Archive for ESET

ESET Research discovers new Chinese threat group: GhostRedirector manipulates Google, poisons Windows servers with backdoors

Posted in Commentary with tags on September 11, 2025 by itnerd

ESET Research has discovered a new threat actor, which it has named GhostRedirector. In June 2025, this threat actor compromised at least 65 Windows servers, mainly in Brazil, Thailand, Vietnam, and the United States. Other victims were located in Canada, Finland, India, the Netherlands, the Philippines, and Singapore. GhostRedirector used two previously undocumented, custom tools: a passive C++ backdoor that ESET has named Rungan, and a malicious Internet Information Services (IIS) module it has named Gamshen. GhostRedirector is very likely a China-aligned threat actor. While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as a service to manipulate Google search engine results, boosting the page ranking of a configured target website. Its purpose is to artificially promote various gambling websites.

Besides Rungan and Gamshen, GhostRedirector also uses a series of other custom tools, in addition to the publicly known exploits EfsPotato and BadPotato, to create a privileged user on the server that can be used to download and execute other malicious components with higher privileges. Alternatively, it can be used as a fallback in case the Rungan backdoor or other malicious tools are removed from the compromised server.

While the victims are located in different geographic regions, most of the compromised servers located in the United States appear to have been leased to companies that are based in Brazil, Thailand, and Vietnam, where most of the other compromised servers are actually located. Thus, ESET Research believes that GhostRedirector was more interested in targeting victims in Latin America and Southeast Asia. GhostRedirector hasn’t shown interest in a particular vertical or sector; instead, ESET has identified victims across multiple sectors, including education, healthcare, insurance, transportation, technology, and retail.

Based on ESET telemetry, GhostRedirector probably gains initial access to its victims by exploiting a vulnerability, likely an SQL Injection. The attackers compromise a Windows server, then download and execute various malicious tools: a privilege escalation tool, malware that drops multiple webshells, or the already mentioned backdoor and IIS Trojan. In addition to the obvious purpose of the privilege escalation tools, they can also be used as a fallback in case the group loses access to the compromised server. Backdoor capabilities include network communication, file execution, directory listing, and manipulating both Services and Windows registry keys.

ESET telemetry detected attacks by GhostRedirector between December 2024 and April 2025, and an internet-wide scan from June 2025 identified further victims. ESET notified all the identified victims it discovered via the scan about the compromise. Mitigation recommendations can be found in our previously published comprehensive white paper.

For a more detailed analysis and technical breakdown of GhostRedirector, check out the latest ESET Research blogpost, “GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes,” on WeLiveSecurity.com.

Countries where GhostRedirector victims were detected:

ESET Canada Celebrates 10 Years

Posted in Commentary with tags on August 13, 2025 by itnerd

ESET today celebrates the ten year anniversary of its Canadian operations. Since August 13, 2015, ESET Canada has grown steadily, earning the trust of more than 15,000 businesses nationwide. The Canadian sales and marketing operations in Toronto are strengthened through collaboration with the ESET Research Centre in Montreal, a key contributor to the company’s global threat research and regional threat detection capabilities.

As an advocate for cybersecurity innovation in Canada, ESET has forged strong ties with leading tech ecosystems, including the city of Markham, home to its Canadian head office. Markham’s vibrant technology sector and collaborative business environment make it a strategic base for ESET’s continued engagement coast-to-coast.

Over the past decade, ESET Canada has grown its presence through strong reseller partnerships, a focus on key verticals such as education, manufacturing and critical infrastructure, and expanded services to meet the evolving threat landscape.

10 highlights from ESET Canada’s 10-year journey include:

  • Nationwide Expansion: Enhanced presence across Canada, including increased support and engagement in Western Canada through dedicated tech, sales, and customer-facing roles.
  • Brand Visibility: Secured the company’s first major league sponsorship with the Calgary Flames.
  • Cloud-First Infrastructure: Opened a Canadian data centre to address data sovereignty. Today, more than 51 per cent of ESET Canada’s endpoint customers are on the cloud, surpassing the national average of 48.1 per cent. (Analysis: Mason)
  • Strategic Relocation: Moved operations to Markham to deepen ties with Canada’s innovation hub.
  • Industry Recognition: In 2025, ESET Canada received its 17th eCN Reseller Choice Award and its first Markham Board of Trade Excellence Award for High Quality and Service.
  • Partner-First Model: Established a robust partner ecosystem, with 95 per cent of revenue flowing through the reseller channel.
  • MSP Growth: Achieved consistent double-digit growth in MSP (Managed Service Provider) sales, driven by strong partner enablement, scalable offerings, and growing demand for flexible, subscription-based cybersecurity solutions.
  • MDR Expansion: Launched and scaled MDR (Managed Detection and Response) — now ESET Canada’s fastest-growing service.
  • Market Positioning: Maintained a consistent top 8 market position in the Endpoint Protection Platform (EPP) according to Gartner. In a rapidly shifting vendor landscape, ESET’s stability and trusted performance continue to stand out.
  • Customer Loyalty: Achieved a Net Promoter Score (NPS) of 54, far above industry benchmarks and a clear sign of customer trust.

In addition to supporting more than 15,000 Canadian businesses, ESET helps safeguard households and individuals across the country with award-winning protection for smartphones, laptops, and connected homes.

This milestone in Canada comes as ESET celebrates 35 years as a global pioneer in proactive digital protection. Since 1987, ESET has grown into one of the world’s leading cybersecurity companies, protecting more than 100 million users across 180 countries with innovative, AI-native security solutions.

ESET maintains regional offices in Bratislava, San Diego, Singapore, and Buenos Aires, supporting its vision of building a safer digital future for everyone.

ESET Research: Russian RomCom group exploits new vulnerability, targets companies in Europe and Canada

Posted in Commentary with tags on August 11, 2025 by itnerd

ESET researchers have discovered a previously unknown vulnerability in WinRAR, exploited in the wild by the Russia-aligned group RomCom. According to ESET telemetry, malicious archives were used in spearphishing campaigns between July 18 and July 21, 2025, targeting financial, manufacturing, defense, and logistics companies in Europe and Canada. The aim of the attacks was cyberespionage. This is at least the third time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild.

Disguised as an application document, the weaponized archives exploited a path traversal flaw to compromise their targets. In the spearphishing email, the attackers sent a CV hoping that a curious target would open it. According to ESET telemetry, none of the targets were compromised. The attackers, however, had conducted reconnaissance beforehand and the emails were highly targeted. Successful exploitation attempts delivered various backdoors used by the RomCom group – specifically, a SnipBot variant, RustyClaw, and the Mythic agent.

ESET Research attributes the observed activities to RomCom with high confidence based on the targeted region, tactics, techniques, and procedures (TTPs), and the malware used. RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) is a Russia-aligned group that conducts both opportunistic campaigns against selected business verticals and targeted espionage operations. The group’s focus has shifted to include espionage operations collecting intelligence, in parallel with its more conventional cybercrime operations. The backdoor used by the group is capable of executing commands and downloading additional modules to the victim’s machine. It is not the first time that RomCom has used exploits to compromise its victims. In June 2023, the group performed a spearphishing campaign targeting defense and governmental entities in Europe, with lures related to the Ukrainian World Congress.

For a more detailed analysis and technical breakdown of RomCom’s latest campaign, check out the latest ESET Research blogpost “RomCom exploits a new vulnerability in the wild, this time in WinRAR” on WeLiveSecurity.com.

ESET North America Announces Winners of the Tenth Annual Women in Cybersecurity Scholarship

Posted in Commentary with tags on June 30, 2025 by itnerd

ESET is proud to announce the winners of its tenth annual Women in Cybersecurity Scholarship. Selected from a highly competitive pool of applicants across the US and Canada, the ten scholarship recipients impressed the review panel with their academic achievements, passion for cybersecurity, and commitment to making a positive impact in STEM fields.

This year marks a milestone in the program’s evolution with the continued expansion of the Cybersecurity Trailblazer Award Tier, a designation reserved for the most exceptional applicants who have demonstrated outstanding technical proficiency, leadership, and a deep, sustained focus on cybersecurity. The recipients of this year’s Cybersecurity Trailblazer Awards from the U.S. are Alexis Eskenazi, Crystal Yang, and Ismat Jarin, each receiving a $10,000 scholarship in recognition of their exemplary work. The Canadian Trailblazer recipients are Azka Siddiqui and Constance Prevot, each receiving a $5,000 scholarship for their remarkable contributions and potential to drive change within the field.

This year, Canada also saw the launch of the Future Leader Award, a new scholarship tier recognizing emerging talent with strong potential in the field of cybersecurity. Five students were selected to receive $1,000 scholarships: Yushika Jhundoo, Meadow Agbor, Tina Ismail, Vrinda Joshi, and Yashvi Shah. Together, these individuals have shown exceptional promise as future leaders in cybersecurity. Their ambitions and achievements reflect the values at the heart of the Women in Cybersecurity Scholarship: innovation, inclusion, and impact.

ESET North America awarded $45,000 in scholarships this year to celebrate the program’s tenth anniversary, reaffirming its commitment to building a more inclusive and secure digital future.

Learn more about the Trailblazer Award recipients:

Alexis Eskenazi, Berkeley, California, United States: Alexis Eskenazi’s journey into cybersecurity began with competitive robotics, where building championship-level robots sparked her interest in how connected systems function. That passion led her to launch Eskenazi Ed-Tech & AI Consulting, bringing hands-on STEM education to over 400 students globally. From mentoring the world’s first all-female Indigenous robotics team in New Zealand to researching vulnerabilities in U.S. healthcare and semiconductor infrastructure, Alexis blends technical insight with education and policy to advance a more secure, inclusive digital world.

Crystal Yang, Katy, Texas, United States: Crystal Yang’s interest in cybersecurity was sparked by watching scam-baiting videos, which seem humorous on the surface, but reveal just how vulnerable people can be to social engineering. Determined to fight back, she built TimeWaster3000, an AI-powered bot that wastes scammers’ time using natural language processing and speech recognition. As the founder of Audemy.org, Crystal has also created AI-driven educational games used by more than 5,000 blind and visually impaired students worldwide and implemented in 19 schools. Today, she is focused on cybersecurity projects aimed at scam awareness and social engineering defense for businesses.

Ismat Jarin, Irvine, California, United States: Ismat Jarin’s path to cybersecurity began in her home country, where early experiences with societal biases and privacy violations fueled her resolve to protect underrepresented communities through technology. She became the first woman from her town to rank in the top 2% nationally for admission to her country’s top engineering university, later earning a Master’s in Systems and Security from UM Dearborn and now pursuing a Ph.D. at UC Irvine. Her research explores privacy risks in AI/LLMs and emerging technologies and has been published at leading conferences like PETS, NeurIPS(WiML) and CODASPY. Beyond research, Ismat is a passionate mentor and advocate, helping first-generation and underrepresented students find belonging and success in cybersecurity.

Azka Siddiqui, Mississauga, Ontario, Canada: Azka Siddiqui’s passion for computer science began in fourth grade when she programmed Dash robots during a classroom activity, sparking her fascination with the intersection of hardware and software. Her interest in cybersecurity solidified during a 2024 internship at Nokia, where she helped refine an advanced filter tool that monitored over 10,000 alarms. In addition to furthering her technical skills, Azka serves as Vice Chair of a national nonprofit empowering girls in STEM, has led a coding club spanning three Canadian provinces, and conducted research on smart-grid anomaly detection and eye-tracking technologies in university labs. This fall, Azka will begin her Honours Bachelor of Applied Science in Computer Engineering at the University of Waterloo, where she plans to focus on cybersecurity and AI with an emphasis on making digital spaces safer for women.

Constance Prevot, Mount Royal, Quebec, Canada: Constance Prevot’s journey into cybersecurity began at Concordia University, where a Capture-The-Flag competition sparked a passion that would shape her academic and professional path. She has since represented Canada at the 2024 International Cybersecurity Competition in Chile, served as a SOC Analyst at OnePoint for Desjardins, conducted adversary-focused research at GoSecure, and co-presented her findings at conferences including HOPE and BSides. As President of Concordia University’s Software Engineering and Computer Science Society, she has led initiatives to make cybersecurity education more accessible, including launching “compétitionsquebec,” a platform cataloging local competitions and training resources.

Future Leader Awards: This inaugural award proudly recognizes five exceptional students who exemplify the next generation of innovators and changemakers. With a $1,000 award, these students are being honored not only for their academic excellence but also for their passion and potential to shape the future of technology. This year’s awardees are:

  • Yushika Jhundoo (Ottawa, ON) – Computer Science, University of Ottawa: Tech community builder and cybersecurity enthusiast dedicated to inclusive outreach and digital empowerment.
  • Meadow Agbor (Calgary, AB) – Computer Information Systems, Mount Royal University (MRU): Cybersecurity intern and youth mentor with a passion for digital safety and inclusive community engagement.
  • Tina Ismail (Mississauga, ON) – Electrical Engineering, McMaster University: Cybersecurity enthusiast and IEEE leader blending technical innovation, educational research, and creative expression.
  • Vrinda Joshi (Markham, ON) – Systems Design Engineering (Co-op), University of Waterloo: STEM equity advocate and nonprofit co-founder empowering youth through coding, robotics, and hands-on innovation.
  • Yashvi Shah (Caledon, ON) – Computer Engineering (Co-op), University of Toronto: Innovative researcher and tech educator with experience in AI, 3D simulation, and youth empowerment through coding and wellness initiatives.

Learn more about the Women in Cybersecurity Scholarship here.

Iran-aligned BladedFeline spies on Iraqi and Kurdish officials: ESET

Posted in Commentary with tags on June 19, 2025 by itnerd

The Iran-aligned threat group BladedFeline has targeted Kurdish and Iraqi government officials in a recent cyber-espionage campaign, according to ESET researchers. The group deployed a range of malicious tools discovered within the compromised systems, indicating a continued effort to maintain and expand access to high-ranking officials and government organizations in Iraq and the Kurdish region. The latest campaign highlights BladedFeline’s evolving capabilities, featuring two tunneling tools (Laret and Pinar), various supplementary tools, and, most notably, a custom backdoor Whisper and a malicious Internet Information Services (IIS) module PrimeCache, both identified and named by ESET.

Whisper logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. PrimeCache, a malicious IIS module, also serves as a backdoor, and it bears similarities to the RDAT backdoor used by the OilRig Advanced Persistent Threat (APT) group.
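Both Gamshen (in the GhostRedirector post above) and PrimeCache are malicious IIS modules, so one practical triage step for a Windows server administrator is to enumerate the native modules IIS loads and flag any whose image is not a Microsoft-signed file under the inetsrv directory. The following is an added defender-side example, not ESET's code and not derived from either malware; it assumes the IIS role with the WebAdministration PowerShell module is installed and that the session is elevated.

```powershell
# Added example (not from ESET): list IIS native global modules and flag those whose
# image is missing, unsigned, signed by someone other than Microsoft, or stored outside
# %windir%\System32\inetsrv. Output is a triage list for a human to review, not a verdict.
Import-Module WebAdministration

function Get-SuspiciousIisModule {
    [CmdletBinding()]
    param()

    # Get-WebGlobalModule returns one object per <globalModules> entry with Name and Image.
    foreach ($mod in Get-WebGlobalModule) {
        # Image paths are stored with environment variables, e.g. %windir%\System32\inetsrv\cachuri.dll
        $path = [Environment]::ExpandEnvironmentVariables($mod.Image)

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $mod.Name; Image = $path; Status = 'ImageMissing'; Signer = $null }
            continue
        }

        $sig         = Get-AuthenticodeSignature -FilePath $path
        $signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
        $inInetsrv   = $path -like "$env:windir\System32\inetsrv\*"

        if (-not $isMicrosoft -or -not $inInetsrv) {
            [pscustomobject]@{
                Name   = $mod.Name
                Image  = $path
                Status = if ($isMicrosoft) { 'UnusualLocation' } else { "Signature:$($sig.Status)" }
                Signer = $signer
            }
        }
    }
}

# Every hit needs a human decision: third-party modules your team knowingly installed
# (URL rewriters, APM agents) will appear here too, but so will a module nobody can explain.
Get-SuspiciousIisModule | Format-Table -AutoSize
```

On hosts where built-in IIS DLLs are only catalog-signed, Get-AuthenticodeSignature may report them as NotSigned, so compare any such hit against a known-good server before acting on it.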

Based on these code similarities, as well as on further evidence presented in this blogpost, ESET assesses that BladedFeline is a very likely subgroup of OilRig, an Iran-aligned APT group going after governments and businesses in the Middle East. The initial implants in the latest campaign can be traced back to OilRig. These tools reflect the group’s strategic focus on persistence and stealth within targeted networks.

BladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.

ESET Research assesses that BladedFeline is targeting the Kurdish and Iraqi governments for cyberespionage purposes, with an eye toward maintaining strategic access to the computers of high-ranking officials in both governmental entities. The Kurdish diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country.

In 2023, ESET Research discovered that BladedFeline targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in ESET APT Activity reports. The group has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government, but is not the only subgroup of OilRig that ESET Research is monitoring. ESET has been tracking Lyceum, also known as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli organizations, including governmental and local governmental entities and organizations in healthcare.

ESET expects that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set for cyberespionage.

For a more detailed analysis and technical breakdown of BladedFeline’s tools used in Operation RoundPress, check out the latest ESET Research blogpost “Whispering in the dark” on WeLiveSecurity.com.

ESET participates in operation to disrupt the infrastructure of Danabot infostealer

Posted in Commentary with tags on June 2, 2025 by itnerd

ESET has participated in a major infrastructure disruption of the notorious infostealer, Danabot, by the US Department of Justice, the FBI, and the US Department of Defense’s Defense Criminal Investigative Service. U.S. agencies were working closely with Germany’s Bundeskriminalamt, the Netherlands’ National Police, and the Australian Federal Police. ESET took part in the effort alongside Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru and Zscaler. ESET Research, which has been tracking Danabot since 2018, contributed assistance that included providing technical analysis of the malware and its backend infrastructure, as well as identifying Danabot’s C&C servers. During that period, ESET analyzed various Danabot campaigns all over the world, with Poland, Italy, Spain and Turkey historically being among the most targeted countries. The joint takedown effort also led to the identification of individuals responsible for Danabot development, sales, administration, and more.

These law enforcement operations were conducted under Operation Endgame — an ongoing global initiative aimed at identifying, dismantling, and prosecuting cybercriminal networks. Coordinated by Europol and Eurojust, the operation successfully took down critical infrastructure used to deploy ransomware through malicious software.

The authors of Danabot operate as a single group, offering their tool for rental to potential affiliates, who subsequently employ it for their malicious purposes by establishing and managing their own botnets. Danabot’s authors have developed a vast variety of features to assist customers with their malevolent motives. The most prominent features offered by Danabot include: the ability to steal various data from browsers, mail clients, FTP clients, and other popular software; keylogging and screen recording; real-time remote control of the victims’ systems; file grabbing (commonly used for stealing cryptocurrency wallets); support for Zeus-like webinjects and form grabbing; and arbitrary payload upload and execution. Besides utilizing its stealing capabilities, ESET Research has observed a variety of payloads being distributed via Danabot over the years. Furthermore, ESET has encountered instances of Danabot being used to download ransomware onto already compromised systems.

In addition to typical cybercrime, Danabot has also been used in less conventional activities, such as utilizing compromised machines for launching DDoS attacks, for example a DDoS attack against Ukraine’s Ministry of Defense soon after the Russian invasion of Ukraine.

Throughout its existence, according to ESET monitoring, Danabot has been a tool of choice for many cybercriminals and each of them has used different means of distribution. Danabot’s developers even partnered with the authors of several malware cryptors and loaders, and offered special pricing for a distribution bundle to their customers, helping them with the process. Recently, out of all distribution mechanisms ESET observed, the misuse of Google Ads to display seemingly relevant, but actually malicious, websites among the sponsored links in Google search results stands out as one of the most prominent methods to lure victims into downloading Danabot. The most popular ploy is packing the malware with legitimate software and offering such a package through bogus software sites or websites falsely promising to help users find unclaimed funds. The latest addition to these social engineering techniques is deceptive websites offering solutions for fabricated computer issues, whose only purpose is to lure victims into executing a malicious command secretly inserted into the user’s clipboard.

The typical toolset provided by Danabot’s authors to their affiliates includes an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communications between the bots and the actual C&C server. Affiliates can choose from various options to generate new Danabot builds, and it’s their responsibility to distribute these builds through their own campaigns.

For a technical overview of Danabot and insight into its operation, check out the ESET Research blogpost “Danabot: Analyzing a fallen empire” on WeLiveSecurity.com.

ESET Participates In Lumma Stealer Takedown

Posted in Commentary with tags on May 22, 2025 by itnerd

Yesterday I reported on a takedown of the Lumma Stealer network, which is a big deal as this infostealer is a huge threat to computer users everywhere. Today ESET announced that it has taken part in this takedown. The operation, spearheaded by Microsoft and supported by BitSight, Lumen, Cloudflare, CleanDNS, GMO Registry, and ESET, has successfully disrupted key elements of Lumma Stealer’s infrastructure, significantly impeding its ability to exfiltrate sensitive data from victims worldwide.

Key Contributions by ESET:

ESET contributed to the disruption by analyzing and processing tens of thousands of Lumma Stealer samples, identifying C&C servers, affiliate identifiers, and tracking the malware’s evolution in real time. Our automated telemetry enabled continuous monitoring of Lumma Stealer’s activities, supporting the takedown of over 3,000 malicious domains used since mid-2024.

ESET provided in-depth technical analysis and statistical breakdowns, helping cluster threat actors and understand the malware’s changing tactics.

The Threat of Lumma Stealer

Lumma Stealer (also known as LummaC or LummaC2) has been one of the most active infostealers in the cybercrime landscape over the past two years. Operated on a subscription-based MaaS model, it allowed cybercriminals to steal browser data, credentials, cryptocurrency wallets, and more, which are frequently sold on underground marketplaces to ransomware groups and other threat actors.

The malware’s infrastructure included Telegram-based dead-drop resolvers, weekly domain updates, and an elaborate affiliate tracking system through unique LID and UID identifiers. Its modular design and advanced anti-analysis techniques like control flow flattening and encrypted stack strings made detection and mitigation difficult—until now.

Global Disruption Impact

The collaborative disruption effort has rendered large portions of Lumma Stealer’s command-and-control network inoperable, striking a major blow to its ability to continue operations. While the actors behind Lumma Stealer are likely to attempt to regroup or pivot, this intervention marks a significant disruption to one of the most pervasive infostealer operations in recent years.

What Comes Next

ESET will continue to monitor the cybercrime ecosystem for signs of Lumma Stealer’s return or rebranding and remains committed to disrupting infostealer malware families that put organizations and individuals at risk.

Read the Full Technical Report

To explore the complete in-depth technical analysis, infrastructure breakdowns, sample statistics, and obfuscation techniques used by Lumma Stealer, visit the ESET We Live Security Blog: https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-lumma-stealer/

Guest Post – ESET Research uncovers Operation RoundPress: Russia-aligned Sednit targets entities linked to the Ukraine war to steal confidential data

Posted in Commentary with tags on May 15, 2025 by itnerd

ESET researchers have uncovered a Russia-aligned espionage operation, which ESET named RoundPress, targeting webmail servers via XSS vulnerabilities. Behind it is most likely the Russia-aligned Sednit (also known as Fancy Bear or APT28) cyberespionage group, holding the ultimate goal of stealing confidential data from specific email accounts. Most of the targets are related to the current war in Ukraine; they are either Ukrainian governmental entities or defense companies in Bulgaria and Romania. Notably, some of these defense companies are producing Soviet-era weapons to be sent to Ukraine. Other targets include African, EU, and South American governments.

“Last year, we observed different XSS vulnerabilities being used to target additional webmail software: Horde, MDaemon, and Zimbra. Sednit also started to use a more recent vulnerability in Roundcube, CVE-2023-43770. The MDaemon vulnerability — CVE-2024-11182, now patched — was a zero day, most likely discovered by Sednit, while the ones for Horde, Roundcube, and Zimbra were already known and patched,” says ESET researcher Matthieu Faou, who discovered and investigated Operation RoundPress.

Sednit sends these XSS exploits by email; the exploits lead to the execution of malicious JavaScript code in the context of the webmail client web page running in a browser window. Therefore, only data accessible from the target’s account can be read and exfiltrated.

In order for the exploit to work, the target must be convinced to open the email message in the vulnerable webmail portal. This means that the email needs to bypass any spam filtering, and the subject line needs to be convincing enough to entice the target into reading the email message — abusing well-known news media such as Ukrainian news outlet Kyiv Post or Bulgarian news portal News.bg. Among the headlines used as spearphishing were: “SBU arrested a banker who worked for enemy military intelligence in Kharkiv” and “Putin seeks Trump’s acceptance of Russian conditions in bilateral relations”.

The attackers unleash JavaScript payloads SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA upon the targets. Those are capable of credential stealing; exfiltration of the address book, contacts, and log-in history; and exfiltration of email messages. SpyPress.MDAEMON is able to set up a bypass for two-factor authentication protection; it exfiltrates the two-factor authentication secret and creates an app password, which enables the attackers to access the mailbox from a mail application.

“Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups, including Sednit, GreenCube, and Winter Vivern. Because many organizations don’t keep their webmail servers up to date, and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft,” explains Faou.

The Sednit group — also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy — has been operating since at least 2004. The U.S. Department of Justice named the group as one of those responsible for the Democratic National Committee (DNC) hack just before the 2016 U.S. elections and linked the group to the GRU. The group is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many other incidents.

For a more detailed analysis and technical breakdown of Sednit’s tools used in Operation RoundPress, check out the latest ESET Research blogpost “Operation RoundPress” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

EDR Killers: What They Are, Why They Matter, and How Organizations Can Stay Protected

Posted in Commentary with tags on April 24, 2025 by itnerd

ESET is warning organizations to stay alert as “EDR killers” – tools designed to disable Endpoint Detection and Response (EDR) solutions – grow more accessible and more widely used by ransomware affiliates. While not a new threat, these tools are becoming easier to deploy, making them relevant for enterprises and mid-sized organizations alike.

An EDR killer works by disabling or impairing EDR agents on compromised machines, blinding defenders and paving the way for attackers to move stealthily and deliver malicious payloads. These tools are typically deployed after initial access has already been achieved, a process that itself should set off multiple alarms in a well-defended environment.

Once used only by highly skilled threat actors, EDR killers are now distributed by ransomware-as-a-service (RaaS) operators like RansomHub, lowering the technical bar for attackers. Variants range from basic script-based tools to more advanced versions that exploit vulnerable drivers or repurpose legitimate software, like rootkit removal tools, to disable security systems.

Despite these developments, ESET stresses that EDR killers aren’t cause for panic, but they are a reminder of the importance of strong, layered security. Organizations with solid defences, good detection practices, and well-trained staff remain in a strong position to detect and disrupt these tools before they cause severe damage.

ESET recommends the following best practices to reduce exposure: 

  • Use a hardened, updated EDR solution: Leading tools already detect many known EDR killer behaviours. 
  • Restrict user permissions: Prevent users without admin rights from modifying or disabling security controls. 
  • Monitor for suspicious downloads and file transfers: Watch for scripts, drivers, or tools commonly used in these attacks. 
  • Block Potentially Unsafe Applications (PUSA): Review app control policies to minimize exposure to misused software. 
  • Invest in staff training: Phishing awareness and safe file handling are still your first line of defence. 

The rise of EDR killers reflects an evolving cybercrime landscape, where increasingly advanced tools are being commercialized and shared. As attackers adapt their tactics, defenders must do the same. A resilient, multi-layered approach, backed by regular reviews and user education, remains the best strategy for staying ahead. 

ESET continues to track the development of EDR killer tools and their use in real-world attacks. For further insights and technical analysis, visit ESET’s threat research blog, WeLiveSecurity.

Fraudsters Abuse Google Forms via Phishing to Steal Logins

Posted in Commentary with tags on April 23, 2025 by itnerd

According to researchers, fraudsters are abusing Google Forms via phishing campaigns that steal email logins. You can read more here: https://www.welivesecurity.com/en/scams/how-fraudsters-abuse-google-forms-spread-scams/

Here’s the TL;DR:

Malicious actors are always looking for ways to add legitimacy to scams and evade email security filters. Google Forms offers a great opportunity to do both. It is favored by cybercriminals because it is:

  • Free, meaning threat actors can launch campaigns at scale with a potentially lucrative return on their investment
  • Trusted by users, which increases the chances of victims believing that the Google Form they’re being sent or redirected to is legitimate
  • A legitimate service, meaning that malicious Google Forms and links to malicious forms are often waved through by traditional email security tools
  • Easy to use, which is good for users but also handy for cybercriminals – meaning they can launch convincing phishing campaigns with very little effort or prior knowledge of the tool

Cybercriminals also take advantage of the fact that Google Forms communications are encrypted with TLS, which may make it harder for security tools to peer in and check for any malicious activity. Similarly, the solution often uses dynamic URLs, which may make it challenging for some email security filters to spot malicious forms.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“All public services, like Google Forms, need to be better at defeating phishing attempts that use their product. I think most people can easily come up with a dozen signs that they can easily see in a message that indicates a scam. These services need to be doing more to fight cybercriminals using their products to conduct scams. Because they don’t, it causes trust issues and lessens the value of those products. Each of these services will tell you that they are already spending a bazillion dollars and lots of resources to fight scammers, but they simply aren’t doing enough. They are letting the revenue they are making by being bad at spotting cybercriminals get in the way of them better detecting and spotting scammers. It’s a business decision. One that isn’t being made correctly by many service providers, and it’s unfortunate.”

This isn’t the first time that I’ve seen Google Forms used for nefarious purposes. And to Google’s credit, when I’ve reported a dodgy form, they’ve been quick to take it down. But it often pops up again in hours or days. I am not sure how Google addresses this, but they do need to address it.