Gentlemen ransomware uses GentleKiller to erase defenses

ESET says the Gentlemen ransomware-as-a-service is actively maintaining an EDR-killing toolkit—led by a tool dubbed GentleKiller with at least eight variants impersonating legitimate security products. The goal is consistent: disable security protections early.
On the wrong side of a compromise, the moment security defenses go quiet can feel like the countdown has already started. ESET’s latest findings point to how the Gentlemen ransomware-as-a-service is engineering that silence.
The gang is actively developing and maintaining endpoint detection and response (EDR) killers designed to help affiliates evade detection during attacks. At the center is a tool researchers dubbed GentleKiller, which ESET says has at least eight variants. Those variants impersonate legitimate security products, including Kaspersky, Valorant, Javelin, and WatchDog.
Researchers describe the EDR killer as something used early in an incident—an operation typically meant to disable defenses so ransomware activities can run unencumbered. In practice, EDR killers are commonly used to clear the path for data theft or encryption without interference.
What makes GentleKiller especially adaptable is how ESET says the variants are built. The tools rely on the bring your own vulnerable driver (BYOVD) technique to elevate privileges and disable security engines. ESET reports that each GentleKiller variant uses a different vulnerable driver to achieve kernel-level privileges. Yet across the variants, ESET says there are shared telltales: common strings, identical code obfuscation techniques, and similar process-killing logic and targeting scope.
That combination—swappable drivers with consistent underlying behavior—gives the framework a practical advantage. ESET’s analysis indicates the design is intended to make it easier to replace drivers or weaponize newly disclosed flaws without requiring major code changes.
The targeting details are just as specific. ESET says GentleKiller targets more than 400 processes tied to approximately 48 security vendors or products. The list includes Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky.
ESET also reports how the attackers protect the tool itself. The binaries are protected using the commercial Enigma and Themida packing and code-protection tools. The threat actor also uses stolen digital signatures from legitimate software, even though ESET notes the signatures are invalid.
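The two behaviours described above, a kernel driver loaded with an invalid or blocklisted signature and a rapid burst of terminations aimed at security-product processes, are both visible in ordinary endpoint telemetry. The following detection sketch is an added example written for this article; it is not ESET's code and not derived from any GentleKiller sample. It runs over constructed events shaped like Sysmon Event ID 6 (DriverLoad, with a `signature_status` field) and Event ID 5 (ProcessTerminate). The security-process names, the blocklist hashes and the sample events are all hypothetical placeholders that a defender would replace with their own inventory and a maintained vulnerable-driver list.

```python
"""Detection heuristics for EDR-killer activity over Sysmon-style events.
(1) DriverLoad (Event ID 6) with a non-Valid signature or a blocklisted hash (BYOVD).
(2) A burst of ProcessTerminate (Event ID 5) events hitting security-vendor processes.
All names, hashes and events below are constructed placeholders, not real IoCs."""

from datetime import datetime, timedelta

# Hypothetical inventory of security-product process names (replace with your own).
SECURITY_PROCESS_NAMES = {
    "MsMpEng.exe", "CSFalconService.exe", "SentinelAgent.exe", "ekrn.exe",
    "SophosHealth.exe", "bdagent.exe", "mcshield.exe", "avp.exe",
}

# Placeholder hashes standing in for a vulnerable-driver blocklist you maintain.
KNOWN_VULNERABLE_DRIVER_SHA256 = {
    "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_1",
}


def _t(s):
    """Parse an ISO-8601 timestamp used by the constructed sample events."""
    return datetime.fromisoformat(s)


# Constructed sample telemetry: one suspicious driver load, one benign driver load,
# three security-process terminations within seconds, then unrelated activity.
SAMPLE_EVENTS = [
    {"event_id": 6, "time": _t("2024-01-01T10:00:00"), "image": r"C:\Windows\Temp\drv.sys",
     "signature_status": "Invalid", "sha256": "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_1"},
    {"event_id": 6, "time": _t("2024-01-01T10:00:01"), "image": r"C:\Windows\System32\drivers\good.sys",
     "signature_status": "Valid", "sha256": "PLACEHOLDER_SHA256_BENIGN"},
    {"event_id": 5, "time": _t("2024-01-01T10:00:05"), "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"event_id": 5, "time": _t("2024-01-01T10:00:06"), "image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"event_id": 5, "time": _t("2024-01-01T10:00:07"), "image": r"C:\Program Files\ESET\ekrn.exe"},
    {"event_id": 5, "time": _t("2024-01-01T10:30:00"), "image": r"C:\Windows\System32\notepad.exe"},
    {"event_id": 5, "time": _t("2024-01-01T11:00:00"), "image": r"C:\Program Files\Sophos\SophosHealth.exe"},
]


def driver_load_alerts(events):
    """Flag DriverLoad events whose signature is not Valid or whose hash is blocklisted.
    Returns a list of (time, image, reason); one entry per reason."""
    alerts = []
    for ev in events:
        if ev["event_id"] != 6:
            continue
        status = ev.get("signature_status")
        if status != "Valid":
            alerts.append((ev["time"], ev["image"], f"signature status {status}"))
        if ev.get("sha256") in KNOWN_VULNERABLE_DRIVER_SHA256:
            alerts.append((ev["time"], ev["image"], "hash on vulnerable-driver blocklist"))
    return alerts


def kill_burst_alerts(events, window_seconds=60, threshold=3):
    """Alert when at least `threshold` security-product processes terminate within
    `window_seconds`. Returns a list of (window_start, count, sorted process names)."""
    terms = sorted(
        (ev["time"], ev["image"].split("\\")[-1])
        for ev in events
        if ev["event_id"] == 5 and ev["image"].split("\\")[-1] in SECURITY_PROCESS_NAMES
    )
    alerts = []
    i = 0
    while i < len(terms):
        t0 = terms[i][0]
        in_window = [x for x in terms[i:] if x[0] - t0 <= timedelta(seconds=window_seconds)]
        if len(in_window) >= threshold:
            alerts.append((t0, len(in_window), sorted(name for _, name in in_window)))
            i += len(in_window)  # skip past the events already attributed to this burst
        else:
            i += 1
    return alerts


def run_detections(events=SAMPLE_EVENTS):
    """Run both heuristics and return their alerts together."""
    return {"driver_loads": driver_load_alerts(events), "kill_bursts": kill_burst_alerts(events)}


if __name__ == "__main__":
    for kind, alerts in run_detections().items():
        for alert in alerts:
            print(kind, alert)
```

Correlating the two signals is the useful part: a driver load with an invalid signature followed within minutes by a burst of security-process terminations is a much stronger indicator than either event alone, and the window and threshold should be tuned against how your own fleet behaves during legitimate agent upgrades.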
GentleKiller isn’t the only option in the toolkit. ESET says Gentlemen ransomware incorporates at least three external EDR-killing tools: HexKiller, previously used by the Warlock gang; ThrottleBlood, linked to MesudaLocker and DragonForce attacks; and HavocKiller, also seen in ransomware operations. ESET adds that the ransomware program may have added these tools for redundancy, for increasing attribution complexity, or for situations where GentleKiller’s effectiveness might be limited.
Beyond the defense-evasion layer, ESET documented the use of OxideHarvest, a Rust-based credential-stealer tool that researchers believe was developed externally, based on the programming language choice.
The pressure point for defenders, though, may be where the attackers aim their time and attention. ESET says Gentlemen ransomware selects targets based on the configuration of their FortiGate endpoints. That detail lands awkwardly alongside the recent discovery of “FortiBleed,” a collection of nearly 74,000 FortiGate VPN credentials.
ESET’s report also ties the activity to real-world campaigns. Gentlemen ransomware-as-a-service previously compromised the Romanian energy provider Oltenia. It has also been linked to a SystemBC proxy malware botnet with over 1,570 hosts, believed to be corporate victims.
In other words: the defense-killing tools aren’t a side project. They’re engineered for speed, adaptability, and broad security product coverage—built to keep ransomware operations moving while security teams are left trying to understand what just went missing.
Tags: Gentlemen ransomware, GentleKiller, EDR killer, BYOVD, Enigma, Themida, FortiGate, FortiBleed, OxideHarvest, HexKiller, ThrottleBlood, HavocKiller, SystemBC, Oltenia
So they can just turn off antivirus? That’s wild.
I don’t get it… it says it “impersonates” security products like Kaspersky and WatchDog?? Isn’t WatchDog not even real? Sounds like they’re spoofing everything and laughing.
Wait, GentleKiller is for “EDR-killing” so basically it deletes the protections first right? But then how is it “gentlemen” if it’s destroying stuff lol. Also the BYOVD driver thing sounds like using a car model you already have? Idk I’m just confused.
This reads like ransomware gangs are getting smarter with every update. Eight variants impersonating other security companies is scary, but I’m also side-eyeing the whole “targets 400 processes” part—like do they really name all that stuff? Also, why is it always Microsoft and CrowdStrike mentioned… makes me think it’s some insider thing.