GentleKiller is an in-house EDR-killing framework with at least eight distinct variants, each
impersonating a different legitimate security product and abusing a unique vulnerable or malicious kernel-level driver.
In total, GentleKiller targets more than 400 processes mapped to 48 security products, including industry leaders such as Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto Networks, ESET, Bitdefender, Kaspersky, and McAfee/Trellix.
The eight GentleKiller variants abuse drivers from Kaspersky (eb.sys), FACEIT Anti-Cheat (nseckrnl.sys), Valorant (GameDriverX64.sys), Javelin/Safetica (stpm_old.sys/stpm_new.sys), Zemana WatchDog (dmx.sys), Qihoo 360 (360netmon_wfp.sys), IObit (IMFForceDelete), and the PoisonX rootkit.
A highly sophisticated EDR-killing framework, dubbed GentleKiller, was used by the Gentlemen ransomware-as-a-service (RaaS) gang to systematically disable endpoint security tools before deploying its ransomware payload.
cybersecuritynews.com