Shared secret: EDR killer in the kill chain
This intelligence report analyzes a sophisticated tool designed to disable endpoint security solutions, particularly EDR systems, on infected systems. The tool, known as AVKiller, has been observed in multiple ransomware attacks since 2022. It is heavily protected, targets various security vendors, and uses a driver with a compromised certificate to terminate processes and services. The report details the tool's characteristics, its connection to ransomware attacks, and provides examples of its use in specific ransomware families. Notably, the report highlights evidence of tool sharing and technical knowledge transfer among competing ransomware groups, suggesting a more complex ecosystem than previously thought.
AI Analysis
Technical Summary
The threat described, known as AVKiller, is a sophisticated malware tool specifically designed to disable Endpoint Detection and Response (EDR) systems on compromised hosts. AVKiller has been observed in multiple ransomware campaigns since 2022, indicating its active use in the wild by various ransomware groups. The tool operates by leveraging a malicious driver signed with a compromised certificate, allowing it to terminate critical security processes and services stealthily. This capability effectively neutralizes endpoint security defenses, enabling ransomware payloads to execute with reduced risk of detection or interruption. AVKiller targets a broad range of security vendors, demonstrating a high level of adaptability and technical sophistication. The malware is heavily protected, likely employing obfuscation and anti-analysis techniques to evade detection and reverse engineering. The report also highlights an ecosystem of threat sharing and technical knowledge transfer among competing ransomware groups, suggesting that AVKiller or its components are shared or sold within underground markets, increasing its proliferation and complicating attribution. The tactics employed by AVKiller align with multiple MITRE ATT&CK techniques, including process injection, masquerading, disabling security tools, and use of signed drivers to bypass security controls. Although no specific affected software versions or patches are listed, the presence of a compromised certificate and driver-based approach indicates a high level of sophistication and persistence. The lack of known exploits in the wild for this tool suggests it is primarily deployed post-compromise as part of the ransomware kill chain rather than as an initial attack vector.
Potential Impact
For European organizations, the impact of AVKiller is significant due to its ability to disable EDR solutions, which are widely deployed as a frontline defense against advanced threats. By neutralizing endpoint security, AVKiller facilitates ransomware operators in encrypting critical data, leading to operational disruption, financial loss, and potential data breaches. The tool’s use in multiple ransomware families increases the risk of widespread attacks across sectors such as finance, healthcare, manufacturing, and critical infrastructure, which are heavily reliant on endpoint security. The stealthy nature of AVKiller’s driver and process termination capabilities can delay detection and response efforts, increasing dwell time and damage. Additionally, the sharing of this tool among ransomware groups may accelerate the spread and evolution of attacks targeting European entities. The potential compromise of certificates used to sign malicious drivers undermines trust in software supply chains and complicates defense strategies. Overall, AVKiller poses a medium to high risk to European organizations, especially those with mature EDR deployments that may be targeted to bypass security controls.
Mitigation Recommendations
1. Implement strict code-signing certificate management and monitoring to detect and revoke compromised certificates promptly.
2. Employ advanced behavioral analytics and anomaly detection that do not rely solely on signature-based EDR detection, to identify suspicious process terminations or driver loads.
3. Harden endpoint configurations by restricting driver installation privileges and enforcing application control policies to prevent unauthorized driver loading.
4. Use multi-layered security approaches combining network, endpoint, and identity protections to detect lateral movement and post-compromise activities.
5. Regularly update and patch all security solutions and operating systems to mitigate exploitation of known vulnerabilities that could facilitate AVKiller deployment.
6. Conduct threat hunting exercises focused on detecting signs of EDR tampering or disabling, including monitoring for unusual service stoppages or driver installations.
7. Establish incident response playbooks specifically addressing EDR bypass techniques and ensure rapid containment and remediation capabilities.
8. Collaborate with threat intelligence sharing communities to stay informed about emerging variants and indicators of compromise related to AVKiller and associated ransomware groups.
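Recommendations 2 and 6 above come down to one detection pattern: a driver load whose signer is unsigned, invalid, or on a revoked list, followed shortly afterwards by security services on the same host entering the stopped state. The script below is an added example written for this page, not code from the report or from Sophos or AlienVault. It assumes Windows telemetry has already been normalised into one-line key=value records (Sysmon Event ID 6 for driver loads and System log Event ID 7036 for service state changes are the real event sources; the line format, hostnames, paths, thumbprints and service watchlist are constructed placeholders, not indicators from the report).

```python
"""Flag suspicious driver loads and correlate them with EDR/AV service stops.

Added example for this page; not part of the original report. The log lines,
thumbprints, hostnames and the service watchlist below are CONSTRUCTED samples.
"""
import re
from datetime import datetime, timedelta

# Signer thumbprints the organisation has marked as compromised or revoked.
# Placeholder value; in practice this is fed from certificate management (recommendation 1).
REVOKED_SIGNER_THUMBPRINTS = {"PLACEHOLDER-THUMBPRINT-0001"}

# Services whose stop shortly after a driver load should be escalated.
# Constructed watchlist; adjust to the EDR/AV products actually deployed.
PROTECTED_SERVICES = {"SecurityAgentSvc", "EndpointSensor", "WinDefend"}

# Constructed sample telemetry: one event per line, ISO timestamp then key=value pairs.
SAMPLE_LOG = """\
2025-08-06T10:00:01Z EventID=6 Host=WS01 ImageLoaded=C:\\Windows\\System32\\drivers\\netvsc.sys Signed=true SignatureStatus=Valid SignerThumbprint=OKTHUMB-7A
2025-08-06T10:02:15Z EventID=6 Host=WS01 ImageLoaded=C:\\Users\\Public\\tmp\\drv.sys Signed=true SignatureStatus=Valid SignerThumbprint=PLACEHOLDER-THUMBPRINT-0001
2025-08-06T10:02:17Z EventID=7036 Host=WS01 Service=SecurityAgentSvc State=stopped
2025-08-06T10:02:18Z EventID=7036 Host=WS01 Service=EndpointSensor State=stopped
2025-08-06T10:30:00Z EventID=7036 Host=WS02 Service=Spooler State=stopped
2025-08-06T11:00:00Z EventID=6 Host=WS02 ImageLoaded=C:\\Temp\\x.sys Signed=false SignatureStatus=Unavailable SignerThumbprint=
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")


def parse_events(text):
    """Turn the key=value lines into dicts with a parsed 'ts' timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        ev = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
        for token in m.group("rest").split():
            key, _, value = token.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def driver_load_findings(events, revoked=REVOKED_SIGNER_THUMBPRINTS):
    """Driver loads that are unsigned, carry an invalid signature, or use a revoked signer."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "6":
            continue
        reasons = []
        if ev.get("Signed", "").lower() != "true":
            reasons.append("unsigned driver")
        elif ev.get("SignatureStatus") != "Valid":
            reasons.append(f"signature status {ev.get('SignatureStatus')}")
        if ev.get("SignerThumbprint") in revoked:
            reasons.append("signer thumbprint on revoked list")
        if reasons:
            findings.append({"host": ev["Host"], "image": ev["ImageLoaded"], "reasons": reasons})
    return findings


def edr_tamper_sequences(events, protected=PROTECTED_SERVICES, window=timedelta(minutes=5)):
    """Group protected-service stops under the nearest preceding driver load on the same host.

    Attributing each stop to the closest earlier load (rather than every load in the
    window) keeps a benign driver loaded minutes before from being blamed for the stops.
    """
    loads = [ev for ev in events if ev.get("EventID") == "6"]
    stops = [ev for ev in events if ev.get("EventID") == "7036"
             and ev.get("State") == "stopped" and ev.get("Service") in protected]
    sequences = {}
    for stop in stops:
        candidates = [ld for ld in loads if ld["Host"] == stop["Host"]
                      and timedelta(0) <= stop["ts"] - ld["ts"] <= window]
        if not candidates:
            continue
        trigger = max(candidates, key=lambda ld: ld["ts"])
        key = (trigger["Host"], trigger["ImageLoaded"], trigger["ts"])
        sequences.setdefault(key, []).append(stop["Service"])
    return [{"host": h, "driver": img, "loaded_at": ts.isoformat(), "services_stopped": svcs}
            for (h, img, ts), svcs in sequences.items()]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in driver_load_findings(evs):
        print("suspicious driver:", f)
    for s in edr_tamper_sequences(evs):
        print("possible EDR tamper sequence:", s)
```

On the constructed sample this reports two suspicious loads (the revoked-signer driver on WS01 and the unsigned driver on WS02) and one tamper sequence: the WS01 driver followed within seconds by two protected services stopping. The legitimately signed driver loaded two minutes earlier on WS01 is not blamed, and the Spooler stop on WS02 is ignored because it is not on the watchlist.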
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Indicators of Compromise
- hash: 03af2bf85923ce0fda7c20f8f82839c9
- hash: 43e12d7695fb568b5fce049341ae9175
- hash: 557233b045b52a4b5a72424683d6da48
- hash: f09c2115e5029e8e8b10b7e2309fab47
- hash: 54547180a99474b0dba289d92c4a8f3eea78b531
- hash: 6b76184d186d93cef98df43f1e307eb2ab866c1b
- hash: c348147c75ccd95fbb6b0587f8cc9842c1735223
- hash: f58e1b5508a9a14e2b3bda1834d7f79d221912b7
- hash: 05f8f514d1367aca856564af5443a75f47d22a30ce63f0b024a41e6b9553a527
- hash: 0b4295bcd7bf850fea2b1bc09f652da028af33d625b11781ac875c603a52e5a8
- hash: 0eaa413dc13bc846258e5b4670142bea20e567065b7f4bbc135fe62d93878160
- hash: 10c1b292e67b22b5d91071185e33597a242c8dea6a7a523befab5922e3002285
- hash: 147dee11a406a86dd9b42982c091e8acbaca13614edb75f447cbaffb23017a90
- hash: 15cd13e0cad20394ec1405748e4bd50e3f27313c6274aee098c4eb0ede970b4c
- hash: 1c1c7a3305e87bf58eb116a09167c1135f3ba23aaca5c0bfcd1b545510ac271c
- hash: 2073d94af0aa560c11e3399d2b83a720ee373a46ccf835486e57c37e3d1d9a25
- hash: 22e2f183175ec02d1bb8bf32f1731d77fa855f24b588dffb398ac741f91e1698
- hash: 27502080db7fc2815afb6e19c5cbb3206cd80863d19f97644519fa1c1c343a7b
- hash: 2912be03b75dab3131f41d658e149b64c089839052472e36f5f13f193bf16253
- hash: 3fbe5a1ed857a6736e061a6850706f9e8a7e881f024bff044df1c34795b89bf4
- hash: 422800c5553ec5444f7ec593805e0cf4622921d6d5cb3da3a511007047a24721
- hash: 43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98
- hash: 45f9d530edb5c71c24d7787ba0f12743d0ecf042ba9e96922364bbacbb32927c
- hash: 4686bf07db10376fb4c8ce3b729c4ab60d89b454fc57feb39f9607cb43a081d9
- hash: 48e6e071b70566bc9fabbbff995946076b410f5459356b65051ae10e04fe512f
- hash: 49ed990459486e569cd1428b045baff1e61b86cdeef84a75384b5f7f46bd678e
- hash: 4aa0456c7f0ad4d85324ab135d55641b15245b58e681efcaba319e605c5bed07
- hash: 56add2f70df9a1cb46b675e928a15d3769e2060059f4bb286fa217a2ec930ca5
- hash: 597d4011deb4f08540e10d1419b5cbdfb38506ed53a5c0ccfb12f96c74f4a7a1
- hash: 5baf5445c4b22c645ff6d509a744e0b6c96fe5c5ea84ed471421af890cfd8533
- hash: 5c8f53bd9eb13ac07ca5190ed0946c9feb5c73627bf5c0c9e79b28626310ad90
- hash: 5e423483165666976997e17b9834b9f6bd0da6c4b0da23f45584203f7c08fe4c
- hash: 5ec67fc827c2335c31303238b439822addf52552c9895478cb27840e252b6029
- hash: 6d5f086f742883c0905a0c9593d332762c9b73016b87d933161cbdb97b3cf1ca
- hash: 6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be
- hash: 77e089dfeb1d114d4171e461e0c4f36b895ed8ef5ee23e8b243bdf491837b5b6
- hash: 7e19a1ca2144051c9cd66440b4fe54fbb01aee6a86fd196f5d0b67f04d19a18a
- hash: 875f4fd64c50e293859e04396e6342fd93695c3f21606596cf982a9205e92fd9
- hash: 927e3aef03a8355d236230cace376b3023480a40c5ac08453c07dab343dd1f11
- hash: a2d071da4bfc6bd9cd576a922d1677160f03c9bf7bd65e8f96c78cbb1068d41c
- hash: a3938d9639148406d218835f1e1f0afcfbd566de3849b61a51fdcc54d100abba
- hash: aa99b6c308d07acac8c7066c29d44442054815e62ea9a3f21cc22cdec0080bc8
- hash: aae2e7f4feb75a61c98a727a9da9c3eba213e9e43aa7c9e81e2b3c2f6439b908
- hash: af7d822da46d777b512a90ee982a7661d8a6c78f9bd1f3d34ce38ef2b44117e6
- hash: b8c1f3d24f0282c84ed599147462d4031df43cd4fceef38afcee4b3fc8f16e7b
- hash: bbab99faba116f5dd2ad138f036787e56141e1b4c6368d8852743fe7c78948ce
- hash: bdaea3d46444373d7107d62270c0358b82569fbf5d66e6dd7c90faf53308f477
- hash: c56feeb27a58d24e9f53319513c838e22e92124aa1ef24d977c7ab12b7c5c9c3
- hash: c793304fabb09bb631610f17097b2420ee0209bab87bb2e6811d24b252a1b05d
- hash: ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151
- hash: d2939cd18c9072488767520be081fef71d560896c6293b6633cab099fcd238ae
- hash: ddf23db6881e42e65440c26a208c9175ad705c708f0a5d8426a2636bad79777c
- hash: df6cb5199c272c491b3a7ac44df6c4c279d23f7c09daed758c831b26732a4851
- hash: e6309fdb03313dd1b62467684a49692de5c27bbc3c17e65e2010cfbf686a4bf3
- hash: efb642ad3fab4a2e6cb4de829b60e04dd0d9ae7c2b4cf544de28c38f978b4136
- hash: f11930cb70556941b6e3c8530956f1381a4cdbd1e3fe8e9f363487a73b45a9c0
- hash: f1c37f93d000134b4bfe439add26f3c146958dd87b230123d58790fedce6336a
- hash: f51397bb18e166c933fe090320ec23397fed73b68157ce86406db9f07847d355
- hash: f60c3942b4247f5da17dbfd7cc92250f0107f8d259a8644a2988c5699751ea2f
- hash: b59d7c331e96be96bcfa2633b5f32f2c
- hash: 21a9ca6028992828c9c360d752cb033603a2fd93
- hash: 2bc75023f6a4c50b21eb54d1394a7b8417608728
- hash: d58dade6ea03af145d29d896f56b2063e2b078a4
- hash: 3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da
- hash: 61557a55ad40b8c40f363c4760033ef3f4178bf92ce0db657003e718dffd25bd
- hash: a44aa98dd837010265e4af1782b57989de07949f0c704a6325f75af956cc85de
- hash: e1ed281c521ad72484c7e5e74e50572b48ea945543c6bcbd480f698c2812cdfe
- hash: e5e418da909f73050b0b38676f93ca8f0551981894e2120fb50e8f03f4e2df4f
Technical Details
- Author: AlienVault
- TLP: white
- References: https://news.sophos.com/en-us/2025/08/06/shared-secret-edr-killer-in-the-kill-chain/
- Adversary: RansomHub
- Pulse Id: 6894f706ccd8068cfdffd6e7
- Threat Score: null
Threat ID: 68951f00ad5a09ad00fd40d4
Added to database: 8/7/2025, 9:47:44 PM
Last enriched: 8/7/2025, 10:03:00 PM
Last updated: 8/16/2025, 4:18:02 PM