HeartCrypt-Packed ‘AVKiller’ Tool Actively Deployed in Ransomware Attacks to Disable EDR
Threat actors increasingly prioritize neutralizing endpoint detection and response (EDR) systems early in multi-stage intrusions, so that the stages that follow, typically ransomware deployment, run unobserved.
Since 2022, malware sophistication has surged, with tools specifically engineered to disable EDR on compromised endpoints.
These utilities, often developed by ransomware affiliates or sourced from underground markets, leverage packer-as-a-service solutions like HeartCrypt for obfuscation.
A notable example is the AVKiller tool, embedded within HeartCrypt-packed samples, which has been observed in active ransomware campaigns.
This payload, seen among thousands of similar HeartCrypt-packed artifacts, is wrapped in several protection layers, targets a vendor list that varies from sample to sample, and relies on malicious kernel drivers signed with revoked or expired code-signing certificates.
Rising Sophistication in EDR Evasion Tactics
For instance, one variant, uA8s.exe (SHA-1: 2bc75023f6a4c50b21eb54d1394a7b8417608728), is a HeartCrypt build that injects its payload into a legitimate utility, in this case Beyond Compare’s Clipboard Compare. On execution it decodes the payload in memory, yielding an executable that looks for a randomly named companion driver such as mraml.sys (SHA-1: 21a9ca6028992828c9c360d752cb033603a2fd93).
According to a Sophos report, these drivers, which often masquerade as legitimate components (for example, mimicking the CrowdStrike Falcon Sensor), are signed with abused identities such as Changsha Hengxiang Information Technology Co., Ltd., whose certificate has been revoked since 2016.
Newer iterations carry signatures from Fuzhou Dingxin Trade Co., Ltd., invalid since 2012. The pattern shows that the operators deliberately rely on long-revoked or expired signing certificates, rather than freshly stolen ones, to get a driver past kernel-level protections.
The AVKiller’s functionality is multifaceted: it terminates processes and services from vendors including Bitdefender, Cylance, F-Secure, Fortinet, HitmanPro, Kaspersky, McAfee, Microsoft, SentinelOne, Sophos, Symantec, Trend Micro, and Webroot.
The target list varies across samples, sometimes focusing on one or two vendors, other times encompassing a broader array, demonstrating adaptability to specific environments.
If the required driver is absent, the tool halts with a “Failed to get device” error, but only after it has created a service tied to the driver’s name. That orphaned kernel-driver service is a useful forensic artifact even when the attack did not progress.
Memory dumps confirm its intent, revealing strings targeting processes like MsMpEng.exe, SophosHealth.exe, SAVService.exe, and sophosui.exe.
Sophos reports that detection typically comes either from static signatures (Mal/HCrypt- or Troj/HCrypt-) or from behavioral mitigations such as SysCall, DynamicShellcode, or HollowProcess, which underscores how heavily the tool leans on obfuscation and code injection to evade static analysis.
Real-World Deployments
AVKiller’s deployment is tightly coupled with ransomware operations, appearing in attacks by families including Blacksuit, RansomHub, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC, suggesting potential tool-sharing among groups.

In a typical RansomHub incident, a HeartCrypt-packed dropper (e.g., vp4n.exe, SHA-256: c793304fabb09bb631610f17097b2420ee0209bab87bb2e6811d24b252a1b05d) deploys the killer, which loads a driver such as zsogd.sys. Ransomware execution follows (e.g., FoPefI.exe, SHA-256: e1ed281c521ad72484c7e5e74e50572b48ea945543c6bcbd480f698c2812cdfe), appending extensions like .0416f0 and dropping notes such as README_0416f0.txt.
A MedusaLocker case began with initial access through a zero-day remote code execution flaw in SimpleHelp. DynamicShellcode alerts fired on 6Vwq.exe (SHA-256: 43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98), which unpacked to a payload (SHA-256: a44aa98dd837010265e4af1782b57989de07949f0c704a6325f75af956cc85de) targeting six vendors; Medusa ransomware (SHA-256: 3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da) followed.
An INC ransomware attack in June 2025 showed layered packing: an updated Impersonators-style packer wrapped around HeartCrypt in CSd2.exe (SHA-256: ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151). Unpacking yielded an intermediate payload (SHA-256: 61557a55ad40b8c40f363c4760033ef3f4178bf92ce0db657003e718dffd25bd) and, embedded within it, the killer (SHA-256: 597d4011deb4f08540e10d1419b5cbdfb38506ed53a5c0ccfb12f96c74f4a7a1), which loads noedt.sys (SHA-256: 6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be).
CryptoGuard mitigations flagged the ensuing encryption, with ransom notes like README.txt. This cross-family usage indicates knowledge transfer among ransomware actors, amplifying the threat of EDR evasion tools in coordinated attacks.
Indicators of Compromise (IOCs)
| File Name | Hash Type | Hash Value | Role |
|---|---|---|---|
| uA8s.exe | SHA-1 | 2bc75023f6a4c50b21eb54d1394a7b8417608728 | HeartCrypt-packed AVKiller |
| mraml.sys | SHA-1 | 21a9ca6028992828c9c360d752cb033603a2fd93 | AVKiller driver |
| vp4n.exe | SHA-256 | c793304fabb09bb631610f17097b2420ee0209bab87bb2e6811d24b252a1b05d | HeartCrypt dropper (RansomHub case) |
| FoPefI.exe | SHA-256 | e1ed281c521ad72484c7e5e74e50572b48ea945543c6bcbd480f698c2812cdfe | RansomHub ransomware |
| 6Vwq.exe | SHA-256 | 43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98 | HeartCrypt-packed AVKiller (Medusa case) |
| (unnamed) | SHA-256 | a44aa98dd837010265e4af1782b57989de07949f0c704a6325f75af956cc85de | Payload unpacked from 6Vwq.exe |
| MilanoSoftware.exe | SHA-256 | 3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da | Medusa ransomware |
| CSd2.exe | SHA-256 | ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151 | Double-packed dropper (INC case) |
| (unnamed) | SHA-256 | 61557a55ad40b8c40f363c4760033ef3f4178bf92ce0db657003e718dffd25bd | Payload extracted from CSd2.exe |
| (unnamed) | SHA-256 | 597d4011deb4f08540e10d1419b5cbdfb38506ed53a5c0ccfb12f96c74f4a7a1 | AVKiller embedded in CSd2.exe |
| noedt.sys | SHA-256 | 6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be | AVKiller driver (INC case) |
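The three signals this article describes, known file hashes, kernel drivers loaded with signatures from the named abused signers or with a non-valid signature status, and a kernel-driver service that was registered but whose driver never loaded (the “Failed to get device” artifact), can all be hunted for in Sysmon and Windows Security event data. The script below is an added example written for this page, not code from Sophos or from the article. It runs over constructed sample records embedded inline; the field names mirror Sysmon Event ID 1 (ProcessCreate), Sysmon Event ID 6 (DriverLoad) and Security Event 4697 (service installation), but the records themselves, the paths, and the placeholder digest on the benign driver are invented. The “outside the usual driver directories” check is a hunting lead, not a verdict, since some legitimate drivers load from other locations.

```python
"""Hunt for AVKiller-style EDR-killer activity in Sysmon / Security event records.
Added example for this page (not Sophos or article code); sample records are constructed."""
import re
from typing import Dict, List, NamedTuple

# Digests reproduced from the article's IOC table, keyed by lowercase hex.
KNOWN_HASHES: Dict[str, str] = {
    "2bc75023f6a4c50b21eb54d1394a7b8417608728": "uA8s.exe (HeartCrypt-packed AVKiller)",
    "21a9ca6028992828c9c360d752cb033603a2fd93": "mraml.sys (AVKiller driver)",
    "c793304fabb09bb631610f17097b2420ee0209bab87bb2e6811d24b252a1b05d": "vp4n.exe (HeartCrypt dropper)",
    "e1ed281c521ad72484c7e5e74e50572b48ea945543c6bcbd480f698c2812cdfe": "FoPefI.exe (RansomHub)",
    "43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98": "6Vwq.exe (HeartCrypt-packed AVKiller)",
    "3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da": "MilanoSoftware.exe (Medusa)",
    "ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151": "CSd2.exe (packed AVKiller, INC)",
    "6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be": "noedt.sys (AVKiller driver)",
}
# Signing identities the article names as abused (certificates revoked/expired years ago).
ABUSED_SIGNERS = {"Changsha Hengxiang Information Technology Co., Ltd.", "Fuzhou Dingxin Trade Co., Ltd."}
# Where installed drivers normally live; a load from elsewhere is a lead, not a verdict.
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")


class Finding(NamedTuple):
    kind: str     # ioc_hash | untrusted_driver_load | orphan_driver_service
    subject: str  # image path or service name the finding concerns
    detail: str


def parse_hashes(hashes_field: str) -> Dict[str, str]:
    """Split Sysmon's 'SHA1=...,SHA256=...' Hashes field into {ALGO: lowercase digest}."""
    out: Dict[str, str] = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def basename(path: str) -> str:
    """Last path component; handles '\\', '/' and NT-style '\\??\\C:\\...' prefixes."""
    return re.split(r"[\\/]", path)[-1]


def hunt(events: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    # Drivers that actually loaded (Event ID 6); used to spot services whose driver never did.
    loaded = {basename(e["ImageLoaded"]).lower() for e in events if e.get("EventID") == 6}
    for e in events:
        # 1. Exact IOC match on any record that carries a Sysmon Hashes field.
        for algo, digest in parse_hashes(e.get("Hashes", "")).items():
            if digest in KNOWN_HASHES:
                subject = e.get("Image") or e.get("ImageLoaded", "?")
                findings.append(Finding("ioc_hash", subject, f"{algo} matches {KNOWN_HASHES[digest]}"))
        # 2. Driver load with a non-valid signature, an abused signer, or an unusual location.
        if e.get("EventID") == 6:
            reasons = []
            if e.get("SignatureStatus", "").lower() != "valid":
                reasons.append(f"signature status is {e.get('SignatureStatus', 'unknown')}")
            if e.get("Signature") in ABUSED_SIGNERS:
                reasons.append(f"signer '{e['Signature']}' is a known abused identity")
            if not e["ImageLoaded"].lower().startswith(EXPECTED_DRIVER_DIRS):
                reasons.append("driver loaded from outside the usual driver directories")
            if reasons:
                findings.append(Finding("untrusted_driver_load", e["ImageLoaded"], "; ".join(reasons)))
        # 3. Kernel-driver service (ServiceType 0x1) whose binary never produced a DriverLoad
        #    event: the artifact AVKiller leaves behind when it fails with "Failed to get device".
        if e.get("EventID") == 4697 and e.get("ServiceType") == "0x1":
            drv = basename(e["ServiceFileName"]).lower()
            if drv not in loaded:
                findings.append(Finding("orphan_driver_service", e["ServiceName"],
                                        f"kernel-driver service points at {drv} but no DriverLoad event was seen"))
    return findings


# Constructed sample telemetry (invented paths/hosts); digests are taken from the IOC table above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\jdoe\Downloads\CSd2.exe",
     "Hashes": "SHA256=ce1ba2a584c7940e499194972e1bd6f829ffbae2ecf2148cdb03ceeca906d151"},
    {"EventID": 4697, "ServiceName": "noedt", "ServiceFileName": r"\??\C:\ProgramData\noedt.sys", "ServiceType": "0x1"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\noedt.sys",
     "Hashes": "SHA256=6fc26e8ac9c44a8e461a18b20929f345f8cfc86e9a454eae3509084cf6ece3be",
     "Signature": "Fuzhou Dingxin Trade Co., Ltd.", "SignatureStatus": "Expired"},
    # Service registered, driver file never loaded: the "Failed to get device" path.
    {"EventID": 4697, "ServiceName": "mraml", "ServiceFileName": r"\??\C:\Users\Public\mraml.sys", "ServiceType": "0x1"},
    # Benign, validly signed driver from the normal location (placeholder digest); must not be flagged.
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

On the constructed sample this yields two hash hits (CSd2.exe and noedt.sys), one untrusted driver load for noedt.sys with all three reasons, and one orphaned service for mraml; the legitimately signed tcpip.sys produces nothing. To run it on real data, feed it the parsed event records from your SIEM export and extend KNOWN_HASHES with the driver hashes from the Microsoft vulnerable-driver blocklist.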