Skip to main content
Mallory
Back to malware
MalwareRansomwareUsed by 3 actors

HexKiller

HexKiller is an externally sourced or leaked EDR-killing tool used in ransomware intrusions. ESET reported that it is part of the EDR-killer suite operationally used by the Gentlemen ransomware-as-a-service group, but assessed with high confidence that it was not developed in-house by Gentlemen. The tool had previously been tied to the Warlock gang and was earlier assessed by ESET as exclusive to Warlock before later appearing in Gentlemen intrusions, indicating reuse across rival ransomware ecosystems.

Within the Gentlemen toolset, HexKiller is wrapped in a shared defense-evasion layer used across multiple EDR killers. Reported evasion features include vendor-like filenames, fabricated version information, copied invalid digital signatures, legitimate-looking icons, and in some cases Enigma or Themida packing, all intended to hinder detection and analysis while masquerading as trusted software. The broader context identifies HexKiller specifically as an EDR killer, meaning its role is to disable or terminate endpoint security products prior to ransomware deployment.

A concrete artifact associated with HexKiller is the Baidu Antivirus driver BdApiUtil.sys, which ESET noted appears across multiple independent EDR-killer projects including dead-av, BdApiUtil-Killer, DLKiller, HexKiller, a Warlock EDR killer, and SevexKiller. This supports ESET’s broader conclusion that driver reuse is common across unrelated tools and that attribution based solely on the abused driver can be misleading. High-confidence associations in the provided content link HexKiller to Warlock historically and to later operational use by Gentlemen affiliates.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Warlock

Besides GentleKiller, the suite also contains HexKiller, HavocKiller, and ThrottleBlood; all ESET names for EDR killers used by affiliates of rival gangs too and obtained by Gentlemen via unknown means.

via eset welivesecurity blogwelivesecurity.com
Gentlemen

Besides GentleKiller, the suite also contains HexKiller, HavocKiller, and ThrottleBlood; all ESET names for EDR killers used by affiliates of rival gangs too and obtained by Gentlemen via unknown means.

via eset welivesecurity blogwelivesecurity.com
The Gentlemen

The group also incorporates third-party or leaked tools named HexKiller, ThrottleBlood and HavocKiller.

via govinfosecuritygovinfosecurity.com
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1059.003Windows Command ShellEvidence1

MITRE ATT&CK techniques ... T1059.003 Command and Scripting Interpreter: Windows Command Shell GentleKiller and related tools are console-based executables that run visibly and emit debug strings during execution.

T1106Native APIEvidence1

MITRE ATT&CK techniques ... T1106 Native API User-mode components interact directly with kernel drivers via DeviceIoControl and other native Windows APIs to perform privileged actions.

Persistence

1 technique
T1543.003Windows ServiceEvidence1

MITRE ATT&CK techniques ... T1543.003 Create or Modify System Process: Windows Service The EDR killers install and start vulnerable or malicious drivers as services prior to exploitation.

Privilege Escalation

2 techniques
T1068Exploitation for Privilege EscalationEvidence1

BYOVD-based EDR killers exploit vulnerable drivers to escalate kernel-level privileges.

T1543.003Windows ServiceEvidence1

MITRE ATT&CK techniques ... T1543.003 Create or Modify System Process: Windows Service The EDR killers install and start vulnerable or malicious drivers as services prior to exploitation.

Stealth

5 techniques
T1027Obfuscated Files or InformationEvidence1

MITRE ATT&CK techniques ... T1027 Obfuscated Files or Information Some executables are protected with packers (e.g., Enigma, Themida) and custom control-flow obfuscation.

T1027.002Software PackingEvidence1

Many samples also receive commercial packing through Enigma or Themida, recorded in a filename suffix.

T1036MasqueradingEvidence4

MITRE ATT&CK techniques ... T1036 Masquerading Gentlemen’s EDR killers are protected by impersonating legitimate vendors through filenames, version information, icons, and copied digital certificates.

T1036.001Invalid Code SignatureEvidence1

MITRE ATT&CK techniques ... T1036.001 Masquerading: Invalid Code Signature The protection applied to Gentlemen’s EDR killers adds an invalid code signature as part of the impersonation strategy.

T1070.004File DeletionEvidence2

The overarching defense-evasion strategy includes applying advanced protection to executable files, spoofing trusted vendors' identities and manipulating file attributes to make the EDR-killing tools harder to detect and analyze.

Defense Impairment

1 technique
T1553.002Code SigningEvidence2

These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied through legitimate certificates and icons.

Other

2 techniques
T1562Impair DefensesEvidence3

The Gentlemen Ransomware Gang Standardizes EDR Killing ... researchers who found that the extortionists have turned EDR killing into a tactical advantage.

T1562.001Disable or Modify ToolsEvidence1

EDR killers terminate or suspend EDR/AV processes and services to bypass detection.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
help net securityNews
Jun 18, 2026
GentleKiller targets more than 400 security processes across 48 products - Help Net Security

An externally sourced EDR-killer tool used within Gentlemen’s tooling suite; previously associated with the Warlock gang.

Read more
bank info securityNews
Jun 18, 2026
The Gentlemen Ransomware Gang Standardizes EDR Killing

A third-party or leaked EDR-killing tool incorporated into The Gentlemen ransomware group's standardized defense-evasion toolkit.

Read more
govinfosecurityNews
Jun 18, 2026
The Gentlemen Ransomware Gang Standardizes EDR Killing

A third-party or leaked EDR-killing tool incorporated into The Gentlemen ransomware group's standardized defense-evasion toolkit.

Read more
eset welivesecurity blogNews
Jun 18, 2026
Killing me gently: Inside Gentlemen’s EDR killer framework

A third-party EDR killer incorporated into Gentlemen intrusions and adapted with Gentlemen’s evasion layer. It abuses the Baidu Antivirus BdApi driver to disable security tools.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping12

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.