
GentleKiller targets more than 400 security processes across 48 products

Jeff Davies 18 Jun 2026 6 min read

1. Executive summary

ESET has disclosed a portfolio of EDR-killer tools used by the ransomware-as-a-service (RaaS) operation "Gentlemen," internally branded GentleKiller, that disables endpoint security before encryption. The suite targets more than 400 process names across 48 security products and ships in at least eight variants, each abusing a different vulnerable or malicious kernel driver (BYOVD). Gentlemen emerged in late 2025, became one of the five most active RaaS operations in Q1 2026, and offers affiliates a 90% revenue share. The group uses Go-based encryptors for Windows/Linux and a C-based variant for ESXi, with victim selection partly driven by FortiGate firewall configuration. EMEA financial services entities are exposed: the group's victim geography includes Western Europe (France cited), and the EDR-killer approach materially degrades the detection layer defenders rely on during a ransomware incident.

2. Regulatory framing

Article | Trigger (fact in this item) | Practical impact
DORA Art. 17 | EDR-killer tooling is designed to defeat the ICT security controls that feed an entity's incident management process. | Affected financial entities must invoke their documented ICT-related incident management process from the moment EDR tampering is suspected; the process must cover evidence preservation despite degraded endpoint telemetry.
DORA Art. 18 | The toolset constitutes a credible cyber threat requiring classification against the entity's ICT-related incident taxonomy. | Affected entities must classify any incident involving GentleKiller against their severity schema (e.g., EDR evasion plus encryption staging = major).
DORA Art. 19 | A successful Gentlemen intrusion can escalate to a major ICT-related incident (encryption plus double-extortion data theft). | If the incident crosses the entity's "major" threshold, the reporting workflow to the competent authority must be initiated within the prescribed timeline.
NIS2 Art. 21(2)(d) | GentleKiller variants abuse third-party kernel drivers (BYOVD), a supply-chain attack vector against security software dependencies. | In-scope entities must treat driver-vendor exposure as a supply-chain risk: inventory signed-driver dependencies, monitor for unsigned or known-vulnerable driver loads, and include driver vendors in supplier due diligence.
NIS2 Art. 23 | A successful intrusion with encryption and data theft constitutes a reportable incident. | The incident-handling and reporting obligations under NIS2 Art. 23 apply; CSIRT notification timelines must be observed.
UK NIS 2018 | OES/RDSP entities (including relevant financial services operators) face ransomware impact from this actor. | OES/RDSP duties apply: incident reporting to the NCSC and the competent authority under the UK NIS Regulations 2018.

3. Technical analysis & attack chain

The Gentlemen RaaS operation distinguishes itself by centrally developing and maintaining its own EDR-killer portfolio and shipping it to affiliates, rather than leaving EDR evasion to each affiliate. The following chain reflects confirmed observations from ESET incident-response visibility and the May 2026 internal data leak.

  1. Initial access (not detailed in source). Source material does not specify the Gentlemen initial-access vector; ESET's disclosure focuses on post-compromise tooling.
  2. Reconnaissance and victim selection. Operators centrally triage candidate organisations and assign them to affiliates. Victim selection is driven in part by the configuration of the target's FortiGate firewall (per leaked internal data).
  3. Deployment of EDR-killer tooling. The core tool, GentleKiller, is staged from a directory named GentlemenCollection and is the most common EDR-killer observed in Gentlemen intrusions. It exists in at least eight variants, each impersonating a different legitimate product and abusing a different vulnerable or malicious kernel driver.
  4. BYOVD driver abuse. Each variant loads a kernel driver to gain the privileges needed to terminate protected security processes. Gentlemen adapts newly published BYOVD proofs-of-concept rapidly; two recent examples, tracked as UnknownKiller and PoisonKiller, were folded into the toolkit within days of public release.
  5. EDR process termination. The variants share a process-killing loop that runs on a timer, common strings, and the same obfuscation — pointing to a reused development template. The target set spans more than 400 process names across 48 security products.
  6. Outside-tool integration. Three additional EDR-killers were acquired from external sources and standardised to match the in-house toolset:
     - HexKiller: previously attributed to the Warlock gang.
     - ThrottleBlood: observed in MedusaLocker and DragonForce intrusions; Trend Micro linked it to Gentlemen in September 2025.
     - HavocKiller: first publicly surfaced by Huntress on 19 March 2026; ESET telemetry places its use in real intrusions back to at least 23 January 2026.
  7. Shared evasion layer. A common evasion wrapper is applied to compiled binaries, allowing the operators to protect tools whose source code they do not possess. Filenames mimic well-known security products.
  8. Encryption and extortion. Once EDR is neutralised, encryption proceeds using a Go-based encryptor for Windows, Linux, and other platforms, plus a C-based variant for ESXi. Gentlemen practices double extortion: encryption plus threatened publication of stolen data. Affiliates receive a 90% share of ransom payments.

Caveats. The source does not name specific kernel drivers, vulnerable driver CVE IDs, or the exact list of 48 targeted products. The FortiGate configuration is described as a selection criterion, not as an exploited vulnerability. Attribution to "Gentlemen" rests on ESET incident telemetry and the May 2026 internal leak; Group-IB's tracing of the group's founding to a former Qilin affiliate is consistent but does not constitute a confirmed technical link. The actor has no MITRE ATT&CK profile in our reference data; treat the Gentlemen attribution as unconfirmed outside ESET's direct observations.
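Step 5 of the chain (a timer-driven loop that keeps terminating security processes, and re-kills any agent that restarts) is detectable from process-termination telemetry alone, even when the tool names and driver hashes are unknown. The following is an added worked example, not ESET's tooling or code from the source: it runs a per-host sliding window over constructed termination events in a simple "<utc-time> <host> <image>" form and alerts when several watched security processes die inside the window, separately listing names killed repeatedly. The watched-process set is an illustrative assumption (the source gives only the scale of the target list, 400+ names across 48 products, not the names), and the thresholds are starting points to tune. Sysmon Event ID 5 records a termination but not which process caused it, so the detector keys on host and time only.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative subset of security-product process names (assumption: replace
# with the process names of the products actually deployed in your estate).
WATCHED = {
    "msmpeng.exe", "mssense.exe", "ekrn.exe", "egui.exe",
    "csfalconservice.exe", "sentinelagent.exe",
}
WINDOW = timedelta(seconds=60)   # sliding window per host
MIN_DISTINCT = 3                 # distinct watched processes killed inside WINDOW
MIN_REPEAT = 2                   # same name killed again = respawn-and-kill loop

# Constructed sample events (not real telemetry): four agents die within seconds
# on fs-01, Defender is killed again 30 s later; ws-22 sees one benign restart.
SAMPLE_EVENTS = [
    "2026-06-18T09:00:00 fs-01 C:\\Program Files\\Windows Defender\\MsMpEng.exe",
    "2026-06-18T09:00:02 fs-01 C:\\Program Files\\ESET\\ESET Security\\ekrn.exe",
    "2026-06-18T09:00:04 fs-01 C:\\Program Files\\CrowdStrike\\CSFalconService.exe",
    "2026-06-18T09:00:06 fs-01 C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe",
    "2026-06-18T09:00:07 fs-01 C:\\Windows\\System32\\notepad.exe",
    "2026-06-18T09:00:36 fs-01 C:\\Program Files\\Windows Defender\\MsMpEng.exe",
    "2026-06-18T10:15:00 ws-22 C:\\Program Files\\ESET\\ESET Security\\ekrn.exe",
]


def parse(line):
    """'<utc-time> <host> <image-path>' -> (datetime, host, lower-case basename)."""
    ts, host, image = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, image.rsplit("\\", 1)[-1].lower()


def detect_kill_loops(lines):
    """One alert per host where >= MIN_DISTINCT watched processes were terminated
    inside WINDOW. 'respawn_killed' holds names killed >= MIN_REPEAT times in the
    window, the signature of a timer loop that re-kills restarted agents."""
    alerts = {}
    windows = defaultdict(deque)          # host -> deque of (ts, image)
    for ts, host, image in sorted(parse(line) for line in lines):
        if image not in WATCHED:
            continue
        q = windows[host]
        q.append((ts, image))
        while ts - q[0][0] > WINDOW:      # drop events that fell out of the window
            q.popleft()
        names = [n for _, n in q]
        distinct = set(names)
        if len(distinct) < MIN_DISTINCT:
            continue
        alert = alerts.setdefault(host, {
            "host": host, "first_seen": q[0][0],
            "terminated": set(), "respawn_killed": set(),
        })
        alert["last_seen"] = ts
        alert["terminated"] |= distinct
        alert["respawn_killed"] |= {n for n in distinct if names.count(n) >= MIN_REPEAT}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_kill_loops(SAMPLE_EVENTS):
        print(alert)
```

Only fs-01 alerts: four distinct agents in six seconds, with MsMpEng.exe in the respawn list after the second kill. The single ekrn.exe termination on ws-22 never reaches the distinct-count threshold, which is what keeps routine product updates and reboots out of the alert stream; in production the watched set should be built from the actual image paths of your deployed agents rather than basenames alone.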

4. Mitigation & containment

P1 — within 24 hours

  • Block known tool names and staging artefacts. Add the strings GentleKiller, GentlemenCollection, HexKiller, ThrottleBlood, HavocKiller, UnknownKiller, and PoisonKiller to EDR/AV custom-indicator lists and filename deny rules. Hunt for any binary or directory matching these names on endpoints and servers.
  • Hunt for BYOVD driver loads. Enable and review kernel-driver load auditing (Sysmon Event ID 6, DriverLoad, and the Microsoft-Windows-CodeIntegrity/Operational log). Flag any driver that is unsigned, signed by a vendor not on your approved-signer list, loaded from outside the standard driver directories, or whose hash matches a known-vulnerable-driver list; block known-vulnerable driver SHA-256s as vendor advisories and public vulnerable-driver lists publish them. A valid signature is not a pass: BYOVD relies on drivers that are legitimately signed, so signer allow-listing and hash blocklisting are the controls that bite.
  • Restrict kernel-driver loading. Enable HVCI (memory integrity) where the hardware supports it, which also enables Microsoft's vulnerable driver blocklist, and enforce a WDAC policy for kernel drivers built on Microsoft's recommended driver block rules so that unsigned and blocklisted drivers cannot load.
  • EDR tamper detection. Enable tamper-protection / anti-tamper features on every security product deployed in the estate; the source does not list the 48 targeted products, so assume yours is among them. Alert on service-stop and process-kill events targeting security software.
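The driver-load hunt above is mechanical enough to script. The example below is added here and is not code from the source or from ESET: it triages constructed Sysmon Event ID 6 records (field names follow Sysmon's DriverLoad schema: ImageLoaded, Hashes, Signed, Signature, SignatureStatus; the values are made up) against three checks, a placeholder known-vulnerable hash set, an assumed approved-signer allow-list, and the standard driver directories. The placeholder hash and the "Example Hardware Vendor Ltd" signer are assumptions; in practice the hash set is populated from vendor advisories and public vulnerable-driver lists, and the signer list from the vendors you actually run. The point the sample illustrates is that a validly signed driver still scores high when its hash is blocklisted or when it is loaded from a staging directory by a non-allow-listed signer.

```python
from typing import Dict, List, Tuple

# Placeholder blocklist (assumption): populate from vendor advisories and public
# vulnerable-driver lists; "11"*32 is not a real driver hash.
KNOWN_VULNERABLE_SHA256 = {"11" * 32}

# Assumed approved signers; extend with the vendors deployed in your estate.
APPROVED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Locations a driver is normally loaded from; anything else is worth a look.
STANDARD_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed Sysmon Event ID 6 records (values made up for this example).
SAMPLE_DRIVER_LOADS: List[Dict[str, str]] = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys",
     "Hashes": "SHA256=" + "aa" * 32, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # validly signed by a third party, but staged from the GentlemenCollection directory
    {"ImageLoaded": "C:\\Users\\Public\\GentlemenCollection\\edrshield.sys",
     "Hashes": "SHA256=" + "bb" * 32, "Signed": "true",
     "Signature": "Example Hardware Vendor Ltd", "SignatureStatus": "Valid"},
    # validly signed, standard path, but hash is on the blocklist
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\legacytool.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signed": "true",
     "Signature": "Example Hardware Vendor Ltd", "SignatureStatus": "Valid"},
    # unsigned driver from a temp directory
    {"ImageLoaded": "C:\\Windows\\Temp\\helper.sys",
     "Hashes": "SHA256=" + "cc" * 32, "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
    # validly signed, standard path, signer simply not on the allow-list yet
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\vendorok.sys",
     "Hashes": "SHA256=" + "dd" * 32, "Signed": "true",
     "Signature": "Example Hardware Vendor Ltd", "SignatureStatus": "Valid"},
]


def parse_hashes(field: str) -> Dict[str, str]:
    """Sysmon 'SHA256=...,MD5=...' -> {'SHA256': '...', 'MD5': '...'} (lower-case)."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {k.strip().upper(): v.strip().lower() for k, v in pairs}


def triage(ev: Dict[str, str]) -> Tuple[str, List[str]]:
    """Score one DriverLoad event: 'high', 'medium' or 'info' plus the reasons."""
    high, medium = [], []
    sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    if sha in KNOWN_VULNERABLE_SHA256:
        high.append("SHA-256 matches known-vulnerable driver list")
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        high.append("unsigned or signature not valid")
    elif ev.get("Signature") not in APPROVED_SIGNERS:
        medium.append("signer not on allow-list: " + ev.get("Signature", ""))
    if not ev["ImageLoaded"].lower().startswith(STANDARD_DRIVER_DIRS):
        medium.append("loaded from outside the standard driver directories")
    if high or len(medium) >= 2:          # two medium signals together are high
        return "high", high + medium
    if medium:
        return "medium", medium
    return "info", []


def triage_driver_loads(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return non-info findings, highest severity first."""
    findings = []
    for ev in events:
        severity, reasons = triage(ev)
        if severity != "info":
            findings.append({"driver": ev["ImageLoaded"],
                             "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: {"high": 0, "medium": 1}[f["severity"]])


if __name__ == "__main__":
    for finding in triage_driver_loads(SAMPLE_DRIVER_LOADS):
        print(finding["severity"].upper(), finding["driver"], finding["reasons"])
```

disk.sys is not reported at all; legacytool.sys is the case to internalise, since nothing about it looks wrong until the hash is checked. vendorok.sys scores medium only, which is the queue an analyst works to grow the signer allow-list rather than an alert.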

P2 — within 72 hours

  • Validate EDR coverage. Confirm EDR agents are reporting on all Windows, Linux, and ESXi hosts; restore any agent that has been stopped or whose service is missing.
  • FortiGate configuration review. Audit FortiGate management-plane exposure and configuration; remove public management access, rotate admin credentials, and review VPN/firewall-rule changes for indicators of tampering.
  • ESXi hardening. Restrict ESXi host access, audit for the C-based Gentlemen encryptor, and validate snapshots/backup immutability.
  • Backup integrity. Verify backups are offline, immutable, and have not been touched during the suspected intrusion window.

P3 — within 7 days

  • Threat hunt. Conduct a hunt across the environment for the shared indicators (process-killing loop on a timer, shared obfuscation strings, filenames mimicking security products).
  • Driver allow-list refresh. Update WDAC / AppLocker policies to permit only known-good drivers; remove any driver that cannot be justified.
  • Tabletop exercise. Run a ransomware + EDR-evasion tabletop using Gentlemen TTPs as the scenario; validate DORA/NIS2 reporting workflows.

5. Indicators of compromise

Type      | Value                                                             | Confidence | Source
directory | GentlemenCollection                                               | High       | ESET (Help Net Security, 2026-06-18)
tool-name | GentleKiller                                                      | High       | ESET (Help Net Security, 2026-06-18)
tool-name | HexKiller                                                         | High       | ESET (Help Net Security, 2026-06-18)
tool-name | ThrottleBlood                                                     | High       | ESET (Help Net Security, 2026-06-18)
tool-name | HavocKiller                                                       | High       | ESET (Help Net Security, 2026-06-18)
tool-name | UnknownKiller                                                     | High       | ESET (Help Net Security, 2026-06-18)
tool-name | PoisonKiller                                                      | High       | ESET (Help Net Security, 2026-06-18)
behaviour | Process-killing loop running on a timer targeting security processes | Medium  | ESET (Help Net Security, 2026-06-18)

6. Detection

rule AT_GentleKiller_Strings_2026
{
    meta:
        author = "Adverse Trace"
        date = "2026-06-18"
        description = "Strings associated with the Gentlemen RaaS EDR-killer portfolio (GentleKiller and integrated tools)"
        reference = "https://www.helpnetsecurity.com/2026/06/18/eset-gentlemen-edr-killers/"

    strings:
        $d1 = "GentlemenCollection" ascii wide
        $t1 = "GentleKiller" ascii wide
        $t2 = "HexKiller" ascii wide
        $t3 = "ThrottleBlood" ascii wide
        $t4 = "HavocKiller" ascii wide
        $t5 = "UnknownKiller" ascii wide
        $t6 = "PoisonKiller" ascii wide

    condition:
        // the staging directory alone is a strong hit; tool names need two
        // matches because a shared evasion wrapper may strip or rename them
        $d1 or 2 of ($t*)
}

title: Possible GentleKiller EDR-Killer Activity
id: 8c2f1a4e-1b6e-4f3a-9c2d-7e5b4a1d2c3f
status: experimental
description: >
    Detects staging artefacts or tool names associated with the Gentlemen
    RaaS EDR-killer portfolio (GentleKiller and integrated tools).
author: Adverse Trace
date: 2026-06-18
reference: https://www.helpnetsecurity.com/2026/06/18/eset-gentlemen-edr-killers/
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_directory:
        Image|contains: '\GentlemenCollection\'
    selection_tool_names:
        - Image|contains:
            - 'GentleKiller'
            - 'HexKiller'
            - 'ThrottleBlood'
            - 'HavocKiller'
            - 'UnknownKiller'
            - 'PoisonKiller'
        - CommandLine|contains:
            - 'GentleKiller'
            - 'HexKiller'
            - 'ThrottleBlood'
            - 'HavocKiller'
            - 'UnknownKiller'
            - 'PoisonKiller'
    condition: selection_directory or selection_tool_names
falsepositives:
    - Unknown; legitimate software is not expected to use these strings.
    - Binaries renamed to mimic security products (per the source) will not match on name; pair this rule with driver-load and process-termination telemetry.
level: high

7. Sources

  • Help Net Security — "GentleKiller targets more than 400 security processes across 48 products" — https://www.helpnetsecurity.com/2026/06/18/eset-gentlemen-edr-killers/ — 2026-06-18

8. Adverse Trace position

GentleKiller represents a meaningful escalation in ransomware tradecraft: a centrally maintained, BYOVD-enabled EDR-killer portfolio that materially degrades the detection layer defenders rely on during the most time-sensitive phase of an incident. For EMEA financial services, the combination of Western European victim concentration, ESXi-capable encryption, and FortiGate-driven victim selection places this actor in the high-priority threat bucket. Severity is assessed as High for entities running any of the 48 affected security products without HVCI/WDAC enforcement, and Medium otherwise. We will continue to monitor for named driver CVEs, additional variant names, and any public IOCs (hashes, C2 infrastructure) that emerge from the Gentlemen leak or ESET follow-on reporting, and will update this advisory accordingly.



Published via PulseTrace — Adverse Trace threat intelligence.
