#ESETresearch analyzed more than 80 EDR killers, seen across real-world intrusions, and used ESET telemetry to document how these tools operate, who uses them, and how they evolve beyond simple driver abuse.
-
#ESETresearch analyzed more than 80 EDR killers, seen across real-world intrusions, and used ESET telemetry to document how these tools operate, who uses them, and how they evolve beyond simple driver abuse. https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/
By following attacker workflows, we identified how affiliates reuse the same vulnerable drivers across unrelated codebases and how individual EDR killers switch drivers over time, demonstrating that driver-centric attribution is unreliable.
We emphasize that in RaaS gangs, it is the affiliates, not the operators, who select and deploy the EDR killers, complicating defense strategies, but also revealing otherwise hidden affiliations.
Our research highlights a significant rise in commercialized tooling, including packer-as-a-service ecosystems and hardened EDR killers that incorporate encrypted drivers, obfuscation, and external payload staging.
Based on these findings and the difficulties of driver blocking, we emphasize a prevention-first approach to defense that focuses on stopping the user-mode component of the EDR killer before any vulnerable driver is loaded, rather than relying solely on kernel-level blocking.
IoCs are available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/edr_killers -
R relay@relay.infosec.exchange shared this topic
