EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers
Technical Analysis
Summary
54 EDR killers were found abusing BYOVD through 34 vulnerable drivers, showing how ransomware operators can disable endpoint defenses before encryption. The finding matters because the technique gives attackers kernel-level privileges to terminate protection software and undermine Microsoft's driver trust model.
Related Happenings
Microsoft Defender for Endpoint automatic endpoint isolation preview
Security Tool/Service
First: 26.05.2026 15:19
Last: 26.05.2026 15:19
Sources 1
About this happening:
Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...
Microsoft adds Cloud-Initiated Driver Recovery for Windows Update driver rollbacks
Security Tool/Service
First: 15.05.2026 15:29
Last: 15.05.2026 15:29
Sources 1
About this happening:
Microsoft is adding **Cloud-Initiated Driver Recovery** to **Windows Update**, giving it a remote rollback control for **problematic Windows drivers**. The capability reduces how...
2025 Automotive carmakers ransomware surge
Target Trend
First: 16.04.2026 11:35
Last: 16.04.2026 11:35
Sources 1
About this happening:
In **2025**, ransomware became the **fastest-growing** and most disruptive threat to **automotive carmakers**, accounting for **44% of attacks** and **more than doubling** over th...
Halcyon automotive ransomware mitigation guidance
Advisory/Mitigation
First: 16.04.2026 11:35
Last: 16.04.2026 11:35
Sources 1
About this happening:
**Halcyon** urged **automotive sector IT teams** to harden their environments against a **ransomware threat** that is pressuring carmakers and their suppliers. The guidance priori...
GPUBreach GPU Rowhammer research enables GDDR6 page-table corruption and privilege escalation
Technical Analysis
First: 07.04.2026 00:44
Last: 07.04.2026 00:44
Sources 1
About this happening:
**GPUBreach** research shows **Rowhammer** bit flips in **GDDR6** can corrupt **GPU page tables**, creating a path to **arbitrary GPU memory read/write** and potential **full syst...
Timeline
19.03.2026 20:52 2 articles · 2mo ago
EDR killer BYOVD analysis
Technical Analysis Update
Endpoint detection and response (EDR) killers are being built as separate pre-encryption tools that disable security controls before ransomware lockers run. Of the tools analyzed, 54 use bring your own vulnerable driver (BYOVD) against 34 vulnerable drivers to gain kernel-mode privileges, terminate EDR processes, tamper with kernel callbacks, and abuse Microsoft's driver trust model. The analysis also identifies script-based variants that use taskkill, net stop, sc delete, or Windows Safe Mode; anti-rootkit utilities such as GMER, HRSword, and PC Hunter; and driverless blockers like EDRSilencer and EDR-Freeze that suppress EDR outbound traffic.
- 54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security — thehackernews.com — 19.03.2026 20:52