kapchelper_x64.sys
ApcHelper EDR killer
kapchelper_x64.sys (internally "ApcHelper") is a kernel driver used by the BurntCigar toolkit in Cuba (UNC2596) operations to terminate endpoint protection processes at kernel level. It was signed with a stolen NVIDIA certificate from the Lapsus$ breach of 2022. Sophos documented it alongside other signed malicious drivers in a December 2022 report showing criminal threat actors moving up the software trust chain.
Not a legitimate vendor driver. See the burntcigar.sysDriverburntcigar.sysBurntCigar EDR killerOpen plate → entry for context on the broader toolkit. If found, escalate to incident response.
kapchelper_x64.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “kapchelper_x64.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/kapchelper-x64-sys
