MalwareMar 19, 2026

54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security

Security researchers identified 54 EDR killer tools that exploit 34 signed vulnerable drivers using the BYOVD (bring your own vulnerable driver) technique to disable endpoint detection and response solutions before deploying ransomware. The analysis reveals three primary threat actor categories developing these tools—closed ransomware groups, attackers forking proof-of-concept code, and cybercriminals offering them as a service on underground marketplaces. Organizations are urged to implement layered defenses and block commonly misused drivers to prevent these defense-evasion attacks.

Read at source

Summary

Full text

54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security Ravie LakshmananMar 19, 2026Threat Detection / Endpoint Security A new analysis of endpoint detection and response (EDR) killers has revealed that 54 of them leverage a technique known as bring your own vulnerable driver (BYOVD) by abusing a total of 34 vulnerable drivers. EDR killer programs have been a common presence in ransomware intrusions as they offer a way for affiliates to neutralize security software before deploying file-encrypting malware. This is done so in an attempt to evade detection. "Ransomware gangs, especially those with ransomware-as-a-service (RaaS) programs, frequently produce new builds of their encryptors, and ensuring that each new build is reliably undetected can be time-consuming," ESET researcher Jakub Souček said in a report shared with The Hacker News. "More importantly, encryptors are inherently very noisy (as they inherently need to modify a large number of files in a short period); making such malware undetected is rather challenging." EDR killers act as a specialized, external component that's run to disable security controls before executing the lockers themselves, thereby keeping the latter simple, stable, and easy to rebuild. That's not to say there have not been instances where EDR termination and ransomware modules have been fused into one single binary. Reynolds ransomware is a case in point. A majority of the EDR killers rely on legitimate yet vulnerable drivers to gain elevated privileges and achieve their goals. Among the nearly 90 EDR killer tools detected by the Slovakian cybersecurity company, more than half of them utilize the well-known BYOVD tactic simply because it's reliable. "The goal of a BYOVD attack is to gain kernel-mode privileges, often called Ring 0," Bitdefender explains. "At this level, code has unrestricted access to system memory and hardware. Since an attacker cannot load an unsigned malicious driver, they 'bring' a driver signed by a reputable vendor (such as a hardware manufacturer or an old antivirus version) that has a known vulnerability." Armed with the kernel access, threat actors can terminate EDR processes, disable security tools, tamper with kernel callbacks, and undermine endpoint protections. The result is an abuse of Microsoft's driver trust model to evade defenses, taking advantage of the fact that the vulnerable driver is legitimate and signed. The BYOVD-based EDR killers are primarily developed by three types of threat actors - Closed ransomware groups like DeadLock and Warlock that do not rely on affiliates Attackers forking and tweaking existing proof-of-concept code (e.g., SmilingKiller and TfSysMon-Killer) Cybercriminals marketing such tools on underground marketplaces as a service (e.g., DemoKiller aka Бафомет, ABYSSWORKER, and CardSpaceKiller) ESET said it also identified script-based tools that make use of built-in administrative commands like taskkill, net stop, or sc delete to interfere with the regular functioning of security product processes and services. Select variants have also been found to combine scripting with Windows Safe Mode. "Since Safe Mode loads only a minimal subset of the operating system, and security solutions typically aren’t included, malware has a higher chance of disabling protection," the company noted. "At the same time, such activity is very noisy, as it requires a reboot, which is risky and unreliable in unknown environments. Therefore, it is seen only rarely in the wild." The third category of EDR killers are anti-rootkits, which include legitimate utilities such as GMER, HRSword, and PC Hunter, that offer an intuitive user interface to terminate protected processes or services. A fourth, emerging class is a set of driverless EDR killers like EDRSilencer and EDR-Freeze that block outbound traffic from EDR solutions and cause the programs to enter a "coma" like state. "Attackers aren’t putting much effort into making their encryptors undetected," ESET said. "Rather, all the sophisticated defense-evasion techniques have shifted to the user-mode components of EDR killers. This trend is most visible in commercial EDR killers, which often incorporate mature anti-analysis and anti-detection capabilities." To combat ransomware and EDR killers, blocking commonly misused drivers from loading is a necessary defense mechanism. However, given that EDR killers are executed only at the last stage and just before launching the encryptor, a failure at this stage means the threat actor can easily switch to another tool to accomplish the same task. The implication is that organizations need layered defenses and detection strategies in place to proactively monitor, flag, contain, and remediate the threat at each every stage of the attack lifecycle. "EDR killers endure because they're cheap, consistent, and decoupled from the encryptor – a perfect fit for both encryptor developers, who don’t need to focus on making their encryptors undetectable, and affiliates, who possess an easy-to-use, powerful utility to disrupt defenses prior to encryption," ESET said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, endpoint security, Malware, ransomware, threat detection, Threat Intelligence, vulnerability management, windows security Trending News FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures

Indicators of Compromise

malware — Reynolds ransomware
malware — DeadLock
malware — Warlock
malware — SmilingKiller
malware — TfSysMon-Killer
malware — DemoKiller
malware — ABYSSWORKER
malware — CardSpaceKiller
malware — EDRSilencer
malware — EDR-Freeze