In recent times, EDR killers have grow to be one of the generally seen instruments in trendy ransomware intrusions: an attacker acquires excessive privileges, deploys such a device to disrupt safety, and solely then launches the encryptor. In addition to the dominating Deliver Your Personal Weak Driver (BYOVD) method, we additionally see attackers continuously abusing reliable anti-rootkit utilities or utilizing driverless approaches to dam the communication of endpoint detection and response (EDR) software program or droop it in place. These instruments aren’t simply plentiful, but in addition behave predictably and constantly, which is exactly why associates attain for them.<\/p>\n
On this blogpost, we current our <\/em>view of EDR killers, grounded in ESET telemetry and incident investigations. The analysis is predicated on the evaluation and monitoring of virtually 90 EDR killers actively used within the wild. Our focus goes past the susceptible drivers that dominate most discussions: we doc how associates choose, adapt, and function EDR killers throughout actual intrusions, and what which means for attribution and protection.<\/p>\n We clarify why driver-centric evaluation typically misleads group attribution, present concrete circumstances of driver reuse and switching throughout unrelated codebases, and spotlight the expansion of driverless disruption alongside commercialized, hardened kits. The result’s a transparent, evidence-based image of how EDR killers operate as a predictable stage in trendy ransomware operations.<\/p>\n Key factors of this blogpost:<\/strong><\/p>\n ESET researchers focus past the susceptible drivers so typically abused by these instruments. As we are going to display, drawing any connections solely based mostly on the misused drivers is inadequate and may result in incorrect assumptions.<\/p>\n The panorama this analysis unveils is huge, starting from countless forking of proofs of idea (PoCs) to complicated skilled implementations. Specializing in business EDR killers (marketed on the darkish web) permits us to achieve a greater understanding of their buyer base and spot in any other case hidden affiliations. In-house developed EDR killers supply insights into the interior workings of closed teams. Moreover, vibe coding is making issues much more sophisticated. We offer a technical overview of EDR killers, together with susceptible drivers, within the The know-how behind EDR killers<\/a> <\/em>part.<\/p>\n On the time of writing, our perception into the EDR killer panorama is predicated on the next:<\/p>\n \u25cb<\/span>\u00a0 54 of those are BYOVD-based, abusing a complete of 35 susceptible drivers,<\/p>\n \u25cb\u00a0<\/span> 7 of those are script-based, and<\/p>\n \u25cb\u00a0 <\/span>15 of those are anti-rootkits or different freely accessible software program.<\/p>\n<\/li>\n All through this blogpost, we confer with entities forming the ransomware-as-a-service mannequin as follows:<\/p>\n To efficiently encrypt knowledge, ransomware encryptors have to evade detection. These days, a variety of mature evasion methods is offered, starting from packing and code virtualization to classy injection. Nonetheless, we not often see any of those applied in encryptors. As a substitute, ransomware attackers go for EDR killers to disrupt safety options proper earlier than encryptor deployment. This completely different strategy naturally raises the query: why not somewhat make investments into making encryptors undetected?<\/p>\n Ransomware gangs, particularly these with ransomware-as-a-service (RaaS) packages, continuously produce new builds of their encryptors, and making certain that every new construct is reliably undetected could be time-consuming. Extra importantly, encryptors are inherently very noisy (as they inherently want to change a lot of recordsdata in a brief interval); making such malware undetected is somewhat difficult. EDR killers present a cleaner various. As a substitute of burying detection-evading logic inside each encryptor replace, attackers merely depend on an exterior device to disrupt or disable safety controls instantly earlier than execution, protecting encryptors easy, steady, and simple to rebuild.<\/p>\n As proven all through this blogpost, EDR killers are extraordinarily accessible. Not all intruders or associates have the ability set to develop their very own protection evasion methods. However due to giant collections of public PoCs, EDR killers have basically grow to be \u201cplug-and-play\u201d.<\/p>\n On the similar time, EDR killers typically depend on reliable but susceptible drivers, making protection considerably harder with out risking disruption of legacy or enterprise software program. The result’s a category of instruments that provides kernel-level impression with minimal improvement effort, making these instruments disproportionately highly effective given their simplicity.<\/p>\n Packing or injecting code could assist an implant slip previous detection, but it surely doesn\u2019t make sure the long-term stability of the ransomware payload throughout the remaining section of the intrusion. As a result of layered safety offered by safety merchandise, packed encryptors should still be detected in reminiscence or at different phases of execution. EDR killers, then again, present a predictable and repeatable step within the assault chain, giving attackers a extra deterministic workflow. Moreover, EDR killers intention to disrupt the safety answer as an entire, successfully eliminating all safety layers.<\/p>\n The best EDR killers don\u2019t depend on susceptible drivers or different superior methods. As a substitute, they abuse built-in administrative instruments and instructions corresponding to taskkill<\/span>, web cease<\/span>, or sc delete<\/span> to tamper with safety product processes and companies. These crude approaches nonetheless seem sometimes however at the moment are largely related to low-skill ransomware menace actors and commodity malware.<\/p>\n Barely extra subtle variants mix scripting with Home windows Protected Mode. Since Protected Mode masses solely a minimal subset of the working system, and safety options usually aren\u2019t included, malware has the next probability of disabling safety. On the similar time, such exercise may be very noisy, because it requires a reboot, which is dangerous and unreliable in unknown environments. Due to this fact, it’s seen solely not often within the wild.<\/p>\n Years in the past, earlier than Microsoft enforced<\/a> kernel-mode driver signing, rootkits flourished within the cybercrime ecosystem, hiding malicious exercise by manipulating kernel buildings. Their prevalence led to the event of specialised anti-rootkit instruments designed to detect and take away them. As a result of rootkits function in kernel mode, such instruments naturally require excessive privileges and their very own drivers to find, enumerate, and neutralize the rootkits.<\/p>\n At present, ransomware associates continuously abuse these similar anti-rootkit instruments: to not take away rootkits, however to cripple safety options. Many anti-rootkits supply a user-friendly GUI that enables customers (together with attackers with little technical functionality) to terminate protected processes or companies. In different phrases, reliable remediation instruments have grow to be handy EDR killers when misused. Such instruments embrace GMER<\/a> (see Determine\u00a01), HRSword<\/a>, and PC Hunter<\/a>.<\/p>\n Though rootkits are largely uncommon in trendy cybercrime, notable exceptions nonetheless floor. One instance from final 12 months is ABYSSWORKER<\/a>, a kernel-mode rootkit that drew consideration after its creators managed to signal it utilizing certificates stolen from Chinese language corporations. These certificates had additionally been used to signal different malware and are due to this fact not particular to ABYSSWORKER. For the reason that stolen certificates belong to a trusted certificates chain, such a driver continues to be allowed to run within the kernel. And, to make issues extra sophisticated, even certificates revocation will not be a bulletproof possibility, as not too long ago demonstrated<\/a> by Huntress.<\/p>\n The BYOVD method has grow to be the hallmark of recent EDR killers: dominant, dependable, and broadly used. In a typical situation, an attacker drops a reliable however susceptible driver onto the sufferer machine, installs the motive force, after which runs malware that abuses the motive force\u2019s vulnerability. The objective is to terminate protected processes or disable callbacks<\/a> that safety merchandise depend on.<\/p>\n Though there are literally thousands of reliable susceptible drivers, solely a relatively small subset is actively exploited in ransomware incidents. Nonetheless, the supply of public PoCs means that there’s successfully no restrict on the variety of menace actors that may undertake or adapt exploits for these vulnerabilities. Some attackers reuse present codebases with minimal or no adjustments, others change no logic however reimplement them of their most well-liked programming language, and a few even develop totally new EDR killers (protecting solely a small portion of the unique code answerable for driver exploitation) that they both use on their very own or supply as a service.<\/p>\n Lastly, a smaller however rising class of EDR killers achieves its targets with out touching the kernel in any respect. As a substitute of terminating EDR processes, these instruments intrude with different important options. Examples embrace instruments like EDRSilencer<\/a>, which blocks communication between an endpoint and its safety backend, and EDR-Freeze<\/a>, which causes EDR processes to \u201ccling\u201d or grow to be unresponsive. These driverless methods are common as a result of their unconventional strategy makes detection and mitigation more difficult, and they’re publicly accessible. Certainly, ESET researchers have seen fast adoption of those instruments in a matter of days by ransomware menace actors.<\/p>\n In 2025, ESET researchers printed<\/a> an evaluation of EDRKillShifter, an EDR killer developed by RansomHub operators and supplied on to their associates. On the time of writing, we aren’t conscious of another RaaS packages whose operators present their very own proprietary EDR killers. This makes the now-defunct RansomHub a notable exception within the ransomware panorama.<\/p>\n As a substitute, most menace actors fall into one of many following classes:<\/p>\n Let\u2019s break these conditions down in additional element.<\/p>\n Non-RaaS gangs normally function as absolutely closed ecosystems: no associates, no preliminary entry brokers, and no exterior companions. These teams keep tight management over their intrusion workflows and usually depend on a repeatable, internally constant set of TTPs. Given this stage of operational self-discipline, growing their very own EDR killers turns into a pure extension of their toolset.<\/p>\n ESET researchers highlighted<\/a> an early instance of this in-house improvement mannequin in 2024 with the Embargo gang. On the time, Embargo relied on two EDR killers:<\/p>\n Though MS4Killer was based mostly on an accessible PoC, its builders made vital adjustments: they added parallelism, modified the code movement, and encrypted strings and the embedded driver. For the reason that publication of that analysis, Embargo has shifted to one more public PoC, evil\u2011mhyprot\u2011cli<\/a>, this time with minimal code modifications.<\/p>\n A second, newer, instance is the DeadLock gang. DeadLock maintains a low profile by avoiding having a devoted leak website and conducting all negotiations via Session<\/a>, a\u00a0common various to the extra frequent Tox<\/a>. ESET researchers have noticed DeadLock utilizing two EDR killers, DLKiller (additionally talked about<\/a> as an unnamed loader by Cisco Talos) and Susanoo, and anti-rootkits corresponding to GMER and PC Hunter. ESET researchers consider with low confidence that DLKiller and the DeadLock encryptor are the work of the identical developer because of notable, however by itself inconclusive, code similarities. Apparently, Susanoo offers a loading display screen and a GUI, each offered in Determine\u00a02, permitting for guide interplay and anticipating the attacker to have interactive entry to the sufferer\u2019s machine.<\/p>\n Because the screenshot clearly demonstrates, Susanoo presents buttons to pre-load the listing of monitored processes \u2013 a devoted one concentrating on Sophos-related processes and a \u201cTNT\u201d one concentrating on all processes identified to Susanoo.<\/p>\n The third and remaining instance is Warlock. Though the Warlock leak website has been silent since November 6th<\/sup>, 2025, the group stays operational and retains increasing its technical arsenal. The gang is thought for its willingness to experiment: it tailored the VS Code abuse method for stealthy distant entry, beforehand documented<\/a> in September 2024 and used<\/a> by the Mustang Panda APT group, whereas additionally pioneering<\/a> the malicious use of Velociraptor. Ever since, Warlock has constantly relied on these methods. Its strategy to encryptors mirrors this sample as nicely \u2013 Warlock has employed a number of completely different encryptors over time, starting from customized ones to variants based mostly on Babyk or generated utilizing the leaked LockBit Black builder.<\/p>\n Given all that, Warlock\u2019s experimentation with EDR killers isn’t a surprise. For the reason that gang first appeared, it has routinely deployed a number of EDR killers per intrusion, typically even dozens throughout current operations, successfully brute-forcing its approach to a working answer. Warlock\u2019s tooling is numerous not solely in amount but in addition in technical depth: the gang doesn’t restrict itself to a single susceptible driver and has abused at the least 9 completely different drivers thus far, together with some with none publicly accessible PoC (at the least to our data); a element that underscores the group\u2019s technical proficiency and its means to adapt offensive instruments past what is quickly publicly accessible.<\/p>\n That is by far the most typical strategy noticed in ransomware intrusions. Risk actors continuously take an present, well-tested PoC, and alter solely the noncritical parts earlier than deploying it in actual assaults. These modifications usually embrace:<\/p>\n The essential level, nevertheless, is that the core exploitation logic, particularly the half that interacts with the susceptible driver, virtually by no means adjustments. This logic is usually so simple as calling the Home windows API DeviceIoControl<\/a> with a \u201cappropriate\u201d dwIoControlCode<\/span> worth and the title of the method to terminate in lpInBuffer<\/span>. Whereas renaming strings, restructuring the codebase, or reimplementing the device in one other language are operations that don\u2019t require deep technical data, modifying the exploitation logic actually is and due to this fact is often prevented.<\/p>\n Whereas there are numerous publicly accessible PoCs for EDR killers, one repository stands out: BlackSnufkin\u2019s BYOVD<\/a>. Repeatedly up to date, it accommodates (on the time of writing) PoCs for exploiting 10 susceptible drivers, every applied following the identical modular template. The implementation permits for simple modifications, extensions, and new driver help. Moreover, the code is nicely documented (see Determine\u00a03), making this repository essentially the most continuously used one in ransomware exercise within the wild.<\/p>\n We detected one in all BlackSnufkin\u2019s EDR killers, TfSysMon-Killer<\/a>, deployed throughout a Monti ransomware assault in February 2025; the deployed variant was an identical functionality-wise, however was reimplemented from Rust to C++, more likely to align with different instruments of the menace actor. One other instance of language switching is dead-av<\/a>, which its creator brazenly describes as a Go rewrite of GhostDriver<\/a>, one other PoC created by BlackSnufkin.<\/p>\n A extra intensive modification effort could be seen in SmilingKiller, an EDR killer not too long ago noticed by ESET researchers throughout LockBit and Dire Wolf intrusions. Its developer was impressed by kill-floor<\/a>, an EDR killer PoC that abuses Avast\u2019s aswArPot.sys<\/span>. In addition to modifying debug messages and including control-flow flattening obfuscation (see Determine 4), the creator additionally switched the abused driver to K7RKScan.sys<\/span>, the identical driver abused by K7Terminator<\/a>, one other of BlackSnufkin\u2019s PoCs.<\/p>\n Given the robust and rising demand for EDR-disruption instruments, it’s no shock {that a} parallel market for business EDR killers has emerged. The vary of choices is huge: some commercials present solely imprecise guarantees with no technical particulars, whereas others embrace intensive function lists, utilization directions, and even video demonstrations. Beneath are three notable examples.<\/p>\n One such commercial, disclosed<\/a> by Flare in October 2025, originated from a menace actor utilizing the moniker \u0411\u0430\u0444\u043e\u043c\u0435\u0442. The menace actor marketed an EDR killer that ESET researchers later named DemoKiller. ESET telemetry confirms that DemoKiller has been utilized by associates of the Qilin, Akira, and Gents gangs, and we additionally noticed it deployed as soon as throughout a RansomHouse intrusion. The commercial is proven in Determine\u00a05.<\/p>\n One other paid EDR killer revolves across the ABYSSWORKER rootkit, beforehand mentioned on this blogpost. When paired with its HeartCrypt<\/a>-packed loader part, which ESET researchers named AbyssKiller, this EDR killer has grow to be one of the generally noticed business ones within the wild. ESET researchers have seen AbyssKiller utilized by associates of the Medusa, DragonForce, and the now-disrupted<\/a> BlackSuit gangs.<\/p>\n The ultimate noteworthy instance is an EDR killer that we name CardSpaceKiller. This device is constantly packed utilizing VX Crypt, a comparatively new packer as a service analyzed<\/a> by Sophos in late 2025. VX Crypt will not be distinctive to this EDR killer; it has additionally been used to guard different malware households corresponding to BumbleBee. In keeping with Sophos, CardSpaceKiller has appeared in intrusions involving Akira, Medusa, Qilin, and Crytox. ESET telemetry aligns with these findings and moreover reveals deployment throughout MedusaLocker incidents. Analyzing the unpacked payload, it’s instantly clear that this EDR killer comes from a business providing, the place the developer tries to deal with edge circumstances with a warning (see Determine 6).<\/p>\n The character and value of such commercially marketed instruments range. Some declare to promote supply code, others solely particular person builds. The worth is usually a matter of particular person negotiation; when disclosed publicly, the value has different from tons of to hundreds of US {dollars}.<\/p>\n Whereas the set of abused susceptible drivers stays comparatively small, the variety of distinct user-mode parts which might be a part of trendy EDR killers within the wild is rising quickly. Given this surge in quantity and selection, it’s pure in 2026 to ask: is AI contributing to this proliferation?<\/p>\n Figuring out whether or not AI straight assisted in producing a selected codebase is usually virtually unattainable. There is no such thing as a definitive forensic marker that reliably distinguishes AI-generated code from human-written code, particularly when attackers post-process or obfuscate it. Nonetheless, ESET researchers assess that at the least some not too long ago noticed EDR killers exhibit traits strongly suggestive of AI-assisted era.<\/p>\n A transparent instance seems in an EDR killer not too long ago deployed by Warlock. The device accommodates a piece of code that not solely prints a listing of Doable fixes<\/span>, a sample typical for AI-generated boilerplate, but in addition, as an alternative of exploiting a selected driver, implements a trial-and-error mechanism that cycles via a number of unrelated, generally abused machine names till it finds one which works. The corresponding code is proven in Determine 7.<\/p>\n Absolutely understanding the EDR killer ecosystem requires trying far past susceptible drivers. Whereas driver exploitation stays a dominant pillar of many instruments, it’s only one a part of a wider panorama. Our analysis reveals that specializing in drivers alone obscures significant relationships between instruments, associates, and exercise clusters.<\/p>\n A key statement is the division of labor in RaaS ecosystems. Operators usually provide the encryptor and supporting infrastructure, however EDR killer choice is left to associates. Because of this the bigger the affiliate pool, the extra numerous the EDR killer tooling turns into. On the similar time, the constant reuse of particular instruments inside specific clusters might help determine new affiliations, strengthen infrastructure linkages, and reveal operator-affiliate relationships that might stay invisible if one regarded solely at encryptor households.<\/p>\n Public PoCs have made driver exploitation broadly accessible, however this has created a deceptive scenario: the identical susceptible driver is usually reused throughout unrelated EDR killers, and the identical EDR killer can make the most of completely different drivers over time. In consequence, driver-based attribution alone is error-prone.<\/p>\n A transparent instance is the Baidu Antivirus driver BdApiUtil.sys<\/span>, which seems in a number of unbiased initiatives, together with:<\/p>\n The identical sample seems with the TfSysMon.sys<\/span> driver (ThreatFire System Monitor). It’s abused by TfSysMon-Killer, Susanoo, and EDRKillShifter \u2013 three codebases with distinct implementations and improvement histories.<\/p>\n Driver switching is equally frequent. CardSpaceKiller, for instance, initially relied on HwRwDrv.sys<\/span>, however later variants migrated to ThrottleStop.sys<\/span> with minimal adjustments to the remaining logic. The motive force is interchangeable; the exploitation layer stays largely the identical.<\/p>\n This illustrates the broader level: drivers are a commodity useful resource, and their presence alone offers little perception into menace actor sophistication or relationships.<\/p>\n Attackers aren\u2019t placing a lot effort into making their encryptors undetected. Reasonably, all the subtle defense-evasion methods have shifted to the user-mode parts of EDR killers. This pattern is most seen in business EDR killers, which regularly incorporate mature anti-analysis and anti-detection capabilities. Notable recurring methods embrace:<\/p>\n Defending in opposition to ransomware requires a essentially completely different mindset than defending in opposition to automated threats. Phishing emails, commodity malware, and exploit chains cease as soon as detected and neutralized by safety options; ransomware intrusions don’t. They’re interactive, human-driven operations, and intruders regularly adapt to detections, device failures, and environmental obstacles. In consequence, even when particular person steps are detected, they solely have defensive worth if defenders \u2013 whether or not an inside SOC staff, an MSSP, or an MDR supplier \u2013 reply appropriately, instantly, and with ample decisiveness.<\/p>\n Most EDR killers depend on reliable however susceptible drivers, which is why defenders typically instinctively concentrate on driver blocking. Blocking the motive force from loading is an important step and does certainly neutralize the EDR killer, however solely on the final attainable second. By the point an affiliate makes an attempt to put in the motive force, they usually have already got excessive privileges and are seconds away from launching the encryptor. If the EDR killer fails, they may merely strive one other device.<\/p>\n As a result of these drivers are reliable, overly aggressive blocking dangers disrupting business-critical software program, complicating incident dealing with. Focused blocking additionally faces challenges. In February 2025, Examine Level confirmed<\/a> that menace actors have been in a position to create over 2,500 samples of Truesight.sys<\/span>, all of them remaining validly signed because of a weak spot within the signature validity checking course of. Truesight.sys<\/span> can be one in all many examples of a weak spot<\/a> in Microsoft\u2019s driver signing coverage. A 12 months later, in February 2026, Huntress analyzed<\/a> an intrusion the place EnPortv.sys<\/span> was abused regardless of its certificates being expired and explicitly revoked.<\/p>\n Because of this a prevention-first technique is important. Blocking generally misused drivers from loading is an efficient and mandatory protection mechanism, but it surely shouldn\u2019t be the one one. Finding out EDR killers permits defenders to give you a multilayered technique that expands the horizons; the objective is to cease the EDR killer earlier than execution. In spite of everything, relating to ransomware, the simplest protection technique is to have strategies in place to detect, include, and remediate the menace at each attainable step.<\/p>\n EDR killers endure as a result of they\u2019re low cost, constant, and decoupled from the encryptor \u2013 an ideal match for each encryptor builders, who don\u2019t have to concentrate on making their encryptors undetectable, and associates, who possess an easy-to-use, highly effective utility to disrupt defenses previous to encryption.<\/p>\n Our analysis presents telemetry-backed insights into the EDR killer ecosystem that transfer previous the generally seen driver-centric strategy. We doc how associates, not operators, form tooling variety, and the way codebases routinely reuse and swap drivers. We define how the previous 12 months noticed more and more commercialized choices for EDR killers, and showcase how business EDR killers particularly can provide the protection evasion methods generally lacking in encryptors.<\/p>\n We emphasize that whereas stopping susceptible drivers from loading is an important step within the line of protection, it could additionally result in potential enterprise disruptions, which is why one shouldn’t rely solely on that and intention to disrupt EDR killers earlier than they even get an opportunity to load the motive force. Moreover, we demonstrated that driverless approaches, whether or not script- or vulnerability-based, are a popular addition to any ransomware menace actor\u2019s arsenal.<\/p>\n A complete listing of indicators of compromise (IoCs) and samples could be present in our GitHub repository<\/a>.<\/p>\n This desk was constructed utilizing model 18<\/a> of the MITRE ATT&CK framework.<\/strong><\/p>\n\n
\n
The EDR killer panorama<\/h2>\n
\n
\n
Why are EDR killers so common?<\/h2>\n
Reliability and operational simplicity for encryptor builders<\/h3>\n
Low price, excessive energy<\/h3>\n
Predictability and repeatability throughout intrusions<\/h3>\n
The know-how behind EDR killers<\/h2>\n
Scripts<\/h3>\n
Grey zone: Anti-rootkits<\/h3>\n
![\"Figure_01_GMER\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/03-26\/edr-killers\/figure-01-gmer.jpg\" "\\"Figure")
Rootkits<\/h3>\n
Weak drivers<\/h3>\n
Driverless EDR killers<\/h3>\n
Who develops EDR killers?<\/h2>\n
\n
Closed teams<\/h3>\n
\n
![\"Figure_02_Susanoo\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/03-26\/edr-killers\/figure-02-susanoo.png\" "\\"Figure")
Modification of a PoC<\/h3>\n
\n
![\"Figure_03_BlackSnufkin\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/03-26\/edr-killers\/figure-03-blacksnufkin.png\" "\\"Figure")
![\"Figure_04_SmilingKiller_KillFloor\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/03-26\/edr-killers\/figure-04-smilingkiller-killfloor.png\" "\\"Figure")
EDR killer as a service<\/h3>\n
![\"Figure_05_DemoKiller_ad\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/03-26\/edr-killers\/figure-05-demokiller-ad.png\" "\\"Figure")
![\"Figure_06_CardSpaceKiller\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/03-26\/edr-killers\/figure-06-cardspacekiller.png\" "\\"Figure")
EDR killers and AI<\/h2>\n
![\"Figure_07_AI\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/03-26\/edr-killers\/figure-07-ai.png\" "\\"Figure")
Past the drivers<\/h2>\n
Driver reuse and switching<\/h3>\n
\n
Detection evasion<\/h3>\n
\n
Defending in opposition to ransomware and EDR killers<\/h2>\n
Conclusion<\/h2>\n
\n
IoCs<\/h2>\n
Information<\/h3>\n
\n\n
\n SHA-1<\/strong><\/td>\n Filename<\/strong><\/td>\n Detection<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n\n \n 54547180A99474B0DBA2
<\/span><\/td>\n2Gk8.exe
<\/span><\/td>\nWin32\/Loader.Ly AbyssKiller EDR killer.<\/td>\n<\/tr>\n \n 75F85CAEA52FE5A124FA
<\/span><\/td>\nsmuot.sys
<\/span><\/td>\nWin64\/Rootkit. The ABYSSWORKER rootkit.<\/td>\n<\/tr>\n \n 002573D80091F7F8167B
<\/span><\/td>\nlasdjfioasdjfioer
<\/span><\/td>\nWin64\/HackTool. EDRSilencer EDR killer.<\/td>\n<\/tr>\n \n 1E7567C0D525AD037FBB
<\/span><\/td>\nEDR-Freeze.exe
<\/span><\/td>\nWin64\/HackTool. EDR-Freeze EDR killer.<\/td>\n<\/tr>\n \n 65C2388B0AFB1D1F1860
<\/span><\/td>\nKiller.exe
<\/span><\/td>\nWin64\/KillAV.DQ<\/td>\n EDRKillShifter EDR killer.
<\/span><\/td>\n<\/tr>\n\n A9F37104D2D89051F34E
<\/span><\/td>\nEDRGay.exe
<\/span><\/td>\nWin32\/KillAV.NVJ<\/td>\n DLKiller EDR killer.<\/td>\n<\/tr>\n \n 083F604377D74C437782
<\/span><\/td>\nsusanoo.exe
<\/span><\/td>\nWin64\/KillAV.CQ<\/td>\n Susanoo EDR killer.<\/td>\n<\/tr>\n \n 570161A420992280A8EC
<\/span><\/td>\nvmtools.exe
<\/span><\/td>\nWin32\/KillAV.NVL<\/td>\n HexKiller EDR killer.<\/td>\n<\/tr>\n \n BBE0E14BC7ECE8A7A123
<\/span><\/td>\nTake a look at.exe
<\/span><\/td>\nWinGo\/KillAV.M<\/td>\n SevexKiller EDR killer.<\/td>\n<\/tr>\n \n 31CE76931CA09D3918B3
<\/span><\/td>\nTfSysMon-Killer.exe
<\/span><\/td>\nWin64\/KillAV.DP<\/td>\n TfSysMon-Killer EDR killer.<\/td>\n<\/tr>\n \n B9820BF443C375577CEE
<\/span><\/td>\ndeadav.exe
<\/span><\/td>\nWinGo\/KillAV.L<\/td>\n dead-av EDR killer.<\/td>\n<\/tr>\n \n 34270B07538B7357CF10
<\/span><\/td>\nzcasdfhsdjfhoqewruo
<\/span><\/td>\nWin64\/KillAV.DP<\/td>\n GhostDriver EDR killer.<\/td>\n<\/tr>\n \n 09735640D6634B030375
<\/span><\/td>\npip.exe
<\/span><\/td>\nWin32\/KillAV.NVQ<\/td>\n SmilingKiller EDR killer.<\/td>\n<\/tr>\n \n 85BC0A4F67522D6AC6BE
<\/span><\/td>\nkill-floor.exe
<\/span><\/td>\nWin64\/KillAV.AV<\/td>\n kill-floor EDR killer.<\/td>\n<\/tr>\n \n 711C95FEAD2215E9AC59
<\/span><\/td>\ndemor.exe
<\/span><\/td>\nWin64\/Agent.GAJ<\/td>\n DemoKiller EDR killer.<\/td>\n<\/tr>\n \n BC65ED919988C8E4B8F5
<\/span><\/td>\ndemo.exe
<\/span><\/td>\nWin64\/KillAV.DR<\/td>\n DemoKiller EDR killer.<\/td>\n<\/tr>\n \n 148C0CDE4F2EF807AEA7
<\/span><\/td>\nBdApiUtil64.sys
drivergay.sys
Gosling.sys
kihost.sys
<\/span><\/span><\/span><\/span><\/td>\nWin64\/VulnDriver. Baidu Antivirus BdApi susceptible driver.<\/td>\n<\/tr>\n \n 468121E7D6952799F929
<\/span><\/td>\nK7RKScan.sys
K7RKScan_1516.sys
wamsdk.sys
<\/span><\/span><\/span><\/td>\nWin64\/VulnDriver. K7RKScan Kernel Module susceptible driver.<\/td>\n<\/tr>\n \n C881F43C7FE94A6F056A
<\/span><\/td>\nelliot.sys
kill.sys
TfSysMon.sys
WatchMgrs.sys
<\/span><\/span><\/span><\/span><\/td>\nWin64\/Riskware.PC ThreatFire System Monitor susceptible driver.<\/td>\n<\/tr>\n \n 67D17CA90880B448D5C3
<\/span><\/td>\n1721894530.sys
rentdrv2.sys
<\/span><\/span><\/td>\nWin64\/VulnDriver. Rentdrv2 susceptible driver.<\/td>\n<\/tr>\n \n F329AE0FDF1E198BEA6B
<\/span><\/td>\nknowledge.sys
<\/span><\/td>\nWin64\/VulnDriver. USB-C Energy Supply Firmware Replace Utility susceptible driver.<\/td>\n<\/tr>\n \n 82ED942A52CDCF120A89
<\/span><\/td>\nNitrogenK.sys
rwdrv.sys
ThrottleBlood.sys
ThrottleStop.sys
<\/span><\/span><\/span><\/span><\/td>\nWin64\/VulnDriver. ThrottleStop susceptible driver.<\/td>\n<\/tr>\n \n CE1B9909CEF820E52816
<\/span><\/td>\nhlpdrv.sys
<\/span><\/td>\nWin64\/Agent.GRL<\/td>\n Customized rootkit utilized by CardSpaceKiller.<\/td>\n<\/tr>\n \n 5D6B9E80E12BFC595D4D
<\/span><\/td>\naswArPot.sys
kallmekris.sys
<\/span><\/span><\/td>\nWin64\/VulnDriver. Avast anti-rootkit susceptible driver.<\/td>\n<\/tr>\n \n 7310D6399683BA3EB2F6
<\/span><\/td>\nprobmon.sys
Sysprox.sys
<\/span><\/span><\/td>\nWin64\/VulnDriver. ITM SYSTEM File Filter susceptible driver.<\/td>\n<\/tr>\n \n C85C9A09CD1CB1691DA0
<\/span><\/td>\nkl.sys
rspot.sys
<\/span><\/span><\/td>\nWin64\/VulnDriver. Beijing Rising Community Safety susceptible driver.<\/td>\n<\/tr>\n \n 6EE94F6BDC4C4ED0FFF6
<\/span><\/td>\nmsupdate.sys
thelper.sys
<\/span><\/span><\/td>\nWin32\/IP-guard.E<\/td>\n OCular THelper susceptible driver.<\/td>\n<\/tr>\n \n BA14C43031411240A083
<\/span><\/td>\npraxisbackup.exe
<\/span><\/td>\nWin64\/Agent.ECW<\/td>\n MS4Killer EDR killer.<\/td>\n<\/tr>\n \n 127B50C8185986A52AE6
<\/span><\/td>\nmodel.dll
<\/span><\/td>\nWin64\/KillAV.Card CardSpaceKiller EDR killer.<\/td>\n<\/tr>\n \n A3BDB419703A70157F2B
<\/span><\/td>\n0th3r_av5.exe
<\/span><\/td>\nWin64\/KillAV.Card CardSpaceKiller EDR killer.<\/td>\n<\/tr>\n \n 4A57083122710D51F247
<\/span><\/td>\nDrKiller_Cry_0x000
<\/span><\/td>\nWin64\/Kryptik.FBC<\/td>\n CardSpaceKiller EDR killer.<\/td>\n<\/tr>\n \n DB8BCB8693DDF715552F
<\/span><\/td>\nHwRwDrv.sys
MegaDrov.sys
<\/span><\/span><\/td>\nWin64\/VulnDriver. CardSpaceKiller EDR killer.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n MITRE ATT&CK methods<\/h2>\n
\n\n
\n Tactic<\/strong><\/td>\n ID<\/strong><\/td>\n Identify<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n\n \n Execution<\/strong><\/td>\n T1059.003<\/a><\/td>\n Command and Scripting Interpreter: Home windows Command Shell<\/td>\n Script-based EDR killers use taskkill<\/span>, sc<\/span>, web cease<\/span>, and related instructions to tamper with safety.<\/td>\n<\/tr>\n \n T1569.002<\/a><\/td>\n System Companies: Service Execution<\/td>\n EDR killers execute susceptible drivers as companies.<\/td>\n<\/tr>\n \n Persistence<\/strong><\/td>\n T1543.003<\/a><\/td>\n Create or Modify System Course of: Home windows Service<\/td>\n Some EDR killers could create companies to run throughout Protected Mode or at subsequent boot.<\/td>\n<\/tr>\n \n T1037.001<\/a><\/td>\n Boot or Logon Initialization Scripts: Logon Script (Home windows)<\/td>\n EDR killers register scripts and companies to run early at boot to intrude with EDR loading.<\/td>\n<\/tr>\n \n Privilege Escalation<\/strong><\/td>\n T1068<\/a><\/td>\n Exploitation for Privilege Escalation<\/td>\n BYOVD-based EDR killers exploit susceptible drivers to escalate kernel-level privileges.<\/td>\n<\/tr>\n \n Protection Evasion<\/strong><\/td>\n T1562.001<\/a><\/td>\n Impair Defenses: Disable or Modify Instruments<\/td>\n EDR killers terminate or droop EDR\/AV processes and companies to bypass detection.<\/td>\n<\/tr>\n \n T1562.009<\/a><\/td>\n Impair Defenses: Protected Mode Boot<\/td>\n Script-based EDR killers reboot methods into Protected Mode to tamper with safety parts.<\/td>\n<\/tr>\n \n T1070.004<\/a><\/td>\n Indicator Removing: File Deletion<\/td>\n EDR killers could try and delete EDR\/AV recordsdata to disable protections.<\/td>\n<\/tr>\n \n T1562.006<\/a><\/td>\n Impair Defenses: Indicator Blocking<\/td>\n Driverless EDR killers block telemetry and community communication (e.g., EDRSilencer).<\/td>\n<\/tr>\n \n T1027<\/a><\/td>\n Obfuscated Information or Info<\/td>\n Business EDR killers particularly use obfuscation and encryption (e.g., CardSpaceKiller).<\/td>\n<\/tr>\n \n T1027.009<\/a><\/td>\n Obfuscated Information or Info: Embedded Payloads<\/td>\n Some EDR killers embed the drivers straight into their user-mode parts, typically encrypted.<\/td>\n<\/tr>\n \n T1027.002<\/a><\/td>\n Obfuscated Information or Info: Software program Packing<\/td>\n Business EDR killers depend on packers like HeartCrypt or VX Crypt, and in addition superior code protectors like Themida and VMProtect.<\/td>\n<\/tr>\n \n T1027.005<\/a><\/td>\n Obfuscated Information or Info: Indicator Removing from Instruments<\/td>\n EDR killers like SmilingKiller use control-flow flattening and code obfuscation.<\/td>\n<\/tr>\n \n T1140<\/a><\/td>\n Deobfuscate\/Decode Information or Info<\/td>\n Some EDR killers retailer encrypted drivers and shellcode in devoted recordsdata on disk.<\/td>\n<\/tr>\n \n Affect<\/strong><\/td>\n T1490<\/a><\/td>\n Inhibit System Restoration<\/td>\n Some EDR killers delete or rename security-related recordsdata, impacting restoration.<\/td>\n<\/tr>\n \n T1489<\/a><\/td>\n Service Cease<\/td>\n EDR killers cease protected companies of safety merchandise and tamper with their performance.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
![\"\"](\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\")
<\/a><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"