Blog · Security news

EDR evasion is now a shipped product. Your agent's silence is the only alarm left.

The Gentlemen ransomware gang ships a standardized EDR killer to affiliates using BYOVD. Here is why driver-name hunting fails and what to detect instead.


EDR evasion used to mark a capable ransomware affiliate. Knocking out endpoint detection before the encryptor ran took a working kernel exploit and the skill to deploy it without crashing the host. That barrier is gone. A ransomware-as-a-service operation called the Gentlemen has turned blinding your security agent into a packaged, versioned product and hands it to every affiliate as a standard part of the kit. The real story is not another EDR killer. It is that EDR killing is now a managed feature, which means you can no longer assume only the sophisticated intruder can go dark on your sensors.

ESET documented the toolset in research published on June 18, 2026. The Gentlemen surfaced in late 2025 and grew into one of the most active gangs of early 2026, running a 90% affiliate revenue split. BleepingComputer reported the crew claims more than 470 victims across over 70 countries, an unusually global spread rather than the United States-heavy targeting most ransomware shows.

What actually changed: EDR killing became a product line

Most ransomware operations leave defense evasion to the affiliate. Gentlemen centralized it. ESET found a tool it named GentleKiller in at least eight distinct variants, each impersonating a piece of legitimate software and each paired with a different vulnerable kernel driver. The variants pose as Kaspersky antivirus, the game Valorant, the anti-cheat service FACEIT, and enterprise tools like WatchDog, among others. Once running with kernel privileges, GentleKiller loops over the process list and terminates more than 400 processes mapped to roughly 48 security products, including Microsoft Defender, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, and ESET's own.

The suite does not stop at the gang's own code. It folds in third-party killers already seen with other crews: HexKiller, ThrottleBlood (previously observed alongside DragonForce), and HavocKiller, plus a Rust credential stealer ESET calls OxideHarvest. Affiliates get a defense-evasion menu they never had to build. That is the shift in the threat model: the question is no longer whether an affiliate is skilled enough to blind your EDR, but whether they bothered to run the tool they were handed. Assume they did.

Why hunting for the driver name will fail you

All eight variants use the same underlying technique, bring your own vulnerable driver (BYOVD): the attacker installs a legitimately signed driver that contains a known flaw, then abuses that flaw to run code in the kernel, where it outranks your security agent. Because the drivers are real and carry valid signatures, signature-based antivirus has no reason to flag them on its own. ESET also noted Gentlemen can operationalize a newly disclosed driver proof-of-concept within days, so any blocklist that only covers last quarter's drivers will lag the gang.

This breaks filename-based hunting. The variants rotate through drivers like eb.sys, GameDriverX64.sys, nseckrnl.sys, and dmx.sys, and the next campaign will use one you have not seen. Writing a detection for the specific filenames in this report is fighting the last war. The constant is the behavior, not the binary: a rarely-seen signed driver loading on a server, followed by security processes dying.

The signal you can actually rely on is silence

Here is the uncomfortable part. When GentleKiller succeeds, your EDR agent does not throw an error. It stops reporting. A blinded agent and a healthy agent on a quiet host look identical from the console: no alerts either way. Most monitoring reacts to events, so the absence of events sails straight through. We have made a version of this point before, about Microsoft Defender being turned against itself, and about the detection window that closes the moment a malicious driver loads.

So the highest-value detection you can add this week is not a new indicator. It is an alarm on the gap. Alert when an endpoint that normally streams telemetry goes quiet, when a security service or driver is stopped, or when tamper-protection events fire. Treat a silent agent as an incident to investigate, not a monitoring outage to mute.
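As an added example (not code from the original post, from ESET, or from any vendor), here are the two detections described above in working form: the behavioral rule, a rarely-seen driver loading followed by security processes dying on the same host, and the telemetry-gap rule, a host whose agent stops checking in. It is written in Python over constructed sample events. The event schema, the short stand-in list of security-process names, the fleet-prevalence baseline and the hash labels (h_rare, h_common) are all assumptions made for illustration; a real deployment reads these from the EDR or SIEM driver-load, process-termination and agent-heartbeat tables.

```python
"""Two behavioural detections for a BYOVD EDR killer, run over constructed sample
telemetry. Added example; not ESET's research tooling and not any EDR's real
schema. Event fields, process list, prevalence numbers and hash labels are
assumptions made up for illustration."""
from datetime import datetime, timedelta

# Assumed: a short stand-in for the ~400 security-product process names the
# article describes. Compared case-insensitively.
SECURITY_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe", "ekrn.exe"}

# Assumed fleet baseline: how many hosts have ever loaded each driver hash.
# The labels stand in for real SHA-256 values. In practice this comes from the
# SIEM/EDR driver-load table, not from a dict.
DRIVER_PREVALENCE = {"h_common": 1200, "h_rare": 1}

# Constructed sample telemetry. srv-01 loads a rare signed driver, three
# security processes die, and the host never sends another heartbeat.
# srv-02 loads a common driver and keeps reporting.
SAMPLE_EVENTS = [
    {"ts": "2026-06-20T10:00:00", "host": "srv-01", "type": "heartbeat"},
    {"ts": "2026-06-20T10:00:00", "host": "srv-02", "type": "heartbeat"},
    {"ts": "2026-06-20T10:01:10", "host": "srv-01", "type": "driver_load",
     "image": "C:\\Windows\\Temp\\GameDriverX64.sys", "signed": True, "sha256": "h_rare"},
    {"ts": "2026-06-20T10:01:12", "host": "srv-01", "type": "process_terminate", "image": "MsMpEng.exe"},
    {"ts": "2026-06-20T10:01:12", "host": "srv-01", "type": "process_terminate", "image": "ekrn.exe"},
    {"ts": "2026-06-20T10:01:13", "host": "srv-01", "type": "process_terminate", "image": "SentinelAgent.exe"},
    {"ts": "2026-06-20T10:01:13", "host": "srv-01", "type": "process_terminate", "image": "notepad.exe"},
    {"ts": "2026-06-20T10:05:00", "host": "srv-02", "type": "driver_load",
     "image": "C:\\Windows\\System32\\drivers\\disk.sys", "signed": True, "sha256": "h_common"},
    {"ts": "2026-06-20T10:05:00", "host": "srv-02", "type": "heartbeat"},
    {"ts": "2026-06-20T10:10:00", "host": "srv-02", "type": "heartbeat"},
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def detect_rare_driver_then_kill(events, prevalence, max_hosts=5,
                                 window=timedelta(minutes=5), min_kills=2):
    """Rule 1: a driver hash seen on at most `max_hosts` fleet-wide loads, and
    within `window` at least `min_kills` security processes die on that host.
    Keyed on the hash, never the filename: the name is attacker-chosen and
    rotates between variants, and a valid signature is not an exemption."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "driver_load":
            continue
        if prevalence.get(ev["sha256"], 0) > max_hosts:
            continue  # widely deployed driver: not suspicious on its own
        t0 = parse_ts(ev["ts"])
        killed = [
            e["image"] for e in events[i + 1:]
            if e["host"] == ev["host"] and e["type"] == "process_terminate"
            and parse_ts(e["ts"]) - t0 <= window
            and e["image"].lower() in SECURITY_PROCESSES
        ]
        if len(killed) >= min_kills:
            alerts.append({"rule": "rare_driver_then_edr_kill", "host": ev["host"],
                           "driver_sha256": ev["sha256"], "driver_image": ev["image"],
                           "killed": killed})
    return alerts


def detect_silent_agents(events, now, max_gap=timedelta(minutes=10)):
    """Rule 2: alert on absence. Any host that has ever checked in and whose
    latest heartbeat is older than `max_gap` at time `now`. A blinded agent
    produces no event of its own; only the gap distinguishes it from a healthy
    host that happens to be quiet."""
    last_seen = {}
    for ev in events:
        if ev["type"] == "heartbeat":
            t = parse_ts(ev["ts"])
            if t > last_seen.get(ev["host"], datetime.min):
                last_seen[ev["host"]] = t
    return [
        {"rule": "agent_silent", "host": host,
         "silent_for_min": int((now - t).total_seconds() // 60)}
        for host, t in sorted(last_seen.items())
        if now - t > max_gap
    ]


if __name__ == "__main__":
    for a in detect_rare_driver_then_kill(SAMPLE_EVENTS, DRIVER_PREVALENCE):
        print(a)
    for a in detect_silent_agents(SAMPLE_EVENTS, parse_ts("2026-06-20T10:15:00")):
        print(a)
```

Two design points. Rule 1 never looks at the driver's filename or signer, only at how rare the hash is across the fleet and what dies right after it loads, so the next variant with a fresh driver still trips it. Rule 2 runs on a schedule, not on an event, because the condition it detects produces no event; service-stop and tamper-protection events, by contrast, can go straight to the alert queue without correlation. Tune max_hosts and max_gap against your own fleet prevalence and your agent's normal check-in interval before paging on either rule.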

What to do this week

Three moves, in order of payoff:

  • Block the drivers by hash, not by name. Turn on Microsoft's vulnerable driver blocklist, which ships on by default on Windows 11 with memory integrity (HVCI) and can be enforced with Windows Defender Application Control. Cross-reference the abused drivers against the community LOLDrivers project and add any your blocklist misses. One caveat: the blocklist only covers drivers already known to be abusable, and a gang that weaponizes a fresh proof-of-concept within days will be ahead of it, so pair the blocklist with a fleet-wide query for driver hashes that have loaded on only a handful of hosts.

  • Make your agent harder to silence. Enable tamper protection and self-protection on every EDR you run, and confirm that uninstalling it or stopping its service requires a credential or uninstall token that an attacker with local administrator rights on the box does not already have.

  • Alert on absence. Build the telemetry-gap detection above. Your detection stack should page on a silent agent, not wait for the next event that will never come.

Where this goes next

The economics make the model contagious. A 90% cut plus a free, maintained EDR-killer toolkit is a strong pitch to affiliates, and other operators will copy it rather than ask each affiliate to roll their own. Ransomware crews rarely need a zero-day; they need your defenses quiet, and they usually get in through ordinary gaps. Productized evasion is the next commodity, the same way delivery infrastructure became shared. Plan for a near future where blinding the agent is table stakes for every intrusion, and build the one detection that survives it: watch the silence.


Frequently asked questions

What is GentleKiller?

GentleKiller is an EDR-killer tool built by the Gentlemen ransomware-as-a-service operation and handed to its affiliates. ESET found at least eight variants, each impersonating legitimate software and abusing a different vulnerable kernel driver to disable security products before the ransomware runs.

What is a bring-your-own-vulnerable-driver (BYOVD) attack?

BYOVD is when an attacker installs a legitimately signed driver that contains a known flaw, then abuses that flaw to run code in the Windows kernel. Kernel access outranks security agents, so the attacker can terminate them. The driver is real and signed, so antivirus has no reason to block it on sight.

Can antivirus stop a BYOVD EDR killer?

Not on its own. The drivers GentleKiller abuses are legitimately signed, so signature-based antivirus treats them as trusted. Stopping the attack means blocking the specific vulnerable drivers by hash, using Microsoft's vulnerable driver blocklist and application control, rather than relying on the agent the attacker is about to disable.

How do you detect an EDR killer that uses a signed driver?

Watch behavior, not filenames. A rarely-seen signed driver loading on a server, followed by security processes dying or telemetry dropping, is the pattern. The most reliable signal is silence: alert when an agent that normally reports goes quiet, since a blinded agent looks identical to a healthy one.

What should defenders do about the Gentlemen ransomware EDR killer?

Enable Microsoft's vulnerable driver blocklist with memory integrity (HVCI), turn on EDR tamper protection, and add an alert for endpoints that stop reporting telemetry. Cross-reference abused drivers against the LOLDrivers project. The goal is to block the driver class and treat a silent agent as an incident.
