
EDR killer abusing EnPortv.sys to disable 59 security tools

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


A custom EDR killer abused EnPortv.sys to disable endpoint security tools on infected Windows hosts, creating a window for follow-on intrusion activity. The 64-bit executable targeted 59 EDR and antivirus processes and repeatedly terminated any that restarted. It also registered the driver as a fake OEM hardware service to make persistence harder to remove. The activity appeared alongside an intrusion that used compromised SonicWall SSL VPN credentials and no MFA.

Related Happenings

Microsoft Defender false-positively flags DigiCert root certificates and removes some from Windows trust store

Security Tool/Service
First: 03.05.2026 21:11 Last: 03.05.2026 21:11 Sources 1

About this happening: **Microsoft Defender** began falsely flagging valid **DigiCert root certificates** as **Trojan:Win32/Cerdigent.A!dha**, creating widespread false positives and risking certificate...

Dragon Boss Solutions LLC adware malicious update

Malware Activity
First: 16.04.2026 22:07 Last: 16.04.2026 22:07 Sources 1

About this happening: A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...

ClockRemoval.ps1 antivirus-disabling malware activity linked to Dragon Boss Solutions LLC

Malware Activity
First: 15.04.2026 17:40 Last: 15.04.2026 17:40 Sources 1

About this happening: A signed software operation linked to **Dragon Boss Solutions LLC** was observed using **ClockRemoval.ps1** to disable antivirus on **more than 23,000 endpoints worldwide**, raisi...

EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers

Technical Analysis
First: 19.03.2026 20:52 Last: 19.03.2026 20:52 Sources 1

About this happening: **54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...

Pirated software installer cryptojacking campaign

Campaign
First: 18.02.2026 18:00 Last: 18.02.2026 18:00 Sources 1

About this happening: A **cryptojacking campaign** now spreads through **pirated software bundles**, using a **multi-stage infection chain** to deploy a **bespoke XMRig miner** and maintain persistence...

Timeline

  1. 04.02.2026 16:17 2 articles · 3mo ago

    EDR killer abused EnPortv.sys to disable security tools

    Technical Analysis Update

    A Huntress-reported intrusion on the affected organization used compromised SonicWall SSL VPN credentials and the absence of MFA for initial access, then deployed a 64-bit EDR killer disguised as a firmware update utility to abuse EnPortv.sys, terminate 59 EDR and antivirus processes, bypass Protected Process Light (PPL), and persist as a fake OEM hardware service. Huntress associated the activity with ransomware and said it was stopped before the final payload was deployed.
