TTPwire Vol. 1 · MITRE ATT&CK-tagged

ESET WeLiveSecurity

EDR killers explained: Beyond the drivers

2026-03-19

ATT&CK techniques detected

62 predictions
T1486 Data Encrypted for Impact · 100%
“to victims’ networks, and exfiltrate data from victims’ machines. Why are EDR killers so popular? To successfully encrypt data, ransomware encryptors need to evade detection. Nowadays, a wide range of mature evasion techniques is available, ranging from packing and code virtual…”
T1014 Rootkit · 99%
“, such activity is very noisy, as it requires a reboot, which is risky and unreliable in unknown environments. Therefore, it is seen only rarely in the wild. Gray zone: anti-rootkits. Years ago, before Microsoft enforced kernel-mode driver signing, rootkits flourished in the …”
T1486 Data Encrypted for Impact · 99%
“based on the following: - We detect a total of almost 90 EDR killers actively used in the wild by basically any ransomware gang, big or small: 54 of these are BYOVD-based, abusing a total of 35 vulnerable drivers, 7 of these are script-based, and 15 of these are anti-root…”
T1486 Data Encrypted for Impact · 98%
“researchers have seen quick adoption of these tools in a matter of days by ransomware threat actors. Who develops EDR killers? In 2025, ESET researchers published an analysis of EDRKillShifter, an EDR killer developed by RansomHub operators and offered directly to their affiliate…”
T1068 Exploitation for Privilege Escalation · 98%
“exploited in ransomware incidents. However, the availability of public PoCs means that there is effectively no limit on the number of threat actors that can adopt or adapt exploits for these vulnerabilities. Some attackers reuse existing codebases with minimal or no changes, othe…”
T1486 Data Encrypted for Impact · 96%
“…cted is rather challenging. EDR killers provide a cleaner alternative. Instead of burying detection-evading logic inside every encryptor update, attackers simply rely on an external tool to disrupt or disable security controls immediately before execution, keeping encryptors …”
T1068 Exploitation for Privilege Escalation · 96%
“same time, the consistent reuse of specific tools inside particular clusters can help identify new affiliations, strengthen infrastructure linkages, and reveal operator-affiliate relationships that would remain invisible if one looked only at encryptor families. Driver reuse an…”
T1652 Device Driver Discovery · 95%
“EDR killers explained: Beyond the drivers. In recent years, EDR killers have become one of the most commonly seen tools in modern ransomware intrusions: an attacker acquires high privileges, deploys such a tool to disrupt protection, and only then launches the encryptor. Besides…”
T1068 Exploitation for Privilege Escalation · 94%
“PC Hunter. Rootkits. Although rootkits are largely rare in modern cybercrime, notable exceptions still surface. One example from last year is AbyssWorker, a kernel-mode rootkit that drew attention after its creators managed to sign it using certificates stolen from Chinese compa…”
T1652 Device Driver Discovery · 94%
“least some recently observed EDR killers exhibit traits strongly suggestive of AI-assisted generation. A clear example appears in an EDR killer recently deployed by Warlock. The tool contains a section of code that not only prints a list of possible fixes, a pattern typical for…”
T1068 Exploitation for Privilege Escalation · 93%
“killer, Susanoo, and EDRKillShifter – three codebases with distinct implementations and development histories. Driver switching is equally common. Cardspacekiller, for example, initially relied on hwrwdrv.sys, but later variants migrated to throttlestop.sys with minimal changes…”
T1652 Device Driver Discovery · 92%
“detect, contain, and remediate the threat at every possible step. Conclusion. EDR killers endure because they’re cheap, consistent, and decoupled from the encryptor – a perfect fit for both encryptor developers, who don’t need to focus on making their encryptors undetectable, …”
T1652 Device Driver Discovery · 92%
“detection challenges, but also provides research opportunities. Defending against ransomware and EDR killers. Defending against ransomware requires a fundamentally different mindset than defending against automated threats. Phishing emails, commodity malware, and exploit chains st…”
T1068 Exploitation for Privilege Escalation · 92%
“suspect that AI assisted with the development of some EDR killers, and we provide a concrete example with the Warlock gang. - While BYOVD dominates, custom scripts, anti-rootkits, and driverless EDR killers are utilized as well. The EDR killer landscape. ESET researchers focus b…”
T1486 Data Encrypted for Impact · 92%
“, and we also observed it deployed once during a RansomHouse intrusion. The advertisement is shown in Figure 5. Another paid EDR killer revolves around the AbyssWorker rootkit, previously discussed in this blogpost. When paired with its HeartCrypt-packed loader component, which…”
T1652 Device Driver Discovery · 88%
“killer PoC that abuses Avast’s aswarpot.sys. Besides modifying debug messages and adding control-flow flattening obfuscation (see Figure 4), the author also switched the abused driver to k7rkscan.sys, the same driver abused by k7terminator, another of BlackSnufkin’s PoC…”
T1068 Exploitation for Privilege Escalation · 88%
“previously documented in September 2024 and used by the Mustang Panda APT group, while also pioneering the malicious use of Velociraptor. Ever since, Warlock has consistently relied on these techniques. Its approach to encryptors mirrors this pattern as well – Warlock has employe…”
T1652 Device Driver Discovery · 87%
“suspect that AI assisted with the development of some EDR killers, and we provide a concrete example with the Warlock gang. - While BYOVD dominates, custom scripts, anti-rootkits, and driverless EDR killers are utilized as well. The EDR killer landscape. ESET researchers focus b…”
T1588.001 Malware · 86%
“researchers have seen quick adoption of these tools in a matter of days by ransomware threat actors. Who develops EDR killers? In 2025, ESET researchers published an analysis of EDRKillShifter, an EDR killer developed by RansomHub operators and offered directly to their affiliate…”
T1652 Device Driver Discovery · 86%
“…cted is rather challenging. EDR killers provide a cleaner alternative. Instead of burying detection-evading logic inside every encryptor update, attackers simply rely on an external tool to disrupt or disable security controls immediately before execution, keeping encryptors …”
T1652 Device Driver Discovery · 85%
“disrupt EDR killers before they even get a chance to load the driver. Furthermore, we demonstrated that driverless approaches, whether script- or vulnerability-based, are a favored addition to any ransomware threat actor’s arsenal. For any inquiries about our research publis…”
T1652 Device Driver Discovery · 84%
“defense. We explain why driver-centric analysis often misleads group attribution, show concrete cases of driver reuse and switching across unrelated codebases, and highlight the growth of driverless disruption alongside commercialized, hardened kits. The result is a clear, evid…”
T1068 Exploitation for Privilege Escalation · 84%
“EDR killers explained: Beyond the drivers. In recent years, EDR killers have become one of the most commonly seen tools in modern ransomware intrusions: an attacker acquires high privileges, deploys such a tool to disrupt protection, and only then launches the encryptor. Besides…”
T1068 Exploitation for Privilege Escalation · 80%
“this is by far the most common approach observed in ransomware intrusions. Threat actors frequently take an existing, well-tested PoC, and adjust only the noncritical components before deploying it in real attacks. These modifications typically include: - removing or altering …”
T1486 Data Encrypted for Impact · 79%
“defense. We explain why driver-centric analysis often misleads group attribution, show concrete cases of driver reuse and switching across unrelated codebases, and highlight the growth of driverless disruption alongside commercialized, hardened kits. The result is a clear, evid…”
T1588.002 Tool · 77%
“with these findings and additionally shows deployment during MedusaLocker incidents. Analyzing the unpacked payload, it is immediately clear that this EDR killer comes from a commercial offering, where the developer tries to handle edge cases with a warning (see Figure 6). The …”
T1486 Data Encrypted for Impact · 75%
“component. - Use of commercial packers. Packers such as vx crypt (as used with cardspacekiller) and HeartCrypt (as used with abysskiller) provide structure-level obfuscation, anti-VM behavior, and continuous repacking to evade static signatures. Popular code virtualizatio…”
T1068 Exploitation for Privilege Escalation · 73%
“BYOVD. Regularly updated, it contains (at the time of writing) PoCs for exploiting 10 vulnerable drivers, each implemented following the same modular template. The implementation allows for easy modifications, extensions, and new driver support. Furthermore, the code is well do…”
T1652 Device Driver Discovery · 73%
“another tool. Because these drivers are legitimate, overly aggressive blocking risks disrupting business-critical software, complicating incident handling. Targeted blocking also faces challenges. In February 2025, Check Point showed that threat actors were able to create over …”
T1553.002 Code Signing · 67%
“another tool. Because these drivers are legitimate, overly aggressive blocking risks disrupting business-critical software, complicating incident handling. Targeted blocking also faces challenges. In February 2025, Check Point showed that threat actors were able to create over …”
T1486 Data Encrypted for Impact · 66%
“detect, contain, and remediate the threat at every possible step. Conclusion. EDR killers endure because they’re cheap, consistent, and decoupled from the encryptor – a perfect fit for both encryptor developers, who don’t need to focus on making their encryptors undetectable, …”
T1486 Data Encrypted for Impact · 66%
“disrupt EDR killers before they even get a chance to load the driver. Furthermore, we demonstrated that driverless approaches, whether script- or vulnerability-based, are a favored addition to any ransomware threat actor’s arsenal. For any inquiries about our research publis…”
T1068 Exploitation for Privilege Escalation · 63%
“disrupt EDR killers before they even get a chance to load the driver. Furthermore, we demonstrated that driverless approaches, whether script- or vulnerability-based, are a favored addition to any ransomware threat actor’s arsenal. For any inquiries about our research publis…”
T1486 Data Encrypted for Impact · 63%
“EDR killers explained: Beyond the drivers. In recent years, EDR killers have become one of the most commonly seen tools in modern ransomware intrusions: an attacker acquires high privileges, deploys such a tool to disrupt protection, and only then launches the encryptor. Besides…”
T1059.012 Hypervisor CLI · 63%
“, and we also observed it deployed once during a RansomHouse intrusion. The advertisement is shown in Figure 5. Another paid EDR killer revolves around the AbyssWorker rootkit, previously discussed in this blogpost. When paired with its HeartCrypt-packed loader component, which…”
T1588.002 Tool · 63%
“researchers have seen quick adoption of these tools in a matter of days by ransomware threat actors. Who develops EDR killers? In 2025, ESET researchers published an analysis of EDRKillShifter, an EDR killer developed by RansomHub operators and offered directly to their affiliate…”
T1543.003 Windows Service · 63%
“killer PoC that abuses Avast’s aswarpot.sys. Besides modifying debug messages and adding control-flow flattening obfuscation (see Figure 4), the author also switched the abused driver to k7rkscan.sys, the same driver abused by k7terminator, another of BlackSnufkin’s PoC…”
T1486 Data Encrypted for Impact · 62%
“payload during the final phase of the intrusion. Due to the layered protection provided by security products, packed encryptors may still be detected in memory or at other stages of execution. EDR killers, on the other hand, provide a predictable and repeatable step in the attack…”
T1068 Exploitation for Privilege Escalation · 61%
“least some recently observed EDR killers exhibit traits strongly suggestive of AI-assisted generation. A clear example appears in an EDR killer recently deployed by Warlock. The tool contains a section of code that not only prints a list of possible fixes, a pattern typical for…”
T1652 Device Driver Discovery · 61%
“killer, Susanoo, and EDRKillShifter – three codebases with distinct implementations and development histories. Driver switching is equally common. Cardspacekiller, for example, initially relied on hwrwdrv.sys, but later variants migrated to throttlestop.sys with minimal changes…”
T1574.010 Services File Permissions Weakness · 57%
“killer PoC that abuses Avast’s aswarpot.sys. Besides modifying debug messages and adding control-flow flattening obfuscation (see Figure 4), the author also switched the abused driver to k7rkscan.sys, the same driver abused by k7terminator, another of BlackSnufkin’s PoC…”
T1486 Data Encrypted for Impact · 53%
“detection challenges, but also provides research opportunities. Defending against ransomware and EDR killers. Defending against ransomware requires a fundamentally different mindset than defending against automated threats. Phishing emails, commodity malware, and exploit chains st…”
T1068 Exploitation for Privilege Escalation · 52%
“killer PoC that abuses Avast’s aswarpot.sys. Besides modifying debug messages and adding control-flow flattening obfuscation (see Figure 4), the author also switched the abused driver to k7rkscan.sys, the same driver abused by k7terminator, another of BlackSnufkin’s PoC…”
T1486 Data Encrypted for Impact · 50%
“another tool. Because these drivers are legitimate, overly aggressive blocking risks disrupting business-critical software, complicating incident handling. Targeted blocking also faces challenges. In February 2025, Check Point showed that threat actors were able to create over …”
T1055.001 Dynamic-link Library Injection · 48%
“…lock using two EDR killers, dlkiller (also mentioned as an unnamed loader by Cisco Talos) and Susanoo, and anti-rootkits such as GMER and PC Hunter. ESET researchers believe with low confidence that dlkiller and the Deadlock encryptor are the work of the same developer due …”
T1059.012 Hypervisor CLI · 48%
“disrupt EDR killers before they even get a chance to load the driver. Furthermore, we demonstrated that driverless approaches, whether script- or vulnerability-based, are a favored addition to any ransomware threat actor’s arsenal. For any inquiries about our research publis…”
T1059.012 Hypervisor CLI · 46%
“. Given this level of operational discipline, developing their own EDR killers becomes a natural extension of their toolset. ESET researchers highlighted an early example of this in-house development model in 2024 with the Embargo gang. At the time, Embargo relied on two EDR ki…”
T1014 Rootkit · 46%
“…lock using two EDR killers, dlkiller (also mentioned as an unnamed loader by Cisco Talos) and Susanoo, and anti-rootkits such as GMER and PC Hunter. ESET researchers believe with low confidence that dlkiller and the Deadlock encryptor are the work of the same developer due …”
T1059.012 Hypervisor CLI · 45%
“killer PoC that abuses Avast’s aswarpot.sys. Besides modifying debug messages and adding control-flow flattening obfuscation (see Figure 4), the author also switched the abused driver to k7rkscan.sys, the same driver abused by k7terminator, another of BlackSnufkin’s PoC…”
T1068 Exploitation for Privilege Escalation · 43%
“detect, contain, and remediate the threat at every possible step. Conclusion. EDR killers endure because they’re cheap, consistent, and decoupled from the encryptor – a perfect fit for both encryptor developers, who don’t need to focus on making their encryptors undetectable, …”
T1679 Selective Exclusion · 41%
“to victims’ networks, and exfiltrate data from victims’ machines. Why are EDR killers so popular? To successfully encrypt data, ransomware encryptors need to evade detection. Nowadays, a wide range of mature evasion techniques is available, ranging from packing and code virtual…”
T1679 Selective Exclusion · 39%
“…cted is rather challenging. EDR killers provide a cleaner alternative. Instead of burying detection-evading logic inside every encryptor update, attackers simply rely on an external tool to disrupt or disable security controls immediately before execution, keeping encryptors …”
T1068 Exploitation for Privilege Escalation · 38%
“detection challenges, but also provides research opportunities. Defending against ransomware and EDR killers. Defending against ransomware requires a fundamentally different mindset than defending against automated threats. Phishing emails, commodity malware, and exploit chains st…”
T1068 Exploitation for Privilege Escalation · 38%
“defense. We explain why driver-centric analysis often misleads group attribution, show concrete cases of driver reuse and switching across unrelated codebases, and highlight the growth of driverless disruption alongside commercialized, hardened kits. The result is a clear, evid…”
T1490 Inhibit System Recovery · 37%
“based on the following: - We detect a total of almost 90 EDR killers actively used in the wild by basically any ransomware gang, big or small: 54 of these are BYOVD-based, abusing a total of 35 vulnerable drivers, 7 of these are script-based, and 15 of these are anti-root…”
T1486 Data Encrypted for Impact · 36%
“BYOVD. Regularly updated, it contains (at the time of writing) PoCs for exploiting 10 vulnerable drivers, each implemented following the same modular template. The implementation allows for easy modifications, extensions, and new driver support. Furthermore, the code is well do…”
T1059.012 Hypervisor CLI · 34%
“based on the following: - We detect a total of almost 90 EDR killers actively used in the wild by basically any ransomware gang, big or small: 54 of these are BYOVD-based, abusing a total of 35 vulnerable drivers, 7 of these are script-based, and 15 of these are anti-root…”
T1657 Financial Theft · 33%
“researchers have seen quick adoption of these tools in a matter of days by ransomware threat actors. Who develops EDR killers? In 2025, ESET researchers published an analysis of EDRKillShifter, an EDR killer developed by RansomHub operators and offered directly to their affiliate…”
T1652 Device Driver Discovery · 33%
“based on the following: - We detect a total of almost 90 EDR killers actively used in the wild by basically any ransomware gang, big or small: 54 of these are BYOVD-based, abusing a total of 35 vulnerable drivers, 7 of these are script-based, and 15 of these are anti-root…”
T1486 Data Encrypted for Impact · 32%
“previously documented in September 2024 and used by the Mustang Panda APT group, while also pioneering the malicious use of Velociraptor. Ever since, Warlock has consistently relied on these techniques. Its approach to encryptors mirrors this pattern as well – Warlock has employe…”
T1652 Device Driver Discovery · 31%
“BYOVD. Regularly updated, it contains (at the time of writing) PoCs for exploiting 10 vulnerable drivers, each implemented following the same modular template. The implementation allows for easy modifications, extensions, and new driver support. Furthermore, the code is well do…”
T1652 Device Driver Discovery · 30%
“previously documented in September 2024 and used by the Mustang Panda APT group, while also pioneering the malicious use of Velociraptor. Ever since, Warlock has consistently relied on these techniques. Its approach to encryptors mirrors this pattern as well – Warlock has employe…”
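Several of the tagged passages above make the same defensive point: the abused drivers are legitimately signed, attackers rename them and switch between them across variants, and blanket blocking breaks business software. The triage below is an added illustration of how a detection engineer turns that into a rule, not code from ESET or from the article. It scores Sysmon Event ID 6 (Driver loaded) records by content hash first, then by load path and signature status, and deliberately separates "block" from "review" findings. Everything in it is constructed: the event records, the stand-in hashes (SHA-256 of labels, not the real drivers' hashes), and the trusted-directory list are assumptions for the example.

```python
"""Triage Sysmon Event ID 6 (Driver loaded) records for BYOVD-style EDR killers.

Added illustration for this page, not ESET's code. The event records, the
blocklist hashes and the trusted-path list are constructed stand-ins.
"""
import hashlib
import ntpath


def stand_in_sha256(label: str) -> str:
    """SHA-256 of a constructed label, used as a placeholder driver hash."""
    return hashlib.sha256(label.encode()).hexdigest().upper()


# Blocklist keyed on file content, not file name: EDR killers rename the driver
# they drop and switch drivers between variants, so a name-based rule misses
# both. These are NOT the real drivers' hashes; they are constructed stand-ins.
VULNERABLE_DRIVER_HASHES = {
    stand_in_sha256("stand-in for hwrwdrv.sys"): "hwrwdrv.sys",
    stand_in_sha256("stand-in for throttlestop.sys"): "throttlestop.sys",
}

# Directories from which kernel drivers normally load on a stock Windows host
# (assumed allowlist; tune per environment).
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)


def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {algo: hexdigest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().upper()
    return out


def is_trusted_path(image: str) -> bool:
    directory = ntpath.dirname(image).lower()
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS)


def triage_driver_load(event: dict, blocklist=VULNERABLE_DRIVER_HASHES):
    """Return (severity, reason) for one Event ID 6 record, or None if nothing stands out."""
    image = event["ImageLoaded"]
    name = ntpath.basename(image).lower()
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    trusted_dir = is_trusted_path(image)
    valid_sig = event.get("SignatureStatus", "").lower() == "valid"

    # 1. Content match beats everything: a validly signed but vulnerable driver
    #    is exactly what BYOVD abuses, so a good signature is no comfort here.
    #    A renamed file is itself a strong signal, so report it.
    if sha256 in blocklist:
        known = blocklist[sha256]
        renamed = "" if known == name else f" (renamed from {known})"
        return ("high", f"known vulnerable driver {known} loaded as {name}{renamed}")

    # 2. A driver loading from a user-writable location without a valid
    #    signature (unsigned, or a stolen certificate that has since been
    #    revoked) has no business on a production host.
    if not trusted_dir and not valid_sig:
        return ("high", f"driver {name} with signature status "
                        f"'{event.get('SignatureStatus', '')}' loaded from {ntpath.dirname(image)}")

    # 3. Signed driver from an unusual path: a vendor installer or an unlisted
    #    vulnerable driver. Flag for review rather than auto-block; blocking
    #    legitimate drivers outright is what breaks business software.
    if not trusted_dir:
        return ("medium", f"signed driver {name} loaded from non-standard path {ntpath.dirname(image)}")

    return None


def triage_driver_loads(events, blocklist=VULNERABLE_DRIVER_HASHES):
    findings = []
    for ev in events:
        verdict = triage_driver_load(ev, blocklist)
        if verdict:
            findings.append({"time": ev["UtcTime"], "image": ev["ImageLoaded"],
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


# Constructed records shaped like Sysmon Event ID 6 (fields trimmed).
SAMPLE_EVENTS = [
    {"UtcTime": "2026-03-19 10:01:02", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + stand_in_sha256("stand-in for an inbox driver"),
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2026-03-19 10:04:55", "ImageLoaded": r"C:\Users\Public\svc.sys",
     "Hashes": "SHA256=" + stand_in_sha256("stand-in for throttlestop.sys"),
     "Signed": "true", "Signature": "Some Hardware Vendor", "SignatureStatus": "Valid"},
    {"UtcTime": "2026-03-19 10:05:10", "ImageLoaded": r"C:\ProgramData\Vendor\monitor.sys",
     "Hashes": "SHA256=" + stand_in_sha256("stand-in for an unlisted signed driver"),
     "Signed": "true", "Signature": "Some Software Vendor", "SignatureStatus": "Valid"},
    {"UtcTime": "2026-03-19 10:06:40", "ImageLoaded": r"C:\Users\Public\rk.sys",
     "Hashes": "SHA256=" + stand_in_sha256("stand-in for a driver signed with a revoked cert"),
     "Signed": "true", "Signature": "Stolen Certificate Co", "SignatureStatus": "Invalid"},
]

if __name__ == "__main__":
    for f in triage_driver_loads(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['reason']}")
```

Run as-is it reports the renamed blocklisted driver and the revoked-signature load as high, and the signed driver under ProgramData as medium, while the inbox driver produces nothing. The hash match is the only rule that catches a driver switch (rule 1 fires on the throttlestop stand-in even though the file is called svc.sys), which is why a blocklist should be keyed on content and fed from a source that is updated as new drivers are abused; the path and signature rules are the fallback for drivers that are not on any list yet.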

Summary

ESET researchers dive deeper into the EDR killer ecosystem, disclosing how attackers abuse vulnerable drivers