MalwareRansomware

AbyssKiller

AbyssKiller is a commercially sold EDR killer used in ransomware intrusions to disable endpoint security before encryptor deployment. ESET described it as one of the most commonly observed commercial EDR killers in the wild. The tool pairs the ABYSSWORKER rootkit with a HeartCrypt-packed loader, and the use of HeartCrypt indicates anti-detection and anti-analysis measures consistent with commercial EDR-killer tooling. ESET telemetry and reporting linked AbyssKiller to affiliates of Medusa, DragonForce, and the now-disrupted BlackSuit ransomware gang. The available content identifies it specifically as part of the broader underground market for commercial defense-evasion tooling used by ransomware affiliates. No specific IOCs are provided in the supplied content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique

T1068Exploitation for Privilege EscalationEvidence2

BYOVD-based EDR killers exploit vulnerable drivers to escalate kernel-level privileges.

Stealth

3 techniques

T1027Obfuscated Files or InformationEvidence2

Commercial EDR killers especially use obfuscation and encryption (e.g., CardSpaceKiller).

T1027.002Software PackingEvidence2

Commercial EDR killers rely on packers like HeartCrypt or VX Crypt, and also advanced code protectors like Themida and VMProtect.

T1140Deobfuscate/Decode Files or InformationEvidence1

Some EDR killers store encrypted drivers and shellcode in dedicated files on disk.

Other

2 techniques

T1562Impair DefensesEvidence1

Today, that picture has grown much more complex, with threat actors now deploying script-based tools, misusing legitimate anti-rootkit software, and using fully driverless methods to silence security products before encryption begins.

T1562.001Disable or Modify ToolsEvidence1

EDR killers terminate or suspend EDR/AV processes and services to bypass detection.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

1 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app3 months ago

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

cyber security newsNews

Mar 20, 2026

Ransomware Actors Expand EDR Killer Tactics Beyond Vulnerable Drivers

Commercial EDR killer used to disable endpoint security tools in ransomware operations; it pairs the ABYSSWORKER rootkit with a HeartCrypt-packed loader.

eset welivesecurity blogNews

Mar 19, 2026

EDR killers explained: Beyond the drivers

Commercial EDR killer built around the ABYSSWORKER rootkit and a HeartCrypt-packed loader; widely used by ransomware affiliates.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.