PowerTool
PowerTool is a post-compromise utility observed in ransomware intrusions, used primarily to disable security software and evade detection. Public reporting states that Akira threat actors used PowerTool to exploit the Zemana AntiMalware driver in order to terminate antivirus-related processes. It has also been observed alongside tools such as PCHunter, Universal Virus Sniffer, and Process Hacker in activity intended to evade detection or disable antivirus protections. In Akira-related incidents, PowerTool appeared after initial access obtained through VPN access without MFA, exploitation of the Cisco vulnerabilities CVE-2020-3259 and CVE-2023-20269, exposed RDP, spear phishing, and valid account abuse. In separate reporting on Qilin/GOLD FEATHER intrusions, CTU researchers observed PowerTool deployed post-compromise, possibly to disable antivirus software, after RDP was abused for initial access and lateral movement. High-confidence associations link PowerTool to Akira ransomware operators and to Qilin-related activity. The available reporting does not provide standalone malware family details, persistence mechanisms, or specific IOCs for PowerTool beyond its use to terminate antivirus processes via the Zemana AntiMalware driver.
Groups observed using it
1 distinct threat actor attributed by public researchers.
CTU researchers have observed remote desktop protocol (RDP) abused for initial access and lateral movement before the post-compromise PCHunter and PowerTool tools were deployed, possibly with the intention of disabling antivirus software.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
2 techniques
For defense evasion, tools such as GMER, IOBit, and PowerTool are deployed to disable endpoint protection and clear event logs.
The threat actor was observed deleting files that had been dropped to disk.
Other
2 techniques
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Tool used by Akira operators for defense evasion by exploiting the Zemana AntiMalware driver to terminate antivirus-related processes.
Post-compromise tool observed in Qilin intrusions, possibly used to disable antivirus/endpoint protections ahead of ransomware execution.