bleepingcomputer.com web signal

Gentlemen Ransomware Gang's Proprietary EDR-Killing Framework GentleKiller Targets 400+ Processes Across 48 Security Vendors, ESET Finds

Summary

ESET researchers detailed the Gentlemen ransomware-as-a-service group's custom EDR-killing toolkit, GentleKiller, which uses a 'bring your own vulnerable driver' (BYOVD) technique to reach kernel-level privileges and terminate over 400 processes associated with 48 security vendors. Unlike most RaaS groups, Gentlemen supplies affiliates with its own standardized EDR killer suite — plus three third-party tools (HexKiller, ThrottleBlood, HavocKiller) — materially lowering the barrier to sophisticated endpoint-defense evasion. The gang impersonates legitimate security products via fake version metadata and copied certificates and has emerged as one of 2026's most active RaaS operators, with a non-US victimology spanning Southeast Asia, South America, and Western Europe.