
The Gentlemen Built EDR-Killer-as-a-Service. We Have Been Blocking Their Infrastructure Since April 20.

  • Writer: Patrick Duggan

ESET published the autopsy this week and it is worth your time. The crew is called The Gentlemen, the tool is called GentleKiller, and the business model is the part that should keep you up at night. They are not selling ransomware. They are selling the thing that turns your endpoint protection off before the ransomware ever runs.


I want to be precise about who did the work here, because credit matters. Jakub Souček and the ESET research team wrote "Killing me gently: Inside Gentlemen's EDR killer framework." Check Point Research published "Thus Spoke The Gentlemen" off a partial leak of the group's own internal chat database, a leak the group's administrator admitted on May 4. Group-IB corroborated. That is three independent vendors converging on the same crew in the same quarter. We did not discover GentleKiller. ESET did. What we did was quieter, and it started two months earlier.


On April 20 we pulled Check Point's Gentlemen infrastructure indicators into our feed under the source tag checkpoint-gentlemen-2026-04-20. Thirty indicators. Since that morning, every customer pulling our STIX feed and every site running the DugganUSA edge-shield Worker has been dropping that infrastructure at the door. Not because we predicted the EDR-killer framework, but because the infrastructure was already dirty and we had already seen it. The ESET report this week is the headline. The two months of silent blocking underneath it is the product.


Here is what The Gentlemen actually built, and why "EDR-killer-as-a-service" is the right name for it.


GentleKiller is an in-house framework, not a one-off tool. ESET counted at least eight variants. Each one loads a vulnerable or outright malicious driver that carries a valid signature, so Driver Signature Enforcement lets it in, and then uses that driver's bug as a kernel-mode primitive. From the kernel it does the one thing a security agent cannot survive, because protected-process flags and tamper protection are enforced only against user-mode callers: it reaches down and terminates the processes that are supposed to be watching. The technique is BYOVD, Bring Your Own Vulnerable Driver, and it is old. What is new is the catalog. GentleKiller targets more than 400 process names mapped to 48 separate security products. Microsoft Defender. CrowdStrike Falcon. SentinelOne. Sophos. Palo Alto Networks Cortex. ESET itself. Bitdefender. Kaspersky. McAfee and Trellix. If your EDR is on the leaderboard, it is on their list.


And they did not stop at their own code. The Gentlemen operationally integrated three third-party EDR killers, the ones the underground calls HexKiller, ThrottleBlood, and HavocKiller. When a new EDR-killer proof of concept drops on GitHub, the crew folds it in. ESET's phrase for this is that the group can rapidly adapt newly released PoCs. That is the entire thesis of this blog in five words. The capability is acquired, not refined. You do not need a kernel exploit team if you can shop for one every week.


The numbers around the crew make the framework matter. The Gentlemen emerged around the middle of 2025. In the first five months of 2026 they posted 332 victims on their data leak site, which puts them second among all ransomware-as-a-service operations by published-victim volume. That is not a boutique. That is an assembly line, and the EDR killer is the station on the line that everything else depends on. Encrypt-and-extort only works if the alarm never rings. GentleKiller is how they cut the wire. Their victims cluster across Southeast Asia, South America, and Western Europe, which tells you this is volume-driven and geography-agnostic. They are not hunting a flag. They are hunting unpatched drivers and switched-off telemetry, wherever those live.


I have written some version of this pattern enough times this year that it has stopped feeling like a coincidence and started feeling like the shape of the market. In April it was the supply-chain crews shopping for install-time execution. In June it was Qilin burning a Check Point VPN zero-day two days after I said the edge appliance was the initial-access surface of the era. Now it is The Gentlemen turning defense evasion into a product their affiliates subscribe to. The adversary economy specializes the same way the defender economy does. Somebody builds the door-kicker. Somebody builds the alarm-killer. Somebody builds the encryptor. They rent the parts to each other. The lone genius in a hoodie was always a myth, and GentleKiller is the receipt.


So what do you actually do, given that a competent crew can turn off your specific EDR by name?


First, BYOVD dies at the driver policy. Microsoft's vulnerable driver blocklist exists, it ships with Windows (it is on by default on recent Windows 11 builds and wherever memory integrity, HVCI, is enabled), and it is off or stale on most of the machines I look at. Turn it on. Keep it current: the copy baked into a given Windows build lags the list Microsoft publishes, and you can enforce the newer one through a WDAC policy. Understand what it is, too. A blocklist stops the drivers somebody has already catalogued; an allowlist, a WDAC driver policy that permits only the drivers your fleet actually needs, stops the one nobody has catalogued yet, and it is the stronger control if you can operate it. The eight GentleKiller variants all depend on a driver getting loaded that should never have been allowed to load.


Second, watch for the kill, not just the malware. When an endpoint's protection service dies and does not come back, that is not a glitch, that is stage one of a ransomware detonation. Your SIEM should scream when Defender or Falcon or SentinelOne stops reporting. Tamper protection and a watchdog that alerts on its own silence are worth more this quarter than another signature feed, with one caveat: tamper protection defends the agent against user-mode callers, and a kill issued from a kernel driver walks past it, so the heartbeat that fires from outside the endpoint is the signal you can still trust. The kill is also rarely clean. The driver load and the agent's termination land in the telemetry seconds apart, and an agent process that stops without a matching restart is a correlation a SIEM can make from two events, provided it is still receiving them.
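As an added example (not code from this post, from ESET, or from DugganUSA), here is the correlation the first two points add up to: replay Sysmon-style records, flag a watched agent that terminates and does not come back, and raise severity when a driver was loaded from outside the normal driver directory shortly before the kill. The agent names, file paths, and sample telemetry are constructed, and the unusual-path check is a heuristic that stands in for, and does not replace, the vulnerable driver blocklist.

```python
"""Correlate 'the kill': EDR agent terminated and not restarted, optionally
preceded by a BYOVD-shaped driver load. Added example; events are constructed
Sysmon-style records (EventID 6 DriverLoad, 5 ProcessTerminate, 1 ProcessCreate).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# ASSUMPTION: a short illustrative list, not the 400+ names in GentleKiller's catalog.
WATCHED_AGENTS = {"MsMpEng.exe", "CSFalconService.exe", "SentinelAgent.exe"}

# Legitimate drivers normally live here; a load from elsewhere is BYOVD-shaped.
# Heuristic only: it does not replace Microsoft's vulnerable driver blocklist.
NORMAL_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

RESTART_GRACE = timedelta(seconds=60)   # time the agent gets to come back
DRIVER_WINDOW = timedelta(seconds=120)  # driver load this close before a kill is linked to it


@dataclass
class Alert:
    severity: str          # "high" or "medium"
    agent: str             # terminated agent executable name
    reason: str
    driver: str | None = None


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["UtcTime"])


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def correlate(events: list[dict], now: datetime) -> list[Alert]:
    """Replay events in time order. A watched agent that terminates and is not
    recreated within RESTART_GRACE is an alert; if an unusual-path driver load
    preceded the kill within DRIVER_WINDOW the alert is high, and even a restart
    after such a load is still reported at medium."""
    alerts: list[Alert] = []
    odd_driver_loads: list[tuple[datetime, str]] = []
    pending: dict[str, tuple[datetime, str | None]] = {}  # agent -> (kill time, linked driver)

    for ev in sorted(events, key=_ts):
        t = _ts(ev)
        if ev["EventID"] == 6:
            # Real Sysmon 6 records also carry Hashes/Signature fields; not used here.
            path = ev["ImageLoaded"]
            if not path.lower().startswith(NORMAL_DRIVER_DIR):
                odd_driver_loads.append((t, path))
        elif ev["EventID"] == 5:
            name = _basename(ev["Image"])
            if name in WATCHED_AGENTS:
                linked = next((p for lt, p in reversed(odd_driver_loads)
                               if timedelta(0) <= t - lt <= DRIVER_WINDOW), None)
                pending[name] = (t, linked)
        elif ev["EventID"] == 1:
            name = _basename(ev["Image"])
            if name in pending:
                killed_at, drv = pending.pop(name)
                if drv is not None:
                    alerts.append(Alert("medium", name, "killed after unusual driver load, then restarted", drv))
                elif t - killed_at > RESTART_GRACE:
                    alerts.append(Alert("medium", name, "restarted only after the grace window"))
                # plain stop/start inside the grace window: ordinary restart, no alert

    for name, (killed_at, drv) in pending.items():
        if now - killed_at < RESTART_GRACE:
            continue  # still inside the grace window; decide on the next pass
        if drv is not None:
            alerts.append(Alert("high", name, "killed after unusual driver load and did not come back", drv))
        else:
            alerts.append(Alert("medium", name, "terminated and did not come back"))
    return alerts


# Constructed sample telemetry (not real logs); paths and driver name are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-06-10T08:00:00", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"EventID": 5, "UtcTime": "2026-06-10T08:30:00", "Image": "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe"},
    {"EventID": 1, "UtcTime": "2026-06-10T08:30:09", "Image": "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe"},
    {"EventID": 6, "UtcTime": "2026-06-10T09:00:00", "ImageLoaded": "C:\\ProgramData\\upd\\svcdrv.sys"},
    {"EventID": 5, "UtcTime": "2026-06-10T09:00:07", "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2026-06-10T09:00:08", "Image": "C:\\Program Files\\CrowdStrike\\CSFalconService.exe"},
    {"EventID": 1, "UtcTime": "2026-06-10T09:00:20", "Image": "C:\\Program Files\\CrowdStrike\\CSFalconService.exe"},
]


def demo(now: datetime = datetime.fromisoformat("2026-06-10T09:05:00")) -> dict[str, Alert]:
    """Run the rule over the constructed sample, keyed by agent name."""
    return {a.agent: a for a in correlate(SAMPLE_EVENTS, now)}


if __name__ == "__main__":
    for a in demo().values():
        print(f"[{a.severity.upper()}] {a.agent}: {a.reason}" + (f" (driver: {a.driver})" if a.driver else ""))
```

On the constructed sample the SentinelAgent stop/start is an ordinary restart and produces nothing, the CrowdStrike service comes back but was killed seconds after an unusual driver load and is reported at medium, and Defender's MsMpEng.exe never returns and is reported at high with the driver attached. The grace window is the design choice to think about: too short and every agent upgrade pages someone, too long and the encryptor is already running when the alert fires.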


Third, take the infrastructure off the board before it reaches the kernel. This is the part we can hand you today. The thirty Gentlemen indicators we ingested on April 20 are live in our feed right now, confidence-scored, attributed to Check Point's original research, flowing into ips.csv and out to the edge. If you consume the DugganUSA STIX feed, you already have them. If you do not, that is a free registered key and about five minutes of TAXII configuration away.
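As an added example, and not the DugganUSA feed's own client code, here is the STIX 2.1 side of that turned into rows for an ips.csv: parse a bundle, drop revoked, expired, non-STIX-pattern and low-confidence indicators, and pull the network observables out of each pattern, including compound OR patterns. The bundle and its addresses are constructed (RFC 5737 documentation ranges and an example.net name, not Gentlemen infrastructure), and the x_source_tag custom property is an assumed stand-in for the feed's source tag. Fetching the bundle is left out; any TAXII 2.1 client that hands back the envelope's objects plugs into extract_rows.

```python
"""Extract blocklist rows from a STIX 2.1 indicator bundle. Added example with a
constructed bundle; x_source_tag is an ASSUMED custom property."""
import csv
import io
import json
import re
from datetime import datetime, timezone

# One comparison expression per match; negated (!=) comparisons do not match and are ignored.
_OBSERVABLE_RE = re.compile(r"(ipv4-addr|ipv6-addr|domain-name):value\s*=\s*'([^']+)'")

# Constructed sample bundle (documentation addresses, placeholder ids).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[ipv4-addr:value = '203.0.113.10']", "pattern_type": "stix",
         "valid_from": "2026-04-20T09:00:00Z", "valid_until": "2026-12-31T00:00:00Z",
         "confidence": 85, "x_source_tag": "checkpoint-gentlemen-2026-04-20"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '198.51.100.23' OR ipv4-addr:value = '198.51.100.24']",
         "pattern_type": "stix", "valid_from": "2026-04-20T09:00:00Z",
         "confidence": 70, "x_source_tag": "checkpoint-gentlemen-2026-04-20"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[ipv4-addr:value = '203.0.113.99']", "pattern_type": "stix",
         "valid_from": "2026-03-01T00:00:00Z", "valid_until": "2026-05-01T00:00:00Z",   # expired
         "confidence": 90, "x_source_tag": "checkpoint-gentlemen-2026-04-20"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[ipv4-addr:value = '192.0.2.5']", "pattern_type": "stix",
         "valid_from": "2026-04-20T09:00:00Z", "confidence": 30,                         # low confidence
         "x_source_tag": "checkpoint-gentlemen-2026-04-20"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern": "[domain-name:value = 'c2.example.net']", "pattern_type": "stix",
         "valid_from": "2026-05-04T00:00:00Z", "confidence": 60, "x_source_tag": "example-other-source"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000006",
         "pattern": "rule x { strings: $a = \"abc\" condition: $a }", "pattern_type": "yara",  # not a network observable
         "valid_from": "2026-04-20T09:00:00Z", "confidence": 80},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000007",
         "pattern": "[ipv4-addr:value = '203.0.113.77']", "pattern_type": "stix",
         "valid_from": "2026-04-20T09:00:00Z", "confidence": 95, "revoked": True},       # revoked
    ],
})


def _parse_ts(value: str) -> datetime:
    """STIX timestamps are RFC 3339 UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_rows(bundle: dict, now: datetime, min_confidence: int = 0) -> list[dict]:
    rows = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # yara/snort/sigma patterns carry no network observables
        if "valid_until" in obj and _parse_ts(obj["valid_until"]) <= now:
            continue  # expired indicators must age out of the blocklist
        confidence = obj.get("confidence", 0)
        if confidence < min_confidence:
            continue
        source = obj.get("x_source_tag", "")  # ASSUMED custom property
        for kind, value in _OBSERVABLE_RE.findall(obj["pattern"]):
            rows.append({"indicator": value, "type": kind, "confidence": confidence,
                         "source": source, "valid_until": obj.get("valid_until", "")})
    rows.sort(key=lambda r: (r["type"], r["indicator"]))
    return rows


def to_csv(rows: list[dict]) -> str:
    """Serialise rows in the shape an edge blocklist loader would read."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["indicator", "type", "confidence", "source", "valid_until"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def demo(min_confidence: int = 50) -> list[dict]:
    now = datetime(2026, 6, 10, tzinfo=timezone.utc)
    return extract_rows(json.loads(SAMPLE_BUNDLE), now, min_confidence)


if __name__ == "__main__":
    print(to_csv(demo()), end="")
```

The expiry check is the part people skip and then regret: a STIX indicator with a valid_until in the past is the feed telling you the host has rotated, and leaving it in the blocklist only adds false positives once the address is reassigned. The confidence threshold is the other knob; the constructed 30-confidence entry is dropped at the demo's threshold of 50 and would be kept at 0.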


I will give you the honest 95 percent on this. Blocking known infrastructure does not stop a crew that rotates hosts, and a driver blocklist does not stop a driver nobody has catalogued yet. There is no clean win here. But the gap between "ESET published it this week" and "your feed has been dropping it since April" is exactly the gap we exist to close. The headline is theirs. The two-month head start is ours, and now it is yours.


Read the primary research. ESET's "Killing me gently" and Check Point's "Thus Spoke The Gentlemen" are the source of truth on the framework. Then go check whether your vulnerable driver blocklist is actually on.





