ABYSSWORKER
ABYSSWORKER is a malicious Windows kernel-mode driver/rootkit used primarily as an EDR killer and defense-evasion component in ransomware intrusions. Reporting describes it as a custom malicious driver masquerading as a legitimate Palo Alto driver, while Elastic Security Labs analyzed a 64-bit Windows PE driver named smuol.sys that imitates a legitimate CrowdStrike Falcon driver. It has also been referred to as Poortry, and Elastic assessed Google Cloud Mandiant’s 2022 POORTRY disclosure as likely the earliest public mention of the same driver family.
ABYSSWORKER has been observed in financially motivated campaigns, especially alongside MEDUSA ransomware, where a HEARTCRYPT-packed loader installs the driver and uses it to target and silence different EDR vendors. ESET also reported AbyssKiller, a commercially sold tool pairing the ABYSSWORKER rootkit with a HeartCrypt-packed loader, as one of the most frequently seen commercial EDR killers in the wild. Telemetry linked AbyssKiller/ABYSSWORKER usage to affiliates associated with Medusa, DragonForce, and the now-disrupted BlackSuit gang. Symantec also reported DragonForce actors using ABYSSWORKER in a December 2025 intrusion against a major U.S. services company. Additional reporting cited its use in BYOVD-style attacks to terminate antivirus processes and disable endpoint security products, including in an Osiris ransomware intrusion.
Technically, ABYSSWORKER is signed with likely stolen and revoked certificates from Chinese companies. Elastic observed samples on VirusTotal dated from 2024-08-08 to 2025-02-24, with most packed using VMProtect. The driver uses obfuscation including constant-returning functions, opaque predicates, and derivation functions. During initialization it resolves kernel module pointers, creates a device at \device\czx9umpTReqbOOKF and a symbolic link at \??\fqg0Et4KlNt4s1JT, and initializes a client-protection mechanism.
Its capabilities include protecting the malware client process by stripping existing handles from other processes and registering ObRegisterCallbacks pre-operation callbacks to deny new handles to protected processes and threads. Through multiple IOCTL handlers, it supports file manipulation, process and thread termination, callback removal, driver tampering, mini-filter detachment, hook restoration, and system rebooting. Elastic reported a hardcoded enablement password delivered via IOCTL 0x222080: 7N6bCAoECbItsUR5-h4Rp2nkQxybfKb0F-wgbJGHGh20pWUuN1-ZxfXdiOYps6HTp0X. IOCTL 0x2220c0 loads kernel API pointers and related structures, including callback lists and 25 function mappings supplied by the client.
Documented kernel-level actions include removing registered notification callbacks associated with PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine, PsSetCreateThreadNotifyRoutine, ObRegisterCallbacks, and CmRegisterCallback; removing MiniFilter callbacks and devices by module name; replacing all major functions of a targeted driver module with IopInvalidDeviceRequest; detaching devices associated with FltMgr.sys; brute-forcing thread IDs to locate system threads belonging to a targeted module and terminating them via APCs that call PsTerminateSystemThread; restoring original major functions for NTFS and PNP drivers when hooks are detected outside legitimate modules; and rebooting the machine via HalReturnToFirmware. It also performs file copy and deletion by manually constructing IRPs and invoking device major functions directly.
Overall, ABYSSWORKER is best characterized as a commercially used kernel-mode EDR-killer/rootkit employed in ransomware operations to gain kernel privileges, disable security tooling, and facilitate later-stage encryption and data theft activity.
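As an added defender-side example (not code from Elastic, ESET, or any other source cited above), the following Python routine scores driver-load telemetry against the artifacts listed in this summary: the smuol.sys file name, the device and symbolic-link names, a revoked signing certificate, and the CrowdStrike/Palo Alto vendor masquerade. The pipe-separated key=value event format, the field names, and the sample lines are constructed for the example rather than taken from any real EDR or Sysmon schema.

```python
"""Added defender example: triage driver-load telemetry for ABYSSWORKER artifacts.
Indicator values are those cited in the summary above; the 'key=value|key=value'
event format is a constructed stand-in for an EDR/Sysmon feed, not a real schema."""

# Artifacts from the Elastic analysis quoted on this page.
KNOWN_DEVICE = r"\device\czx9umpTReqbOOKF"
KNOWN_SYMLINK = r"\??\fqg0Et4KlNt4s1JT"
KNOWN_FILENAMES = {"smuol.sys"}
SPOOFED_VENDORS = ("crowdstrike", "palo alto")  # vendors the driver masquerades as


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' telemetry line into a dict."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)


def assess_driver_event(ev: dict) -> tuple[int, list[str]]:
    """Score a kernel-driver load/device-creation event; higher means more suspicious."""
    def get(k): return ev.get(k, "").lower()
    company, signer = get("company"), get("signer")
    checks = [
        (get("image").rsplit("\\", 1)[-1] in KNOWN_FILENAMES, 40, "known ABYSSWORKER file name"),
        (get("device") == KNOWN_DEVICE.lower(), 80, "known ABYSSWORKER device object"),
        (get("symlink") == KNOWN_SYMLINK.lower(), 80, "known ABYSSWORKER symbolic link"),
        (get("sig_status") == "revoked", 50, "signed with a revoked certificate"),
        # Masquerade: file metadata names an EDR vendor that the signing subject does not.
        (any(v in company for v in SPOOFED_VENDORS)
         and not any(v in signer for v in SPOOFED_VENDORS), 40,
         "vendor in file metadata does not match code-signing subject"),
    ]
    hits = [(w, why) for ok, w, why in checks if ok]
    return sum(w for w, _ in hits), [why for _, why in hits]


def verdict(score: int) -> str:
    """Map a score to a triage level: any single page-specific artifact alone is 'high'."""
    return "high" if score >= 80 else "medium" if score >= 40 else "low"


# Constructed sample telemetry: one ABYSSWORKER-like load, one benign Microsoft driver.
SAMPLE_LOG = [
    "image=C:\\Windows\\System32\\drivers\\smuol.sys|company=CrowdStrike, Inc."
    "|signer=EXAMPLE-SIGNER-CN|sig_status=Revoked"
    "|device=\\device\\czx9umpTReqbOOKF|symlink=\\??\\fqg0Et4KlNt4s1JT",
    "image=C:\\Windows\\System32\\drivers\\ntfs.sys|company=Microsoft Corporation"
    "|signer=Microsoft Windows|sig_status=Valid",
]
```

Run `assess_driver_event(parse_event(line))` over each line of your own feed after mapping its field names onto the constructed keys; the device and symbolic-link checks only fire if your telemetry records object-manager names, so treat the signature and masquerade checks as the portable part.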
Vulnerabilities exploited
3 CVEs have been correlated with this family across public research and vendor advisories:
Next, they used BYOVD techniques with multiple drivers such as Huawei’s HWAuidoOs2Ec.sys, Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), and K7 Security K7RKScan.sys (CVE-2025-1055), to obtain kernel-level privileges and terminate security tools on the host.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation: 1 technique
Stealth: 3 techniques
Defense Impairment: 2 techniques
Impact: 1 technique
Other: 2 techniques
Recent activity
9 sources are tracked across advisories, community write-ups, and news. How they describe the family:
A custom malicious driver used in the intrusion to aid defense evasion, masquerading as a legitimate Palo Alto driver.
Rootkit component paired with AbyssKiller to help disable or evade endpoint security protections during ransomware attacks.
A commercial EDR killer offered as a service on underground marketplaces to neutralize endpoint protections.
Kernel-mode rootkit used to cripple security solutions; it also forms the basis of a commercial EDR-killer offering when paired with a packed loader.