Threat Actors Abused Microsoft-Signed Kernel Drivers to Disable EDR and AV
Multiple threat actors used malicious but legitimately signed Microsoft kernel drivers in targeted intrusions across telecommunications, BPO, MSSP, financial, and other sectors, according to SentinelOne. The toolkit combined the STONESTOP userland component with the POORTRY kernel driver to evade defenses by terminating, suspending, and resuming antivirus and EDR processes; later variants also added file deletion and overwrite functions. SentinelOne identified three versions of the toolkit, including two signed through Microsoft’s WHQL process, indicating that attackers were able to weaponize trusted driver signing to operate at the kernel level while undermining endpoint protections.
SentinelOne said it first reported the issue to Microsoft’s Security Response Center in October 2022 under case 75361, after which Microsoft published advisory ADV220005. The company also linked similar signed-driver abuse to a separate intrusion that ended with Hive ransomware deployment in the medical sector. Based on repeated use by distinct intruders, SentinelOne assessed with high confidence that the drivers were likely supplied through a service model, enabling multiple actors to buy or obtain signed kernel tools specifically built to neutralize security software during attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
SentinelOne assesses a supplier model for malicious signed drivers
Based on its investigation, SentinelOne assessed with high confidence that different threat actors used similar malicious signed drivers likely developed and supplied as a service. The finding suggested a shared ecosystem enabling multiple intrusion sets to leverage the same defense-evasion tooling.
Separate intrusion links similar signed-driver abuse to Hive ransomware
SentinelOne linked similar abuse of signed malicious drivers to a separate intrusion in the medical sector that culminated in Hive ransomware deployment. This indicated the technique was being used across distinct operations rather than a single campaign.
Later POORTRY variant adds destructive file-handling features
A later version of the malicious signed driver toolkit added capabilities to delete and overwrite files, expanding beyond process tampering for defense evasion. SentinelOne identified three toolkit versions overall, including two signed through Microsoft's WHQL process.
Threat actors use signed POORTRY/STONESTOP toolkit in targeted intrusions
Multiple threat actors used a toolkit built around the POORTRY kernel driver and STONESTOP userland component during active intrusions against telecommunications, BPO, MSSP, financial, and other sectors. The tooling was primarily used to evade defenses by terminating, suspending, and resuming AV and EDR processes.
Microsoft publishes advisory ADV220005
After SentinelOne's disclosure, Microsoft published security advisory ADV220005 addressing the issue of malicious drivers signed through its ecosystem. The advisory marked Microsoft's formal response to the reported abuse.
SentinelOne reports malicious signed driver abuse to Microsoft
SentinelOne said it first disclosed the abuse of malicious Microsoft-signed kernel drivers to the Microsoft Security Response Center under case 75361. The disclosure concerned a toolkit including the POORTRY driver and STONESTOP component used to evade security tools during intrusions.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Signed vulnerable drivers used to disable EDR and aid ransomware attacks
Researchers and incident responders reported continued abuse of **Bring Your Own Vulnerable Driver (BYOVD)** techniques to disable endpoint protections, including **CrowdStrike Falcon**, by loading legitimately signed but flawed Windows kernel drivers. One newly analyzed zero-day driver family included more than 15 variants with valid Microsoft signatures and an IOCTL path such as `0x22E010` that accepted a process ID and invoked `ZwOpenProcess` and `ZwTerminateProcess` from kernel mode, allowing attackers to kill protected security processes without alerts. A proof-of-concept dubbed **PoisonKiller** demonstrated successful termination of the CrowdStrike EDR process through the driver’s symbolic link, underscoring the risk created by trusted but unrevoked third-party drivers. Separate reporting from Sophos and industry coverage tied the same broader tactic to real intrusions and ransomware activity, including ongoing abuse of **Terminator** and related tools built around vulnerable **Zemana** drivers. Attackers used IOCTL flaws to place their own processes on allow lists and then terminate AV and EDR components, while some incidents showed operators switching to alternatives such as **AuKill** when initial attempts failed. Defenders were urged to combine tamper protection, strict privilege controls, patching, and aggressive blocklisting of unnecessary vulnerable drivers, as signed-driver abuse has spread from advanced actors to commodity ransomware crews and lower-tier criminals.
May 25, 2026
EDR Killer Malware Abuses Revoked EnCase Kernel Driver to Terminate Security Tools
Huntress reported an intrusion in which attackers deployed a custom **EDR killer** that disables endpoint security by abusing a legitimate but long-revoked kernel driver originally shipped with Guidance Software’s *EnCase* forensics product. The malware embeds the vulnerable driver (reported as `EnPortv.sys`) and uses a **Bring Your Own Vulnerable Driver (BYOVD)** approach: once the driver is loaded, it exposes an `IOCTL` interface that enables user-mode code to terminate arbitrary processes from kernel mode, bypassing user-mode protections including **Protected Process Light (PPL)**. The tool is described as capable of targeting **59** endpoint security products. In the observed incident, initial access was achieved by successfully authenticating to **SonicWall SSL VPN** using previously compromised credentials, with reporting noting the absence of **MFA** on the VPN account. Post-compromise activity included internal reconnaissance (e.g., ICMP ping sweeps, NetBIOS/SMB probing) and high-rate SYN activity, followed by execution of the EDR killer disguised as a legitimate utility (e.g., a firmware update tool). The malware reportedly uses a custom encoding scheme to conceal the embedded driver, writes it to disk under an OEM-like path, hides it, timestomps it to blend in, and registers it as a Windows kernel service for persistence; despite the driver’s certificate being expired and revoked for years, Windows can still load it due to signature verification and timestamping behavior.
Mar 21, 2026
Poortry Driver Evolved Into an EDR-Wiping Tool Used in Ransomware Intrusions
Sophos reported that new variants of the **Poortry** malicious kernel driver and its **Stonestop** loader have evolved into a more destructive tool used to disable security defenses during ransomware attacks. Previously known for terminating processes, the latest samples can patch kernel callbacks, interfere with filter drivers, kill security processes, and delete critical EDR files from disk, effectively shifting Poortry from an EDR killer to an **EDR wiper**. Researchers said the malware continues to develop even after Microsoft closed the attestation-signing loophole that earlier versions abused. The toolset has been linked to major ransomware operations including **CUBA, BlackCat, Medusa, LockBit, and RansomHub**, where it is used to clear the way for encryption by impairing endpoint protection. Sophos observed attackers switching rapidly between differently signed Poortry variants during intrusions, suggesting access to multiple stolen or leaked certificates and an adaptive evasion strategy. In one RansomHub-related intrusion, Poortry and Stonestop were deployed before ransomware execution, reinforcing assessments that the driver now functions as a rootkit-like sabotage platform for pre-ransomware defense evasion.
Jan 1, 2026