DemoKiller
DemoKiller is a commercial EDR-killer malware/tool used to disable or terminate endpoint security products during ransomware intrusions, typically before the encryptor is deployed. ESET identified it as one of the EDR killers marketed as a service on underground forums, and noted that it is also referred to as Бафомет. ESET telemetry confirmed DemoKiller use by affiliates of the Qilin, Akira, and Gentlemen ransomware gangs, and it was also observed once in a RansomHouse intrusion. In its reporting on Gentlemen, ESET specifically assessed DemoKiller as affiliate-specific and excluded it from Gentlemen's in-house tool suite, finding no ties between DemoKiller and the gang's centrally maintained GentleKiller framework. The public reporting summarized here does not include specific technical indicators, targeted process lists, driver names, or infection vectors for DemoKiller itself beyond its role as an EDR killer and its observed use across multiple ransomware affiliate intrusions.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The threat actor advertised an EDR killer that ESET researchers later named DemoKiller. ESET telemetry confirms that DemoKiller has been used by affiliates of the Qilin, Akira, and Gentlemen gangs...
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation: 1 technique
Other: 2 techniques
Before launching their file-encrypting malware, cybercriminals routinely deploy specialized tools to bypass security software... Attackers are now heavily using driverless methods, custom command-line scripts, and legitimate anti-rootkit utilities to turn off security defenses.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
An EDR killer observed in several intrusions but treated as affiliate-specific tooling rather than part of the Gentlemen-maintained suite.
An affiliate-specific EDR killer observed in some intrusions, but not attributed to Gentlemen’s maintained toolset.
A commercialized EDR killer marketed on underground marketplaces as a service to disable security tools.
Commercial EDR killer sold underground and used by multiple ransomware affiliates across several gangs.