
EDR killers explained: Beyond the drivers

Admin by Admin
March 23, 2026


Recently, EDR killers have become one of the most commonly seen tools in modern ransomware intrusions: an attacker acquires high privileges, deploys such a tool to disrupt security, and only then launches the encryptor. Besides the dominating Bring Your Own Vulnerable Driver (BYOVD) technique, we also see attackers frequently abusing legitimate anti-rootkit utilities or using driverless approaches to block the communication of endpoint detection and response (EDR) software or suspend it in place. These tools are not just plentiful, but also behave predictably and consistently, which is precisely why affiliates reach for them.

In this blogpost, we present our view of EDR killers, grounded in ESET telemetry and incident investigations. The research is based on the analysis and monitoring of almost 90 EDR killers actively used in the wild. Our focus goes beyond the vulnerable drivers that dominate most discussions: we document how affiliates select, adapt, and operate EDR killers across real intrusions, and what that means for attribution and defense.

We explain why driver-centric analysis often misleads group attribution, show concrete cases of driver reuse and switching across unrelated codebases, and highlight the growth of driverless disruption alongside commercialized, hardened kits. The result is a clear, evidence-based picture of how EDR killers function as a predictable stage in modern ransomware operations.

Key points of this blogpost:

  • EDR killers are a fundamental part of modern ransomware intrusions; affiliates prefer a short, reliable window in which to run encryptors rather than constantly modifying payloads.
  • Affiliates, not operators, select the EDR killers; larger affiliate pools lead to greater tooling diversity.
  • The same driver appears in unrelated tools, and the same tool can migrate between drivers. Consequently, driver-based attribution to groups is often misleading.
  • Packer as a service and “EDR killer as a product” increase availability, muddy attribution, and add defense complexity.
  • EDR killers implement defense evasion techniques, while encryptors focus purely on encryption.
  • We strongly suspect that AI assisted with the development of some EDR killers, and we provide a concrete example with the Warlock gang.
  • While BYOVD dominates, custom scripts, anti-rootkits, and driverless EDR killers are used as well.

The EDR killer landscape

ESET researchers focus beyond the vulnerable drivers so often abused by these tools. As we will demonstrate, drawing any connections solely based on the misused drivers is insufficient and can lead to incorrect assumptions.

The landscape this research unveils is vast, ranging from endless forking of proofs of concept (PoCs) to complex professional implementations. Focusing on commercial EDR killers (advertised on the dark web) allows us to gain a better understanding of their customer base and spot otherwise hidden affiliations. In-house developed EDR killers offer insights into the inner workings of closed groups. Moreover, vibe coding is making things even more complicated. We provide a technical overview of EDR killers, including vulnerable drivers, in the section The technology behind EDR killers.

At the time of writing, our insight into the EDR killer landscape is based on the following:

  • We detect a total of almost 90 EDR killers actively used in the wild by basically any ransomware gang, big or small:

    ○  54 of these are BYOVD-based, abusing a total of 35 vulnerable drivers,

    ○  7 of these are script-based, and

    ○  15 of these are anti-rootkits or other freely available software.

  • For 24 of the BYOVD-based EDR killers, we aren’t aware of a publicly available PoC they’re based on; we assess that their developers implemented these tools from scratch and were inspired only by the driver exploitation code.

Throughout this blogpost, we refer to the entities forming the ransomware-as-a-service model as follows:

  • Operators, who develop the ransomware payload, manage decryption keys, maintain the dedicated leak site, often negotiate the ransom payment with victims, and provide other tooling and services for a monthly fee or a percentage of the ransom payment (typically 5–20%).
  • Affiliates, who rent ransomware services from operators, deploy encryptors to victims’ networks, and exfiltrate data from victims’ machines.

Why are EDR killers so popular?

To successfully encrypt data, ransomware encryptors need to evade detection. Nowadays, a wide range of mature evasion techniques is available, ranging from packing and code virtualization to sophisticated injection. However, we rarely see any of these implemented in encryptors. Instead, ransomware attackers opt for EDR killers to disrupt security solutions right before encryptor deployment. This different approach naturally raises the question: why not rather invest in making encryptors undetected?

Reliability and operational simplicity for encryptor developers

Ransomware gangs, especially those with ransomware-as-a-service (RaaS) programs, frequently produce new builds of their encryptors, and ensuring that each new build is reliably undetected can be time-consuming. More importantly, encryptors are inherently very noisy (they need to modify numerous files in a short period); making such malware undetected is rather challenging. EDR killers provide a cleaner alternative. Instead of burying detection-evading logic inside every encryptor update, attackers simply rely on an external tool to disrupt or disable security controls immediately before execution, keeping encryptors simple, stable, and easy to rebuild.

Low cost, high power

As shown throughout this blogpost, EDR killers are extremely accessible. Not all intruders or affiliates have the skill set to develop their own defense evasion techniques. But thanks to large collections of public PoCs, EDR killers have essentially become “plug-and-play”.

At the same time, EDR killers often rely on legitimate yet vulnerable drivers, making defense significantly harder without risking disruption of legacy or enterprise software. The result is a class of tools that provides kernel-level impact with minimal development effort, making these tools disproportionately powerful given their simplicity.

Predictability and repeatability across intrusions

Packing or injecting code may help an implant slip past detection, but it doesn’t ensure the long-term stability of the ransomware payload during the final phase of the intrusion. Due to the layered protection provided by security products, packed encryptors can still be detected in memory or at other stages of execution. EDR killers, on the other hand, provide a predictable and repeatable step in the attack chain, giving attackers a more deterministic workflow. Moreover, EDR killers aim to disrupt the security solution as a whole, effectively eliminating all protection layers.

The technology behind EDR killers

Scripts

The simplest EDR killers don’t rely on vulnerable drivers or other advanced techniques. Instead, they abuse built-in administrative tools and commands such as taskkill, net stop, or sc delete to tamper with security product processes and services. These crude approaches still appear occasionally but are now mostly associated with low-skill ransomware threat actors and commodity malware.

Slightly more sophisticated variants combine scripting with Windows Safe Mode. Since Safe Mode loads only a minimal subset of the operating system, and security solutions typically aren’t included, malware has a higher chance of disabling protection. At the same time, such activity is very noisy, as it requires a reboot, which is risky and unreliable in unknown environments. Therefore, it’s seen only rarely in the wild.
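The script-based killers described above are the easiest to catch in process-creation telemetry, because they use commands that are logged verbatim. The following is an added example (not code from the ESET post) that scans command lines of the shape a SIEM receives from Sysmon Event ID 1 or Security Event 4688 and flags taskkill, net stop and sc aimed at a security product, plus a Safe Mode boot request made with bcdedit. The process and service names in PROTECTED_IMAGES and PROTECTED_SERVICES are placeholders (an assumption; a deployment would list the images and services of its own security stack), and the sample events are constructed.

```python
"""Detect script-based EDR tampering in process-creation telemetry (added example)."""
import shlex

# Placeholder names standing in for a security product's processes and services.
PROTECTED_IMAGES = {"edrsvc.exe", "edragent.exe", "avscan.exe"}
PROTECTED_SERVICES = {"edrsvc", "avsvc"}
# sc verbs that stop, remove, or reconfigure a service (the post names sc delete;
# stop and config are added here as the obvious siblings).
SC_TAMPER_VERBS = {"stop", "delete", "config"}


def tokenize(cmdline):
    """Split a Windows command line; posix=False keeps backslashes intact."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def classify(cmdline):
    """Return (rule, severity) for a suspicious command line, else None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")
    args = [t.lower() for t in toks[1:]]

    if exe == "taskkill":
        # taskkill /F /IM <image>: the value after /IM names the target process.
        for i, a in enumerate(args[:-1]):
            if a == "/im" and args[i + 1] in PROTECTED_IMAGES:
                return ("taskkill_security_process", "high")
    elif exe in ("net", "net1"):
        if len(args) >= 2 and args[0] == "stop" and args[1] in PROTECTED_SERVICES:
            return ("net_stop_security_service", "high")
    elif exe == "sc":
        if len(args) >= 2 and args[0] in SC_TAMPER_VERBS and args[1] in PROTECTED_SERVICES:
            return ("sc_" + args[0] + "_security_service", "high")
    elif exe == "bcdedit" and "safeboot" in args:
        # Scheduling a Safe Mode boot is the noisy, rarely seen variant from the post.
        return ("safe_mode_boot_configured", "critical")
    return None


def scan(events):
    """events: iterable of {"host", "user", "cmdline"} dicts; returns a list of findings."""
    findings = []
    for ev in events:
        hit = classify(ev["cmdline"])
        if hit:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "rule": hit[0], "severity": hit[1], "cmdline": ev["cmdline"]})
    return findings


# Constructed sample telemetry (not real incident data); the last two lines are benign.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\admin", "cmdline": 'taskkill /F /IM "edrsvc.exe"'},
    {"host": "WS01", "user": "CORP\\admin", "cmdline": "net stop edrsvc /y"},
    {"host": "WS01", "user": "CORP\\admin", "cmdline": "C:\\Windows\\System32\\sc.exe delete avsvc"},
    {"host": "WS01", "user": "CORP\\admin", "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"host": "WS02", "user": "CORP\\helpdesk", "cmdline": "net stop spooler"},
    {"host": "WS02", "user": "CORP\\helpdesk", "cmdline": "taskkill /F /IM notepad.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']}: {f['rule']} <- {f['cmdline']}")
```

Matching on the target name rather than on the command alone is what keeps the rule quiet: a helpdesk operator restarting the print spooler or killing Notepad produces no finding, while the same commands aimed at the security stack do. The Safe Mode rule is rated higher because, as the post notes, a reboot is both rare and a strong signal that the actor is about to run the encryptor.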

Gray zone: Anti-rootkits

Years ago, before Microsoft enforced kernel-mode driver signing, rootkits flourished in the cybercrime ecosystem, hiding malicious activity by manipulating kernel structures. Their prevalence led to the development of specialized anti-rootkit tools designed to detect and remove them. Because rootkits operate in kernel mode, such tools naturally require high privileges and their own drivers to locate, enumerate, and neutralize the rootkits.

Today, ransomware affiliates frequently abuse these same anti-rootkit tools: not to remove rootkits, but to cripple security solutions. Many anti-rootkits offer a user-friendly GUI that allows users (including attackers with little technical capability) to terminate protected processes or services. In other words, legitimate remediation tools have become convenient EDR killers when misused. Such tools include GMER (see Figure 1), HRSword, and PC Hunter.

Figure 1. The GUI of GMER, a popular anti-rootkit solution

Rootkits

Although rootkits are largely rare in modern cybercrime, notable exceptions still surface. One example from last year is ABYSSWORKER, a kernel-mode rootkit that drew attention after its creators managed to sign it using certificates stolen from Chinese companies. These certificates had also been used to sign other malware and are therefore not specific to ABYSSWORKER. Since the stolen certificates belong to a trusted certificate chain, such a driver is still allowed to run in the kernel. And, to make things more complicated, even certificate revocation is not a bulletproof option, as recently demonstrated by Huntress.

Vulnerable drivers

The BYOVD technique has become the hallmark of modern EDR killers: dominant, reliable, and widely used. In a typical scenario, an attacker drops a legitimate but vulnerable driver onto the victim machine, installs the driver, and then runs malware that abuses the driver’s vulnerability. The goal is to terminate protected processes or disable callbacks that security products rely on.

Although there are thousands of legitimate vulnerable drivers, only a relatively small subset is actively exploited in ransomware incidents. However, the availability of public PoCs means that there’s effectively no limit on the number of threat actors that can adopt or adapt exploits for these vulnerabilities. Some attackers reuse existing codebases with minimal or no modifications, others change no logic but reimplement them in their preferred programming language, and some even develop entirely new EDR killers (keeping only the small portion of the original code responsible for driver exploitation) that they either use on their own or offer as a service.

Driverless EDR killers

Finally, a smaller but growing class of EDR killers achieves its goals without touching the kernel at all. Instead of terminating EDR processes, these tools interfere with other critical functions. Examples include tools like EDRSilencer, which blocks communication between an endpoint and its security backend, and EDR-Freeze, which causes EDR processes to “hang” or become unresponsive. These driverless techniques are popular because their unconventional approach makes detection and mitigation harder, and because they are publicly available. Indeed, ESET researchers have seen ransomware threat actors adopt these tools within days of their release.

Who develops EDR killers?

In 2025, ESET researchers published an analysis of EDRKillShifter, an EDR killer developed by RansomHub operators and offered directly to their affiliates. At the time of writing, we aren’t aware of any other RaaS programs whose operators provide their own proprietary EDR killers. This makes the now-defunct RansomHub a notable exception in the ransomware landscape.

Instead, most threat actors fall into one of the following categories:

  • non-RaaS gangs developing their own EDR killers,
  • attackers forking and slightly modifying public proof-of-concept code, or
  • attackers purchasing an EDR killer from underground marketplaces.

Let’s break these situations down in more detail.

Closed groups

Non-RaaS gangs usually operate as fully closed ecosystems: no affiliates, no initial access brokers, and no external partners. These groups maintain tight control over their intrusion workflows and typically rely on a repeatable, internally consistent set of TTPs. Given this level of operational discipline, developing their own EDR killers becomes a natural extension of their toolset.

ESET researchers highlighted an early example of this in-house development model in 2024 with the Embargo gang. At the time, Embargo relied on two EDR killers:

  • a custom Safe Mode script, leveraging the technique already described earlier, and
  • MS4Killer, a tool inspired by the publicly available s4killer PoC.

Although MS4Killer was based on an available PoC, its developers made significant modifications: they added parallelism, changed the code flow, and encrypted strings and the embedded driver. Since the publication of that research, Embargo has shifted to yet another public PoC, evil‑mhyprot‑cli, this time with minimal code modifications.

A second, more recent, example is the DeadLock gang. DeadLock maintains a low profile by not running a dedicated leak site and by conducting all negotiations via Session, a popular alternative to the more common Tox. ESET researchers have observed DeadLock using two EDR killers, DLKiller (also mentioned as an unnamed loader by Cisco Talos) and Susanoo, as well as anti-rootkits such as GMER and PC Hunter. ESET researchers believe with low confidence that DLKiller and the DeadLock encryptor are the work of the same developer, based on notable, but on their own inconclusive, code similarities. Interestingly, Susanoo provides a loading screen and a GUI, both shown in Figure 2, allowing for manual interaction and expecting the attacker to have interactive access to the victim’s machine.

Figure 2. Susanoo EDR killer’s loading screen (left) and GUI (right)

As the screenshot clearly demonstrates, Susanoo offers buttons to pre-load the list of monitored processes – a dedicated one targeting Sophos-related processes and a “TNT” one targeting all processes known to Susanoo.

The third and final example is Warlock. Although the Warlock leak site has been silent since November 6th, 2025, the group remains operational and keeps expanding its technical arsenal. The gang is known for its willingness to experiment: it adapted the VS Code abuse technique for stealthy remote access, previously documented in September 2024 and used by the Mustang Panda APT group, while also pioneering the malicious use of Velociraptor. Ever since, Warlock has consistently relied on these techniques. Its approach to encryptors mirrors this pattern as well – Warlock has employed several different encryptors over time, ranging from custom ones to variants based on Babyk or generated using the leaked LockBit Black builder.

Given all that, Warlock’s experimentation with EDR killers is no surprise. Since the gang first appeared, it has routinely deployed multiple EDR killers per intrusion, sometimes even dozens during recent operations, effectively brute-forcing its way to a working solution. Warlock’s tooling is diverse not only in quantity but also in technical depth: the gang doesn’t limit itself to a single vulnerable driver and has abused at least nine different drivers so far, including some without any publicly available PoC (at least to our knowledge); a detail that underscores the group’s technical proficiency and its ability to adapt offensive tools beyond what is readily available publicly.

Modification of a PoC

This is by far the most common approach observed in ransomware intrusions. Threat actors frequently take an existing, well-tested PoC and adjust only the noncritical parts before deploying it in real attacks. These modifications typically include:

  • removing or altering debugging messages,
  • adding code obfuscation,
  • adjusting the list of targeted security products, and
  • rewriting the tool in a different programming language.

The crucial point, however, is that the core exploitation logic, specifically the part that interacts with the vulnerable driver, almost never changes. This logic is often as simple as calling the Windows API DeviceIoControl with the “correct” dwIoControlCode value and the name of the process to terminate in lpInBuffer. While renaming strings, restructuring the codebase, or reimplementing the tool in another language are operations that don’t require deep technical knowledge, modifying the exploitation logic really does, and is therefore usually avoided.

While there are many publicly available PoCs for EDR killers, one repository stands out: BlackSnufkin’s BYOVD. Regularly updated, it contains (at the time of writing) PoCs for exploiting 10 vulnerable drivers, each implemented following the same modular template. The implementation allows for easy modifications, extensions, and new driver support. Moreover, the code is well documented (see Figure 3), making this repository probably the most frequently used one in ransomware activity in the wild.

Figure 3. BdApiUtil-Killer, one of BlackSnufkin’s PoCs with a detailed usage guide

We detected one of BlackSnufkin’s EDR killers, TfSysMon-Killer, deployed during a Monti ransomware attack in February 2025; the deployed variant was identical functionality-wise, but was reimplemented from Rust to C++, likely to align with the threat actor’s other tools. Another example of language switching is dead-av, which its author openly describes as a Go rewrite of GhostDriver, another PoC created by BlackSnufkin.

A more extensive modification effort can be seen in SmilingKiller, an EDR killer recently observed by ESET researchers during LockBit and Dire Wolf intrusions. Its developer was inspired by kill-floor, an EDR killer PoC that abuses Avast’s aswArPot.sys. Besides modifying debug messages and adding control-flow flattening obfuscation (see Figure 4), the author also switched the abused driver to K7RKScan.sys, the same driver abused by K7Terminator, another of BlackSnufkin’s PoCs.

Figure 4. Code similarities between kill-floor (left, purple) and SmilingKiller (right, blue), with specific similarities highlighted in pink

EDR killer as a service

Given the strong and growing demand for EDR-disruption tools, it’s no surprise that a parallel market for commercial EDR killers has emerged. The range of offerings is wide: some advertisements provide only vague promises with no technical details, while others include extensive feature lists, usage instructions, and even video demonstrations. Below are three notable examples.

One such advertisement, disclosed by Flare in October 2025, originated from a threat actor using the moniker Бафомет. The threat actor advertised an EDR killer that ESET researchers later named DemoKiller. ESET telemetry confirms that DemoKiller has been used by affiliates of the Qilin, Akira, and The Gentlemen gangs, and we also observed it deployed once during a RansomHouse intrusion. The advertisement is shown in Figure 5.

Figure 5. The advertisement for DemoKiller (source: Flare)

Another paid EDR killer revolves around the ABYSSWORKER rootkit, previously discussed in this blogpost. When paired with its HeartCrypt-packed loader component, which ESET researchers named AbyssKiller, this EDR killer has become one of the most commonly observed commercial ones in the wild. ESET researchers have seen AbyssKiller used by affiliates of the Medusa, DragonForce, and the now-disrupted BlackSuit gangs.

The final noteworthy example is an EDR killer that we call CardSpaceKiller. This tool is consistently packed using VX Crypt, a relatively new packer as a service analyzed by Sophos in late 2025. VX Crypt is not unique to this EDR killer; it has also been used to protect other malware families such as BumbleBee. According to Sophos, CardSpaceKiller has appeared in intrusions involving Akira, Medusa, Qilin, and Crytox. ESET telemetry aligns with these findings and additionally shows deployment during MedusaLocker incidents. Analyzing the unpacked payload, it’s immediately clear that this EDR killer comes from a commercial offering, where the developer tries to handle edge cases with a warning (see Figure 6).

Figure 6. Part of CardSpaceKiller’s code demonstrating the developer attempting to handle edge cases that may occur for customers

The nature and price of such commercially advertised tools vary. Some claim to sell source code, others only individual builds. The price is often a matter of individual negotiation; when disclosed publicly, the price has varied from hundreds to thousands of US dollars.

EDR killers and AI

While the set of abused vulnerable drivers remains relatively small, the number of distinct user-mode components that are part of modern EDR killers in the wild is growing rapidly. Given this surge in volume and variety, it’s natural in 2026 to ask: is AI contributing to this proliferation?

Determining whether AI directly assisted in producing a specific codebase is often practically impossible. There is no definitive forensic marker that reliably distinguishes AI-generated code from human-written code, especially when attackers post-process or obfuscate it. However, ESET researchers assess that at least some recently observed EDR killers exhibit characteristics strongly suggestive of AI-assisted generation.

A clear example appears in an EDR killer recently deployed by Warlock. The tool contains a section of code that not only prints a list of Possible fixes, a pattern typical of AI-generated boilerplate, but also, instead of exploiting a specific driver, implements a trial-and-error mechanism that cycles through several unrelated, commonly abused device names until it finds one that works. The corresponding code is shown in Figure 7.

Figure 7. Likely AI-generated code of an EDR killer used by Warlock

Beyond the drivers

Fully understanding the EDR killer ecosystem requires looking far beyond vulnerable drivers. While driver exploitation remains a dominant pillar of many tools, it is just one part of a wider landscape. Our research shows that focusing on drivers alone obscures meaningful relationships between tools, affiliates, and activity clusters.

A key observation is the division of labor in RaaS ecosystems. Operators typically supply the encryptor and supporting infrastructure, but EDR killer selection is left to affiliates. This means that the larger the affiliate pool, the more diverse the EDR killer tooling becomes. At the same time, the consistent reuse of specific tools within particular clusters can help identify new affiliations, strengthen infrastructure linkages, and reveal operator-affiliate relationships that would remain invisible if one looked only at encryptor families.

Driver reuse and switching

Public PoCs have made driver exploitation widely accessible, but this has created a misleading situation: the same vulnerable driver is often reused across unrelated EDR killers, and the same EDR killer can utilize different drivers over time. As a result, driver-based attribution alone is error-prone.

A clear example is the Baidu Antivirus driver BdApiUtil.sys, which appears in several independent projects, including:

  • dead-av,
  • BdApiUtil-Killer,
  • DLKiller,
  • HexKiller, one of Warlock’s EDR killers, and
  • SevexKiller, a recent EDR killer detected during Akira deployments.

The same pattern appears with the TfSysMon.sys driver (ThreatFire System Monitor). It’s abused by TfSysMon-Killer, Susanoo, and EDRKillShifter – three codebases with distinct implementations and development histories.

Driver switching is equally common. CardSpaceKiller, for example, initially relied on HwRwDrv.sys, but later variants migrated to ThrottleStop.sys with minimal changes to the remaining logic. The driver is interchangeable; the exploitation layer remains largely the same.

This illustrates the broader point: drivers are a commodity resource, and their presence alone provides little insight into threat actor sophistication or relationships.
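The same commodity nature shows up in the IoC table at the end of this post, where a single BdApiUtil hash is listed under four different filenames. The following is an added example (not code from the ESET post) of driver-load triage that keys on the file hash rather than the filename, using the two vulnerable-driver SHA-1 values, filenames and detection names from the post’s IoC table. The event records are constructed, and their field names (image, sha1, signed) are an assumption loosely modelled on Sysmon Event ID 6 (DriverLoad).

```python
"""Triage driver-load events by SHA-1, not filename (added example)."""
import hashlib
import ntpath

# SHA-1 -> description, taken from the post's IoC table.
VULNERABLE_DRIVER_HASHES = {
    "148c0cde4f2ef807aea77d7368f00f4c519f47ef": "Baidu Antivirus BdApi vulnerable driver",
    "468121e7d6952799f92940677268937c4c5f92ed": "K7RKScan Kernel Module vulnerable driver",
}
# What a filename-only blocklist would typically carry: the vendor's original names.
BLOCKED_NAMES = {"bdapiutil64.sys", "k7rkscan.sys"}


def sha1_of_file(path):
    """SHA-1 of a file on disk, hashed in chunks so large drivers are not read whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_driver_load(event):
    """Return a verdict for one driver-load event.

    matched_by is "both", "hash", "name" or None. A hash match is reported even
    when the file carries a valid signature: the post documents drivers that
    loaded with stolen, expired or revoked certificates, so signature state on
    its own is not a safe allow signal.
    """
    name = ntpath.basename(event["image"]).lower()
    sha1 = event["sha1"].lower()
    by_hash = VULNERABLE_DRIVER_HASHES.get(sha1)
    by_name = name in BLOCKED_NAMES
    if by_hash and by_name:
        matched = "both"
    elif by_hash:
        matched = "hash"
    elif by_name:
        matched = "name"
    else:
        matched = None
    return {
        "image": event["image"],
        "matched_by": matched,
        "description": by_hash,
        "signed": event.get("signed", False),
        # True when only the hash caught it: a renamed copy a name list would miss.
        "renamed_copy": bool(by_hash and not by_name),
    }


def summarize(events):
    """Count flagged loads and how many a filename-only list would have missed."""
    verdicts = [classify_driver_load(e) for e in events]
    flagged = [v for v in verdicts if v["matched_by"]]
    return {
        "flagged": len(flagged),
        "missed_by_name_only": sum(1 for v in flagged if v["renamed_copy"]),
    }


# Constructed events. The first two share the BdApiUtil hash under two of the
# filenames the IoC table lists; the third is the K7RKScan hash under its
# renamed filename from the table; the last is an unrelated driver with a
# placeholder hash.
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\drivers\\BdApiUtil64.sys",
     "sha1": "148C0CDE4F2EF807AEA77D7368F00F4C519F47EF", "signed": True},
    {"image": "C:\\ProgramData\\kihost.sys",
     "sha1": "148c0cde4f2ef807aea77d7368f00f4c519f47ef", "signed": True},
    {"image": "C:\\Users\\Public\\wamsdk.sys",
     "sha1": "468121e7d6952799f92940677268937c4c5f92ed", "signed": True},
    {"image": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "sha1": "0000000000000000000000000000000000000000", "signed": True},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify_driver_load(e))
    print(summarize(SAMPLE_EVENTS))
```

Of the three flagged loads, two would slip past a list of vendor filenames, which is the practical consequence of the reuse and renaming described above. The converse limit also applies: a hash list catches renamed copies but not re-signed variants of the kind Check Point counted for Truesight.sys, which is one more reason the post argues for acting before the driver ever reaches the load stage.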

Detection evasion

Attackers aren’t putting much effort into making their encryptors undetected. Rather, all the sophisticated defense-evasion techniques have shifted to the user-mode components of EDR killers. This trend is most visible in commercial EDR killers, which often incorporate mature anti-analysis and anti-detection capabilities. Notable recurring techniques include:

  • Driver decoupling. The killer and the driver are often delivered separately. Affiliates manually install the driver first, verifying that it loads successfully before executing the actual EDR-killing component.
  • Use of commercial packers. Packers such as VX Crypt (as used with CardSpaceKiller) and HeartCrypt (as used with AbyssKiller) provide structure-level obfuscation, anti‑VM behavior, and continuous repacking to evade static signatures. Popular code virtualization protectors like VMProtect and Themida are also favored.
  • Encrypted embedded drivers. When a driver is bundled with an EDR killer, it’s frequently stored in encrypted form.
  • External encrypted payloads. Some EDR killers store encrypted shellcode or auxiliary components in separate files. This approach effectively hides critical parts of the killer from defenders.
  • Code obfuscation. Common techniques include control-flow flattening (SmilingKiller), call-by-hash resolution (CardSpaceKiller), and string obfuscation.
  • Password protection. EDRKillShifter is a perfect example of this technique. Protecting a crucial part of the EDR killer with a password creates detection challenges, but also provides research opportunities.

Defending against ransomware and EDR killers

Defending against ransomware requires a fundamentally different mindset than defending against automated threats. Phishing emails, commodity malware, and exploit chains stop once detected and neutralized by security solutions; ransomware intrusions don’t. They’re interactive, human-driven operations, and intruders continuously adapt to detections, tool failures, and environmental obstacles. As a result, even when individual steps are detected, they only have defensive value if defenders – whether an internal SOC team, an MSSP, or an MDR provider – respond appropriately, immediately, and with sufficient decisiveness.

Most EDR killers rely on legitimate but vulnerable drivers, which is why defenders often instinctively focus on driver blocking. Blocking the driver from loading is a crucial step and does indeed neutralize the EDR killer, but only at the last possible moment. By the time an affiliate attempts to install the driver, they typically already have high privileges and are seconds away from launching the encryptor. If the EDR killer fails, they’ll simply try another tool.

Because these drivers are legitimate, overly aggressive blocking risks disrupting business-critical software, complicating incident handling. Targeted blocking also faces challenges. In February 2025, Check Point showed that threat actors were able to create over 2,500 samples of Truesight.sys, all of them remaining validly signed due to a weakness in the signature validity checking process. Truesight.sys is also one of many examples of a weakness in Microsoft’s driver signing policy. A year later, in February 2026, Huntress analyzed an intrusion where EnPortv.sys was abused despite its certificate being expired and explicitly revoked.

This is why a prevention-first strategy is essential. Blocking commonly misused drivers from loading is an effective and necessary defense mechanism, but it shouldn’t be the only one. Studying EDR killers allows defenders to build a multilayered strategy that goes further; the goal is to stop the EDR killer before execution. After all, when it comes to ransomware, the best defense strategy is to have methods in place to detect, contain, and remediate the threat at every possible step.
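The “driver decoupling” item in the Detection evasion list and the prevention-first argument above point at the same defensive window: the driver is installed first and the user-mode killer runs afterwards, so a responder who acts on the install has a few seconds to a few minutes before the encryptor. The following is an added example (not code from the ESET post) that correlates that sequence on a per-host timeline. The event shapes are constructed: a kernel-driver service registration modelled loosely on System Event 7045, a driver load, and a process start. Treating a driver outside %SystemRoot%\System32\drivers as unusual, and a process outside the Windows and Program Files directories as worth escalating, are assumptions a real deployment would tune.

```python
"""Correlate a decoupled driver install with the execution that follows (added example)."""
from datetime import datetime, timedelta
import ntpath

TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(events, window=timedelta(minutes=10)):
    """Return alerts in time order.

    Stage 1 fires on the service registration itself so responders can contain
    the host before the load; stages 2 and 3 escalate as the chain progresses
    on the same host within the window.
    """
    alerts = []
    chains = {}  # (host, driver basename) -> {"t": install time, "stage": 1..3}
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, host = _ts(ev["ts"]), ev["host"]
        if ev["type"] == "service_install" and ev.get("service_type") == "kernel_driver":
            path = ev["image_path"].lower()
            if not path.startswith(TRUSTED_DRIVER_DIR):
                chains[(host, ntpath.basename(path))] = {"t": t, "stage": 1}
                alerts.append({"host": host, "stage": 1, "severity": "medium",
                               "detail": "kernel driver service registered from unusual path: "
                                         + ev["image_path"]})
        elif ev["type"] == "driver_load":
            c = chains.get((host, ntpath.basename(ev["image_path"]).lower()))
            if c and c["stage"] == 1 and t - c["t"] <= window:
                c["stage"] = 2
                alerts.append({"host": host, "stage": 2, "severity": "high",
                               "detail": "driver from unusual path loaded: " + ev["image_path"]})
        elif ev["type"] == "process_start":
            if ev["image"].lower().startswith(SYSTEM_DIRS):
                continue  # binaries from system locations are not escalated here
            for (h, drv), c in chains.items():
                if h == host and c["stage"] == 2 and t - c["t"] <= window:
                    c["stage"] = 3
                    secs = int((t - c["t"]).total_seconds())
                    alerts.append({"host": host, "stage": 3, "severity": "critical",
                                   "detail": f"{ev['image']} started {secs}s after "
                                             f"{drv} was installed and loaded"})
    return alerts


# Constructed telemetry: a full chain on SRV01, and a benign vendor driver
# plus a system binary on WS07 that must produce nothing.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T10:00:00", "host": "SRV01", "type": "service_install",
     "service_type": "kernel_driver", "image_path": "C:\\ProgramData\\kihost.sys"},
    {"ts": "2026-03-01T10:00:04", "host": "SRV01", "type": "driver_load",
     "image_path": "C:\\ProgramData\\kihost.sys"},
    {"ts": "2026-03-01T10:00:21", "host": "SRV01", "type": "process_start",
     "image": "C:\\ProgramData\\updater.exe"},
    {"ts": "2026-03-01T10:05:00", "host": "WS07", "type": "service_install",
     "service_type": "kernel_driver",
     "image_path": "C:\\Windows\\System32\\drivers\\vendorfilter.sys"},
    {"ts": "2026-03-01T10:05:02", "host": "WS07", "type": "driver_load",
     "image_path": "C:\\Windows\\System32\\drivers\\vendorfilter.sys"},
    {"ts": "2026-03-01T10:05:30", "host": "WS07", "type": "process_start",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']} stage {a['stage']}: {a['detail']}")
```

The stage 1 alert is deliberately raised before anything has been confirmed malicious: the point of the post’s argument is that by the time the driver loads, the affiliate is already privileged and seconds from the encryptor, so a medium-severity alert that arrives early is worth more than a certain one that arrives late.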

Conclusion

EDR killers endure because they’re cheap, consistent, and decoupled from the encryptor – a perfect match for both encryptor developers, who don’t need to focus on making their encryptors undetectable, and affiliates, who get an easy-to-use, powerful utility to disrupt defenses prior to encryption.

Our research presents telemetry-backed insights into the EDR killer ecosystem that move past the commonly seen driver-centric approach. We document how affiliates, not operators, shape tooling diversity, and how codebases routinely reuse and swap drivers. We outline how the past year saw increasingly commercialized offerings for EDR killers, and show how commercial EDR killers in particular can provide the defense evasion techniques commonly missing in encryptors.

We emphasize that while preventing vulnerable drivers from loading is a crucial step in the line of defense, it can also lead to potential business disruptions, which is why one shouldn’t rely solely on that and should aim to disrupt EDR killers before they even get a chance to load the driver. Moreover, we demonstrated that driverless approaches, whether script- or vulnerability-based, are a popular addition to any ransomware threat actor’s arsenal.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

SHA-1 | Filename | Detection | Description
54547180A99474B0DBA289D92C4A8F3EEA78B531 | 2Gk8.exe | Win32/Loader.Lycaon.Y.gen | AbyssKiller EDR killer.
75F85CAEA52FE5A124FA77E2934ABD3161690ADD | smuot.sys | Win64/Rootkit.Agent.DX | The ABYSSWORKER rootkit.
002573D80091F7F8167BCBDA3A402B85FA915F19 | lasdjfioasdjfioer.exe | Win64/HackTool.EDRSilencer.C | EDRSilencer EDR killer.
1E7567C0D525AD037FBBBAFB643BF40541994411 | EDR-Freeze.exe | Win64/HackTool.EDRFreeze.A | EDR-Freeze EDR killer.
65C2388B0AFB1D1F1860BB887456D8D6CD8B5645 | Killer.exe | Win64/KillAV.DQ | EDRKillShifter EDR killer.
A9F37104D2D89051F34E1486BC6EBFF44D147E67 | EDRGay.exe | Win32/KillAV.NVJ | DLKiller EDR killer.
083F604377D74C4377822EF35021E34AD7DACEEA | susanoo.exe | Win64/KillAV.CQ | Susanoo EDR killer.
570161A420992280A8ECED253EDC800296B72D1C | vmtools.exe | Win32/KillAV.NVL | HexKiller EDR killer.
BBE0E14BC7ECE8A7A1236D5A12E30476CFCEF110 | Check.exe | WinGo/KillAV.M | SevexKiller EDR killer.
31CE76931CA09D3918B34E3187703BC72E6D647E | TfSysMon-Killer.exe | Win64/KillAV.DP | TfSysMon-Killer EDR killer.
B9820BF443C375577CEEF44B9491E3A569A1B9E8 | deadav.exe | WinGo/KillAV.L | dead-av EDR killer.
34270B07538B7357CF10D0D5BDA68F234B602F93 | zcasdfhsdjfhoqewruoqwe.exe | Win64/KillAV.DP | GhostDriver EDR killer.
09735640D6634B0303755A9FD3B2BC80F932126C | pip.exe | Win32/KillAV.NVQ | SmilingKiller EDR killer.
85BC0A4F67522D6AC6BE64D763E65A2945EC5028 | kill-floor.exe | Win64/KillAV.AV | kill-floor EDR killer.
711C95FEAD2215E9AC59E32E6E3B0D71AD5C5AA5 | demor.exe | Win64/Agent.GAJ | DemoKiller EDR killer.
BC65ED919988C8E4B8F5A1CD371745456601700A | demo.exe | Win64/KillAV.DR | DemoKiller EDR killer.
148C0CDE4F2EF807AEA77D7368F00F4C519F47EF | BdApiUtil64.sys, drivergay.sys, Gosling.sys, kihost.sys | Win64/VulnDriver.Baidu.D | Baidu Antivirus BdApi vulnerable driver.
468121E7D6952799F92940677268937C4C5F92ED | K7RKScan.sys, K7RKScan_1516.sys, wamsdk.sys | Win64/VulnDriver.K7Computing.A | K7RKScan Kernel Module vulnerable driver.
C881F43C7FE94A6F056A84DA8E9A32FE56D8DD9C | elliot.sys, kill.sys, TfSysMon.sys, WatchMgrs.sys | Win64/Riskware.PCInstruments.A | ThreatFire System Monitor vulnerable driver.
67D17CA90880B448D5C3B40F69CEC04D3649F170 | 1721894530.sys, rentdrv2.sys | Win64/VulnDriver.RentDrv.A | Rentdrv2 vulnerable driver.
F329AE0FDF1E198BEA6BA787E59CB73F90714002 | information.sys | Win64/VulnDriver.AMD.E | USB-C Power Delivery Firmware Update Utility vulnerable driver.
82ED942A52CDCF120A8919730E00BA37619661A3 | NitrogenK.sys, rwdrv.sys, ThrottleBlood.sys, ThrottleStop.sys | Win64/VulnDriver.GPUZ.B | ThrottleStop vulnerable driver.
CE1B9909CEF820E5281618A7A0099A27A70643DC | hlpdrv.sys | Win64/Agent.GRL | Custom rootkit used by CardSpaceKiller.
5D6B9E80E12BFC595D4D26F6AFB099B3CB471DD4 | aswArPot.sys, kallmekris.sys | Win64/VulnDriver.Avast.A | Avast anti-rootkit vulnerable driver.
7310D6399683BA3EB2F695A2071E0E45891D743B | probmon.sys, Sysprox.sys | Win64/VulnDriver.ITMSystem.A | ITM SYSTEM File Filter vulnerable driver.
C85C9A09CD1CB1691DA0D96772391BE6DDBA3555 | kl.sys, rspot.sys | Win64/VulnDriver.Rising.A | Beijing Rising Network Security vulnerable driver.
6EE94F6BDC4C4ED0FFF621FEC36C70FF093659ED | msupdate.sys, thelper.sys | Win32/IP-guard.E | OCular THelper vulnerable driver.
BA14C43031411240A0836BEDF8C8692B54698E05 | praxisbackup.exe | Win64/Agent.ECW | MS4Killer EDR killer.
127B50C8185986A52AE66BF6E7E67A6FD787C4FC | model.dll | Win64/KillAV.CardSpaceKiller.C | CardSpaceKiller EDR killer.
A3BDB419703A70157F2B7BD1DC2E4C9227DD9FE8 | 0th3r_av5.exe | Win64/KillAV.CardSpaceKiller.A | CardSpaceKiller EDR killer.
4A57083122710D51F247367AFD813A740AC180A1 | DrKiller_Cry_0x000E25C5DF65A3A.exe | Win64/Kryptik.FBC | CardSpaceKiller EDR killer.
DB8BCB8693DDF715552F85B8E2628F060070F920 | HwRwDrv.sys, MegaDrov.sys | Win64/VulnDriver.HwRwDrv.C | CardSpaceKiller EDR killer.

MITRE ATT&CK techniques

This table was built using version 18 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Script-based EDR killers use taskkill, sc, net stop, and similar commands to tamper with security.
Execution | T1569.002 | System Services: Service Execution | EDR killers execute vulnerable drivers as services.
Persistence | T1543.003 | Create or Modify System Process: Windows Service | Some EDR killers may create services to run during Safe Mode or at the next boot.
Persistence | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | EDR killers register scripts and services to run early at boot to interfere with EDR loading.
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | BYOVD-based EDR killers exploit vulnerable drivers to obtain kernel-level privileges.
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | EDR killers terminate or suspend EDR/AV processes and services to bypass detection.
Defense Evasion | T1562.009 | Impair Defenses: Safe Mode Boot | Script-based EDR killers reboot systems into Safe Mode to tamper with security components.
Defense Evasion | T1070.004 | Indicator Removal: File Deletion | EDR killers may attempt to delete EDR/AV files to disable protections.
Defense Evasion | T1562.006 | Impair Defenses: Indicator Blocking | Driverless EDR killers block telemetry and network communication (e.g., EDRSilencer).
Defense Evasion | T1027 | Obfuscated Files or Information | Commercial EDR killers in particular use obfuscation and encryption (e.g., CardSpaceKiller).
Defense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | Some EDR killers embed the drivers directly into their user-mode components, often encrypted.
Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | Commercial EDR killers rely on packers like HeartCrypt or VX Crypt, and also on advanced code protectors like Themida and VMProtect.
Defense Evasion | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | EDR killers like SmilingKiller use control-flow flattening and code obfuscation.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Some EDR killers store encrypted drivers and shellcode in dedicated files on disk.
Impact | T1490 | Inhibit System Recovery | Some EDR killers delete or rename security-related files, impacting recovery.
Impact | T1489 | Service Stop | EDR killers stop protected services of security products and tamper with their functionality.
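The prevention-first paragraph above argues for layers beyond driver blocking, and the ATT&CK table names the concrete behaviours those layers can look for: a vulnerable driver being loaded (T1068 / T1569.002) and the taskkill, sc and net stop commands of script-based killers (T1059.003 / T1562.001 / T1489). The following Python is an added example of a triage pass over endpoint events that checks for both; it is not code from the ESET article or from ESET. The key=value event format, the host names, the list of protected product names and the sample events are all constructed for the example; the driver SHA-1 values are copied from the IoC table above.

```python
"""Added example (not from the ESET article): a small triage pass over
constructed Sysmon-style events that flags the two EDR-killer behaviours
the article describes: loading a driver whose SHA-1 appears in the
article's IoC list (BYOVD), and script-based tampering with security
services via taskkill, sc, or net stop. Event format, host names and the
protected-service list are assumptions made for this example."""
import re
from dataclasses import dataclass

# SHA-1 values copied from the article's IoC table (driver entries only).
# A real deployment would use a fuller feed, such as the Microsoft vulnerable
# driver blocklist, rather than this hand-picked subset.
KNOWN_DRIVER_SHA1 = {
    "148C0CDE4F2EF807AEA77D7368F00F4C519F47EF": "Baidu Antivirus BdApi vulnerable driver",
    "468121E7D6952799F92940677268937C4C5F92ED": "K7RKScan Kernel Module vulnerable driver",
    "C881F43C7FE94A6F056A84DA8E9A32FE56D8DD9C": "ThreatFire System Monitor vulnerable driver",
    "67D17CA90880B448D5C3B40F69CEC04D3649F170": "Rentdrv2 vulnerable driver",
    "82ED942A52CDCF120A8919730E00BA37619661A3": "ThrottleStop vulnerable driver",
    "5D6B9E80E12BFC595D4D26F6AFB099B3CB471DD4": "Avast anti-rootkit vulnerable driver",
    "DB8BCB8693DDF715552F85B8E2628F060070F920": "HwRwDrv driver used by CardSpaceKiller",
}

# Process and service names of security products: an assumed, non-exhaustive
# list that separates tampering with protection from ordinary admin work.
PROTECTED_NAMES = ("msmpeng", "windefend", "mssense", "ekrn", "csfalcon", "sentinel")

# Command-line patterns for script-based EDR killers, tagged with the ATT&CK
# technique from the article's table.
KILL_PATTERNS = (
    ("T1562.001", re.compile(r"\btaskkill(?:\.exe)?\b.*/(?:im|pid)\b", re.I)),
    ("T1489", re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete|config)\b", re.I)),
    ("T1489", re.compile(r"\bnet(?:\.exe)?\s+stop\b", re.I)),
)


@dataclass
class Finding:
    technique: str
    host: str
    detail: str


def parse_event(line):
    """Parse a 'key=value key="quoted value"' line into a dict."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in pairs}


def analyze(lines):
    """Return one Finding per event that matches an EDR-killer behaviour."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "unknown")
        kind = ev.get("event")
        if kind == "DriverLoad":
            sha1 = ev.get("sha1", "").upper()
            if sha1 in KNOWN_DRIVER_SHA1:
                findings.append(Finding("T1068", host,
                                        f"{ev.get('image')}: {KNOWN_DRIVER_SHA1[sha1]}"))
        elif kind == "ProcessCreate":
            cmd = ev.get("cmdline", "")
            if not any(name in cmd.lower() for name in PROTECTED_NAMES):
                continue  # stopping an unrelated service is not an EDR-killer signal
            for technique, pattern in KILL_PATTERNS:
                if pattern.search(cmd):
                    findings.append(Finding(technique, host, cmd))
                    break
    return findings


# Constructed sample events; the benign driver's hash is a placeholder.
SAMPLE_EVENTS = [
    'host=WS01 event=ProcessCreate image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd /c taskkill /F /IM MsMpEng.exe"',
    'host=WS01 event=ProcessCreate image="C:\\Windows\\System32\\sc.exe" cmdline="sc stop WinDefend"',
    'host=WS02 event=ProcessCreate image="C:\\Windows\\System32\\net.exe" cmdline="net stop Spooler"',
    'host=WS02 event=DriverLoad image="C:\\Windows\\Temp\\rentdrv2.sys" sha1=67D17CA90880B448D5C3B40F69CEC04D3649F170',
    'host=WS03 event=DriverLoad image="C:\\Windows\\System32\\drivers\\tcpip.sys" sha1=0000000000000000000000000000000000000000',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.host}: {f.detail}")
```

The hash check is the "block known drivers" layer and, as the article notes, catches only files already on a list; the renamed copies in the IoC table (the same SHA-1 under several filenames) show why matching by hash rather than filename matters. The command-line rule is the earlier layer the article asks for: it fires at the script stage, before any driver is loaded, and ignores service stops that do not touch a security product.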
