New EDR Killer Tool Circulating Among Eight Ransomware Groups

Security researchers from Sophos have uncovered a new EDR-killing utility, likely an evolution of the previously documented “EDRKillShifter,” now being used by at least eight different ransomware operations. These include RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.


Tool Behavior and Attack Flow

The EDR killer is delivered as a heavily obfuscated binary that decodes itself at runtime and injects into trusted system processes. It looks for a digitally signed driver, often using a stolen or expired certificate, with a randomly generated five-character name hardcoded into the executable. Once located, the driver is used to perform a Bring Your Own Vulnerable Driver (BYOVD) attack, which allows the tool to achieve kernel-level privileges.

Once active in the kernel, the rogue driver poses as a legitimate file, such as the CrowdStrike Falcon Sensor Driver, but proceeds to shut down core antivirus and EDR services. The tool systematically kills processes and stops services associated with major security vendors.


Targeted Security Solutions

Vendors affected by these attacks include:

  • Sophos
  • Microsoft Defender
  • SentinelOne
  • Kaspersky
  • Symantec
  • Trend Micro
  • McAfee
  • Cylance
  • Webroot
  • F-Secure
  • HitmanPro

Though each sample varies slightly in its configuration (e.g., targeted software or driver names), the presence of a shared packing mechanism (HeartCrypt) and consistent functionality points to a collaborative development effort rather than opportunistic reuse.


Shared Framework, Not Leaked Code

Sophos noted that this is not a case of a single leaked binary spreading among threat actors. Instead, the evidence indicates each group is using a unique build from a common proprietary toolkit. This form of code sharing and modular reuse is increasingly common among ransomware syndicates looking to streamline operations.


Trend Mirrors Previous Tool Sharing

This tactic is not isolated. Other tools like AuKill, used by Medusa Locker and LockBit, and FIN7’s AvNeutralizer, which was sold to multiple gangs including BlackCat, AvosLocker, and BlackBasta, follow similar patterns of reuse and collaborative tooling in the ransomware space.


What SOC Teams Need to Know

Security operations teams should treat this wave of EDR killer tools as a priority threat, especially given the speed and sophistication of the tactics involved. These tools bypass traditional user-space protections by abusing signed kernel-mode drivers, many of which originate from legitimate vendors but are either expired or stolen. SOC analysts should closely monitor for anomalous driver loading events, especially those tied to unsigned or improperly signed drivers using rare filenames. Emphasis should also be placed on kernel telemetry, driver validation policies, and lateral movement behaviors immediately following driver installation. Runtime obfuscation and process injection mean that static signatures will often fail, so behavioral analytics and memory inspection must become baseline components of detection strategy. Additionally, SOC teams should consider implementing driver blocklists via Windows Defender Application Control (WDAC) or equivalent kernel-level protections to prevent the loading of known malicious or legacy drivers.
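One way to turn the monitoring advice above into detection logic, as an added example that is not from the Sophos research or the original post: it scores driver-load events for the traits described (non-valid signature, five-character name, non-standard path) and correlates them with security-product service stops that follow within a short window. The telemetry shape, field names, vendor name list, and the sample driver name `xk7pq.sys` are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Service/process name fragments for the vendors the page lists (constructed list).
SECURITY_VENDORS = ("sophos", "sentinel", "msmpeng", "kaspersky", "symantec",
                    "trend", "mcafee", "cylance", "webroot", "f-secure", "hitmanpro")
STANDARD_DRIVER_DIR = r"c:\windows\system32\drivers"
RANDOM_NAME = re.compile(r"^[a-z0-9]{5}$", re.IGNORECASE)

def score_driver_load(ev):
    """Return the reasons a DriverLoad event looks like BYOVD staging (empty = benign)."""
    reasons = []
    path = ev["ImageLoaded"]
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if ev.get("SignatureStatus", "").lower() != "valid":       # expired / unsigned / revoked
        reasons.append("signature status " + str(ev.get("SignatureStatus")))
    if RANDOM_NAME.match(stem):                                  # rare five-character name
        reasons.append("five-character driver name " + stem)
    if not path.lower().startswith(STANDARD_DRIVER_DIR):         # loaded from outside drivers dir
        reasons.append("non-standard path " + path)
    return reasons

def correlate(events, window=timedelta(seconds=60)):
    """Pair each suspicious driver load with security-product stops that follow it inside `window`."""
    alerts = []
    stops = [e for e in events if e["Event"] in ("ServiceStop", "ProcessTerminate")]
    for ld in (e for e in events if e["Event"] == "DriverLoad"):
        reasons = score_driver_load(ld)
        if not reasons:
            continue
        hits = [s["Target"] for s in stops
                if ld["Time"] <= s["Time"] <= ld["Time"] + window
                and any(v in s["Target"].lower() for v in SECURITY_VENDORS)]
        if hits:
            alerts.append({"driver": ld["ImageLoaded"], "reasons": reasons, "killed": hits})
    return alerts

# Constructed sample telemetry (Sysmon-style DriverLoad plus service/process stop events).
T0 = datetime(2025, 8, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"Event": "DriverLoad", "Time": T0, "ImageLoaded": r"C:\Windows\System32\drivers\ksecdd.sys", "SignatureStatus": "Valid"},
    {"Event": "DriverLoad", "Time": T0 + timedelta(seconds=5), "ImageLoaded": r"C:\Users\Public\xk7pq.sys", "SignatureStatus": "Expired"},
    {"Event": "ServiceStop", "Time": T0 + timedelta(seconds=9), "Target": "SophosHealth"},
    {"Event": "ProcessTerminate", "Time": T0 + timedelta(seconds=10), "Target": "MsMpEng.exe"},
    {"Event": "ServiceStop", "Time": T0 + timedelta(seconds=400), "Target": "Spooler"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The name and path heuristics alone will flag some legitimate vendor drivers, so in practice the driver-load score should gate on the follow-on security-service stops, as `correlate` does, and be tuned against an allowlist of the fleet's known drivers.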


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.