
MS4Killer

MS4Killer is a Rust-based endpoint detection and response (EDR) killer associated with the Embargo ransomware operation. ESET documented it in 2024 and named it for its similarities to the publicly available s4killer proof of concept; reporting states it was implemented by modifying or drawing inspiration from that PoC. MS4Killer is part of Embargo’s Rust-written toolchain alongside the MDeployer loader and the Embargo ransomware payload.

Its primary role is defense evasion prior to ransomware execution. Embargo has used MS4Killer to deliver a vulnerable driver in a Bring Your Own Vulnerable Driver (BYOVD) attack, specifically probmon.sys version 3.0.0.4, signed with a revoked certificate from ITM System Co., LTD. MS4Killer performs process discovery, captures snapshots of active processes via CreateToolHelp32Snapshot(), enumerates active services via OpenSCManagerW() and EnumServicesStatusExW(), and terminates targeted processes and services based on hardcoded lists, including an embedded XOR-encrypted list of security software processes. Reporting states it was used to terminate security products including SentinelOne, Cylance, ESET, Defender, Bitdefender, Kaspersky, and Webroot. One source also states MS4Killer is custom-compiled for each victim environment to disable selected security solutions.

Within Embargo intrusions, MDeployer decrypts and launches the MS4Killer payload, identified as b.cache, and the Embargo ransomware executable, identified as a.cache, using a hardcoded RC4 key. Related activity includes use of the hardcoded mutex names IntoTheFloodAgainSameOldTrip and LoadUpOnGunsBringYourFriends. MS4Killer has been used together with other Embargo tradecraft such as Safe Mode abuse, registry modification, BAT scripts to weaken defenses, and subsequent ransomware deployment. After execution, MDeployer has been observed terminating the MS4Killer process, deleting decrypted payload files and the dropped driver, and rebooting the system.

MS4Killer is directly tied in the provided reporting to Embargo, also tracked as Storm-0501 in broader campaign reporting, and is used in attacks that culminate in double-extortion ransomware deployment against victim organizations, including notable targeting of U.S. organizations and sectors such as healthcare, technology, business services, and manufacturing.
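The indicators the reporting above gives for this toolchain (the probmon.sys driver and its ITM System Co., LTD signer, the two mutex names, and the a.cache/b.cache payload files) can be turned into a small hunt. The following is an added example, not Mallory's or ESET's code; the Sysmon-style field names, the "mutant" record type and all file paths are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

# Indicators from the reporting above: BYOVD driver/signer, Embargo mutex names, staged payloads.
BYOVD_DRIVER = "probmon.sys"
BYOVD_SIGNER = "itm system co., ltd"
EMBARGO_MUTEXES = {"IntoTheFloodAgainSameOldTrip", "LoadUpOnGunsBringYourFriends"}
STAGED_PAYLOADS = {"a.cache", "b.cache"}

@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: dict) -> list:
    """Evaluate one Sysmon-style event dict (field names are assumptions) against the indicators."""
    found = []
    eid = ev.get("EventID")
    if eid == 6:  # Sysmon DriverLoad
        name = _basename(ev.get("ImageLoaded", ""))
        signer = ev.get("Signature", "")
        status = ev.get("SignatureStatus", "").lower()
        if name == BYOVD_DRIVER or signer.lower() == BYOVD_SIGNER:
            found.append(Finding("byovd_probmon_load", f"{name} signed by {signer} ({status})"))
        elif status == "revoked":  # other revoked-signature drivers are still worth triage
            found.append(Finding("revoked_driver_signature", name))
    elif eid == 1:  # Sysmon ProcessCreate: MDeployer launching a decrypted .cache payload
        image = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "").lower()
        hits = {p for p in STAGED_PAYLOADS if p == image or p in cmd}
        if hits:
            found.append(Finding("embargo_staged_payload", ",".join(sorted(hits))))
    elif eid == "mutant":  # constructed record type: mutant names from a handle/memory dump
        hits = EMBARGO_MUTEXES & set(ev.get("Mutants", []))
        if hits:
            found.append(Finding("embargo_mutex", ",".join(sorted(hits))))
    return found

def hunt(events) -> list:
    return [f for ev in events for f in check_event(ev)]

# Constructed sample telemetry; file paths are made up, the indicator values are from the reporting.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\probmon.sys",
     "Signature": "ITM System Co., LTD", "SignatureStatus": "Revoked"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\b.cache", "CommandLine": r"C:\Windows\Temp\b.cache"},
    {"EventID": "mutant", "Mutants": ["IntoTheFloodAgainSameOldTrip", r"\BaseNamedObjects\Unrelated"]},
]
```

Run `hunt(SAMPLE_EVENTS)` to get one finding per matched record; a revoked signature on any other driver is surfaced separately so it can be triaged without being confused with the known probmon.sys case.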


Threat actors

Groups observed using it

2 distinct threat actors attributed by public researchers.

BlackCat

At the time, Embargo relied on two EDR killers: a custom Safe Mode script, leveraging the technique already described earlier, and MS4Killer, a tool inspired by the publicly available s4killer PoC.

via ESET WeLiveSecurity blog (welivesecurity.com)
Storm-0501

Entire toolchain written in Rust - ransomware, loader (MDeployer), and EDR killer (MS4Killer).

via shroudcloud (shroudcloud.io)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1059.003 Windows Command Shell (evidence: 1)

Script-based EDR killers use taskkill, sc, net stop, and similar commands to tamper with protection.

Persistence

2 techniques
T1037.001 Logon Script (Windows) (evidence: 1)

EDR killers register scripts and services to run early at boot to interfere with EDR loading.

T1543.003 Windows Service (evidence: 1)

Some EDR killers may create services to run during Safe Mode or at next boot.

Privilege Escalation

3 techniques
T1037.001 Logon Script (Windows) (evidence: 1)

EDR killers register scripts and services to run early at boot to interfere with EDR loading.

T1068 Exploitation for Privilege Escalation (evidence: 4)

BYOVD-based EDR killers exploit vulnerable drivers to escalate kernel-level privileges.

T1543.003 Windows Service (evidence: 1)

Some EDR killers may create services to run during Safe Mode or at next boot.

Stealth

5 techniques
T1027 Obfuscated Files or Information (evidence: 1)

Commercial EDR killers especially use obfuscation and encryption (e.g., CardSpaceKiller).

T1027.009 Embedded Payloads (evidence: 1)

Some EDR killers embed the drivers directly into their user-mode components, often encrypted.

T1027.013 Encrypted/Encoded File (evidence: 1)

Embargo has encrypted both MDeployer and MS4Killer payloads with RC4.

T1070.004 File Deletion (evidence: 1)

Embargo has leveraged MDeployer to terminate the MS4Killer process, delete the decrypted payload files and a driver file dropped by MS4Killer, and reboot the system.

T1140 Deobfuscate/Decode Files or Information (evidence: 2)

Embargo has utilized MDeployer to decrypt two payloads that contain MS4Killer toolkit b.cache and the Embargo ransomware executable a.cache with a hardcoded RC4 key.

Discovery

1 technique
T1057 Process Discovery (evidence: 1)

Embargo has utilized MS4Killer to detect running processes on the victim device. Embargo has also captured a snapshot of active running processes using the Windows API CreateToolHelp32Snapshot().

Impact

1 technique
T1489 Service Stop (evidence: 2)

Embargo has terminated active processes and services based on a hardcoded list using the CloseServiceHandle() function. Embargo has also leveraged MS4Killer to terminate processes contained in an embedded list of security software process names that were XOR-encrypted.

Other

2 techniques
T1562.001 Disable or Modify Tools (evidence: 3)

EDR killers terminate or suspend EDR/AV processes and services to bypass detection.

T1562.009 Safe Mode Boot (evidence: 1)

Script-based EDR killers reboot systems into Safe Mode to tamper with security components.
