‘AuKill’ EDR killer malware

‘AuKill’ EDR killer malware abuses Process Explorer driver

@ndma 26 Apr 2023

Threat Actor



The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.

Incidents analyzed by the cybersecurity firm show the use of AuKill since the start of 2023 to deploy various ransomware strains such as Medusa Locker and LockBit. Six different versions of the malware have been identified to date. The oldest AuKill sample features a November 2022 compilation timestamp.


https://www.theregister.com/2023/04/24/microsoft_windows_driver_aukill_ransomware/ https://thehackernews.com/2023/04/ransomware-hackers-using-aukill-tool-to.html https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

Last updated