EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers
Technical Analysis
Summary
Hide ▲
Show ▼
54 EDR killers were found abusing BYOVD through 34 vulnerable drivers, showing how ransomware operators can disable endpoint defenses before encryption. The finding matters because the technique gives attackers kernel-level privileges to terminate protection software and undermine Microsoft's driver trust model.
Related Happenings
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
**Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
AI-assisted EDR-evasion malware development lab
Malware Activity
H score12
First: 02.06.2026 14:00
Last: 02.06.2026 14:00
Sources 1
About this happening:
A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...
AI-assisted EDR-evasion malware development lab
Malware ActivityAbout this happening: A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...
Microsoft Defender for Endpoint automatic endpoint isolation preview
Security Tool/Service
H score10
First: 26.05.2026 15:19
Last: 26.05.2026 15:19
Sources 1
About this happening:
Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...
Microsoft Defender for Endpoint automatic endpoint isolation preview
Security Tool/ServiceAbout this happening: Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...
Microsoft adds Cloud-Initiated Driver Recovery for Windows Update driver rollbacks
Security Tool/Service
H score10
First: 15.05.2026 15:29
Last: 15.05.2026 15:29
Sources 1
About this happening:
Microsoft is adding **Cloud-Initiated Driver Recovery** to **Windows Update**, giving it a remote rollback control for **problematic Windows drivers**. The capability reduces how...
Microsoft adds Cloud-Initiated Driver Recovery for Windows Update driver rollbacks
Security Tool/ServiceAbout this happening: Microsoft is adding **Cloud-Initiated Driver Recovery** to **Windows Update**, giving it a remote rollback control for **problematic Windows drivers**. The capability reduces how...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score57
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
Timeline
-
19.03.2026 20:52 2 articles · 3mo ago
EDR killer BYOVD analysis
Technical Analysis UpdateEndpoint detection and response (EDR) killers are being built as separate pre-encryption tools that disable security controls before ransomware lockers run, and 54 of the tools analyzed use bring your own vulnerable driver (BYOVD) against 34 vulnerable drivers to gain kernel-mode privileges, terminate EDR processes, tamper with kernel callbacks, and abuse Microsoft's driver trust model. The analysis also identifies script-based variants that use taskkill, net stop, sc delete, or Windows Safe Mode, anti-rootkit utilities such as GMER, HRSword, and PC Hunter, and driverless blockers like EDRSilencer and EDR-Freeze that suppress EDR outbound traffic.
Show sources
- 54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security — thehackernews.com — 19.03.2026 20:52
- 54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security — thehackernews.com — 19.03.2026 20:52