ABYSSWORKER

ABYSSWORKER is a malicious Windows kernel-mode driver/rootkit used for defense evasion, especially to disable or interfere with endpoint security products. It has been observed masquerading as legitimate security vendor drivers, including Palo Alto Networks Cortex XDR PnP Device Filter Driver (tdevflt.sys) and, in other reporting, a CrowdStrike Falcon driver. The malware is associated with BYOVD-style tradecraft and EDR-killer activity, and has been used alongside packed loaders such as HEARTCRYPT. Reporting links it to financially motivated ransomware operations including Medusa, DragonForce, and activity discussed in relation to Osiris intrusions; commercial tooling such as AbyssKiller pairs the ABYSSWORKER rootkit with a loader and has been observed in the wild. Some reporting also refers to related activity or samples as Poortry.

High-confidence capabilities described in the content include terminating processes and threads, removing or tampering with kernel callbacks, detaching MiniFilter components, replacing driver major functions to disable targeted drivers, restoring hooks, manipulating files, protecting the malware client process by stripping and denying handles, and rebooting the system. Elastic reported that ABYSSWORKER exposes multiple IOCTL handlers, requires a hardcoded enablement password, creates a device at \device\czx9umpTReqbOOKF and a symbolic link at \??\fqg0Et4KlNt4s1JT, and can target different EDR vendors. The malware has been signed with revoked or likely stolen certificates from Chinese companies; one reported sample masquerading as Palo Alto Networks tdevflt.sys had SHA256 8284c8676cc22c4b2e66826ac16986da7ddecba1f2776b16771be17bfdc45dc2 and was described as installable as a kernel service from C:\windows\temp\tdevflt.sys. Public reporting places ABYSSWORKER in ransomware intrusion chains as a kernel-level tool for silencing defenses prior to or during ransomware deployment.