Mallory
Malware | Ransomware | Used by 1 actor

PowerTool

PowerTool is a post-compromise utility observed in ransomware intrusions, used primarily to disable security software and evade detection. Public reporting on Akira states that its operators used PowerTool to abuse the Zemana AntiMalware driver in order to terminate antivirus-related processes. This is the bring-your-own-vulnerable-driver pattern: a legitimately signed kernel driver that exposes a process-kill capability is loaded so that user-mode AV/EDR processes can be killed from the kernel, where the products' own self-protection does not reach. PowerTool was also observed alongside PCHunter, Universal Virus Sniffer, and Process Hacker in activity intended to evade detection or disable antivirus protections.

In Akira-related incidents, PowerTool appeared after initial access obtained through VPN access without MFA, exploitation of the Cisco vulnerabilities CVE-2020-3259 and CVE-2023-20269, exposed RDP, spear phishing, and valid-account abuse. In separate reporting on Qilin (GOLD FEATHER) intrusions, CTU researchers observed PowerTool deployed post-compromise, possibly to disable antivirus software, after RDP had been abused for initial access and lateral movement.

High-confidence associations in the source material link PowerTool to Akira ransomware operators and to Qilin-related activity. The source material does not provide standalone malware-family details, persistence mechanisms, or specific IOCs for PowerTool beyond its use of the Zemana AntiMalware driver to terminate antivirus processes.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Qilin

CTU researchers have observed remote desktop protocol (RDP) abused for initial access and lateral movement before the post-compromise PCHunter and PowerTool tools were deployed, possibly with the intention of disabling antivirus software.

Source: Secureworks threat profiles (secureworks.com)
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

2 techniques
T1070.001 Clear Windows Event Logs (evidence: 1)
Tactic: Stealth (ATT&CK Defense Evasion)

For defense evasion, tools such as GMER, IOBit, and PowerTool are deployed to disable endpoint protection and clear event logs.

T1070.004 File Deletion (evidence: 1)
Tactic: Stealth (ATT&CK Defense Evasion)

The threat actor was observed deleting files that had been dropped to disk.

Other

2 techniques
T1562.001 Disable or Modify Tools (evidence: 3)

Step 5 - Defense Evasion T1562.001... | Both PowerTool and the KillAV tool abuse the Zemana AntiMalware driver to terminate AV/EDR processes at kernel level... Disables Windows Defender via PowerShell

T1562 Impair Defenses (evidence: 2)

The operators frequently disable security software to evade detection and for lateral movement. The government experts observed the use of PowerTool by Akira threat actors to exploit the Zemana AntiMalware driver and terminate antivirus-related processes.
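The overview and the T1562.001 evidence above describe the same sequence: a signed Zemana AntiMalware driver is loaded by PowerTool, and AV/EDR processes are then killed from the kernel. The following is an added example of detection logic for that sequence, not code from this page, from Mallory, or from any vendor report. It correlates Sysmon Event ID 6 (driver loaded) with Event ID 5 (process terminated) on the same host inside a short window, because the driver load alone is not an alert: a genuine Zemana install produces the same event. The driver file names (zam64.sys, zam32.sys, zamguard64.sys), the signer string, the security-process names, and the sample events are all assumptions or constructed data, not identifiers taken from the page.

```python
"""Correlate a Zemana-driver load with subsequent AV/EDR process kills.

Added example, not code from the Mallory page or from any vendor reporting.
Event shapes follow Sysmon Event ID 6 (DriverLoad) and Event ID 5
(ProcessTerminate); field names are Sysmon's.  Driver file names and the
security-process names are assumptions drawn from public BYOVD catalogues,
not from the page, and the sample events below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed file names under which the Zemana AntiMalware driver ships.  PowerTool
# and similar killers drop their own copy, so the path is attacker-controlled and
# is deliberately NOT part of the match.
ZEMANA_DRIVER_NAMES = {"zam64.sys", "zam32.sys", "zamguard64.sys"}
ZEMANA_SIGNER_SUBSTR = "zemana"       # matched against Sysmon's Signature field
# Assumed image names of AV/EDR user-mode processes worth protecting.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "sentinelagent.exe",
                      "csfalconservice.exe"}
WINDOW = timedelta(minutes=10)        # driver load -> process kill window


@dataclass
class Alert:
    host: str
    driver_image: str
    loaded_at: datetime
    killed: list[str]


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _when(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["UtcTime"])


def is_zemana_driver_load(ev: dict) -> bool:
    """Sysmon EID 6 whose image name OR signer identifies the Zemana driver.
    Either clue alone suffices: a renamed driver keeps its signer, and a
    re-signed copy keeps its name."""
    if ev["EventID"] != 6:
        return False
    return (_basename(ev["ImageLoaded"]) in ZEMANA_DRIVER_NAMES
            or ZEMANA_SIGNER_SUBSTR in ev.get("Signature", "").lower())


def detect_byovd_av_kill(events: list[dict]) -> list[Alert]:
    """One Alert per Zemana driver load that is followed, on the same host and
    within WINDOW, by termination of at least one security process."""
    ordered = sorted(events, key=_when)
    alerts: list[Alert] = []
    for i, load in enumerate(ordered):
        if not is_zemana_driver_load(load):
            continue
        t0 = _when(load)
        killed = [_basename(e["Image"]) for e in ordered[i + 1:]
                  if e["EventID"] == 5
                  and e["Computer"] == load["Computer"]
                  and _when(e) - t0 <= WINDOW
                  and _basename(e["Image"]) in SECURITY_PROCESSES]
        if killed:
            alerts.append(Alert(load["Computer"], load["ImageLoaded"], t0, killed))
    return alerts


# Constructed sample telemetry (not real IOCs).  WS-HR-02 has a legitimate Zemana
# install and must not alert; WS-FIN-07 shows the PowerTool-style kill sequence.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-03-05 09:00:00", "Computer": "WS-HR-02",
     "ImageLoaded": r"C:\Program Files\Zemana AntiMalware\zam64.sys",
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2024-03-05 10:00:00", "Computer": "WS-FIN-07",
     "ImageLoaded": r"C:\Users\svc_backup\AppData\Local\Temp\PowerTool\zam64.sys",
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2024-03-05 10:00:01", "Computer": "WS-FIN-07",
     "ImageLoaded": r"C:\Windows\System32\drivers\WdFilter.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2024-03-05 10:00:04", "Computer": "WS-FIN-07",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24010.12-0\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2024-03-05 10:00:05", "Computer": "WS-FIN-07",
     "Image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"EventID": 5, "UtcTime": "2024-03-05 10:00:30", "Computer": "WS-FIN-07",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 5, "UtcTime": "2024-03-05 11:30:00", "Computer": "WS-HR-02",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24010.12-0\MsMpEng.exe"},
]

if __name__ == "__main__":
    for a in detect_byovd_av_kill(SAMPLE_EVENTS):
        print(f"{a.host}: {a.driver_image} loaded {a.loaded_at:%H:%M:%S}, "
              f"then killed {', '.join(a.killed)}")
```

Matching on file name or signer rather than on path is deliberate: the tool chooses where to drop the driver, and a copy staged under a user's Temp directory (as in the WS-FIN-07 sample) is the common case, but a renamed copy is just as easy. The correlation window keeps a legitimate Zemana install from alerting on its own, at the cost of missing a kill that happens hours after the load; tune WINDOW to the dwell times seen in your own telemetry. Detection of this kind is a fallback: the preventive control for the BYOVD class is refusing to load known-abusable signed drivers at all, through a driver blocklist or code-integrity policy, so that the kill step never executes.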
