Killing me gently: Inside Gentlemen’s EDR killer framework

ESET Research has unveiled a sophisticated, in-house "EDR killer framework" developed by the prolific Ransomware-as-a-Service (RaaS) gang Gentlemen, marking a critical escalation in the ongoing arms race between cybercriminals and endpoint security. Dubbed "GentleKiller," this suite of tools is maintained directly by Gentlemen operators and distributed to their affiliates, enabling them to systematically dismantle Endpoint Detection and Response (EDR) defenses before launching ransomware attacks. The discovery highlights Gentlemen's technical agility and its centralized approach to defense evasion, distinguishing it from most RaaS groups, which leave EDR circumvention to individual affiliates.

This development arrives amid a surge in EDR evasion tactics, with "Bring Your Own Vulnerable Driver" (BYOVD) techniques becoming a standard weapon in ransomware operations. Gentlemen, which emerged in mid-2025 and rapidly became one of the most active RaaS gangs in Q1 2026 with hundreds of reported victims globally, is leveraging GentleKiller's eight-plus variants to load vulnerable, legitimately signed drivers and use them to gain kernel-level privileges, from which the EDR agent's processes and callbacks can be terminated or disabled. The framework integrates both proprietary code and third-party tools such as HexKiller and HavocKiller, all standardized with binary protection and fake vendor impersonation to complicate detection. Further insights into Gentlemen's internal workings, including initial access via Fortinet and Cisco edge appliances, were recently exposed by a May 2026 database leak, offering an unprecedented view into the operational maturity of this double-extortion group.

For organizations, this means that reliance on EDR as a standalone defense is increasingly untenable. Security teams should re-evaluate their layered strategies, integrating network detection and response (NDR) and identity threat detection and response (ITDR) to maintain visibility even when endpoint agents are blinded, and should treat a kernel-driver load from an unusual location followed by the termination of security processes as a high-priority signal in its own right.
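As an added example (this is not ESET's research code and has nothing to do with the GentleKiller framework itself), the following Python shows the kind of detection logic a SOC can run over Sysmon telemetry to catch the BYOVD pattern described above: a kernel driver loaded from outside the system driver directory, a hash on a vulnerable-driver blocklist, an unsigned or invalid signature, and a burst of security-process terminations shortly after the load. All input is constructed: the Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate) records, the placeholder blocklist hash, and the process name `edragent.exe` are invented for the example; `MsMpEng.exe` is the real Microsoft Defender engine process. In practice the blocklist would be populated from Microsoft's recommended driver block rules or a feed such as loldrivers.io.

```python
"""Flag BYOVD-style driver loads and EDR process kills in Sysmon event text.

Added example, not ESET's or any vendor's code. Input records are constructed
in the text layout Sysmon writes to the event message (fields trimmed to the
ones used). Hashes and the edragent.exe name are placeholders.
"""
import re
from datetime import datetime, timedelta

# Constructed blocklist entry (64 hex chars). Real deployments load this from
# Microsoft's driver block rules or loldrivers.io; this value is a placeholder.
BAD_HASH = "1" * 64
BLOCKLISTED_SHA256 = {BAD_HASH}

# Security processes whose termination right after a driver load is suspicious.
# msmpeng.exe is Defender's engine; edragent.exe is a hypothetical EDR agent.
SECURITY_PROCESSES = {"msmpeng.exe", "edragent.exe"}

# Drivers normally live here; anything else (ProgramData, Temp, user dirs) is odd.
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# How long after a driver load a process kill is still correlated with it.
KILL_WINDOW = timedelta(seconds=120)

FIELD_RE = re.compile(r"^(\w+): (.*)$", re.M)


def parse_events(text):
    """Split Sysmon message text into dicts; records are separated by a blank line."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        fields = dict(FIELD_RE.findall("\n".join(lines[1:])))
        fields["EventType"] = lines[0].rstrip(":")  # e.g. "Driver loaded"
        fields["Time"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(fields)
    return events


def sha256_of(hashes_field):
    """Pull the SHA256 value out of Sysmon's 'SHA1=..,SHA256=..' field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def score_driver_load(ev):
    """Return the static BYOVD indicators that fire for one DriverLoad event."""
    reasons = []
    if sha256_of(ev.get("Hashes", "")) in BLOCKLISTED_SHA256:
        reasons.append("blocklisted_hash")
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("unsigned_or_invalid_signature")
    if not ev.get("ImageLoaded", "").lower().startswith(TRUSTED_DRIVER_DIR):
        reasons.append("nonstandard_path")
    return reasons


def find_edr_kill_chains(events):
    """Correlate each driver load with security-process terminations that follow it."""
    loads = [e for e in events if e["EventType"] == "Driver loaded"]
    kills = [e for e in events if e["EventType"] == "Process terminated"]
    alerts = []
    for ld in loads:
        reasons = score_driver_load(ld)
        killed = sorted({
            k["Image"].rsplit("\\", 1)[-1].lower()
            for k in kills
            if ld["Time"] <= k["Time"] <= ld["Time"] + KILL_WINDOW
            and k["Image"].rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES
        })
        if killed:
            reasons.append("security_process_kills_after_load")
        if reasons:
            alerts.append({"driver": ld["ImageLoaded"], "reasons": reasons, "killed": killed})
    return alerts


# Constructed sample: a benign Microsoft driver load, then a signed driver dropped
# under ProgramData whose load is followed within a second by two EDR process kills.
SAMPLE_LOG = f"""\
Driver loaded:
RuleName: -
UtcTime: 2026-05-02 10:05:00.000
ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys
Hashes: SHA256={"a" * 64}
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

Driver loaded:
RuleName: -
UtcTime: 2026-05-02 10:15:10.515
ImageLoaded: C:\\ProgramData\\tmp\\helper.sys
Hashes: SHA256={BAD_HASH}
Signed: true
Signature: Example Hardware Vendor Ltd
SignatureStatus: Valid

Process terminated:
RuleName: -
UtcTime: 2026-05-02 10:15:11.002
ProcessId: 4120
Image: C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe

Process terminated:
RuleName: -
UtcTime: 2026-05-02 10:15:11.250
ProcessId: 5230
Image: C:\\Program Files\\ExampleEDR\\edragent.exe
"""

if __name__ == "__main__":
    for alert in find_edr_kill_chains(parse_events(SAMPLE_LOG)):
        print(alert)
```

The second driver in the sample is validly signed, which is exactly the BYOVD case: signature checks alone pass, and it is the load path, the blocklist match and the kill burst that give it away. The correlation deliberately does not require a static indicator to fire, so a clean-looking driver followed by EDR process terminations still produces an alert.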
The commoditization of EDR evasion, now driven by highly structured RaaS operations like Gentlemen, means defenders face a persistent and evolving threat that demands threat-intelligence-led defenses and continuous validation that security controls still detect the techniques in use. The coming months will likely bring further refinements on both sides, in offensive evasion techniques and in the defensive counter-measures built to catch them.