Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareRansomwareUsed by 3 actors

ThrottleBlood

ThrottleBlood is a BYOVD-based EDR-killing tool observed in ransomware intrusions. It abuses a TechPowerUp LLC driver commonly referred to as ThrottleBlood.sys to disable or terminate security software. The tool has been repeatedly observed in MedusaLocker affiliate intrusions and less frequently in DragonForce affiliate activity. Multiple reports also link it to the Gentlemen ransomware-as-a-service ecosystem, where ESET assessed with high confidence that it was not developed in-house by Gentlemen but instead incorporated as an externally sourced or leaked third-party tool alongside HexKiller and HavocKiller. In Gentlemen-related use, ThrottleBlood was standardized through the group’s shared defense-evasion layer used across its EDR-killer suite. High-confidence associations in the content are therefore MedusaLocker, DragonForce, and Gentlemen. The content does not provide specific infection vectors or standalone indicators of compromise beyond the driver/tool name ThrottleBlood.sys.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Gentlemen

ThrottleBlood Repeatedly observed in MedusaLocker affiliate intrusions and, less frequently, DragonForce affiliate activity. Trend Micro linked it to Gentlemen as early as September 2025.

via thecybersecguruthecybersecguru.com
DragonForce

Apart from the internally developed GentleKiller, Gentlemen has incorporated multiple third-party solutions into its suite... HexKiller, ThrottleBlood, and HavocKiller.

via eset welivesecurity blogwelivesecurity.com
The Gentlemen

The group also incorporates third-party or leaked tools named HexKiller, ThrottleBlood and HavocKiller.

via govinfosecuritygovinfosecurity.com
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1588.003Code Signing CertificatesEvidence1

ESET’s assessment is that all three were acquired externally by the operators and then standardized with the same defense evasion layer applied to GentleKiller: binary protection via Enigma or Themida, filenames mimicking security vendors, fabricated version information, copied digital signatures, and matching icons.

Execution

2 techniques
T1059.003Windows Command ShellEvidence2

Stage 3 – Execution (T1059.003 – Command and Scripting Interpreter: Windows Command Shell). GentleKiller and the absorbed third-party tools are console-based executables that run visibly and emit debug strings during execution.

T1106Native APIEvidence2

Stage 5 – Privileged kernel interaction (T1106 – Native API). User-mode components communicate with the now-loaded kernel driver via DeviceIoControl and other native Windows APIs to issue privileged commands.

Persistence

1 technique
T1543.003Windows ServiceEvidence2

Stage 4 – Driver installation as a persistence/elevation step (T1543.003 – Create or Modify System Process: Windows Service). Each tool installs and starts its associated vulnerable or outright malicious kernel-mode driver as a Windows service before exploitation occurs.

Privilege Escalation

2 techniques
T1068Exploitation for Privilege EscalationEvidence4

The technique used is Bring Your Own Vulnerable Driver (BYOVD), loading a legitimately signed but exploitable driver to terminate security processes at the kernel level, bypassing user-mode protections.

T1543.003Windows ServiceEvidence2

Stage 4 – Driver installation as a persistence/elevation step (T1543.003 – Create or Modify System Process: Windows Service). Each tool installs and starts its associated vulnerable or outright malicious kernel-mode driver as a Windows service before exploitation occurs.

Stealth

5 techniques
T1027Obfuscated Files or InformationEvidence2

Defense Evasion T1027 Obfuscated Files or Information Some executables are protected with packers (Enigma, Themida) and custom control-flow obfuscation.

T1027.002Software PackingEvidence2

All three tools are standardized through a shared defense-evasion layer that applies Enigma or Themida binary protectors...

T1036MasqueradingEvidence8

Stage 7 – Masquerading and obfuscation layered over the whole chain (T1036, T1036.001, T1027 – Masquerading, Masquerading: Invalid Code Signature, Obfuscated Files or Information). Every tool in the suite ... is run through the same standardization layer: commercial packers (Enigma/Themida), fabricated version information, icons copied from the impersonated vendor, and digital signatures copied from legitimate software.

T1036.001Invalid Code SignatureEvidence2

Defense Evasion T1036.001 Masquerading: Invalid Code Signature The protection layer adds an invalid code signature as part of the impersonation strategy.

T1070.004File DeletionEvidence2

The overarching defense-evasion strategy includes applying advanced protection to executable files, spoofing trusted vendors' identities and manipulating file attributes to make the EDR-killing tools harder to detect and analyze.

Defense Impairment

1 technique
T1553.002Code SigningEvidence2

These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied through legitimate certificates and icons.

Other

2 techniques
T1562Impair DefensesEvidence6

A highly sophisticated EDR-killing framework, dubbed GentleKiller, was used by the Gentlemen ransomware-as-a-service (RaaS) gang to systematically disable endpoint security tools before deploying its ransomware payload.

T1562.001Disable or Modify ToolsEvidence1

The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for impairing system defenses before deploying the encryptor.

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Hashes
2 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
hash.sha1●●●●●●●●●●●●View more in app6 days ago
hash.sha1●●●●●●●●●●●●View more in app6 days ago
ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
thecybersecguruNews
Jun 21, 2026
GentleKiller: Inside Gentlemen RaaS's EDR-Killer Suite | The CyberSec Guru

A third-party EDR killer used in ransomware-related intrusions and incorporated into Gentlemen’s suite. It abuses ThrottleBlood.sys, a driver by TechPowerUp LLC, to impair security tools.

Read more
cyber security newsNews
Jun 21, 2026
GentleKiller Ransomware Abuses Vulnerable Drivers to Disable 400+ EDR Security Processes

An EDR killer integrated into Gentlemen’s suite that abuses a TechPowerUp LLC driver. It was previously observed in MedusaLocker and DragonForce intrusions.

Read more
security affairsNews
Jun 20, 2026
Inside GentleKiller: The EDR-Killer Powering The Gentlemen

A third-party EDR-killer tool using a TechPowerUp driver, observed in ransomware affiliate attacks and incorporated into The Gentlemen's broader tooling.

Read more
the hacker newsNews
Jun 19, 2026
The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes

A BYOVD-based EDR killer observed in ransomware-related attacks and used by The Gentlemen as a third-party defense-evasion tool.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching2

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping13

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.