Overview
- ESET’s mid-June 2026 analysis, corroborated by a May internal leak, shows Gentlemen builds and distributes a standardized EDR-killer portfolio called GentleKiller for its affiliates.
- GentleKiller comprises at least eight variants, each loading a different vulnerable or malicious kernel driver (bring-your-own-vulnerable-driver, BYOVD) to obtain kernel-level execution and terminate more than 400 processes tied to roughly 48 security products.
- The operators dress up the binaries with commercial protectors, fake vendor version info, copied icons and code signatures that do not verify, and they have standardized externally sourced EDR killers such as HexKiller, ThrottleBlood, and HavocKiller.
- ESET found the group rapidly adopts public BYOVD proofs of concept, folding newly published driver exploits into GentleKiller within days, and the toolkit is deployed alongside a Rust-based credential stealer called OxideHarvest.
- Because operators centrally pick victims based on FortiGate configurations and hand affiliates ready-to-use EDR killers, defenders face faster, harder-to-detect intrusions and greater attribution challenges.
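The fourth point above describes how the binaries are dressed up: fake vendor version info, copied icons and signatures that do not verify. The following PowerShell is an added triage check, not tooling from ESET or from the page; it walks a directory (the default path is an assumption) and flags files whose Authenticode signature does not verify or whose VersionInfo CompanyName does not appear in the signing certificate's subject, which is the mismatch that copied vendor strings produce. The `Find-SuspiciousBinary` function name is mine.

```powershell
# Added example: triage check for binaries with non-verifying signatures or
# a VersionInfo CompanyName that does not match the signer. Not from the
# ESET report; the scanned path is an assumption.
function Find-SuspiciousBinary {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe,*.dll,*.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file    = $_
        $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
        $vi      = $file.VersionInfo
        $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $company = $vi.CompanyName

        $flags = @()

        # Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) is worth a look.
        if ($sig.Status -ne 'Valid') { $flags += "signature=$($sig.Status)" }

        # A vendor name in the resource table that the signer's subject does not carry
        # is the pattern copied version info produces on a file signed by someone else.
        if ($company -and $signer -and $signer -notlike "*$company*") {
            $flags += 'companyname-not-in-signer'
        }

        # Vendor strings present but no signature at all: fake version info on an unsigned file.
        if ($company -and $sig.Status -eq 'NotSigned') { $flags += 'vendor-strings-unsigned' }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Path        = $file.FullName
                SigStatus   = $sig.Status
                Signer      = $signer
                CompanyName = $company
                ProductName = $vi.ProductName
                Flags       = ($flags -join ';')
            }
        }
    }
}

# Example run over a staging directory (assumed path); narrow the filters to your estate.
Find-SuspiciousBinary -Path 'C:\Users\Public' | Format-Table -AutoSize
```

The CompanyName-to-subject comparison is a substring match and will be noisy: subsidiaries, re-signed installers and legitimately unsigned tools all trip it, so treat the output as a triage feed to review alongside driver-load telemetry, not as a verdict. Files signed with a revoked or untrusted certificate show up under the signature flag with their status string, which is the field to sort on first.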