HexKiller
HexKiller is a BYOVD-based EDR killer used to disable endpoint security products during ransomware intrusions. It abuses a Baidu Antivirus driver, identified as the BdApi driver and seen under the filenames googleApiUtil64.sys and BdApiUtil.sys. ESET previously assessed HexKiller as exclusive to the Warlock ransomware gang, but later observed it in intrusions associated with the Gentlemen ransomware-as-a-service operation, where it was staged in the same GentlemenCollection directory as GentleKiller. HexKiller is one of several externally sourced or leaked EDR killers that Gentlemen integrated into its affiliate-facing suite alongside ThrottleBlood and HavocKiller. Gentlemen reportedly standardizes such third-party tools through a shared defense-evasion layer (vendor impersonation and optional Enigma or Themida protection), so a sample's packaging says little about who originally wrote it and complicates attribution. The high-confidence indicators stated on this page are the malware name HexKiller and the abused driver filenames googleApiUtil64.sys and BdApiUtil.sys.
Groups observed using it
3 distinct threat actors attributed by public researchers.
Beyond the in-house framework, Gentlemen folds three externally sourced tools into the affiliate-facing portfolio (HexKiller row of ESET's table):
ESET name: HexKiller
Filename(s): Avast<suffix>.exe
Abused driver: googleApiUtil64.sys (a Baidu Antivirus BdApi driver)
The group also incorporates third-party or leaked tools named HexKiller, ThrottleBlood and HavocKiller.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
ESET’s assessment is that all three were acquired externally by the operators and then standardized with the same defense evasion layer applied to GentleKiller: binary protection via Enigma or Themida, filenames mimicking security vendors, fabricated version information, copied digital signatures, and matching icons.
Execution
2 techniques
Persistence
1 technique
Stage 4 – Driver installation as a persistence/elevation step (T1543.003 – Create or Modify System Process: Windows Service). Each tool installs and starts its associated vulnerable or outright malicious kernel-mode driver as a Windows service before exploitation occurs.
Privilege Escalation
2 techniques
The technique used is Bring Your Own Vulnerable Driver (BYOVD), loading a legitimately signed but exploitable driver to terminate security processes at the kernel level, bypassing user-mode protections.
Stage 4 – Driver installation as a persistence/elevation step (T1543.003 – Create or Modify System Process: Windows Service). Each tool installs and starts its associated vulnerable or outright malicious kernel-mode driver as a Windows service before exploitation occurs.
Defense Evasion
5 techniques
Defense Evasion: T1027 Obfuscated Files or Information. Some executables are protected with packers (Enigma, Themida) and custom control-flow obfuscation.
All three tools are standardized through a shared defense-evasion layer that applies Enigma or Themida binary protectors...
Stage 7 – Masquerading and obfuscation layered over the whole chain (T1036, T1036.001, T1027 – Masquerading, Masquerading: Invalid Code Signature, Obfuscated Files or Information). Every tool in the suite ... is run through the same standardization layer: commercial packers (Enigma/Themida), fabricated version information, icons copied from the impersonated vendor, and digital signatures copied from legitimate software.
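The driver-installation stage (a vulnerable kernel driver registered and started as a Windows service, then loaded) and the masquerading layer above (vendor-named binaries with copied signatures) each leave telemetry that can be hunted together. The following is an added example written for this page; it is not code from ESET, Mallory or the tooling described here. It runs detection logic over constructed sample records shaped like System Event ID 7045 (service installed), Sysmon Event ID 6 (DriverLoad) and Sysmon Event ID 1 (ProcessCreate, which carries PE version info). Field names follow those event schemas; the staging path, service name, signer string and the vendor list beyond Avast are assumptions for illustration.

```python
"""Hunting the HexKiller BYOVD chain in Windows telemetry.

Added example for this page; it is not code from ESET, Mallory or the
tooling described here. It runs over constructed sample records shaped
like three Windows event sources:
  * System log Event ID 7045   (a new service was installed)
  * Sysmon Event ID 6          (DriverLoad)
  * Sysmon Event ID 1          (ProcessCreate, carries PE version info)
Field names follow those event schemas. Every sample value (staging
path, service name, signer string) is invented for illustration.
"""
import ntpath

# Driver filenames the page ties to HexKiller (Baidu Antivirus BdApi driver).
ABUSED_DRIVERS = {"googleapiutil64.sys", "bdapiutil.sys"}

# Where a legitimately installed AV driver or vendor binary normally lives.
VENDOR_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Vendors the suite impersonates in filenames and version info. The page
# documents Avast<suffix>.exe; the other names are an assumption.
IMPERSONATED_VENDORS = ("avast", "eset", "kaspersky", "sophos", "bitdefender")


def _norm(path):
    """Normalise service/driver paths: drop NT prefixes and expand the
    SystemRoot-relative form that 7045 ImagePath often uses."""
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    if len(path) < 2 or path[1] != ":":
        path = "C:\\Windows\\" + path.lstrip("\\")  # assumes %SystemRoot% is C:\Windows
    return path


def _in_vendor_dir(path):
    return path.lower().startswith(VENDOR_DIRS)


def check_service_install(ev):
    """System 7045: a kernel driver registered as a service (T1543.003)."""
    if ev.get("EventID") != 7045:
        return []
    image = _norm(ev.get("ImagePath", ""))
    name = ntpath.basename(image).lower()
    if name in ABUSED_DRIVERS:
        return [f"7045: HexKiller driver {name} installed as service {ev.get('ServiceName')!r}"]
    if "kernel" in ev.get("ServiceType", "").lower() and not _in_vendor_dir(image):
        return [f"7045: kernel driver {name} installed from unusual path {image}"]
    return []


def check_driver_load(ev):
    """Sysmon 6: the driver actually loaded. The abused Baidu driver carries
    a valid vendor signature, so gating on SignatureStatus alone misses it;
    match the filename and load path, and treat a non-valid status as a
    separate signal (copied signatures, T1036.001)."""
    if ev.get("EventID") != 6:
        return []
    findings = []
    image = _norm(ev.get("ImageLoaded", ""))
    name = ntpath.basename(image).lower()
    if name in ABUSED_DRIVERS:
        findings.append(f"6: BYOVD driver {name} loaded, signer {ev.get('Signature')!r}, "
                        f"status {ev.get('SignatureStatus')!r}")
    elif not _in_vendor_dir(image):
        findings.append(f"6: driver {name} loaded from unusual path {image}")
    if ev.get("SignatureStatus") != "Valid":
        findings.append(f"6: driver {name} signature status {ev.get('SignatureStatus')!r}")
    return findings


def check_process_create(ev):
    """Sysmon 1: vendor-impersonating executable (T1036). A binary whose
    filename or Company field names a security vendor but runs outside a
    vendor install directory deserves a look."""
    if ev.get("EventID") != 1:
        return []
    image = _norm(ev.get("Image", ""))
    name = ntpath.basename(image).lower()
    company = ev.get("Company", "").lower()
    if any(v in name or v in company for v in IMPERSONATED_VENDORS) and not _in_vendor_dir(image):
        return [f"1: vendor-branded binary {name} (Company={ev.get('Company')!r}) ran from {image}"]
    return []


def hunt(events):
    """Run every check over a list of event dicts and return the findings."""
    findings = []
    for ev in events:
        findings += check_service_install(ev)
        findings += check_driver_load(ev)
        findings += check_process_create(ev)
    return findings


# Constructed sample telemetry: a HexKiller-style chain staged from a
# user-writable directory, followed by two benign control records.
STAGING = "C:\\Users\\Public\\GentlemenCollection\\"  # invented location
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": STAGING + "AvastSvc.exe",
     "Company": "Avast Software s.r.o.", "Description": "Avast Service"},
    {"EventID": 7045, "ServiceName": "BdApi", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": "\\??\\" + STAGING + "googleApiUtil64.sys"},
    {"EventID": 6, "ImageLoaded": STAGING + "googleApiUtil64.sys", "Signed": "true",
     "Signature": "Baidu (sample signer string)", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "System32\\drivers\\aswSP.sys", "Signed": "true",
     "Signature": "Avast Software s.r.o.", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": "C:\\Program Files\\Avast Software\\Avast\\AvastSvc.exe",
     "Company": "Avast Software s.r.o."},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

On the constructed sample the three staged records each produce one finding and the two benign controls produce none. The unusual-path rules are the generic part: because the abused driver is legitimately signed, a hunt that only keys on the two known filenames will miss the next driver the suite swaps in, while a kernel driver being registered from a user-writable directory is rare enough on a managed estate to be worth a page.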
Defense Impairment
1 technique
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
An externally sourced EDR killer absorbed into Gentlemen’s tooling suite and fitted with Gentlemen’s evasion layer. It abuses the Baidu Antivirus BdApi driver to disable endpoint protections.
An externally sourced EDR killer integrated into Gentlemen’s affiliate suite. It abuses a Baidu Antivirus driver to disable defenses and was previously attributed exclusively to the Warlock gang.
A third-party EDR-killer tool that uses a Baidu Antivirus driver and was observed in Gentlemen intrusions.
A third-party BYOVD-based EDR killer used by The Gentlemen to disable endpoint defenses.