Skip to main content
Mallory
Back to malware
MalwareRansomwareUsed by 3 actors

ThrottleBlood

ThrottleBlood is an externally sourced or leaked EDR-killing tool used within the Gentlemen ransomware-as-a-service ecosystem. ESET reported that Gentlemen incorporated ThrottleBlood alongside other third-party tools such as HexKiller and HavocKiller, and standardized these tools with a shared defense-evasion layer that impersonates trusted security vendors using fake version information, copied invalid digital signatures, legitimate-looking icons, and in some cases packers such as Enigma or Themida. ThrottleBlood was not assessed as developed in-house by Gentlemen. The tool has been repeatedly observed in MedusaLocker intrusions and less frequently in DragonForce activity; Trend Micro linked it to Gentlemen in September 2025. In context, ThrottleBlood is associated with ransomware intrusion workflows focused on disabling or evading endpoint security products as part of affiliate operations. The broader Gentlemen victimology described by ESET spans Southeast Asia, South America, and Western Europe, with victim selection reportedly driven mainly by FortiGate misconfigurations.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
DragonForce

Apart from the internally developed GentleKiller, Gentlemen has incorporated multiple third-party solutions into its suite... HexKiller, ThrottleBlood, and HavocKiller.

via eset welivesecurity blogwelivesecurity.com
Gentlemen

Apart from the internally developed GentleKiller, Gentlemen has incorporated multiple third-party solutions into its suite... HexKiller, ThrottleBlood, and HavocKiller.

via eset welivesecurity blogwelivesecurity.com
The Gentlemen

The group also incorporates third-party or leaked tools named HexKiller, ThrottleBlood and HavocKiller.

via govinfosecuritygovinfosecurity.com
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1059.003Windows Command ShellEvidence1

MITRE ATT&CK techniques ... T1059.003 Command and Scripting Interpreter: Windows Command Shell GentleKiller and related tools are console-based executables that run visibly and emit debug strings during execution.

T1106Native APIEvidence1

MITRE ATT&CK techniques ... T1106 Native API User-mode components interact directly with kernel drivers via DeviceIoControl and other native Windows APIs to perform privileged actions.

Persistence

1 technique
T1543.003Windows ServiceEvidence1

MITRE ATT&CK techniques ... T1543.003 Create or Modify System Process: Windows Service The EDR killers install and start vulnerable or malicious drivers as services prior to exploitation.

Privilege Escalation

1 technique
T1543.003Windows ServiceEvidence1

MITRE ATT&CK techniques ... T1543.003 Create or Modify System Process: Windows Service The EDR killers install and start vulnerable or malicious drivers as services prior to exploitation.

Stealth

5 techniques
T1027Obfuscated Files or InformationEvidence1

MITRE ATT&CK techniques ... T1027 Obfuscated Files or Information Some executables are protected with packers (e.g., Enigma, Themida) and custom control-flow obfuscation.

T1027.002Software PackingEvidence1

Many samples also receive commercial packing through Enigma or Themida, recorded in a filename suffix.

T1036MasqueradingEvidence4

MITRE ATT&CK techniques ... T1036 Masquerading Gentlemen’s EDR killers are protected by impersonating legitimate vendors through filenames, version information, icons, and copied digital certificates.

T1036.001Invalid Code SignatureEvidence1

MITRE ATT&CK techniques ... T1036.001 Masquerading: Invalid Code Signature The protection applied to Gentlemen’s EDR killers adds an invalid code signature as part of the impersonation strategy.

T1070.004File DeletionEvidence2

The overarching defense-evasion strategy includes applying advanced protection to executable files, spoofing trusted vendors' identities and manipulating file attributes to make the EDR-killing tools harder to detect and analyze.

Defense Impairment

1 technique
T1553.002Code SigningEvidence2

These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied through legitimate certificates and icons.

Other

1 technique
T1562Impair DefensesEvidence3

The Gentlemen Ransomware Gang Standardizes EDR Killing ... researchers who found that the extortionists have turned EDR killing into a tactical advantage.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
help net securityNews
Jun 18, 2026
GentleKiller targets more than 400 security processes across 48 products - Help Net Security

An externally sourced EDR-killer tool used by Gentlemen and previously seen in MedusaLocker and DragonForce intrusions.

Read more
bank info securityNews
Jun 18, 2026
The Gentlemen Ransomware Gang Standardizes EDR Killing

A third-party or leaked EDR-killing tool incorporated into The Gentlemen ransomware group's standardized defense-evasion toolkit.

Read more
govinfosecurityNews
Jun 18, 2026
The Gentlemen Ransomware Gang Standardizes EDR Killing

A third-party or leaked EDR-killing tool used within The Gentlemen ransomware workflow as part of its integrated endpoint-disabling suite.

Read more
eset welivesecurity blogNews
Jun 18, 2026
Killing me gently: Inside Gentlemen’s EDR killer framework

A third-party EDR killer used in ransomware intrusions and incorporated into Gentlemen’s toolkit with an added evasion layer. It abuses a TechPowerUp driver and has also been seen with MedusaLocker and DragonForce affiliates.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping10

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.