Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomwareUsed by 1 actor

PoisonKiller

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Gentlemen

Tools such as UnknownKiller and PoisonKiller were incorporated into GentleKiller’s arsenal within days of their public GitHub disclosure, demonstrating a well-resourced and agile development pipeline.

via cyber security newscybersecuritynews.com
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique
T1068Exploitation for Privilege EscalationEvidence3

The technique used is Bring Your Own Vulnerable Driver (BYOVD), loading a legitimately signed but exploitable driver to terminate security processes at the kernel level, bypassing user-mode protections.

Stealth

1 technique
T1211Exploitation for Defense EvasionEvidence1

GentleKiller... appears in at least eight variants, each one impersonating a different legitimate product and abusing a different vulnerable or malicious kernel driver. ... Gentlemen adapts newly published Bring Your Own Vulnerable Driver proofs-of-concept quickly.

Impact

1 technique
T1489Service StopEvidence1

Specifically, the IOCTL code 0x22E010 triggers a dedicated process-killing routine... It uses the ZwOpenProcess and ZwTerminateProcess kernel functions to terminate active applications forcibly.

Other

1 technique
T1562Impair DefensesEvidence3

Its operators develop and maintain a set of tools for shutting down endpoint detection and response (EDR) products, then provide these tools directly to the affiliates who rent the gang’s encryptors.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
hash.sha256●●●●●●●●●●●●View more in app2 months ago
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
cyber security newsNews
Jun 21, 2026
GentleKiller Ransomware Abuses Vulnerable Drivers to Disable 400+ EDR Security Processes

A publicly disclosed EDR-killing/BYOVD tool whose techniques or components were rapidly incorporated into GentleKiller’s arsenal.

Read more
security affairsNews
Jun 20, 2026
Inside GentleKiller: The EDR-Killer Powering The Gentlemen

A publicly disclosed EDR-killer proof-of-concept that The Gentlemen rapidly adopted into their toolset.

Read more
help net securityNews
Jun 18, 2026
GentleKiller targets more than 400 security processes across 48 products - Help Net Security

A recently disclosed Bring Your Own Vulnerable Driver proof-of-concept that Gentlemen incorporated into its EDR-killer tooling.

Read more
huntress blogNews
Apr 17, 2026
Uptick in Bomgar RMM Exploitation | Huntress

A BYOVD tool designed to disable or terminate EDR agents, referenced through the related PoisonX.sys driver.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.