Eriyahnit takes its name from Airachnid, the cruel and villainous character from the Transformers series; the spelling 'Eriyahnit' was chosen instead of 'Airachnid' to make the name more unique. Eriyahnit is a fileless initial access and persistence kit. It registers itself on the system as a scheduled task, and when that task executes, all operations occur in memory. Even if it is detected by antivirus solutions, it cannot be quarantined without manual intervention.
Eriyahnit is used to establish persistence on a device, bypass security mechanisms, and obtain full system control. However, Eriyahnit has one major limitation: for the program to execute successfully, it must either bypass User Account Control (UAC) or run on a system where UAC is disabled. Of course, this only applies to the initial access stage; once a device has been compromised by Eriyahnit, UAC no longer provides meaningful protection.
Eriyahnit's greatest advantage is that even if it is detected, it cannot be quarantined, because there is no malicious file to isolate: all operations are executed through PowerShell and occur in memory. Note that this applies to the payload, not to the persistence mechanism itself. The scheduled task definition is stored on disk by Windows (under %SystemRoot%\System32\Tasks), so the task can be found and deleted even though the code it launches never exists as a file.
If your device has been infected with Eriyahnit, there is no need to panic. Eriyahnit was released strictly for educational and awareness purposes, and potential misuse has been taken into consideration. Using the AntiEriyahnit utility distributed alongside it, you can easily remove Eriyahnit from your device without requiring any technical knowledge.
After configuring the necessary settings in Eriyahnit, the program generates a .ps1 file. When this file is executed with administrator privileges, the infection process begins and the device becomes compromised. Eriyahnit becomes especially dangerous when combined with a UAC bypass technique.
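To make the mechanism concrete, here is an added, benign demonstration of the same pattern (this is example code written for this page, not Eriyahnit's generated .ps1): a scheduled task whose action is powershell.exe with a base64 -EncodedCommand, so the payload lives only in the task's command line and in memory, never as a script file. The task name "EriyahnitDemo", the marker file, the logon trigger and the run-as-current-user principal are assumptions for this demo. It must be run from an elevated session and it removes the task again at the end.

```powershell
# Added example (not Eriyahnit's code): benign demo of the
# scheduled-task + in-memory PowerShell pattern. Run elevated.
# Task name, marker file path, trigger and principal are assumptions.
#Requires -RunAsAdministrator

$taskName = 'EriyahnitDemo'                           # assumed name
$marker   = Join-Path $env:TEMP 'eriyahnit-demo.txt'  # assumed proof-of-execution file

# The payload never touches disk as a .ps1: it is carried inside the task's
# command line as a base64 (UTF-16LE) encoded command. This harmless payload
# only appends a timestamp so we can confirm the task actually ran.
$payload = "Add-Content -Path '$marker' -Value (Get-Date -Format o)"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand $encoded"
$trigger   = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
               -LogonType Interactive -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -Hidden

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Fire it once now instead of waiting for the logon trigger.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 3

"Marker file contents:"
Get-Content $marker -ErrorAction SilentlyContinue

# Caveat for defenders: "fileless" describes the payload, not the persistence.
# Windows stores the task definition on disk; it can be exported or deleted.
$taskFile = Join-Path $env:SystemRoot "System32\Tasks\$taskName"
"Task definition on disk: $taskFile (exists: $(Test-Path $taskFile))"
(Export-ScheduledTask -TaskName $taskName) -split "`n" |
    Select-String 'Command|Arguments' | ForEach-Object { $_.Line.Trim() }

# Cleanup
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
Remove-Item $marker -ErrorAction SilentlyContinue
```

The <Command> and <Arguments> lines printed from the exported XML are exactly what a hunt for this technique keys on: a PowerShell host launched hidden with an encoded command, recorded in a task file that survives reboots.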
If you want to remove Eriyahnit from an infected system, you can do so by opening a PowerShell console with administrator privileges and copy-pasting the AntiEriyahnit code into it. This allows the system to be cleaned without requiring advanced technical knowledge.
Disclaimer: Eriyahnit is shared strictly for educational and awareness purposes. Potential misuse scenarios were taken into consideration, which is why it is distributed together with AntiEriyahnit. The developer is not responsible for any misuse of the software.
(And to share my personal opinion: Eriyahnit operates at an APT/TTP-level capability, and for effective real-world usage it would need to be combined with a proper UAC bypass technique. I do not think most hackers are capable of doing that. Of course, there will be individuals who can, but those people would most likely keep such knowledge private.)
The .ps1 file generated by Eriyahnit must be run with administrator privileges, and PowerShell must have permission to execute .ps1 files.
Alternatively, you can copy the code from the provided .ps1 file and paste it into a PowerShell window that is running as administrator.
To allow PowerShell to run .ps1 files, use the following command (the Process scope applies only to the current PowerShell session and is not persisted):
Set-ExecutionPolicy RemoteSigned -Scope Process
After the task has been created, start it with (the examples below use a task named "test"):
Start-ScheduledTask -TaskName "test"
To delete the task:
Unregister-ScheduledTask -TaskName "test" -Confirm:$false
If Eriyahnit's code continues to execute even after you have deleted the task, a PowerShell session spawned by the task is still running in the background. This is intentional and is designed to make Eriyahnit more effective.
To get rid of it:
- Find all running PowerShell processes. Run this command to list them with their command lines and identify the malicious one(s) (note that the filter only matches Windows PowerShell, powershell.exe; PowerShell 7 runs as pwsh.exe):
Get-CimInstance Win32_Process -Filter "Name='powershell.exe'" | Select-Object ProcessId, CommandLine | Format-List
- Terminate the malicious process. Use the PID (e.g., 1388) from the output:
Stop-Process -Id 1388 -Force
Warning: If someone knowledgeable modifies Eriyahnit, stopping it may not be this easy.
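The task removal steps and the process cleanup steps above can be combined into one hunt. The following is an added example written for this page (it is not AntiEriyahnit and not Eriyahnit's own code): it lists scheduled tasks whose action launches powershell.exe or pwsh.exe with suspicious arguments, lists every running PowerShell host with its parent and full command line, decodes any -EncodedCommand payload so you can read what it does, and, only with -Remove, unregisters the tasks and stops the flagged processes. The suspicious-argument heuristics, the function names and the -Remove switch are assumptions; run it elevated.

```powershell
# Added example (not Eriyahnit's or AntiEriyahnit's code): hunt for the two
# artifacts the removal steps target, the scheduled task and the lingering
# PowerShell host, and optionally remove them. Run elevated.
# Heuristics, function names and the -Remove switch are assumptions.
#Requires -RunAsAdministrator

function ConvertFrom-EncodedCommand {
    # Decode the base64 (UTF-16LE) payload behind -EncodedCommand / -enc / -e, if present.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})') {
        try   { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return "<undecodable: $($_.Exception.Message)>" }
    }
    return $null
}

# Argument patterns typical of in-memory PowerShell launchers (heuristic, assumed).
$suspicious = '(?i)-(?:e|ec|en|enc|encodedcommand)\s|-w(?:indowstyle)?\s+h|-ep\s+bypass|executionpolicy\s+bypass|\biex\b|invoke-expression|downloadstring|frombase64string'

function Find-SuspiciousPowerShellTask {
    # Scheduled tasks whose action runs a PowerShell host with suspicious arguments.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -match '(?i)(powershell|pwsh)(\.exe)?$' -and $a.Arguments -match $suspicious) {
                [pscustomobject]@{
                    TaskPath   = $task.TaskPath
                    TaskName   = $task.TaskName
                    State      = $task.State
                    Arguments  = $a.Arguments
                    Decoded    = ConvertFrom-EncodedCommand $a.Arguments
                    # Windows keeps the task definition here; this is the on-disk artifact.
                    OnDiskFile = Join-Path $env:SystemRoot "System32\Tasks$($task.TaskPath)$($task.TaskName)"
                }
            }
        }
    }
}

function Get-PowerShellHost {
    # Every running Windows PowerShell (powershell.exe) and PowerShell 7 (pwsh.exe) process.
    Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='pwsh.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<exited> ($($_.ParentProcessId))" }
            Suspicious  = [bool]($_.CommandLine -match $suspicious)
            CommandLine = $_.CommandLine
            Decoded     = ConvertFrom-EncodedCommand $_.CommandLine
        }
    }
}

function Remove-PowerShellPersistence {
    # Dry run by default. With -Remove: unregister tasks first so nothing
    # re-launches, then stop the flagged hosts (never our own session).
    param([switch]$Remove)
    $tasks = @(Find-SuspiciousPowerShellTask)
    $hosts = @(Get-PowerShellHost)
    $tasks | Format-List TaskPath, TaskName, State, Arguments, Decoded, OnDiskFile
    $hosts | Format-List ProcessId, Parent, Suspicious, CommandLine, Decoded
    $targets = @($hosts | Where-Object { $_.Suspicious -and $_.ProcessId -ne $PID })
    if (-not $Remove) {
        "Dry run: re-run with -Remove to unregister $($tasks.Count) task(s) and stop $($targets.Count) process(es)."
        return
    }
    foreach ($t in $tasks)   { Unregister-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -Confirm:$false }
    foreach ($p in $targets) { Stop-Process -Id $p.ProcessId -Force }
}

Remove-PowerShellPersistence            # review the findings first
# Remove-PowerShellPersistence -Remove  # then clean up
```

Review the dry-run output before using -Remove: a legitimate host such as your own console or an administrative script can match the heuristics, and a modified variant may not, which is why the process list is printed in full with a Suspicious flag rather than filtered.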