Find notable cyber news and cases, enriched with sources, timelines, and signals.

Baidu Antivirus driver security-process termination flaw actively exploited (CVE-2024-51324)

Vulnerability
First reported
Last updated
Happening score
H score 1
1 unique sources, 1 articles

Summary

Hide ▲

Researchers confirmed active exploitation of CVE-2024-51324 in a Baidu Antivirus driver, allowing attackers to terminate security processes and weaken endpoint defenses. The flaw is being used in a BYOVD chain that gives malware kernel-level control over security software. That abuse can clear the way for full system compromise and make recovery harder by disabling protections.

Related Happenings

GodDamn ransomware PoisonX BYOVD activity

Malware Activity
H score15 First: 09.07.2026 13:43 Last: 09.07.2026 13:43 Sources 1

About this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...

Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave

Exploitation Wave
H score41 First: 30.06.2026 11:53 Last: 30.06.2026 11:53 Sources 1

About this happening: CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...

TinyRCT backdoor with persistence, exfiltration, and self-deletion

Malware Activity
H score22 First: 26.06.2026 13:30 Last: 26.06.2026 13:30 Sources 1

About this happening: The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...

EDR killer abusing EnPortv.sys to disable 59 security tools

Malware Activity
H score19 First: 04.02.2026 16:17 Last: 04.02.2026 16:17 Sources 1

About this happening: A custom **EDR killer** abused **EnPortv.sys** to disable endpoint security tools on infected Windows hosts, creating a window for follow-on intrusion activity. The 64-bit executa...

Velociraptor DFIR abuse for ransomware persistence

Malware Activity
H score33 First: 09.10.2025 22:31 Last: 09.10.2025 22:31 Sources 1

About this happening: The **Velociraptor** DFIR tool is being abused in **ransomware attacks** tied to **Storm-2603** (aka **CL-CRI-1040**/**Gold Salem**), with **ToolShell** used for initial access to...

Timeline

  1. 09.12.2025 18:00 2 articles · 7mo ago

    DeadLock BYOVD campaign exploits CVE-2024-51324

    Initial Disclosure

    A financially motivated DeadLock ransomware campaign abused a Bring Your Own Vulnerable Driver (BYOVD) chain against CVE-2024-51324 in a Baidu Antivirus driver to kill endpoint detection processes, disable security and backup services, erase shadow copies, and clear the path to full system compromise. The payload was compiled in July 2025, used a custom loader, PowerShell, RDP, and AnyDesk, appended .dlock to encrypted files, and delayed encryption by about 50 seconds while avoiding core Windows directories and critical system files.

    Show sources