Signed vulnerable drivers used to disable EDR and aid ransomware attacks
Researchers and incident responders reported continued abuse of Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint protections, including CrowdStrike Falcon, by loading legitimately signed but flawed Windows kernel drivers. One newly analyzed zero-day driver family included more than 15 variants with valid Microsoft signatures and an IOCTL control code such as 0x22E010 whose handler accepted a process ID and invoked ZwOpenProcess and ZwTerminateProcess from kernel mode, allowing attackers to kill protected security processes without alerts. A proof-of-concept dubbed PoisonKiller demonstrated successful termination of the CrowdStrike EDR process through the driver's symbolic link, underscoring the risk created by trusted but unrevoked third-party drivers.
Separate reporting from Sophos and industry coverage tied the same broader tactic to real intrusions and ransomware activity, including ongoing abuse of Terminator and related tools built around vulnerable Zemana drivers. Attackers used IOCTL flaws to place their own processes on allow lists and then terminate AV and EDR components, while some incidents showed operators switching to alternatives such as AuKill when initial attempts failed. Defenders were urged to combine tamper protection, strict privilege controls, patching, and aggressive blocklisting of unnecessary vulnerable drivers, as signed-driver abuse has spread from advanced actors to commodity ransomware crews and lower-tier criminals.
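A defender-side check added here, not code from any of the sources above: it scans constructed Sysmon DriverLoad (Event ID 6) records and flags a driver when its hash is on a vulnerable-driver blocklist, when it loads from outside the standard driver directories, or when it is unsigned, because a valid signature alone, as the driver family described above shows, is no evidence that a driver is safe. The hashes, file names and blocklist contents are placeholders, not real indicators.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 6 (DriverLoad) records, flattened to "Field=value|Field=value".
# Hash values and file names are placeholders, not real indicators.
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys|Hashes=SHA256=AAAA0001|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "ImageLoaded=C:\\Users\\Public\\Temp\\agent_helper.sys|Hashes=SHA256=BBBB0002|Signed=true|Signature=Example Vendor Ltd|SignatureStatus=Valid",
    "ImageLoaded=C:\\Windows\\System32\\drivers\\zzz_legacy.sys|Hashes=SHA256=CCCC0003|Signed=true|Signature=Example Vendor Ltd|SignatureStatus=Valid",
    "ImageLoaded=C:\\ProgramData\\tool\\unsigned.sys|Hashes=SHA256=DDDD0004|Signed=false|Signature=|SignatureStatus=Unavailable",
]

# Placeholder blocklist; in practice populate it from Microsoft's vulnerable driver blocklist
# or a project such as LOLDrivers, and refresh it as new vulnerable drivers are published.
KNOWN_VULNERABLE_SHA256 = {"CCCC0003"}

# Drivers legitimately installed by Windows or through the driver store live here;
# a BYOVD payload is typically dropped into a user-writable directory instead.
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into fields and extract the SHA256 from the Hashes field."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    m = re.search(r"SHA256=([0-9A-Fa-f]+)", fields.get("Hashes", ""))
    fields["SHA256"] = m.group(1).upper() if m else ""
    return fields


def assess(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a driver load deserves attention; an empty list means no finding."""
    reasons = []
    if ev["SHA256"] in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")  # signed, valid, yet exploitable
    if not ev["ImageLoaded"].lower().startswith(TRUSTED_DIRS):
        reasons.append("loaded from outside trusted driver directories")
    if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons


def scan(lines) -> List[Tuple[str, List[str]]]:
    """Run every record through assess() and keep only those with at least one reason."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            findings.append((ev["ImageLoaded"], reasons))
    return findings
```

Note that the third record is signed with a valid certificate and sits in System32\drivers; only the blocklist catches it, which is why signature checks alone are not a BYOVD control.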

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Reporting links Black Basta ransomware to BYOVD security bypasses
A report said Black Basta ransomware operators used bring-your-own-vulnerable-driver techniques to bypass Windows security controls during attacks. The development adds a specific ransomware crew to the list of threat actors operationally abusing vulnerable signed drivers to disable defenses.
GitHub repository publishes BYOVD research methodology and CVE examples
A GitHub repository named BYOVD was published describing research use cases for vulnerable driver discovery and reverse-engineering methodology. The project references CVE-2025-52915 and CVE-2025-1055, adding public technical material on BYOVD tradecraft and analysis workflows.
PoisonKiller proof of concept demonstrates CrowdStrike process termination
The researcher developed a proof-of-concept exploit called PoisonKiller that successfully used the vulnerable driver's symbolic link to kill the CrowdStrike EDR process from kernel mode. The demonstration highlighted the ongoing risk posed by trusted but unrevoked vulnerable drivers in Windows environments.
Researcher reverse engineers zero-day driver used to disable CrowdStrike EDR
A researcher analyzed a previously unknown signed kernel driver used in a BYOVD attack chain and found it could terminate protected security processes, including CrowdStrike Falcon, via an IOCTL handler using ZwOpenProcess and ZwTerminateProcess. The researcher identified more than 15 variants of the malicious driver, all reportedly carrying valid Microsoft signatures and showing no VirusTotal detections.
GitHub repo dead-av publishes BYOVD tool to continuously kill EDR and AV
A GitHub repository named dead-av was published describing a rewritten implementation of BlackSnufkin's BYOVD research that can continuously terminate EDR and antivirus processes. The release adds new public offensive tooling related to vulnerable-driver abuse for disabling endpoint protections.
Reporting highlights Microsoft-signed driver use in ransomware attacks
Cybersecurity Dive reported on ransomware attacks involving a Microsoft-signed driver, underscoring continued operational abuse of signed vulnerable drivers to bypass endpoint protections. The coverage reflected broader industry attention to BYOVD as an active ransomware tradecraft.
BadRentdrv2 GitHub repo publishes BYOVD driver for killing EDR and AV
A GitHub repository named BadRentdrv2 was published describing a vulnerable driver used for BYOVD that can terminate multiple endpoint detection and antivirus products on both 32-bit and 64-bit Windows systems. The project references CVE-2023-44976 and adds public technical material on offensive abuse of vulnerable drivers to disable security tools.
Sophos publishes research on continued Terminator abuse
Sophos published research describing how BYOVD techniques had spread beyond advanced actors, with ransomware operators and lower-tier criminals using Terminator-family tools and vulnerable drivers to kill AV and EDR processes. The report also noted discussion among criminals about custom malicious drivers signed with stolen or leaked certificates.
Sophos observes Terminator BYOVD attacks in late 2023
Sophos reported multiple real-world incidents in late 2023 in which attackers abused vulnerable Zemana-signed drivers and Terminator variants to disable security tools. The cases included activity likely tied to exploitation of vulnerable Citrix applications, a healthcare intrusion involving XMRig delivery and Terminator, and one intrusion where attackers switched to AuKill after initial attempts failed.
Sources (8 references)
Black Basta Ransomware Uses BYOVD to Bypass Windows Security (ctrlaltnod.com)
GitHub - BlackSnufkin/BYOVD: BYOVD research use cases featuring vulnerable driver discovery and reverse engineering methodology (CVE-2025-52915, CVE-2025-1055) (github.com)
Researcher Reverse Engineered 0-Day Used to Disable CrowdStrike EDR (cybersecuritynews.com)
It'll be back: Attackers still abusing Terminator tool and variants, Sophos (sophos.com)
GitHub - carved4/dead-av: kill all EDR and AV processes continuously, a rewritten implementation of BlackSnufkin's BYOVD research (github.com)
Microsoft-signed driver used in ransomware attacks, Cybersecurity Dive (cybersecuritydive.com)
GitHub - keowu/BadRentdrv2: A vulnerable driver exploited by me (BYOVD) that is capable of terminating several EDRs and antivirus software in the market, rendering them ineffective, working for both x32 and x64 (CVE-2023-44976) (github.com)
It'll be back: Attackers still abusing Terminator tool and variants, SC Media (scworld.com)