
HeartCrypt-Packed ‘AVKiller’ Tool Actively Deployed in Ransomware Attacks to Disable EDR


To stay hidden throughout multi-stage intrusions, threat actors are placing a higher priority on neutralizing endpoint detection and response (EDR) systems.

Since 2022, malware sophistication has surged, with tools specifically engineered to disable EDR on compromised endpoints.

These utilities, often developed by ransomware affiliates or sourced from underground markets, leverage packer-as-a-service solutions like HeartCrypt for obfuscation.

A notable example is the AVKiller tool, embedded within HeartCrypt-packed samples, which has been observed in active ransomware campaigns.

This payload, detected amid thousands of similar artifacts, exhibits heavy protection layers, targets a variable list of security vendors, and relies on malicious drivers signed with compromised certificates.

Rising Sophistication in EDR Evasion Tactics

For instance, one variant, uA8s.exe (SHA-1: 2bc75023f6a4c50b21eb54d1394a7b8417608728), injects malicious code into legitimate utilities like Beyond Compare’s Clipboard Compare, decoding itself upon execution to reveal an executable that scans for randomly named drivers, such ...
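Added example (not from the article or gbhackers): a Python triage script that scores a driver inventory on the indicators the article describes, a random-looking driver name, a load path outside the normal driver directory, and a signer whose code-signing certificate is known compromised. All driver names, paths and signer strings below are constructed placeholders, not indicators from the article.

```python
import re

# Constructed sample driver inventory (hypothetical names, paths and signer
# strings; not taken from the article). In practice feed this from
# `driverquery /v` output or Sysmon Event ID 6 (Driver Loaded) records.
SAMPLE_DRIVERS = [
    {"name": "tcpip",    "path": r"C:\Windows\System32\drivers\tcpip.sys",    "signer": "Microsoft Windows"},
    {"name": "mouclass", "path": r"C:\Windows\System32\drivers\mouclass.sys", "signer": "Microsoft Windows"},
    {"name": "qx7kz2vm", "path": r"C:\Windows\Temp\qx7kz2vm.sys",             "signer": "PLACEHOLDER REVOKED PUBLISHER"},
    {"name": "h3ld9pq1", "path": r"C:\ProgramData\cache\h3ld9pq1.sys",        "signer": "PLACEHOLDER UNKNOWN PUBLISHER"},
    {"name": "kvmon",    "path": r"C:\Windows\System32\drivers\kvmon.sys",    "signer": ""},
]

# Signer names whose certificates are known compromised or revoked.
# Placeholder value: populate from CA revocation data or threat intel feeds.
REVOKED_SIGNERS = {"PLACEHOLDER REVOKED PUBLISHER"}
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers",)

def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names: 6-16 alphanumerics with
    almost no vowels, or with several digits mixed in (qx7kz2vm, h3ld9pq1)."""
    base = name.lower()
    if not re.fullmatch(r"[a-z0-9]{6,16}", base):
        return False
    vowels = sum(c in "aeiou" for c in base)
    digits = sum(c.isdigit() for c in base)
    return vowels / len(base) < 0.2 or digits >= 2

def score_driver(entry: dict) -> int:
    """Weighted indicators: 2+ merits an analyst's look, 3+ is a strong hit."""
    score = 0
    signer = entry.get("signer") or ""
    if signer in REVOKED_SIGNERS:
        score += 3      # signed with a known-compromised certificate
    elif not signer:
        score += 2      # no Authenticode signer recorded at all
    if not entry["path"].lower().startswith(TRUSTED_DRIVER_DIRS):
        score += 1      # loaded from a writable or unusual directory
    if looks_random(entry["name"]):
        score += 1      # random-looking service or file name
    return score

def suspicious_drivers(drivers, threshold: int = 2):
    """Names of drivers at or above the threshold, highest score first."""
    hits = [(score_driver(d), d["name"]) for d in drivers]
    return [name for s, name in sorted(hits, reverse=True) if s >= threshold]

if __name__ == "__main__":
    for d in SAMPLE_DRIVERS:
        print(f"{score_driver(d)}  {d['name']:10} {d['path']}")
    print("suspicious:", suspicious_drivers(SAMPLE_DRIVERS))
```

The name heuristic alone produces false positives on legitimate vendor drivers with terse names, which is why it only contributes one point and is never sufficient on its own.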


Copyright of this story solely belongs to gbhackers.