Cybersecurity · June 20, 2026 · via Security Affairs

The Gentlemen’s secret weapon: a centralized EDR-killer suite


In late 2025 a new ransomware crew began quietly arming affiliates with a ready-to-use toolkit that disables endpoint detection and response systems before the main payload even launches. Security researchers now describe how The Gentlemen centralized the process by distributing a standardized “EDR-killer suite,” making it far easier for attackers to bypass defenses and encrypt victim files.

A one-stop shop for disabling defenses

Most ransomware gangs still expect affiliates to hunt down their own utilities for silencing security software. The Gentlemen decided to handle the problem for them. Internal chats leaked in May 2026 show the group’s leader, known as zeta88, supplying affiliates with pre-packaged tools that combine legitimate-looking installers with malicious kernel drivers. ESET’s six-month investigation, published June 18, confirms that this centralized approach lowers the entry barrier for attackers and shortens the time between compromise and encryption.

GentleKiller: eight variants, one shared template

At the core of the suite sits GentleKiller, an in-house framework that already exists in at least eight distinct variants. Each variant masquerades as a different legitimate product while abusing vulnerable or malicious drivers via the Bring Your Own Vulnerable Driver technique. The variants target drivers from vendors such as Kaspersky, FACEIT Anti-Cheat, Valorant, Javelin, Safetica, Zemana, Qihoo 360, IObit and the PoisonX rootkit. Once installed, GentleKiller searches for more than 400 processes belonging to 48 security products—including CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Carbon Black and ESET itself—before disabling them.
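As an added example that is not from the article or from ESET's report, the following Python sketches the correlation a defender can run over Sysmon-style driver-load and process-terminate events: a driver signed by one of the vendors named above, followed within a short window by termination of several security-product processes. The event shape, both watchlists and the sample log lines are constructed assumptions; the EDR image names are illustrative, not a complete product list.

```python
from datetime import datetime, timedelta

# Constructed watchlists. Vendor names are the ones the article says GentleKiller
# abuses via BYOVD; the security-product image names are illustrative only.
ABUSED_DRIVER_SIGNERS = {"kaspersky", "faceit", "valorant", "javelin",
                         "safetica", "zemana", "qihoo", "iobit"}
SECURITY_IMAGES = {"csfalconservice.exe", "sentinelagent.exe", "msmpeng.exe",
                   "savservice.exe", "cb.exe", "ekrn.exe"}
WINDOW = timedelta(seconds=120)   # driver load -> kill burst correlation window
KILL_THRESHOLD = 3                # distinct security processes terminated

# Constructed sample events in a Sysmon-like shape: id 6 = DriverLoad, id 5 = ProcessTerminate.
SAMPLE_EVENTS = [
    {"ts": "2026-06-18T09:00:01", "id": 6, "image": r"C:\Windows\Temp\upd.sys", "signer": "Zemana Ltd."},
    {"ts": "2026-06-18T09:00:09", "id": 5, "image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"ts": "2026-06-18T09:00:10", "id": 5, "image": r"C:\Program Files\SentinelOne\SentinelAgent.exe"},
    {"ts": "2026-06-18T09:00:11", "id": 5, "image": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe"},
    {"ts": "2026-06-18T09:00:12", "id": 5, "image": r"C:\Windows\System32\notepad.exe"},
    # A legitimate AV driver load with no kill burst afterwards must not alert.
    {"ts": "2026-06-18T10:30:00", "id": 6, "image": r"C:\Windows\System32\drivers\klif.sys", "signer": "Kaspersky Lab"},
    {"ts": "2026-06-18T10:45:00", "id": 5, "image": r"C:\Program Files\ESET\ekrn.exe"},
]


def detect_edr_killer(events):
    """Return one alert per watchlisted driver load that is followed within WINDOW
    by termination of at least KILL_THRESHOLD distinct security-product processes.
    A watchlisted signer alone is not enough: these vendors' drivers load
    legitimately all the time, so the kill burst is what carries the signal."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] != 6:
            continue
        signer = ev.get("signer", "").lower()
        if not any(vendor in signer for vendor in ABUSED_DRIVER_SIGNERS):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        killed = set()
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > WINDOW:
                break
            name = later["image"].rsplit("\\", 1)[-1].lower()
            if later["id"] == 5 and name in SECURITY_IMAGES:
                killed.add(name)
        if len(killed) >= KILL_THRESHOLD:
            alerts.append({"driver": ev["image"], "signer": ev["signer"],
                           "killed": sorted(killed)})
    return alerts
```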

Speed over stealth

Researchers note that the suite’s real strength is its rapid adaptation cycle. When a new proof-of-concept for an EDR killer appears, The Gentlemen operators can integrate it into GentleKiller within days, as they did with UnknownKiller and PoisonKiller. The shared development template lets them reuse code with only minimal changes, combining quick deployment with minimal operator effort. For affiliates, the result is a plug-and-play solution that removes much of the technical friction once required to pull off a ransomware attack.


Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.
