1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Your antivirus is under attack from new "killer" tool - here's wh

    From TechnologyDaily@1337:1/100 to All on Tue Aug 12 12:30:08 2025
    Your antivirus is under attack from new "killer" tool - here's what we know

    Date:
    Tue, 12 Aug 2025 11:28:00 +0000

    Description:
    Hackers devised new tools to terminate your antivirus solutions, leaving
    users at risk.

    FULL STORY ======================================================================EDRKillS hifter is getting a dangerous upgrade The new malware can disable AV and EDR from reputable vendors Sophos, Bitdefender, and Kaspersky among the tools being targeted

    Cybercriminals appear to have improved their antivirus -killing capabilities, as recent research suggest a new tool being shared within the underground community.

    In a new report, security researchers from Sophos said multiple ransomware groups are successfully disabling endpoint detection and response (EDR) systems before deploying the encryptor.

    Originally, the group known as RansomHub developed a tool called EDRKillShifter, which Sophos says is now made obsolete thanks to this new and improved variant. The new tool can disable security software from multiple high-end vendors such as Sophos, Bitdefender, and Kaspersky. Shifting strategies

    The malware is often packed using a service called HeartCrypt, which obfuscates the code to evade detection.

    Sophos found the attackers are using all sorts of obfuscation and anti-analysis techniques to protect their tools from security defenders, and in some cases, theyre even using signed drivers (either stolen or compromised).

    In one case, the malicious code was embedded inside a legitimate utility, Beyond Compares Clipboard Compare tool, the researchers explained.

    Sophos also said that multiple ransomware groups are using this new EDR-killing tool, suggesting a high level of collaboration between players.

    EDRKillShifter was first spotted in mid-2024, after a failed attempt to disable an antivirus and deploy ransomware.

    Sophos then uncovered that the malware dropped a legitimate, but vulnerable driver.

    Now, it seems there is a new method - taking an already legitimate executable and modifying it locally by inserting malicious code and payload resources
    (as was the case with Beyond Compares tool). This is often done after the attacker has access to a victims machine, or when creating a malicious
    package that pretends to be legitimate.

    To defend against this threat, Sophos suggests users check whether their endpoint protection security products implement, and enable, tamper protection.

    Furthermore, businesses should practice strong hygiene for Windows security roles, since the attack is only possible if the attacker escalates privileges they control, or if they can obtain admin rights.

    Finally, businesses should keep their systems updated, as Microsoft recently started de-certifying old signed drivers. You might also like Cybercriminals launch new malware that can completely wipe out your antivirus Take a look at our guide to the best authenticator app We've rounded up the best password managers



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/your-antivirus-is-under-attack-from-new -killer-tool-heres-what-we-know


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)