
Shared secret: EDR killer in the kill chain

Medium
Published: Thu Aug 07 2025 (08/07/2025, 18:57:10 UTC)
Source: AlienVault OTX General

Description

This intelligence report analyzes a tool designed to disable endpoint security software, particularly EDR products, on hosts an attacker already controls. The tool, known as AVKiller, has been observed in multiple ransomware attacks since 2022. It is heavily protected against analysis, targets a range of security vendors, and uses a driver signed with a compromised certificate to terminate security processes and services. The report details the tool's characteristics, its connection to ransomware attacks, and gives examples of its use by specific ransomware families. Notably, it highlights evidence of tool sharing and technical knowledge transfer among competing ransomware groups, suggesting a more interconnected ecosystem than previously assumed.

AI-Powered Analysis

Last updated: 08/07/2025, 22:03:00 UTC

Technical Analysis

The threat described, known as AVKiller, is a tool built to disable Endpoint Detection and Response (EDR) products on hosts an attacker already controls. It has been observed in multiple ransomware campaigns since 2022, so it is in active use across several ransomware operations; this pulse attributes the activity to RansomHub. The tool works by loading a driver signed with a compromised code-signing certificate, the bring-your-own-vulnerable-driver (BYOVD) pattern. Because the driver executes in kernel mode, it can terminate protected processes and stop services that an ordinary administrator-level process is not permitted to touch, which is precisely how EDR agents normally defend themselves. Once the agent is gone, the ransomware payload runs with little risk of detection or interruption. AVKiller targets a broad range of security vendors rather than a single product, and the binary is heavily protected, most likely through packing, obfuscation and anti-analysis checks that slow detection and reverse engineering. The report also documents tool sharing and technical knowledge transfer among competing ransomware groups, which suggests that AVKiller or its components are traded or sold between crews; this increases proliferation and complicates attribution, since the same killer turns up in attacks run by different operators. In MITRE ATT&CK terms the behaviour maps to impairing defenses (disabling or modifying security tools) and subverting trust controls through abuse of code signing, with the signed driver as the route to kernel privileges. No affected software versions or patches are listed, which is consistent with a technique that abuses the operating system's trust in signed drivers rather than a flaw in any particular EDR product. AVKiller is not an initial-access vector: loading a driver requires local administrator rights, so the tool is deployed post-compromise, after privilege escalation, as the step in the kill chain that immediately precedes ransomware deployment.

Potential Impact

For European organizations the impact is significant because EDR is widely deployed as the frontline control against hands-on-keyboard intrusions, and this tool exists specifically to remove it. With the endpoint sensor gone, ransomware operators can encrypt and steal data with little chance of interruption, leading to operational disruption, financial loss and data breaches. Its use by multiple ransomware families raises the likelihood of attacks across finance, healthcare, manufacturing and critical infrastructure, all sectors that lean heavily on endpoint security. Because the killer acts from a kernel driver and terminates processes and services quietly, detection and response are delayed, dwell time grows and so does the damage. Tool sharing among ransomware groups accelerates both the spread and the refinement of the technique. The use of compromised code-signing certificates also erodes trust in the software supply chain: a signature that validates is no longer sufficient evidence that a driver is safe to load. Overall the tool poses a medium to high risk; organizations whose defence depends primarily on EDR, without layered controls that notice its removal, are the most exposed.

Mitigation Recommendations

1. Prevent unauthorized kernel drivers from loading: enforce Windows Defender Application Control (WDAC) with the Microsoft recommended driver block rules (the vulnerable driver blocklist), enable memory integrity (HVCI), and restrict who may install drivers. The tool depends on getting its driver into the kernel; blocking that step defeats it regardless of which EDR product is targeted.
2. Enable tamper protection (or the vendor's equivalent anti-tamper setting) in the deployed EDR and anti-malware products so their services and processes cannot be stopped by a local administrator, and alert when tamper protection is turned off.
3. Treat code-signing trust as a supply-chain control: monitor for drivers signed by unfamiliar or recently issued certificates, consume certificate revocation data promptly, and if your organization signs drivers, keep the signing keys in an HSM so they cannot be stolen and reused in this way.
4. Do not rely on the EDR agent alone to report its own death. Forward driver load events (Sysmon Event ID 6), process terminations (Sysmon Event ID 5), service state changes (System log Event ID 7036) and loss of sensor heartbeat to a SIEM, and alert when security-product processes or services stop shortly after an unexpected driver load.
5. Layer controls across network, endpoint and identity so that the lateral movement and privilege escalation that precede the killer's deployment are detected even if the endpoint sensor is later removed; loading a driver requires local administrator rights, so the escalation that comes first is a detection opportunity.
6. Keep operating systems and security products patched to reduce the avenues by which operators obtain the elevated privileges needed to deploy the tool.
7. Hunt for signs of EDR tampering: unusual service stoppages, drivers loaded from user-writable paths such as temp or profile directories, and sensors that go silent while the host stays online.
8. Maintain incident response playbooks that treat loss of EDR telemetry from a host as a containment trigger rather than a health issue, with pre-approved isolation steps.
9. Participate in threat intelligence sharing communities to receive indicators for new variants, including the certificates and drivers associated with this tool and the ransomware groups using it.
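The hunting recommendations above can be expressed as a correlation rule. The following Python script is an added example, not code from the Sophos report or the AlienVault pulse: it parses constructed Sysmon-style and System-log events, flags kernel driver loads whose signer is not on an allow-list or whose signature status is anything other than Valid, and raises a finding when such a load is followed within five minutes by terminations of security-product processes or services. The field names, the signer allow-list, the product-name hints and the driver file names are assumptions to adapt to your own telemetry.

```python
"""Hunt for EDR-tampering sequences in Windows event data.

Added example, not code from the Sophos report or the AlienVault pulse.
Field names are assumptions loosely modelled on Sysmon (Event ID 6 DriverLoad,
Event ID 5 ProcessTerminate) and the System log (Event ID 7036, service state
change); adapt them to your own schema. Sample records are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: signers your fleet legitimately loads kernel drivers from. A driver
# signed with a stolen certificate still reports SignatureStatus=Valid, so the
# signer must be allow-listed, not merely "valid".
TRUSTED_DRIVER_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Assumption: name fragments of security-product processes and services.
SECURITY_PRODUCT_HINTS = (
    "msmpeng", "mssense", "windows defender", "csfalcon", "crowdstrike",
    "sophos", "sentinel", "cbdefense", "carbon black", "mcshield", "elastic",
)


@dataclass
class Event:
    ts: datetime
    event_id: int
    data: dict


def parse_events(jsonl: str) -> list:
    """One JSON object per line -> Event records sorted by timestamp."""
    events = []
    for line in jsonl.splitlines():
        if line.strip():
            rec = json.loads(line)
            events.append(Event(datetime.fromisoformat(rec["ts"]), int(rec["event_id"]), rec))
    return sorted(events, key=lambda e: e.ts)


def is_suspicious_driver_load(ev: Event) -> bool:
    """Event ID 6: any status other than Valid, or a Valid signature from a
    signer outside the allow-list (the compromised-certificate case)."""
    if ev.event_id != 6:
        return False
    return (ev.data.get("SignatureStatus") != "Valid"
            or ev.data.get("Signature") not in TRUSTED_DRIVER_SIGNERS)


def touches_security_product(ev: Event) -> bool:
    """Event ID 5 (process terminated) or 7036 (service stopped) naming a security product."""
    if ev.event_id == 5:
        target = ev.data.get("Image", "")
    elif ev.event_id == 7036 and ev.data.get("State", "").lower() == "stopped":
        target = ev.data.get("ServiceName", "")
    else:
        return False
    return any(hint in target.lower() for hint in SECURITY_PRODUCT_HINTS)


def suspicious_driver_loads(events: list) -> list:
    return [e for e in events if is_suspicious_driver_load(e)]


def hunt(jsonl: str, window: timedelta = timedelta(minutes=5), min_hits: int = 2) -> list:
    """One finding per suspicious driver load followed, inside `window`,
    by at least `min_hits` security-product kills."""
    events = parse_events(jsonl)
    findings = []
    for load in suspicious_driver_loads(events):
        kills = [e for e in events
                 if load.ts <= e.ts <= load.ts + window and touches_security_product(e)]
        if len(kills) >= min_hits:
            findings.append({
                "driver": load.data.get("ImageLoaded"),
                "signer": load.data.get("Signature"),
                "signature_status": load.data.get("SignatureStatus"),
                "hits": len(kills),
                "targets": [k.data.get("Image") or k.data.get("ServiceName") for k in kills],
            })
    return findings


# Constructed sample: a benign Microsoft driver load and unrelated noise, then a
# driver with a *Valid* signature from an unknown signer followed by three
# security-product kills, then a revoked-signature driver with no follow-up.
SAMPLE_EVENTS = r"""
{"ts": "2025-08-05T09:30:00", "event_id": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"ts": "2025-08-05T09:31:00", "event_id": 5, "Image": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2025-08-05T10:00:00", "event_id": 6, "ImageLoaded": "C:\\Windows\\Temp\\hwmon64.sys", "Signature": "Example Hardware Ltd", "SignatureStatus": "Valid"}
{"ts": "2025-08-05T10:00:03", "event_id": 5, "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"}
{"ts": "2025-08-05T10:00:04", "event_id": 7036, "ServiceName": "Sophos Endpoint Defense Service", "State": "stopped"}
{"ts": "2025-08-05T10:00:05", "event_id": 5, "Image": "C:\\Program Files\\CrowdStrike\\CSFalconService.exe"}
{"ts": "2025-08-05T11:15:00", "event_id": 6, "ImageLoaded": "C:\\Users\\Public\\pcimon.sys", "Signature": "Example Hardware Ltd", "SignatureStatus": "Revoked"}
"""

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

The caveat the sample is built around: a driver signed with a stolen but not-yet-revoked certificate carries SignatureStatus=Valid, so a rule that checks only validity misses exactly the case this report describes. Allow-listing the signer and correlating the load with what happens to the security products in the following minutes is what produces the finding; the revoked-signature load at the end is flagged as suspicious but does not become a finding on its own, which keeps the rule from paging on every odd driver.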


Technical Details

Author: AlienVault
TLP: white
References: https://news.sophos.com/en-us/2025/08/06/shared-secret-edr-killer-in-the-kill-chain/
Adversary: RansomHub
Pulse Id: 6894f706ccd8068cfdffd6e7
Threat Score: null

Indicators of Compromise

Hash

Type     Value (algorithm inferred from digest length: 32 hex characters = MD5, 40 = SHA-1, 64 = SHA-256)
MD5      03af2bf85923ce0fda7c20f8f82839c9
MD5      43e12d7695fb568b5fce049341ae9175
MD5      557233b045b52a4b5a72424683d6da48
MD5      f09c2115e5029e8e8b10b7e2309fab47
SHA-1    54547180a99474b0dba289d92c4a8f3eea78b531
SHA-1    6b76184d186d93cef98df43f1e307eb2ab866c1b
SHA-1    c348147c75ccd95fbb6b0587f8cc9842c1735223
SHA-1    f58e1b5508a9a14e2b3bda1834d7f79d221912b7
SHA-256  05f8f514d1367aca856564af5443a75f47d22a30ce63f0b024a41e6b9553a527
SHA-256  0b4295bcd7bf850fea2b1bc09f652da028af33d625b11781ac875c603a52e5a8
SHA-256  0eaa413dc13bc846258e5b4670142bea20e567065b7f4bbc135fe62d93878160
SHA-256  10c1b292e67b22b5d91071185e33597a242c8dea6a7a523befab5922e3002285
SHA-256  147dee11a406a86dd9b42982c091e8acbaca13614edb75f447cbaffb23017a90
SHA-256  15cd13e0cad20394ec1405748e4bd50e3f27313c6274aee098c4eb0ede970b4c
SHA-256  1c1c7a3305e87bf58eb116a09167c1135f3ba23aaca5c0bfcd1b545510ac271c
SHA-256  2073d94af0aa560c11e3399d2b83a720ee373a46ccf835486e57c37e3d1d9a25
SHA-256  22e2f183175ec02d1bb8bf32f1731d77fa855f24b588dffb398ac741f91e1698
SHA-256  27502080db7fc2815afb6e19c5cbb3206cd80863d19f97644519fa1c1c343a7b
SHA-256  2912be03b75dab3131f41d658e149b64c089839052472e36f5f13f193bf16253
SHA-256  3fbe5a1ed857a6736e061a6850706f9e8a7e881f024bff044df1c34795b89bf4
SHA-256  422800c5553ec5444f7ec593805e0cf4622921d6d5cb3da3a511007047a24721
SHA-256  43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98
SHA-256  45f9d530edb5c71c24d7787ba0f12743d0ecf042ba9e96922364bbacbb32927c
SHA-256  4686bf07db10376fb4c8ce3b729c4ab60d89b454fc57feb39f9607cb43a081d9
SHA-256  48e6e071b70566bc9fabbbff995946076b410f5459356b65051ae10e04fe512f
SHA-256  49ed990459486e569cd1428b045baff1e61b86cdeef84a75384b5f7f46bd678e
SHA-256  4aa0456c7f0ad4d85324ab135d55641b15245b58e681efcaba319e605c5bed07
SHA-256  56add2f70df9a1cb46b675e928a15d3769e2060059f4bb286fa217a2ec930ca5
SHA-256  597d4011deb4f08540e10d1419b5cbdfb38506ed53a5c0ccfb12f96c74f4a7a1
SHA-256  5baf5445c4b22c645ff6d509a744e0b6c96fe5c5ea84ed471421af890cfd8533
SHA-256  5c8f53bd9eb13ac07ca5190ed0946c9feb5c73627bf5c0c9e79b28626310ad90
SHA-256  5e423483165666976997e17b9834b9f6bd0da6c4b0da23f45584203f7c08fe4c
SHA-256  5ec67fc827c2335c31303238b439822addf52552c9895478cb27840e252b6029
SHA-256  6d5f086f742883c0905a0c9593d332762c9b73016b87d933161cbdb97b3cf1ca
SHA-256  6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be
SHA-256  77e089dfeb1d114d4171e461e0c4f36b895ed8ef5ee23e8b243bdf491837b5b6
SHA-256  7e19a1ca2144051c9cd66440b4fe54fbb01aee6a86fd196f5d0b67f04d19a18a
SHA-256  875f4fd64c50e293859e04396e6342fd93695c3f21606596cf982a9205e92fd9
SHA-256  927e3aef03a8355d236230cace376b3023480a40c5ac08453c07dab343dd1f11
SHA-256  a2d071da4bfc6bd9cd576a922d1677160f03c9bf7bd65e8f96c78cbb1068d41c
SHA-256  a3938d9639148406d218835f1e1f0afcfbd566de3849b61a51fdcc54d100abba
SHA-256  aa99b6c308d07acac8c7066c29d44442054815e62ea9a3f21cc22cdec0080bc8
SHA-256  aae2e7f4feb75a61c98a727a9da9c3eba213e9e43aa7c9e81e2b3c2f6439b908
SHA-256  af7d822da46d777b512a90ee982a7661d8a6c78f9bd1f3d34ce38ef2b44117e6
SHA-256  b8c1f3d24f0282c84ed599147462d4031df43cd4fceef38afcee4b3fc8f16e7b
SHA-256  bbab99faba116f5dd2ad138f036787e56141e1b4c6368d8852743fe7c78948ce
SHA-256  bdaea3d46444373d7107d62270c0358b82569fbf5d66e6dd7c90faf53308f477
SHA-256  c56feeb27a58d24e9f53319513c838e22e92124aa1ef24d977c7ab12b7c5c9c3
SHA-256  c793304fabb09bb631610f17097b2420ee0209bab87bb2e6811d24b252a1b05d
SHA-256  ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151
SHA-256  d2939cd18c9072488767520be081fef71d560896c6293b6633cab099fcd238ae
SHA-256  ddf23db6881e42e65440c26a208c9175ad705c708f0a5d8426a2636bad79777c
SHA-256  df6cb5199c272c491b3a7ac44df6c4c279d23f7c09daed758c831b26732a4851
SHA-256  e6309fdb03313dd1b62467684a49692de5c27bbc3c17e65e2010cfbf686a4bf3
SHA-256  efb642ad3fab4a2e6cb4de829b60e04dd0d9ae7c2b4cf544de28c38f978b4136
SHA-256  f11930cb70556941b6e3c8530956f1381a4cdbd1e3fe8e9f363487a73b45a9c0
SHA-256  f1c37f93d000134b4bfe439add26f3c146958dd87b230123d58790fedce6336a
SHA-256  f51397bb18e166c933fe090320ec23397fed73b68157ce86406db9f07847d355
SHA-256  f60c3942b4247f5da17dbfd7cc92250f0107f8d259a8644a2988c5699751ea2f
MD5      b59d7c331e96be96bcfa2633b5f32f2c
SHA-1    21a9ca6028992828c9c360d752cb033603a2fd93
SHA-1    2bc75023f6a4c50b21eb54d1394a7b8417608728
SHA-1    d58dade6ea03af145d29d896f56b2063e2b078a4
SHA-256  3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da
SHA-256  61557a55ad40b8c40f363c4760033ef3f4178bf92ce0db657003e718dffd25bd
SHA-256  a44aa98dd837010265e4af1782b57989de07949f0c704a6325f75af956cc85de
SHA-256  e1ed281c521ad72484c7e5e74e50572b48ea945543c6bcbd480f698c2812cdfe
SHA-256  e5e418da909f73050b0b38676f93ca8f0551981894e2120fb50e8f03f4e2df4f
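To put the indicator list above to use, the following Python script is an added example, not part of the AlienVault pulse or the Sophos report. It parses indicator lines in the form this page prints them (a bare hex digest, optionally prefixed with "hash" or an algorithm label), classifies each digest by length, hashes every file under a directory with MD5, SHA-1 and SHA-256 in a single read, and reports matches. IOC_EXCERPT is a constructed three-line excerpt of the list above; feed the whole list through parse_iocs the same way. Keep in mind that because the report describes the tool as heavily protected, each repacked build will carry new hashes, so a hash sweep confirms a known sample rather than ruling the tool out.

```python
"""Sweep a directory for files matching the hash indicators in this pulse.

Added example, not part of the AlienVault pulse or the Sophos report.
IOC_EXCERPT is a constructed excerpt of the indicator list on this page.
"""
import hashlib
from pathlib import Path

# Hex digest length -> hashlib algorithm name.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def parse_iocs(text: str) -> dict:
    """Return {"md5": set, "sha1": set, "sha256": set} from indicator lines.
    Tolerates "hash<digest>" and "MD5  <digest>" styles; skips non-hex noise."""
    iocs = {name: set() for name in ALGO_BY_LENGTH.values()}
    for line in text.splitlines():
        parts = line.strip().lower().split()
        if not parts:
            continue
        value = parts[-1]
        if value.startswith("hash"):
            value = value[4:]  # hex never contains 'h' or 's', so this cannot eat a digest
        algo = ALGO_BY_LENGTH.get(len(value))
        if algo and set(value) <= HEX:
            iocs[algo].add(value)
    return iocs


def digest_file(path: Path) -> dict:
    """Compute all three digests in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in ALGO_BY_LENGTH.values()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root: Path, iocs: dict) -> list:
    """Recursively hash files under root; return (path, algorithm, digest) hits."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            digests = digest_file(path)
        except OSError:
            continue  # locked, unreadable or vanished mid-sweep: keep going
        for algo, value in digests.items():
            if value in iocs[algo]:
                hits.append((path, algo, value))
    return hits


# Constructed excerpt of the indicator list above, one entry per algorithm.
IOC_EXCERPT = """
hash03af2bf85923ce0fda7c20f8f82839c9
hash54547180a99474b0dba289d92c4a8f3eea78b531
hash05f8f514d1367aca856564af5443a75f47d22a30ce63f0b024a41e6b9553a527
"""

if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, algo, value in sweep(root, parse_iocs(IOC_EXCERPT)):
        print(f"MATCH {algo} {value} {path}")
```

Run it as `python sweep.py C:\` (or any root) after pasting the full indicator list into IOC_EXCERPT. Hashing with all three algorithms in one read avoids walking large volumes three times, and matching on whichever algorithm the indicator was published in means the MD5-only and SHA-1-only entries in the list are not silently ignored.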

Threat ID: 68951f00ad5a09ad00fd40d4

Added to database: 8/7/2025, 9:47:44 PM

Last enriched: 8/7/2025, 10:03:00 PM

Last updated: 8/16/2025, 4:18:02 PM
