EDRChoker Uses Windows QoS Throttling to Blind Cloud-Connected EDR Agents
Researchers and security outlets highlighted EDRChoker, an open-source red-team tool that uses Windows Policy-Based Quality of Service (QoS) to throttle outbound traffic from selected EDR processes to near-zero bandwidth, disrupting telemetry, policy updates, and remote management without killing processes or injecting code. The technique reportedly creates per-process QoS policies with random GUID-based names and can persist across reboots, with a cleanup mode available to remove the rules. In demonstrations, throttling EDR agent traffic to extremely low rates caused TLS handshakes and other communications to time out, leaving agents disconnected from their management servers.
The approach differs from earlier evasion tools that rely on Windows Firewall or the Windows Filtering Platform (WFP), such as EDRSilencer, because QoS enforcement occurs through pacer.sys at the NDIS layer below WFP, potentially avoiding packet-drop artifacts that defenders monitor in firewall and WFP logs. Coverage of the release described the method as exposing a weakness in cloud-dependent EDR architectures and urged defenders to audit QoS policies, review PowerShell and Windows event logs for policy creation, and improve detection of attacker activity before administrative privileges are obtained on endpoints.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Cyber Security News reports newly released open-source EDRChoker
Cyber Security News reported that EDRChoker had been newly released as an open-source red-team tool using Windows QoS and pacer.sys at the NDIS layer to throttle selected EDR processes to near-zero bandwidth. The report emphasized persistence across reboots, cleanup support, and the architectural weakness this poses for cloud-connected EDR products.
r/netsec post amplifies the EDRChoker technique
A Reddit post on r/netsec highlighted the EDRChoker method, describing it as a defense-evasion technique that abuses Policy-based QoS to hard-cap EDR bandwidth and cause telemetry timeouts. The post did not add a distinct new technical development beyond publicizing the existing technique.
EDRChoker technique and tool are published
A zerosalarium article described EDRChoker, a tool that uses Windows Policy-based QoS to throttle EDR agent traffic to 8 bits per second, with a lab demonstration against Elastic Defend showing loss of server connectivity. The write-up contrasted the approach with WFP-based methods and included detection and mitigation guidance.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
New EDRChoker Tool Uses Policy-Based Quality of Service to Block EDR Processes
cybersecuritynews.com
Open sourceEDRChoker: Choking The Telemetry Stream to Bypass Defenses : r/netsec
reddit.com
Open sourceGitHub - TwoSevenOneT/EDRChoker: A tool uses the QoS Policy (Pacer.sys) to throttle Endpoint Detection and Response (EDR) agents from connecting to the server. · GitHub
github.com
Open sourceEDRChoker: Choking The Telemetry Stream to Bypass Defenses
zerosalarium.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
EDR Killer Malware Abuses Revoked EnCase Kernel Driver to Terminate Security Tools
Huntress reported an intrusion in which attackers deployed a custom **EDR killer** that disables endpoint security by abusing a legitimate but long-revoked kernel driver originally shipped with Guidance Software’s *EnCase* forensics product. The malware embeds the vulnerable driver (reported as `EnPortv.sys`) and uses a **Bring Your Own Vulnerable Driver (BYOVD)** approach: once the driver is loaded, it exposes an `IOCTL` interface that enables user-mode code to terminate arbitrary processes from kernel mode, bypassing user-mode protections including **Protected Process Light (PPL)**. The tool is described as capable of targeting **59** endpoint security products. In the observed incident, initial access was achieved by successfully authenticating to **SonicWall SSL VPN** using previously compromised credentials, with reporting noting the absence of **MFA** on the VPN account. Post-compromise activity included internal reconnaissance (e.g., ICMP ping sweeps, NetBIOS/SMB probing) and high-rate SYN activity, followed by execution of the EDR killer disguised as a legitimate utility (e.g., a firmware update tool). The malware reportedly uses a custom encoding scheme to conceal the embedded driver, writes it to disk under an OEM-like path, hides it, timestomps it to blend in, and registers it as a Windows kernel service for persistence; despite the driver’s certificate being expired and revoked for years, Windows can still load it due to signature verification and timestamping behavior.
Mar 21, 2026
ESET Research Finds BYOVD Dominates EDR Killer Use in Ransomware Intrusions
**ESET Research** reported that **EDR killers** have become a standard component of modern ransomware operations, with attackers routinely disabling endpoint detection and response tools before launching encryptors. Across nearly 90 EDR killer tools observed in the wild, 54 were found to use the **Bring Your Own Vulnerable Driver (BYOVD)** technique, abusing 34 signed but vulnerable drivers to obtain kernel-level privileges and tamper with security products. The research says this approach is especially attractive to ransomware affiliates because it creates a short, reliable window for encryption while avoiding the need to constantly rebuild encryptors to evade detection. The reporting also highlights how **ransomware-as-a-service** operations contribute to the diversity of EDR killer tooling: operators typically provide the encryptor and infrastructure, while affiliates choose the EDR-disabling utility used during an intrusion. Although BYOVD remains the dominant method because of its reliability and relatively low development cost, researchers also observed a growing set of tools that disable protections without loading drivers, including methods that disrupt EDR communications, suspend processes, or abuse built-in administrative utilities. The findings reinforce that vulnerable-driver abuse remains a key defensive gap, while non-kernel alternatives are also expanding the range of pre-encryption attack techniques defenders must monitor.
Apr 14, 2026
Storm-0249 Uses EDR Abuse and ClickFix for Stealthy Ransomware Deployment
Storm-0249, an initial access broker previously known for selling access to compromised networks, has adopted advanced techniques to facilitate ransomware attacks. The group now leverages social engineering tactics such as ClickFix, which tricks users into executing malicious commands via the Windows Run dialog. These commands use legitimate utilities like `curl.exe` to download and execute fileless PowerShell scripts from spoofed Microsoft domains, ultimately deploying malicious MSI packages with SYSTEM privileges. The attack chain includes DLL sideloading, where a trojanized DLL is placed alongside legitimate EDR components (notably SentinelOne's `SentinelAgentWorker.exe`), allowing the attacker's code to run within trusted processes and evade detection. Once persistence is established, Storm-0249 abuses EDR tools to collect system information and maintain stealthy access, making detection and remediation challenging for defenders. This evolution in Storm-0249's tactics demonstrates a shift from mass phishing to highly targeted, stealthy operations that exploit trusted security software for malicious purposes. The abuse of EDR solutions not only enables the bypassing of traditional security controls but also provides a reliable foothold for ransomware deployment. Security researchers recommend implementing robust email filtering, monitoring for unusual use of legitimate utilities, and updating detection rules to identify these advanced techniques. Organizations are urged to review their EDR configurations and monitor for signs of DLL sideloading and unauthorized PowerShell activity to mitigate the risk posed by this threat actor.
Mar 21, 2026