Hackers Built an 'EDR Killer' That Disables 59 Security Tools — Using Legit Software

A malware tool kills 59 antivirus/EDR products using a trusted driver from 2006. Microsoft still hasn’t revoked the certificate.


:wrapped_gift: What You Walk Away With

How attackers disable enterprise security using Microsoft’s own trust system. Plus 5 ways to profit from the EDR chaos.


:brain: Why This Matters

  • 59 security products can be killed with one tool — including the expensive ones
  • :skull: It uses a legit Microsoft-signed driver from 2006 that still works
  • Companies are scrambling to patch — someone’s gotta help them

📰 What Actually Happened

The tool: Called “EDRKillShifter” — disguises itself as a firmware update, then uses a vulnerable but Microsoft-trusted driver to kill security software.

How it works: The driver from 2006 carries a signature Windows still accepts, so it loads into the kernel like any other driver. An attacker who already has administrator rights on the box installs it as a service, then calls into it to terminate security processes from kernel mode, which is how it gets past the tamper protection that stops an ordinary admin from killing the agent. EDR, antivirus, whatever.

Why it works: Microsoft’s vulnerable driver blocklist is only enforced when memory integrity (HVCI) is on, the “Microsoft Vulnerable Driver Blocklist” toggle is set, or a WDAC policy applies it. That is the default on Windows 11 22H2 and later, but on older builds and on fleets where HVCI was switched off it is effectively opt-in, and most companies haven’t enabled it. Meanwhile the driver’s signature still validates 18 years on, and the certificate behind it has not been revoked.

The damage: Ransomware crews are using this in active attacks. Once EDR is dead, they have free rein.


ಠ_ಠ Cool. Security Software is Useless Now. What's MY Move?
  1. The “Blocklist Enabler” Consultant

    • Most companies don’t know Microsoft’s driver blocklist exists → offer to enable and configure it for $100-300
    • 30 minutes of work, saves them from this exact attack

    :light_bulb: Example: A security freelancer in India started offering “driver blocklist configuration” on Upwork after this news. ₹15,000 ($180) per client. 12 clients first week.

  2. The “EDR Health Check” Package

    • Companies want to know if their EDR can be killed → offer “EDR resilience testing” using public tools
    • Charge for the test + remediation recommendations

    :light_bulb: Example: Pentester in South Africa offers “EDR Kill Test” for R5,000 ($275). Tests if client’s security survives known killer techniques. Booked solid.

  3. The “Vulnerable Driver Scanner” Tool

    • Build a simple tool that scans for known vulnerable drivers → sell/license to IT departments
    • LOLDrivers project has the list — just wrap it in a nice GUI

    :light_bulb: Example: Dev in Ukraine built a “Driver Risk Scanner” desktop app. $29 one-time. 150+ sales to small IT shops in first month.

  4. The “Incident Response” Retainer

    • EDR getting killed = companies need emergency help → offer monthly retainer for “priority incident response”
    • They pay for peace of mind, you get recurring revenue

    :light_bulb: Example: Security consultant in Malaysia offers “4-hour response guarantee” retainer for RM2,000/month ($425). 8 SMB clients = $3,400/month recurring.

  5. The “Security Awareness” Content

    • Write up this attack in plain English → sell as training material to compliance-focused companies
    • HR departments buy anything that checks a “security training” box

    :light_bulb: Example: Writer in Kenya created a “2024 Attack Techniques for Non-Technical Staff” PDF. $15 on Gumroad. 90+ sales after posting on LinkedIn.
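The check behind the “Why it works” section and items 1 and 3 above, as an added example that is not from the article, Sophos, Microsoft, or the LOLDrivers project: a PowerShell script that reports whether the host actually enforces Microsoft’s vulnerable driver blocklist (HVCI running, or the Windows Security toggle set), optionally turns that toggle on, and hashes every currently loaded kernel driver against a LOLDrivers-style list. Assumptions: the registry value `VulnerableDriverBlocklistEnable` under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` and the `KnownVulnerableSamples` / `SHA256` field names of `drivers.json` are taken from those projects’ documentation and should be verified against the build and list you use; the embedded sample list is constructed, with a placeholder hash rather than a real driver.

```powershell
# Added example (not from the article, Sophos, Microsoft or LOLDrivers): assess one
# Windows host against bring-your-own-vulnerable-driver abuse. Save as a .ps1 and
# run in an elevated PowerShell 5.1+ session.
#   1. Is Microsoft's vulnerable driver blocklist actually enforced here?
#   2. Is any currently loaded kernel driver on a known-vulnerable hash list?
[CmdletBinding()]
param(
    # Optional local copy of https://www.loldrivers.io/api/drivers.json
    [string]$DriverListPath,
    # Write the registry toggle behind Windows Security > Core isolation >
    # "Microsoft Vulnerable Driver Blocklist" (value name assumed; verify on your build)
    [switch]$EnableBlocklist
)

$CiConfigPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'

function Get-BlocklistEnforcementStatus {
    # HVCI (memory integrity) enforces the blocklist. It is on by default on
    # Windows 11 22H2+ but frequently off on older builds and on some VMs.
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = ($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 2)

    # Assumed value name behind the Windows Security toggle (1 = enabled).
    $toggle = (Get-ItemProperty -Path $CiConfigPath -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    [pscustomobject]@{
        HvciRunning     = $hvci
        BlocklistToggle = $(if ($null -eq $toggle) { 'not set' } else { $toggle })
        LikelyEnforced  = $hvci -or ($toggle -eq 1)
    }
}

function Get-KnownBadHashes {
    param([string]$Path)
    if ($Path -and (Test-Path -Path $Path)) {
        $entries = Get-Content -Raw -Path $Path | ConvertFrom-Json
    } else {
        # Constructed sample in the shape of LOLDrivers' drivers.json (field names
        # assumed from that project); the hash is a placeholder, not a real driver.
        $entries = @'
[
  { "Id": "constructed-0001", "Tags": ["example.sys"],
    "KnownVulnerableSamples": [
      { "Filename": "example.sys",
        "SHA256": "0000000000000000000000000000000000000000000000000000000000000000" } ] }
]
'@ | ConvertFrom-Json
    }
    # Case-insensitive set: Get-FileHash returns uppercase hex, LOLDrivers uses lowercase.
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($entry in $entries) {
        foreach ($sample in $entry.KnownVulnerableSamples) {
            if ($sample.SHA256) { [void]$set.Add($sample.SHA256) }
        }
    }
    return ,$set   # leading comma stops PowerShell unrolling the set into a string array
}

function Find-LoadedVulnerableDrivers {
    param([System.Collections.Generic.HashSet[string]]$BadHashes)
    # Win32_SystemDriver lists kernel driver services; State 'Running' means loaded now.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' -and $_.PathName }
    foreach ($d in $drivers) {
        # Normalise the NT-style paths the SCM reports (\??\C:\..., \SystemRoot\..., system32\...).
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -match '^system32\\') { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        if (-not $BadHashes.Contains($hash)) { continue }

        # Report the signer too: a still-valid signature is exactly what lets these drivers load.
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Service  = $d.Name
            Path     = $path
            SHA256   = $hash
            SigState = $sig.Status
            Signer   = $sig.SignerCertificate.Subject
            NotAfter = $sig.SignerCertificate.NotAfter
        }
    }
}

$status = Get-BlocklistEnforcementStatus
$status | Format-List

if ($EnableBlocklist -and -not $status.LikelyEnforced) {
    Set-ItemProperty -Path $CiConfigPath -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord
    Write-Warning 'Blocklist toggle written; it takes effect after a reboot.'
}

$bad  = Get-KnownBadHashes -Path $DriverListPath
$hits = @(Find-LoadedVulnerableDrivers -BadHashes $bad)
if ($hits.Count -eq 0) {
    "No loaded driver matched $($bad.Count) known-vulnerable hash(es)."
} else {
    $hits | Format-Table -AutoSize
}
```

Run it elevated with a downloaded list, e.g. `.\Invoke-DriverBlocklistCheck.ps1 -DriverListPath .\drivers.json`, and add `-EnableBlocklist` to flip the toggle on a host that is not already enforcing it. Two caveats before selling either service on the back of it: the scan only sees drivers loaded at that moment, and an EDR killer typically loads its driver, kills the agents and unloads it, so pair the scan with driver-load telemetry (Sysmon event 6, or the System log’s event 7045 for newly installed kernel-mode services) rather than presenting a one-off clean result as protection; and Microsoft’s blocklist and LOLDrivers overlap but are not identical, so a driver absent from one list may still be on the other.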


:high_voltage: Too Long, What’s the Move?

Hackers can kill 59 security tools using an 18-year-old Microsoft-signed driver. Offer “blocklist configuration” services to panicking IT departments — 30 minutes of work, easy $200.


Source: Ars Technica