Skip to main content
Mallory
Back to malware
MalwareRansomwareUsed by 2 actors

GentleKiller

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
The Gentlemen

The most prevalent EDR killer in the group's ecosystem is GentleKiller, a self-developed tool with at least eight variants targeting more than 400 processes.

via bank info securitybankinfosecurity.com
Gentlemen

The core of the suite is GentleKiller, first observed in a staging directory called GentlemenCollection. It is the most common EDR killer in Gentlemen intrusions and appears in at least eight variants, each one impersonating a different legitimate product and abusing a different vulnerable or malicious kernel driver.

via help net securityhelpnetsecurity.com
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

5 techniques
T1027Obfuscated Files or InformationEvidence1

they all share the same underlying characteristics, including terminating processes periodically and employing identical code obfuscation.

T1027.002Software PackingEvidence1

Many samples also receive commercial packing through Enigma or Themida, recorded in a filename suffix.

T1036MasqueradingEvidence2

These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information... The overarching defense-evasion strategy includes ... spoofing trusted vendors' identities

T1070.004File DeletionEvidence1

The core of the suite is GentleKiller... each one impersonating a different legitimate product and abusing a different vulnerable or malicious kernel driver. ... The general target set spans more than 400 process names linked to 48 security products.

T1211Exploitation for Defense EvasionEvidence2

Although each variant impersonates a different legitimate product and abuses a different vulnerable or malicious driver... It allows the operators to incorporate newly abused drivers into their toolset within days of a proof of concept being disclosed.

Other

2 techniques
T1562Impair DefensesEvidence2

The Gentlemen Ransomware Gang Standardizes EDR Killing ... researchers who found that the extortionists have turned EDR killing into a tactical advantage.

T1562.001Disable or Modify ToolsEvidence1

The most prevalent EDR killer in the group's ecosystem is GentleKiller, a self-developed tool with at least eight variants targeting more than 400 processes... they all share the same underlying characteristics, including terminating processes periodically.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app
help net securityNews
Jun 18, 2026
GentleKiller targets more than 400 security processes across 48 products - Help Net Security

An in-house EDR-killer framework used by the Gentlemen ransomware operation to disable endpoint detection and response products. It has at least eight variants, impersonates legitimate security products, abuses vulnerable or malicious kernel drivers, and targets more than 400 process names associated with 48 security products.

Read more
bank info securityNews
Jun 18, 2026
The Gentlemen Ransomware Gang Standardizes EDR Killing

A self-developed endpoint detection and response killing tool used in The Gentlemen ransomware ecosystem. It has at least eight variants, targets more than 400 processes, periodically terminates processes, uses identical code obfuscation across variants, impersonates legitimate products, and abuses different vulnerable or malicious drivers.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping7

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.