Gmer
GMER is a legitimate anti-rootkit scanner and remover that the collected reporting repeatedly describes as abused by threat actors, particularly ransomware affiliates, to identify, terminate, or otherwise interfere with protected security processes. The reporting characterizes GMER as a rootkit detector/remover that can be used to kill processes, including antivirus and EDR components, and notes that it is often used alongside other defense-impairment tools such as HRSword, PC Hunter/PCHunter, YDark, WKTools, DumpGuard, StpProcessMonitor BYOVD, PowerTool, TrueSightKiller, GhostDriver, Poortry, AuKill, and Warp AVKiller.
The reporting links GMER to multiple ransomware intrusion sets and incidents. Symantec observed Trigona ransomware affiliates using GMER before deploying a custom exfiltration tool, as part of a broader toolkit that also included HRSword and PCHunter to disable security protections, often via vulnerable kernel drivers. ESET states that ransomware affiliates frequently abuse legitimate anti-rootkit tools such as GMER, HRSword, and PC Hunter to terminate protected processes or services, and specifically observed DeadLock using anti-rootkits including GMER and PC Hunter. Sophos reported Ryuk operators deploying GMER after attempts to launch ransomware, using it to hunt processes and attempt to shut down antivirus. NCC Group also documented GMER in a NoEscape ransomware intrusion where the actor used multiple drivers and tools in a noisy effort to disable EDR/AV.
Across the content, GMER’s high-confidence role is defense impairment: it is used post-compromise to find and forcibly terminate hidden, protected, antivirus, or EDR-related processes prior to data theft or ransomware deployment. The content does not provide a distinct malware family lineage, infection vector, or standalone IoCs for GMER itself beyond its executable/tool name and its use as an anti-rootkit/process-killing utility in ransomware operations.
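The defensive counterpart to the behaviour summarized above is telemetry correlation: flag any execution of the anti-rootkit and process-killer tools named in the reporting, and raise the severity when a security-product process exits on the same host shortly afterwards. The following Python is an added example, not code from Mallory or from any of the cited reports. It assumes simplified Sysmon-style records (EventID 1 ProcessCreate carrying Image and OriginalFileName, EventID 5 ProcessTerminate), the sample events are constructed, and the protected process names `edr_agent.exe` and `av_service.exe` are placeholders to be replaced with the binaries of the products you actually run.

```python
from datetime import datetime, timedelta

# Tool names from the reporting summarized on the page. They are matched,
# after normalisation, against both the executable basename and Sysmon's
# OriginalFileName (taken from PE version info), so a plain rename of the
# binary does not by itself evade the rule. Assumption: the binaries carry
# their tool name in PE version info; if they do not, only the basename matches.
DEFENSE_IMPAIRMENT_TOOLS = (
    "gmer", "hrsword", "pchunter", "ydark", "wktools", "dumpguard",
    "stpprocessmonitor", "powertool", "truesightkiller", "ghostdriver",
    "poortry", "aukill", "avkiller",
)

# Placeholder names for the AV/EDR processes whose termination matters.
# Replace with the actual service binaries of the products you run.
PROTECTED_PROCESSES = ("edr_agent.exe", "av_service.exe")  # constructed placeholders

# How long after a tool launch a protected-process exit is treated as related.
CORRELATION_WINDOW = timedelta(minutes=30)


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def normalize(name):
    """Drop the extension and every non-alphanumeric character: 'PC Hunter64.exe' -> 'pchunter64'."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return "".join(ch for ch in stem.lower() if ch.isalnum())


def is_defense_impairment_tool(event):
    """True for a ProcessCreate event whose image name or OriginalFileName contains a known tool name."""
    if event.get("EventID") != 1:
        return False
    names = (normalize(basename(event.get("Image", ""))),
             normalize(event.get("OriginalFileName", "")))
    return any(tool in name for tool in DEFENSE_IMPAIRMENT_TOOLS for name in names if name)


def correlate(events):
    """One alert per tool execution; protected-process terminations on the same host
    inside CORRELATION_WINDOW are attached and raise the severity to high."""
    events = sorted(events, key=lambda e: e["UtcTime"])
    alerts = []
    for ev in events:
        if not is_defense_impairment_tool(ev):
            continue
        start = ev["UtcTime"]
        terminated = [
            basename(e["Image"]) for e in events
            if e.get("EventID") == 5
            and e.get("Computer") == ev.get("Computer")
            and start <= e["UtcTime"] <= start + CORRELATION_WINDOW
            and basename(e.get("Image", "")) in PROTECTED_PROCESSES
        ]
        alerts.append({
            "host": ev.get("Computer"),
            "user": ev.get("User"),
            "time": start.isoformat(),
            "tool": basename(ev.get("Image", "")),
            "original_name": ev.get("OriginalFileName", ""),
            "terminated": terminated,
            "severity": "high" if terminated else "medium",
        })
    return alerts


# Constructed sample telemetry, not real events: a GMER launch followed by an
# EDR agent exit on FS01, and a renamed PC Hunter binary on WS07 with no exit.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": datetime(2024, 1, 10, 2, 14, 0), "Computer": "FS01",
     "User": "CORP\\admin", "Image": "C:\\Temp\\gmer.exe", "OriginalFileName": "gmer.exe"},
    {"EventID": 5, "UtcTime": datetime(2024, 1, 10, 2, 16, 30), "Computer": "FS01",
     "Image": "C:\\Program Files\\Vendor\\edr_agent.exe"},
    {"EventID": 1, "UtcTime": datetime(2024, 1, 10, 3, 0, 0), "Computer": "WS07",
     "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\update.exe",
     "OriginalFileName": "PCHunter64.exe"},
    {"EventID": 1, "UtcTime": datetime(2024, 1, 10, 3, 5, 0), "Computer": "WS07",
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The renamed-binary case is the one worth keeping in mind: the reporting describes these tools being dropped post-compromise by hands-on operators, so a rule keyed only on the file name on disk is weak, while OriginalFileName, file hash and publisher signature are harder to alter without touching the binary. Any execution of these tools outside a documented IR engagement warrants a look; the high-severity path (tool launch followed by a security process exit) is the case to page on.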
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"They then deployed GMER, a 'rootkit detector' tool... used by ransomware actors to find and shut down hidden processes... and antivirus software..."
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation (1 technique)
Stealth (3 techniques)
More sophisticated affiliates weaponize legitimate anti-rootkit programs, such as GMER and PC Hunter. These tools were originally built to remove deep-kernel malware, but their elevated privileges make them ideal weapons for terminating active security processes.
Impact (1 technique)
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A tool used by the attackers as part of disabling endpoint protections prior to data theft and ransomware deployment.
A tool used by the attackers in conjunction with vulnerable-driver techniques to disable or bypass endpoint protection.
Tool referenced in the context of BYOVD/defense-evasion used by ransomware groups to disable security products prior to encryption.
A rootkit scanner noted here as usable for forcibly terminating processes.