EDRSandBlast
EDRSandBlast is an open-source EDR-killing and defense-evasion tool used to disable endpoint security products at the kernel level via bring-your-own-vulnerable-driver (BYOVD) techniques. The provided reporting states it has been used by multiple threat actors, including in Qilin ransomware intrusions and by Russian SVR/APT29 operators during post-exploitation of JetBrains TeamCity compromises. In observed Qilin activity, attackers deployed a legitimate signed Carbon Black Cloud Sensor executable (upd.exe) to sideload a malicious avupdate.dll, which decoded an XOR-encoded payload (web.dat) into a customized EDRSandBlast variant. That customized variant used the signed Toshiba driver TPwSav.sys rather than the tool’s more commonly associated vulnerable drivers, abused the driver’s arbitrary physical memory read/write capability, hijacked Beep.sys for arbitrary kernel memory access, and removed kernel callback routines and kernel event tracing used by EDR products. Reporting also notes EDRSandBlast can be used to disable or kill EDR/AV products and remove Protected Process Light (PPL) protections. Sophos reporting cited it as one of the most frequently seen EDR killer tools in 2024, appearing in waves of attempted ransomware attacks, with a notable peak around the U.S. Thanksgiving period. High-confidence observables directly tied to the described customized deployment include upd.exe, avupdate.dll, web.dat, and TPwSav.sys.
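As an added illustration (not Mallory's code and not EDRSandBlast's), the deployment chain summarized above correlated across constructed Sysmon-style events: the event schema, paths and host names are assumptions, and TPwSav.sys is treated as unexpected on the assumption that no Toshiba hardware in the fleet legitimately ships it.

```python
from collections import defaultdict

# Observables named in the summary above; the event shape is an assumed
# Sysmon-like schema (hypothetical), not Mallory's or any vendor's format.
SIDELOAD_HOST, SIDELOAD_DLL, PAYLOAD = "upd.exe", "avupdate.dll", "web.dat"
VULN_DRIVER = "tpwsav.sys"  # assumption: no host in the fleet needs this driver

SAMPLE_EVENTS = [  # constructed telemetry, not real captures
    {"host": "ws01", "event": "ImageLoad", "image": r"C:\ProgramData\cb\upd.exe",
     "loaded": r"C:\ProgramData\cb\avupdate.dll"},
    {"host": "ws01", "event": "FileCreate", "image": r"C:\ProgramData\cb\upd.exe",
     "target": r"C:\ProgramData\cb\web.dat"},
    {"host": "ws01", "event": "DriverLoad", "image": r"C:\ProgramData\cb\TPwSav.sys"},
    {"host": "ws02", "event": "ImageLoad", "image": r"C:\Program Files\Vendor\upd.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"host": "ws02", "event": "DriverLoad", "image": r"C:\Windows\System32\drivers\Beep.sys"},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def dirname(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()

def analyze(events):
    """Return {host: {"stages": set, "verdict": str}} for hosts with any hit."""
    hits = defaultdict(set)
    for e in events:
        img = e["image"]
        if (e["event"] == "ImageLoad" and basename(img) == SIDELOAD_HOST
                and basename(e["loaded"]) == SIDELOAD_DLL
                and dirname(e["loaded"]) == dirname(img)):
            hits[e["host"]].add("sideload")  # DLL loaded from the host binary's own directory
        elif e["event"] == "FileCreate" and basename(e["target"]) == PAYLOAD:
            hits[e["host"]].add("payload")   # XOR-encoded stage written beside the loader
        elif e["event"] == "DriverLoad" and basename(img) == VULN_DRIVER:
            hits[e["host"]].add("byovd")     # vulnerable signed driver brought onto the box
        # Beep.sys is a legitimate Windows driver; its load alone is not flagged
    out = {}
    for host, stages in hits.items():
        verdict = "edrsandblast-chain" if {"sideload", "byovd"} <= stages else "partial"
        out[host] = {"stages": stages, "verdict": verdict}
    return out

if __name__ == "__main__":
    for host, r in analyze(SAMPLE_EVENTS).items():
        print(host, r["verdict"], sorted(r["stages"]))
```

The Beep.sys hijack is deliberately not a signal on its own, since the driver is a normal Windows component; the sideload plus the vulnerable-driver load is what carries the verdict.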
Groups observed using it
2 distinct threat actors attributed by public researchers.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 1 technique
Privilege Escalation: 1 technique
"the threat actor (TA) opted to use a driver named TPwSav.sys... making it an attractive choice for bypassing EDR protections through a bring-your-own-vulnerable-driver (BYOVD) attack."
Stealth: 3 techniques
"T1014: Rootkit" and tools/drivers listed (e.g., YDArk; vulnerable drivers used for BYOVD).
"The decoded PE is a customized variant of the tool EDRSandblast, designed to disable EDR products at the kernel level by exploiting a vulnerable signed driver."
Defense Impairment: 1 technique
"Weaponizes a vulnerable signed driver ... abuses the Process Explorer (ProcExp) driver (Microsoft-signed)"
Credential Access: 1 technique
"EDRSandblast ... bypass and dumping of LSASS protection (RunAsPPL/Credential Guard)"
Other: 2 techniques
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
EDRSandBlast is a malware tool designed to disable endpoint detection and response (EDR) software, facilitating ransomware deployment by attackers.
EDRSandblast is an EDR-disabling tool used to tamper with kernel structures and neutralize endpoint protections. In this case it was customized to use the TPwSav.sys vulnerable driver, hijack Beep.sys, and perform arbitrary kernel memory read/write to remove callbacks and event tracing.
Tool that weaponizes a vulnerable signed driver (BYOVD) to bypass/disable EDR protections; used by Qilin operators via DLL sideloading.
Tool that weaponizes a vulnerable signed driver (BYOVD) to impair/bypass EDR protections; described as deployed by Qilin via DLL sideloading.