
Threat Actor Characterization

AbyssWalker

ID: a0088daacd49e0dbad122c3558c1583077726
Cybercrime Cybercriminal Malware Dev Ransomware Affiliate
Threat types: Ransomware, RaaS
Unknown
Updated: 2026-04-13
Created: 2026-02-24
Progress: 73% Completeness: 66% Freshness: 90%
Operation zone:
Aliases: ABYSSWORKER EDR killer driver
MITRE ATT&CK®

AbyssWalker (ABYSSWORKER) is a malicious Windows kernel driver used in ransomware intrusion chains (notably Medusa-associated activity) to disable or degrade endpoint security tooling. It exposes an IOCTL-driven interface to terminate processes, remove callbacks, detach minifilters, and interfere with other drivers. The driver is reported as signed with revoked certificates, enabling kernel loading in environments enforcing signing.


Technique | Technique name | Tactics (evidence listed beneath each row)
T1211 | Exploitation for Defense Evasion | TA0005
  • 2025-03-19 — Kernel driver used to disable anti-malware and EDR capabilities aligns with driver-based defense evasion patterns.
T1553.002 | Code Signing | TA0005
  • 2025-03-19 — Driver samples are signed with revoked certificates; code signing is leveraged to load kernel-mode code.
T1562.001 | Disable or Modify Tools | TA0005
  • 2025-03-19 — Driver removes callbacks, detaches minifilters, replaces driver major functions, and terminates processes to impair defenses.
T1105 | Ingress Tool Transfer | TA0011
  • 2025-03-19 — Campaign chain deploys loader and driver onto victim systems prior to ransomware; consistent with staged tool transfer.
T1543.003 | Windows Service | TA0003, TA0004
  • 2025-03-19 — INFERENCE (confidence: medium): kernel drivers are typically installed via service creation; the driver creates device objects after initialization, indicating successful load.
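As an added hunting example (not from this profile or from the cited Elastic report), the check below correlates driver-load events whose code-signing status is anything other than Valid with the service registration that installed the driver, covering the T1553.002 and T1543.003 rows above. The event shape, field names, service name and file paths are constructed, Sysmon-like samples, not values from the page.

```python
from typing import Optional

# Constructed Sysmon-like events (paths are placeholders): Event ID 13 records the
# ImagePath of a newly registered service; Event ID 6 (DriverLoad) carries the
# code-signing verdict for the loaded image.
SAMPLE_EVENTS = [
    {"EventID": 13, "Details": "\\??\\C:\\Windows\\Temp\\placeholder.sys",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\svc_example\\ImagePath"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\placeholder.sys",
     "Signed": "true", "SignatureStatus": "Revoked"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def normalize_path(path: str) -> str:
    """Strip quotes and the NT '\\??\\' prefix and lowercase, so ImagePath and
    ImageLoaded values for the same file compare equal."""
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()

def service_for_image_path(target_object: str) -> Optional[str]:
    """Service name when the key is ...\\Services\\<name>\\ImagePath, else None."""
    parts = target_object.split("\\")
    if len(parts) >= 3 and parts[-1].lower() == "imagepath" and parts[-3].lower() == "services":
        return parts[-2]
    return None

def find_suspicious_driver_loads(events: list) -> list:
    """Return one finding per driver load whose signature status is not 'Valid'
    (Revoked, Expired, Unavailable ...), with the installing service if seen."""
    image_to_service = {}
    for ev in events:
        if ev.get("EventID") == 13:
            name = service_for_image_path(ev.get("TargetObject", ""))
            if name:
                image_to_service[normalize_path(ev.get("Details", ""))] = name
    findings = []
    for ev in events:
        if ev.get("EventID") != 6:
            continue
        status = ev.get("SignatureStatus", "Unavailable")
        if status == "Valid":
            continue  # properly signed driver: out of scope for this hunt
        image = normalize_path(ev["ImageLoaded"])
        findings.append({"driver": ev["ImageLoaded"], "status": status,
                         "service": image_to_service.get(image)})
    return findings
```

Running it over real Sysmon exports means feeding the parsed EventData dicts into find_suspicious_driver_loads; a Revoked status on a driver whose service was registered minutes before is the pattern the T1553.002 and T1543.003 rows describe.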
Strategic Intelligence
Last updated: 2026-02-24T16:57:53+00:00

AbyssWalker

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

IOC Appendix
Last updated: 2026-02-24T16:59:11+00:00

IOC Appendix — AbyssWalker (Seed Set)


OSINT Library
Last saved: 2026-02-24T16:59:27+00:00

OSINT Library — AbyssWalker


2025-03-19 — Elastic Security Labs — “Shedding light on the ABYSSWORKER driver”

Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.