EDR Killers Explained: Beyond the Drivers
Summary:
EDR killers have become one of the most commonly seen tools in modern ransomware intrusions, with attackers acquiring high privileges, deploying such tools to disrupt endpoint protection, and only then launching an encryptor.
ESET Research published a comprehensive analysis today grounded in telemetry and incident investigations covering nearly 90 EDR killers actively observed in the wild, with 54 classified as Bring Your Own Vulnerable Driver (BYOVD)-based tools abusing 35 distinct drivers, 7 as script-based, and 15 as abused anti-rootkit utilities.
The research identifies three primary classes of threat actors:
- Closed non-RaaS groups that develop proprietary tools (e.g., Warlock, DeadLock, Embargo).
- Affiliates who fork and lightly modify publicly available proof-of-concept code.
- Actors purchasing commercial offerings via underground marketplaces.
Notable commercial EDR killers include DemoKiller (used by Qilin, Akira, and Gentlemen affiliates), AbyssKiller (used against Medusa, DragonForce, and BlackSuit victims), and CardSpaceKiller (observed in Akira, Medusa, Qilin, Crytox, and MedusaLocker incidents).
A key finding challenges conventional attribution methodology: the same vulnerable driver routinely appears across unrelated codebases, and the same EDR killer frequently migrates between drivers over time, meaning driver-based attribution to specific threat groups is often misleading.
ESET researchers also assess that at least some recently observed EDR killers exhibit strong indicators of AI-assisted development, citing a Warlock-deployed tool containing AI-characteristic boilerplate and a trial-and-error driver selection mechanism as a concrete example.
The research additionally documents a growing class of driverless EDR killers, tools like EDRSilencer and EDR-Freeze, that block EDR communications or suspend processes entirely without interacting with the kernel.
Analyst comments:
The proliferation and commercialization of EDR killers represent a structural shift in ransomware operational tradecraft that directly threatens the efficacy of endpoint security investments across all sectors. Because EDR killers rely on legitimate but vulnerable drivers, they gain kernel-level impact with minimal development effort, and defending against them is significantly more complicated: blocking those drivers outright risks disrupting the legacy or enterprise software that depends on them.
The EDR killer as a product model dramatically lowers the barrier to entry. Affiliates with limited technical capability can now acquire hardened, obfuscation-packed tools with mature anti-analysis features through underground marketplaces for hundreds to thousands of dollars, while larger RaaS affiliate pools produce increasing tooling diversity that complicates pattern-based detection and attribution.
The emergence of AI-assisted EDR killer development signals a potential acceleration in the volume and variety of novel tools, compressing the window between PoC publication and weaponized deployment. Organizations relying solely on vulnerable driver blocklists face an increasingly unreliable defensive posture, as demonstrated by threat actors generating over 2,500 validly signed Truesight[.]sys variants.
Mitigation:
Organizations should implement a prevention-first, multilayered strategy aimed at disrupting EDR killers before execution rather than solely relying on driver blocking at the final moment before encryptor launch.
- Practically, this means maintaining a current vulnerable driver blocklist (referencing resources such as the LOLDrivers project and Microsoft's recommended block rules) as a necessary but insufficient control, pairing it with behavioral detection rules targeting the privilege escalation, service creation, and process termination patterns common across EDR killer classes.
- EDR and XDR telemetry should be tuned to alert on the loading of known vulnerable drivers, use of administrative utilities like taskkill and sc delete against security product processes, and anomalous Safe Mode reboot registrations.
- For the growing driverless threat category, network-level telemetry should monitor for interruptions in EDR-to-backend communications consistent with tools like EDRSilencer.
- Organizations should also ensure SOC or MDR capabilities are positioned to act on EDR killer deployment detections in real time, as the window between tool execution and encryptor launch is measured in seconds.
- IoCs and samples for all named tools are available in ESET's public GitHub repository at github.com/eset/malware-ioc/tree/master/edr_killers.
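The following is an added illustration of the layered approach in the mitigation items above (it is not code from ESET or from the source article): a hash blocklist check on driver loads, paired with behavioral rules for the command patterns the items name (taskkill and sc delete against security product processes, Safe Mode boot registration via bcdedit or the SafeBoot registry keys). The blocklist hashes, the event stream and the "Example*" product names are constructed for the demo; only MsMpEng.exe/WinDefend (Microsoft Defender) are real names. The event with a watchlisted file name but an unknown hash shows why a hash blocklist alone is insufficient against re-signed driver variants.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed reference data (placeholders, not real IoCs) -------------------
# A real blocklist is keyed by driver hashes taken from LOLDrivers or Microsoft's
# recommended driver block rules; here the "driver image" is constructed bytes.
VULNERABLE_DRIVER_HASHES = {
    sha256_hex(b"constructed image of vulnerable driver build 1"): "ExampleVulnDriver build 1",
}
# Filename watchlist: a weaker signal, because re-signed variants change the hash
# but often keep the file name (the Truesight.sys case discussed above).
WATCHLISTED_DRIVER_NAMES = {"truesight.sys"}

# Security product processes/services to protect. MsMpEng.exe and WinDefend are
# Microsoft Defender; the "Example*" entries are constructed stand-ins.
SECURITY_PROCESSES = {"msmpeng.exe", "exampleedragent.exe"}
SECURITY_SERVICES = {"windefend", "exampleedrsvc"}


def _tokens(cmdline: str):
    """Split a command line into lower-cased tokens, dropping surrounding quotes."""
    return [t.strip('"').lower() for t in cmdline.split()]


def classify(event: dict):
    """Return (rule_name, detail) if the event matches an EDR-killer pattern, else None."""
    if event["kind"] == "driver_load":
        name = event["path"].rsplit("\\", 1)[-1].lower()
        if event["sha256"] in VULNERABLE_DRIVER_HASHES:
            return ("vulnerable_driver_load", VULNERABLE_DRIVER_HASHES[event["sha256"]])
        if name in WATCHLISTED_DRIVER_NAMES:
            # Hash unknown: a pure blocklist would let this load through.
            return ("watchlisted_driver_name", name)
        return None

    if event["kind"] == "process_create":
        tok = _tokens(event["cmdline"])
        if not tok:
            return None
        image = tok[0].rsplit("\\", 1)[-1]
        if image == "taskkill.exe":
            # taskkill /F /IM <security process>
            for i, t in enumerate(tok):
                if t == "/im" and i + 1 < len(tok) and tok[i + 1] in SECURITY_PROCESSES:
                    return ("security_process_kill", tok[i + 1])
        if image == "sc.exe" and len(tok) >= 3 and tok[1] in ("delete", "stop") \
                and tok[2] in SECURITY_SERVICES:
            return ("security_service_tamper", f"sc {tok[1]} {tok[2]}")
        if image == "bcdedit.exe" and "safeboot" in tok:
            return ("safe_mode_registration", event["cmdline"])
        if image == "reg.exe" and any("\\safeboot\\" in t for t in tok):
            return ("safe_mode_registration", event["cmdline"])
    return None


def scan(events):
    """Run every event through classify() and return (event id, rule, detail) alerts."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append((ev["id"], hit[0], hit[1]))
    return alerts


# Constructed event stream resembling the pre-encryption sequence described above.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process_create",
     "cmdline": r"C:\Windows\System32\sc.exe query WinDefend"},
    {"id": 2, "kind": "driver_load", "path": r"C:\Users\Public\truesight.sys",
     "sha256": sha256_hex(b"constructed re-signed variant, hash not on blocklist")},
    {"id": 3, "kind": "driver_load", "path": r"C:\Users\Public\ldr.sys",
     "sha256": sha256_hex(b"constructed image of vulnerable driver build 1")},
    {"id": 4, "kind": "process_create",
     "cmdline": r"C:\Windows\System32\taskkill.exe /F /IM MsMpEng.exe"},
    {"id": 5, "kind": "process_create",
     "cmdline": r"C:\Windows\System32\sc.exe delete ExampleEdrSvc"},
    {"id": 6, "kind": "process_create",
     "cmdline": r"C:\Windows\System32\bcdedit.exe /set {current} safeboot minimal"},
    {"id": 7, "kind": "process_create",
     "cmdline": r"C:\Windows\System32\notepad.exe"},
]


def demo():
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Event 2 is the instructive case: its hash is not on the blocklist, so only the name-based watch rule and the subsequent behavioral hits (events 4 to 6) surface the sequence. In a production rule set the name watch would be low severity on its own and raised when it co-occurs with the tampering rules within a short window.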
Source:
https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/
_______________________________________________________________________
Max Severity Ubiquiti UniFi Flaw May Allow Account Takeover
Summary:
Ubiquiti has patched two vulnerabilities in the UniFi Network Application, including a maximum-severity flaw that may allow attackers to take over user accounts.
The most severe flaw, tracked as CVE-2026-22557, is a Path Traversal vulnerability assigned a CVSS score of 10.0. A malicious actor with access to the network could exploit it to step outside of restricted directories and access sensitive files on the underlying system. This flaw affects UniFi Network Application version 10.1.85 and earlier.
A second vulnerability, CVE-2026-22558, involves an authenticated NoSQL Injection weakness that could allow a malicious actor with authenticated network access to escalate their privileges within the application.
Analyst comments:
The Path Traversal vulnerability impacts a wide range of popular networking hardware managed through the UniFi Network Application, including the UniFi Express and standard application releases. Successful exploitation of CVE-2026-22557 could allow an unauthenticated attacker to read sensitive system files, potentially exposing credentials, configuration data, or other material that could facilitate full account or system compromise. The privilege escalation flaw in CVE-2026-22558, while requiring an authenticated foothold, creates a chained exploitation path: an attacker gaining low-privileged access could escalate to higher levels of control.
The broader risk is elevated by historical threat actor interest in Ubiquiti infrastructure; in February 2024, the FBI dismantled a botnet of hacked Ubiquiti Edge OS routers used by Russia's GRU to proxy malicious traffic in attacks targeting the United States and its allies. Organizations using UniFi deployments in critical or enterprise environments should treat this as high-priority exposure.
Mitigation:
Both vulnerabilities are addressed in UniFi Network Application version 10.1.89 or later.
- Administrators should prioritize upgrading affected deployments immediately, particularly any internet-facing or cloud-hosted UniFi controllers.
- Where immediate patching is not feasible, network access to the UniFi management interface should be restricted to trusted management VLANs or hosts only, limiting the attacker's ability to reach the vulnerable Path Traversal endpoint.
- Organizations should also audit for any unauthorized access or anomalous file system activity on systems running affected versions, and review user account privilege levels as a precaution against exploitation of the NoSQL Injection flaw.
- Ubiquiti's recommended deployment model, hosting the UniFi Network Application on a UniFi Cloud Gateway rather than a general-purpose server, should be enforced where possible, as it provides a more controlled and consistently updated environment.
Source:
https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b
_______________________________________________________________________
Critical Microsoft SharePoint Flaw Now Exploited in Attacks
Summary:
A critical vulnerability in Microsoft SharePoint Server, originally patched in January 2026, is now seeing active exploitation in the wild. Tracked as CVE-2026-20963, the flaw is a deserialization of untrusted data issue that allows an attacker with low-privileged authenticated access to execute arbitrary code remotely on the affected server. While Microsoft initially categorized the likelihood of exploitation as "less likely," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog as of March 18, 2026. This addition signals that attackers are actively weaponizing the flaw to breach enterprise environments, prompting urgent remediation requirements for federal agencies and a strong recommendation for private sector entities to follow suit.
Analyst comments:
The transition of CVE-2026-20963 from a "less likely" exploit to an actively traded and used threat is a significant development for organizations. SharePoint remains a high-value target for adversaries because it often serves as a central repository for sensitive corporate intellectual property and serves as a springboard for lateral movement within a network. Because the attack requires only "low" privileges, an attacker who has compromised a single set of employee credentials, perhaps through a simple phishing campaign, can escalate that foothold into full system command. For our broad range of members, this means that even if your external perimeter is robust, an internal threat or a leaked credential could lead to a catastrophic breach of your primary collaboration platform. We are seeing a trend where attackers specifically wait for the "post-patch" window to target organizations that are slower to update their internal-facing infrastructure.
Mitigation:
To defend against this active threat, organizations should prioritize the following actions:
- Immediate Patching: Apply the security updates provided by Microsoft in the January 2026 Patch Tuesday release. This affects SharePoint Server 2016, 2019, and Subscription Edition.
- Enforce MFA: Since the exploit requires authentication, robust Multi-Factor Authentication (MFA) across all SharePoint access points is the most effective way to prevent the initial access required to trigger the vulnerability.
- Monitor for Anomalous Processes: Security teams should hunt for unusual child processes spawning from the SharePoint worker process (w3wp.exe). Specifically, look for the execution of cmd.exe, powershell.exe, or any unexpected network connections originating from the SharePoint application tier.
- Network Segmentation: Ensure that SharePoint servers are isolated from the broader internet where possible and that internal access is restricted to only the necessary user segments to reduce the potential attack surface.
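As an added example of the "Monitor for Anomalous Processes" item (not code from Microsoft or from the cited articles), the script below rebuilds a process tree from process-creation and network-connection events and flags cmd.exe or powershell.exe anywhere in the lineage of w3wp.exe, plus egress from that lineage to destinations outside an allowlist. Checking lineage rather than the direct parent catches the common w3wp.exe -> cmd.exe -> powershell.exe chain. The events, PIDs, the "SharePoint - 80" application pool name and the SQL allowlist entry are constructed for the demo.

```python
WEB_WORKER = "w3wp.exe"
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
# Constructed allowlist: the back-end SQL Server the application tier legitimately reaches.
ALLOWED_DESTINATIONS = {("10.0.0.5", 1433)}


def build_tree(events):
    """Map pid -> (image name, parent pid) from process-create events."""
    return {ev["pid"]: (ev["image"].lower(), ev["ppid"])
            for ev in events if ev["kind"] == "process_create"}


def worker_lineage(tree, pid, max_depth=8):
    """True if pid is w3wp.exe or has w3wp.exe among its ancestors (bounded walk)."""
    depth = 0
    while pid in tree and depth < max_depth:
        image, ppid = tree[pid]
        if image == WEB_WORKER:
            return True
        pid = ppid
        depth += 1
    return False


def hunt(events):
    """Return findings: suspicious shells under w3wp.exe and non-allowlisted egress."""
    tree = build_tree(events)
    findings = []
    for ev in events:
        if ev["kind"] == "process_create":
            image = ev["image"].lower()
            # The walk starts at the new process itself, which is never w3wp.exe here,
            # so this effectively asks whether any ancestor is the worker.
            if image in SUSPICIOUS_CHILDREN and worker_lineage(tree, ev["pid"]):
                findings.append(("child_process", ev["pid"], image, ev["cmdline"]))
        elif ev["kind"] == "network_connect":
            dst = (ev["dst_ip"], ev["dst_port"])
            if worker_lineage(tree, ev["pid"]) and dst not in ALLOWED_DESTINATIONS:
                findings.append(("egress", ev["pid"], tree[ev["pid"]][0], f"{dst[0]}:{dst[1]}"))
    return findings


# Constructed event stream: a shell chain under the worker, an admin's interactive
# PowerShell that must not be flagged, and two outbound connections.
SAMPLE_EVENTS = [
    {"kind": "process_create", "pid": 150, "ppid": 4, "image": "svchost.exe",
     "cmdline": "svchost.exe -k iissvcs"},
    {"kind": "process_create", "pid": 200, "ppid": 150, "image": "w3wp.exe",
     "cmdline": 'w3wp.exe -ap "SharePoint - 80"'},
    {"kind": "process_create", "pid": 300, "ppid": 200, "image": "cmd.exe",
     "cmdline": "cmd.exe /c echo probe"},
    {"kind": "process_create", "pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile"},
    {"kind": "process_create", "pid": 600, "ppid": 500, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"kind": "process_create", "pid": 700, "ppid": 600, "image": "powershell.exe",
     "cmdline": "powershell.exe"},
    {"kind": "network_connect", "pid": 200, "dst_ip": "10.0.0.5", "dst_port": 1433},
    {"kind": "network_connect", "pid": 400, "dst_ip": "203.0.113.10", "dst_port": 443},
    {"kind": "network_connect", "pid": 700, "dst_ip": "203.0.113.10", "dst_port": 443},
]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The same egress rule applied to a real deployment needs the allowlist populated from the farm's actual dependencies (SQL, search, Office Online Server, update endpoints); anything else initiated from the application tier is worth a ticket, regardless of whether a shell process is visible.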
Source:
https://www.bleepingcomputer.com/news/microsoft/critical-microsoft-sharepoint-flaw-now-exploited-in-attacks/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963/
_______________________________________________________________________
New Malware Targets Users of Cobra DocGuard Software
Summary:
A new information-stealing malware, dubbed "Speagle," has been identified targeting organizations that utilize the Cobra DocGuard data protection software. Attributed to a newly tracked threat actor named "Runningcrab," Speagle is unique in its highly specific operational requirements; the malware is programmed to execute its data harvesting and exfiltration routines only when it detects the presence of Cobra DocGuard on the host system. Once active, Speagle surreptitiously collects sensitive information and transmits it to a legitimate Cobra DocGuard server that has been compromised by the attackers. This tactic allows the malware to mask its malicious exfiltration as authorized client-to-server communication, effectively bypassing many standard network monitoring tools. While the exact infection vector is currently unconfirmed, researchers suggest a possible supply chain attack or a trojanized software update, noting that the malware leverages a legitimate Cobra DocGuard driver to perform self-deletion and evade detection.
Analyst comments:
This development highlights a sophisticated shift in targeting logic where attackers "piggyback" on trusted security and data protection vendors. By specifically targeting Cobra DocGuard users and hijacking its infrastructure for command-and-control (C2) purposes, the Runningcrab actor exploits the inherent trust placed in security software. For organizations in critical infrastructure or manufacturing that rely on specialized data protection suites, this represents a significant risk: your security tools could be transformed into the very conduits used to exfiltrate your intellectual property. The use of a legitimate driver for self-deletion further suggests that the actor has a deep understanding of the target's environment, pointing toward either a state-sponsored entity or a highly skilled private contractor engaged in industrial espionage. This incident underscores that "security-aware" software is not immune to being weaponized, and traditional indicators of compromise (IOCs) may be missed if they are disguised as routine vendor traffic.
Mitigation:
To defend against Speagle and similar targeted infostealers, organizations should implement a multi-layered defense strategy starting with rigorous supply chain risk management. It is critical to monitor for any unusual behavior originating from security software processes, such as unexpected outbound connections to known vendor servers at irregular intervals or volumes. Administrators should employ endpoint detection and response (EDR) solutions to audit the behavior of kernel-mode drivers, specifically looking for legitimate drivers being called by unsigned or unrecognized executables for file deletion. Furthermore, organizations should implement strict network segmentation and egress filtering to ensure that even "trusted" vendor communication is restricted to necessary ports and validated destinations. Regularly verifying the integrity of software updates and maintaining an offline backup of critical data will also help mitigate the impact of an initial compromise before it scales into a full-scale data breach.
Source:
https://www.security.com/threat-intelligence/speagle-cobradocguard-infostealer
_______________________________________________________________________
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
Summary:
The Google Threat Intelligence Group (GTIG) has identified DarkSword, a highly sophisticated iOS full-chain exploit utilizing six vulnerabilities to fully compromise devices running iOS versions 18.4 through 18.7. Active since at least November 2025, the exploit chain has been adopted by multiple distinct threat actors, including commercial surveillance vendors like PARS Defense and suspected state-sponsored groups such as UNC6353 and UNC6748. These actors have successfully deployed DarkSword against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. The widespread proliferation of this single exploit chain signifies a concerning trend regarding the commoditization of advanced mobile surveillance capabilities. Apple patched all underlying vulnerabilities associated with DarkSword with the release of iOS 26.3.
Analyst comments:
GTIG observed DarkSword campaigns beginning in early November 2025. DarkSword leverages six vulnerabilities to bypass sandbox restrictions and achieve full compromise with kernel privileges, with three of them exploited as a zero-day. The threat cluster UNC6748 targeted Saudi Arabian users via a Snapchat-themed decoy website (snapshare[.]chat), utilizing obfuscated JavaScript to load subsequent exploit stages. To avoid reinfection, the actors checked a specific session storage key ("uid") and redirected victims to the legitimate Snapchat website to mask the malicious activity. In late November 2025 and January 2026, PARS Defense utilized DarkSword in Turkey and Malaysia with improved operational security, including encrypted payloads and device fingerprinting. Additionally, UNC6353, a suspected Russian espionage group, incorporated DarkSword into their watering hole campaigns.
The DarkSword infection chain operates in JavaScript, bridging native APIs and IPC channels to execute its payload. This pure JavaScript approach eliminates the need to identify vulnerabilities for bypassing iOS exploit mitigations, such as Page Protection Layer (PPL) or Secure Page Table Monitor (SPTM), which restrict unsigned binary execution. The initial exploit loader manages Web Worker objects for remote code execution exploits, with logic either split across contexts using postMessage or fully contained within the worker itself.
Threat actors employed several notable tactics to ensure operational security and successful exploitation. Attackers utilized the "uid" session storage key to track infections and fingerprint devices. UNC6748 implemented the x-safari-https protocol handler to force the exploit page to open in Safari if a target attempted to access the landing page using Chrome, likely indicating the lack of a Chrome exploit chain. PARS Defense utilized ECDH and AES to encrypt exploits in transit between the server and the victim.
Following a successful exploit, actors deploy one of three distinct JavaScript-based malware families:
-
GHOSTKNIFE: Deployed by UNC6748. A backdoor that exfiltrates signed-in accounts, messages, browser data, and audio recordings. It uses a custom binary protocol over HTTP encrypted with ECDH and AES. It writes files to disk under randomly generated UUID directories in /tmp/ and periodically erases system crash logs to avoid detection.
-
GHOSTBLADE: Deployed by UNC6353 (suspected Russian espionage group). A dataminer that collects identity tokens, communications databases, cryptocurrency wallet data, and location history. It operates less continuously than GHOSTKNIFE but also actively deletes crash reports, specifically targeting the /…/systemgroup.com.apple.osanalytics/DiagnosticReports/ directory.
-
GHOSTSABER: Deployed in PARS Defense (Turkish commercial surveillance vendor) campaigns in Turkey and Malaysia as a final backdoor payload.
Mitigation:
Actionable Mitigations
- Update all iOS devices to version 26.3 or the latest available version to patch the six vulnerabilities leveraged by the DarkSword chain.
- Enable iOS Lockdown Mode for targeted or high-risk users if immediate device updates are not possible.
- Block access to the known malicious domain snapshare[.]chat at the network perimeter.
- Investigate iOS devices for anomalous directory structures, specifically randomized UUID folders stored within the /tmp/ directory.
- Monitor for the unexpected deletion of crash logs within the CrashReporter and DiagnosticReports system directories.
General Best Practices
- Ensure domains involved in exploit delivery are continually added to and blocked via Safe Browsing integrations.
- Enforce strict Mobile Device Management (MDM) policies to mandate timely OS updates across enterprise environments.
- Educate high-risk users on the dangers of sophisticated watering hole attacks and application-themed decoy websites masquerading as legitimate services.
A list of IOCs is available in the blog post.
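The two host-side checks in the actionable mitigations above (randomized UUID folders under /tmp/, and crash logs disappearing from the DiagnosticReports and CrashReporter directories) can be run over a collected file listing. The script below is an added example, not code from GTIG or the blog post: it takes two listings of device paths taken at different times (constructed here; the crash-log root is a placeholder rather than the real iOS path) and reports UUID-named /tmp/ directories and crash reports that were present earlier but are gone later.

```python
import re
from pathlib import PurePosixPath

# 8-4-4-4-12 hex groups, as produced by UUID generators (version digit not enforced).
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)
CRASH_DIR_MARKERS = ("/DiagnosticReports/", "/CrashReporter/")


def uuid_dirs_in_tmp(paths):
    """Return /tmp/<uuid> directories seen in a listing (entries at any depth below count)."""
    found = set()
    for p in paths:
        parts = PurePosixPath(p).parts  # ('/', 'tmp', '<name>', ...)
        if len(parts) >= 3 and parts[1] == "tmp" and UUID_RE.match(parts[2]):
            found.add("/tmp/" + parts[2])
    return sorted(found)


def vanished_crash_logs(earlier, later):
    """Crash reports present in the earlier listing but absent from the later one."""
    def is_crash_log(p):
        return any(marker in p for marker in CRASH_DIR_MARKERS)
    return sorted(p for p in set(earlier) - set(later) if is_crash_log(p))


def triage(earlier, later):
    """Combine both checks over the most recent listing (and the earlier one for deltas)."""
    return {
        "uuid_tmp_dirs": uuid_dirs_in_tmp(later),
        "vanished_crash_logs": vanished_crash_logs(earlier, later),
    }


# Constructed listings. "/placeholder-root" stands in for the crash-log location.
EARLIER = [
    "/tmp/com.apple.example.cache/item",
    "/tmp/3f2a9c1e-7b44-4d2a-9e1c-0a1b2c3d4e5f/payload.bin",
    "/tmp/3f2a9c1e-7b44-4d2a-9e1c-0a1b2c3d4e5f/state",
    "/placeholder-root/DiagnosticReports/ExampleApp-2026-03-01.ips",
    "/placeholder-root/DiagnosticReports/JetsamEvent-2026-03-02.ips",
    "/placeholder-root/CrashReporter/Retired/Old-2026-02-20.ips",
]
LATER = [
    "/tmp/3f2a9c1e-7b44-4d2a-9e1c-0a1b2c3d4e5f/payload.bin",
    "/tmp/ab12cd34-ef56-4a78-9b0c-d1e2f3a4b5c6/w",
    "/tmp/not-a-uuid-dir/file",
    "/placeholder-root/CrashReporter/Retired/Old-2026-02-20.ips",
]


if __name__ == "__main__":
    for key, value in triage(EARLIER, LATER).items():
        print(key, value)
```

Neither signal is conclusive on its own: legitimate software also creates UUID-named scratch directories, and crash logs age out normally. The combination, especially recently written crash reports disappearing while new UUID directories appear, is what should trigger a closer look at the device.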
Source:
https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain