Detection and Blocking of PCHunter as Hacktool.PCHunter

Article ID: 428758

Products

Endpoint Security Endpoint Protection Carbon Black Cloud Endpoint Standard CASB Security Standard CASB Audit

Issue/Introduction

PCHunter is an advanced Windows system analysis and security tool designed for in-depth inspection and malware removal. It is frequently used by security professionals for deep detection of malicious activity, including rootkits, hidden processes, and unauthorized kernel drivers.
However, recent threat intelligence indicates that multiple ransomware operators are abusing PCHunter to disable security products before deploying ransomware or performing data exfiltration.

Cause

Threat Overview

Observed Abuse

Attackers have been leveraging PCHunter to terminate security product services and processes prior to launching payloads. Various threat actors have been confirmed to use PCHunter in their ransomware campaigns, including:

  • Qilin
  • Akira
  • MedusaLocker
  • Makop

Threat research teams at Broadcom have observed multiple pre-ransomware activities involving PCHunter, where it was used to neutralize defences, thereby enabling:

  • Ransomware deployment
  • Data exfiltration
  • Secondary malware deployment

Current Status

  • The PCHunter dropper and driver both currently have a good reputation, which allows them to execute due to reputation-based trust.
  • Despite its benign reputation, PCHunter is actively used by attackers to disable protection layers.

Resolution

Implementation

    1. PCHunter will be blocked statically using the VID/signature Hacktool.PCHunter.
    2. Reputation-based changes and SDS blocking will extend protection to the Carbon Black (CB) products as well.

If the tool has to be used, you can exclude PCHunter detections using:

  • Hash-based exclusion, or
  • VID (Hacktool.PCHunter) exclusion