Executive Summary
In early February 2026, threat actors exploited compromised SonicWall SSLVPN credentials to infiltrate a corporate network. Once inside, they deployed a custom 'EDR killer' malware that utilized a signed but revoked EnCase forensic driver to disable 59 endpoint detection and response (EDR) and antivirus tools. This 'Bring Your Own Vulnerable Driver' (BYOVD) technique allowed attackers to gain kernel-level access, effectively neutralizing security defenses and facilitating further malicious activities. The intrusion was disrupted before ransomware deployment, but it underscores the growing trend of adversaries weaponizing legitimate drivers to bypass endpoint security measures. (huntress.com)
This incident highlights the critical need for organizations to enforce multi-factor authentication (MFA) on VPN access, regularly update and monitor security tools, and implement strict controls over driver installations to prevent the exploitation of vulnerable drivers. (helpnetsecurity.com)
Why This Matters Now
The increasing use of BYOVD techniques by threat actors to disable security tools poses a significant risk to organizations, emphasizing the urgency for enhanced security measures and vigilance against such sophisticated attacks.
Attack Path Analysis
The adversary initiated the attack by exploiting a vulnerable driver to disable Endpoint Detection and Response (EDR) systems, thereby evading detection. With security defenses impaired, they escalated privileges to gain higher-level access within the system. Subsequently, the attacker moved laterally across the network, compromising additional systems. They established command and control channels to maintain persistent access and control over the compromised environment. The adversary then exfiltrated sensitive data from the network. Finally, they executed actions causing significant impact, such as deploying ransomware to encrypt critical data.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited a vulnerable driver to disable EDR systems, facilitating initial access without detection.
Related CVEs
CVE-2019-16098
CVSS 7.8A privilege escalation and code execution vulnerability in the RTCore64.sys driver used by MSI Afterburner allows attackers to execute arbitrary code with kernel privileges.
Affected Products:
Micro-Star International MSI Afterburner – 4.6.2.15658
Exploit Status:
exploited in the wildCVE-2025-68947
CVSS 4.7A vulnerability in the NSecKrnl.sys driver allows attackers to terminate arbitrary processes, including security software, leading to potential system compromise.
Affected Products:
NsecSoft NSecKrnl.sys – All versions prior to patch
Exploit Status:
exploited in the wildCVE-2025-61156
CVSS 7.8An insecure access control vulnerability in the ThreatFire System Monitor's TfSysMon.sys driver allows unprivileged users to terminate protected processes, including security software.
Affected Products:
PC Tools ThreatFire System Monitor – 4.7.0.53 and earlier
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploitation for Defense Evasion
Exploitation for Privilege Escalation
Device Driver Discovery
Abuse Elevation Control Mechanism
Hijack Execution Flow
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Devices
Control ID: Pillar 3
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
EDR evasion techniques directly undermine core security products and services, requiring immediate defensive adaptations against vulnerable driver exploitation methods.
Financial Services
Critical infrastructure faces elevated risks from EDR killers bypassing endpoint protection, potentially exposing sensitive financial data and compliance frameworks.
Health Care / Life Sciences
Healthcare systems relying on EDR protection are vulnerable to sophisticated evasion attacks, threatening HIPAA compliance and patient data security.
Government Administration
Government networks face severe threats from advanced EDR bypass techniques that could compromise classified systems and critical infrastructure operations.
Sources
- EDR killers explained: Beyond the drivershttps://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/Verified
- BlackByte ransomware uses new EDR evasion techniquehttps://www.techtarget.com/searchsecurity/news/252525965/BlackByte-ransomware-uses-new-EDR-evasion-techniqueVerified
- Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Toolshttps://thehackernews.com/2026/02/reynolds-ransomware-embeds-byovd-driver.htmlVerified
- Disclosure for CVE-2025-61156https://github.com/D7EAD/CVE-2025-61156Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to disable security systems, escalate privileges, move laterally, establish command channels, exfiltrate data, and execute impactful actions, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to disable security systems would likely be constrained, limiting their capacity to evade detection.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing their capacity to gain higher-level access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely be constrained, limiting their ability to compromise additional systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing their capacity to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts would likely be constrained, limiting their ability to remove sensitive data from the network.
The attacker's ability to execute impactful actions would likely be constrained, reducing the potential damage to critical data.
Impact at a Glance
Affected Business Functions
- Endpoint Security Monitoring
- Incident Response
- System Integrity
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive system configurations and security logs.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit the attacker's ability to compromise additional systems.
- • Deploy Inline Intrusion Prevention Systems (IPS) to detect and prevent exploitation attempts targeting vulnerable drivers.
- • Utilize Multicloud Visibility & Control to monitor and manage security policies across cloud environments, enhancing detection of anomalous activities.
- • Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.
- • Establish Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious behaviors indicative of command and control activities.
