HRSword
HRSword is a legitimate commercial security tool associated with the Huorong Network Security Suite that ransomware operators have repeatedly repurposed to disable endpoint protection and EDR products on compromised Windows systems. The reporting cited here describes it as a kernel-driver-based component or tool from Huorong Network Technology (Beijing Huorong Network Technology Co., Ltd.), and in one case notes that it is designed to monitor various system components and provide broad system visibility. Across multiple incident-response and threat-intelligence reports, attackers installed or executed HRSword as part of defense-evasion activity, often alongside other security-disabling utilities such as kill.exe, PCHunter, GMER, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd, and frequently in conjunction with vulnerable or signed kernel drivers.
Observed malicious use centers on ransomware intrusions. Cisco Talos reported Crytox affiliates using HRSword to disable a target’s EDR after exploiting a public-facing application that lacked MFA. Huntress observed HRSword in an August 2025 KawaLocker/KAWA4096 intrusion that began with access through a compromised RDP account: the actor used tasklist/find to identify security tooling, installed and later removed Huorong-signed drivers via sc.exe, and the security-related services were then observed crashing. Symantec reported Trigona affiliates installing HRSword as a kernel driver service and repurposing it to disable security software before credential theft, remote access, and custom data exfiltration. Talos also noted HRSword in broader ransomware engagements in 2025, and Qilin intrusions were reported using tools such as dark-kill and HRSword to terminate security software.
HRSword has therefore been associated in the cited reporting with Crytox, KawaLocker (KAWA4096), Trigona, and Qilin ransomware activity. Sectors explicitly mentioned in related reporting include manufacturing and construction in some ransomware campaigns, and Trigona activity targeted high-value documents such as invoices and PDFs on network drives. High-confidence indicators from the Huntress case are the HRSword executable s.exe (SHA256 ecca86e9b79d5a391a433d8d782bf54ada5a9ee04038dbaf211e0f087b5dad52), hrwfpdrv.sys (SHA256 01a3dabb4684908082cb2ac710d5d42afae2d30f282f023d54d7e945ad3272f5), and sysdiag.sys (SHA256 11b262c936ffa8eb83457efd3261578376d49d6e789c7c026f1fa0b91929e135). In that same incident, the drivers hrwfpdr/sysdiag were reported as signed with certificates issued by Beijing Huorong Network Technology Co., Ltd. Overall, HRSword is best characterized as a legitimate Huorong security utility that has been co-opted as an EDR killer and defense-evasion tool in ransomware attack chains.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence (1 technique)
The kernel drivers installed as part of the threat actor’s tooling, sysdiag.sys and hrwfpdr.sys, were installed and later removed using a batch file that employed the Service Control Manager, sc.exe. Service Control Manager commands such as sc start <driver>, sc stop <driver>, and sc delete <driver> were observed in EDR telemetry.
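As an added detection example (not from the page or any vendor report), the following Python scans constructed process-creation telemetry for the chain described above and in the Huntress summary: tasklist/find discovery of security tooling, sc.exe create/start/stop/delete of the Huorong driver services, and the three SHA256 values quoted on this page. The log format, host names and paths are assumptions.

```python
import re
from collections import defaultdict

# SHA-256 values quoted on this page for the HRSword components (Huntress case).
KNOWN_HASHES = {
    "ecca86e9b79d5a391a433d8d782bf54ada5a9ee04038dbaf211e0f087b5dad52": "HRSword s.exe",
    "01a3dabb4684908082cb2ac710d5d42afae2d30f282f023d54d7e945ad3272f5": "hrwfpdrv.sys",
    "11b262c936ffa8eb83457efd3261578376d49d6e789c7c026f1fa0b91929e135": "sysdiag.sys",
}
# Driver service names from the page (both spellings of the WFP driver appear in reporting).
HUORONG_DRIVERS = {"hrwfpdr", "hrwfpdrv", "sysdiag"}
SC_RE = re.compile(r"\bsc(?:\.exe)?\s+(create|start|stop|delete)\s+(\S+)", re.I)
DISCOVERY_RE = re.compile(r"tasklist.*\|\s*find", re.I)

# Constructed sample telemetry: host<TAB>image<TAB>sha256<TAB>command line. Not real data.
SAMPLE_EVENTS = """\
WS01\tC:\\Windows\\System32\\tasklist.exe\t-\ttasklist /svc | find /i "sense"
WS01\tC:\\Windows\\System32\\sc.exe\t-\tsc create sysdiag type= kernel binPath= C:\\temp\\sysdiag.sys
WS01\tC:\\Windows\\System32\\sc.exe\t-\tsc start sysdiag
WS01\tC:\\temp\\s.exe\tecca86e9b79d5a391a433d8d782bf54ada5a9ee04038dbaf211e0f087b5dad52\ts.exe
WS01\tC:\\Windows\\System32\\sc.exe\t-\tsc delete sysdiag
WS02\tC:\\Windows\\System32\\sc.exe\t-\tsc start spooler
"""

def parse_events(text):
    """Split tab-separated telemetry lines into dicts; hashes are normalised to lowercase."""
    rows = []
    for line in text.splitlines():
        host, image, sha256, cmd = line.split("\t", 3)
        rows.append({"host": host, "image": image, "sha256": sha256.lower(), "cmd": cmd})
    return rows

def evaluate_host_events(events):
    """Per-host findings: known-hash hits, sc.exe actions on Huorong drivers, tasklist|find discovery."""
    findings = defaultdict(list)
    for ev in events:
        if ev["sha256"] in KNOWN_HASHES:
            findings[ev["host"]].append(f"known hash: {KNOWN_HASHES[ev['sha256']]}")
        m = SC_RE.search(ev["cmd"])
        if m and m.group(2).lower() in HUORONG_DRIVERS:
            findings[ev["host"]].append(f"sc {m.group(1).lower()} {m.group(2).lower()}")
        if DISCOVERY_RE.search(ev["cmd"]):
            findings[ev["host"]].append("security-tool discovery via tasklist|find")
    return dict(findings)

def hosts_with_hrsword_chain(findings):
    """Flag hosts showing driver-service manipulation plus a hash hit or discovery activity."""
    flagged = []
    for host, items in findings.items():
        sc_hits = [i for i in items if i.startswith("sc ")]
        if sc_hits and len(sc_hits) < len(items):
            flagged.append(host)
    return sorted(flagged)
```

A benign `sc start spooler` on WS02 produces no finding, so only the host with both driver-service commands and corroborating evidence is flagged.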
Privilege Escalation (2 techniques)
Many of these tools exploit vulnerable kernel drivers to terminate endpoint protection processes, bypassing standard user-mode defenses by operating at the deepest level of the operating system.
The kernel drivers installed as part of the threat actor’s tooling, sysdiag.sys and hrwfpdr.sys, were installed and later removed using a batch file that employed the Service Control Manager, sc.exe. Service Control Manager commands such as sc start <driver>, sc stop <driver>, and sc delete <driver> were observed in EDR telemetry.
Stealth (1 technique)
Discovery (2 techniques)
Impact (1 technique)
Other (2 techniques)
Several means were employed by the threat actor to identify and “remediate” security tooling on the endpoint... deploying tools to disable those security tools. Shortly after, the Windows services associated with those installed security tools were observed crashing.
Once a Quick Assist session is established, the adversary loads tooling to collect information about the target system and establish persistence... disable endpoint protections... Of note, we also observed the affiliates using HRSword to disable the target’s EDR solution.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
A utility used by the attackers to disable security tools, reportedly by abusing vulnerable kernel drivers to terminate protections during the Trigona intrusion chain.
A kernel driver component repurposed by attackers to disable security software on victim machines as part of defense evasion.
HRSword is a Huorong Network Security Suite tool installed as a kernel driver service during recent Trigona attacks, apparently to support follow-on actions against security products.
Tool used to disable/terminate security tooling to evade detection.