POORTRY
Poortry is a malicious Windows kernel-mode driver used primarily for defense evasion via Bring Your Own Vulnerable Driver (BYOVD) tradecraft. It is also referred to as BurntCigar, and some reporting additionally associates it with the name Abyssworker. Public reporting describes it as a signed malicious driver, including variants signed through Microsoft’s WHQL process, that is commonly deployed with the STONESTOP userland loader/orchestrator. Poortry exposes an IOCTL interface used to tamper with processes; reported capabilities include terminating, suspending, and resuming processes, especially antivirus and EDR agents, and later versions added file deletion and overwrite functionality. SentinelOne reported multiple versions of the POORTRY/STONESTOP toolkit, including handshake-based authentication between STONESTOP and the driver, and documented IOCTLs used for process termination and file tampering. The malware has been observed or reported in intrusions affecting telecommunications, BPO, MSSP, financial services, entertainment, transportation, cryptocurrency, and medical-sector organizations. It has been linked in reporting to multiple threat actors and ransomware operations, including Scattered Spider, Akira affiliates, ALPHV/BlackCat affiliates, Medusa-related activity, and Osiris intrusions. Reported use cases center on disabling endpoint protection from the kernel level to evade detection and facilitate follow-on actions such as ransomware deployment, SIM-swapping-related intrusions, and data theft. In some incidents, Poortry was disguised as a Malwarebytes component. High-confidence behavioral details from reporting include use alongside STONESTOP, termination of selected Windows processes such as EDR agents, abuse of signed-driver trust, and BYOVD-based impairment of security controls.
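As an added example (not code from the page or from any vendor), the following Python check correlates a kernel-driver load with terminations of endpoint-protection processes shortly afterwards, which is the behaviour the reporting above attributes to POORTRY. Because the page notes WHQL-signed variants, a valid signature is recorded but never used to suppress the alert; the event format, agent names, file paths and 120-second window are constructed assumptions.

```python
# Added example: correlate a driver load with follow-on kills of security agents.
# Event lines are constructed and loosely modelled on Sysmon Event ID 6 (DriverLoad)
# and Event ID 5 (ProcessTerminate). Agent names and the window are assumptions.
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SECURITY_AGENTS = {"msmpeng.exe", "sentinelagent.exe", "mbamservice.exe"}  # assumed
WINDOW = timedelta(seconds=120)

# Constructed log: "<timestamp>|<event>|<image path>|<signature status>"
SAMPLE_LOG = """\
2024-05-01T10:00:00|DriverLoad|C:\\Windows\\System32\\drivers\\ndis.sys|Valid
2024-05-01T10:05:00|DriverLoad|C:\\Users\\Public\\placeholder_driver.sys|Valid
2024-05-01T10:05:04|ProcessTerminate|C:\\Program Files\\Windows Defender\\MsMpEng.exe|
2024-05-01T10:05:09|ProcessTerminate|C:\\Program Files\\SentinelOne\\SentinelAgent.exe|
2024-05-01T10:05:20|ProcessTerminate|C:\\Windows\\System32\\notepad.exe|
2024-05-01T10:30:00|ProcessTerminate|C:\\Program Files\\Malwarebytes\\MBAMService.exe|
"""

def parse(line):
    """Split one constructed log line into a dict with a lower-cased image name."""
    ts, kind, image, sig = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "image": image,
            "name": PureWindowsPath(image).name.lower(), "sig": sig}

def correlate(log):
    """Return one alert per driver load followed by agent kills inside WINDOW."""
    events = sorted((parse(l) for l in log.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    for i, drv in enumerate(events):
        if drv["kind"] != "DriverLoad":
            continue
        killed = [e["name"] for e in events[i + 1:]
                  if e["kind"] == "ProcessTerminate"
                  and e["ts"] - drv["ts"] <= WINDOW
                  and e["name"] in SECURITY_AGENTS]
        if killed:
            # Signature status is reported for the analyst but does not suppress
            # the alert: a "Valid" (even WHQL) signature is not an allowlist here.
            alerts.append({"driver": drv["image"], "signature": drv["sig"],
                           "killed": killed})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The benign ndis.sys load produces no alert because no watched agent exits within the window, while the later kill of MBAMService.exe falls outside it and is deliberately not attributed to the placeholder driver.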
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
"Scattered Spider uses POORTRY and STONESTOP to terminate security software and evade detection. POORTRY is a malicious driver used to terminate selected processes on Windows systems, e.g., Endpoint Detection and Response (EDR) agent on an endpoint."
Groups observed using it
3 distinct threat actors attributed by public researchers.
...install a malicious signed driver dubbed ‘POORTRY’, which is designed to terminate processes associated with security software and to delete files as part of a Bring Your Own Vulnerable Driver (BYOVD) attack.
"Scattered Spider uses POORTRY and STONESTOP to terminate security software and evade detection. POORTRY is a malicious driver used to terminate selected processes on Windows systems, e.g., Endpoint Detection and Response (EDR) agent on an endpoint."
The attackers used the known POORTRY driver... for the purposes of killing security software during this attack
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
MITRE ATT&CK list includes "T1195.002: Compromise Software Supply Chain" and the text discusses malicious drivers certified via Microsoft’s Windows Hardware Developer Program.
Execution (1 technique)
Privilege Escalation (1 technique)
...use a loader named ‘STONESTOP’ to install a malicious signed driver dubbed ‘POORTRY’, which is designed to terminate processes associated with security software and to delete files as part of a Bring Your Own Vulnerable Driver (BYOVD) attack.
Stealth (3 techniques)
The second version was VMProtected and signed through the WHQL signing process. The third version was also signed through the WHQL signing process, but was protected with an unidentified packer.
Additional functionality in the 3rd version of the toolkit includes the ability to tamper with files... The 3rd version of POORTRY offers functionality to delete files from disk.
SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions... a threat actor utilizing a Microsoft signed malicious driver to attempt evasion of multiple security products.
Defense Impairment (1 technique)
"...use of attestation signing to sign malware..." and "attackers have signed POORTRY driver with a Microsoft Windows Hardware Compatibility Authenticode signature."; the ATT&CK list also includes "T1553.002".
Impact (1 technique)
The file-tampering functionality features the capability to overwrite files... IOCTL 0x22218c: used to overwrite target files.
Other (2 techniques)
Recent activity
23 sources tracked across advisories, community write-ups, and news.
Driver used in BYOVD attacks to disarm security tools in conjunction with the Osiris ransomware operation.
BYOVD-associated defense-evasion tool referenced as commonly used by ransomware groups to disable security products prior to encryption.
A malicious driver, also called BurntCigar, often used with the Stonestop loader; unlike many drivers, it may have been developed by attackers and successfully signed.
Custom malicious Windows driver used to disable/impair security tooling (masquerading as Malwarebytes) as part of the Osiris ransomware intrusion chain.