Skip to main content
Mallory
Back to malware
MalwareRansomwareUsed by 3 actors

HexKiller

HexKiller is an externally sourced or leaked EDR-killing tool used in ransomware intrusions. ESET reported it as part of the Gentlemen ransomware-as-a-service group’s standardized EDR-killer suite provided to affiliates, alongside ThrottleBlood and HavocKiller. Gentlemen wraps these third-party tools in a shared defense-evasion layer that impersonates trusted, predominantly security, vendors using fake version information, copied or invalid signatures, legitimate-looking certificates and icons, and in many cases commercial packers such as Enigma or Themida to hinder detection and analysis. HexKiller had previously been tied to the Warlock gang. The content also notes that HexKiller is one of several independent projects using the Baidu Antivirus driver BdApiUtil.sys, indicating BYOVD-style defensive evasion. High-confidence details in the provided content do not further specify HexKiller’s standalone infection vector, target industries, or distinct process-killing scope beyond its role as an EDR killer used by ransomware operators.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
The Gentlemen

The group also incorporates third-party or leaked tools named HexKiller, ThrottleBlood and HavocKiller.

via govinfosecuritygovinfosecurity.com
Warlock

The suite also carries three tools that Gentlemen obtained from outside sources. HexKiller had been tied to the Warlock gang.

via help net securityhelpnetsecurity.com
Gentlemen

The suite also carries three tools that Gentlemen obtained from outside sources. HexKiller had been tied to the Warlock gang.

via help net securityhelpnetsecurity.com
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique
T1068Exploitation for Privilege EscalationEvidence1

BYOVD-based EDR killers exploit vulnerable drivers to escalate kernel-level privileges.

Stealth

3 techniques
T1027.002Software PackingEvidence1

Many samples also receive commercial packing through Enigma or Themida, recorded in a filename suffix.

T1036MasqueradingEvidence3

The most prevalent EDR killer in the group's ecosystem is GentleKiller, a self-developed tool with at least eight variants targeting more than 400 processes. Although each variant impersonates a different legitimate product ...

T1070.004File DeletionEvidence2

The overarching defense-evasion strategy includes applying advanced protection to executable files, spoofing trusted vendors' identities and manipulating file attributes to make the EDR-killing tools harder to detect and analyze.

Defense Impairment

1 technique
T1553.002Code SigningEvidence2

These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied through legitimate certificates and icons.

Other

2 techniques
T1562Impair DefensesEvidence3

The Gentlemen Ransomware Gang Standardizes EDR Killing ... researchers who found that the extortionists have turned EDR killing into a tactical advantage.

T1562.001Disable or Modify ToolsEvidence1

EDR killers terminate or suspend EDR/AV processes and services to bypass detection.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
help net securityNews
Jun 18, 2026
GentleKiller targets more than 400 security processes across 48 products - Help Net Security

An externally sourced EDR-killer tool used within Gentlemen’s tooling suite; previously associated with the Warlock gang.

Read more
bank info securityNews
Jun 18, 2026
The Gentlemen Ransomware Gang Standardizes EDR Killing

A third-party or leaked EDR-killing tool incorporated into The Gentlemen ransomware group's standardized defense-evasion toolkit.

Read more
govinfosecurityNews
Jun 18, 2026
The Gentlemen Ransomware Gang Standardizes EDR Killing

A third-party or leaked EDR-killing tool incorporated into The Gentlemen ransomware group's standardized defense-evasion toolkit.

Read more
eset welivesecurity blogNews
Mar 19, 2026
EDR killers explained: Beyond the drivers

Independent EDR killer codebase that abuses the Baidu Antivirus driver BdApiUtil.sys.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping7

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.