
GentleKiller Deploys Eight BYOVD Variants to Kill 400 Processes Across 48 EDR Products
The Gentlemen RaaS has industrialized EDR termination through a reusable GentleKiller framework that rapidly adopts newly disclosed BYOVD drivers. ESET's analysis and the group's victim count point to centralized tool development that lets affiliates disable products from 48 vendors. This accelerates ransomware operational tempo beyond what per-incident reporting captures.
The Gentlemen operation, active since March 2025, supplies affiliates with GentleKiller alongside HexKiller, ThrottleBlood, and HavocKiller. Each GentleKiller variant mimics a different vendor binary using stolen certificates, icons, and version strings while loading one of eight vulnerable drivers including eb.sys, PoisonX.sys, and nseckrnl.sys. ESET telemetry shows the tools target processes tied to Kaspersky, CrowdStrike, SentinelOne, and 45 additional vendors.
Ransomware.live records 504 claims, concentrated in Southeast Asia and Western Europe. The operator, identified by PRODAFT and Krebs as Russian national Alexander Yapaev, was previously affiliated with Qilin. Structural code reuse across samples indicates a single development template that reduces affiliate friction and accelerates integration of newly disclosed drivers.
The pattern mirrors earlier RaaS maturation cycles where defense-evasion tooling is centralized and versioned faster than detection signatures update. PoisonX.sys reuse in both CrowdStrike Falcon and BeyondTrust campaigns demonstrates how one leaked driver quickly propagates across multiple groups.
Next indicators to monitor are fresh driver sightings in public telemetry and any expansion of the target process list beyond 400 entries. Continued PoC-to-deployment latency under one week will confirm the template's ongoing advantage. Because Microsoft's vulnerable driver blocklist is hash- and certificate-based and is only updated periodically, a newly adopted driver will still load on hosts that rely on the blocklist alone until it catches up; driver-load telemetry is the earlier signal.
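One way to turn the driver list and the process-kill pattern described above into host-side triage, as an added example that is not tooling from the report, from ESET, or from The Gentlemen: it walks Sysmon-style events (EventID 6 driver loads, EventID 1 process creates, EventID 5 process terminations) and flags watchlisted driver basenames, a placeholder blocklist hash, driver loads from user-writable paths, a process whose OriginalFileName disagrees with its on-disk name (the vendor-mimicry trick), and bursts of security-product terminations. The three driver names come from the report; the SHA256 placeholder, the directory list, the EDR process names, the thresholds, and the sample records are all constructed assumptions.

```python
"""Offline triage of Sysmon-style events for BYOVD EDR-killer activity.

Added example, not tooling from the report or from ESET. Field names follow
Sysmon (EventID 6 DriverLoad, EventID 1 ProcessCreate, EventID 5 ProcessTerminate);
every record below is constructed.
"""
import json
import os
from collections import deque
from datetime import datetime, timedelta

# Driver basenames named in the report. The SHA256 is a placeholder (assumption),
# not a published indicator; in practice load hashes from the Microsoft
# vulnerable-driver blocklist or loldrivers.io.
WATCHLIST_DRIVER_NAMES = {"eb.sys", "poisonx.sys", "nseckrnl.sys"}
PLACEHOLDER_SHA256 = "0" * 64
WATCHLIST_SHA256 = {PLACEHOLDER_SHA256}

# Writable staging directories a legitimate driver rarely loads from (assumption).
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\downloads\\")

# Representative security-product process names (assumption; not the 400-entry list).
EDR_PROCESSES = {"csfalconservice.exe", "sentinelagent.exe", "avp.exe", "msmpeng.exe"}

KILL_WINDOW = timedelta(seconds=10)  # assumption: tunable
KILL_THRESHOLD = 3


def _basename(path):
    """Sysmon paths are Windows paths; normalise separators before basename()."""
    return os.path.basename(path.replace("\\", "/")).lower()


def parse_hashes(field):
    """Sysmon 'Hashes' looks like 'SHA256=ab..,MD5=cd..'; return {algo: hexdigest}."""
    out = {}
    for part in field.split(","):
        algo, sep, digest = part.partition("=")
        if sep:
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def check_driver_load(ev):
    """EventID 6: flag watchlisted names/hashes and loads from user-writable paths."""
    path = ev["ImageLoaded"]
    name = _basename(path)
    reasons = []
    if name in WATCHLIST_DRIVER_NAMES:
        reasons.append(f"known vulnerable driver name {name}")
    if parse_hashes(ev.get("Hashes", "")).get("SHA256") in WATCHLIST_SHA256:
        reasons.append(f"hash of {name} is on the vulnerable-driver blocklist")
    if any(d in path.lower() for d in SUSPICIOUS_DIRS):
        reasons.append(f"{name} loaded from user-writable path {path}")
    return reasons


def check_process_create(ev):
    """EventID 1: a renamed binary keeps the PE's OriginalFileName, so it disagrees with Image."""
    image, original = _basename(ev["Image"]), ev.get("OriginalFileName", "").lower()
    if original and original != image:
        return [f"OriginalFileName {original} != image {image} (Company={ev.get('Company')})"]
    return []


def find_kill_bursts(terminations):
    """EventID 5: KILL_THRESHOLD or more security-product exits inside KILL_WINDOW."""
    times = sorted(datetime.fromisoformat(ev["UtcTime"])
                   for ev in terminations if _basename(ev["Image"]) in EDR_PROCESSES)
    window = deque()
    for t in times:
        window.append(t)
        while t - window[0] > KILL_WINDOW:
            window.popleft()
        if len(window) >= KILL_THRESHOLD:
            return [f"{len(window)} security-product processes ended within "
                    f"{KILL_WINDOW.seconds}s, last at {t.isoformat()}"]
    return []


def triage(lines):
    """Run every check over JSON-lines events; return a list of (EventID, reason) pairs."""
    alerts, terminations = [], []
    for line in lines:
        ev = json.loads(line)
        if ev["EventID"] == 6:
            alerts += [(6, r) for r in check_driver_load(ev)]
        elif ev["EventID"] == 1:
            alerts += [(1, r) for r in check_process_create(ev)]
        elif ev["EventID"] == 5:
            terminations.append(ev)
    alerts += [(5, r) for r in find_kill_bursts(terminations)]
    return alerts


# Constructed sample: a vendor-lookalike loader, eb.sys staged in Temp, a renamed
# driver caught only by hash, then three EDR processes dying within two seconds.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 1, "UtcTime": "2026-06-01 10:00:00.000", "Image": r"C:\ProgramData\kavupd.exe",
     "OriginalFileName": "loader.exe", "Company": "Kaspersky Lab"},
    {"EventID": 6, "UtcTime": "2026-06-01 10:00:01.000", "ImageLoaded": r"C:\Windows\Temp\eb.sys",
     "Hashes": "SHA256=" + "a" * 64 + ",MD5=" + "b" * 32},
    {"EventID": 6, "UtcTime": "2026-06-01 10:00:01.500",
     "ImageLoaded": r"C:\Windows\System32\drivers\update.sys", "Hashes": "SHA256=" + PLACEHOLDER_SHA256},
    {"EventID": 5, "UtcTime": "2026-06-01 10:00:02.000", "Image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"EventID": 5, "UtcTime": "2026-06-01 10:00:02.500", "Image": r"C:\Program Files\SentinelOne\SentinelAgent.exe"},
    {"EventID": 5, "UtcTime": "2026-06-01 10:00:03.100", "Image": r"C:\Windows\notepad.exe"},
    {"EventID": 5, "UtcTime": "2026-06-01 10:00:04.000", "Image": r"C:\Program Files\Kaspersky Lab\avp.exe"},
]]

if __name__ == "__main__":
    for eid, reason in triage(SAMPLE_EVENTS):
        print(f"EventID {eid}: {reason}")
```

On the sample the script raises five alerts: the OriginalFileName mismatch, two for eb.sys (name and staging path), one for the renamed driver matched by hash, and one termination burst. The burst check deliberately uses EventID 5 rather than EventID 10 (ProcessAccess with PROCESS_TERMINATE), because a kernel-driver kill never shows up as a user-mode handle open. Pair it with a configuration check that the Microsoft blocklist is actually enforced (HVCI enabled, or the `VulnerableDriverBlocklistEnable` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` set to 1), remembering the caveat above that the blocklist only covers drivers already on it.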
ESET: GentleKiller process list will exceed 500 entries within 90 days of next major EDR vendor driver disclosure.
Sources (3)
- [1] The Hacker News (https://thehackernews.com/2026/06/the-gentlemen-raas-uses-gentlekiller.html)
- [2] ESET Research Report (https://www.welivesecurity.com/2026/06/gentlemen-gentlekiller-analysis)
- [3] Ransomware.live Statistics (https://ransomware.live/group/the-gentlemen)