Shared secret: EDR killer in the kill chain
Essential information
- Published: 07/08/2025 18:57
- Modified: 07/08/2025 22:14
- Tags: 2025-08-07, avkiller, blacksuit, compromise, crytox, dragonforce, driver, edr, heartcrypt, inc, lynx, medusalocker, qilin, ransomhub, ransomware, threat-sharing
- Related entities: 56 observables, 1 intrusion set (APT), 9 malware
Description
This intelligence report analyzes a sophisticated tool designed to disable endpoint security solutions, particularly EDR products, on compromised hosts. The tool, known as AVKiller, has been observed in multiple ransomware attacks since 2022. It is heavily protected, targets the products of various security vendors, and uses a driver signed with a compromised certificate to terminate security processes and services. The report details the tool's characteristics and its connection to ransomware attacks, and provides examples of its use by specific ransomware families. Notably, the report highlights evidence of tool sharing and technical knowledge transfer among competing ransomware groups, suggesting a more complex ecosystem than previously thought.