MalwareRansomware

TfSysMon-Killer

TfSysMon-Killer is a publicly available proof-of-concept BYOVD-based EDR killer associated with BlackSnufkin’s repository of vulnerable-driver abuse tools. It is designed to disable or interfere with endpoint security products by abusing the ThreatFire System Monitor driver/component TFSysMon. ESET identified it as one of the public PoC codebases that attackers fork and tweak for use in ransomware intrusions. ESET detected TfSysMon-Killer deployed during a Monti ransomware attack in February 2025; the observed sample retained the same functionality as the original but had been reimplemented from Rust to C++, reportedly to better align with the threat actor’s other tooling. The content directly links the tool to ransomware tradecraft as a pre-encryption defense-evasion component and notes that attackers commonly adapt PoCs such as TfSysMon-Killer rather than developing all EDR killers from scratch.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique

T1068Exploitation for Privilege EscalationEvidence1

BYOVD-based EDR killers exploit vulnerable drivers to escalate kernel-level privileges.

Other

1 technique

T1562.001Disable or Modify ToolsEvidence2

EDR killers terminate or suspend EDR/AV processes and services to bypass detection.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

the hacker newsNews

Mar 19, 2026

54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security

An EDR killer tool based on tweaked proof-of-concept code, used to interfere with endpoint security defenses.

eset welivesecurity blogNews

Mar 19, 2026

EDR killers explained: Beyond the drivers

BYOVD-based EDR killer from BlackSnufkin’s repository; observed in a Monti ransomware intrusion and reimplemented from Rust to C++.

eset welivesecurity blogNews

Mar 26, 2025

Shifting the sands of RansomHub’s EDRKillShifter

A publicly available proof-of-concept EDR killer using the TFSysMon vulnerable driver; its code and driver overlap with techniques seen in EDRKillShifter.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.