EDR killers Archives

Winsage

November 4, 2025

Russian spies pack custom malware into hidden VMs on Windows

Bitdefender's senior security researcher, Victor Vrabie, reported that the Russian cyber group Curly COMrades is using Microsoft's Hyper-V hypervisor to conduct sophisticated attacks on compromised Windows machines. They create a concealed Alpine Linux-based virtual machine (VM) that bypasses traditional endpoint security, allowing prolonged access for espionage and malware deployment. This VM is lightweight, requiring only 120MB of disk space and 256MB of memory, and hosts a reverse shell called CurlyShell and a reverse proxy named CurlCat. The group's operations have targeted judicial and governmental institutions in Georgia and an energy company in Moldova. Their current campaign, starting in July, involved activating Hyper-V and downloading the VM with custom malware. The VM uses the Default Switch network adaptor, making malicious traffic appear to originate from the legitimate host's IP address. CurlyShell maintains root-level persistence and communicates with a command-and-control server over HTTPS, while CurlCat manages an SSH reverse proxy tunnel disguised as standard HTTP traffic. Additionally, two PowerShell scripts linked to the group enable remote authentication and establish persistent access across domain-joined machines. Vrabie highlighted the evolving tactics of cybercriminals to bypass endpoint detection and response (EDR) systems, emphasizing the need for a multi-layered security strategy.

Tech Optimizer

March 31, 2025

Ransomware crews add EDR killers to their arsenal

Antivirus and endpoint security tools are increasingly challenged by ransomware groups that use sophisticated strategies to disable defenses early in attacks. Cisco Talos reported that in nearly half of the ransomware incidents they handled in 2024, attackers successfully employed "EDR killers" to neutralize endpoint detection and response (EDR) systems, achieving success 48 percent of the time. Tools such as EDRSilencer, EDRSandblast, EDRKillShifter, and Terminator pose significant threats to organizational security. EDRKillShifter exploits vulnerable drivers on Windows machines to terminate EDR products, a tactic observed in operations by rival gangs like Medusa, BianLian, and Play. The primary goal of these tools is to disable EDR protections, allowing attackers to operate undetected, complicating system recovery efforts. Recovery often requires wiping and rebuilding entire networks if robust backups are available. Some EDR killers, like HRSword, are legitimate software tools misused by ransomware actors to disable endpoint protection systems. Attackers have exploited misconfigured systems, particularly EDR products set to audit-only mode, which detect but do not block malicious activity. LockBit has remained the most active ransomware-as-a-service group for the third consecutive year, accounting for 16 percent of claimed attacks in 2024. Newcomer RansomHub secured the second position with 11 percent of posts to leak sites. The effectiveness of law enforcement actions plays a significant role in shaping the ransomware landscape.