Shared secret: EDR killer in the kill chain
Aug. 7, 2025, 10:14 p.m.
Description
This intelligence report analyzes a sophisticated tool built to disable endpoint security software, particularly EDR agents, on compromised hosts. The tool, tracked as AVKiller, has been observed in multiple ransomware attacks since 2022. It is heavily protected against analysis, targets products from a range of security vendors, and uses a kernel driver signed with a compromised certificate to terminate security processes and services. The report details the tool's characteristics and its connection to ransomware attacks, and gives examples of its use by specific ransomware families. Notably, it highlights evidence of tool sharing and technical knowledge transfer among competing ransomware groups, suggesting a more complex ecosystem than previously thought.
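The behaviour summarized above (a driver with a bad certificate is loaded, then security processes and services are killed) maps directly onto a two-step correlation rule. The block below is an added example, not code from the report it summarizes or from any vendor: it runs that detection logic over constructed log lines in the style of Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate), flattened to key=value text. The host names, paths, timestamps, signer name, the `edragent.exe` process name and the 120-second correlation window are assumptions made for the example; only MsMpEng.exe is a real product process (Microsoft Defender's engine).

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), one per line, in the
# style of Sysmon ID 6 (DriverLoad) and ID 5 (ProcessTerminate) records.
# Hosts, paths, signer names and timestamps are invented for this example.
SAMPLE_LOGS = """\
2025-08-07T10:00:01 host=WS01 event=6 ImageLoaded="C:\\Windows\\System32\\drivers\\ntfs.sys" SignatureStatus=Valid Signature="Microsoft Windows"
2025-08-07T10:02:15 host=WS01 event=6 ImageLoaded="C:\\ProgramData\\drv\\svc.sys" SignatureStatus=Revoked Signature="Example Signer Ltd"
2025-08-07T10:02:17 host=WS01 event=5 Image="C:\\Program Files\\Windows Defender\\MsMpEng.exe"
2025-08-07T10:02:18 host=WS01 event=5 Image="C:\\Program Files\\ExampleEDR\\edragent.exe"
2025-08-07T10:30:00 host=WS02 event=5 Image="C:\\Program Files\\Windows Defender\\MsMpEng.exe"
2025-08-07T11:00:00 host=WS03 event=6 ImageLoaded="C:\\Users\\bob\\AppData\\Local\\Temp\\x.sys" SignatureStatus=Unavailable Signature=-
"""

# key=value pairs; values may be double-quoted when they contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process image names whose termination is a strong signal. MsMpEng.exe is
# Microsoft Defender's engine; edragent.exe is a placeholder for your own
# EDR agent (assumption: extend this set for the vendors you run).
WATCHLIST = {"msmpeng.exe", "edragent.exe"}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
WINDOW = timedelta(seconds=120)  # assumed correlation window


def parse_line(line):
    """Turn one flattened log line into a dict with a datetime 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def driver_load_reasons(ev):
    """Reasons a DriverLoad event looks like BYOVD staging (empty if none)."""
    reasons = []
    if ev.get("SignatureStatus") != "Valid":
        reasons.append("signature " + ev.get("SignatureStatus", "?"))
    if not ev.get("ImageLoaded", "").lower().startswith(TRUSTED_DRIVER_DIR):
        reasons.append("loaded from outside System32\\drivers")
    return reasons


def detect(log_text):
    """Correlate suspicious driver loads with security-process kills per host."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    kills = [e for e in events if e["event"] == "5"
             and e["Image"].rsplit("\\", 1)[-1].lower() in WATCHLIST]
    alerts = []
    for ev in events:
        if ev["event"] != "6":
            continue
        reasons = driver_load_reasons(ev)
        if not reasons:
            continue
        # Watchlisted terminations on the same host shortly after the load.
        followed = [k["Image"] for k in kills
                    if k["host"] == ev["host"]
                    and ev["ts"] <= k["ts"] <= ev["ts"] + WINDOW]
        alerts.append({
            "host": ev["host"],
            "driver": ev["ImageLoaded"],
            "reasons": reasons,
            "killed": followed,
            # A bad driver alone is worth a look; bad driver plus kills is the
            # EDR-killer pattern.
            "severity": "high" if followed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a["severity"].upper(), a["host"], a["driver"], a["reasons"], a["killed"])
```

On the sample data this yields a high-severity alert for WS01 (revoked-signature driver from ProgramData, followed within seconds by two security-process terminations) and a medium-severity alert for WS03 (unsigned driver from a Temp directory, no kills seen). The lone MsMpEng.exe termination on WS02 is not raised on its own, which is the trade-off of this rule: it keys on the driver load first, so it should be paired with a separate check on unexpected security-service stops.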
Date
- Created: Aug. 7, 2025, 6:57 p.m.
- Published: Aug. 7, 2025, 6:57 p.m.
- Modified: Aug. 7, 2025, 10:14 p.m.
Indicators (SHA-256 file hashes)
- e5e418da909f73050b0b38676f93ca8f0551981894e2120fb50e8f03f4e2df4f
- e1ed281c521ad72484c7e5e74e50572b48ea945543c6bcbd480f698c2812cdfe
- a44aa98dd837010265e4af1782b57989de07949f0c704a6325f75af956cc85de
- 61557a55ad40b8c40f363c4760033ef3f4178bf92ce0db657003e718dffd25bd
- 3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da
- f60c3942b4247f5da17dbfd7cc92250f0107f8d259a8644a2988c5699751ea2f
- f51397bb18e166c933fe090320ec23397fed73b68157ce86406db9f07847d355
- f1c37f93d000134b4bfe439add26f3c146958dd87b230123d58790fedce6336a
- f11930cb70556941b6e3c8530956f1381a4cdbd1e3fe8e9f363487a73b45a9c0
- efb642ad3fab4a2e6cb4de829b60e04dd0d9ae7c2b4cf544de28c38f978b4136
- e6309fdb03313dd1b62467684a49692de5c27bbc3c17e65e2010cfbf686a4bf3
- ddf23db6881e42e65440c26a208c9175ad705c708f0a5d8426a2636bad79777c
- d2939cd18c9072488767520be081fef71d560896c6293b6633cab099fcd238ae
- ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151
- c793304fabb09bb631610f17097b2420ee0209bab87bb2e6811d24b252a1b05d
- c56feeb27a58d24e9f53319513c838e22e92124aa1ef24d977c7ab12b7c5c9c3
- bdaea3d46444373d7107d62270c0358b82569fbf5d66e6dd7c90faf53308f477
- bbab99faba116f5dd2ad138f036787e56141e1b4c6368d8852743fe7c78948ce
- b8c1f3d24f0282c84ed599147462d4031df43cd4fceef38afcee4b3fc8f16e7b
- af7d822da46d777b512a90ee982a7661d8a6c78f9bd1f3d34ce38ef2b44117e6
- aae2e7f4feb75a61c98a727a9da9c3eba213e9e43aa7c9e81e2b3c2f6439b908
- aa99b6c308d07acac8c7066c29d44442054815e62ea9a3f21cc22cdec0080bc8
- a3938d9639148406d218835f1e1f0afcfbd566de3849b61a51fdcc54d100abba
- a2d071da4bfc6bd9cd576a922d1677160f03c9bf7bd65e8f96c78cbb1068d41c
- 927e3aef03a8355d236230cace376b3023480a40c5ac08453c07dab343dd1f11
- 875f4fd64c50e293859e04396e6342fd93695c3f21606596cf982a9205e92fd9
- 7e19a1ca2144051c9cd66440b4fe54fbb01aee6a86fd196f5d0b67f04d19a18a
- 77e089dfeb1d114d4171e461e0c4f36b895ed8ef5ee23e8b243bdf491837b5b6
- 6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be
- 6d5f086f742883c0905a0c9593d332762c9b73016b87d933161cbdb97b3cf1ca
- 5e423483165666976997e17b9834b9f6bd0da6c4b0da23f45584203f7c08fe4c
- 5ec67fc827c2335c31303238b439822addf52552c9895478cb27840e252b6029
- 5c8f53bd9eb13ac07ca5190ed0946c9feb5c73627bf5c0c9e79b28626310ad90
- 597d4011deb4f08540e10d1419b5cbdfb38506ed53a5c0ccfb12f96c74f4a7a1
- 5baf5445c4b22c645ff6d509a744e0b6c96fe5c5ea84ed471421af890cfd8533
- 56add2f70df9a1cb46b675e928a15d3769e2060059f4bb286fa217a2ec930ca5
- 49ed990459486e569cd1428b045baff1e61b86cdeef84a75384b5f7f46bd678e
- 4aa0456c7f0ad4d85324ab135d55641b15245b58e681efcaba319e605c5bed07
- 48e6e071b70566bc9fabbbff995946076b410f5459356b65051ae10e04fe512f
- 4686bf07db10376fb4c8ce3b729c4ab60d89b454fc57feb39f9607cb43a081d9
- 45f9d530edb5c71c24d7787ba0f12743d0ecf042ba9e96922364bbacbb32927c
- 43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98
- 422800c5553ec5444f7ec593805e0cf4622921d6d5cb3da3a511007047a24721
- 3fbe5a1ed857a6736e061a6850706f9e8a7e881f024bff044df1c34795b89bf4
- 2912be03b75dab3131f41d658e149b64c089839052472e36f5f13f193bf16253
- 27502080db7fc2815afb6e19c5cbb3206cd80863d19f97644519fa1c1c343a7b
- 22e2f183175ec02d1bb8bf32f1731d77fa855f24b588dffb398ac741f91e1698
- 2073d94af0aa560c11e3399d2b83a720ee373a46ccf835486e57c37e3d1d9a25
- 1c1c7a3305e87bf58eb116a09167c1135f3ba23aaca5c0bfcd1b545510ac271c
- 15cd13e0cad20394ec1405748e4bd50e3f27313c6274aee098c4eb0ede970b4c
- 10c1b292e67b22b5d91071185e33597a242c8dea6a7a523befab5922e3002285
- 147dee11a406a86dd9b42982c091e8acbaca13614edb75f447cbaffb23017a90
- 0eaa413dc13bc846258e5b4670142bea20e567065b7f4bbc135fe62d93878160
- 05f8f514d1367aca856564af5443a75f47d22a30ce63f0b024a41e6b9553a527
- 0b4295bcd7bf850fea2b1bc09f652da028af33d625b11781ac875c603a52e5a8
- df6cb5199c272c491b3a7ac44df6c4c279d23f7c09daed758c831b26732a4851
Attack Patterns (associated malware families and tools)
- Crytox
- AVKiller
- Dragonforce
- Lynx
- MedusaLocker
- Brave Prince - S0252
- Qilin
- RansomHub
- BlackSuit