Mass exploitation of signed vulnerable drivers by 54 EDR killer tools via BYOVD technique
Summary
Security vendors have identified 54 distinct EDR killer tools that abuse Bring Your Own Vulnerable Driver (BYOVD) techniques by exploiting 34 vulnerable, signed drivers to disable endpoint detection and response (EDR) solutions. The tools are deployed primarily by ransomware groups, affiliates, and underground service providers to neutralize security controls before executing file-encrypting malware. Attackers gain kernel-mode privileges (Ring 0) to terminate EDR processes, disable protection mechanisms, and tamper with kernel callbacks, thereby undermining endpoint defenses through abuse of Microsoft’s driver trust model.
Timeline
- 19.03.2026 20:52 · 1 article
  54 EDR killer tools abuse 34 vulnerable signed drivers via BYOVD to disable security software
  Security analysis identifies 54 EDR killer tools that exploit 34 vulnerable, signed drivers using Bring Your Own Vulnerable Driver (BYOVD) techniques to gain kernel-mode access and terminate or disable EDR solutions. The tools are deployed primarily by ransomware groups, affiliates, and underground service providers to neutralize endpoint defenses prior to encryption. Once in the kernel, the attacker can tamper with kernel callbacks and undermine endpoint protections, because the operating system trusts the driver's valid signature rather than its behavior.
  Sources:
  - 54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security — thehackernews.com — 19.03.2026 20:52
Information Snippets
- 54 EDR killer tools have been documented leveraging BYOVD to exploit 34 different vulnerable yet signed drivers.
  First reported: 19.03.2026 20:52 · 1 source, 1 article
  - 54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security — thehackernews.com — 19.03.2026 20:52
- Threat actors use BYOVD to achieve kernel-mode privileges (Ring 0), enabling unrestricted access to system memory and hardware.
  First reported: 19.03.2026 20:52 · 1 source, 1 article
  - 54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security — thehackernews.com — 19.03.2026 20:52
- EDR killers are often executed just before the ransomware payload to simplify encryptor development and maintain stability across builds.
  First reported: 19.03.2026 20:52 · 1 source, 1 article
  - 54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security — thehackernews.com — 19.03.2026 20:52
- Attackers either belong to closed ransomware groups, modify existing proof-of-concept tools, or purchase commoditized EDR killer services on underground markets.
  First reported: 19.03.2026 20:52 · 1 source, 1 article
  - 54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security — thehackernews.com — 19.03.2026 20:52
- Additional EDR killer classes include script-based tools using commands like taskkill or net stop, Safe Mode exploitation, anti-rootkit utilities (e.g., GMER, PC Hunter), and driverless variants that block outbound traffic to induce "coma" states in EDR solutions.
  First reported: 19.03.2026 20:52 · 1 source, 1 article
  - 54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security — thehackernews.com — 19.03.2026 20:52
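The snippets above make the defensive point implicit: in BYOVD the driver's signature is valid, so "is it signed?" is not a useful detection question, while "is this specific driver (by name and version, or by hash) on a deny-list, and where was it loaded from?" is. The following is an added example, not code from the article or from any vendor, showing that triage logic run over driver-load records. The deny-list XML is a constructed fragment in the shape of an App Control (WDAC) policy, the driver-load records are constructed with Sysmon Event ID 6 (DriverLoad) fields, and every driver name, version and hash in them is hypothetical. Two simplifications are assumed: `FileName` rules are matched against the on-disk basename rather than the PE's OriginalFileName, and a version-ranged rule applies when MinimumFileVersion <= version <= MaximumFileVersion. `FileVersion` is not a Sysmon field; it stands for an enrichment step that reads the file's version resource.

```python
"""Triage kernel driver loads against a WDAC-style driver deny-list.
Added example. Policy, records, names, versions and hashes are all constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SIPOLICY_NS = {"p": "urn:schemas-microsoft-com:sipolicy"}  # App Control policy namespace
Version = Tuple[int, int, int, int]

# Constructed deny-list. Microsoft's recommended driver block rules use the same
# <Deny> element shape; these rules are NOT taken from that list.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Deny ID="ID_DENY_EXAMPLE_1" FriendlyName="example_ring0.sys, all versions"
          FileName="example_ring0.sys" MinimumFileVersion="0.0.0.0"
          MaximumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_EXAMPLE_2" FriendlyName="oldtool.sys before the 2.1 fix"
          FileName="oldtool.sys" MinimumFileVersion="0.0.0.0"
          MaximumFileVersion="2.0.65535.65535" />
    <Deny ID="ID_DENY_EXAMPLE_3" FriendlyName="known-bad build, any file name" Hash="%s" />
  </FileRules>
</SiPolicy>""" % ("AA" * 32)

# Constructed records with Sysmon Event ID 6 fields. FileVersion is an assumed
# enrichment field (Sysmon 6 itself does not carry a version). Hashes are fake.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\Temp\\example_ring0.sys", "FileVersion": "1.0.0.0",
     "Hashes": "SHA256=" + "11" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\oldtool.sys", "FileVersion": "2.1.0.0",
     "Hashes": "SHA256=" + "22" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\oldtool.sys", "FileVersion": "1.9.0.0",
     "Hashes": "SHA256=" + "33" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    # Same bytes as rule 3, dropped under an innocuous name: the hash rule still fires.
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\netfilt.sys", "FileVersion": "3.2.0.0",
     "Hashes": "SHA256=" + "AA" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "FileVersion": "10.0.19041.1",
     "Hashes": "SHA256=" + "44" * 32, "Signed": "true", "SignatureStatus": "Valid"},
]

SUSPICIOUS_PATH_MARKERS = ("\\temp\\", "\\users\\", "\\downloads\\", "\\appdata\\")


@dataclass
class DenyRule:
    rule_id: str
    file_name: Optional[str] = None
    min_version: Version = (0, 0, 0, 0)
    max_version: Version = (65535, 65535, 65535, 65535)
    sha256: Optional[str] = None


def parse_version(text: str) -> Version:
    """'2.0.65535.65535' -> (2, 0, 65535, 65535); short strings are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def load_deny_rules(policy_xml: str) -> List[DenyRule]:
    """Collect every <Deny> under <FileRules>; Allow rules are ignored on purpose."""
    root = ET.fromstring(policy_xml)
    rules = []
    for deny in root.iterfind(".//p:FileRules/p:Deny", SIPOLICY_NS):
        rules.append(DenyRule(
            rule_id=deny.get("ID", ""),
            file_name=deny.get("FileName") or None,
            min_version=parse_version(deny.get("MinimumFileVersion", "0.0.0.0")),
            max_version=parse_version(deny.get("MaximumFileVersion", "65535.65535.65535.65535")),
            sha256=(deny.get("Hash") or "").upper() or None,
        ))
    return rules


def parse_hashes(hashes_field: str) -> Dict[str, str]:
    """Sysmon 'Hashes' is 'ALGO=hex,ALGO=hex'; return {ALGO: HEX} uppercased."""
    out: Dict[str, str] = {}
    for item in hashes_field.split(","):
        if "=" in item:
            algo, value = item.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def evaluate_driver_load(event: dict, rules: List[DenyRule]) -> List[str]:
    """Return the reasons a load deserves attention; an empty list means nothing matched."""
    reasons: List[str] = []
    image = event["ImageLoaded"]
    base = image.rsplit("\\", 1)[-1].lower()  # simplification: basename, not OriginalFileName
    hashes = parse_hashes(event.get("Hashes", ""))
    version = parse_version(event.get("FileVersion", "0.0.0.0"))
    for rule in rules:
        if rule.file_name and rule.file_name.lower() == base \
                and rule.min_version <= version <= rule.max_version:
            reasons.append(f"{rule.rule_id}: name match, version {event.get('FileVersion')} in blocked range")
        if rule.sha256 and hashes.get("SHA256") == rule.sha256:
            reasons.append(f"{rule.rule_id}: SHA256 match regardless of file name")
    # A valid signature is expected in BYOVD, so only its absence is a signal by itself.
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature status is not Valid")
    if any(marker in image.lower() for marker in SUSPICIOUS_PATH_MARKERS):
        reasons.append("loaded from a user-writable path")
    return reasons


def scan(events: List[dict], rules: List[DenyRule]) -> List[Tuple[str, List[str]]]:
    """Evaluate every record in order, keeping the image path beside its reasons."""
    return [(e["ImageLoaded"], evaluate_driver_load(e, rules)) for e in events]


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS, load_deny_rules(SAMPLE_POLICY)):
        print(("ALERT " if reasons else "ok    ") + image)
        for reason in reasons:
            print("        -", reason)
```

The point of the two oldtool.sys records is the version boundary: the patched 2.1.0.0 build passes while 1.9.0.0 is flagged, which is how real block rules avoid denying a vendor's fixed driver. The netfilt.sys record shows why hash rules matter alongside name rules. In production the deny-list to feed this is Microsoft's recommended driver block rules policy; on current Windows 11 builds the vulnerable driver blocklist is enforced by default and can be checked under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config (VulnerableDriverBlocklistEnable), and Sysmon Event ID 6 or the System log's 7045 service-installation events supply the load records.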