AV, anti-malware, and EDR are tools primarily used to detect and prevent cyber-attacks, while AV/EDR bypass tools are designed to evade detection by those systems. Threat actors often use such bypass tools for a range of malicious purposes.
Cybersecurity researchers at Palo Alto Networks’ Unit 42 recently discovered that hackers have been actively using AV and EDR bypass tools obtained from cybercrime forums to evade endpoint defenses.
EDRSandBlast to Bypass Defences
The investigation of an extortion incident uncovered two compromised endpoints running outdated Cortex XDR agents.
These endpoints were being used to test an AV/EDR bypass tool named “disabler.exe,” a modified version of “EDRSandBlast” designed to disable security hooks in both user-mode libraries and kernel-mode callbacks.
The investigation revealed a virtual machine (hostname: DESKTOP-J8AOTJS) containing sophisticated attack tools, including “Mimikatz” (a credential harvesting tool), “shellcode generators,” “kernel driver utilities,” and “code obfuscation tools.”
Notable discoveries included “ContiTraining.rar” (containing leaked Conti ransomware playbooks), alongside files linking the system to the cybercrime forums XSS and Exploit through a user known as “Marti71” and “KernelMode”.
Analysis of the system also revealed connections to domains such as ‘temp.vxsh.net’ (used for fake AV/EDR tokens), and evidence of tool testing via ‘Oracle VM VirtualBox.’
The threat actor’s operational security was compromised through artifacts including a Kazakhstan-based P-1 form, browser history showing visits to ya.ru and sourceforge.net, and video demonstrations recorded using OBS Studio that showed “WinBox” (Mikrotik router administration tool) usage under a username beginning with “Andry.”
The endpoints contained a “Z:freelance” directory structure that helped map connections between various criminal affiliates and their tools.
The investigation also uncovered a sophisticated cyber attack whose tactics matched the Conti ransomware playbook, as shown by several technical indicators:
- Attackers used Atera for initial access and persistence.
- Deployed Cobalt Strike beacons (watermark ID: 1357776117) for C&C.
- Used PsExec for lateral movement.
- Leveraged Rclone for data theft.
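As an added illustration (not part of Unit 42’s report or its tooling), the following Python correlates constructed process-creation events against the three host-level stages listed above (Atera for access, PsExec for lateral movement, Rclone for data theft), and follows the PsExec target argument across hosts so an Rclone run on the lateral target is credited back to the originating host. Hostnames, command lines, stage names and the event format are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events: (host, image, command line).
# These are not real telemetry from the incident.
EVENTS = [
    ("WS01", "AteraAgent.exe", r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"),
    ("WS01", "PsExec64.exe", r"PsExec64.exe \\FS01 -s cmd.exe"),
    ("FS01", "rclone.exe", r"rclone.exe copy D:\Finance remote:exfil --transfers 8"),
    ("WS02", "AteraAgent.exe", "AteraAgent.exe"),  # RMM agent alone: no chain, not flagged
]

# Playbook stages from the indicator list, matched on the command line.
STAGES = [
    ("initial_access_rmm", re.compile(r"ateraagent\.exe", re.I)),
    ("lateral_psexec", re.compile(r"psexec(?:64)?\.exe", re.I)),
    ("exfil_rclone", re.compile(r"rclone\.exe\s+(?:copy|sync|move)\b", re.I)),
]

# PsExec takes its target as \\HOST; capture it to build a lateral-movement edge.
PSEXEC_TARGET = re.compile(r"psexec(?:64)?\.exe\s+\\\\([\w.-]+)", re.I)


def playbook_stages(events):
    """Return {host: [stage, ...]} with stages in first-seen order per host."""
    seen = defaultdict(list)
    for host, _image, cmdline in events:
        for name, pattern in STAGES:
            if pattern.search(cmdline) and name not in seen[host]:
                seen[host].append(name)
    return dict(seen)


def lateral_edges(events):
    """Return {source_host: {target_host, ...}} derived from PsExec targets."""
    edges = defaultdict(set)
    for host, _image, cmdline in events:
        match = PSEXEC_TARGET.search(cmdline)
        if match:
            edges[host].add(match.group(1).upper())
    return dict(edges)


def flagged_campaigns(events, min_stages=2):
    """Merge stages seen on PsExec targets into the source host; report hosts
    whose combined chain covers at least min_stages playbook stages."""
    stages, edges = playbook_stages(events), lateral_edges(events)
    flagged = {}
    for host, names in stages.items():
        merged = list(names)
        for target in edges.get(host, ()):
            merged += [n for n in stages.get(target, []) if n not in merged]
        if len(merged) >= min_stages:
            flagged[host] = merged
    return flagged
```

Running `flagged_campaigns(EVENTS)` reports only WS01, with all three stages, because its PsExec edge to FS01 pulls in the Rclone exfiltration observed there.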
Analysis of the Cobalt Strike configuration revealed connections to approximately “160” unique IP addresses and domain names with some infrastructure overlapping with “Dark Scorpius” (aka ‘Black Basta’) ransomware operations.
The breakthrough of the investigation came via the discovery of a compromised system labeled “DESKTOP-J8AOTJS,” which contained revealing artifacts like AV/EDR bypass tool demonstration videos and a P-1 expense form.
These operational security failures led investigators to identify an individual named “Andry” from Kazakhstan, who appears to operate under the alias “KernelMode” on cybercrime forums.
This individual is believed to be active in developing “sophisticated AV/EDR bypass tools” that are distributed via “subscription-based models” in underground markets. However, the direct evidence linking them to the actual network intrusion remains unclear.
The technical sophistication of the attack, which appears to have been interrupted before reaching its final stage, highlights the evolving nature of modern cyber threats that combine “automated tools” with “human expertise.”