MalwareRansomware

SmilingKiller

SmilingKiller is an EDR killer used in ransomware intrusions to disable endpoint security before encryptor deployment. ESET observed it during LockBit and Dire Wolf intrusions. The malware is described as a modified or forked proof-of-concept-derived tool: ESET found it was inspired by kill-floor and switched the abused vulnerable driver to K7RKScan.sys. It is part of the broader BYOVD-style EDR killer ecosystem, where attackers use legitimate but vulnerable signed drivers to gain the privileges needed to terminate or interfere with security products. SmilingKiller also uses control-flow flattening to hinder code analysis and reverse engineering. High-confidence context directly links it to ransomware affiliate activity rather than a specific proprietary operator-developed platform. Known directly mentioned characteristics and indicators include its use in LockBit and Dire Wolf intrusions, inspiration from kill-floor, abuse of the K7RKScan.sys driver, and code obfuscation via control-flow flattening.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique

T1068Exploitation for Privilege EscalationEvidence2

BYOVD-based EDR killers exploit vulnerable drivers to escalate kernel-level privileges.

Stealth

2 techniques

T1027Obfuscated Files or InformationEvidence2

Commercial EDR killers especially use obfuscation and encryption (e.g., CardSpaceKiller).

T1027.005Indicator Removal from ToolsEvidence1

EDR killers like SmilingKiller use control-flow flattening and code obfuscation.

Other

2 techniques

T1562Impair DefensesEvidence1

Today, that picture has grown much more complex, with threat actors now deploying script-based tools, misusing legitimate anti-rootkit software, and using fully driverless methods to silence security products before encryption begins.

T1562.001Disable or Modify ToolsEvidence1

EDR killers terminate or suspend EDR/AV processes and services to bypass detection.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

cyber security newsNews

Mar 20, 2026

Ransomware Actors Expand EDR Killer Tactics Beyond Vulnerable Drivers

EDR killer used in ransomware intrusions to disable endpoint protections, with control-flow flattening used to hinder analysis.

the hacker newsNews

Mar 19, 2026

54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security

An EDR killer tool derived from or associated with forked proof-of-concept code, used to disable security products.

eset welivesecurity blogNews

Mar 19, 2026

EDR killers explained: Beyond the drivers

Modified EDR killer inspired by kill-floor; adds obfuscation and switches to a different vulnerable driver while retaining core logic.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.