Keypoints
- Threat actor gained initial access to a client via Atera RMM purchased from an initial access broker.
- Rogue virtual machine DESKTOP-J8AOTJS was used to test an AV/EDR bypass tool (disabler.exe) built from EDRSandBlast code and a vulnerable driver.
- Unit 42 investigators gained visibility into the rogue systems and recovered multiple toolkits, demo videos, and PII, enabling wider protections for other organizations.
- Evidence tied the bypass tool distribution to a forum account KernelMode and a purchaser account Marti71; identical demonstration videos appeared on both the rogue system and forum posts.
- Attack activity included Cobalt Strike beacons, scheduled tasks for persistence, credential dumping with Mimikatz, lateral movement via RDP and PsExec, and data exfiltration with Rclone to an SFTP host.
- Analysis of recovered files (including a Kazakhstan P-1 form and social profiles) allowed Unit 42 to attribute a likely individual associated with KernelMode and the tool’s development.
- Indicators including file hashes, hostnames, IPs, and domains were published and organizations are advised to block them and enable agent tampering protections.
MITRE ATT&CK Tactics
- [TA0001] Initial Access – Access to the client network via Atera RMM purchased from an initial access broker. [‘Access to the client network via Atera RMM purchased from an initial access broker.’]
- [TA0003] Persistence – Creation of scheduled tasks to routinely execute Cobalt Strike beacons. [‘Creation of scheduled tasks to routinely execute Cobalt Strike beacons.’]
- [TA0005] Defense Evasion – Use of an AV/EDR bypass tool disabler.exe that leverages EDRSandBlast static library and loads a vulnerable driver. [‘AV/EDR bypass tool called disabler.exe. It uses the static library from EDRSandBlast’]
- [TA0006] Credential Access – Execution of Mimikatz and PowerShell to obtain an lsass.exe process dump. [‘Leveraged Mimikatz and executed PowerShell to obtain lsass.exe process dump.’]
- [TA0007] Discovery – Internal discovery on a compromised domain controller with commands using nltest, net, dsquery, and rundll32. [‘A series of internal discovery commands on a compromised domain controller using built-in tools such as nltest, net, dsquery and rundll32.’]
- [TA0008] Lateral Movement – Use of Windows RDP and PsExec to move within the victim environment. [‘Used Windows RDP and PsExec for lateral movement within the victim environment.’]
- [TA0010] Exfiltration – Use of Rclone to transfer data to an SFTP server controlled by the actor. [‘Utilized Rclone to exfiltrate data to an SFTP server.’]
- [TA0011] Command and Control – Cobalt Strike Beacon activity observed across multiple systems. [‘Engaged in Cobalt Strike Beacon activity across multiple systems.’]
Indicators of Compromise
- [File Hashes / Host-based] Known malicious binaries recovered from the rogue system – 3758c5eb1fbab2362ef23091f082710606c1b4ebaeaff9b514896dc2a1e2ab17 (disabler.exe), 6106d1ce671b92d5…7143 (WNBIOS.sys / WN_64.sys), and multiple additional Cobalt Strike beacon hashes.
- [File Names] Notable files on the rogue VM – disabler.exe (AV/EDR bypass tool), WN_64.sys / WNBIOS.sys (vulnerable driver), mimikatz.exe (credential tool).
- [Hostnames] Rogue virtual machine identifier – DESKTOP-J8AOTJS (hostname shown in demo videos and agent panels).
- [IP Addresses / Domains] Network infrastructure tied to the incident – 94.75.225[.]81 (external IP of DESKTOP-J8AOTJS), 82.192.88[.]95 (SFTP server used by Rclone for exfiltration), 89.251.22[.]32 (Cobalt Strike payload host), beamofthemoon[.]com (C2-related domain).
- [Other Artifacts] Cobalt Strike watermark – watermark ID 1357776117 (associated with roughly 160 unique IPv4 addresses and domains on ThreatFox).
Unit 42 responded to an extortion incident in which a threat actor attempted to bypass Cortex XDR and, in doing so, accidentally exposed key parts of their operation. The actor had bought access to the victim’s environment via Atera RMM from an initial access broker, then used a rogue virtual machine to test an AV/EDR bypass against endpoint agents installed on it. Because the bypass was being tested against agents running on that virtual machine, identified as DESKTOP-J8AOTJS, the machine itself became visible to investigators, who could observe the attacker’s toolset, recordings, and other artifacts directly.
The primary bypass binary, disabler.exe, was found to reuse code from the open-source EDRSandBlast project with minor edits and the command-line interface removed. It follows the EDRSandBlast approach: it removes the EDR’s user-mode hooks and its kernel-mode notification callbacks, and because a user-mode process cannot modify kernel data structures on its own, it loads a companion vulnerable driver (WNBIOS.sys / WN_64.sys) and uses that driver’s arbitrary kernel memory read/write to do so. Multiple copies of the tool and matching demonstration videos were recovered on the rogue system; those recordings matched videos posted to underground forums by an account named KernelMode.
During the investigation, Unit 42 cataloged how the attacker moved through the environment. Cobalt Strike beacons were present and persisted via scheduled tasks. The actor used credential theft tools, including Mimikatz and derivatives (SafetyKatz, mmk.exe), and executed PowerShell to dump the lsass.exe process. Internal discovery commands were run on a compromised domain controller with built-in utilities such as nltest, net, dsquery, and rundll32, and lateral movement occurred via Windows RDP and PsExec. The attacker exfiltrated data with Rclone, transferring it to an SFTP server under their control.
File and directory evidence on the rogue VM offered additional context about the attacker’s ecosystem. A shared Z: drive contained an encrypted archive named ContiTraining.rar with a torrent for the publicly leaked Conti playbook and a long list of penetration-testing and red-team tooling, including Cobalt Strike and Metasploit archives. The drive also held personally identifiable information for an individual, escrow payment details, multiple builds of Mimikatz, various kernel utilities and obfuscation tools, and demonstration videos of disabler.exe successfully bypassing multiple EDR products.
To identify the seller and potential developer of the bypass tool, investigators pivoted from folder names and artifacts to underground forum activity on Russian-language sites such as XSS and Exploit. One purchaser account, Marti71, posted looking for “out-of-the-box” antivirus-killing solutions, and KernelMode replied with a bypass tool offering and demo materials. Unit 42 located KernelMode’s sales thread and recovered matching demonstration videos; comparing those recordings to the ones found on DESKTOP-J8AOTJS showed they were identical, linking the forum actor to the rogue system’s content.
Additional operational failures by the threat actor revealed more identifying details. A recovered P-1 “act of completed work” spreadsheet included the name of a Kazakhstan-based limited liability company. Combined with application titles visible in the Windows taskbar in the demo videos (including a partial username “Andry” associated with WinBox sessions), this allowed analysts to find a corresponding LinkedIn and VKontakte presence. Unit 42 assessed with moderate confidence that the individual tied to that online profile is one of the people behind KernelMode and likely a developer or primary operator of the AV/EDR bypass tool. Investigators could not, however, conclusively prove sole ownership of the rogue virtual machine or exclusive responsibility for the entire attack.
From Cobalt Strike configuration data extracted during the response, Unit 42 identified a consistent watermark ID (1357776117) used across the beacons; ThreatFox has cataloged roughly 160 unique IPv4 addresses and domains associated with that watermark, some of which overlap with infrastructure linked to Black Basta/Dark Scorpius activity. Although Cobalt Strike is frequently leveraged in ransomware campaigns, Unit 42 did not observe a ransomware deployment in this case, most likely because the actor lost access to the environment before further steps could be executed.
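The watermark is read from the Beacon configuration block, which Cobalt Strike stores XOR-encoded inside the payload. As an added example (not code from the Unit 42 report), the following Python locates and decodes such a block the way public beacon-config parsers do: it scans for the XOR-encoded header of setting 1, then walks the big-endian TLV records, where setting 37 holds the watermark. The format constants (single-byte key 0x2E for 4.x beacons and 0x69 for 3.x, 2-byte index/type/length headers) are the documented ones; the blob it parses is constructed here with the report's watermark value and a placeholder C2 string, not a sample from the incident.

```python
"""Locate and decode a Cobalt Strike Beacon configuration block and pull the
watermark out of it.

Added example, not code from the Unit 42 report. Encoding details (XOR key 0x2E
for 4.x / 0x69 for 3.x, big-endian TLV records, setting 37 = watermark) follow the
format documented by public beacon-config parsers. SAMPLE_BLOB is constructed here
and is not a sample from the incident."""
import struct

XOR_KEYS = (0x2E, 0x69)          # 4.x beacons use 0x2E; 3.x used 0x69
T_SHORT, T_INT, T_BYTES = 1, 2, 3
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 8: "C2Server", 37: "Watermark"}


def xor(data, key):
    return bytes(b ^ key for b in data)


def encode_config(settings, key):
    """Serialise (index, type, value) records into an XOR-encoded block.
    Only used to build the synthetic sample below."""
    out = bytearray()
    for idx, typ, value in settings:
        if typ == T_SHORT:
            data = struct.pack(">H", value)
        elif typ == T_INT:
            data = struct.pack(">I", value)
        else:
            data = value
        out += struct.pack(">HHH", idx, typ, len(data)) + data
    out += b"\x00" * 16  # zero padding, as real configs end with unused space
    return xor(bytes(out), key)


def find_config(blob):
    """Return (offset, key) of the config by searching for the XOR-encoded
    header of setting 1 (index 1, type short, length 2), or None."""
    header = struct.pack(">HHH", 1, T_SHORT, 2)
    for key in XOR_KEYS:
        off = blob.find(xor(header, key))
        if off != -1:
            return off, key
    return None


def decode_config(blob, off, key, max_len=4096):
    """Walk TLV records from off until a zero index (padding) or truncation."""
    raw = xor(blob[off:off + max_len], key)
    settings, pos = {}, 0
    while pos + 6 <= len(raw):
        idx, typ, length = struct.unpack(">HHH", raw[pos:pos + 6])
        if idx == 0:
            break
        pos += 6
        data = raw[pos:pos + length]
        if len(data) < length:  # truncated record: stop rather than guess
            break
        pos += length
        if typ == T_SHORT and length == 2:
            value = struct.unpack(">H", data)[0]
        elif typ == T_INT and length == 4:
            value = struct.unpack(">I", data)[0]
        else:
            value = data.rstrip(b"\x00").decode("latin-1")
        settings[SETTING_NAMES.get(idx, f"setting_{idx}")] = value
    return settings


def extract_watermark(blob):
    """The watermark (setting 37), or None when no config block is found."""
    found = find_config(blob)
    if found is None:
        return None
    return decode_config(blob, *found).get("Watermark")


# Constructed sample: junk bytes around a 4.x-style config carrying the
# watermark the report observed and a placeholder C2 string (not real infrastructure).
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32
    + encode_config([
        (1, T_SHORT, 8),           # BeaconType 8 = HTTPS
        (2, T_SHORT, 443),
        (3, T_INT, 60000),         # sleep time in milliseconds
        (8, T_BYTES, b"c2.example.invalid,/jquery-3.3.1.min.js".ljust(256, b"\x00")),
        (37, T_INT, 1357776117),
    ], 0x2E)
    + b"\xff" * 16
)

if __name__ == "__main__":
    off, key = find_config(SAMPLE_BLOB)
    print(f"config at 0x{off:x}, key 0x{key:02x}")
    for name, value in decode_config(SAMPLE_BLOB, off, key).items():
        print(f"  {name:12} {value}")
```

On a real payload the config is usually found after the beacon stage has been decoded (or in a memory dump of a running beacon), so the scan should be run over that buffer rather than the raw packed loader. Pivoting on the watermark, as the report did via ThreatFox, works because it is derived from the licence the operator used to build the beacon rather than from any per-campaign setting.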
The broader takeaways are that AV/EDR bypass tools continue to proliferate in underground markets, often sold on subscription models with regular updates, and that attackers frequently reuse open-source bypass code, pair it with a vulnerable driver, and advertise it with recorded demonstration videos. Monitoring underground forums and analyzing operational artifacts can expose seller identities and help defenders block tooling, infrastructure, and behaviors. Organizations should block the indicators provided in this report, enable their endpoint agent’s anti-tampering protections, and review endpoint policies and configurations so that similar bypass attempts are detected and prevented.
Read more: https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/