AuKill Malware Abuses Signed Process Explorer Driver to Disable EDR
Sophos X-Ops reported that the AuKill malware uses a bring-your-own-vulnerable-driver (BYOVD) technique to disable endpoint detection and response tools before follow-on payloads such as ransomware or backdoors are deployed. The tool abuses an outdated, Microsoft-signed Process Explorer driver, PROCEXP.SYS, and was linked to at least three intrusions involving ransomware operators including Medusa Locker and LockBit. Researchers identified six variants developed between late 2022 and early 2023, indicating active refinement of the malware.
AuKill requires administrative privileges, installs itself as a Windows service, drops the vulnerable driver into the system drivers directory, and repeatedly kills processes and disables services tied to security products; some versions also unload defensive drivers. Sophos said the malware shares strong code and behavioral similarities with the open-source Backstab project, suggesting the author reused existing offensive techniques to build the tool. The findings highlight continued criminal use of signed but vulnerable drivers to evade defenses and weaken security controls ahead of broader compromise.
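The behaviour described above (a service installed with a known-abused signed driver as its image, followed by that driver loading) is what a defender can correlate in telemetry. The following is an added example, not Sophos' detection logic or any code from the page: it groups simplified Windows System log 7045 (service installed) and Sysmon event 6 (driver loaded) records per host and driver against a watchlist. The event shapes, host names and service name are constructed assumptions; only PROCEXP.SYS comes from the story.

```python
"""Correlate driver-install and driver-load events against a watchlist of
signed drivers known to be abused. Example code; event field names are a
simplified assumption and the sample records below are constructed."""
import ntpath
from collections import defaultdict
from typing import Dict, Iterable, List

# Driver named in the story; extend with your own intel (upper-case basenames).
WATCHLIST = {"PROCEXP.SYS"}

# Constructed sample events: one service install plus one driver load of the
# abused driver on ws01, and a benign driver load on ws02.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "source": "System", "id": "7045",
     "ServiceName": "PLACEHOLDER_SVC",  # constructed, not AuKill's real name
     "ImagePath": r"C:\Windows\System32\drivers\PROCEXP.SYS"},
    {"host": "ws01", "source": "Sysmon", "id": "6",
     "ImageLoaded": r"C:\Windows\System32\drivers\PROCEXP.SYS", "Signed": "true"},
    {"host": "ws02", "source": "Sysmon", "id": "6",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
]

def _basename(path: str) -> str:
    return ntpath.basename(path).upper()

def find_byovd_indicators(events: Iterable[Dict[str, str]],
                          watchlist: Iterable[str] = WATCHLIST) -> List[Dict[str, object]]:
    """Return one alert per (host, watch-listed driver). Install and load
    together rate 'high'; either one alone still rates 'medium', because a
    signed-but-vulnerable driver has no business appearing on its own either."""
    watch = {w.upper() for w in watchlist}
    hits: Dict[tuple, Dict[str, list]] = defaultdict(
        lambda: {"service_installs": [], "driver_loads": []})
    for ev in events:
        if ev.get("source") == "System" and ev.get("id") == "7045":
            name, bucket = _basename(ev.get("ImagePath", "")), "service_installs"
        elif ev.get("source") == "Sysmon" and ev.get("id") == "6":
            name, bucket = _basename(ev.get("ImageLoaded", "")), "driver_loads"
        else:
            continue  # other event types are not part of this correlation
        if name in watch:
            hits[(ev.get("host", "?"), name)][bucket].append(ev)
    alerts = []
    for (host, name), groups in sorted(hits.items()):
        both = bool(groups["service_installs"]) and bool(groups["driver_loads"])
        alerts.append({"host": host, "driver": name,
                       "severity": "high" if both else "medium", **groups})
    return alerts

if __name__ == "__main__":
    for a in find_byovd_indicators(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["driver"],
              len(a["service_installs"]), "install(s),", len(a["driver_loads"]), "load(s)")
```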

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
GitHub repository publishes process-killer driver exploitation project
A GitHub repository named 'Killers' was published, presenting tooling for exploitation of process-killer drivers. This is a new public technical disclosure related to the driver-abuse technique used to terminate security processes.
Sophos publishes analysis of AuKill BYOVD malware
Sophos X-Ops publicly reported its analysis of AuKill, describing it as a bring-your-own-vulnerable-driver tool that reuses code and techniques similar to the open-source Backstab project. Sophos said it detects the malware as ATK/BackStab-D and highlighted malicious driver abuse as a growing trend.
AuKill linked to multiple ransomware attacks
In early 2023, Sophos linked AuKill to at least three ransomware incidents, including attacks involving Medusa Locker and LockBit. In these intrusions, the tool was used to disable endpoint detection and response software before ransomware or backdoor deployment.
AuKill development continued across multiple variants
From November 2022 through February 2023, Sophos observed six AuKill variants, indicating ongoing refinement of the tool's capabilities for terminating processes, disabling services, and in some cases unloading security drivers.
Earliest AuKill variant observed in the wild
Sophos identified the earliest known AuKill malware variant in November 2022, marking the start of observed development of the defense-evasion tool. The malware abused an outdated Microsoft-signed Process Explorer driver to disable security products.
Sources
GitHub - xalicex/Killers: Exploitation of process killer drivers (github.com)
'AuKill' EDR killer malware abuses Process Explorer driver | Sophos (news.sophos.com)
'AuKill' EDR killer malware abuses Process Explorer driver | Sophos (sophos.com)