Malware Families Employing BYOVD and Driver-Based EDR Bypass Techniques
Multiple malware families have adopted advanced techniques to bypass endpoint detection and response (EDR) solutions by leveraging Bring Your Own Vulnerable Driver (BYOVD) attacks and stealthy driver installations. Notably, DeadLock ransomware has been observed exploiting a vulnerable Baidu driver to achieve kernel-level defense bypass, allowing it to disable security products and facilitate ransomware deployment. Similarly, Makop ransomware has evolved to incorporate GuLoader and BYOVD-based EDR killers, specifically targeting networks with exposed Remote Desktop Protocol (RDP) services to gain initial access and evade detection.
In parallel, the ValleyRAT malware family has demonstrated the use of stealthy driver installation methods to circumvent Windows 11 security protections. The public leak of the ValleyRAT builder has expanded its accessibility, enabling a broader range of threat actors to deploy this sophisticated backdoor. These developments highlight a growing trend among threat actors to exploit driver vulnerabilities and kernel-level techniques to undermine modern security controls across various malware campaigns.
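Every BYOVD or rootkit chain summarised above has to get a kernel driver registered and loaded, and on Windows that registration leaves a service-installation record (System log Event ID 7045). The following Python is an added example, not code from the cited reports or from Mallory: it runs a simple triage rule over constructed sample records, flagging any kernel-mode driver service whose image path lies outside the standard driver directories. All service names and paths in the sample are constructed, not indicators from the reports.

```python
from typing import Dict, Iterable, List

# Constructed sample records modelled on Windows System log Event ID 7045
# ("A service was installed in the system"); field names follow that event.
# Service names and paths are made up for the example, not indicators from the reports.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7045", "ServiceName": "BthA2dp", "ServiceType": "kernel mode driver",
     "ImagePath": "\\SystemRoot\\System32\\drivers\\BthA2dp.sys", "StartType": "demand start"},
    {"EventID": "7045", "ServiceName": "upd_svc", "ServiceType": "kernel mode driver",
     "ImagePath": "C:\\Users\\Public\\upd.sys", "StartType": "demand start"},
    {"EventID": "7045", "ServiceName": "MyAgent", "ServiceType": "user mode service",
     "ImagePath": "\"C:\\Program Files\\Agent\\agent.exe\"", "StartType": "auto start"},
    {"EventID": "7045", "ServiceName": "drv1", "ServiceType": "kernel mode driver",
     "ImagePath": "\\??\\C:\\Windows\\Temp\\x.sys", "StartType": "auto start"},
    {"EventID": "7045", "ServiceName": "NetFilter", "ServiceType": "kernel mode driver",
     "ImagePath": "system32\\DRIVERS\\netfilter.sys", "StartType": "demand start"},
]

# Directories where Windows normally installs kernel drivers (after normalization).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

def normalize_path(image_path: str) -> str:
    """Lower-case the path and rewrite the prefixes the service control manager accepts
    (NT object prefix, SystemRoot, %SystemRoot%, bare system32) to the absolute form."""
    p = image_path.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    for prefix in ("%systemroot%", "\\systemroot"):
        if p.startswith(prefix):
            p = "c:\\windows" + p[len(prefix):]
    if p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    return p

def is_suspicious_driver_install(event: Dict[str, str]) -> bool:
    """True for a kernel-driver service whose image lives outside the trusted directories."""
    if event.get("EventID") != "7045":
        return False
    if "driver" not in event.get("ServiceType", "").lower():
        return False  # user-mode services are out of scope for this rule
    path = normalize_path(event.get("ImagePath", ""))
    return not path.startswith(TRUSTED_DRIVER_DIRS)

def find_suspicious_driver_installs(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the service names the rule flags, sorted for stable output."""
    return sorted(e["ServiceName"] for e in events if is_suspicious_driver_install(e))
```

A validly signed driver dropped into System32\drivers, as the ValleyRAT analysis describes, passes this path rule, so pair it with Microsoft's vulnerable driver blocklist and hash-based checks on newly registered drivers.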

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers report DeadLock using Baidu driver for kernel-level bypass
A December 2025 report said DeadLock ransomware was deploying a BYOVD-based EDR killer that exploited a Baidu driver to disable defenses at the kernel level. The technique was presented as a defense-evasion method used in the ransomware's operations.
Researchers report Makop using GuLoader and BYOVD EDR killers
A December 2025 report said Makop ransomware had evolved its intrusion chain to use GuLoader and bring-your-own-vulnerable-driver techniques to deploy EDR-killer capabilities. The activity was described as targeting networks exposed through RDP services.
Researchers report ValleyRAT using signed rootkit driver on Windows 11
Analysis published in December 2025 described ValleyRAT using a multi-stage infection chain that installs a validly signed kernel-mode rootkit driver to bypass Windows 11 protections and remove antivirus and EDR drivers from several Chinese security vendors. The report highlighted the malware's modular design and the threat posed by its stealthy driver installation technique.
ValleyRAT activity surges after builder leak
Following the builder's public release, ValleyRAT detections increased sharply, with 85% of detections occurring in the last six months. The surge indicates the malware spread significantly after becoming more widely accessible.
ValleyRAT builder is publicly leaked
The ValleyRAT (also known as Winos/Winos4.0) builder and its development structure were publicly released, enabling broader use of the malware beyond its original Chinese-speaking operators. This leak complicated attribution and lowered the barrier for additional threat actors to deploy the malware.
Sources
DeadLock Ransomware Deploys BYOVD EDR Killer by Exploiting Baidu Driver for Kernel-Level Defense Bypass (securityonline.info)
Makop Ransomware Evolves: GuLoader and BYOVD EDR Killers Used to Attack RDP-Exposed Networks (securityonline.info)
ValleyRAT Malware Uses Stealthy Driver Install to Bypass Windows 11 Protections (cybersecuritynews.com)