Skip to main content
Mallory
Back to malware
MalwareRansomwareUsed by 1 actor

KillAV

KillAV is a defense-evasion tool used to disable endpoint security software by deploying vulnerable kernel drivers as part of a Bring Your Own Vulnerable Driver (BYOVD) technique, enabling termination of antivirus/security processes.

It is repeatedly reported in intrusion chains associated with the Medusa ransomware operation (tracked by Symantec as Spearwing; also referred to as Storm-1175), where it is used in “almost all” observed Medusa attacks to help disable security controls prior to or during hands-on-keyboard activity, lateral movement, data exfiltration, and ransomware deployment.

KillAV is also reported in other campaigns using BYOVD for security-tool disruption, including:

  • Osiris ransomware activity (Nov 2025), where KillAV was used alongside the POORTRY/Abyssworker driver to disable security tools.
  • Jewelbug (aka REF7707 / CL-STA-0049 / Earth Alux) intrusions, where KillAV was used to disable security software, including in a Taiwanese software company intrusion that also involved BYOVD via EchoDrv.

No standalone delivery vector, specific vulnerable driver filenames/hashes, or unique network indicators for KillAV itself are provided in the content.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Spearwing

In almost all Medusa attacks, KillAV and associated vulnerable drivers are used... to disable security software... Dropping AVKiller and a driver...

via symantec blogsecurity.com
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Other

1 technique
T1562.001Disable or Modify ToolsEvidence3

Step 5 - Defense Evasion T1562.001... | Both PowerTool or KillAV tool abuses Zemana AntiMalware driver to terminate AV/EDR processes at kernel level... Disables Windows Defender via PowerShell

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
hash.sha256●●●●●●●●●●●●View more in app16 days ago
ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
security affairsNews
Jan 24, 2026
Osiris ransomware emerges, leveraging BYOVD technique to kill security tools

Tool used to disable/kill security software as part of the defensive evasion stage prior to ransomware deployment.

Read more
the hacker newsNews
Jan 22, 2026
New Osiris Ransomware Emerges as New Strain Using POORTRY Driver in BYOVD Attack

Tool used to deploy (typically) vulnerable drivers to terminate security processes as part of defense evasion in ransomware intrusions.

Read more
darktrace blogNews
Jan 8, 2026
Medusa Ransomware 2025: RMM Abuse in Ransomware Campaigns

Tool referenced as used to terminate/disable antivirus processes as part of Medusa-related intrusion activity (BYOVD/defense evasion).

Read more
the hacker newsNews
Oct 15, 2025
Chinese Threat Group 'Jewelbug' Quietly Infiltrated Russian IT Network for Months

Tool used to disable security software on compromised systems, facilitating further malicious activity.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.