GentleKiller BYOVD EDR-Killing Framework Operated by The Gentlemen RaaS (hastalamuerte / Qilin lineage) — Threadlinqs Intelligence
Threat ID: TL-2026-0893 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Attribution: The Gentlemen · Russia · FINANCIAL
GentleKiller is a purpose-built endpoint-detection-and-response (EDR) killing suite developed and centrally maintained by The Gentlemen, a ransomware-as-a-service (RaaS) operation that emerged in 2025 and ranked among the most active ransomware gangs since the beginning of 2026 (ESET research, June 2026). Rather than delegating defense evasion to affiliates as most gangs do, The Gentlemen distributes a ready-to-use, standardized EDR-killer suite — materially lowering the entry barrier for affiliates and centralizing kernel-level tampering.
The framework is built around the Bring Your Own Vulnerable Driver (BYOVD) technique. Because Windows validates a driver's signature rather than the safety of its code, GentleKiller drops and loads legitimately signed but exploitable kernel-mode drivers, obtaining Ring 0 (kernel) privileges from which it issues DeviceIoControl requests to terminate protected security processes that user-mode malware cannot touch. Once a driver is loaded, GentleKiller runs a loop that periodically scans the running process list and terminates targeted processes every two seconds, defeating watchdog/respawn behavior of EDR agents. ESET reports the suite targets more than 400 processes mapped to 48 security products, including Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto Networks (Cortex), ESET, Bitdefender, Kaspersky, Trend Micro, VMware Carbon Black, Elastic, and McAfee/Trellix.
GentleKiller exists in at least eight variants, each impersonating a legitimate product and abusing a different vulnerable or malicious driver: a Kaspersky-themed variant abusing the eb.sys rootkit; a FACEIT Anti-Cheat variant abusing nseckrnl.sys (NSecsoft); a Valorant variant abusing GameDriverX64.sys; a Javelin variant abusing Safetica's stpm_old.sys / stpm_new.sys; a WatchDog/Bitdefender-themed variant abusing Zemana's dmx.sys (CVE-2022-42045); a Network Blocker variant abusing Qihoo 360's 360netmon_wfp.sys; a Cleaner variant (Deletor.exe) abusing IObit's IMFForceDelete (CVE-2025-26125) to delete EDR files; and a G11/Symantec variant abusing the PoisonX rootkit. Variants are distributed under naming-convention suffixes that denote packing and signature state: suffix '1' uses Enigma protection with a fake signature and version info, suffix '2' uses Themida protection with a fake signature, 'Light' has no binary protection but a fake signature, and 'Clear' has neither protection nor a fake signature.
Beyond its in-house variants, The Gentlemen integrates at least three external EDR killers: HexKiller (Avast-themed; abuses googleApiUtil64.sys, the Baidu Antivirus BdApi driver; previously attributed to the Warlock gang), ThrottleBlood (Sent-themed; abuses ThrottleBlood.sys, a TechPowerUp driver; observed in MedusaLocker and DragonForce intrusions), and HavocKiller / HwAudKiller (Sophos-themed; abuses havoc.sys, a Huawei Audio driver; operational since January 23, 2026 and publicly disclosed March 19, 2026). The operation also fields OxideHarvest (aka buildx641), a Rust-written credential stealer maintained by affiliate 'quant' that harvests credentials from 19 Chromium-based and 8 Gecko-based browsers, and uses the SystemBC proxy botnet (1,570+ hosts believed to be corporate victims) for C2 and pivoting.
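The two behaviours the record above singles out for detection, a load of one of the named abused drivers and the two-second termination loop against security processes, can be checked over endpoint telemetry. The following is an added defender-side example, not code from this record or from ESET; the driver file names come from the variants listed above, while the security process names, the event record format and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Driver file names the record above ties to GentleKiller variants and the third-party killers it bundles.
ABUSED_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys", "stpm_new.sys",
    "dmx.sys", "360netmon_wfp.sys", "googleapiutil64.sys", "throttleblood.sys", "havoc.sys",
}
# Assumption: a small representative set of EDR/AV process names, not ESET's full list of 400+.
SECURITY_PROCS = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe", "ekrn.exe"}

# Constructed sample telemetry (Sysmon-like driver-load and process-termination records), not real logs.
SAMPLE_EVENTS = [
    {"type": "DriverLoad", "time": "2026-03-01T10:00:00", "image": "C:\\Windows\\Temp\\dmx.sys"},
    {"type": "DriverLoad", "time": "2026-03-01T10:00:01", "image": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"type": "ProcessTerminate", "time": "2026-03-01T10:00:02", "source": "svc_update.exe", "target": "MsMpEng.exe"},
    {"type": "ProcessTerminate", "time": "2026-03-01T10:00:03", "source": "services.exe", "target": "ekrn.exe"},
    {"type": "ProcessTerminate", "time": "2026-03-01T10:00:04", "source": "svc_update.exe", "target": "SentinelAgent.exe"},
    {"type": "ProcessTerminate", "time": "2026-03-01T10:00:06", "source": "svc_update.exe", "target": "MsMpEng.exe"},
]

def find_abused_driver_loads(events):
    """Return (time, driver) for every driver load whose file name is a known-abused driver."""
    hits = []
    for ev in events:
        if ev["type"] == "DriverLoad":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in ABUSED_DRIVERS:
                hits.append((ev["time"], name))
    return hits

def find_kill_loops(events, max_gap_s=2.5, min_kills=3):
    """Map source process -> kill count for sources that terminate security processes
    at least min_kills times with no more than max_gap_s between kills (the two-second loop).
    A single termination, e.g. a service restart, never reaches min_kills and is not flagged."""
    kills = defaultdict(list)
    for ev in events:
        if ev["type"] == "ProcessTerminate" and ev["target"].lower() in SECURITY_PROCS:
            kills[ev["source"]].append(datetime.fromisoformat(ev["time"]))
    flagged = {}
    for src, times in kills.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_kills and all(g <= max_gap_s for g in gaps):
            flagged[src] = len(times)
    return flagged

if __name__ == "__main__":
    print(find_abused_driver_loads(SAMPLE_EVENTS))  # [('2026-03-01T10:00:00', 'dmx.sys')]
    print(find_kill_loops(SAMPLE_EVENTS))           # {'svc_update.exe': 3}
```

On real telemetry the driver-name match should be paired with a hash or publisher check, since the same file names can also appear in legitimate installs of the impersonated products.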
The Gentlemen was founded by 'hastalamuerte' — identified by reporting as Alexander Andreevich Yapaev, a 36-year-old Russian national from Izhevsk and a former Qilin affiliate — and offers affiliates an unusually high 90% revenue share. Victimology skews away from the United States, concentrating on Southeast Asia, South America, and Western Europe (including unusual targets such as Thailand, Brazil, and France); victim selection is driven primarily by exposed/misconfigured FortiGate appliances rather than geography. Per Ransomware.live the group has claimed roughly 504 victims. This record is defensive threat intelligence to drive detection of BYOVD driver loads, EDR-tampering process terminations, and the name
Weaknesses (CWE)
CWE-822, CWE-269, CWE-749
Target sectors: multiple, corporate enterprises, managed service providers
Target regions: Southeast Asia, South America, Western Europe
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 28 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
Tags: MALWARE, HIGH, threat intelligence, cybersecurity · CVEs: CVE-2022-42045, CVE-2025-26125 · MITRE ATT&CK: T1587.001, T1588.002, T1059.003, T1106, T1543.003, T1068, T1562.001, T1036, T1036.001, T1027