
HeartCrypt’s EDR killer tool, known as ‘AVKiller’, is currently being used in ransomware attacks.

Cybersecurity teams have recently faced a significant threat from a novel payload known as “AVKiller,” which has been observed disabling endpoint defences to facilitate ransomware deployment. First detected in mid-2024, the tool uses the HeartCrypt packer-as-a-service to obscure its functionality, allowing it to bypass traditional static signature checks. Attackers typically deliver AVKiller through a dropper that masquerades as a legitimate utility, often by injecting malicious code into signed executables such as Beyond Compare. Upon execution, AVKiller decodes its heavily protected payload in memory, searches for specific security drivers, and terminates the associated processes, clearing the path for the subsequent ransomware encryption. Initial samples of AVKiller targeted Sophos products, but later variants expanded their focus to a wide range of vendors, including Bitdefender, Kaspersky, SentinelOne, and Microsoft Defender.
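The behaviour described above, one process terminating the protected processes of several security products, is something a SOC can hunt for in process-termination telemetry. The following is an added detection example, not code from the article or from any vendor: the event fields, the protected process names, the signer strings and the sample events are all constructed assumptions chosen for illustration, and a production rule would use each vendor’s documented process list and signer.

```python
"""Added detection example (not from the article or any vendor).

Scores process-termination telemetry for the AVKiller-style pattern of one
untrusted process killing the protected processes of several security
products. All names, signer strings and events below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed endpoint-security process names, keyed by vendor (placeholders).
PROTECTED = {
    "sophosfs.exe": "sophos",
    "sophoshealth.exe": "sophos",
    "bdservicehost.exe": "bitdefender",
    "avp.exe": "kaspersky",
    "sentinelagent.exe": "sentinelone",
    "msmpeng.exe": "microsoft",
}

# Assumed Authenticode signer strings under which a vendor may legitimately
# stop its own processes (for example during an agent upgrade).
VENDOR_SIGNERS = {
    "sophos": "sophos ltd",
    "bitdefender": "bitdefender srl",
    "kaspersky": "ao kaspersky lab",
    "sentinelone": "sentinel labs, inc.",
    "microsoft": "microsoft corporation",
}


@dataclass(frozen=True)
class TerminateEvent:
    source_image: str   # process that issued the termination
    source_signer: str  # signer of the source image, "" if unsigned
    target_image: str   # process being terminated


def is_edr_kill(ev: TerminateEvent) -> bool:
    """True when a source outside the vendor's own signer kills a protected process."""
    vendor = PROTECTED.get(ev.target_image.lower())
    if vendor is None:
        return False
    # The vendor's own signed binary stopping that vendor's process is routine.
    return ev.source_signer.lower() != VENDOR_SIGNERS[vendor]


def detect(events, min_vendors: int = 2) -> dict:
    """Group suspicious kills by source image and keep sources that hit at
    least `min_vendors` distinct vendors; killing several vendors at once is
    the cross-vendor pattern the article attributes to later AVKiller variants."""
    kills = defaultdict(list)
    for ev in events:
        target = ev.target_image.lower()
        if is_edr_kill(ev) and target not in kills[ev.source_image]:
            kills[ev.source_image].append(target)
    return {src: tgts for src, tgts in kills.items()
            if len({PROTECTED[t] for t in tgts}) >= min_vendors}


# Constructed sample telemetry: one benign vendor upgrade, one unsigned
# dropper killing two vendors' processes, one single-vendor kill by a
# Microsoft-signed tool, and one irrelevant termination.
SAMPLE_EVENTS = [
    TerminateEvent("example_updater.exe", "Sophos Ltd", "sophosfs.exe"),
    TerminateEvent("example_dropper.exe", "", "sophosfs.exe"),
    TerminateEvent("example_dropper.exe", "", "msmpeng.exe"),
    TerminateEvent("example_dropper.exe", "", "notepad.exe"),
    TerminateEvent("taskmgr.exe", "Microsoft Corporation", "bdservicehost.exe"),
]

if __name__ == "__main__":
    for src, targets in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {src} terminated protected processes: {', '.join(targets)}")
```

With the default threshold only the unsigned dropper is reported; lowering `min_vendors` to 1 also surfaces the single Task Manager kill, which is the usual trade-off between catching an early-stage kill and paging on an administrator stopping one agent.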

The impact of AVKiller has been profound, as evidenced by a high-profile incident involving the RansomHub group, which successfully deployed the payload against a large enterprise network. The attack disabled dynamic shellcode detection and device control mechanisms before unleashing file encryption. Within minutes, crucial servers were compromised, and recovery efforts were severely hampered by the absence of active EDR protection. Analysis of telemetry data revealed that AVKiller executed multiple syscall-blocking routines, preventing live response tools from injecting into protected processes. This level of sophistication highlights the growing trend of adversaries investing in specialised off-the-shelf tools to neutralise security operations. The infection begins with a dropper executable packed by HeartCrypt, designed to evade static AV signatures. Once in memory, AVKiller employs a custom loader that decrypts the embedded payload using an XOR routine, then searches for a five-letter randomly generated name hardcoded within the decoded payload.
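For an analyst triaging a HeartCrypt-packed sample, the XOR-decrypted embedded payload described above is the artefact of interest. The following is an added analysis example, not code from the article or from any vendor: it assumes the obfuscation is a single-byte XOR (the article says only “an XOR routine”), tries every key, and accepts the candidate whose output carries a well-formed PE header. The blob it decodes is a constructed stub, not a real sample.

```python
"""Added analysis example (not from the article). Recovers a single-byte XOR
key from a blob assumed to hide a PE image, by checking each candidate for
the 'MZ' signature and a valid e_lfanew pointing at 'PE\\0\\0'. The
single-byte assumption and the sample blob are constructed for illustration."""
import struct


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def looks_like_pe(buf: bytes) -> bool:
    """Structural PE check: DOS 'MZ' magic and an e_lfanew offset (at 0x3C)
    that lands on the 'PE\\0\\0' NT header signature inside the buffer."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return e_lfanew + 4 <= len(buf) and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_single_byte_xor(blob: bytes):
    """Return (key, decoded_bytes) for the first key yielding a PE image,
    or None when no single-byte key produces one (e.g. a longer key or a
    different scheme, which this helper does not cover)."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


# Constructed stand-in for an embedded payload: the minimum bytes needed to
# pass the header check, then XOR-encoded with the constructed key 0x5A.
FAKE_PE = bytearray(0x48)
FAKE_PE[0:2] = b"MZ"
struct.pack_into("<I", FAKE_PE, 0x3C, 0x40)   # e_lfanew -> offset 0x40
FAKE_PE[0x40:0x44] = b"PE\0\0"
SAMPLE_BLOB = xor_bytes(bytes(FAKE_PE), 0x5A)

if __name__ == "__main__":
    result = recover_single_byte_xor(SAMPLE_BLOB)
    if result is None:
        print("no single-byte XOR key yields a PE image")
    else:
        key, image = result
        print(f"key 0x{key:02X} -> {len(image)} byte PE image")
```

Checking the NT header through e_lfanew, rather than the two-byte ‘MZ’ magic alone, keeps false positives down when brute-forcing: any key maps some byte pair to ‘MZ’ by chance, but very few also produce a consistent header offset.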
