Baidu Antivirus driver security-process termination flaw actively exploited (CVE-2024-51324)
Vulnerability
Summary
Hide ▲
Show ▼
Researchers confirmed active exploitation of CVE-2024-51324 in a Baidu Antivirus driver, allowing attackers to terminate security processes and weaken endpoint defenses. The flaw is being used in a BYOVD chain that gives malware kernel-level control over security software. That abuse can clear the way for full system compromise and make recovery harder by disabling protections.
Related Happenings
GodDamn ransomware PoisonX BYOVD activity
Malware Activity
H score15
First: 09.07.2026 13:43
Last: 09.07.2026 13:43
Sources 1
About this happening:
The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
GodDamn ransomware PoisonX BYOVD activity
Malware ActivityAbout this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation Wave
H score41
First: 30.06.2026 11:53
Last: 30.06.2026 11:53
Sources 1
About this happening:
CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation WaveAbout this happening: CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
TinyRCT backdoor with persistence, exfiltration, and self-deletion
Malware Activity
H score22
First: 26.06.2026 13:30
Last: 26.06.2026 13:30
Sources 1
About this happening:
The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...
TinyRCT backdoor with persistence, exfiltration, and self-deletion
Malware ActivityAbout this happening: The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...
EDR killer abusing EnPortv.sys to disable 59 security tools
Malware Activity
H score19
First: 04.02.2026 16:17
Last: 04.02.2026 16:17
Sources 1
About this happening:
A custom **EDR killer** abused **EnPortv.sys** to disable endpoint security tools on infected Windows hosts, creating a window for follow-on intrusion activity. The 64-bit executa...
EDR killer abusing EnPortv.sys to disable 59 security tools
Malware ActivityAbout this happening: A custom **EDR killer** abused **EnPortv.sys** to disable endpoint security tools on infected Windows hosts, creating a window for follow-on intrusion activity. The 64-bit executa...
Velociraptor DFIR abuse for ransomware persistence
Malware Activity
H score33
First: 09.10.2025 22:31
Last: 09.10.2025 22:31
Sources 1
About this happening:
The **Velociraptor** DFIR tool is being abused in **ransomware attacks** tied to **Storm-2603** (aka **CL-CRI-1040**/**Gold Salem**), with **ToolShell** used for initial access to...
Velociraptor DFIR abuse for ransomware persistence
Malware ActivityAbout this happening: The **Velociraptor** DFIR tool is being abused in **ransomware attacks** tied to **Storm-2603** (aka **CL-CRI-1040**/**Gold Salem**), with **ToolShell** used for initial access to...
Timeline
-
09.12.2025 18:00 2 articles · 7mo ago
DeadLock BYOVD campaign exploits CVE-2024-51324
Initial DisclosureA financially motivated DeadLock ransomware campaign abused a Bring Your Own Vulnerable Driver (BYOVD) chain against CVE-2024-51324 in a Baidu Antivirus driver to kill endpoint detection processes, disable security and backup services, erase shadow copies, and clear the path to full system compromise. The payload was compiled in July 2025, used a custom loader, PowerShell, RDP, and AnyDesk, appended .dlock to encrypted files, and delayed encryption by about 50 seconds while avoiding core Windows directories and critical system files.
Show sources
- DeadLock Ransomware Uses BYOVD to Evade Security Measures — www.infosecurity-magazine.com — 09.12.2025 18:00
- DeadLock Ransomware Uses BYOVD to Evade Security Measures — www.infosecurity-magazine.com — 09.12.2025 18:00