A newly discovered EDR-killer tool is being actively deployed by at least eight different ransomware groups to disable antivirus and endpoint detection systems during attacks. The tool relies on the Bring Your Own Vulnerable Driver (BYOVD) technique, allowing threat actors to neutralize even the most well-known security software.
Shared but customized for each attack
According to security researchers at Sophos, this tool is not a one-size-fits-all malware. Each ransomware group appears to be using a uniquely compiled version, which strongly suggests a shared framework rather than a leaked binary. Sophos first noticed the tool being used by the RansomHub gang and later observed similar variants employed by other ransomware groups, including:
- BlackSuit
- Medusa
- Qilin
- Dragonforce
- Crytox
- Lynx
- INC
Each group is believed to have received the tool through private sharing, potentially indicating collaboration or access to a paid service.
How the tool works
The EDR-killer is delivered as a heavily obfuscated binary that self-decodes during execution. Once active, it injects itself into legitimate processes and searches for a hardcoded, signed driver file, usually given a randomly generated five-character filename.
Using the BYOVD technique, the tool then loads a vulnerable or stolen signed driver into the Windows kernel. In many observed cases, it impersonates legitimate drivers, such as the CrowdStrike Falcon Sensor Driver, to elevate privileges and disable security processes without detection.
Disabling top security tools
The goal of the tool is to cripple antivirus and EDR systems before deploying the ransomware payload. It targets a broad range of security products, including:
- Microsoft Defender
- Sophos
- SentinelOne
- Cylance
- Kaspersky
- Trend Micro
- Webroot
- Symantec
- McAfee
- HitmanPro
- F-Secure
By terminating their processes or services at the kernel level, the ransomware can operate without interference.
Growing trend of modular offensive tools
This tool follows the path of previously seen attack frameworks like EDRKillShifter, AuKill, and AvNeutralizer, which were also shared among ransomware operators. These tools are increasingly modular and easy to adapt, making them attractive to multiple groups seeking stealthy, reliable ways to bypass security controls.
Defenders urged to act
Sophos has published technical details and Indicators of Compromise (IOCs) to help defenders recognize the tool’s usage in the wild. Organizations are encouraged to monitor for signs of suspicious driver installations, especially during the initial stages of a compromise.
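As an added example (not code from Sophos or from this article), the following Python script turns the indicators described above into a triage check over constructed, Sysmon-Event-ID-6-style driver-load records: a five-character driver name dropped outside the system drivers directory, a driver posing as a CrowdStrike Falcon Sensor component whose signature does not back that up, and a signature that is present but no longer valid. The flattened record format, the expected signer string and the sample paths are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: the collector has flattened Sysmon Event ID 6 (driver loaded)
# into "Key=Value" fields joined by "|".
DRIVERS_DIR = r"c:\windows\system32\drivers"
# Vendor keyword seen in a driver path -> signer we expect on its certificate.
# The signer string is an assumption for illustration, not a verified value.
EDR_VENDORS = {"crowdstrike": "crowdstrike, inc."}

@dataclass
class DriverLoad:
    image: str    # ImageLoaded
    signed: bool  # Signed
    signer: str   # Signature (signing certificate subject)
    status: str   # SignatureStatus

def parse_sysmon6(line: str) -> DriverLoad:
    f = dict(kv.split("=", 1) for kv in line.split("|"))
    return DriverLoad(f["ImageLoaded"], f["Signed"].lower() == "true",
                      f["Signature"], f["SignatureStatus"])

def suspicious_reasons(ev: DriverLoad) -> list[str]:
    reasons = []
    path = ev.image.lower()
    stem = path.rsplit("\\", 1)[-1].removesuffix(".sys")
    in_drivers_dir = path.startswith(DRIVERS_DIR + "\\")
    # Random five-character name outside the normal drivers directory
    # (a five-character name alone is common for legitimate drivers).
    if not in_drivers_dir and re.fullmatch(r"[a-z0-9]{5}", stem):
        reasons.append("five-character driver name outside drivers directory")
    # Path borrows an EDR vendor's identity but the signature does not match.
    for kw, signer in EDR_VENDORS.items():
        if kw in path and (not ev.signed or ev.status != "Valid"
                           or ev.signer.lower() != signer):
            reasons.append(f"poses as {kw} driver but signature does not match")
    # Signature present but expired, revoked or otherwise not valid.
    if ev.status != "Valid":
        reasons.append(f"signature status {ev.status}")
    return reasons

def scan(lines: list[str]) -> dict[str, list[str]]:
    hits = {}
    for line in lines:
        ev = parse_sysmon6(line)
        if r := suspicious_reasons(ev):
            hits[ev.image] = r
    return hits

SAMPLE = [  # constructed sample events
    "ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "ImageLoaded=C:\\Users\\Public\\xk4q2.sys|Signed=true|Signature=Some Hardware Vendor Ltd|SignatureStatus=Valid",
    "ImageLoaded=C:\\ProgramData\\CrowdStrike\\sensor.sys|Signed=true|Signature=Unknown Publisher|SignatureStatus=Revoked",
]

if __name__ == "__main__":
    for image, why in scan(SAMPLE).items():
        print(image, "->", "; ".join(why))
```

Note that the second sample carries a valid signature and is caught only by its name and location: a legitimately signed but vulnerable driver is exactly what BYOVD abuses, so hash lookups against a vulnerable-driver blocklist should complement these heuristics.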
Final Thoughts
The emergence of this new EDR-killer tool marks another escalation in the cybercriminal ecosystem. With at least eight ransomware gangs now using customized builds, the tool’s distribution model suggests a thriving underground market for security-disabling malware. Enterprises must prioritize driver integrity monitoring, kernel-level visibility, and rapid threat response mechanisms to stay ahead of this evolving threat.