode signature cannot validate, because the signed hash covers the original binary rather than the file it was pasted onto, so signature verification catches these samples where filename, icon and version-string checks do not.
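Two of the traits above are directly observable in endpoint telemetry: the load of a known abused driver and a kill loop that fires on a timer. The following is an added detection example, not code from the page or from ESET. It runs over constructed records shaped like Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate); the numeric `ts` field, the watched process names and all sample events are constructed for the example, and the driver filenames are the ones the reporting names.

```python
"""Detection logic for two GentleKiller traits: loads of the abused driver
filenames named in the reporting, and a periodic loop that terminates
security-product processes.  Records are shaped like Sysmon Event ID 6
(DriverLoad) and Event ID 5 (ProcessTerminate); the records, timestamps
and process names are constructed for this example."""
from statistics import mean, pstdev

# Driver filenames named in the reporting.  Filenames are weak indicators
# (the tool renames itself), so pair them with hashes in production.
ABUSED_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys",
    "stpm_new.sys", "dmx.sys", "360netmon_wfp.sys",
}

# Constructed subset of security-product process names; the real target
# list covers more than 400 names.
WATCHED_PROCESSES = {
    "msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe",
    "ekrn.exe", "sophoshealth.exe", "tmbmsrv.exe",
}


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_driver_loads(events):
    """Return (driver, reason) pairs for suspicious DriverLoad records: a
    filename from the reporting, or a driver whose signature is not valid."""
    hits = []
    for ev in events:
        if ev["EventID"] != 6:
            continue
        name = basename(ev["ImageLoaded"])
        status = ev.get("SignatureStatus", "").lower()
        if name in ABUSED_DRIVERS:
            hits.append((name, "driver filename named in GentleKiller reporting"))
        elif status != "valid":
            hits.append((name, "driver signature status: " + (status or "missing")))
    return hits


def find_kill_loop(events, burst_gap=2.0, min_bursts=3, max_jitter=0.25):
    """Group terminations of watched processes into bursts (gap <= burst_gap
    seconds) and return (burst_count, period_seconds) when at least
    min_bursts recur at a near-constant interval; otherwise None.  A
    timer-driven kill loop yields near-constant gaps between bursts;
    crashes and manual service stops do not."""
    times = sorted(ev["ts"] for ev in events
                   if ev["EventID"] == 5
                   and basename(ev["Image"]) in WATCHED_PROCESSES)
    if not times:
        return None
    bursts = [[times[0]]]
    for t in times[1:]:
        if t - bursts[-1][-1] <= burst_gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    if len(bursts) < min_bursts:
        return None
    starts = [b[0] for b in bursts]
    gaps = [later - earlier for earlier, later in zip(starts, starts[1:])]
    period = mean(gaps)
    if period > 0 and pstdev(gaps) / period <= max_jitter:
        return len(bursts), period
    return None


def kill(ts, image):
    """Build a constructed ProcessTerminate record."""
    return {"EventID": 5, "ts": ts, "Image": image}


# Constructed sample telemetry: one legitimate driver, one driver named in
# the reporting, one unknown driver with an invalid signature, then four
# kill bursts roughly 30 s apart plus one unrelated termination.
SAMPLE_EVENTS = [
    {"EventID": 6, "ts": 0.0, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "ts": 5.0, "ImageLoaded": r"C:\Users\Public\GentlemenCollection\stpm_old.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "ts": 6.0, "ImageLoaded": r"C:\Windows\Temp\unknownfilter.sys",
     "Signed": "true", "SignatureStatus": "Invalid"},
    kill(10.0, r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    kill(10.3, r"C:\Program Files\CrowdStrike\CSFalconService.exe"),
    kill(12.0, r"C:\Windows\System32\notepad.exe"),
    kill(40.1, r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    kill(40.4, r"C:\Program Files\CrowdStrike\CSFalconService.exe"),
    kill(70.2, r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    kill(100.0, r"C:\Program Files\Windows Defender\MsMpEng.exe"),
]

# Constructed benign telemetry: a single service restart, no loop.
BENIGN_EVENTS = [
    {"EventID": 6, "ts": 0.0, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    kill(30.0, r"C:\Program Files\Windows Defender\MsMpEng.exe"),
]

if __name__ == "__main__":
    for driver, reason in check_driver_loads(SAMPLE_EVENTS):
        print("driver:", driver, "-", reason)
    print("kill loop:", find_kill_loop(SAMPLE_EVENTS))
    print("benign:", find_kill_loop(BENIGN_EVENTS))
```

The cadence check is what distinguishes a timer-driven killer from a service that crashes or is restarted by an operator: a validly signed vulnerable driver (stpm_old.sys in the sample) passes a signature-only check, and a single termination passes a kill-count check, but four bursts 30 seconds apart do not look like either.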
GentleKiller is associated with the Gentlemen ransomware group, which emerged in late 2025 and became highly active in 2026. Gentlemen uses double extortion and targets organizations globally, with reported victim concentrations in Southeast Asia, South America, and Western Europe, including Thailand, Brazil, and France. Reporting states that victim selection is driven primarily by FortiGate misconfigurations rather than geography. The highest-confidence indicators on this page are the malware name, its observed variant names, and the abused driver filenames listed above; because the tooling renames itself to impersonate vendors, filename-based indicators should be paired with file hashes or driver-signature checks in detection rules.
Groups observed using it
2 distinct threat actors attributed by public researchers.
GentleKiller is by far the most prevalent EDR killer observed in the Gentlemen ecosystem. At the time of writing, we are aware of at least eight distinct variants, each impersonating a different legitimate product and abusing a different vulnerable or malicious driver.
The most prevalent EDR killer in the group's ecosystem is GentleKiller, a self-developed tool with at least eight variants targeting more than 400 processes.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 2 techniques
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 6 techniques
T1027 Obfuscated Files or Information: Some executables are protected with packers (e.g., Enigma, Themida) and custom control-flow obfuscation. Many samples also receive commercial packing through Enigma or Themida, recorded in a filename suffix.
T1036 Masquerading: Gentlemen’s EDR killers are protected by impersonating legitimate vendors through filenames, version information, icons, and copied digital certificates.
T1036.001 Masquerading: Invalid Code Signature: The protection applied to Gentlemen’s EDR killers adds an invalid code signature as part of the impersonation strategy.
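The masquerading tradecraft listed under T1036 and T1036.001 leaves contradictions in the file metadata that a scoring rule can pick up: a signature that is present but fails verification, a version-resource name that does not match the on-disk name, and a claimed vendor that does not fit the execution path. The following is an added example, not code from the page or from ESET. It runs over constructed records carrying the fields a Sysmon image-load event exposes (ImageLoaded, Company, Product, OriginalFileName, Signed, Signature, SignatureStatus); the untrusted-path prefixes, scoring weights, vendor strings and all three records are assumptions made for the example.

```python
"""Masquerade checks for the T1036 / T1036.001 tradecraft described above,
run over constructed records carrying the fields a Sysmon image-load event
exposes.  Paths, vendor strings, weights and records are constructed for
this example."""

# Directories a vendor's own binaries do not normally execute from
# (assumption for this example; tune per environment).
UNTRUSTED_PREFIXES = (
    "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\perflogs\\",
)

# Product names the reporting says GentleKiller variants impersonate.
IMPERSONATED = ("kaspersky", "faceit", "valorant")


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_image(rec):
    """Return (score, reasons) for one record.  Weights are illustrative."""
    reasons = []
    image = rec["ImageLoaded"].lower()
    claims = " ".join(rec.get(k, "") for k in ("Company", "Product")).lower()
    signer = rec.get("Signature", "").lower()
    company = rec.get("Company", "").lower()

    # 1. Signature present but not valid.  A certificate copied from another
    #    vendor's binary can never verify: the signed hash covers the
    #    original file, not the one it was pasted onto (T1036.001).
    if (rec.get("Signed", "false").lower() == "true"
            and rec.get("SignatureStatus", "").lower() != "valid"):
        reasons.append(("invalid_signature", 3))

    # 2. Version-resource name differs from the on-disk name: renamed file.
    original = rec.get("OriginalFileName", "").lower()
    if original and original != basename(image):
        reasons.append(("renamed_binary", 1))

    # 3. Claims an impersonated vendor/product but runs from a user-writable
    #    path rather than that vendor's install directory.
    if any(v in claims for v in IMPERSONATED) and image.startswith(UNTRUSTED_PREFIXES):
        reasons.append(("impersonated_vendor_untrusted_path", 2))

    # 4. Signer name shares no significant word with the claimed company.
    words = [w for w in company.split() if len(w) > 3]
    if signer and words and not any(w in signer for w in words):
        reasons.append(("signer_company_mismatch", 1))

    return sum(w for _, w in reasons), [r for r, _ in reasons]


def triage(records, threshold=3):
    """Return (filename, score, reasons) for records at or above threshold."""
    out = []
    for rec in records:
        score, reasons = score_image(rec)
        if score >= threshold:
            out.append((basename(rec["ImageLoaded"]), score, reasons))
    return out


# Constructed records: a masquerading EDR killer staged under the
# GentlemenCollection directory named in the reporting, a genuine system
# binary, and a benign download that the user renamed.
SAMPLE_RECORDS = [
    {"ImageLoaded": r"C:\Users\Public\GentlemenCollection\kavsvc.exe",
     "Company": "Kaspersky", "Product": "Kaspersky Security",
     "OriginalFileName": "kavsvc.exe", "Signed": "true",
     "Signature": "Kaspersky", "SignatureStatus": "Invalid"},
    {"ImageLoaded": r"C:\Windows\System32\notepad.exe",
     "Company": "Microsoft Corporation", "Product": "Microsoft Windows Operating System",
     "OriginalFileName": "NOTEPAD.EXE", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\alice\Downloads\setup(1).exe",
     "Company": "ExampleSoft", "Product": "ExampleSoft Installer",
     "OriginalFileName": "setup.exe", "Signed": "true",
     "Signature": "ExampleSoft Ltd", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for name, score, why in triage(SAMPLE_RECORDS):
        print(name, score, why)
```

The invalid signature carries the most weight on purpose: filenames, icons and version strings are all freely fabricated, but a copied certificate fails verification on every host, so that single check holds up across all eight variants regardless of which product each one imitates. The renamed-download record scores below the threshold, which is why the rule combines signals instead of alerting on any one of them.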
Defense Impairment: 1 technique
Impact: 1 technique
Recent activity
4 sources tracked across advisories, community write-ups, and news.
An in-house EDR-killer framework used by the Gentlemen ransomware operation to disable endpoint detection and response products. It has at least eight variants, impersonates legitimate security products, abuses vulnerable or malicious kernel drivers, and targets more than 400 process names associated with 48 security products.
A self-developed endpoint detection and response killing tool used in The Gentlemen ransomware ecosystem. It has at least eight variants, targets more than 400 processes, periodically terminates processes, uses identical code obfuscation across variants, impersonates legitimate products, and abuses different vulnerable or malicious drivers.
A self-developed endpoint security disabling tool used by The Gentlemen ransomware ecosystem. It has at least eight variants, impersonates legitimate products, abuses different vulnerable or malicious drivers, periodically terminates processes, and uses code obfuscation to evade detection.
An in-house EDR-killing framework used by the Gentlemen ransomware operation to disable or terminate security products by abusing vulnerable or malicious drivers. It is offered to affiliates and has multiple variants impersonating legitimate software vendors.