← All drivers
malicious
Driver

kapchelper_x64.sys

ApcHelper EDR killer

From Unknown threat actor (signed with stolen NVIDIA certificate)
Status
On a known malicious list
Known variants
1 distinct hashes
Field notes

kapchelper_x64.sys (internally "ApcHelper") is a kernel driver used by the BurntCigar toolkit in Cuba (UNC2596) operations to terminate endpoint protection processes at kernel level. It was signed with a stolen NVIDIA certificate from the Lapsus$ breach of 2022. Sophos documented it alongside other signed malicious drivers in a December 2022 report showing criminal threat actors moving up the software trust chain.

Not a legitimate vendor driver. See the burntcigar.sysDriverburntcigar.sysBurntCigar EDR killerOpen plate → entry for context on the broader toolkit. If found, escalate to incident response.

What the record shows

kapchelper_x64.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. This filename matches a public malicious list. Vera notes it as evidence on a record; the meaning still belongs to the people with the context.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “kapchelper_x64.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/kapchelper-x64-sys