EDR Killer Malware Abuses Revoked EnCase Kernel Driver to Terminate Security Tools
Huntress reported an intrusion in which attackers deployed a custom EDR killer that disables endpoint security by abusing a legitimate but long-revoked kernel driver originally shipped with Guidance Software’s EnCase forensics product. The malware embeds the vulnerable driver (reported as EnPortv.sys) and uses a Bring Your Own Vulnerable Driver (BYOVD) approach: once the driver is loaded, it exposes an IOCTL interface that enables user-mode code to terminate arbitrary processes from kernel mode, bypassing user-mode protections including Protected Process Light (PPL). The tool is described as capable of targeting 59 endpoint security products.
In the observed incident, initial access was achieved by successfully authenticating to SonicWall SSL VPN using previously compromised credentials, with reporting noting the absence of MFA on the VPN account. Post-compromise activity included internal reconnaissance (e.g., ICMP ping sweeps, NetBIOS/SMB probing) and high-rate SYN activity, followed by execution of the EDR killer disguised as a legitimate utility (e.g., a firmware update tool). The malware reportedly uses a custom encoding scheme to conceal the embedded driver, writes it to disk under an OEM-like path, hides it, timestomps it to blend in, and registers it as a Windows kernel service for persistence; despite the driver’s certificate being expired and revoked for years, Windows can still load it due to signature verification and timestamping behavior.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Huntress publicly reports BYOVD-based EDR killer technique
Huntress disclosed details of the intrusion and explained that Windows can still load certain older cross-signed drivers even when their certificates are expired or revoked, enabling abuse of the EnCase driver in a BYOVD attack. The company also recommended mitigations such as enabling MFA for remote access, reviewing VPN logs, and enforcing Microsoft's vulnerable driver blocklist with HVCI, WDAC, and ASR controls.
Huntress disrupts intrusion before ransomware deployment
Huntress said it detected and stopped the attack during the preparation stage, before the likely final ransomware payload could be launched.
EDR killer deployed using revoked EnCase kernel driver
The threat actor deployed a custom 64-bit 'EDR killer' disguised as a firmware update utility that dropped and installed the old EnCase EnPortv.sys driver as a fake OEM-style kernel service. The malware used the vulnerable signed driver to obtain kernel-level process-killing capability and repeatedly terminate 59 targeted EDR/AV processes, bypassing protections such as PPL.
Intruders conduct internal reconnaissance after VPN access
After gaining access, the attackers performed aggressive internal discovery activity, including ping sweeps, NetBIOS probing, SMB activity, and high-rate SYN flooding to map the environment and identify targets.
Attackers access network using compromised SonicWall VPN credentials
In the observed intrusion, attackers authenticated to a SonicWall SSL VPN using previously compromised credentials on an account without MFA, gaining initial access to the victim's Windows environment.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Why a decade-old EnCase driver still works as an EDR killer - Help Net Security
helpnetsecurity.com
Open sourceEnCase Driver Weaponized as EDR Killers Persist
darkreading.com
Open sourceEDR killer tool uses signed kernel driver from forensic software
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AuKill Malware Abuses Signed Process Explorer Driver to Disable EDR
Sophos X-Ops reported that the **AuKill** malware uses a bring-your-own-vulnerable-driver (**BYOVD**) technique to disable endpoint detection and response tools before follow-on payloads such as ransomware or backdoors are deployed. The tool abuses an outdated, Microsoft-signed Process Explorer driver, `PROCEXP.SYS`, and was linked to at least three intrusions involving ransomware operators including **Medusa Locker** and **LockBit**. Researchers identified six variants developed between late 2022 and early 2023, indicating active refinement of the malware. AuKill requires administrative privileges, installs itself as a Windows service, drops the vulnerable driver into the system drivers directory, and repeatedly kills processes and disables services tied to security products; some versions also unload defensive drivers. Sophos said the malware shares strong code and behavioral similarities with the open-source **Backstab** project, suggesting the author reused existing offensive techniques to build the tool. The findings highlight continued criminal use of signed but vulnerable drivers to evade defenses and weaken security controls ahead of broader compromise.
May 25, 2026
Signed vulnerable drivers used to disable EDR and aid ransomware attacks
Researchers and incident responders reported continued abuse of **Bring Your Own Vulnerable Driver (BYOVD)** techniques to disable endpoint protections, including **CrowdStrike Falcon**, by loading legitimately signed but flawed Windows kernel drivers. One newly analyzed zero-day driver family included more than 15 variants with valid Microsoft signatures and an IOCTL path such as `0x22E010` that accepted a process ID and invoked `ZwOpenProcess` and `ZwTerminateProcess` from kernel mode, allowing attackers to kill protected security processes without alerts. A proof-of-concept dubbed **PoisonKiller** demonstrated successful termination of the CrowdStrike EDR process through the driver’s symbolic link, underscoring the risk created by trusted but unrevoked third-party drivers. Separate reporting from Sophos and industry coverage tied the same broader tactic to real intrusions and ransomware activity, including ongoing abuse of **Terminator** and related tools built around vulnerable **Zemana** drivers. Attackers used IOCTL flaws to place their own processes on allow lists and then terminate AV and EDR components, while some incidents showed operators switching to alternatives such as **AuKill** when initial attempts failed. Defenders were urged to combine tamper protection, strict privilege controls, patching, and aggressive blocklisting of unnecessary vulnerable drivers, as signed-driver abuse has spread from advanced actors to commodity ransomware crews and lower-tier criminals.
May 25, 2026
ESET Research Finds BYOVD Dominates EDR Killer Use in Ransomware Intrusions
**ESET Research** reported that **EDR killers** have become a standard component of modern ransomware operations, with attackers routinely disabling endpoint detection and response tools before launching encryptors. Across nearly 90 EDR killer tools observed in the wild, 54 were found to use the **Bring Your Own Vulnerable Driver (BYOVD)** technique, abusing 34 signed but vulnerable drivers to obtain kernel-level privileges and tamper with security products. The research says this approach is especially attractive to ransomware affiliates because it creates a short, reliable window for encryption while avoiding the need to constantly rebuild encryptors to evade detection. The reporting also highlights how **ransomware-as-a-service** operations contribute to the diversity of EDR killer tooling: operators typically provide the encryptor and infrastructure, while affiliates choose the EDR-disabling utility used during an intrusion. Although BYOVD remains the dominant method because of its reliability and relatively low development cost, researchers also observed a growing set of tools that disable protections without loading drivers, including methods that disrupt EDR communications, suspend processes, or abuse built-in administrative utilities. The findings reinforce that vulnerable-driver abuse remains a key defensive gap, while non-kernel alternatives are also expanding the range of pre-encryption attack techniques defenders must monitor.
Apr 14, 2026