Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomwareUsed by 1 actorExploits 1 CVE

DLKiller

DLKiller is a BYOVD-based EDR killer/loader associated with DeadLock ransomware activity. ESET observed DeadLock using DLKiller alongside another EDR killer, Susanoo, as well as anti-rootkit tools such as GMER and PC Hunter during intrusions. DLKiller was used as a pre-encryption tool to disable or terminate security products. The malware abuses the vulnerable Baidu Antivirus driver BdApiUtil.sys via CVE-2024-51324 and uses IOCTL 0x800024b4 to achieve kernel-level process termination. Reporting describes it as a BYOVD loader used with DeadLock ransomware for killing EDR or AV processes. ESET assessed with low confidence that DLKiller and the DeadLock encryptor may have been developed by the same author based on code similarities. The available content does not provide specific IOCs beyond the abused driver name, CVE, and IOCTL value.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2024-51324Arbitrary Process Termination in Baidu Antivirus BdApiUtil DriverExploited in the wild

DLKiller ... DeadLockランサムウェアで使用されたBYOVDローダー。Baidu AntivirusドライバBdApiUtil.sysの脆弱性(CVE-2024-51324)を悪用し、IOCTL 0x800024b4でカーネルレベルのプロセス終了を実行 | DLKiller マルウェア(攻撃者作成) ... DeadLockランサムウェアで使用されたBYOVDローダー。Baidu AntivirusドライバBdApiUtil.sysの脆弱性(CVE-2024-51324)を悪用し、IOCTL 0x800024b4でカーネルレベルのプロセス終了を実行。

via sdsgsdsg.moe
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
DeadLock

ESET researchers have observed DeadLock using two EDR killers, DLKiller (also mentioned as an unnamed loader by Cisco Talos) and Susanoo, and anti-rootkits such as GMER and PC Hunter.

via eset welivesecurity blogwelivesecurity.com
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique
T1068Exploitation for Privilege EscalationEvidence2

BYOVD-based EDR killers exploit vulnerable drivers to escalate kernel-level privileges.

Defense Impairment

1 technique
T1553Subvert Trust ControlsEvidence1

脆弱な署名済みドライバを武器化し ... Process Explorer(ProcExp)ドライバ(Microsoft署名済み)を悪用

Impact

1 technique
T1489Service StopEvidence1

EDR killers stop protected services of security products and tamper with their functionality.

Other

1 technique
T1562.001Disable or Modify ToolsEvidence2

EDR killers terminate or suspend EDR/AV processes and services to bypass detection.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.