Find notable cyber news and cases, enriched with sources, timelines, and signals.

EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers

Technical Analysis
First reported
Last updated
Happening score
H score 24
1 unique sources, 1 articles

Summary

Hide ▲

54 EDR killers were found abusing BYOVD through 34 vulnerable drivers, showing how ransomware operators can disable endpoint defenses before encryption. The finding matters because the technique gives attackers kernel-level privileges to terminate protection software and undermine Microsoft's driver trust model.

Related Happenings

Gentlemen ransomware EDR-killer tooling

Malware Activity
H score35 First: 19.06.2026 01:31 Last: 19.06.2026 01:31 Sources 1

About this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...

AI-assisted EDR-evasion malware development lab

Malware Activity
H score12 First: 02.06.2026 14:00 Last: 02.06.2026 14:00 Sources 1

About this happening: A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...

Microsoft Defender for Endpoint automatic endpoint isolation preview

Security Tool/Service
H score10 First: 26.05.2026 15:19 Last: 26.05.2026 15:19 Sources 1

About this happening: Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...

Microsoft adds Cloud-Initiated Driver Recovery for Windows Update driver rollbacks

Security Tool/Service
H score10 First: 15.05.2026 15:29 Last: 15.05.2026 15:29 Sources 1

About this happening: Microsoft is adding **Cloud-Initiated Driver Recovery** to **Windows Update**, giving it a remote rollback control for **problematic Windows drivers**. The capability reduces how...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
H score57 First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

About this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...

Timeline

  1. 19.03.2026 20:52 2 articles · 3mo ago

    EDR killer BYOVD analysis

    Technical Analysis Update

    Endpoint detection and response (EDR) killers are being built as separate pre-encryption tools that disable security controls before ransomware lockers run, and 54 of the tools analyzed use bring your own vulnerable driver (BYOVD) against 34 vulnerable drivers to gain kernel-mode privileges, terminate EDR processes, tamper with kernel callbacks, and abuse Microsoft's driver trust model. The analysis also identifies script-based variants that use taskkill, net stop, sc delete, or Windows Safe Mode, anti-rootkit utilities such as GMER, HRSword, and PC Hunter, and driverless blockers like EDRSilencer and EDR-Freeze that suppress EDR outbound traffic.

    Show sources