{
	"id": "870bf764-d3b3-4664-bbbe-f7d5581001e0",
	"created_at": "2026-04-06T00:17:28.605701Z",
	"updated_at": "2026-04-10T03:31:49.927234Z",
	"deleted_at": null,
	"sha1_hash": "f8d9c9269b18c8d3b2d51a68c95d22a7d7abb231",
	"title": "PoorTry Windows driver evolves into a full-featured EDR wiper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2168317,
	"plain_text": "PoorTry Windows driver evolves into a full-featured EDR wiper\r\nBy Bill Toulas\r\nPublished: 2024-08-28 · Archived: 2026-04-05 21:56:25 UTC\r\nThe malicious PoorTry kernel-mode Windows driver used by multiple ransomware gangs to turn off Endpoint Detection and\r\nResponse (EDR) solutions has evolved into an EDR wiper, deleting files crucial for the operation of security solutions and\r\nmaking restoration harder.\r\nThough Trend Micro had warned about this functionality added on Poortry since May 2023, Sophos has now confirmed\r\nseeing the EDR wiping attacks in the wild.\r\nThis evolution of PoorTry from an EDR deactivator to an EDR wiper represents a very aggressive shift in tactics by\r\nransomware actors, who now prioritize a more disruptive setup phase to ensure better outcomes in the encryption stage.\r\nhttps://www.bleepingcomputer.com/news/security/poortry-windows-driver-evolves-into-a-full-featured-edr-wiper/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/poortry-windows-driver-evolves-into-a-full-featured-edr-wiper/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nPoorTry, also known as 'BurntCigar,' was developed in 2021 as a kernel-mode driver to disable EDR and other security\r\nsoftware.\r\nThe kit, used by several ransomware gangs, including BlackCat, Cuba, and LockBit, first gained attention when its\r\ndevelopers found ways to get their malicious drivers signed through Microsoft's attestation signing process. 
Other\r\ncybercrime groups, such as Scattered Spider, were also seen utilizing the tool in breaches focused on credential theft and\r\nSIM-swapping attacks.\r\nThroughout 2022 and 2023, PoorTry continued to evolve, optimizing its code and using obfuscation tools like VMProtect,\r\nThemida, and ASMGuard to pack the driver and its loader (Stonestop) for evasion.\r\nEvolution to a wiper\r\nThe latest report by Sophos is based on a RansomHub attack in July 2024 that employed PoorTry to delete critical executable\r\nfiles (EXEs), dynamic link libraries (DLLs), and other essential components of security software.\r\nThis ensures that EDR software cannot be recovered or restarted by defenders, leaving the system completely unprotected in\r\nthe following encryption phase of the attack.\r\nThe process starts with the user-mode component of PoorTry identifying the security software's installation directories and\r\nthe critical files within those directories.\r\nIt then sends requests to the kernel-mode component to systematically terminate security-related processes and then delete\r\ntheir crucial files.\r\nPaths to those files are hardcoded into PoorTry, while the user-mode component supports deletion either by file name or\r\ntype, giving it some operational flexibility to cover a broader range of EDR products.\r\nDeleting by file type functionality\r\nsource: Sophos\r\nThe malware can be fine-tuned to delete only files crucial to the EDR's operation, avoiding unnecessary noise in the risky\r\nfirst phases of the attack.\r\nSophos also notes that the latest PoorTry variants employ signature timestamp manipulation to bypass security checks on\r\nWindows and use the metadata from other software like Internet Download Manager by Tonec Inc.\r\nDriver properties\r\nsource: Sophos\r\nThe attackers were seen employing a tactic known as \"certificate 
roulette,\" where they deploy multiple variants of the same\r\npayload signed with different certificates to increase the chances that at least one will execute successfully.\r\nVarious certificates used for signing the PoorTry driver over time\r\nsource: Sophos\r\nDespite efforts to track PoorTry's evolution and stop its effectiveness, the developers of the tool have shown a remarkable\r\nability to adapt to new defense measures.\r\nThe EDR wiping functionality gives the tool an edge over defenders responding to attacks but could also provide new\r\nopportunities for detecting the attacks in the pre-encryption phase.\r\nSource: https://www.bleepingcomputer.com/news/security/poortry-windows-driver-evolves-into-a-full-featured-edr-wiper/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/poortry-windows-driver-evolves-into-a-full-featured-edr-wiper/"
	],
	"report_names": [
		"poortry-windows-driver-evolves-into-a-full-featured-edr-wiper"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434648,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8d9c9269b18c8d3b2d51a68c95d22a7d7abb231.pdf",
		"text": "https://archive.orkl.eu/f8d9c9269b18c8d3b2d51a68c95d22a7d7abb231.txt",
		"img": "https://archive.orkl.eu/f8d9c9269b18c8d3b2d51a68c95d22a7d7abb231.jpg"
	}
}