
EDR Killer Tool Abuses Revoked EnCase Kernel Driver

1 unique source, 1 article

Summary


A custom EDR killer tool has been observed using a revoked but still valid EnCase kernel driver to disable 59 security tools. The attack involved breaching a network via compromised SonicWall SSL VPN credentials and exploiting the lack of multi-factor authentication (MFA). The tool terminates security processes using the driver's kernel-mode IOCTL interface, bypassing Windows protections like Protected Process Light (PPL). The intrusion is suspected to be related to ransomware activity, though the final payload was not deployed.

Timeline

  1. 04.02.2026 16:17 · 1 article · 8h ago

    EDR Killer Tool Uses Revoked EnCase Kernel Driver


Information Snippets

  • The EDR killer tool uses the 'EnPortv.sys' kernel driver, signed with a certificate that was issued in 2006 and expired in 2010; Windows' driver signature enforcement still accepts the signature, so the driver still loads.

    First reported: 04.02.2026 16:17
    1 source, 1 article
  • The attackers breached the network using compromised SonicWall SSL VPN credentials and exploited the lack of MFA.

    First reported: 04.02.2026 16:17
    1 source, 1 article
  • The tool targets 59 processes related to EDR and antivirus tools, executing a kill loop every second to terminate any restarted processes.

    First reported: 04.02.2026 16:17
    1 source, 1 article
  • The kernel driver is installed as a fake OEM hardware service, providing reboot-resistant persistence.

    First reported: 04.02.2026 16:17
    1 source, 1 article
  • The attack involved aggressive internal reconnaissance, including ICMP ping sweeps, NetBIOS name probes, and SMB-related activity, with SYN flooding exceeding 370 SYNs/sec.

    First reported: 04.02.2026 16:17
    1 source, 1 article
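A defender-side triage check suggested by the snippets above, written for this page as an added example (it is not code from the article or from any cited source): enumerate the kernel driver services registered with the Service Control Manager, verify each image's Authenticode signature, and flag drivers whose signing certificate has already expired, whose signature does not verify, or whose image sits outside the standard drivers directory. Because a timestamped signature from an expired certificate still reports as Valid (the condition the EnPortv.sys snippet describes), the check keys on the certificate's NotAfter date rather than on signature status alone. The image-path normalisation and the function name are my assumptions about how the registry path forms appear; only standard Windows PowerShell cmdlets are used.

```powershell
# Added example, not from the article: list kernel driver services whose
# Authenticode signer certificate has already expired, whose signature does
# not verify, or whose image is not under %SystemRoot%\System32\drivers.
function Find-SuspectKernelDriver {
    [CmdletBinding()]
    param(
        # Reference time for the expiry test (assumed: now).
        [datetime] $AsOf = (Get-Date)
    )

    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Normalise the image path forms the SCM reports
            # (\??\C:\..., \SystemRoot\..., system32\drivers\..., plain absolute).
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $path = [Environment]::ExpandEnvironmentVariables($path)
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $cert = $sig.SignerCertificate

            $reasons = @()
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            }
            # An expired signer certificate still verifies when the signature was
            # timestamped, so test the expiry date explicitly.
            if ($cert -and $cert.NotAfter -lt $AsOf) {
                $reasons += "signer certificate expired $($cert.NotAfter.ToString('yyyy-MM-dd'))"
            }
            if ($path -notlike "$driverDir\*") {
                $reasons += 'image outside System32\drivers'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Service   = $_.Name
                    Display   = $_.DisplayName
                    State     = $_.State
                    StartMode = $_.StartMode
                    Image     = $path
                    Signer    = if ($cert) { $cert.Subject } else { '<unsigned>' }
                    Reasons   = $reasons -join '; '
                }
            }
        }
}

# Usage: run from an elevated prompt and review the flagged services.
Find-SuspectKernelDriver | Sort-Object State, Service | Format-Table -AutoSize -Wrap
```

Treat the output as a triage list rather than a verdict: many legitimate third-party drivers live outside System32\drivers, and the signature result for inbox drivers that are signed only through a catalog file can vary between PowerShell versions. The combination the snippets describe, a service whose display name suggests OEM hardware but whose signer is a forensics vendor and whose certificate expired over a decade ago, is the kind of mismatch worth pulling out of this list for a closer look.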