
Gentlemen ransomware EDR-killer tooling

Malware Activity
H score 32
1 unique source, 1 article

Summary


The Gentlemen ransomware-as-a-service operation is actively maintaining EDR killers to blunt endpoint defenses and let affiliate attacks proceed with less detection. Its main utility, GentleKiller, has at least eight variants and impersonates legitimate products such as Kaspersky and WatchDog. The tooling uses BYOVD to gain kernel-level privileges and disable security engines, and it targets more than 400 processes across about 48 vendors/products. The suite also includes external tools such as HexKiller, ThrottleBlood, HavocKiller, and OxideHarvest.

Related Happenings

AI-built ransomware toolkit with AD discovery and EDR evasion

Malware Activity
H score 36 · First: 02.06.2026 23:01 · Last: 02.06.2026 23:01 · Sources: 1

About this happening: A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...

Vidar infostealer market rise and distribution expansion

Malware Activity
H score 30 · First: 28.04.2026 22:07 · Last: 28.04.2026 22:07 · Sources: 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
H score 57 · First: 21.04.2026 17:00 · Last: 21.04.2026 17:00 · Sources: 1

How related: The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks.

About this happening: **The Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a defensive-evasion toolkit built around **EDR killers**. ESET identified a custom utility dubbed **Gentle...

EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers

Technical Analysis
H score 24 · First: 19.03.2026 20:52 · Last: 19.03.2026 20:52 · Sources: 1

About this happening: **54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...

BlackSanta EDR killer malware activity targeting HR departments

Malware Activity
H score 20 · First: 11.03.2026 00:57 · Last: 11.03.2026 00:57 · Sources: 1

About this happening: The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...

Timeline

  1. 19.06.2026 01:31 · 2 articles · 12h ago

    Gentlemen ransomware maintains EDR killers to evade endpoint detection

    Initial Disclosure

    ESET reports that the Gentlemen ransomware-as-a-service is actively maintaining a suite of endpoint detection and response (EDR) killers led by GentleKiller, a tool with at least eight variants that impersonate legitimate security products such as Kaspersky, Valorant, Javelin, and WatchDog. The tooling uses vulnerable drivers and BYOVD to obtain kernel-level privileges, disable defenses, and target more than 400 processes across roughly 48 security vendors and products. The broader collection also includes HexKiller, ThrottleBlood, HavocKiller, and OxideHarvest. ESET also says Gentlemen appears to select victims based on FortiGate endpoint configuration.
