
CardSpaceKiller

CardSpaceKiller is a commercial EDR killer used to disable endpoint detection and response software before ransomware is deployed. ESET reporting places it within the growing underground market for EDR killers and describes such tools as a fundamental pre-encryption stage in modern ransomware intrusions, typically deployed after attackers have obtained high privileges and before the encryptor runs. CardSpaceKiller has been observed in intrusions involving Akira, Medusa, Qilin, Crytox, and MedusaLocker, and is specifically noted as appearing consistently across Akira, Medusa, and MedusaLocker attacks. The tool is marketed on underground marketplaces as a service.

CardSpaceKiller is consistently packed with the VX Crypt packer-as-a-service and uses anti-analysis and anti-detection techniques including call-by-hash API resolution (resolving Windows API functions at runtime from hashes rather than importing them by name) and string obfuscation. Broader reporting on commercial EDR killers associated with CardSpaceKiller also notes common use of driver decoupling, encrypted embedded drivers or external encrypted payloads, code obfuscation, anti-VM behavior, and continuous repacking to hinder detection.

No specific infection vector or standalone IOC values are provided in the source content.


MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique
T1068 Exploitation for Privilege Escalation (evidence: 2)

BYOVD-based EDR killers exploit vulnerable drivers to escalate kernel-level privileges.

Stealth

3 techniques
T1027 Obfuscated Files or Information (evidence: 2)

Commercial EDR killers especially use obfuscation and encryption (e.g., CardSpaceKiller).

T1027.002 Software Packing (evidence: 2)

Commercial EDR killers rely on packers like HeartCrypt or VX Crypt, and also advanced code protectors like Themida and VMProtect.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

Some EDR killers store encrypted drivers and shellcode in dedicated files on disk.

Other

2 techniques
T1562 Impair Defenses (evidence: 1)

Today, that picture has grown much more complex, with threat actors now deploying script-based tools, misusing legitimate anti-rootkit software, and using fully driverless methods to silence security products before encryption begins.

T1562.001 Disable or Modify Tools (evidence: 1)

EDR killers terminate or suspend EDR/AV processes and services to bypass detection.
