Not very gentlemanly: Analyzing a zero-day exploit used to disable targets' EDRs
Essential information
- Published
- 30/06/2026 18:35
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- byovd edr killer endpoint protection bypass kernel exploit kontron driver ktapi.sys ransomware the gentlemen zero-day
- Related entities
- 3 indicators, 1 intrusion sets (apt), 18 techniques (mitre)
Description
The Gentlemen ransomware group, which emerged in July 2025, employed a zero-day vulnerability in a bring-your-own-vulnerable-driver (BYOVD) attack to disable endpoint detection and response systems. During an incident investigated in early April, the group leveraged an obscure third-party driver named ktapi.sys from Kontron to bypass security protections. The sophisticated exploit chains multiple advanced techniques to navigate Windows exploit mitigations, including bypassing Supervisor Mode Access Prevention and Supervisor Mode Execution Prevention. The toolkit enables the attackers to call privileged kernel mode functions from user mode processes, ultimately terminating EDR processes including Windows Defender, ESET, Palo Alto Cortex XDR, and SentinelOne. The vulnerability had no prior public documentation and was previously absent from vulnerable driver blocklists.