
The ransomware group known as the Gentlemen has begun using a custom toolkit called GentleKiller to shut down endpoint defences before launching encryption attacks, according to analysis from ESET published today.
The framework uses a Bring Your Own Vulnerable Driver (BYOVD) technique, abusing legitimately signed but vulnerable kernel drivers to terminate more than four hundred security processes across forty-eight different products. Researchers note that the kit comes in eight distinct variants that masquerade as legitimate utilities, a detail highlighted in a report by Infosecurity Magazine earlier this week.
Unlike many ransomware operations that rely on publicly disclosed vulnerabilities, the Gentlemen maintain their own driver exploits and have not tied GentleKiller to any CVE identifiers. The group also fields a credential stealer written in Rust, nicknamed OxideHarvest, which is distributed to affiliates alongside the killer framework.
Active since late 2025, the gang had claimed more than five hundred victims by the first quarter of 2026, focusing on organisations in Southeast Asia, South America and Western Europe rather than the United States. This regional targeting pattern was outlined in a piece by Security Affairs last month.
Defenders should enforce strict kernel-mode code signing policies, monitor for the loading of unknown or unsigned drivers, and enable hardware-based memory integrity features where available. Security teams are also advised to hunt for the process names known to be associated with GentleKiller variants and to keep behaviour-based EDR signatures up to date to catch process-termination attempts.
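The following PowerShell script is an added example of how a defender might check the controls listed above on a single Windows host; it is not code from ESET, from the article, or from the threat actor. It assumes Sysmon is installed with driver-load logging (Event ID 6) enabled, and the publisher allow-list and the suspect process names are constructed placeholders rather than real indicators from the report.

```powershell
# Added example, not from the ESET report or the article.
# Assumes Sysmon is installed with driver-load logging (Event ID 6) enabled.
# $KnownGoodPublishers and $SuspectProcessNames are constructed placeholders;
# replace them with your own allow-list and the indicator names from vendor reporting.

$KnownGoodPublishers = @('Microsoft Windows', 'Microsoft Corporation')   # placeholder allow-list
$SuspectProcessNames = @('PLACEHOLDER-gentlekiller-variant')            # placeholder, no .exe suffix

function Get-HvciState {
    # Win32_DeviceGuard reports which virtualization-based security services are running.
    # VirtualizationBasedSecurityStatus 2 = VBS running; SecurityServicesRunning contains 2 when
    # HVCI (memory integrity) is active and 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-SuspiciousDriverLoads {
    param([int]$Days = 7)
    # Sysmon Event ID 6 is written once per kernel driver load.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 6
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Sysmon stores its fields as <Data Name="...">; pull them into a hashtable.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        # A BYOVD driver passes the signature check by design, so the allow-list
        # and path checks are the ones that tend to surface it.
        $reasons = @()
        if ($d.Signed -ne 'true')                           { $reasons += 'unsigned' }
        if ($d.SignatureStatus -ne 'Valid')                 { $reasons += "signature $($d.SignatureStatus)" }
        if ($KnownGoodPublishers -notcontains $d.Signature) { $reasons += 'publisher not on allow-list' }
        if ($d.ImageLoaded -notlike "$env:SystemRoot\System32\drivers\*") {
            $reasons += 'loaded from outside System32\drivers'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Driver  = $d.ImageLoaded
                Signer  = $d.Signature
                Hashes  = $d.Hashes
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

function Get-SuspectProcesses {
    # ProcessName from Get-Process carries no extension, so the placeholder list must not either.
    Get-Process | Where-Object { $SuspectProcessNames -contains $_.ProcessName } |
        Select-Object Id, ProcessName, Path
}

# Run the three checks and print a short report.
$hvci = Get-HvciState
if (-not $hvci.HvciRunning) { Write-Warning 'Memory integrity (HVCI) is not running on this host.' }
if (-not $hvci.VbsRunning)  { Write-Warning 'Virtualization-based security is not running on this host.' }
Get-SuspiciousDriverLoads -Days 7 | Format-Table -AutoSize
Get-SuspectProcesses | Format-Table -AutoSize
```

Because a BYOVD driver is validly signed, the "unsigned" and "signature invalid" checks alone will not catch it; the publisher allow-list and the load-path check carry most of the weight, and pairing them with Microsoft's vulnerable driver blocklist (enforced through HVCI or WDAC) covers the drivers that signature checks accept. The driver hashes in the output can be compared against vendor indicators as they are published.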