HavocKiller
HavocKiller is an EDR-killing tool used in real-world ransomware intrusions and associated with the Gentlemen ransomware-as-a-service ecosystem. According to the provided reporting, it is not assessed as an in-house Gentlemen development but rather as a third-party or leaked tool that the group operationally integrates alongside HexKiller and ThrottleBlood. Huntress publicly disclosed HavocKiller on March 19, 2026, while ESET telemetry indicates it had already been used in intrusions since at least January 23, 2026. Within the Gentlemen toolchain, HavocKiller is part of a broader standardized defense-evasion portfolio used to disable or interfere with endpoint detection and response products. ESET reported that Gentlemen wraps such tools in a shared evasion layer using vendor-like filenames, fabricated version information, copied invalid digital signatures, legitimate-looking icons, and sometimes Enigma or Themida packing to hinder detection and analysis. HavocKiller is therefore best characterized as an externally sourced EDR-killer employed by Gentlemen affiliates during ransomware operations. The broader campaign context indicates targeting across Southeast Asia, South America, and Western Europe, with victim selection reportedly driven primarily by FortiGate misconfigurations.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
HavocKiller is the final addition to Gentlemen’s EDR-killer arsenal. While the tool was publicly disclosed by Huntress on March 19th, 2026, ESET telemetry confirms its use in real-world intrusions dating back to at least January 23rd, 2026.
The group also incorporates third-party or leaked tools named HexKiller, ThrottleBlood and HavocKiller.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
Execution
Persistence
1 technique
Persistence
Privilege Escalation
1 technique
Privilege Escalation
Stealth
5 techniques
Stealth
MITRE ATT&CK techniques ... T1027 Obfuscated Files or Information Some executables are protected with packers (e.g., Enigma, Themida) and custom control-flow obfuscation.
Many samples also receive commercial packing through Enigma or Themida, recorded in a filename suffix.
MITRE ATT&CK techniques ... T1036 Masquerading Gentlemen’s EDR killers are protected by impersonating legitimate vendors through filenames, version information, icons, and copied digital certificates.
Defense Impairment
1 technique
Defense Impairment
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An externally sourced EDR-killer tool later standardized by Gentlemen to match its own toolset. It was publicly disclosed in March 2026 but had been used in real intrusions since at least January 23, 2026.
A third-party or leaked EDR-killing tool incorporated into The Gentlemen ransomware group's standardized defense-evasion toolkit.
A third-party or leaked EDR-killing tool standardized into The Gentlemen ransomware group's broader defense-evasion layer.
A third-party EDR killer used as part of ransomware-related activity. Gentlemen adapted it operationally with its standard evasion techniques, but the implementation differs from GentleKiller and is assessed as externally obtained.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.