Malware · Ransomware · Used by 2 actors

HavocKiller

HavocKiller, also referred to as HwAudKiller, is a BYOVD-based EDR-killing tool used in ransomware-related intrusions. Public disclosure was made by Huntress on 2026-03-19, while ESET telemetry placed real-world use as early as 2026-01-23. The tool abuses a Huawei Audio driver, identified as havoc.sys, to disable or terminate security tooling. ESET reported that the Gentlemen ransomware-as-a-service operation incorporated HavocKiller as part of its broader affiliate-facing EDR-killer arsenal alongside HexKiller and ThrottleBlood, and assessed these tools as externally sourced rather than developed in-house. Within Gentlemen intrusions, HavocKiller was standardized through the group’s shared defense-evasion layer, including masquerading as security-vendor software and use of protections such as Enigma or Themida. High-confidence context ties HavocKiller to ransomware operations and specifically to Gentlemen activity, but the provided content does not include a standalone process target list, infection vector, or additional HavocKiller-specific IOCs beyond the havoc.sys driver name and the HwAudKiller alias.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

Gentlemen

HavocKiller / HwAudKiller: The most recent addition to the suite. Huntress publicly disclosed HavocKiller on 19 March 2026, but ESET’s own telemetry shows real-world use dating back to at least 23 January 2026.

via thecybersecguru.com
The Gentlemen

The group also incorporates third-party or leaked tools named HexKiller, ThrottleBlood and HavocKiller.

via govinfosecurity.com
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1588.003 Code Signing Certificates (evidence: 1)

ESET’s assessment is that all three were acquired externally by the operators and then standardized with the same defense evasion layer applied to GentleKiller: binary protection via Enigma or Themida, filenames mimicking security vendors, fabricated version information, copied digital signatures, and matching icons.

Execution

2 techniques
T1059.003 Windows Command Shell (evidence: 2)

Stage 3 – Execution (T1059.003 – Command and Scripting Interpreter: Windows Command Shell). GentleKiller and the absorbed third-party tools are console-based executables that run visibly and emit debug strings during execution.

T1106 Native API (evidence: 2)

Stage 5 – Privileged kernel interaction (T1106 – Native API). User-mode components communicate with the now-loaded kernel driver via DeviceIoControl and other native Windows APIs to issue privileged commands.

Persistence

1 technique
T1543.003 Windows Service (evidence: 2)

Stage 4 – Driver installation as a persistence/elevation step (T1543.003 – Create or Modify System Process: Windows Service). Each tool installs and starts its associated vulnerable or outright malicious kernel-mode driver as a Windows service before exploitation occurs.

Privilege Escalation

2 techniques
T1068 Exploitation for Privilege Escalation (evidence: 4)

The technique used is Bring Your Own Vulnerable Driver (BYOVD), loading a legitimately signed but exploitable driver to terminate security processes at the kernel level, bypassing user-mode protections.

T1543.003 Windows Service (evidence: 2)

Stage 4 – Driver installation as a persistence/elevation step (T1543.003 – Create or Modify System Process: Windows Service). Each tool installs and starts its associated vulnerable or outright malicious kernel-mode driver as a Windows service before exploitation occurs.
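The evidence above (T1106, T1068 and T1543.003) describes the common BYOVD shape: a kernel-mode driver is registered and started as a Windows service, then driven from user mode. A defender's first telemetry for that step is the Service Control Manager's System-log Event ID 7045 ("A service was installed in the system"). The script below is an added example, not code from the Mallory page, Huntress or ESET: it parses constructed 7045 records rendered as text, and flags kernel-mode driver installs whose image name is on a vulnerable-driver watchlist (havoc.sys, the only driver name the page gives, plus a placeholder entry) or whose image was written to a user-writable directory. The sample events, the service names in them, the watchlist placeholder, the assumed %SystemRoot% of C:\Windows and the list of "suspicious" directories are all assumptions to tune for your own fleet.

```python
"""Flag kernel-driver service installs (Event ID 7045) that look like BYOVD staging.

Added example, not from the Mallory page or the ESET/Huntress reports.
Sample events below are constructed; service names and paths are invented.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# havoc.sys is the driver name the page reports; the second entry is a
# constructed placeholder showing where a vendor blocklist would be folded in.
DRIVER_WATCHLIST = {"havoc.sys", "example-vulnerable-driver.sys"}

# Assumption: a kernel driver installed from one of these roots is worth a look
# (mirrors the common "driver loaded from unusual path" heuristic; tune per fleet).
SUSPICIOUS_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")

# Constructed 7045 records in the "Key: value" layout of the rendered event message.
SAMPLE_EVENTS = """\
EventID: 7045
Service Name: HwAudioSvc
Service File Name: C:\\Users\\Public\\havoc.sys
Service Type: kernel mode driver
Service Start Type: demand start
Service Account:

EventID: 7045
Service Name: WinDefendHelper
Service File Name: C:\\ProgramData\\update\\helper.sys
Service Type: kernel mode driver
Service Start Type: demand start
Service Account:

EventID: 7045
Service Name: Vendor Agent
Service File Name: "C:\\Program Files\\Vendor\\agent.exe"
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem

EventID: 7045
Service Name: examplestor
Service File Name: System32\\drivers\\examplestor.sys
Service Type: kernel mode driver
Service Start Type: boot start
Service Account:
"""


@dataclass
class ServiceInstall:
    name: str
    image: str
    service_type: str
    start_type: str


def parse_7045(text: str) -> list[ServiceInstall]:
    """Split the text into blank-line-separated events and keep the 7045 ones."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon separates key from value
            fields[key.strip()] = value.strip()
        if fields.get("EventID") != "7045":
            continue
        events.append(ServiceInstall(
            name=fields.get("Service Name", ""),
            image=fields.get("Service File Name", ""),
            service_type=fields.get("Service Type", "").lower(),
            start_type=fields.get("Service Start Type", "").lower(),
        ))
    return events


def normalize_image(image: str) -> str:
    """Turn the SCM's image string into an absolute Win32 path."""
    image = image.strip().strip('"')
    if image.startswith("\\??\\"):          # NT-style prefix sometimes recorded for drivers
        image = image[4:]
    if ":" not in image:                   # drivers are often logged relative to %SystemRoot%
        image = "C:\\Windows\\" + image.lstrip("\\")  # assumption: SystemRoot is C:\Windows
    return image


def assess(event: ServiceInstall) -> list[str]:
    """Return the reasons a kernel-driver install is suspicious (empty = benign)."""
    reasons = []
    if event.service_type != "kernel mode driver":
        return reasons                     # user-mode services are out of scope here
    path = PureWindowsPath(normalize_image(event.image))
    if path.name.lower() in DRIVER_WATCHLIST:
        reasons.append(f"image {path.name} is on the vulnerable-driver watchlist")
    if str(path).lower().startswith(SUSPICIOUS_ROOTS):
        reasons.append(f"driver installed from user-writable path {path.parent}")
    return reasons


def triage(text: str) -> list[tuple[str, str, list[str]]]:
    """Run every 7045 record through assess() and keep the flagged ones."""
    findings = []
    for ev in parse_7045(text):
        reasons = assess(ev)
        if reasons:
            findings.append((ev.name, ev.image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in triage(SAMPLE_EVENTS):
        print(f"[!] {name}: {image}\n    " + "\n    ".join(reasons))
```

On real hosts the same records come from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}`; only the parser's input layout would change. A watchlist hit is the strong signal; the path heuristic on its own catches the generic pattern of a driver dropped outside `System32\drivers` and should be reviewed against legitimate installers in your environment before it pages anyone.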

Stealth

5 techniques
T1027 Obfuscated Files or Information (evidence: 2)

Defense Evasion – T1027 Obfuscated Files or Information: Some executables are protected with packers (Enigma, Themida) and custom control-flow obfuscation.

T1027.002 Software Packing (evidence: 2)

All three tools are standardized through a shared defense-evasion layer that applies Enigma or Themida binary protectors...

T1036 Masquerading (evidence: 8)

Stage 7 – Masquerading and obfuscation layered over the whole chain (T1036, T1036.001, T1027 – Masquerading, Masquerading: Invalid Code Signature, Obfuscated Files or Information). Every tool in the suite ... is run through the same standardization layer: commercial packers (Enigma/Themida), fabricated version information, icons copied from the impersonated vendor, and digital signatures copied from legitimate software.

T1036.001 Invalid Code Signature (evidence: 2)

Defense Evasion – T1036.001 Masquerading: Invalid Code Signature: The protection layer adds an invalid code signature as part of the impersonation strategy.

T1070.004 File Deletion (evidence: 2)

The overarching defense-evasion strategy includes applying advanced protection to executable files, spoofing trusted vendors' identities and manipulating file attributes to make the EDR-killing tools harder to detect and analyze.

Defense Impairment

1 technique
T1553.002 Code Signing (evidence: 2)

These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied through legitimate certificates and icons.

Other

2 techniques
T1562 Impair Defenses (evidence: 6)

A highly sophisticated EDR-killing framework, dubbed GentleKiller, was used by the Gentlemen ransomware-as-a-service (RaaS) gang to systematically disable endpoint security tools before deploying its ransomware payload.

T1562.001 Disable or Modify Tools (evidence: 1)

The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for impairing system defenses before deploying the encryptor.

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Hashes
2 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type        Value                    Latest sighting
hash.sha1   (redacted on this page)  6 days ago
hash.sha1   (redacted on this page)  6 days ago