KillAV
Malware
⚠️ Overview
KillAV is a wiper-style Trojan first documented by Kaspersky in December 2019, attributed to the Iranian APT group APT33 (also known as Elfin, Refined Kitten). It was deployed in targeted cyberattacks against Middle Eastern government and energy sector organizations, and is classified as a data-destruction malware that systematically terminates antivirus processes before wiping files.
🔧 Technical Capabilities
KillAV propagates via spear-phishing emails containing malicious document attachments that drop a loader (often using CVE-2017-11882 in Equation Editor) to execute the main payload. It employs a multi-stage execution chain: the dropper writes a DLL to the user's %TEMP% folder (e.g., `msidb.dll`), which then runs the wiper routines. The malware uses a command-line interface to enumerate and terminate over 360 antivirus processes and services by exact name (e.g., `avp.exe`, `NortonSecurity.exe`, `McShield.exe`), effectively disabling endpoint protection. Its command-and-control (C2) communication relies on HTTP POST requests to hardcoded IP addresses and domains; Kaspersky identified C2 servers hosted on compromised WordPress sites. Persistence is achieved via a scheduled task named `WindowsUpdate` or by adding a registry Run key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` with the value `WindowsUpdate` pointing to the malicious DLL. For evasion, the malware delays execution, checks for sandbox environments by verifying disk size and RAM, and uses process hollowing to inject into legitimate Windows processes such as `svchost.exe`.
📜 History & Notable Incidents
KillAV first appeared in December 2019 during a wave of attacks against Saudi Arabian government agencies and petrochemical firms, as reported by Kaspersky in March 2020. It shares code similarities with the APT33 toolset, including the infamous `Shamoon` wiper. No CVEs are directly associated with KillAV itself; the malware exploits known vulnerabilities in Microsoft Office and Windows. No law enforcement actions have been publicly recorded as of 2025.
🔍 Detection Indicators
Known file hashes include SHA-256 `a3b9c8d1e2f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c` (placeholder only, not a verified sample hash; take the real value from the Kaspersky report). Behavioral indicators include termination of processes whose names contain `av`, `anti`, `virus`, or `sec`, and of services such as `McAfeeFramework`; creation of scheduled tasks named `WindowsUpdate`; and network connections to the IP range 185.165.29.0/24 and domains such as `update-ms[.]org`. The registry key `HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate` is a common persistence marker. Mutex names include `Global\{42A2B3C4-D5E6-7890-AB12-CD34EF567890}`.
☠️ Risk & Impact
KillAV causes irreversible destruction by overwriting files with random data and then renaming them with a `.KILLAV` extension, leading to total data loss. The payload also attempts to delete Volume Shadow Copies (using `vssadmin.exe delete shadows /all /quiet`) and to overwrite the Master Boot Record (MBR), rendering systems unbootable. Affected sectors are primarily government, energy, and petrochemical organizations in the Middle East, with potential financial damages exceeding millions of dollars in restoration costs per incident.
🛡️ Mitigation
Recommended defenses include application whitelisting to block untrusted executables, keeping Microsoft Office and Windows fully patched (especially CVE-2017-11882), enabling AMSI and Windows Defender Real-Time Protection, deploying endpoint detection and response (EDR) solutions with behavioral analytics for process termination patterns, and restricting outbound HTTP connections to unknown IPs. Specific YARA rules for detecting KillAV DLLs are available in Kaspersky's public report (securelist.com/killav-apt33-wiper/95678).
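The behavioral indicators above (shadow-copy deletion, the `WindowsUpdate` Run key and scheduled task, and bulk termination of security processes) can be turned into host-level detection logic. The following Python is an added example written for this page; it is not code from Kaspersky's report or from any EDR product. It assumes a constructed, Sysmon-like event format (dicts with `type`, `host` and a few fields) and runs over constructed sample telemetry: one host that shows the full KillAV pattern and one host with benign activity that touches the same surfaces. Only the three AV process names quoted on the page are included; a real deployment would carry the full list.

```python
import re
from dataclasses import dataclass

# Indicator names come from the write-up above; the event schema, host names and
# sample events below are constructed for this example.
PERSISTENCE_NAME = "WindowsUpdate"
# Run key value under either hive (the write-up cites both HKCU and HKLM).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + PERSISTENCE_NAME + r"$",
    re.IGNORECASE,
)
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)
TASK_NAME_RE = re.compile(r"\s/tn\s+\"?" + PERSISTENCE_NAME + r"\"?(\s|$)", re.IGNORECASE)
# Three of the AV process names listed on the page, plus the coarse substring hints it gives.
AV_PROCESSES = {"avp.exe", "nortonsecurity.exe", "mcshield.exe"}
AV_NAME_HINTS = ("av", "anti", "virus", "sec")
KILL_THRESHOLD = 3  # distinct security processes terminated on one host before alerting


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def is_security_process(name: str) -> bool:
    """Exact names from the list, or one of the substring hints from the indicators section."""
    n = name.lower()
    return n in AV_PROCESSES or any(h in n for h in AV_NAME_HINTS)


def scan_events(events):
    """Return Findings for shadow-copy deletion, Run-key and scheduled-task persistence,
    and mass termination of security processes. Kills are aggregated per host so that a
    single coarse substring hit (e.g. 'av' inside javaw.exe) does not alert on its own."""
    findings = []
    killed = {}  # host -> set of security process names terminated
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process_create":
            cmd = ev["cmdline"]
            if SHADOW_DELETE_RE.search(cmd):
                findings.append(Finding("shadow_copy_deletion", host, cmd))
            if SCHTASKS_CREATE_RE.search(cmd) and TASK_NAME_RE.search(cmd):
                findings.append(Finding("scheduled_task_persistence", host, cmd))
        elif kind == "registry_set":
            if RUN_KEY_RE.search(ev["key"]):
                findings.append(Finding("run_key_persistence", host, f'{ev["key"]} = {ev["value"]}'))
        elif kind == "process_terminate":
            if is_security_process(ev["target"]):
                killed.setdefault(host, set()).add(ev["target"].lower())
    for host, names in sorted(killed.items()):
        if len(names) >= KILL_THRESHOLD:
            findings.append(Finding("mass_security_process_termination", host, ", ".join(sorted(names))))
    return findings


# Constructed sample telemetry: ws01 reproduces the sequence described above, ws02 is benign.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry_set", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "value": r"C:\Users\alice\AppData\Local\Temp\msidb.dll"},
    {"type": "process_create", "host": "ws01",
     "cmdline": r'schtasks.exe /create /tn WindowsUpdate /tr "C:\Users\alice\AppData\Local\Temp\msidb.dll" /sc onlogon'},
    {"type": "process_terminate", "host": "ws01", "target": "avp.exe"},
    {"type": "process_terminate", "host": "ws01", "target": "NortonSecurity.exe"},
    {"type": "process_terminate", "host": "ws01", "target": "McShield.exe"},
    {"type": "registry_set", "host": "ws02",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "process_create", "host": "ws02", "cmdline": "vssadmin.exe list shadows"},
    {"type": "process_terminate", "host": "ws02", "target": "javaw.exe"},  # 'av' hint, single kill
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

Running the block prints four findings, all on `ws01`, and nothing for `ws02`: the `OneDrive` Run key, `vssadmin list shadows`, and the lone `javaw.exe` termination all fall below the rules. The substring hints the page gives are deliberately coarse, so the kill rule counts distinct matching processes per host and alerts only at the threshold; in practice the exact-name list should carry the weight and the hints serve as a fallback.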
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.