Mallory
Tags: Malware, Ransomware, Exploits (1 CVE)

GhostDriver

GhostDriver is a publicly available BYOVD (Bring Your Own Vulnerable Driver) process-killing tool used to terminate antivirus and EDR processes by loading a signed but vulnerable kernel driver and abusing it from user mode. The sources describe it as an open-source/publicly available utility, including a Rust-based AV-killer variant, that accepts one or more target process names and kills them in kernel mode, including processes the OS marks as protected. Multiple sources state that GhostDriver leverages vulnerable drivers to kill processes: one observed implementation bundled the vulnerable RentDrv2 driver and exploited CVE-2023-44976 for kernel-mode process termination, while another report associates GhostDriver with truesight.sys. It is discussed alongside other EDR-killer tools such as TrueSightKiller, AuKill, Poortry/BurntCigar, Gmer, and Warp AVKiller.

The sources tie GhostDriver to real-world post-exploitation and ransomware-adjacent activity. Researchers observed GhostDriver.exe, fetched from GitHub, in campaigns attributed with medium confidence to interconnected pro-Ukrainian hacktivist groups including 4BID, where it was used for BYOVD-based EDR killing after the initial compromise of victim environments. Victims in those campaigns included organizations in Russia, Belarus, Kazakhstan, the UAE, Syria, and Egypt, across the government, healthcare, and aviation sectors. Initial access in many cases came through Microsoft Exchange ProxyShell exploitation, followed by deployment of the fd.aspx ASP.NET web shell and additional tooling. Separately, Symantec/Broadcom reporting lists GhostDriver as a commonly used BYOVD tool in the broader ecosystem of ransomware and defense-impairment operations, including reporting around Black Basta and Reynolds, though the sources do not attribute GhostDriver's development to those actors.

High-confidence behavioral characteristics from the sources: use of vulnerable signed drivers for BYOVD-style defense evasion; termination of AV/EDR processes, including protected processes; process killing performed in kernel mode rather than through user-mode APIs; and distribution as a publicly available tool obtainable from GitHub/open-source sources. Beyond a single tracked MD5 whose value is withheld on the public page, the sources give no unique file hashes or standalone network indicators specific to GhostDriver itself; because the tool is open source and trivially rebuilt, hunting should key on the vulnerable driver being loaded and on the kill behavior rather than on the executable.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE correlated with this family across public research and vendor advisories:

CVE-2023-44976: Local EDR Process Termination via Hangzhou Shunwang Rentdrv2 IOCTL (exploited in the wild)

GhostDriver.sys is embedded inside GhostDriver and is a binary driver known as RentDrv2 (BadRentdrv2). It contains the vulnerability CVE-2023-44976, which allows: accepting commands from user mode via DeviceIoControl; performing operations on processes in kernel mode; bypassing protection mechanisms, including Protected Process. | Another utility for terminating the processes of security solutions is called GhostDriver.exe and is the open-source project of the same name, GhostDriver.

via securelist.ru
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique
T1068 Exploitation for Privilege Escalation (evidence: 2)

BYOVD: the class of technique that brings in a vulnerable kernel driver and uses it to rewrite or disable the EDR's detection mechanisms. Basically, a kernel driver with a vulnerability that allows rewriting kernel-space memory is used.

Defense Evasion

1 technique
T1553 Subvert Trust Controls (evidence: 1)

Weaponizing a vulnerable signed driver ... abusing the Process Explorer (ProcExp) driver (Microsoft-signed)

Other

2 techniques
T1562 Impair Defenses (evidence: 2)

Killing AV-type processes that get in the way in order to run ransomware is common. ... The idea is to perform process kills and impair detection functions from the kernel level.

T1562.001 Disable or Modify Tools (evidence: 1)

Abuses built-in administrative tools and commands such as taskkill, net stop, and sc delete to tamper with the processes and services of security products.
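The behaviors documented on this page (a validly signed but vulnerable driver such as RentDrv2 or truesight.sys loaded from a user-writable path, followed by kernel-mode termination of AV/EDR processes; and, under T1562.001, built-in commands such as taskkill, sc stop and net stop aimed at security services) can be hunted for in endpoint telemetry without any GhostDriver-specific hash. The Python below is an added example written for this page, not GhostDriver's code and not any vendor's detection. It correlates Sysmon-style events (ID 6 driver loaded, ID 5 process terminated, ID 1 process created) over a constructed JSON-lines sample. The driver file names are the ones named on this page; the protected process/service names, the 120-second window, the field names and every sample event are assumptions.

```python
"""Hunt for GhostDriver-style BYOVD EDR-killer activity in Sysmon-like telemetry.

Added example for this page, not GhostDriver's own code. Driver names are the
ones named on the page; protected process/service names, the correlation
window, the event field names and the sample events are assumptions.
"""
import json
import re
from datetime import datetime, timedelta

# Driver file names named on this page (RentDrv2/BadRentdrv2, truesight.sys and
# the embedded GhostDriver.sys). In production also key on SHA-256 from a
# vulnerable-driver blocklist, because the attacker chooses the file name.
VULNERABLE_DRIVERS = {"rentdrv2.sys", "truesight.sys", "ghostdriver.sys"}

# Illustrative AV/EDR process and service names to protect (assumption).
PROTECTED_NAMES = {"msmpeng.exe", "windefend", "sentinelagent.exe",
                   "csfalconservice.exe"}

WINDOW = timedelta(seconds=120)  # driver load -> process kill correlation window

# Built-in tools abused under T1562.001 (taskkill, sc stop/delete, net stop).
BUILTIN_KILL = re.compile(
    r"\b(?:taskkill|sc(?:\.exe)?\s+(?:stop|delete)|net(?:\.exe)?\s+stop)\b", re.I)

# Constructed sample telemetry (JSON lines, Sysmon-style event IDs). Not real data.
SAMPLE_EVENTS = r"""
{"ts":"2024-05-01T10:00:00","eid":1,"host":"ws01","image":"C:\\Windows\\Temp\\GhostDriver.exe","cmdline":"GhostDriver.exe MsMpEng.exe SentinelAgent.exe"}
{"ts":"2024-05-01T10:00:02","eid":6,"host":"ws01","image":"C:\\Windows\\Temp\\rentdrv2.sys","signed":true}
{"ts":"2024-05-01T10:00:03","eid":5,"host":"ws01","image":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"}
{"ts":"2024-05-01T10:00:04","eid":5,"host":"ws01","image":"C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe"}
{"ts":"2024-05-01T11:30:00","eid":6,"host":"ws02","image":"C:\\Windows\\System32\\drivers\\mssmbios.sys","signed":true}
{"ts":"2024-05-01T11:30:05","eid":5,"host":"ws02","image":"C:\\Windows\\System32\\notepad.exe"}
{"ts":"2024-05-01T12:00:00","eid":1,"host":"ws03","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd /c sc stop WinDefend && taskkill /F /IM MsMpEng.exe"}
"""


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON lines into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def hunt(events):
    """Return alert dicts for BYOVD driver loads and EDR-kill command lines."""
    alerts = []
    for ev in events:
        if ev["eid"] == 6 and basename(ev["image"]) in VULNERABLE_DRIVERS:
            # The driver carries a valid Authenticode signature, so "signed": true
            # must never suppress this alert. Look for protected processes dying
            # on the same host right after the load.
            killed = [basename(e["image"]) for e in events
                      if e["host"] == ev["host"] and e["eid"] == 5
                      and ev["ts"] <= e["ts"] <= ev["ts"] + WINDOW
                      and basename(e["image"]) in PROTECTED_NAMES]
            alerts.append({"host": ev["host"], "technique": "T1068/T1562 BYOVD",
                           "driver": basename(ev["image"]), "killed": killed,
                           "severity": "high" if killed else "medium"})
        elif ev["eid"] == 1:
            # A non-security process naming a protected process or service on its
            # command line: GhostDriver takes its targets as arguments, and the
            # T1562.001 variants hand them to taskkill / sc / net.
            tokens = set(re.split(r'[\s"]+', ev.get("cmdline", "").lower()))
            targets = sorted(tokens & PROTECTED_NAMES)
            if targets and basename(ev["image"]) not in PROTECTED_NAMES:
                alerts.append({"host": ev["host"], "technique": "T1562.001",
                               "image": basename(ev["image"]), "targets": targets,
                               "builtin_tool": bool(BUILTIN_KILL.search(ev["cmdline"]))})
    return alerts


if __name__ == "__main__":
    for alert in hunt(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample, ws01 raises two alerts (the GhostDriver.exe invocation naming two protected processes, then the rentdrv2.sys load followed within the window by both of them terminating), ws02's legitimately loaded driver and ordinary process exit produce nothing, and ws03 is flagged for sc stop / taskkill against Defender. The name-based driver match is the weak link: rename the file and only a hash or signer-based blocklist, or the kill correlation on its own, still fires, which is why the second rule does not depend on the first.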

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups; its value is withheld on the public page.

Hashes (1 tracked): file hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type      Value                       Latest sighting
hash.md5  (withheld on public page)   3 days ago