MalwareRansomwareUsed by 1 actor

Susanoo

Susanoo is an EDR killer observed by ESET in ransomware intrusions, specifically in activity attributed to the DeadLock gang. It is used to disable or interfere with endpoint detection and response products prior to ransomware deployment, fitting ESET’s assessment that EDR killers are a fundamental stage of modern ransomware attacks after attackers obtain high privileges. ESET reported that Susanoo includes a graphical user interface and process-targeting options, including a dedicated Sophos-related process list and a broader TNT process list. In addition to Susanoo, DeadLock was observed using another EDR killer called DLKiller as well as anti-rootkit tools such as GMER and PC Hunter. The available content does not provide specific infection vectors, technical implementation details such as BYOVD usage, or concrete indicators of compromise for Susanoo.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

DeadLock

ESET researchers have observed DeadLock using two EDR killers, DLKiller (also mentioned as an unnamed loader by Cisco Talos) and Susanoo, and anti-rootkits such as GMER and PC Hunter.

via eset welivesecurity blogwelivesecurity.com

MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique

T1068Exploitation for Privilege EscalationEvidence2

BYOVD-based EDR killers exploit vulnerable drivers to escalate kernel-level privileges.

Impact

1 technique

T1489Service StopEvidence1

EDR killers stop protected services of security products and tamper with their functionality.

Other

2 techniques

T1562Impair DefensesEvidence1

Over the past year, security researchers have observed an expansion of the ecosystem around these tools, which can disable endpoint detection and response (EDR) platforms and other threat detection products in a targeted environment.

T1562.001Disable or Modify ToolsEvidence1

EDR killers terminate or suspend EDR/AV processes and services to bypass detection.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

dark readingNews

Apr 14, 2026

EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses

An EDR killer tool that disables endpoint detection and response products, typically via BYOVD techniques using vulnerable Windows drivers.

eset welivesecurity blogNews

Mar 19, 2026

EDR killers explained: Beyond the drivers

GUI-based EDR killer used by DeadLock that allows manual interaction and targeted killing of monitored processes, including Sophos-related processes.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.