In today’s multi-stage attacks, neutralizing endpoint security solutions is a critical step in the process, allowing threat actors to operate undetected. Since 2022, we’ve seen an increase in the sophistication of malware designed to disable EDR systems on an infected system.
Some of these tools are developed by ransomware groups. Others are purchased from underground marketplaces – evidence of this was found in the leaked chat logs of the Black Basta group. In many cases, packer-as-a-service offerings such as HeartCrypt are used to obfuscate the tools.
EDRKillShifter was created by the RansomHub group and later made obsolete by a new tool, which will be detailed in this post. In addition, we’ll look at the evidence for tool sharing and technical knowledge transfer among ransomware groups using different builds of the described tool.
AVKiller
We will focus first on one specific payload, an AV killer tool, found among the thousands of payloads in the HeartCrypt packed samples. In multiple cases, the detection of this tool occurred during an ongoing ransomware attack. Other defenders have seen evidence of this tool, notably Cylerian, as shown in Figure 1. There is possible evidence of an early version detailed in a Palo Alto Networks post from January 2024.
Figure 1: Cylerian notes activity attributable to the tool in question
In one particular example we observed the EDR killer file uA8s.exe (SHA-1: 2bc75023f6a4c50b21eb54d1394a7b8417608728) was created by inserting malicious content into the Clipboard Compare tool in Beyond Compare, a legitimate utility from Scooter Software. (We alerted Scooter Software to the abuse prior to publication of this post, and they confirmed to us that their installer, executables, and DLL are all code-signed.) The loader code was injected near the entry point, and the malicious payload and additional loader components were inserted as resources. Upon execution, the payload decodes itself – it is, in fact, a heavily protected executable. The substantial protection on the executable is among five significant characteristics we noted about it:
- The code is heavily protected.
- It looks for a driver with a five-letter random name.
- The driver is signed with a compromised certificate.
- It targets multiple security vendors.
- The list of targets varies among samples.
The memory dump reveals the executable to be an AV killer, which in this specific case targets Sophos products.
Figure 2: An excerpt from the memory dump, showing Sophos products being targeted
There are many different versions of this tool. The actual list of targeted security products varies widely between them — sometimes only one or two are specifically targeted, other times a larger list:
Figure 3: A further excerpt from the memory dump, showing other products the tool targets
It also attempts to kill processes such as MsMpEng.exe, SophosHealth.exe, SAVService.exe, and sophosui.exe:
Figure 4: A list of processes targeted by the tool
We noted a long list of security products targeted by one or another version of the killer:
- Bitdefender
- Cylance
- Eset
- F-Secure
- Fortinet
- HitManPro
- Kaspersky
- McAfee
- Microsoft
- SentinelOne
- Sophos
- Symantec
- Trend Micro
- Webroot
The file searches for a driver file mraml.sys (the one we observed had a hash of SHA-1: 21a9ca6028992828c9c360d752cb033603a2fd93). When it finds it, it loads the driver and terminates the processes and services from the target list. The name of the SYS file is hardcoded into the executable. It is apparently random and different in each sample.
Figure 5: Functions in the tool
If the SYS file is not present, the executable does not proceed and throws the error “Failed to get device”, but it still creates a service named mraml.exe. The service name appears to be derived from the driver file name.
The SYS file that we recovered has fake file version information. It pretends to be a CrowdStrike Falcon Sensor Driver, but the file is signed by Changsha Hengxiang Information Technology Co., Ltd. The signing certificate is a known abused one, as shown in Figures 6 and 7.
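The behaviour described above (a kernel driver with a random five-letter name, dropped into a user-writable directory, signed with a revoked or expired certificate, and paired with a service of the same name) gives a defender several weak signals that become strong in combination. The following is an added example, not code from Sophos or from the tool itself, of a scoring rule over driver-load and service-install telemetry. The `Event` record, its field names, the `USER_WRITABLE` list, the two-signal threshold and the sample telemetry are all my own constructions; only the signer names and the five-letter naming pattern come from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed event record, loosely modelled on a driver-load telemetry event and a
# "service installed" (System log 7045-style) event. Field names are assumptions.
@dataclass
class Event:
    host: str
    kind: str                 # "driver_load" or "service_install"
    path: str                 # image path of the driver or service binary
    signer: str = ""          # subject name from the Authenticode signature
    sig_status: str = ""      # "Valid", "Revoked", "Expired" or "" when unknown
    service_name: str = ""    # only meaningful for service_install events

# Five lowercase letters, the pattern of the names seen in the post (mraml, zsogd, noedt).
FIVE_LETTER = re.compile(r"^[a-z]{5}$")

# Locations a kernel driver should never be loaded from (assumed list).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\", "c:\\windows\\temp\\")

# Signers named in the post whose certificates are revoked/expired and known abused.
ABUSED_SIGNERS = {
    "changsha hengxiang information technology co., ltd.",
    "fuzhou dingxin trade co., ltd.",
}

def base_name(path: str) -> str:
    """Lower-case file name without directory or extension ('C:\\x\\Zsogd.sys' -> 'zsogd')."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0] if "." in name else name

def driver_indicators(ev: Event) -> List[str]:
    """Independent reasons to distrust one driver-load event; each is weak on its own."""
    reasons: List[str] = []
    low = ev.path.lower()
    if ev.kind != "driver_load" or not low.endswith(".sys"):
        return reasons
    if FIVE_LETTER.match(base_name(low)):
        reasons.append("five-letter random driver name")
    if low.startswith(USER_WRITABLE):
        reasons.append("driver loaded from a user-writable directory")
    if ev.signer.strip().lower() in ABUSED_SIGNERS:
        reasons.append("signer on the abused-certificate list")
    if ev.sig_status.lower() in ("revoked", "expired"):
        reasons.append(f"signature status is {ev.sig_status}")
    return reasons

def paired_service(driver: Event, events: List[Event]) -> Optional[str]:
    """Service installed on the same host whose name shares the driver's base name."""
    want = base_name(driver.path)
    for ev in events:
        if (ev.kind == "service_install" and ev.host == driver.host
                and base_name(ev.service_name) == want):
            return ev.service_name
    return None

def analyse(events: List[Event], min_reasons: int = 2) -> List[Tuple[str, str, List[str]]]:
    """Return (host, driver path, reasons) for driver loads with at least min_reasons signals."""
    alerts = []
    for ev in events:
        if ev.kind != "driver_load":
            continue
        reasons = driver_indicators(ev)
        svc = paired_service(ev, events)
        if svc:
            reasons.append(f"service '{svc}' installed with matching name")
        if len(reasons) >= min_reasons:
            alerts.append((ev.host, ev.path, reasons))
    return alerts

# Constructed sample telemetry: an infected host, a clean host, and a driver-only host.
SAMPLE_EVENTS = [
    Event("WS01", "driver_load", "C:\\Users\\alice\\Desktop\\zsogd.sys",
          signer="Changsha Hengxiang Information Technology Co., Ltd.", sig_status="Revoked"),
    Event("WS01", "service_install", "C:\\Users\\alice\\Desktop\\zsogd.sys", service_name="zsogd.exe"),
    Event("WS02", "driver_load", "C:\\Windows\\System32\\drivers\\storahci.sys",
          signer="Microsoft Windows", sig_status="Valid"),
    Event("WS02", "driver_load", "C:\\Windows\\System32\\drivers\\tcpip.sys",
          signer="Microsoft Windows", sig_status="Valid"),   # five letters, nothing else
    Event("WS03", "driver_load", "C:\\ProgramData\\noedt.sys",
          signer="Fuzhou Dingxin Trade Co., Ltd.", sig_status="Expired"),
]

if __name__ == "__main__":
    for host, path, reasons in analyse(SAMPLE_EVENTS):
        print(f"{host}: {path}")
        for r in reasons:
            print(f"    - {r}")
```

The name-length rule alone is noisy (the legitimate tcpip.sys in the sample also has five lowercase letters), which is why the rule only alerts when two or more independent signals coincide; the signer and certificate-status checks assume the telemetry source already parsed the Authenticode signature.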
Figure 6: The details of the digital signature shows that it is known to be abused (and revoked)
Figure 7: The certificate is revoked and has not been valid since 2016
The drivers signed by this certificate were called out on X earlier this year and tagged as ransomware-related, as shown in Figure 8.
Figure 8: The @threatintel tweet identifying the drivers as bad
The latest variant of the killer uses a different signature on the driver file, this time from Fuzhou Dingxin Trade Co., Ltd. This certificate is also expired, as shown in Figure 9.
Figure 9: Signing information on the Fuzhou Dingxin Trade certificate, invalid since 2012
Files signed with the same certificate, almost all of them submitted from China or Hong Kong, were without exception malicious; they were uploaded to VirusTotal between December 2024 and March 2025.
Ransomware connection
The HeartCrypt-packed EDR killer tools were observed to be used in ransomware attacks. In fact, multiple ransomware families were sighted together with the killer.
Typical use case
In a typical attack scenario, we observed the attempted execution of the HeartCrypt-packed dropper. It would drop a heavily protected EDR killer executable, which in turn loads a driver signed with a compromised certificate.
The execution attempt is usually blocked with one of the Mal/HCrypt-, Troj/HCrypt-, or Mal/Isher-Gen generic static detections. In other cases, our dynamic protection mitigations, such as SysCall, DynamicShellcode, or HollowProcess, block the execution.
Malware name: Mal/HCrypt-A
Name: c:\users\{}\desktop\vp4n.exe
"sha256" : "c793304fabb09bb631610f17097b2420ee0209bab87bb2e6811d24b252a1b05d",
Additionally, we saw that the EDR killer executable attempted to load the coupled driver:
Malware name: Mal/Isher-Gen
Name: c:\users\{}\desktop\zsogd.sys
Shortly after the EDR killer attempt, we observed the following ransomware alert:
Mitigation CryptoGuard V5
Policy CryptoGuard
Timestamp 2025-01-20T11:59:18
Path: C:\FoPefI.ex
Hash: e1ed281c521ad72484c7e5e74e50572b48ea945543c6bcbd480f698c2812cdfe
Ransom note: README_0416f0.txt
Appended file extension: .0416f0
The process trace:
1 C:\FoPefI.exe [64500] C:\FoPefI.exe -only-local -pass b65{redacted}a64
2 C:\Windows\System32\services.exe [1004] *
3 C:\Windows\System32\wininit.exe [900] * wininit.exe
The ransomware in this case was RansomHub.
We have observed the same sequence of events (EDR Killer -> ransomware) with the following ransomware families:
- Blacksuit
- RansomHub
- Medusa
- Qilin
- Dragonforce
- Crytox
- Lynx
- INC
…which is an impressive list of competing threat actor groups.
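The sequence described here (a killer-stage detection followed shortly afterwards on the same host by a ransomware-stage alert) is itself a detectable pattern. The following is an added example, not Sophos code, of a small correlation routine that pairs the two stages per host within a time window. The detection names are the ones quoted in this post; the hostnames, the alert record layout, the 12-hour default window and the sample alert list are constructed, and the killer-stage timestamps on WS01 are invented to sit a couple of minutes before the CryptoGuard alert the post quotes.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Detections this post associates with the packed EDR killer running ...
KILLER_STAGE = ("Mal/HCrypt-", "Troj/HCrypt-", "Mal/Isher-Gen",
                "SysCall", "DynamicShellcode", "HollowProcess")
# ... and detections that fire once the ransomware itself is running.
RANSOM_STAGE = ("CryptoGuard", "Troj/Inc-Gen", "Mal/Medusa-C")

def stage_of(detection: str) -> str:
    """Classify a detection name by prefix into 'killer', 'ransomware' or 'other'."""
    if detection.startswith(KILLER_STAGE):
        return "killer"
    if detection.startswith(RANSOM_STAGE):
        return "ransomware"
    return "other"

def parse_ts(text: str) -> datetime:
    """Accept both '2025-06-04T04:32:33.000Z' and '2025-06-04T04:32:33' (all treated as UTC)."""
    return datetime.fromisoformat(text.rstrip("Z"))

def correlate(alerts: List[Dict[str, str]], window_hours: float = 12) -> List[dict]:
    """Per host, pair each ransomware-stage alert with the killer-stage alerts that preceded it
    within window_hours; a ransomware alert closes the current sequence either way."""
    window = timedelta(hours=window_hours)
    by_host: Dict[str, List[dict]] = {}
    for a in sorted(alerts, key=lambda a: parse_ts(a["ts"])):
        by_host.setdefault(a["host"], []).append(a)
    chains = []
    for host, evs in by_host.items():
        pending: List[dict] = []      # killer-stage alerts not yet explained by a ransomware alert
        for a in evs:
            now = parse_ts(a["ts"])
            s = stage_of(a["detection"])
            if s == "killer":
                pending.append(a)
            elif s == "ransomware":
                earlier = [k for k in pending if now - parse_ts(k["ts"]) <= window]
                if earlier:
                    chains.append({
                        "host": host,
                        "killer_alerts": [k["detection"] for k in earlier],
                        "ransomware_alert": a["detection"],
                        "lead_time": now - parse_ts(earlier[0]["ts"]),
                    })
                pending = []
    return chains

# Constructed alert stream. WS01 mirrors the RansomHub case above, WS07 the INC case
# later in the post; WS12 has ransomware with no prior killer, WS15 a killer three days early.
SAMPLE_ALERTS = [
    {"host": "WS01", "ts": "2025-01-20T11:57:02", "detection": "Mal/HCrypt-A",
     "path": "c:\\users\\{}\\desktop\\vp4n.exe"},
    {"host": "WS01", "ts": "2025-01-20T11:58:10", "detection": "Mal/Isher-Gen",
     "path": "c:\\users\\{}\\desktop\\zsogd.sys"},
    {"host": "WS01", "ts": "2025-01-20T11:59:18", "detection": "CryptoGuard", "path": "C:\\FoPefI.exe"},
    {"host": "WS07", "ts": "2025-06-03T21:11:12", "detection": "HollowProcess", "path": "C:\\ProgramData\\CSd2.exe"},
    {"host": "WS07", "ts": "2025-06-04T04:13:52", "detection": "CryptoGuard", "path": ""},
    {"host": "WS07", "ts": "2025-06-04T04:32:33.000Z", "detection": "Troj/Inc-Gen", "path": "c:\\programdata\\1.exe"},
    {"host": "WS12", "ts": "2025-03-02T08:00:00", "detection": "CryptoGuard", "path": "C:\\Users\\bob\\x.exe"},
    {"host": "WS15", "ts": "2025-02-01T09:00:00", "detection": "Mal/HCrypt-A", "path": "C:\\Temp\\k.exe"},
    {"host": "WS15", "ts": "2025-02-04T09:00:00", "detection": "CryptoGuard", "path": "C:\\Temp\\r.exe"},
]

if __name__ == "__main__":
    for c in correlate(SAMPLE_ALERTS):
        print(f"{c['host']}: {c['killer_alerts']} -> {c['ransomware_alert']} after {c['lead_time']}")
```

The point of the lead-time figure is operational: on WS01 the killer-stage alerts arrive only about two minutes before encryption starts, so a blocked HCrypt or Isher-Gen detection should be treated as an active intrusion rather than a routine quarantine, not queued for next-day review.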
MedusaLocker
This was a particularly interesting case worth specific mention, because we think the threat actor used a zero-day RCE in SimpleHelp to gain initial access.
Here we see a DynamicShellcode alert:
Mitigation DynamicShellcode
Policy HeapHeapHooray
Timestamp 2025-01-22T09:53:42
Name: Setup/Uninstall
Path: c:\temp\6Vwq.exe
SHA-256 43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98
SHA-1 d58dade6ea03af145d29d896f56b2063e2b078a4
MD5 b59d7c331e96be96bcfa2633b5f32f2c
The process trace revealed that the malicious killer was executed from the JWrapper-Remote Access component of SimpleHelp:
1 C:\temp\6Vwq.exe [13296]
2 C:\Windows\System32\cmd.exe [16536] * cmd.exe /c start c:\temp\6Vwq.exe
3 C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00000000000-complete\bin\Remote Access.exe [7864] * "C:\ProgramData\JWrapper-Remote Access\JWrapper-Windows64JRE-00000000000-complete\bin\Remote Access.exe" "-cp" "C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00056451424-complete\customer.jar;C:\ProgramData\JWrapper-Remote Access\JWrapper-Re
The process trace indicates that the initial infection could be related to the zero-day RCE exploits discussed by Horizon3.ai in January 2025.
The SHA256 hash in the DynamicShellcode alert shown above, 43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98, was later found on VT. It is packed with HeartCrypt. The extracted payload has the hash: a44aa98dd837010265e4af1782b57989de07949f0c704a6325f75af956cc85de.
We saw the same AV Killer again. It specifically targets products from six companies: Eset, Symantec, Sophos, HitManPro, Webroot, and Kaspersky. This was followed by the use of a file previously identified as Medusa ransomware:
2025-01-22 10:04:12 Mal/Medusa-C/Windows/Temp/MilanoSoftware.exe "hash": "3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da",
INC
A June 2025 case was of special interest, because the EDR killer was seen using an additional layer of packing. This additional layer looks like an updated version of the packer we described in our Impersonators paper at last year’s Virus Bulletin conference. In this case, the threat actor used two different packer-as-a-service offerings for layered protection.
CryptoGuard flagged the ransomware:
Mitigation CryptoGuard V5
Policy CryptoGuard
Timestamp 2025-06-04T04:13:52
Ransom note: README.txt
It was identified as INC ransomware:
Malware name: Troj/Inc-Gen
Beacon time: 2025-06-04T04:32:33.000Z
Name: c:\programdata\1.exe
"sha256" : "e5e418da909f73050b0b38676f93ca8f0551981894e2120fb50e8f03f4e2df4f",
Before that point, we observed execution attempts by the EDR killer:
Mitigation HollowProcess
Policy HollowProcessGuard
Timestamp 2025-06-03T21:11:12
Name: AVG Dump Process 25.5.10141.0
Path: C:\ProgramData\CSd2.exe
Hash: ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151
Here, the killer loads the driver:
"path" : "c:\\programdata\\noedt.sys",
"sha256" : "6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be",
The file (ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151) had the payload stored as a resource, with XOR encryption.
The extracted payload was a file with SHA256 value 61557a55ad40b8c40f363c4760033ef3f4178bf92ce0db657003e718dffd25bd that had embedded executables, one of them being 597d4011deb4f08540e10d1419b5cbdfb38506ed53a5c0ccfb12f96c74f4a7a1, which turned out to be a HeartCrypt-packed EDR killer used in earlier INC ransomware incidents.
It loads the driver noedt.sys (SHA256: 6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be), which was also seen in an earlier INC incident.
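The two unpacking steps described above (a payload stored as an XOR-encrypted resource, and a decoded payload that itself carries embedded executables) are routine analyst work that is worth showing concretely. The following is an added example, not Sophos code and not the packer's own logic, of recovering a single-byte XOR key by validating the DOS/PE header structure, then locating every embedded PE image inside the decoded buffer. The post does not state the key length used by this packer, so single-byte XOR is an assumption made for the illustration; the sample "PE files" are constructed stubs that carry only the header fields the checks look at, and `build_fake_pe`, `SAMPLE_KEY` and the other sample names are mine.

```python
import struct
from typing import List, Optional, Tuple

def looks_like_pe(data: bytes, off: int = 0) -> bool:
    """True if data[off:] starts with a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    if not 0x40 <= e_lfanew <= 0x1000:          # sane header distance; rejects stray 'MZ' pairs
        return False
    pe = off + e_lfanew
    return data[pe:pe + 4] == b"PE\x00\x00"

def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)

def recover_single_byte_xor(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Try all 256 keys; return (key, decoded) for the first decode with a valid PE header."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None

def find_embedded_pes(data: bytes) -> List[int]:
    """Offsets of every PE image inside data, including the outer one at offset 0."""
    hits = []
    off = data.find(b"MZ")
    while off != -1:
        if looks_like_pe(data, off):
            hits.append(off)
        off = data.find(b"MZ", off + 1)
    return hits

def carve(data: bytes, off: int) -> bytes:
    """Bytes from one embedded PE header up to the next embedded header (or end of data).
    A real carver would use the section table to find the exact image size."""
    later = [o for o in find_embedded_pes(data) if o > off]
    return data[off:later[0]] if later else data[off:]

# --- constructed sample data: stand-in PE files with only the checked header fields ---
def build_fake_pe(tag: bytes) -> bytes:
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)     # e_lfanew -> directly after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + tag

OUTER = build_fake_pe(b"outer-loader")
INNER_A = build_fake_pe(b"embedded-edr-killer")
INNER_B = build_fake_pe(b"embedded-driver")
SAMPLE_PAYLOAD = OUTER + b"\x00" * 16 + INNER_A + b"\x00" * 16 + INNER_B
SAMPLE_KEY = 0x5A                                          # constructed key
SAMPLE_RESOURCE = xor_bytes(SAMPLE_PAYLOAD, SAMPLE_KEY)    # what the resource would hold on disk

if __name__ == "__main__":
    key, payload = recover_single_byte_xor(SAMPLE_RESOURCE)
    print(f"key=0x{key:02x}, embedded PE offsets={find_embedded_pes(payload)}")
```

Validating through e_lfanew rather than just looking for "MZ" matters because a wrong key can easily produce a stray "MZ" pair; requiring the DOS header to point at a real "PE\0\0" signature makes a false positive very unlikely. For a multi-byte key the same validation still works, but the search space grows and a known-plaintext approach (the DOS stub text is a common anchor) replaces brute force.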
Perhaps the most concerning aspect of this investigation is the evidence suggesting tool sharing and technical knowledge transfer between competing ransomware groups (RansomHub, Qilin, DragonForce, and INC, to name just a few). Even though these groups are competitors and have different business and affiliate models, there appears to be information/tool leakage between them.
To be clear, it’s not that a single binary of the EDR killer leaked out and was shared between threat actors. Instead, each attack used a different build of the proprietary tool. In addition, all variants were then packed with the subscription-based HeartCrypt packer-as-a-service. This may therefore be at least somewhat coordinated. It may be that information about the availability and feasibility of using HeartCrypt for this purpose was communicated in channels built for this kind of sharing — though perhaps all those ransomware groups coincidentally chose to purchase the very same off-the-shelf EDR-killer.
Information about similar sharing/leakage was recently published by Eset researchers, and our own findings as detailed here support the same conclusion. This suggests that the ransomware ecosystem is more complicated than a collection of competing and fighting ransomware groups – yet another headache for defenders.
IOCs related to this article are available in our GitHub repository.