← All drivers
malicious
Driver

burntcigar.sys

BurntCigar EDR killer

From Unknown criminal threat actor
Status
On a known malicious list
Known variants
1 distinct hashes
Field notes

burntcigar.sys is a malicious kernel driver designed to terminate endpoint protection processes before criminal threat actors deploy their payload. First observed in November 2021, it has been documented by Sophos, Mandiant, and Fortinet as a defense-evasion tool used by the Cuba (UNC2596) criminal group, among others. BlackCat, LockBit, and other data-extortion operators have also been documented using it.

BurntCigar targets over 200 security processes by name. Early variants were signed with stolen NVIDIA certificates; later versions abused Microsoft's WHQL attestation signing before Microsoft deactivated the fraudulent accounts. Sophos documented a further evolution in which the driver moved beyond process termination to actively wiping endpoint protection files from disk.

The tool uses a user-mode loader (sometimes called Stonestop) to install and start the driver. It is on the public LOLDrivers list.

Not a legitimate vendor driver. Its presence has no innocent explanation. If found, escalate to incident response.

What the record shows

burntcigar.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. This filename matches a public malicious list. Vera notes it as evidence on a record; the meaning still belongs to the people with the context.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “burntcigar.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/burntcigar-sys