burntcigar.sys
BurntCigar EDR killer
burntcigar.sys is a malicious kernel driver designed to terminate endpoint protection processes before criminal threat actors deploy their payload. First observed in November 2021, it has been documented by Sophos, Mandiant, and Fortinet as a defense-evasion tool used by the Cuba (UNC2596) criminal group, among others. BlackCat, LockBit, and other data-extortion operators have also been documented using it.
BurntCigar targets over 200 security processes by name. Early variants were signed with stolen NVIDIA certificates; later versions abused Microsoft's WHQL attestation signing before Microsoft deactivated the fraudulent accounts. Sophos documented a further evolution in which the driver moved beyond process termination to actively wiping endpoint protection files from disk.
The tool uses a user-mode loader (sometimes called Stonestop) to install and start the driver. It is on the public LOLDrivers list.
Not a legitimate vendor driver. Its presence has no innocent explanation. If found, escalate to incident response.
burntcigar.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “burntcigar.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/burntcigar-sys
