defense · TheHackerNews
The Gentlemen ransomware-as-a-service operation has developed and distributed a suite of endpoint detection and response (EDR) killer tools to its affiliates, centered on a framework called GentleKiller. According to ESET research, GentleKiller exists in eight variants that target 400 processes associated with 48 security programs by abusing vulnerable or malicious drivers through bring-your-own-vulnerable-driver (BYOVD) attacks. The tools impersonate legitimate security vendors using fake version information, copied certificates, and icons. The Gentlemen has also incorporated third-party tools such as HexKiller, ThrottleBlood, and HavocKiller. Since emerging in March 2025, the group has claimed over 500 victims primarily in Southeast Asia, South America, and Western Europe.
For defense contractors handling controlled unclassified information (CUI), this threat reinforces the criticality of endpoint protection controls required under CMMC Level 2 and NIST 800-171. SaaS and healthcare organizations subject to SOC2 Type II audits should assess whether their EDR deployments include hardening against kernel-level attacks and BYOVD exploitation. Organizations relying on EDR as a primary security control should understand that administrative compromise remains a prerequisite for these attacks—meaning privileged access management (PAM) and multi-factor authentication for administrative accounts are foundational mitigations. An Omniware engagement can scope your organization's EDR architecture, driver trust model exposure, and compensating controls in detail.
Source: The Hacker News - https://thehackernews.com/2026/06/the-gentlemen-raas-uses-gentlekiller.html
Source: TheHackerNews
All briefings