
Baidu Antivirus driver security-process termination flaw actively exploited (CVE-2024-51324)

Vulnerability
Happening score: 20
1 unique source, 1 article

Summary


Researchers confirmed active exploitation of CVE-2024-51324 in a Baidu Antivirus driver, allowing attackers to terminate security processes and weaken endpoint defenses. The flaw is being used in a BYOVD chain that gives malware kernel-level control over security software. That abuse can clear the way for full system compromise and make recovery harder by disabling protections.

Related Happenings

EDR killer abusing EnPortv.sys to disable 59 security tools

Malware Activity
First: 04.02.2026 16:17 Last: 04.02.2026 16:17 Sources 1

About this happening: A custom **EDR killer** abused **EnPortv.sys** to disable endpoint security tools on infected Windows hosts, creating a window for follow-on intrusion activity. The 64-bit executa...

Velociraptor DFIR abuse for ransomware persistence

Malware Activity
First: 09.10.2025 22:31 Last: 09.10.2025 22:31 Sources 1

About this happening: The **Velociraptor** DFIR tool is being abused in **ransomware attacks** tied to **Storm-2603** (aka **CL-CRI-1040**/**Gold Salem**), with **ToolShell** used for initial access to...

Storm-2603 Velociraptor-abuse ransomware campaign

Campaign
First: 09.10.2025 22:31 Last: 09.10.2025 22:31 Sources 1

About this happening: The **Storm-2603** campaign abuses **Velociraptor** as an intrusion enabler during **ransomware attacks**, using an outdated **Velociraptor 0.73.4.0** instance vulnerable to **CVE...

VMware Aria Operations and VMware Tools CVE-2025-41244 exploitation wave

Exploitation Wave
First: 30.09.2025 17:54 Last: 30.09.2025 17:54 Sources 1

About this happening: A **CVE-2025-41244** exploitation wave has affected **VMware Aria Operations** and **VMware Tools** since **mid-October 2024**, creating **privilege-escalation** risk on vulnerabl...

Latest development: 31.10.2025 09:09

CISA added CVE-2025-41244 affecting Broadcom VMware Tools and VMware Aria Operations to the KEV catalog after reports of active exploitation in the wild. Broadcom had already addressed the flaw, which NVISO Labs says was abused as a zero-day since mid-October 2024 to escalate a local actor to root on vulnerable VMs. Federal Civilian Executive Branch agencies must apply mitigations by November 20, 2025.

Dell Control Vault ReVault firmware memory corruption flaw

Vulnerability
First: 22.08.2025 23:21 Last: 22.08.2025 23:21 Sources 1

About this happening: Researchers disclosed **ReVault**, a set of **five CVEs** in **Dell Control Vault** firmware that could enable **code execution**, **secret-key extraction**, and **permanent firmw...

Timeline

  1. 09.12.2025 18:00 2 articles · 5mo ago

    DeadLock BYOVD campaign exploits CVE-2024-51324

    Initial Disclosure

    A financially motivated DeadLock ransomware campaign abused a Bring Your Own Vulnerable Driver (BYOVD) chain against CVE-2024-51324 in a Baidu Antivirus driver to kill endpoint detection processes, disable security and backup services, erase shadow copies, and clear the path to full system compromise. The payload was compiled in July 2025, used a custom loader, PowerShell, RDP, and AnyDesk, appended .dlock to encrypted files, and delayed encryption by about 50 seconds while avoiding core Windows directories and critical system files.
