AvNeutralizer
AvNeutralizer, also known as AuKill, is a specialized anti-EDR/AV tool linked with high confidence to the FIN7 cluster and marketed on underground forums since 2022. It is designed to disable, tamper with, or bypass endpoint security products on Windows systems, including by abusing vulnerable drivers to terminate protected EDR-related processes from the kernel. Reporting states FIN7 began developing it in April 2022, advertised it via personas including goodsoft, lefroggy, killerAV, and Stupor, and sold customized builds for buyers’ targeted security products for roughly $4,000 to $15,000.
Observed AvNeutralizer behavior includes use of weaker Process Explorer drivers below version 17.0 in earlier variants, and later use of the built-in Windows ProcLaunchMon.sys driver together with Process Explorer driver version 17.02 to interfere with protected security processes and in some cases induce crashes. SentinelOne reported the unpacked payload used more than 10 user-mode and kernel-mode techniques to tamper with security solutions. Userland components were delivered under filenames mimicking security products, including AVDieSe.exe, AVDieSophos.exe, AVDieMS.exe, AVDiePanda.exe, and later au-prefixed names such as auSentinel.exe, auSophos.exe, auElastic.exe, and auSyma.exe.
The tool was initially observed in early June 2022 and was previously associated for a period with Black Basta, but by early 2023 it was no longer exclusive and was seen in intrusions involving multiple ransomware operators. Reported associated ransomware deployments include Black Basta, AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit. Additional reporting states it has been used by well-known ransomware groups to impair EDR systems prior to follow-on activity such as ransomware deployment.
AvNeutralizer has also been delivered in packed form using a private packer referred to as PackXOR. PackXOR-protected AvNeutralizer samples were reported in ransomware operations from April 2023 onward. High-confidence sample identifiers directly mentioned in the content include earliest reported sample SHA1 2fc8b38d3f40d8151ec717c8a8813cf06df90c10, updated packed sample SHA1 15186e9d03600c667bbe4b34c5e1348bfc0a8168, and unpacked payload SHA1 8a03580d29fe1dcc3de9fffaf8960bc339ecd994.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The tool, known as AvNeutralizer, is used by criminal hackers to bypass threat detection systems on victims' devices.
The tool, known as AvNeutralizer, is used by criminal hackers to bypass threat detection systems on victims' devices.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation
2 techniques
Privilege Escalation
Stealth
5 techniques
Stealth
The packer employs anti-analysis techniques... The final PE payload is unpacked with two iterations of XOR decryption, separated by a step of LZNT1 decompression.
Researchers have previously discovered that the tool was used exclusively for six months by another hacker group, Black Basta.
Most of these techniques are already documented, such as removing the PPL protection through the vulnerable RTCore64.sys driver...
Discovery
1 technique
Discovery
Impact
2 techniques
Impact
IOCs tracked for this family
16 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A custom tool designed to disable or evade endpoint security products, sold/shared to support ransomware operations.
A specialized tool developed by FIN7 to disable or tamper with endpoint security products. It uses multiple user-mode and kernel-mode techniques, including abuse of vulnerable or permissive drivers and a newer technique leveraging ProcLaunchMon.sys to induce denial-of-service conditions in protected security processes.
Anti-EDR utility that abuses vulnerable kernel drivers to terminate EDR-related processes from kernel mode; observed delivered as packed or unpacked payloads and used in ransomware operations.
Tool designed to disable or impair endpoint detection and response (EDR) systems, facilitating malware and ransomware deployment.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.