GentleKiller
GentleKiller is an in-house EDR-killing framework used by the Gentlemen ransomware-as-a-service operation to disable endpoint security tools prior to ransomware deployment. ESET reported it as the most prevalent EDR killer in the Gentlemen ecosystem and observed it staged in a directory named GentlemenCollection. The framework uses Bring Your Own Vulnerable Driver (BYOVD) techniques: it installs and starts vulnerable or malicious kernel-mode drivers as Windows services, then communicates with them via DeviceIoControl and other native Windows APIs to perform privileged actions in kernel space and terminate protected processes. ESET documented at least eight distinct GentleKiller variants that share strings, obfuscation patterns, and a persistent process-termination loop running roughly every two seconds. Across variants, GentleKiller targets more than 400 process names mapped to 48 security products, including major EDR and antivirus vendors.
The observed variants impersonate different legitimate products and abuse different drivers, including Kaspersky (eb.sys), FACEIT Anti-Cheat (nseckrnl.sys), Valorant (GameDriverX64.sys), Javelin/Safetica (stpm_old.sys and stpm_new.sys), Zemana WatchDog (dmx.sys), Qihoo 360 Network Blocker (360netmon_wfp.sys), IObit Cleaner (IMFForceDelete), and the PoisonX rootkit (PoisonX.sys / G11 variant). ESET documented the GentleKiller Network Blocker variant abusing the signed Qihoo driver 360netmon_wfp.sys, and the Cleaner variant dropping IMFForceDelete without the .sys extension. The IMFForceDelete abuse is tied to CVE-2019-6494, in which IOCTL 0x8016E000 allows low-privileged users to delete files regardless of access controls, supporting defense impairment by deleting protected files.
Public reporting associates GentleKiller directly with the Gentlemen RaaS gang, which centrally develops, maintains, and distributes EDR-killing tools to affiliates. Gentlemen was described as one of the most active ransomware groups in Q1 2026, using double extortion and targeting organizations across Southeast Asia, South America, and Western Europe, with victim selection reportedly driven primarily by FortiGate configuration or misconfiguration rather than geography. ESET also reported that Gentlemen rapidly integrated newly disclosed BYOVD proof-of-concept exploits such as UnknownKiller and PoisonKiller within days of public release, indicating an agile development pipeline. Detection-relevant artifacts mentioned in the reporting include the GentlemenCollection staging directory, anomalous kernel driver loading, Windows service creation for vulnerable drivers such as 360netmon_wfp and IMFForceDelete, and repeated termination of security-product processes.
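As an added, defender-side example that is not from the page's sources or from ESET: a small hunt over constructed Windows service-install (System log event ID 7045) records that flags kernel-driver services whose image name matches one of the drivers listed above, that are staged under GentlemenCollection, or that load from outside System32\drivers. The record field names and sample paths are assumptions.

```python
# Added example (not from the page's sources): hunt Windows System log
# event 7045 (new service installed) records for BYOVD driver installs tied
# to GentleKiller. Field names are assumptions; sample records are constructed.

# Driver image names the variants above are documented abusing (lower-case).
ABUSED_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys",
    "stpm_new.sys", "dmx.sys", "360netmon_wfp.sys", "imfforcedelete",
    "poisonx.sys",
}
STAGING_DIR = "gentlemencollection"


def make_event(name, kind, path):
    """Build a constructed 7045-style record (not real telemetry)."""
    return {"event_id": 7045, "service_name": name,
            "service_type": kind, "image_path": path}


# Constructed sample records; the paths and service names are made up.
SAMPLE_EVENTS = [
    make_event("WinDefendSvc", "kernel mode driver",
               r"C:\Users\Public\GentlemenCollection\360netmon_wfp.sys"),
    make_event("IMFForceDelete", "kernel mode driver",
               r"C:\ProgramData\IObit\IMFForceDelete"),
    make_event("Spooler", "user mode service", r"C:\Windows\System32\spoolsv.exe"),
    make_event("nvlddmkm", "kernel mode driver",
               r"C:\Windows\System32\drivers\nvlddmkm.sys"),
]


def classify_service_install(evt):
    """Return the reasons a 7045 record looks like a GentleKiller driver install."""
    reasons = []
    if evt.get("event_id") != 7045:
        return reasons
    path = evt.get("image_path", "").lower()
    image = path.rsplit("\\", 1)[-1]          # file name, with or without .sys
    if image in ABUSED_DRIVERS:
        reasons.append(f"known abused driver: {image}")
    if STAGING_DIR in path:
        reasons.append("staged under GentlemenCollection")
    # Legitimate kernel drivers almost always live under System32\drivers.
    if "kernel" in evt.get("service_type", "").lower() and "\\drivers\\" not in path:
        reasons.append("kernel driver loaded from outside System32\\drivers")
    return reasons


def hunt(events):
    """Map service name -> reasons for every record worth an analyst's look."""
    hits = {}
    for evt in events:
        reasons = classify_service_install(evt)
        if reasons:
            hits[evt["service_name"]] = reasons
    return hits
```

The two flagged records in the sample set are the staged Qihoo driver (three reasons) and the extension-less IMFForceDelete install (two reasons); the user-mode service and the in-place GPU driver are not flagged.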
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
ESET documents GentleKiller's Cleaner variant dropping this driver without the trailing .sys extension, and CVE-2019-6494 describes IOCTL 0x8016E000 allowing low-privileged users to delete files regardless of access controls.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Gentlemen’s operators build, maintain, and centrally distribute a full portfolio of EDR killers, anchored by an in-house framework ESET has named GentleKiller.
The most prevalent EDR killer in the group's ecosystem is GentleKiller, a self-developed tool with at least eight variants targeting more than 400 processes.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
ESET’s assessment is that all three were acquired externally by the operators and then standardized with the same defense evasion layer applied to GentleKiller: binary protection via Enigma or Themida, filenames mimicking security vendors, fabricated version information, copied digital signatures, and matching icons.
Execution (2 techniques)
Persistence (1 technique)
Stage 4 – Driver installation as a persistence/elevation step (T1543.003 – Create or Modify System Process: Windows Service). Each tool installs and starts its associated vulnerable or outright malicious kernel-mode driver as a Windows service before exploitation occurs.
Privilege Escalation (3 techniques)
CVE-2019-6494 describes IOCTL 0x8016E000 allowing low-privileged users to delete files regardless of access controls.
Stealth (8 techniques)
Use case: Impair defenses through a signed kernel driver abused by an EDR killer.
Defense Evasion, T1027 (Obfuscated Files or Information): Some executables are protected with packers (Enigma, Themida) and custom control-flow obfuscation.
This includes binary protection using Enigma or Themida and using file names that resemble well-known cybersecurity vendors, right down to their version information, digital signatures, and icons.
Stage 7 – Masquerading and obfuscation layered over the whole chain (T1036, T1036.001, T1027 – Masquerading, Masquerading: Invalid Code Signature, Obfuscated Files or Information). Every tool in the suite ... is run through the same standardization layer: commercial packers (Enigma/Themida), fabricated version information, icons copied from the impersonated vendor, and digital signatures copied from legitimate software.
Defense Evasion, T1036.001 (Masquerading: Invalid Code Signature): The protection layer adds an invalid code signature as part of the impersonation strategy.
Use case: Delete protected files and impair defenses through a vulnerable kernel driver.
Defense Impairment (1 technique)
Credential Access (1 technique)
Impact (1 technique)
IOCs tracked for this family
41 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
A tool/framework used to impair defenses by dropping and abusing the vulnerable IMFForceDelete driver to delete protected files and weaken endpoint protections.
An EDR-killer/network-blocking malware variant that abuses the signed vulnerable driver 360netmon_wfp.sys during intrusions to impair defenses.
An in-house EDR-killing framework used by the Gentlemen RaaS operation. It installs vulnerable or malicious kernel drivers as Windows services, communicates with them via native APIs, and repeatedly terminates security-product processes in a roughly two-second loop to disable defenses prior to ransomware deployment.
An in-house EDR-killing framework used to disable endpoint security products before ransomware deployment. It uses Bring Your Own Vulnerable Driver (BYOVD) techniques, has at least eight variants, targets more than 400 processes across 48 security products, and repeatedly scans for and terminates security processes at the kernel level.